@noble/curves 0.6.4 → 0.7.1

package/src/abstract/poseidon.ts

@@ -0,0 +1,119 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
+import { Field, FpPow, validateField } from './modular.js';
+// We don't provide any constants, since different implementations use different constants.
+// For reference constants see './test/poseidon.test.js'.
+export type PoseidonOpts = {
+  Fp: Field<bigint>;
+  t: number;
+  roundsFull: number;
+  roundsPartial: number;
+  sboxPower?: number;
+  reversePartialPowIdx?: boolean; // Hack for stark
+  mds: bigint[][];
+  roundConstants: bigint[][];
+};
+
+export function validateOpts(opts: PoseidonOpts) {
+  const { Fp } = opts;
+  validateField(Fp);
+  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
+  }
+  if (opts.reversePartialPowIdx !== undefined && typeof opts.reversePartialPowIdx !== 'boolean')
+    throw new Error(`Poseidon: invalid param reversePartialPowIdx=${opts.reversePartialPowIdx}`);
+  // Default is 5, but by some reasons stark uses 3
+  let sboxPower = opts.sboxPower;
+  if (sboxPower === undefined) sboxPower = 5;
+  if (typeof sboxPower !== 'number' || !Number.isSafeInteger(sboxPower))
+    throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
+
+  const _sboxPower = BigInt(sboxPower);
+  let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
+  // Unwrapped sbox power for common cases (195->142μs)
+  if (sboxPower === 3) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(n), n);
+  else if (sboxPower === 5) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
+
+  if (opts.roundsFull % 2 !== 0)
+    throw new Error(`Poseidon roundsFull is not even: ${opts.roundsFull}`);
+  const rounds = opts.roundsFull + opts.roundsPartial;
+
+  if (!Array.isArray(opts.roundConstants) || opts.roundConstants.length !== rounds)
+    throw new Error('Poseidon: wrong round constants');
+  const roundConstants = opts.roundConstants.map((rc) => {
+    if (!Array.isArray(rc) || rc.length !== opts.t)
+      throw new Error(`Poseidon wrong round constants: ${rc}`);
+    return rc.map((i) => {
+      if (typeof i !== 'bigint' || !Fp.isValid(i))
+        throw new Error(`Poseidon wrong round constant=${i}`);
+      return Fp.create(i);
+    });
+  });
+  // MDS is TxT matrix
+  if (!Array.isArray(opts.mds) || opts.mds.length !== opts.t)
+    throw new Error('Poseidon: wrong MDS matrix');
+  const mds = opts.mds.map((mdsRow) => {
+    if (!Array.isArray(mdsRow) || mdsRow.length !== opts.t)
+      throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
+    return mdsRow.map((i) => {
+      if (typeof i !== 'bigint') throw new Error(`Poseidon MDS matrix value=${i}`);
+      return Fp.create(i);
+    });
+  });
+  return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds });
+}
+
+export function splitConstants(rc: bigint[], t: number) {
+  if (typeof t !== 'number') throw new Error('poseidonSplitConstants: wrong t');
+  if (!Array.isArray(rc) || rc.length % t) throw new Error('poseidonSplitConstants: wrong rc');
+  const res = [];
+  let tmp = [];
+  for (let i = 0; i < rc.length; i++) {
+    tmp.push(rc[i]);
+    if (tmp.length === t) {
+      res.push(tmp);
+      tmp = [];
+    }
+  }
+  return res;
+}
+
+export function poseidon(opts: PoseidonOpts) {
+  const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts);
+  const halfRoundsFull = Math.floor(opts.roundsFull / 2);
+  const partialIdx = reversePartialPowIdx ? t - 1 : 0;
+  const poseidonRound = (values: bigint[], isFull: boolean, idx: number) => {
+    values = values.map((i, j) => Fp.add(i, opts.roundConstants[idx][j]));
+
+    if (isFull) values = values.map((i) => sboxFn(i));
+    else values[partialIdx] = sboxFn(values[partialIdx]);
+    // Matrix multiplication
+    values = opts.mds.map((i) =>
+      i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO)
+    );
+    return values;
+  };
+  const poseidonHash = function poseidonHash(values: bigint[]) {
+    if (!Array.isArray(values) || values.length !== t)
+      throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
+    values = values.map((i) => {
+      if (typeof i !== 'bigint') throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
+      return Fp.create(i);
+    });
+    let round = 0;
+    // Apply r_f/2 full rounds.
+    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
+    // Apply r_p partial rounds.
