@noble/curves 0.6.4 → 0.7.1

package/src/secp256k1.ts

@@ -0,0 +1,270 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { randomBytes } from '@noble/hashes/utils';
+import { Fp as Field, mod, pow2 } from './abstract/modular.js';
+import { ProjPointType as PointType, mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import type { Hex, PrivKey } from './abstract/utils.js';
+import { bytesToNumberBE, concatBytes, ensureBytes, numberToBytesBE } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
+import { createCurve } from './_shortw_utils.js';
+
+const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
+const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
+
+/**
+ * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
+ * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
+ */
+function sqrtMod(y: bigint): bigint {
+  const P = secp256k1P;
+  // prettier-ignore
+  const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
+  // prettier-ignore
+  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+  const b2 = (y * y * y) % P; // x^3, 11
+  const b3 = (b2 * b2 * y) % P; // x^7
+  const b6 = (pow2(b3, _3n, P) * b3) % P;
+  const b9 = (pow2(b6, _3n, P) * b3) % P;
+  const b11 = (pow2(b9, _2n, P) * b2) % P;
+  const b22 = (pow2(b11, _11n, P) * b11) % P;
+  const b44 = (pow2(b22, _22n, P) * b22) % P;
+  const b88 = (pow2(b44, _44n, P) * b44) % P;
+  const b176 = (pow2(b88, _88n, P) * b88) % P;
+  const b220 = (pow2(b176, _44n, P) * b44) % P;
+  const b223 = (pow2(b220, _3n, P) * b3) % P;
+  const t1 = (pow2(b223, _23n, P) * b22) % P;
+  const t2 = (pow2(t1, _6n, P) * b2) % P;
+  const root = pow2(t2, _2n, P);
+  if (!Fp.eql(Fp.sqr(root), y)) throw new Error('Cannot find square root');
+  return root;
+}
+
+const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+type Fp = bigint;
+
+export const secp256k1 = createCurve(
+  {
+    a: BigInt(0), // equation params: a, b
+    b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
+    Fp, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    n: secp256k1N, // Curve order, total count of valid points in the field
+    // Base point (x, y) aka generator point
+    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
+    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
+    h: BigInt(1), // Cofactor
+    lowS: true, // Allow only low-S signatures by default in sign() and verify()
+    /**
+     * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
+     * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
+     * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
+     * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+     */
+    endo: {
+      beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+      splitScalar: (k: bigint) => {
+        const n = secp256k1N;
+        const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
+        const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
+        const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
+        const b2 = a1;
+        const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
+
+        const c1 = divNearest(b2 * k, n);
+        const c2 = divNearest(-b1 * k, n);
+        let k1 = mod(k - c1 * a1 - c2 * a2, n);
+        let k2 = mod(-c1 * b1 - c2 * b2, n);
+        const k1neg = k1 > POW_2_128;
+        const k2neg = k2 > POW_2_128;
+        if (k1neg) k1 = n - k1;
+        if (k2neg) k2 = n - k2;
+        if (k1 > POW_2_128 || k2 > POW_2_128) {
+          throw new Error('splitScalar: Endomorphism failed, k=' + k);
+        }
+        return { k1neg, k1, k2neg, k2 };
+      },
+    },
+  },
+  sha256
+);
+
+// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
+// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
+const _0n = BigInt(0);
+const fe = (x: bigint) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
+const ge = (x: bigint) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
+/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
+const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
+function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
+  let tagP = TAGGED_HASH_PREFIXES[tag];
+  if (tagP === undefined) {
+    const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
+    tagP = concatBytes(tagH, tagH);
+    TAGGED_HASH_PREFIXES[tag] = tagP;
+  }
+  return sha256(concatBytes(tagP, ...messages));
+}
+
+// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
+const pointToBytes = (point: PointType<bigint>) => point.toRawBytes(true).slice(1);
+const numTo32b = (n: bigint) => numberToBytesBE(n, 32);
+const modP = (x: bigint) => mod(x, secp256k1P);
+const modN = (x: bigint) => mod(x, secp256k1N);
+const Point = secp256k1.ProjectivePoint;
+const GmulAdd = (Q: PointType<bigint>, a: bigint, b: bigint) =>
+  Point.BASE.multiplyAndAddUnsafe(Q, a, b);
+// Calculate point, scalar and bytes
+function schnorrGetExtPubKey(priv: PrivKey) {
+  const d = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey
+  const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
+  const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
+  return { point, scalar, bytes: pointToBytes(point) };
+}
+/**
+ * lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
+ * @returns valid point checked for being on-curve
+ */
+function lift_x(x: bigint): PointType<bigint> {
+  if (!fe(x)) throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
+  const xx = modP(x * x);
+  const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
+  let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
+  if (y % 2n !== 0n) y = modP(-y); // Return the unique point P such that x(P) = x and
+  const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+  p.assertValidity();
+  return p;
+}
+/**
+ * Create tagged hash, convert it to bigint, reduce modulo-n.
