@noble/curves 0.8.0 → 0.8.1

package/README.md

@@ -1,6 +1,6 @@
 # noble-curves
 
-Audited & minimal JS implementation of elliptic curve cryptography.
+[Audited](#security) & minimal JS implementation of elliptic curve cryptography.
 
 - **noble** family, zero dependencies
 - Short Weierstrass, Edwards, Montgomery curves
@@ -56,7 +56,7 @@ Instead, you need to import specific primitives. This is done to ensure small si
 Each curve can be used in the following way:
 
 ```ts
-import { secp256k1 } from '@noble/curves/secp256k1'; // ECMAScript Modules (ESM)
+import { secp256k1 } from '@noble/curves/secp256k1'; // ECMAScript Modules (ESM) and Common.js
 // import { secp256k1 } from 'npm:@noble/curves@1.2.0/secp256k1'; // Deno
 const priv = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(priv);
@@ -78,7 +78,6 @@ import { p256 } from '@noble/curves/p256';
 import { p384 } from '@noble/curves/p384';
 import { p521 } from '@noble/curves/p521';
 import { pallas, vesta } from '@noble/curves/pasta';
-import * as stark from '@noble/curves/stark';
 import { bls12_381 } from '@noble/curves/bls12-381';
 import { bn254 } from '@noble/curves/bn';
 import { jubjub } from '@noble/curves/jubjub';
@@ -530,7 +529,7 @@ Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
 
 There are many poseidon variants with different constants.
 We don't provide them: you should construct them manually.
-The only variant provided resides in `stark` module: inspect it for proper usage.
+Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
 
 ```ts
 import { poseidon } from '@noble/curves/abstract/poseidon';
@@ -541,7 +540,7 @@ type PoseidonOpts = {
   roundsFull: number;
   roundsPartial: number;
   sboxPower?: number;
-  reversePartialPowIdx?: boolean; // Hack for stark
+  reversePartialPowIdx?: boolean;
   mds: bigint[][];
   roundConstants: bigint[][];
 };
@@ -612,9 +611,11 @@ utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
 
 ## Security
 
-The library had no prior security audit. The library has been fuzzed by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz): you can run the fuzzer by yourself to check it.
-
-[Timing attack](https://en.wikipedia.org/wiki/Timing_attack) considerations: we are using non-CT bigints. However, _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to achieve in a scripting language. Which means _any other JS library can't have constant-timeness_. Even statically typed Rust, a language without GC, [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security) for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
+1. The library has been audited during Jan-Feb 2023 by an independent security firm [Trail of Bits](https://www.trailofbits.com):
+[PDF](https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf).
+The audit has been funded by Ryan Shea. Audit scope was abstract modules `curve`, `hash-to-curve`, `modular`, `poseidon`, `utils`, `weierstrass`, and top-level modules `_shortw_utils` and `secp256k1`. See [changes since audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main).
+2. The library has been fuzzed by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz). You can run the fuzzer by yourself to check it.
+3. [Timing attack](https://en.wikipedia.org/wiki/Timing_attack) considerations: _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to achieve in a scripting language. Which means _any other JS library can't have constant-timeness_. Even statically typed Rust, a language without GC, [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security) for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
 
 We consider infrastructure attacks like rogue NPM modules very important; that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings. If your app uses 500 dependencies, any dep could get hacked and you'll be downloading malware with every `npm install`. Our goal is to minimize this attack vector. As for devDependencies used by the library:
 
@@ -670,12 +671,6 @@ getPublicKey x 3,363 ops/sec @ 297μs/op
 sign x 1,615 ops/sec @ 619μs/op
 verify x 319 ops/sec @ 3ms/op
 
-stark
-init x 35 ops/sec @ 28ms/op
-pedersen x 884 ops/sec @ 1ms/op
-poseidon x 8,598 ops/sec @ 116μs/op
-verify x 528 ops/sec @ 1ms/op
-
 ecdh
 ├─x25519 x 1,337 ops/sec @ 747μs/op
 ├─secp256k1 x 461 ops/sec @ 2ms/op
@@ -713,8 +708,6 @@ hashToCurve
 
