@noble/curves 0.8.3 → 0.9.1

package/src/abstract/modular.ts

@@ -97,7 +97,7 @@ export function tonelliShanks(P: bigint) {
   // Fast-path
   if (S === 1) {
     const p1div4 = (P + _1n) / _4n;
-    return function tonelliFast<T>(Fp: Field<T>, n: T) {
+    return function tonelliFast<T>(Fp: IField<T>, n: T) {
       const root = Fp.pow(n, p1div4);
       if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
       return root;
@@ -106,7 +106,7 @@ export function tonelliShanks(P: bigint) {
 
   // Slow-path
   const Q1div2 = (Q + _1n) / _2n;
-  return function tonelliSlow<T>(Fp: Field<T>, n: T): T {
+  return function tonelliSlow<T>(Fp: IField<T>, n: T): T {
     // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
     if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE)) throw new Error('Cannot find square root');
     let r = S;
@@ -146,7 +146,7 @@ export function FpSqrt(P: bigint) {
     //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
     // const NUM = 72057594037927816n;
     const p1div4 = (P + _1n) / _4n;
-    return function sqrt3mod4<T>(Fp: Field<T>, n: T) {
+    return function sqrt3mod4<T>(Fp: IField<T>, n: T) {
       const root = Fp.pow(n, p1div4);
       // Throw if root**2 != n
       if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
@@ -157,7 +157,7 @@ export function FpSqrt(P: bigint) {
   // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
   if (P % _8n === _5n) {
     const c1 = (P - _5n) / _8n;
-    return function sqrt5mod8<T>(Fp: Field<T>, n: T) {
+    return function sqrt5mod8<T>(Fp: IField<T>, n: T) {
       const n2 = Fp.mul(n, _2n);
       const v = Fp.pow(n2, c1);
       const nv = Fp.mul(n, v);
@@ -203,7 +203,7 @@ export const isNegativeLE = (num: bigint, modulo: bigint) => (mod(num, modulo) &
 // - unreadable mess: addition, multiply, square, squareRoot, inversion, divide, power, equals, subtract
 
 // Field is not always over prime, Fp2 for example has ORDER(q)=p^m
-export interface Field<T> {
+export interface IField<T> {
   ORDER: bigint;
   BYTES: number;
   BITS: number;
@@ -249,7 +249,7 @@ const FIELD_FIELDS = [
   'eql', 'add', 'sub', 'mul', 'pow', 'div',
   'addN', 'subN', 'mulN', 'sqrN'
 ] as const;
-export function validateField<T>(field: Field<T>) {
+export function validateField<T>(field: IField<T>) {
   const initial = {
     ORDER: 'bigint',
     MASK: 'bigint',
@@ -264,7 +264,7 @@ export function validateField<T>(field: Field<T>) {
 }
 
 // Generic field functions
-export function FpPow<T>(f: Field<T>, num: T, power: bigint): T {
+export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
   // Should have same speed as pow for bigints
   // TODO: benchmark!
   if (power < _0n) throw new Error('Expected power > 0');
@@ -275,12 +275,13 @@ export function FpPow<T>(f: Field<T>, num: T, power: bigint): T {
   while (power > _0n) {
     if (power & _1n) p = f.mul(p, d);
     d = f.sqr(d);
-    power >>= 1n;
+    power >>= _1n;
   }
   return p;
 }
 
-export function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[] {
+// 0 is non-invertible: non-batched version will throw on 0
+export function FpInvertBatch<T>(f: IField<T>, nums: T[]): T[] {
   const tmp = new Array(nums.length);
   // Walk from first to last, multiply them by each other MOD p
   const lastMultiplied = nums.reduce((acc, num, i) => {
@@ -299,12 +300,12 @@ export function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[] {
   return tmp;
 }
 
-export function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T {
+export function FpDiv<T>(f: IField<T>, lhs: T, rhs: T | bigint): T {
   return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 
 // This function returns True whenever the value x is a square in the field F.
-export function FpIsSquare<T>(f: Field<T>) {
+export function FpIsSquare<T>(f: IField<T>) {
   const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
   return (x: T): boolean => {
     const p = f.pow(x, legendreConst);
@@ -320,16 +321,24 @@ export function nLength(n: bigint, nBitLength?: number) {
   return { nBitLength: _nBitLength, nByteLength };
 }
 