+ */
+function challenge(...args: Uint8Array[]): bigint {
+  return modN(bytesToNumberBE(taggedHash('BIP0340/challenge', ...args)));
+}
+
+/**
+ * Schnorr public key is just `x` coordinate of Point as per BIP340.
+ */
+function schnorrGetPublicKey(privateKey: Hex): Uint8Array {
+  return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
+}
+
+/**
+ * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
+ * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
+ */
+function schnorrSign(
+  message: Hex,
+  privateKey: PrivKey,
+  auxRand: Hex = randomBytes(32)
+): Uint8Array {
+  const m = ensureBytes('message', message);
+  const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder
+  const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+  const t = numTo32b(d ^ bytesToNumberBE(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
+  const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
+  const k_ = modN(bytesToNumberBE(rand)); // Let k' = int(rand) mod n
+  if (k_ === _0n) throw new Error('sign failed: k is zero'); // Fail if k' = 0.
+  const { point: R, bytes: rx, scalar: k } = schnorrGetExtPubKey(k_); // Let R = k'⋅G.
+  const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
+  const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
+  sig.set(numTo32b(R.px), 0);
+  sig.set(numTo32b(modN(k + e * d)), 32);
+  // If Verify(bytes(P), m, sig) (see below) returns failure, abort
+  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');
+  return sig;
+}
+
+/**
+ * Verifies Schnorr signature.
+ * Will swallow errors & return false except for initial type validation of arguments.
+ */
+function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
+  const sig = ensureBytes('signature', signature, 64);
+  const m = ensureBytes('message', message);
+  const pub = ensureBytes('publicKey', publicKey, 32);
+  try {
+    const P = lift_x(bytesToNumberBE(pub)); // P = lift_x(int(pk)); fail if that fails
+    const r = bytesToNumberBE(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
+    if (!fe(r)) return false;
+    const s = bytesToNumberBE(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
+    if (!ge(s)) return false;
+    const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
+    const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
+    if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false; // -eP == (n-e)P
+    return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
+  } catch (error) {
+    return false;
+  }
+}
+
+export const schnorr = {
+  getPublicKey: schnorrGetPublicKey,
+  sign: schnorrSign,
+  verify: schnorrVerify,
+  utils: {
+    randomPrivateKey: secp256k1.utils.randomPrivateKey,
+    getExtendedPublicKey: schnorrGetExtPubKey,
+    lift_x,
+    pointToBytes,
+    numberToBytesBE,
+    bytesToNumberBE,
+    taggedHash,
+    mod,
+  },
+};
+
+const isoMap = htf.isogenyMap(
+  Fp,
+  [
+    // xNum
+    [
+      '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
+      '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
+      '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
+      '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
+    ],
+    // xDen
+    [
+      '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
+      '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
+      '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+    // yNum
+    [
+      '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
+      '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
+      '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
+      '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
+    ],
+    // yDen
+    [
+      '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
+      '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
+      '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
+      '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+  ].map((i) => i.map((j) => BigInt(j))) as [Fp[], Fp[], Fp[], Fp[]]