+    for (let i = 0; i < opts.roundsPartial; i++) values = poseidonRound(values, false, round++);
+    // Apply r_f/2 full rounds.
+    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
+
+    if (round !== rounds)
+      throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
+    return values;
+  };
+  // For verification in tests
+  poseidonHash.roundConstants = opts.roundConstants;
+  return poseidonHash;
+}

package/src/abstract/utils.ts

@@ -0,0 +1,246 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const u8a = (a: any): a is Uint8Array => a instanceof Uint8Array;
+
+// We accept hex strings besides Uint8Array for simplicity
+export type Hex = Uint8Array | string;
+// Very few implementations accept numbers, we do it to ease learning curve
+export type PrivKey = Hex | bigint;
+export type CHash = {
+  (message: Uint8Array | string): Uint8Array;
+  blockLen: number;
+  outputLen: number;
+  create(opts?: { dkLen?: number }): any; // For shake
+};
+export type FHash = (message: Uint8Array | string) => Uint8Array;
+
+const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
+export function bytesToHex(bytes: Uint8Array): string {
+  if (!u8a(bytes)) throw new Error('Uint8Array expected');
+  // pre-caching improves the speed 6x
+  let hex = '';
+  for (let i = 0; i < bytes.length; i++) {
+    hex += hexes[bytes[i]];
+  }
+  return hex;
+}
+
+export function numberToHexUnpadded(num: number | bigint): string {
+  const hex = num.toString(16);
+  return hex.length & 1 ? `0${hex}` : hex;
+}
+
+export function hexToNumber(hex: string): bigint {
+  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  // Big Endian
+  return BigInt(hex === '' ? '0' : `0x${hex}`);
+}
+
+// Caching slows it down 2-3x
+export function hexToBytes(hex: string): Uint8Array {
+  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  if (hex.length % 2) throw new Error('hex string is invalid: unpadded ' + hex.length);
+  const array = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < array.length; i++) {
+    const j = i * 2;
+    const hexByte = hex.slice(j, j + 2);
+    const byte = Number.parseInt(hexByte, 16);
+    if (Number.isNaN(byte) || byte < 0) throw new Error('invalid byte sequence');
+    array[i] = byte;
+  }
+  return array;
+}
+
+// Big Endian
+export function bytesToNumberBE(bytes: Uint8Array): bigint {
+  return hexToNumber(bytesToHex(bytes));
+}
+export function bytesToNumberLE(bytes: Uint8Array): bigint {
+  if (!u8a(bytes)) throw new Error('Uint8Array expected');
+  return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
+}
+
+export const numberToBytesBE = (n: bigint, len: number) =>
+  hexToBytes(n.toString(16).padStart(len * 2, '0'));
+export const numberToBytesLE = (n: bigint, len: number) => numberToBytesBE(n, len).reverse();
+// Returns variable number bytes (minimal bigint encoding?)
+export const numberToVarBytesBE = (n: bigint) => hexToBytes(numberToHexUnpadded(n));
+
+export function ensureBytes(title: string, hex: Hex, expectedLength?: number): Uint8Array {
+  let res: Uint8Array;
+  if (typeof hex === 'string') {
+    try {
+      res = hexToBytes(hex);
+    } catch (e) {
+      throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
+    }
+  } else if (u8a(hex)) {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    res = Uint8Array.from(hex);
+  } else {
+    throw new Error(`${title} must be hex string or Uint8Array`);
+  }
+  const len = res.length;
+  if (typeof expectedLength === 'number' && len !== expectedLength)
+    throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
+  return res;
+}
+
+// Copies several Uint8Arrays into one.
+export function concatBytes(...arrs: Uint8Array[]): Uint8Array {
+  const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0));
+  let pad = 0; // walk through each item, ensure they have proper type
+  arrs.forEach((a) => {
+    if (!u8a(a)) throw new Error('Uint8Array expected');
+    r.set(a, pad);
+    pad += a.length;
+  });
+  return r;
+}
+
+export function equalBytes(b1: Uint8Array, b2: Uint8Array) {
+  // We don't care about timing attacks here
+  if (b1.length !== b2.length) return false;
+  for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
+  return true;
+}
+
+// Global symbols in both browsers and Node.js since v11
+// See https://github.com/microsoft/TypeScript/issues/31535
+declare const TextEncoder: any;
+export function utf8ToBytes(str: string): Uint8Array {
+  if (typeof str !== 'string') {
+    throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+  }
+  return new TextEncoder().encode(str);
+}
+
+// Bit operations
+
+// Amount of bits inside bigint (Same as n.toString(2).length)
+export function bitLen(n: bigint) {
+  let len;
+  for (len = 0; n > 0n; n >>= _1n, len += 1);
+  return len;
+}
+// Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
+// Same as !!+Array.from(n.toString(2)).reverse()[pos]
+export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & 1n;
+// Sets single bit at position
+export const bitSet = (n: bigint, pos: number, value: boolean) =>
+  n | ((value ? _1n : _0n) << BigInt(pos));
+// Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
+// Not using ** operator with bigints for old engines.
