@noble/curves 0.5.2 → 0.6.1

package/lib/esm/ed448.js

@@ -4,6 +4,7 @@ import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/h
 import { twistedEdwards } from './abstract/edwards.js';
 import { mod, pow2, Fp as Field } from './abstract/modular.js';
 import { montgomery } from './abstract/montgomery.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * * X448 ECDH
@@ -46,79 +47,6 @@ function adjustScalarBytes(bytes) {
     return bytes;
 }
 const Fp = Field(ed448P, 456, true);
-// Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
-function map_to_curve_elligator2_curve448(u) {
-    let tv1 = Fp.square(u); // 1.  tv1 = u^2
-    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
-    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
-    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
-    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
-    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
-    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
-    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
-    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
-    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
-    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
-    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
-    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
-    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
-    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
-    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
-    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
-    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
-    tv2 = Fp.square(y1); // 20. tv2 = y1^2
-    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
-    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
-    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
-    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
-    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
-}
-function map_to_curve_elligator2_edwards448(u) {
-    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
-    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
-    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
-    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
-    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
-    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
-    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
-    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
-    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
-    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
-    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
-    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
-    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
-    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
-    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
-    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
-    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
-    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
-    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
-    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
-    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
-    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
-    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
-    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
-    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
-    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
-    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
-    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
-    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
-    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
-    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
-    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
-    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
-    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
-    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
-    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
-    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
-    const inv = Fp.invertBatch([xEd, yEd]); // batch division
-    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
-}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
@@ -166,15 +94,6 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: mod(x2 * v, P) === u, value: x };
     },
-    htfDefaults: {
-        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 224,
-        expand: 'xof',
-        hash: shake256,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
@@ -207,3 +126,86 @@ export const x448 = montgomery({
     //   return numberToBytesLE(u, 56);
     // },
 });
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: shake256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/jubjub.js

@@ -33,7 +33,7 @@ export function groupHash(tag, personalization) {
     h.update(GH_FIRST_BLOCK);
     h.update(tag);
     // NOTE: returns ExtendedPoint, in case it will be multiplied later
-    let p = jubjub.ExtendedPoint.fromAffine(jubjub.Point.fromHex(h.digest()));
+    let p = jubjub.ExtendedPoint.fromHex(h.digest());
     // NOTE: cannot replace with isSmallOrder, returns Point*8
     p = p.multiply(jubjub.CURVE.h);
     if (p.equals(jubjub.ExtendedPoint.ZERO))

package/lib/esm/p224.js

@@ -8,7 +8,7 @@ export const P224 = createCurve({
     // Params: a, b
     a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe'),
     b: BigInt('0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4'),
-    // Field over which we'll do calculations; 2n**224n - 2n**96n + 1n
+    // Field over which we'll do calculations;
     Fp: Fp(BigInt('0xffffffffffffffffffffffffffffffff000000000000000000000001')),
     // Curve order, total count of valid points in the field
     n: BigInt('0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d'),

package/lib/esm/p256.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
@@ -26,14 +27,15 @@ export const P256 = createCurve({
     Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P256_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256,
-    },
 }, sha256);
 export const secp256r1 = P256;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p384.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
@@ -31,14 +32,15 @@ export const P384 = createCurve({
     Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P384_XMD:SHA-384_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 192,
-        expand: 'xmd',
-        hash: sha384,
-    },
 }, sha384);
 export const secp384r1 = P384;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p521.js

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha512 } from '@noble/hashes/sha512';
-import { bytesToHex } from './abstract/utils.js';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
@@ -32,27 +32,16 @@ export const P521 = createCurve({
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
     h: BigInt(1),
     lowS: false,
-    // P521 keys could be 130, 131, 132 bytes - which doesn't play nicely.
-    // We ensure all keys are 132 bytes.
-    // Does not replace validation; invalid keys would still be rejected.
-    normalizePrivateKey(key) {
-        if (typeof key === 'bigint')
-            return key;
-        if (key instanceof Uint8Array)
-            key = bytesToHex(key);
-        if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
-            throw new Error('Invalid key');
-        }
-        return key.padStart(66 * 2, '0');
-    },
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P521_XMD:SHA-512_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 256,
-        expand: 'xmd',
-        hash: sha512,
-    },
+    allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
 }, sha512);
 export const secp521r1 = P521;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+});
+export { hashToCurve, encodeToCurve };