+);
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+  A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
+  B: BigInt('1771'),
+  Z: Fp.create(BigInt('-11')),
+});
+export const { hashToCurve, encodeToCurve } = htf.createHasher(
+  secp256k1.ProjectivePoint,
+  (scalars: bigint[]) => {
+    const { x, y } = mapSWU(Fp.create(scalars[0]));
+    return isoMap(x, y);
+  },
+  {
+    DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+  }
+);

package/src/stark.ts

@@ -0,0 +1,356 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { keccak_256 } from '@noble/hashes/sha3';
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass, ProjPointType } from './abstract/weierstrass.js';
+import * as cutils from './abstract/utils.js';
+import { Fp, mod, Field, validateField } from './abstract/modular.js';
+import { getHash } from './_shortw_utils.js';
+import * as poseidon from './abstract/poseidon.js';
+import { utf8ToBytes } from '@noble/hashes/utils';
+
+type ProjectivePoint = ProjPointType<bigint>;
+// Stark-friendly elliptic curve
+// https://docs.starkware.co/starkex/stark-curve.html
+
+const CURVE_N = BigInt(
+  '3618502788666131213697322783095070105526743751716087489154079457884512865583'
+);
+const nBitLength = 252;
+// Copy-pasted from weierstrass.ts
+function bits2int(bytes: Uint8Array): bigint {
+  const delta = bytes.length * 8 - nBitLength;
+  const num = cutils.bytesToNumberBE(bytes);
+  return delta > 0 ? num >> BigInt(delta) : num;
+}
+function bits2int_modN(bytes: Uint8Array): bigint {
+  return mod(bits2int(bytes), CURVE_N);
+}
+export const starkCurve = weierstrass({
+  // Params: a, b
+  a: BigInt(1),
+  b: BigInt('3141592653589793238462643383279502884197169399375105820974944592307816406665'),
+  // Field over which we'll do calculations; 2n**251n + 17n * 2n**192n + 1n
+  // There is no efficient sqrt for field (P%4==1)
+  Fp: Fp(BigInt('0x800000000000011000000000000000000000000000000000000000000000001')),
+  // Curve order, total count of valid points in the field.
+  n: CURVE_N,
+  nBitLength: nBitLength, // len(bin(N).replace('0b',''))
+  // Base point (x, y) aka generator point
+  Gx: BigInt('874739451078007766457464989774322083649278607533249481151382481072868806602'),
+  Gy: BigInt('152666792071518830868575557812948353041420400780739481342941381225525861407'),
+  h: BigInt(1),
+  // Default options
+  lowS: false,
+  ...getHash(sha256),
+  // Custom truncation routines for stark curve
+  bits2int: (bytes: Uint8Array): bigint => {
+    while (bytes[0] === 0) bytes = bytes.subarray(1);
+    return bits2int(bytes);
+  },
+  bits2int_modN: (bytes: Uint8Array): bigint => {
+    let hashS = cutils.bytesToNumberBE(bytes).toString(16);
+    if (hashS.length === 63) {
+      hashS += '0';
+      bytes = hexToBytes0x(hashS);
+    }
+    // Truncate zero bytes on left (compat with elliptic)
+    while (bytes[0] === 0) bytes = bytes.subarray(1);
+    return bits2int_modN(bytes);
+  },
+});
+
+// Custom Starknet type conversion functions that can handle 0x and unpadded hex
+function hexToBytes0x(hex: string): Uint8Array {
+  if (typeof hex !== 'string') {
+    throw new Error('hexToBytes: expected string, got ' + typeof hex);
+  }
+  hex = strip0x(hex);
+  if (hex.length & 1) hex = '0' + hex; // padding
+  if (hex.length % 2) throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+  const array = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < array.length; i++) {
+    const j = i * 2;
+    const hexByte = hex.slice(j, j + 2);
+    const byte = Number.parseInt(hexByte, 16);
+    if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
+    array[i] = byte;
+  }
+  return array;
+}
+function hexToNumber0x(hex: string): bigint {
+  if (typeof hex !== 'string') {
+    throw new Error('hexToNumber: expected string, got ' + typeof hex);
+  }
+  // Big Endian
+  // TODO: strip vs no strip?