 Article about some of library's features: [Learning fast elliptic-curve cryptography](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/)
 
-Demo: Elliptic curve calculator [paulmillr.com/ecc](https://paulmillr.com/ecc).
-
 Projects using the library:
 
 - secp256k1
@@ -725,7 +718,9 @@ Projects using the library:
   - Check out `bls12-381.ts` for articles about the curve
   - Threshold sigs demo [genthresh.com](https://genthresh.com)
   - BBS signatures [github.com/Wind4Greg/BBS-Draft-Checks](https://github.com/Wind4Greg/BBS-Draft-Checks) following [draft-irtf-cfrg-bbs-signatures-latest](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html)
-
+- Others
+  - All curves demo: Elliptic curve calculator [paulmillr.com/ecc](https://paulmillr.com/ecc)
+  - [micro-starknet](https://github.com/paulmillr/micro-starknet) for stark-friendly elliptic curve.
 ## Upgrading
 
 If you're coming from single-feature noble packages, the following changes need to be kept in mind:

package/esm/_shortw_utils.js

@@ -0,0 +1,17 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
+import { weierstrass } from './abstract/weierstrass.js';
+// connects noble-curves to noble-hashes
+export function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
+        randomBytes,
+    };
+}
+export function createCurve(curveDef, defHash) {
+    const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
+    return Object.freeze({ ...create(defHash), create });
+}
+//# sourceMappingURL=_shortw_utils.js.map

package/esm/_shortw_utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"_shortw_utils.js","sourceRoot":"","sources":["../src/_shortw_utils.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAa,MAAM,2BAA2B,CAAC;AAGnE,wCAAwC;AACxC,MAAM,UAAU,OAAO,CAAC,IAAW;IACjC,OAAO;QACL,IAAI;QACJ,IAAI,EAAE,CAAC,GAAe,EAAE,GAAG,IAAkB,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC;QACvF,WAAW;KACZ,CAAC;AACJ,CAAC;AAGD,MAAM,UAAU,WAAW,CAAC,QAAkB,EAAE,OAAc;IAC5D,MAAM,MAAM,GAAG,CAAC,IAAW,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/E,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;AACvD,CAAC"}

