@noble/curves 0.5.2 → 0.6.1

package/lib/stark.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.keccak = exports.computeHashOnElements = exports.hashChain = exports.pedersen = exports.getAccountPath = exports.ethSigToPrivate = exports.getStarkKey = exports.grindKey = exports.numberToHexEth = exports.strip0x = exports.bytesToHexEth = exports.verify = exports.sign = exports.getSharedSecret = exports.getPublicKey = exports.ProjectivePoint = exports.Signature = exports.Point = exports.CURVE = exports.utils = exports.starkCurve = void 0;
+exports.poseidonHash = exports.poseidonSmall = exports.poseidonCreate = exports.poseidonBasic = exports._poseidonMDS = exports.Fp251 = exports.Fp253 = exports.keccak = exports.computeHashOnElements = exports.hashChain = exports.pedersen = exports.getAccountPath = exports.ethSigToPrivate = exports.getStarkKey = exports.grindKey = exports.numberToHexEth = exports.strip0x = exports.bytesToHexEth = exports.verify = exports.sign = exports.getSharedSecret = exports.getPublicKey = exports.ProjectivePoint = exports.Signature = exports.CURVE = exports.utils = exports.starkCurve = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha3_1 = require("@noble/hashes/sha3");
 const sha256_1 = require("@noble/hashes/sha256");
@@ -8,10 +8,21 @@ const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const cutils = require("./abstract/utils.js");
 const modular_js_1 = require("./abstract/modular.js");
 const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const poseidon = require("./abstract/poseidon.js");
+const utils_1 = require("@noble/hashes/utils");
 // Stark-friendly elliptic curve
 // https://docs.starkware.co/starkex/stark-curve.html
 const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
 const nBitLength = 252;
+// Copy-pasted from weierstrass.ts
+function bits2int(bytes) {
+    const delta = bytes.length * 8 - nBitLength;
+    const num = cutils.bytesToNumberBE(bytes);
+    return delta > 0 ? num >> BigInt(delta) : num;
+}
+function bits2int_modN(bytes) {
+    return (0, modular_js_1.mod)(bits2int(bytes), CURVE_N);
+}
 exports.starkCurve = (0, weierstrass_js_1.weierstrass)({
     // Params: a, b
     a: BigInt(1),
@@ -29,33 +40,28 @@ exports.starkCurve = (0, weierstrass_js_1.weierstrass)({
     // Default options
     lowS: false,
     ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
-    truncateHash: (hash, truncateOnly = false) => {
-        // TODO: cleanup, ugly code
-        // Fix truncation
-        if (!truncateOnly) {
-            let hashS = bytesToNumber0x(hash).toString(16);
-            if (hashS.length === 63) {
-                hashS += '0';
-                hash = hexToBytes0x(hashS);
-            }
+    // Custom truncation routines for stark curve
+    bits2int: (bytes) => {
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int(bytes);
+    },
+    bits2int_modN: (bytes) => {
+        let hashS = cutils.bytesToNumberBE(bytes).toString(16);
+        if (hashS.length === 63) {
+            hashS += '0';
+            bytes = hexToBytes0x(hashS);
         }
         // Truncate zero bytes on left (compat with elliptic)
-        while (hash[0] === 0)
-            hash = hash.subarray(1);
-        const byteLength = hash.length;
-        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = hash.length ? bytesToNumber0x(hash) : 0n;
-        if (delta > 0)
-            h = h >> BigInt(delta);
-        if (!truncateOnly && h >= CURVE_N)
-            h -= CURVE_N;
-        return h;
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int_modN(bytes);
     },
 });
 // Custom Starknet type conversion functions that can handle 0x and unpadded hex
 function hexToBytes0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+        throw new Error('hexToBytes: expected string, got ' + typeof hex);
     }
     hex = (0, exports.strip0x)(hex);
     if (hex.length & 1)
@@ -75,7 +81,7 @@ function hexToBytes0x(hex) {
 }
 function hexToNumber0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+        throw new Error('hexToNumber: expected string, got ' + typeof hex);
     }
     // Big Endian
     // TODO: strip vs no strip?