+  return BigInt(`0x${strip0x(hex)}`);
+}
+function bytesToNumber0x(bytes: Uint8Array): bigint {
+  return hexToNumber0x(cutils.bytesToHex(bytes));
+}
+function ensureBytes0x(hex: Hex): Uint8Array {
+  // Uint8Array.from() instead of hash.slice() because node.js Buffer
+  // is instance of Uint8Array, and its slice() creates **mutable** copy
+  return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
+}
+
+function normPrivKey(privKey: Hex) {
+  return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
+}
+function getPublicKey0x(privKey: Hex, isCompressed = false) {
+  return starkCurve.getPublicKey(normPrivKey(privKey), isCompressed);
+}
+function getSharedSecret0x(privKeyA: Hex, pubKeyB: Hex) {
+  return starkCurve.getSharedSecret(normPrivKey(privKeyA), pubKeyB);
+}
+
+function sign0x(msgHash: Hex, privKey: Hex, opts?: any) {
+  if (typeof privKey === 'string') privKey = strip0x(privKey).padStart(64, '0');
+  return starkCurve.sign(ensureBytes0x(msgHash), normPrivKey(privKey), opts);
+}
+function verify0x(signature: Hex, msgHash: Hex, pubKey: Hex) {
+  const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
+  return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
+}
+
+const { CURVE, ProjectivePoint, Signature } = starkCurve;
+export const utils = starkCurve.utils;
+export {
+  CURVE,
+  Signature,
+  ProjectivePoint,
+  getPublicKey0x as getPublicKey,
+  getSharedSecret0x as getSharedSecret,
+  sign0x as sign,
+  verify0x as verify,
+};
+
+const stripLeadingZeros = (s: string) => s.replace(/^0+/gm, '');
+export const bytesToHexEth = (uint8a: Uint8Array): string =>
+  `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
+export const strip0x = (hex: string) => hex.replace(/^0x/i, '');
+export const numberToHexEth = (num: bigint | number) => `0x${num.toString(16)}`;
+
+// We accept hex strings besides Uint8Array for simplicity
+type Hex = Uint8Array | string;
+
+// 1. seed generation
+function hashKeyWithIndex(key: Uint8Array, index: number) {
+  let indexHex = cutils.numberToHexUnpadded(index);
+  if (indexHex.length & 1) indexHex = '0' + indexHex;
+  return sha256Num(cutils.concatBytes(key, hexToBytes0x(indexHex)));
+}
+
+export function grindKey(seed: Hex) {
+  const _seed = ensureBytes0x(seed);
+  const sha256mask = 2n ** 256n;
+
+  const limit = sha256mask - mod(sha256mask, CURVE_N);
+  for (let i = 0; ; i++) {
+    const key = hashKeyWithIndex(_seed, i);
+    // key should be in [0, limit)
+    if (key < limit) return mod(key, CURVE_N).toString(16);
+  }
+}
+
+export function getStarkKey(privateKey: Hex) {
+  return bytesToHexEth(getPublicKey0x(privateKey, true).slice(1));
+}
+
+export function ethSigToPrivate(signature: string) {
+  signature = strip0x(signature.replace(/^0x/, ''));
+  if (signature.length !== 130) throw new Error('Wrong ethereum signature');
+  return grindKey(signature.substring(0, 64));
+}
+
+const MASK_31 = 2n ** 31n - 1n;
+const int31 = (n: bigint) => Number(n & MASK_31);
+export function getAccountPath(
+  layer: string,
+  application: string,
+  ethereumAddress: string,
+  index: number
+) {
+  const layerNum = int31(sha256Num(layer));
+  const applicationNum = int31(sha256Num(application));
+  const eth = hexToNumber0x(ethereumAddress);
+  return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
+}
+
+// https://docs.starkware.co/starkex/pedersen-hash-function.html
+const PEDERSEN_POINTS_AFFINE = [
+  new ProjectivePoint(
+    2089986280348253421170679821480865132823066470938446095505822317253594081284n,
+    1713931329540660377023406109199410414810705867260802078187082345529207694986n,
+    1n
+  ),
+  new ProjectivePoint(
+    996781205833008774514500082376783249102396023663454813447423147977397232763n,
+    1668503676786377725805489344771023921079126552019160156920634619255970485781n,
+    1n
+  ),
+  new ProjectivePoint(
+    2251563274489750535117886426533222435294046428347329203627021249169616184184n,
+    1798716007562728905295480679789526322175868328062420237419143593021674992973n,
+    1n
+  ),
+  new ProjectivePoint(
+    2138414695194151160943305727036575959195309218611738193261179310511854807447n,
+    113410276730064486255102093846540133784865286929052426931474106396135072156n,
+    1n
+  ),
+  new ProjectivePoint(
+    2379962749567351885752724891227938183011949129833673362440656643086021394946n,
+    776496453633298175483985398648758586525933812536653089401905292063708816422n,
+    1n
+  ),
+];
+// for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE;
+
+function pedersenPrecompute(p1: ProjectivePoint, p2: ProjectivePoint): ProjectivePoint[] {
+  const out: ProjectivePoint[] = [];
+  let p = p1;
+  for (let i = 0; i < 248; i++) {
+    out.push(p);
+    p = p.double();
+  }
+  // NOTE: we cannot use wNAF here, because last 4 bits will require full 248 bits multiplication
+  // We can add support for this to wNAF, but it will complicate wNAF.