package/esm/abstract/bls.js

@@ -0,0 +1,226 @@
+import { hashToPrivateScalar } from './modular.js';
+import { bitLen, bitGet, ensureBytes } from './utils.js';
+import * as htf from './hash-to-curve.js';
+import { weierstrassPoints, } from './weierstrass.js';
+export function bls(CURVE) {
+    // Fields looks pretty specific for curve, so for now we need to pass them with opts
+    const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
+    const BLS_X_LEN = bitLen(CURVE.x);
+    const groupLen = 32; // TODO: calculate; hardcoded for now
+    // Pre-compute coefficients for sparse multiplication
+    // Point addition and point double calculations is reused for coefficients
+    function calcPairingPrecomputes(p) {
+        const { x, y } = p;
+        // prettier-ignore
+        const Qx = x, Qy = y, Qz = Fp2.ONE;
+        // prettier-ignore
+        let Rx = Qx, Ry = Qy, Rz = Qz;
+        let ell_coeff = [];
+        for (let i = BLS_X_LEN - 2; i >= 0; i--) {
+            // Double
+            let t0 = Fp2.sqr(Ry); // Ry²
+            let t1 = Fp2.sqr(Rz); // Rz²
+            let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
+            let t3 = Fp2.mul(t2, 3n); // 3 * T2
+            let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            ell_coeff.push([
+                Fp2.sub(t2, t0),
+                Fp2.mul(Fp2.sqr(Rx), 3n),
+                Fp2.neg(t4), // -T4
+            ]);
+            Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+            Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Rz = Fp2.mul(t0, t4); // T0 * T4
+            if (bitGet(CURVE.x, i)) {
+                // Addition
+                let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
+                let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
+                ell_coeff.push([
+                    Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)),
+                    Fp2.neg(t0),
+                    t1, // T1
+                ]);
+                let t2 = Fp2.sqr(t1); // T1²
+                let t3 = Fp2.mul(t2, t1); // T2 * T1
+                let t4 = Fp2.mul(t2, Rx); // T2 * Rx
+                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                Rx = Fp2.mul(t1, t5); // T1 * T5
+                Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+                Rz = Fp2.mul(Rz, t3); // Rz * T3
+            }
+        }
+        return ell_coeff;
+    }
+    function millerLoop(ell, g1) {
+        const { x } = CURVE;
+        const Px = g1[0];
+        const Py = g1[1];
+        let f12 = Fp12.ONE;
+        for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
+            const E = ell[j];
+            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
+            if (bitGet(x, i)) {
+                j += 1;
+                const F = ell[j];
+                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
+            }
+            if (i !== 0)
+                f12 = Fp12.sqr(f12);
+        }
+        return Fp12.conjugate(f12);
+    }
+    const utils = {
+        randomPrivateKey: () => {
+            return Fr.toBytes(hashToPrivateScalar(CURVE.randomBytes(groupLen + 8), CURVE.r));
+        },
+    };
+    // Point on G1 curve: (x, y)
+    const G1_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G1 });
+    const G1 = Object.assign(G1_, htf.createHasher(G1_.ProjectivePoint, CURVE.G1.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G1.htfDefaults,
+    }));
+    function pairingPrecomputes(point) {
+        const p = point;
+        if (p._PPRECOMPUTES)
+            return p._PPRECOMPUTES;
+        p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
+        return p._PPRECOMPUTES;
+    }
+    // TODO: export
+    // function clearPairingPrecomputes(point: G2) {
+    //   const p = point as G2 & withPairingPrecomputes;
+    //   p._PPRECOMPUTES = undefined;
+    // }
+    // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
+    const G2_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G2 });
+    const G2 = Object.assign(G2_, htf.createHasher(G2_.ProjectivePoint, CURVE.G2.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G2.htfDefaults,
+    }));
+    const { Signature } = CURVE.G2;
+    // Calculates bilinear pairing
+    function pairing(Q, P, withFinalExponent = true) {
+        if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
+            throw new Error('pairing is not available for ZERO point');
+        Q.assertValidity();