@@ -90,9 +96,9 @@ function ensureBytes0x(hex) {
     return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
 }
 function normalizePrivateKey(privKey) {
-    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
-function getPublicKey0x(privKey, isCompressed) {
+function getPublicKey0x(privKey, isCompressed = false) {
     return exports.starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
 }
 exports.getPublicKey = getPublicKey0x;
@@ -111,9 +117,8 @@ function verify0x(signature, msgHash, pubKey) {
     return exports.starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
 }
 exports.verify = verify0x;
-const { CURVE, Point, ProjectivePoint, Signature } = exports.starkCurve;
+const { CURVE, ProjectivePoint, Signature } = exports.starkCurve;
 exports.CURVE = CURVE;
-exports.Point = Point;
 exports.ProjectivePoint = ProjectivePoint;
 exports.Signature = Signature;
 exports.utils = exports.starkCurve.utils;
@@ -129,18 +134,17 @@ function hashKeyWithIndex(key, index) {
     let indexHex = cutils.numberToHexUnpadded(index);
     if (indexHex.length & 1)
         indexHex = '0' + indexHex;
-    return bytesToNumber0x((0, sha256_1.sha256)(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+    return sha256Num(cutils.concatBytes(key, hexToBytes0x(indexHex)));
 }
 function grindKey(seed) {
     const _seed = ensureBytes0x(seed);
     const sha256mask = 2n ** 256n;
-    const Fn = (0, modular_js_1.Fp)(CURVE.n);
-    const limit = sha256mask - Fn.create(sha256mask);
+    const limit = sha256mask - (0, modular_js_1.mod)(sha256mask, CURVE_N);
     for (let i = 0;; i++) {
         const key = hashKeyWithIndex(_seed, i);
         // key should be in [0, limit)
         if (key < limit)
-            return Fn.create(key).toString(16);
+            return (0, modular_js_1.mod)(key, CURVE_N).toString(16);
     }
 }
 exports.grindKey = grindKey;
@@ -158,22 +162,22 @@ exports.ethSigToPrivate = ethSigToPrivate;
 const MASK_31 = 2n ** 31n - 1n;
 const int31 = (n) => Number(n & MASK_31);
 function getAccountPath(layer, application, ethereumAddress, index) {
-    const layerNum = int31(bytesToNumber0x((0, sha256_1.sha256)(layer)));
-    const applicationNum = int31(bytesToNumber0x((0, sha256_1.sha256)(application)));
+    const layerNum = int31(sha256Num(layer));
+    const applicationNum = int31(sha256Num(application));
     const eth = hexToNumber0x(ethereumAddress);
     return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
 }
 exports.getAccountPath = getAccountPath;
 // https://docs.starkware.co/starkex/pedersen-hash-function.html
 const PEDERSEN_POINTS_AFFINE = [
-    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
-    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
-    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
-    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
-    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+    new ProjectivePoint(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n, 1n),
+    new ProjectivePoint(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n, 1n),
+    new ProjectivePoint(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n, 1n),
+    new ProjectivePoint(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n, 1n),
+    new ProjectivePoint(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n, 1n),
 ];
 // for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
-const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE.map(ProjectivePoint.fromAffine);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE;
 function pedersenPrecompute(p1, p2) {
     const out = [];
     let p = p1;
@@ -212,7 +216,7 @@ function pedersenSingle(point, value, constants) {
     let x = pedersenArg(value);
     for (let j = 0; j < 252; j++) {
         const pt = constants[j];
-        if (pt.x === point.x)
+        if (pt.px === point.px)
             throw new Error('Same point');
         if ((x & 1n) !== 0n)
             point = point.add(pt);
@@ -225,7 +229,7 @@ function pedersen(x, y) {
     let point = PEDERSEN_POINTS[0];
     point = pedersenSingle(point, x, PEDERSEN_POINTS1);
     point = pedersenSingle(point, y, PEDERSEN_POINTS2);
-    return (0, exports.bytesToHexEth)(point.toAffine().toRawBytes(true).slice(1));
+    return (0, exports.bytesToHexEth)(point.toRawBytes(true).slice(1));
 }
 exports.pedersen = pedersen;
 function hashChain(data, fn = pedersen) {
@@ -241,6 +245,69 @@ exports.hashChain = hashChain;
 // Same as hashChain, but computes hash even for single element and order is not revesed
 const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
 exports.computeHashOnElements = computeHashOnElements;
-const MASK_250 = 2n ** 250n - 1n;
+const MASK_250 = cutils.bitMask(250);
 const keccak = (data) => bytesToNumber0x((0, sha3_1.keccak_256)(data)) & MASK_250;
 exports.keccak = keccak;
+const sha256Num = (data) => cutils.bytesToNumberBE((0, sha256_1.sha256)(data));
+// Poseidon hash
+exports.Fp253 = (0, modular_js_1.Fp)(BigInt('14474011154664525231415395255581126252639794253786371766033694892385558855681')); // 2^253 + 2^199 + 1
+exports.Fp251 = (0, modular_js_1.Fp)(BigInt('3618502788666131213697322783095070105623107215331596699973092056135872020481')); // 2^251 + 17 * 2^192 + 1
+function poseidonRoundConstant(Fp, name, idx) {
+    const val = Fp.fromBytes((0, sha256_1.sha256)((0, utils_1.utf8ToBytes)(`${name}${idx}`)));
+    return Fp.create(val);
+}
+// NOTE: doesn't check eiginvalues and possible can create unsafe matrix. But any filtration here will break compatibility with starknet
+// Please use only if you really know what you doing.