+  p = p2;
+  for (let i = 0; i < 4; i++) {
+    out.push(p);
+    p = p.double();
+  }
+  return out;
+}
+const PEDERSEN_POINTS1 = pedersenPrecompute(PEDERSEN_POINTS[1], PEDERSEN_POINTS[2]);
+const PEDERSEN_POINTS2 = pedersenPrecompute(PEDERSEN_POINTS[3], PEDERSEN_POINTS[4]);
+
+type PedersenArg = Hex | bigint | number;
+function pedersenArg(arg: PedersenArg): bigint {
+  let value: bigint;
+  if (typeof arg === 'bigint') value = arg;
+  else if (typeof arg === 'number') {
+    if (!Number.isSafeInteger(arg)) throw new Error(`Invalid pedersenArg: ${arg}`);
+    value = BigInt(arg);
+  } else value = bytesToNumber0x(ensureBytes0x(arg));
+  // [0..Fp)
+  if (!(0n <= value && value < starkCurve.CURVE.Fp.ORDER))
+    throw new Error(`PedersenArg should be 0 <= value < CURVE.P: ${value}`);
+  return value;
+}
+
+function pedersenSingle(point: ProjectivePoint, value: PedersenArg, constants: ProjectivePoint[]) {
+  let x = pedersenArg(value);
+  for (let j = 0; j < 252; j++) {
+    const pt = constants[j];
+    if (pt.px === point.px) throw new Error('Same point');
+    if ((x & 1n) !== 0n) point = point.add(pt);
+    x >>= 1n;
+  }
+  return point;
+}
+
+// shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
+export function pedersen(x: PedersenArg, y: PedersenArg) {
+  let point: ProjectivePoint = PEDERSEN_POINTS[0];
+  point = pedersenSingle(point, x, PEDERSEN_POINTS1);
+  point = pedersenSingle(point, y, PEDERSEN_POINTS2);
+  return bytesToHexEth(point.toRawBytes(true).slice(1));
+}
+
+export function hashChain(data: PedersenArg[], fn = pedersen) {
+  if (!Array.isArray(data) || data.length < 1)
+    throw new Error('data should be array of at least 1 element');
+  if (data.length === 1) return numberToHexEth(pedersenArg(data[0]));
+  return Array.from(data)
+    .reverse()
+    .reduce((acc, i) => fn(i, acc));
+}
+// Same as hashChain, but computes hash even for single element and order is not revesed
+export const computeHashOnElements = (data: PedersenArg[], fn = pedersen) =>
+  [0, ...data, data.length].reduce((x, y) => fn(x, y));
+
+const MASK_250 = cutils.bitMask(250);
+export const keccak = (data: Uint8Array): bigint => bytesToNumber0x(keccak_256(data)) & MASK_250;
+const sha256Num = (data: Uint8Array | string): bigint => cutils.bytesToNumberBE(sha256(data));
+
+// Poseidon hash
+export const Fp253 = Fp(
+  BigInt('14474011154664525231415395255581126252639794253786371766033694892385558855681')
+); // 2^253 + 2^199 + 1
+export const Fp251 = Fp(
+  BigInt('3618502788666131213697322783095070105623107215331596699973092056135872020481')
+); // 2^251 + 17 * 2^192 + 1
+
+function poseidonRoundConstant(Fp: Field<bigint>, name: string, idx: number) {
+  const val = Fp.fromBytes(sha256(utf8ToBytes(`${name}${idx}`)));
+  return Fp.create(val);
+}
+
+// NOTE: doesn't check eiginvalues and possible can create unsafe matrix. But any filtration here will break compatibility with starknet
+// Please use only if you really know what you doing.