+        P.assertValidity();
+        // Performance: 9ms for millerLoop and ~14ms for exp.
+        const Qa = Q.toAffine();
+        const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
+        return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
+    }
+    function normP1(point) {
+        return point instanceof G1.ProjectivePoint ? point : G1.ProjectivePoint.fromHex(point);
+    }
+    function normP2(point) {
+        return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
+    }
+    function normP2Hash(point, htfOpts) {
+        return point instanceof G2.ProjectivePoint
+            ? point
+            : G2.hashToCurve(ensureBytes('point', point), htfOpts);
+    }
+    // Multiplies generator by private key.
+    // P = pk x G
+    function getPublicKey(privateKey) {
+        return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+    }
+    function sign(message, privateKey, htfOpts) {
+        const msgPoint = normP2Hash(message, htfOpts);
+        msgPoint.assertValidity();
+        const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
+        if (message instanceof G2.ProjectivePoint)
+            return sigPoint;
+        return Signature.encode(sigPoint);
+    }
+    // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+    // e(P, H(m)) == e(G, S)
+    function verify(signature, message, publicKey, htfOpts) {
+        const P = normP1(publicKey);
+        const Hm = normP2Hash(message, htfOpts);
+        const G = G1.ProjectivePoint.BASE;
+        const S = normP2(signature);
+        // Instead of doing 2 exponentiations, we use property of billinear maps
+        // and do one exp after multiplying 2 points.
+        const ePHm = pairing(P.negate(), Hm, false);
+        const eGS = pairing(G, S, false);
+        const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
+        return Fp12.eql(exp, Fp12.ONE);
+    }
+    function aggregatePublicKeys(publicKeys) {
+        if (!publicKeys.length)
+            throw new Error('Expected non-empty array');
+        const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (publicKeys[0] instanceof G1.ProjectivePoint) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        // toRawBytes ensures point validity
+        return aggAffine.toRawBytes(true);
+    }
+    function aggregateSignatures(signatures) {
+        if (!signatures.length)
+            throw new Error('Expected non-empty array');
+        const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (signatures[0] instanceof G2.ProjectivePoint) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        return Signature.encode(aggAffine);
+    }
+    // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
+    // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+    function verifyBatch(signature, messages, publicKeys, htfOpts) {
+        // @ts-ignore
+        // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
+        if (!messages.length)
+            throw new Error('Expected non-empty messages array');
+        if (publicKeys.length !== messages.length)
+            throw new Error('Pubkey count should equal msg count');
+        const sig = normP2(signature);
+        const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
+        const nPublicKeys = publicKeys.map(normP1);
+        try {
+            const paired = [];
+            for (const message of new Set(nMessages)) {
+                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.ProjectivePoint.ZERO);
+                // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
+                // Possible to batch pairing for same msg with different groupPublicKey here
+                paired.push(pairing(groupPublicKey, message, false));
+            }
+            paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
+            const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
+            const exp = Fp12.finalExponentiate(product);
+            return Fp12.eql(exp, Fp12.ONE);
+        }
+        catch {
+            return false;
+        }
+    }
+    G1.ProjectivePoint.BASE._setWindowSize(4);
+    return {
+        CURVE,
+        Fr,
+        Fp,
+        Fp2,
+        Fp6,
+        Fp12,
+        G1,
+        G2,
+        Signature,
+        millerLoop,
+        calcPairingPrecomputes,
+        pairing,
+        getPublicKey,
+        sign,
+        verify,
+        aggregatePublicKeys,
+        aggregateSignatures,
+        verifyBatch,
+        utils,
+    };
+}
+//# sourceMappingURL=bls.js.map