+// https://eprint.iacr.org/2019/458.pdf Section 2.3 (Avoiding Insecure Matrices)
+function _poseidonMDS(Fp, name, m, attempt = 0) {
+    const x_values = [];
+    const y_values = [];
+    for (let i = 0; i < m; i++) {
+        x_values.push(poseidonRoundConstant(Fp, `${name}x`, attempt * m + i));
+        y_values.push(poseidonRoundConstant(Fp, `${name}y`, attempt * m + i));
+    }
+    if (new Set([...x_values, ...y_values]).size !== 2 * m)
+        throw new Error('X and Y values are not distinct');
+    return x_values.map((x) => y_values.map((y) => Fp.inv(Fp.sub(x, y))));
+}
+exports._poseidonMDS = _poseidonMDS;
+const MDS_SMALL = [
+    [3, 1, 1],
+    [1, -1, 1],
+    [1, 1, -2],
+].map((i) => i.map(BigInt));
+function poseidonBasic(opts, mds) {
+    (0, modular_js_1.validateField)(opts.Fp);
+    if (!Number.isSafeInteger(opts.rate) || !Number.isSafeInteger(opts.capacity))
+        throw new Error(`Wrong poseidon opts: ${opts}`);
+    const m = opts.rate + opts.capacity;
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    const roundConstants = [];
+    for (let i = 0; i < rounds; i++) {
+        const row = [];
+        for (let j = 0; j < m; j++)
+            row.push(poseidonRoundConstant(opts.Fp, 'Hades', m * i + j));
+        roundConstants.push(row);
+    }
+    return poseidon.poseidon({
+        ...opts,
+        t: m,
+        sboxPower: 3,
+        reversePartialPowIdx: true,
+        mds,
+        roundConstants,
+    });
+}
+exports.poseidonBasic = poseidonBasic;
+function poseidonCreate(opts, mdsAttempt = 0) {
+    const m = opts.rate + opts.capacity;
+    if (!Number.isSafeInteger(mdsAttempt))
+        throw new Error(`Wrong mdsAttempt=${mdsAttempt}`);
+    return poseidonBasic(opts, _poseidonMDS(opts.Fp, 'HadesMDS', m, mdsAttempt));
+}
+exports.poseidonCreate = poseidonCreate;
+exports.poseidonSmall = poseidonBasic({ Fp: exports.Fp251, rate: 2, capacity: 1, roundsFull: 8, roundsPartial: 83 }, MDS_SMALL);
+function poseidonHash(x, y, fn = exports.poseidonSmall) {
+    return fn([x, y, 2n])[0];
+}
+exports.poseidonHash = poseidonHash;

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@noble/curves",
-  "version": "0.5.2",
+  "version": "0.6.1",
   "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "lib"
   ],
   "scripts": {
-    "bench": "node benchmark/index.js",
+    "bench": "cd benchmark; node secp256k1.js; node curves.js; node stark.js; node bls.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
     "build:release": "rollup -c rollup.config.js",
     "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
@@ -30,9 +30,9 @@
     "@scure/bip39": "~1.1.0",
     "@types/node": "18.11.3",
     "fast-check": "3.0.0",
-    "micro-bmark": "0.2.0",
-    "micro-should": "0.3.0",
-    "prettier": "2.6.2",
+    "micro-bmark": "0.3.0",
+    "micro-should": "0.4.0",
+    "prettier": "2.8.3",
     "rollup": "2.75.5",
     "typescript": "4.7.3"
   },
@@ -73,16 +73,21 @@
       "import": "./lib/esm/abstract/hash-to-curve.js",
       "default": "./lib/abstract/hash-to-curve.js"
     },
-    "./abstract/group": {
-      "types": "./lib/abstract/group.d.ts",
-      "import": "./lib/esm/abstract/group.js",
-      "default": "./lib/abstract/group.js"
+    "./abstract/curve": {
+      "types": "./lib/abstract/curve.d.ts",
+      "import": "./lib/esm/abstract/curve.js",
+      "default": "./lib/abstract/curve.js"
     },
     "./abstract/utils": {
       "types": "./lib/abstract/utils.d.ts",
       "import": "./lib/esm/abstract/utils.js",
       "default": "./lib/abstract/utils.js"
     },
+    "./abstract/poseidon": {
+      "types": "./lib/abstract/poseidon.d.ts",
+      "import": "./lib/esm/abstract/poseidon.js",
+      "default": "./lib/abstract/poseidon.js"
+    },
     "./_shortw_utils": {
       "types": "./lib/_shortw_utils.d.ts",
       "import": "./lib/esm/_shortw_utils.js",
@@ -189,4 +194,4 @@
       "url": "https://paulmillr.com/funding/"
     }
   ]
-}
+}