+// https://eprint.iacr.org/2019/458.pdf Section 2.3 (Avoiding Insecure Matrices)
+export function _poseidonMDS(Fp: Field<bigint>, name: string, m: number, attempt = 0) {
+  const x_values: bigint[] = [];
+  const y_values: bigint[] = [];
+  for (let i = 0; i < m; i++) {
+    x_values.push(poseidonRoundConstant(Fp, `${name}x`, attempt * m + i));
+    y_values.push(poseidonRoundConstant(Fp, `${name}y`, attempt * m + i));
+  }
+  if (new Set([...x_values, ...y_values]).size !== 2 * m)
+    throw new Error('X and Y values are not distinct');
+  return x_values.map((x) => y_values.map((y) => Fp.inv(Fp.sub(x, y))));
+}
+
+const MDS_SMALL = [
+  [3, 1, 1],
+  [1, -1, 1],
+  [1, 1, -2],
+].map((i) => i.map(BigInt));
+
+export type PoseidonOpts = {
+  Fp: Field<bigint>;
+  rate: number;
+  capacity: number;
+  roundsFull: number;
+  roundsPartial: number;
+};
+
+export function poseidonBasic(opts: PoseidonOpts, mds: bigint[][]) {
+  validateField(opts.Fp);
+  if (!Number.isSafeInteger(opts.rate) || !Number.isSafeInteger(opts.capacity))
+    throw new Error(`Wrong poseidon opts: ${opts}`);
+  const m = opts.rate + opts.capacity;
+  const rounds = opts.roundsFull + opts.roundsPartial;
+  const roundConstants = [];
+  for (let i = 0; i < rounds; i++) {
+    const row = [];
+    for (let j = 0; j < m; j++) row.push(poseidonRoundConstant(opts.Fp, 'Hades', m * i + j));
+    roundConstants.push(row);
+  }
+  return poseidon.poseidon({
+    ...opts,
+    t: m,
+    sboxPower: 3,
+    reversePartialPowIdx: true, // Why?!
+    mds,
+    roundConstants,
+  });
+}
+
+export function poseidonCreate(opts: PoseidonOpts, mdsAttempt = 0) {
+  const m = opts.rate + opts.capacity;
+  if (!Number.isSafeInteger(mdsAttempt)) throw new Error(`Wrong mdsAttempt=${mdsAttempt}`);
+  return poseidonBasic(opts, _poseidonMDS(opts.Fp, 'HadesMDS', m, mdsAttempt));
+}
+
+export const poseidonSmall = poseidonBasic(
+  { Fp: Fp251, rate: 2, capacity: 1, roundsFull: 8, roundsPartial: 83 },
+  MDS_SMALL
+);
+
+export function poseidonHash(x: bigint, y: bigint, fn = poseidonSmall) {
+  return fn([x, y, 2n])[0];
+}

package/{lib/stark.d.ts → stark.d.ts}

@@ -42,7 +42,6 @@ declare const CURVE: Readonly<{
 export declare const utils: {
     normPrivateKeyToScalar: (key: cutils.PrivKey) => bigint;
     isValidPrivateKey(privateKey: cutils.PrivKey): boolean;
-    hashToPrivateKey: (hash: cutils.Hex) => Uint8Array;
     randomPrivateKey: () => Uint8Array;
     precompute: (windowSize?: number | undefined, point?: ProjPointType<bigint> | undefined) => ProjPointType<bigint>;
 };
@@ -86,3 +85,4 @@ export declare function poseidonHash(x: bigint, y: bigint, fn?: {
     (values: bigint[]): bigint[];
     roundConstants: bigint[][];
 }): bigint;
+//# sourceMappingURL=stark.d.ts.map