package/esm/abstract/bls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bls.js","sourceRoot":"","sources":["../../src/abstract/bls.ts"],"names":[],"mappings":"AAcA,OAAO,EAAS,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EAAuB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9E,OAAO,KAAK,GAAG,MAAM,oBAAoB,CAAC;AAC1C,OAAO,EAIL,iBAAiB,GAClB,MAAM,kBAAkB,CAAC;AAiF1B,MAAM,UAAU,GAAG,CACjB,KAAoC;IAEpC,oFAAoF;IACpF,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,KAAK,CAAC;IACzC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,EAAE,CAAC,CAAC,qCAAqC;IAE1D,qDAAqD;IACrD,0EAA0E;IAC1E,SAAS,sBAAsB,CAAC,CAAmB;QACjD,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;QACnB,kBAAkB;QAClB,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC;QACnC,kBAAkB;QAClB,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC;QAC9B,IAAI,SAAS,GAAsB,EAAE,CAAC;QACtC,KAAK,IAAI,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE;YACvC,SAAS;YACT,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM;YAC5B,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM;YAC5B,IAAI,EAAE,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,aAAa;YACxD,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS;YACnC,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,uBAAuB;YACpF,SAAS,CAAC,IAAI,CAAC;gBACb,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC;gBACf,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxB,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,MAAM;aACpB,CAAC,CAAC;YACH,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,4BAA4B;YACzF,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,6BAA6B;YAC5G,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;YAChC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;gBACtB,WAAW;gBACX,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,eAAe;gBACtD,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,eAAe;gBACtD,SAAS,CAAC,IAAI,CAAC;oBACb,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;oBACzC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACX,EAAE,EAAE,KAAK;iBACV,CAAC,CAAC;gBACH,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM;gBAC5B,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;gBACpC,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;gBACpC,IAAI,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,yBAAyB;gBACnG,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;gBAChC,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,2BAA2B;gBACxF,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU;aACjC;SACF;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,SAAS,UAAU,CAAC,GAAsB,EAAE,EAAY;QACtD,MAAM,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC;QACpB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACjB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;QACjB,IAAI,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE;YACnD,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;YACjB,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAC1E,IAAI,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;gBAChB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjB,GAAG,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;aAC3E;YACD,IAAI,CAAC,KAAK,CAAC;gBAAE,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;SAClC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,KAAK,GAAG;QACZ,gBAAgB,EAAE,GAAe,EAAE;YACjC,OAAO,EAAE,CAAC,OAAO,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,CAAC;KACF,CAAC;IAEF,4BAA4B;IAC5B,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5D,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CACtB,GAAG,EACH,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,KAAK,CAAC,EAAE,CAAC,UAAU,EAAE;QACzD,GAAG,KAAK,CAAC,WAAW;QACpB,GAAG,KAAK,CAAC,EAAE,CAAC,WAAW;KACxB,CAAC,CACH,CAAC;IAKF,SAAS,kBAAkB,CAAC,KAAS;QACnC,MAAM,CAAC,GAAG,KAAoC,CAAC;QAC/C,IAAI,CAAC,CAAC,aAAa;YAAE,OAAO,CAAC,CAAC,aAAa,CAAC;QAC5C,CAAC,CAAC,aAAa,GAAG,sBAAsB,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,CAAC,aAAa,CAAC;IACzB,CAAC;IAED,eAAe;IACf,gDAAgD;IAChD,oDAAoD;IACpD,iCAAiC;IACjC,IAAI;IAEJ,8DAA8D;IAC9D,MAAM