-// NOTE: very fragile, always bench. Major performance points:
-// - NonNormalized ops
-// - Object.freeze
-// - same shape of object (don't add/remove keys)
-type FpField = Field<bigint> & Required<Pick<Field<bigint>, 'isOdd'>>;
-export function Fp(
+type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
+/**
+ * Initializes a galois field over prime. Non-primes are not supported for now.
+ * Do not init in loop: slow. Very fragile: always run a benchmark on change.
+ * Major performance gains:
+ * a) non-normalized operations like mulN instead of mul
+ * b) `Object.freeze`
+ * c) Same object shape: never add or remove keys
+ * @param ORDER prime positive bigint
+ * @param bitLen how many bits the field consumes
+ * @param isLE (def: false) if encoding / decoding should be in little-endian
+ * @param redef optional faster redefinitions of sqrt and other methods
+ */
+export function Field(
   ORDER: bigint,
   bitLen?: number,
   isLE = false,
-  redef: Partial<Field<bigint>> = {}
+  redef: Partial<IField<bigint>> = {}
 ): Readonly<FpField> {
   if (ORDER <= _0n) throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
   const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
@@ -382,13 +391,13 @@ export function Fp(
   return Object.freeze(f);
 }
 
-export function FpSqrtOdd<T>(Fp: Field<T>, elm: T) {
+export function FpSqrtOdd<T>(Fp: IField<T>, elm: T) {
   if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
   const root = Fp.sqrt(elm);
   return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 
-export function FpSqrtEven<T>(Fp: Field<T>, elm: T) {
+export function FpSqrtEven<T>(Fp: IField<T>, elm: T) {
   if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
   const root = Fp.sqrt(elm);
   return Fp.isOdd(root) ? Fp.neg(root) : root;

package/src/abstract/poseidon.ts

@@ -1,10 +1,10 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
-import { Field, FpPow, validateField } from './modular.js';
+import { IField, FpPow, validateField } from './modular.js';
 // We don't provide any constants, since different implementations use different constants.
 // For reference constants see './test/poseidon.test.js'.
 export type PoseidonOpts = {
-  Fp: Field<bigint>;
+  Fp: IField<bigint>;
   t: number;
   roundsFull: number;
   roundsPartial: number;

package/src/abstract/weierstrass.ts

@@ -58,6 +58,8 @@ export interface ProjPointType<T> extends Group<ProjPointType<T>> {
   readonly px: T;
   readonly py: T;
   readonly pz: T;
+  get x(): T;
+  get y(): T;
   multiply(scalar: bigint): ProjPointType<T>;
   toAffine(iz?: T): AffinePoint<T>;
   isTorsionFree(): boolean;
@@ -82,8 +84,8 @@ export interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
 
 export type CurvePointsType<T> = BasicWCurve<T> & {
   // Bytes
-  fromBytes: (bytes: Uint8Array) => AffinePoint<T>;
-  toBytes: (c: ProjConstructor<T>, point: ProjPointType<T>, compressed: boolean) => Uint8Array;
+  fromBytes?: (bytes: Uint8Array) => AffinePoint<T>;
+  toBytes?: (c: ProjConstructor<T>, point: ProjPointType<T>, isCompressed: boolean) => Uint8Array;
 };
 
 function validatePointOpts<T>(curve: CurvePointsType<T>) {
@@ -93,8 +95,6 @@ function validatePointOpts<T>(curve: CurvePointsType<T>) {
     {
       a: 'field',
       b: 'field',
-      fromBytes: 'function',
-      toBytes: 'function',
     },
     {
       allowedPrivateKeyLengths: 'array',
@@ -102,6 +102,8 @@ function validatePointOpts<T>(curve: CurvePointsType<T>) {
       isTorsionFree: 'function',
       clearCofactor: 'function',
       allowInfinityPoint: 'boolean',
+      fromBytes: 'function',
+      toBytes: 'function',
     }
   );
   const { endo, Fp, a } = opts;
@@ -176,14 +178,31 @@ const DER = {
   },
 };
 
-// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
-const _0n = BigInt(0);
-const _1n = BigInt(1);
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
 export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   const CURVE = validatePointOpts(opts);
   const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
 