package/stark.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stark.d.ts","sourceRoot":"","sources":["src/stark.ts"],"names":[],"mappings":"AAGA,OAAO,EAAe,aAAa,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,KAAK,MAAM,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAW,KAAK,EAAiB,MAAM,uBAAuB,CAAC;AAKtE,aAAK,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;AAiB7C,eAAO,MAAM,UAAU,6CAgCrB,CAAC;AAwCH,iBAAS,cAAc,CAAC,OAAO,EAAE,GAAG,EAAE,YAAY,UAAQ,cAEzD;AACD,iBAAS,iBAAiB,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,cAErD;AAED,iBAAS,MAAM,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,CAAC,EAAE,GAAG,qDAGrD;AACD,iBAAS,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,WAG1D;AAED,QAAA,MAAQ,KAAK;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAAE,eAAe,+DAAE,SAAS,0DAAe,CAAC;AACzD,eAAO,MAAM,KAAK;;;;;CAAmB,CAAC;AACtC,OAAO,EACL,KAAK,EACL,SAAS,EACT,eAAe,EACf,cAAc,IAAI,YAAY,EAC9B,iBAAiB,IAAI,eAAe,EACpC,MAAM,IAAI,IAAI,EACd,QAAQ,IAAI,MAAM,GACnB,CAAC;AAGF,eAAO,MAAM,aAAa,WAAY,UAAU,KAAG,MACE,CAAC;AACtD,eAAO,MAAM,OAAO,QAAS,MAAM,WAA4B,CAAC;AAChE,eAAO,MAAM,cAAc,QAAS,MAAM,GAAG,MAAM,WAA4B,CAAC;AAGhF,aAAK,GAAG,GAAG,UAAU,GAAG,MAAM,CAAC;AAS/B,wBAAgB,QAAQ,CAAC,IAAI,EAAE,GAAG,UAUjC;AAED,wBAAgB,WAAW,CAAC,UAAU,EAAE,GAAG,UAE1C;AAED,wBAAgB,eAAe,CAAC,SAAS,EAAE,MAAM,UAIhD;AAID,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,eAAe,EAAE,MAAM,EACvB,KAAK,EAAE,MAAM,UAMd;AAoDD,aAAK,WAAW,GAAG,GAAG,GAAG,MAAM,GAAG,MAAM,CAAC;AA0BzC,wBAAgB,QAAQ,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,WAAW,UAKtD;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,kBAAW,eAO3D;AAED,eAAO,MAAM,qBAAqB,SAAU,WAAW,EAAE,sCACH,CAAC;AAGvD,eAAO,MAAM,MAAM,SAAU,UAAU,KAAG,MAAsD,CAAC;AAIjG,eAAO,MAAM,KAAK,kEAEjB,CAAC;AACF,eAAO,MAAM,KAAK,kEAEjB,CAAC;AAUF,wBAAgB,YAAY,CAAC,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,OAAO,SAAI,cAUnF;AAQD,oBAAY,YAAY,GAAG;IACzB,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;CACvB,CAAC;AAEF,wBAAgB,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE;;;EAoBhE;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,YAAY,EAAE,UAAU,SAAI;;;EAIhE;AAED,eAAO,MAAM,aAAa;;;CAGzB,CAAC;AAEF,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE;;;CAAgB,UAEpE"}

package/{lib/stark.js → stark.js}

@@ -95,21 +95,21 @@ function ensureBytes0x(hex) {
     // is instance of Uint8Array, and its slice() creates **mutable** copy
     return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
 }
-function normalizePrivateKey(privKey) {
+function normPrivKey(privKey) {
     return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
 function getPublicKey0x(privKey, isCompressed = false) {
-    return exports.starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
+    return exports.starkCurve.getPublicKey(normPrivKey(privKey), isCompressed);
 }
 exports.getPublicKey = getPublicKey0x;
 function getSharedSecret0x(privKeyA, pubKeyB) {
-    return exports.starkCurve.getSharedSecret(normalizePrivateKey(privKeyA), pubKeyB);
+    return exports.starkCurve.getSharedSecret(normPrivKey(privKeyA), pubKeyB);
 }
 exports.getSharedSecret = getSharedSecret0x;
 function sign0x(msgHash, privKey, opts) {
     if (typeof privKey === 'string')
         privKey = (0, exports.strip0x)(privKey).padStart(64, '0');
-    return exports.starkCurve.sign(ensureBytes0x(msgHash), normalizePrivateKey(privKey), opts);
+    return exports.starkCurve.sign(ensureBytes0x(msgHash), normPrivKey(privKey), opts);
 }
 exports.sign = sign0x;
 function verify0x(signature, msgHash, pubKey) {
@@ -311,3 +311,4 @@ function poseidonHash(x, y, fn = exports.poseidonSmall) {
     return fn([x, y, 2n])[0];
 }
 exports.poseidonHash = poseidonHash;
+//# sourceMappingURL=stark.js.map