,GAAG,GAAG,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5D,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CACtB,GAAG,EACH,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAA+C,EAAE,KAAK,CAAC,EAAE,CAAC,UAAU,EAAE;QACzF,GAAG,KAAK,CAAC,WAAW;QACpB,GAAG,KAAK,CAAC,EAAE,CAAC,WAAW;KACxB,CAAC,CACH,CAAC;IAEF,MAAM,EAAE,SAAS,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;IAE/B,8BAA8B;IAC9B,SAAS,OAAO,CAAC,CAAK,EAAE,CAAK,EAAE,oBAA6B,IAAI;QAC9D,IAAI,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC,CAAC,cAAc,EAAE,CAAC;QACnB,CAAC,CAAC,cAAc,EAAE,CAAC;QACnB,qDAAqD;QACrD,MAAM,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,UAAU,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,OAAO,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACrE,CAAC;IAMD,SAAS,MAAM,CAAC,KAAY;QAC1B,OAAO,KAAK,YAAY,EAAE,CAAC,eAAe,CAAC,CAAC,CAAE,KAAY,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACjG,CAAC;IACD,SAAS,MAAM,CAAC,KAAY;QAC1B,OAAO,KAAK,YAAY,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/E,CAAC;IACD,SAAS,UAAU,CAAC,KAAY,EAAE,OAA0B;QAC1D,OAAO,KAAK,YAAY,EAAE,CAAC,eAAe;YACxC,CAAC,CAAC,KAAK;YACP,CAAC,CAAE,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,OAAO,CAAQ,CAAC;IACnE,CAAC;IAED,uCAAuC;IACvC,aAAa;IACb,SAAS,YAAY,CAAC,UAAmB;QACvC,OAAO,EAAE,CAAC,eAAe,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;IAMD,SAAS,IAAI,CAAC,OAAc,EAAE,UAAmB,EAAE,OAA0B;QAC3E,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9C,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,sBAAsB,CAAC,UAAU,CAAC,CAAC,CAAC;QAC1E,IAAI,OAAO,YAAY,EAAE,CAAC,eAAe;YAAE,OAAO,QAAQ,CAAC;QAC3D,OAAO,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IAED,uFAAuF;IACvF,wBAAwB;IACxB,SAAS,MAAM,CACb,SAAgB,EAChB,OAAc,EACd,SAAgB,EAChB,OAA0B;QAE1B,MAAM,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5B,MAAM,EAAE,GAAG,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;QAClC,MAAM,CAAC,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5B,wEAAwE;QACxE,6CAA6C;QAC7C,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IAMD,SAAS,mBAAmB,CAAC,UAAmB;QAC9C,IAAI,CAAC,UAAU,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC3F,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,cAAc;QACrC,IAAI,UAAU,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,eAAe,EAAE;YAC/C,SAAS,CAAC,cAAc,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC;SAClB;QACD,oCAAoC;QACpC,OAAO,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;IAKD,SAAS,mBAAmB,CAAC,UAAmB;QAC9C,IAAI,CAAC,UAAU,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QAC3F,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,cAAc;QACrC,IAAI,UAAU,CAAC,CAAC,CAAC,YAAY,EAAE,CAAC,eAAe,EAAE;YAC/C,SAAS,CAAC,cAAc,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC;SAClB;QACD,OAAO,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAED,2EAA2E;IAC3E,gDAAgD;IAChD,SAAS,WAAW,CAClB,SAAgB,EAChB,QAAiB,EACjB,UAAmB,EACnB,OAA0B;QAE1B,aAAa;QACb,kGAAkG;QAElG,IAAI,CAAC,QAAQ,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAC3E,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACvC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI;YACF,MAAM,MAAM,GAAG,EAAE,CAAC;YAClB,KAAK,MAAM,OAAO,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,EAAE;gBACxC,MAAM,cAAc,GAAG,SAAS,CAAC,MAAM,CACrC,CAAC,cAAc,EAAE,UAAU,EAAE,CAAC,EAAE,EAAE,CAChC,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,EAC9E,EAAE,CAAC,eAAe,CAAC,IAAI,CACxB,CAAC;gBACF,yFAAyF;gBACzF,4EAA4E;gBAC5E,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;aACtD;YACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;YACnE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAClE,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAC5C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;SAChC;QAAC,MAAM;YACN,OAAO,KAAK,CAAC;SACd;IACH,CAAC;IAED,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;IAE1C,OAAO;QACL,KAAK;QACL,EAAE;QACF,EAAE;QACF,GAAG;QACH,GAAG;QACH,IAAI;QACJ,EAAE;QACF,EAAE;QACF,SAAS;QACT,UAAU;QACV,sBAAsB;QACtB,OAAO;QACP,YAAY;QACZ,IAAI;QACJ,MAAM;QACN,mBAAmB;QACnB,mBAAmB;QACnB,WAAW;QACX,KAAK;KACN,CAAC;AACJ,CAAC"}

