@noble/curves 0.6.0 → 0.6.1

package/lib/secp256k1.js

@@ -115,20 +115,17 @@ function taggedHash(tag, ...messages) {
     }
     return (0, sha256_1.sha256)((0, utils_js_1.concatBytes)(tagP, ...messages));
 }
-const toRawX = (point) => point.toRawBytes(true).slice(1);
+const pointToBytes = (point) => point.toRawBytes(true).slice(1);
 const numTo32b = (n) => (0, utils_js_1.numberToBytesBE)(n, 32);
 const modN = (x) => (0, modular_js_1.mod)(x, secp256k1N);
-const _Point = exports.secp256k1.ProjectivePoint;
-const Gmul = (priv) => _Point.fromPrivateKey(priv);
-const GmulAdd = (Q, a, b) => _Point.BASE.multiplyAndAddUnsafe(Q, a, b);
-function schnorrGetScalar(priv) {
-    // Let d' = int(sk)
-    // Fail if d' = 0 or d' ≥ n
-    // Let P = d'⋅G
-    // Let d = d' if has_even_y(P), otherwise let d = n - d' .
-    const point = Gmul(priv);
-    const scalar = point.hasEvenY() ? priv : modN(-priv);
-    return { point, scalar, x: toRawX(point) };
+const Point = exports.secp256k1.ProjectivePoint;
+const GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
+const hex32ToInt = (key) => (0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(key, 32));
+function schnorrGetExtPubKey(priv) {
+    let d = typeof priv === 'bigint' ? priv : hex32ToInt(priv);
+    const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
+    const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
+    return { point, scalar, bytes: pointToBytes(point) };
 }
 function lift_x(x) {
     if (!fe(x))
@@ -137,37 +134,31 @@ function lift_x(x) {
     let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
     if (y % 2n !== 0n)
         y = (0, modular_js_1.mod)(-y, secp256k1P); // Return the unique point P such that x(P) = x and
-    const p = new _Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+    const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
     p.assertValidity();
     return p;
 }
 function challenge(...args) {
     return modN((0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.challenge, ...args)));
 }
+// Schnorr's pubkey is just `x` of Point (BIP340)
 function schnorrGetPublicKey(privateKey) {
-    return toRawX(Gmul(privateKey)); // Let d' = int(sk). Fail if d' = 0 or d' ≥ n. Return bytes(d'⋅G)
+    return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
-/**
- * Synchronously creates Schnorr signature. Improved security: verifies itself before
- * producing an output.
- * @param msg message (not message hash)
- * @param privateKey private key
- * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
- */
+// Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
+// auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous
 function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) {
     if (message == null)
         throw new Error(`sign: Expected valid message, not "${message}"`);
-    const m = (0, utils_js_1.ensureBytes)(message);
-    // checks for isWithinCurveOrder
-    const { x: px, scalar: d } = schnorrGetScalar((0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(privateKey, 32)));
+    const m = (0, utils_js_1.ensureBytes)(message); // checks for isWithinCurveOrder
+    const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
     const a = (0, utils_js_1.ensureBytes)(auxRand, 32); // Auxiliary random data a: a 32-byte array
-    // TODO: replace with proper xor?
     const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
     const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
     const k_ = modN((0, utils_js_1.bytesToNumberBE)(rand)); // Let k' = int(rand) mod n
     if (k_ === _0n)
         throw new Error('sign failed: k is zero'); // Fail if k' = 0.
-    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k_); // Let R = k'⋅G.
+    const { point: R, bytes: rx, scalar: k } = schnorrGetExtPubKey(k_); // Let R = k'⋅G.
     const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
     const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
     sig.set(numTo32b(R.px), 0);
@@ -182,7 +173,7 @@ function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)
  */
 function schnorrVerify(signature, message, publicKey) {
     try {
-        const P = lift_x((0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(publicKey, 32))); // P = lift_x(int(pk)); fail if that fails
+        const P = lift_x(hex32ToInt(publicKey)); // P = lift_x(int(pk)); fail if that fails
         const sig = (0, utils_js_1.ensureBytes)(signature, 64);
         const r = (0, utils_js_1.bytesToNumberBE)(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
         if (!fe(r))
@@ -191,7 +182,7 @@ function schnorrVerify(signature, message, publicKey) {
         if (!ge(s))
             return false;
         const m = (0, utils_js_1.ensureBytes)(message);
-        const e = challenge(numTo32b(r), toRawX(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
+        const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
         const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
         if (!R || !R.hasEvenY() || R.toAffine().x !== r)
             return false; // -eP == (n-e)P
@@ -202,11 +193,18 @@ function schnorrVerify(signature, message, publicKey) {
     }
 }
 exports.schnorr = {
-    // Schnorr's pubkey is just `x` of Point (BIP340)
     getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,
-    utils: { lift_x, int: utils_js_1.bytesToNumberBE, taggedHash },
+    utils: {
+        getExtendedPublicKey: schnorrGetExtPubKey,
+        lift_x,
+        pointToBytes,
+        numberToBytesBE: utils_js_1.numberToBytesBE,
+        bytesToNumberBE: utils_js_1.bytesToNumberBE,
+        taggedHash,
+        mod: modular_js_1.mod,
+    },
 };
 const isoMap = htf.isogenyMap(Fp, [
     // xNum

package/lib/stark.d.ts

@@ -16,11 +16,11 @@ declare const CURVE: Readonly<{
     readonly hEff?: bigint | undefined;
     readonly Gx: bigint;
     readonly Gy: bigint;
-    readonly wrapPrivateKey?: boolean | undefined;
     readonly allowInfinityPoint?: boolean | undefined;
     readonly a: bigint;
     readonly b: bigint;
-    readonly normalizePrivateKey?: ((key: cutils.PrivKey) => cutils.PrivKey) | undefined;
+    readonly allowedPrivateKeyLengths?: readonly number[] | undefined;
+    readonly wrapPrivateKey?: boolean | undefined;
     readonly endo?: {
         beta: bigint;
         splitScalar: (k: bigint) => {
@@ -32,10 +32,10 @@ declare const CURVE: Readonly<{
     } | undefined;
     readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: ProjPointType<bigint>) => boolean) | undefined;
     readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: ProjPointType<bigint>) => ProjPointType<bigint>) | undefined;
-    lowS: boolean;
     readonly hash: cutils.CHash;
     readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
     readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+    lowS: boolean;
     readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
     readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
 }>, ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>, Signature: import("./abstract/weierstrass.js").SignatureConstructor;

package/lib/stark.js

@@ -98,7 +98,7 @@ function ensureBytes0x(hex) {
 function normalizePrivateKey(privKey) {
     return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
-function getPublicKey0x(privKey, isCompressed) {
+function getPublicKey0x(privKey, isCompressed = false) {
     return exports.starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
 }
 exports.getPublicKey = getPublicKey0x;

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@noble/curves",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "lib"
   ],
   "scripts": {
-    "bench": "cd benchmark; node index.js",
+    "bench": "cd benchmark; node secp256k1.js; node curves.js; node stark.js; node bls.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
     "build:release": "rollup -c rollup.config.js",
     "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
@@ -30,8 +30,8 @@
     "@scure/bip39": "~1.1.0",
     "@types/node": "18.11.3",
     "fast-check": "3.0.0",
-    "micro-bmark": "0.2.0",
-    "micro-should": "0.3.0",
+    "micro-bmark": "0.3.0",
+    "micro-should": "0.4.0",
     "prettier": "2.8.3",
     "rollup": "2.75.5",
     "typescript": "4.7.3"