+  const toBytes =
+    CURVE.toBytes ||
+    ((c: ProjConstructor<T>, point: ProjPointType<T>, isCompressed: boolean) => {
+      const a = point.toAffine();
+      return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
+    });
+  const fromBytes =
+    CURVE.fromBytes ||
+    ((bytes: Uint8Array) => {
+      // const head = bytes[0];
+      const tail = bytes.subarray(1);
+      // if (head !== 0x04) throw new Error('Only non-compressed encoding is supported');
+      const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
+      const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
+      return { x, y };
+    });
+
   /**
    * y² = x³ + ax + b: Short weierstrass curve formula
    * @returns y²
@@ -280,7 +299,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
      * @param hex short/long ECDSA hex
      */
     static fromHex(hex: Hex): Point {
-      const P = Point.fromAffine(CURVE.fromBytes(ensureBytes('pointHex', hex)));
+      const P = Point.fromAffine(fromBytes(ensureBytes('pointHex', hex)));
       P.assertValidity();
       return P;
     }
@@ -348,7 +367,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
     // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
     double() {
       const { a, b } = CURVE;
-      const b3 = Fp.mul(b, 3n);
+      const b3 = Fp.mul(b, _3n);
       const { px: X1, py: Y1, pz: Z1 } = this;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       let t0 = Fp.mul(X1, X1); // step 1
@@ -395,7 +414,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
       const { px: X2, py: Y2, pz: Z2 } = other;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       const a = CURVE.a;
-      const b3 = Fp.mul(CURVE.b, 3n);
+      const b3 = Fp.mul(CURVE.b, _3n);
       let t0 = Fp.mul(X1, X2); // step 1
       let t1 = Fp.mul(Y1, Y2);
       let t2 = Fp.mul(Z1, Z2);
@@ -563,7 +582,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
 
     toRawBytes(isCompressed = true): Uint8Array {
       this.assertValidity();
-      return CURVE.toBytes(Point, this, isCompressed);
+      return toBytes(Point, this, isCompressed);
     }
 
     toHex(isCompressed = true): string {
@@ -574,6 +593,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
 
   return {
+    CURVE,
     ProjectivePoint: Point as ProjConstructor<T>,
     normPrivateKeyToScalar,
     weierstrassEquation,
@@ -652,8 +672,7 @@ export type CurveFn = {
 
 export function weierstrass(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
-  const CURVE_ORDER = CURVE.n;
-  const Fp = CURVE.Fp;
+  const { Fp, n: CURVE_ORDER } = CURVE;
   const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
   const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
 
@@ -1055,22 +1074,21 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 }
 
 // Implementation of the Shallue and van de Woestijne method for any Weierstrass curve
-
 // TODO: check if there is a way to merge this with uvRatio in Edwards && move to modular?
 // b = True and y = sqrt(u / v) if (u / v) is square in F, and
 // b = False and y = sqrt(Z * (u / v)) otherwise.
-export function SWUFpSqrtRatio<T>(Fp: mod.Field<T>, Z: T) {
+export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
   // Generic implementation
   const q = Fp.ORDER;
-  let l = 0n;
-  for (let o = q - 1n; o % 2n === 0n; o /= 2n) l += 1n;
+  let l = _0n;
+  for (let o = q - _1n; o % _2n === _0n; o /= _2n) l += _1n;
   const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-  const c2 = (q - 1n) / 2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
-  const c3 = (c2 - 1n) / 2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-  const c4 = 2n ** c1 - 1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
-  const c5 = 2n ** (c1 - 1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
+  const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
+  const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+  const c4 = _2n ** c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+  const c5 = _2n ** (c1 - _1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
   const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
-  const c7 = Fp.pow(Z, (c2 + 1n) / 2n); // 7. c7 = Z^((c2 + 1) / 2)
+  const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
   let sqrtRatio = (u: T, v: T): { isValid: boolean; value: T } => {
     let tv1 = c6; // 1. tv1 = c6
     let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
@@ -1090,7 +1108,7 @@ export function SWUFpSqrtRatio<T>(Fp: mod.Field<T>, Z: T) {
     tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
     // 17. for i in (c1, c1 - 1, ..., 2):
     for (let i = c1; i > 1; i--) {
-      let tv5 = 2n ** (i - 2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
+      let tv5 = _2n ** (i - _2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
       let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
       const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
       tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
@@ -1101,9 +1119,9 @@ export function SWUFpSqrtRatio<T>(Fp: mod.Field<T>, Z: T) {
     }
     return { isValid: isQR, value: tv3 };
   };
-  if (Fp.ORDER % 4n === 3n) {
+  if (Fp.ORDER % _4n === _3n) {
     // sqrt_ratio_3mod4(u, v)
-    const c1 = (Fp.ORDER - 3n) / 4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+    const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
     const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
     sqrtRatio = (u: T, v: T) => {
       let tv1 = Fp.sqr(v); // 1. tv1 = v^2
@@ -1119,12 +1137,12 @@ export function SWUFpSqrtRatio<T>(Fp: mod.Field<T>, Z: T) {
     };
   }
   // No curves uses that
-  // if (Fp.ORDER % 8n === 5n) // sqrt_ratio_5mod8
+  // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
   return sqrtRatio;
 }
 // From draft-irtf-cfrg-hash-to-curve-16
 export function mapToCurveSimpleSWU<T>(
-  Fp: mod.Field<T>,
+  Fp: mod.IField<T>,
   opts: {
     A: T;
     B: T;