package/esm/abstract/curve.js

@@ -0,0 +1,152 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Abelian group utilities
+import { validateField, nLength } from './modular.js';
+import { validateObject } from './utils.js';
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+// Elliptic curve multiplication of Point by scalar. Fragile.
+// Scalars should always be less than curve order: this should be checked inside of a curve itself.
+// Creates precomputation tables for fast multiplication:
+// - private scalar is split by fixed size windows of W bits
+// - every window point is collected from window's table & added to accumulator
+// - since windows are different, same point inside tables won't be accessed more than once per calc
+// - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+// - +1 window is neccessary for wNAF
+// - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+// TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
+// windows to be in different memory locations
+export function wNAF(c, bits) {
+    const constTimeNegate = (condition, item) => {
+        const neg = item.negate();
+        return condition ? neg : item;
+    };
+    const opts = (W) => {
+        const windows = Math.ceil(bits / W) + 1; // +1, because
+        const windowSize = 2 ** (W - 1); // -1 because we skip zero
+        return { windows, windowSize };
+    };
+    return {
+        constTimeNegate,
+        // non-const time multiplication ladder
+        unsafeLadder(elm, n) {
+            let p = c.ZERO;
+            let d = elm;
+            while (n > _0n) {
+                if (n & _1n)
+                    p = p.add(d);
+                d = d.double();
+                n >>= _1n;
+            }
+            return p;
+        },
+        /**
+         * Creates a wNAF precomputation window. Used for caching.
+         * Default window size is set by `utils.precompute()` and is equal to 8.
+         * Number of precomputed points depends on the curve size:
+         * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+         * - 𝑊 is the window size
+         * - 𝑛 is the bitlength of the curve order.
+         * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+         * @returns precomputed point tables flattened to a single array
+         */
+        precomputeWindow(elm, W) {
+            const { windows, windowSize } = opts(W);
+            const points = [];
+            let p = elm;
+            let base = p;
+            for (let window = 0; window < windows; window++) {
+                base = p;
+                points.push(base);
+                // =1, because we skip zero
+                for (let i = 1; i < windowSize; i++) {
+                    base = base.add(p);
+                    points.push(base);
+                }
+                p = base.double();
+            }
+            return points;
+        },
+        /**
+         * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+         * @param W window size
+         * @param precomputes precomputed tables
+         * @param n scalar (we don't check here, but should be less than curve order)
+         * @returns real and fake (for const-time) points
+         */
+        wNAF(W, precomputes, n) {
+            // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
+            // But need to carefully remove other checks before wNAF. ORDER == bits here
+            const { windows, windowSize } = opts(W);
+            let p = c.ZERO;
+            let f = c.BASE;
+            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
+            const maxNumber = 2 ** W;
+            const shiftBy = BigInt(W);
+            for (let window = 0; window < windows; window++) {
+                const offset = window * windowSize;
+                // Extract W bits.
+                let wbits = Number(n & mask);
+                // Shift number by W bits.
+                n >>= shiftBy;
+                // If the bits are bigger than max size, we'll split those.
+                // +224 => 256 - 32
+                if (wbits > windowSize) {
+                    wbits -= maxNumber;
+                    n += _1n;
+                }
+                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+                // there is negate now: it is possible that negated element from low value
+                // would be the same as high element, which will create carry into next window.
+                // It's not obvious how this can fail, but still worth investigating later.
+                // Check if we're onto Zero point.
+                // Add random point inside current window to f.
+                const offset1 = offset;
+                const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero
+                const cond1 = window % 2 !== 0;
+                const cond2 = wbits < 0;
+                if (wbits === 0) {
+                    // The most important part for const-time getPublicKey
+                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+                }
+                else {
+                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+                }
+            }
+            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
+            // Even if the variable is still unused, there are some checks which will
+            // throw an exception, so compiler needs to prove they won't happen, which is hard.
+            // At this point there is a way to F be infinity-point even if p is not,
+            // which makes it less const-time: around 1 bigint multiply.
+            return { p, f };
+        },
+        wNAFCached(P, precomputesMap, n, transform) {
+            // @ts-ignore
+            const W = P._WINDOW_SIZE || 1;
+            // Calculate precomputes on a first run, reuse them after
+            let comp = precomputesMap.get(P);
+            if (!comp) {
+                comp = this.precomputeWindow(P, W);
+                if (W !== 1) {
+                    precomputesMap.set(P, transform(comp));
+                }
+            }
+            return this.wNAF(W, comp, n);
+        },
+    };
+}
+export function validateBasic(curve) {
+    validateField(curve.Fp);
+    validateObject(curve, {
+        n: 'bigint',
+        h: 'bigint',
+        Gx: 'field',
+        Gy: 'field',
+    }, {
+        nBitLength: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+    });
+    // Set defaults
+    return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
+}
+//# sourceMappingURL=curve.js.map

package/esm/abstract/curve.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"curve.js","sourceRoot":"","sources":["../../src/abstract/curve.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,0BAA0B;AAC1B,OAAO,EAAS,aAAa,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAsBtB,6DAA6D;AAC7D,mGAAmG;AACnG,yDAAyD;AACzD,4DAA4D;AAC5D,+EAA+E;AAC/E,oGAAoG;AACpG,oGAAoG;AACpG,qCAAqC;AACrC,kGAAkG;AAClG,gGAAgG;AAChG,8CAA8C;AAC9C,MAAM,UAAU,IAAI,CAAqB,CAAsB,EAAE,IAAY;IAC3E,MAAM,eAAe,GAAG,CAAC,SAAkB,EAAE,IAAO,EAAK,EAAE;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;IAChC,CAAC,CAAC;IACF,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,cAAc;QACvD,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,0BAA0B;QAC3D,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IACjC,CAAC,CAAC;IACF,OAAO;QACL,eAAe;QACf,uCAAuC;QACvC,YAAY,CAAC,GAAM,EAAE,CAAS;YAC5B,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACf,IAAI,CAAC,GAAM,GAAG,CAAC;YACf,OAAO,CAAC,GAAG,GAAG,EAAE;gBACd,IAAI,CAAC,GAAG,GAAG;oBAAE,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC1B,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;gBACf,CAAC,KAAK,GAAG,CAAC;aACX;YACD,OAAO,CAAC,CAAC;QACX,CAAC;QAED;;;;;;;;;WASG;QACH,gBAAgB,CAAC,GAAM,EAAE,CAAS;YAChC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACxC,MAAM,MAAM,GAAQ,EAAE,CAAC;YACvB,IAAI,CAAC,GAAM,GAAG,CAAC;YACf,IAAI,IAAI,GAAG,CAAC,CAAC;YACb,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC/C,IAAI,GAAG,CAAC,CAAC;gBACT,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAClB,2BAA2B;gBAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE;oBACnC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBACnB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBACnB;gBACD,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;aACnB;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED;;;;;;WAMG;QACH,IAAI,CAAC,CAAS,EAAE,WAAgB,EAAE,CAAS;YACzC,gGAAgG;YAChG,4EAA4E;YAC5E,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YAExC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACf,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YAEf,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,+CAA+C;YAChF,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,CAAC;YACzB,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YAE1B,KAAK,IAAI,MAAM,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC/C,MAAM,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;gBACnC,kBAAkB;gBAClB,IAAI,KAAK,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;gBAE7B,0BAA0B;gBAC1B,CAAC,KAAK,OAAO,CAAC;gBAEd,2DAA2D;gBAC3D,mBAAmB;gBACnB,IAAI,KAAK,GAAG,UAAU,EAAE;oBACtB,KAAK,IAAI,SAAS,CAAC;oBACnB,CAAC,IAAI,GAAG,CAAC;iBACV;gBAED,6FAA6F;gBAC7F,qFAAqF;gBACrF,0EAA0E;gBAC1E,+EAA+E;gBAC/E,2EAA2E;gBAE3E,kCAAkC;gBAClC,+CAA+C;gBAC/C,MAAM,OAAO,GAAG,MAAM,CAAC;gBACvB,MAAM,OAAO,GAAG,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,0BAA0B;gBACxE,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,KAAK,CAAC,CAAC;gBAC/B,MAAM,KAAK,GAAG,KAAK,GAAG,CAAC,CAAC;gBACxB,IAAI,KAAK,KAAK,CAAC,EAAE;oBACf,sDAAsD;oBACtD,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;iBACzD;qBAAM;oBACL,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;iBACzD;aACF;YACD,wFAAwF;YACxF,yEAAyE;YACzE,mFAAmF;YACnF,wEAAwE;YACxE,4DAA4D;YAC5D,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;QAClB,CAAC;QAED,UAAU,CAAC,CAAI,EAAE,cAA2B,EAAE,CAAS,EAAE,SAAoB;YAC3E,aAAa;YACb,MAAM,CAAC,GAAW,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC;YACtC,yDAAyD;YACzD,IAAI,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC,IAAI,EAAE;gBACT,IAAI,GAAG,IAAI,CAAC,gBAAgB,CAAC,CAAC,EAAE,CAAC,CAAQ,CAAC;gBAC1C,IAAI,CAAC,KAAK,CAAC,EAAE;oBACX,cAAc,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;iBACxC;aACF;YACD,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;KACF,CAAC;AACJ,CAAC;AAgBD,MAAM,UAAU,aAAa,CAAQ,KAAyB;IAC5D,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACxB,cAAc,CACZ,KAAK,EACL;QACE,CAAC,EAAE,QAAQ;QACX,CAAC,EAAE,QAAQ;QACX,EAAE,EAAE,OAAO;QACX,EAAE,EAAE,OAAO;KACZ,EACD;QACE,UAAU,EAAE,eAAe;QAC3B,WAAW,EAAE,eAAe;KAC7B,CACF,CAAC;IACF,eAAe;IACf,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,GAAG,KAAK,EAAW,CAAC,CAAC;AACrF,CAAC"}