+export const bitMask = (n: number) => (_2n << BigInt(n - 1)) - _1n;
+
+// DRBG
+
+const u8n = (data?: any) => new Uint8Array(data); // creates Uint8Array
+const u8fr = (arr: any) => Uint8Array.from(arr); // another shortcut
+type Pred<T> = (v: Uint8Array) => T | undefined;
+/**
+ * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+ * @returns function that will call DRBG until 2nd arg returns something meaningful
+ * @example
+ *   const drbg = createHmacDRBG<Key>(32, 32, hmac);
+ *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
+ */
+export function createHmacDrbg<T>(
+  hashLen: number,
+  qByteLen: number,
+  hmacFn: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array
+): (seed: Uint8Array, predicate: Pred<T>) => T {
+  if (typeof hashLen !== 'number' || hashLen < 2) throw new Error('hashLen must be a number');
+  if (typeof qByteLen !== 'number' || qByteLen < 2) throw new Error('qByteLen must be a number');
+  if (typeof hmacFn !== 'function') throw new Error('hmacFn must be a function');
+  // Step B, Step C: set hashLen to 8*ceil(hlen/8)
+  let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+  let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
+  let i = 0; // Iterations counter, will throw when over 1000
+  const reset = () => {
+    v.fill(1);
+    k.fill(0);
+    i = 0;
+  };
+  const h = (...b: Uint8Array[]) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
+  const reseed = (seed = u8n()) => {
+    // HMAC-DRBG reseed() function. Steps D-G
+    k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)
+    v = h(); // v = hmac(k || v)
+    if (seed.length === 0) return;
+    k = h(u8fr([0x01]), seed); // k = hmac(k || v || 0x01 || seed)
+    v = h(); // v = hmac(k || v)
+  };
+  const gen = () => {
+    // HMAC-DRBG generate() function
+    if (i++ >= 1000) throw new Error('drbg: tried 1000 values');
+    let len = 0;
+    const out: Uint8Array[] = [];
+    while (len < qByteLen) {
+      v = h();
+      const sl = v.slice();
+      out.push(sl);
+      len += v.length;
+    }
+    return concatBytes(...out);
+  };
+  const genUntil = (seed: Uint8Array, pred: Pred<T>): T => {
+    reset();
+    reseed(seed); // Steps D-G
+    let res: T | undefined = undefined; // Step H: grind until k is in [1..n-1]
+    while (!(res = pred(gen()))) reseed();
+    reset();
+    return res;
+  };
+  return genUntil;
+}
+
+// Validating curves and fields
+
+const validatorFns = {
+  bigint: (val: any) => typeof val === 'bigint',
+  function: (val: any) => typeof val === 'function',
+  boolean: (val: any) => typeof val === 'boolean',
+  string: (val: any) => typeof val === 'string',
+  isSafeInteger: (val: any) => Number.isSafeInteger(val),
+  array: (val: any) => Array.isArray(val),
+  field: (val: any, object: any) => (object as any).Fp.isValid(val),
+  hash: (val: any) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+} as const;
+type Validator = keyof typeof validatorFns;
+type ValMap<T extends Record<string, any>> = { [K in keyof T]?: Validator };
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
+
+export function validateObject<T extends Record<string, any>>(
+  object: T,
+  validators: ValMap<T>,
+  optValidators: ValMap<T> = {}
+) {
+  const checkField = (fieldName: keyof T, type: Validator, isOptional: boolean) => {
+    const checkVal = validatorFns[type];
+    if (typeof checkVal !== 'function')
+      throw new Error(`Invalid validator "${type}", expected function`);
+
+    const val = object[fieldName as keyof typeof object];
+    if (isOptional && val === undefined) return;
+    if (!checkVal(val, object)) {
+      throw new Error(
+        `Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`
+      );
+    }
+  };
+  for (const [fieldName, type] of Object.entries(validators)) checkField(fieldName, type!, false);
+  for (const [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type!, true);
+  return object;
+}
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });