@noble/curves 0.9.0 → 1.0.0

package/src/ed25519.ts

@@ -95,15 +95,15 @@ export const ED25519_TORSION_SUBGROUP = [
 
 const Fp = Field(ED25519_P, undefined, true);
 
-const ED25519_DEF = {
+const ed25519Defaults = {
   // Param: a
-  a: BigInt(-1),
-  // Equal to -121665/121666 over finite field.
+  a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
+  // d is equal to -121665/121666 over finite field.
   // Negative number is P - number, and division is invert(number, P)
   d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
   // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
   Fp,
-  // Subgroup order: how many points ed25519 has
+  // Subgroup order: how many points curve has
   // 2n ** 252n + 27742317777372353535851937790883648493n;
   n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
   // Cofactor
@@ -120,7 +120,7 @@ const ED25519_DEF = {
   uvRatio,
 } as const;
 
-export const ed25519 = twistedEdwards(ED25519_DEF);
+export const ed25519 = twistedEdwards(ed25519Defaults);
 function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   if (ctx.length > 255) throw new Error('Context is too big');
   return concatBytes(
@@ -130,11 +130,11 @@ function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
     data
   );
 }
-export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
+export const ed25519ctx = twistedEdwards({ ...ed25519Defaults, domain: ed25519_domain });
 export const ed25519ph = twistedEdwards({
-  ...ED25519_DEF,
+  ...ed25519Defaults,
   domain: ed25519_domain,
-  preHash: sha512,
+  prehash: sha512,
 });
 
 export const x25519 = montgomery({
@@ -153,6 +153,20 @@ export const x25519 = montgomery({
   randomBytes,
 });
 
+/**
+ * Converts ed25519 public key to x25519 public key. Uses formula:
+ * * `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+ * * `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+ * @example
+ *   const aPub = ed25519.getPublicKey(utils.randomPrivateKey());
+ *   x25519.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
+ */
+export function edwardsToMontgomery(edwardsPub: Hex): Uint8Array {
+  const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+}
+
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart
@@ -204,7 +218,7 @@ function map_to_curve_elligator2_curve25519(u: bigint) {
   let y = Fp.cmov(y2, y1, e3);  //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
   let e4 = Fp.isOdd(y);         //  37.  e4 = sgn0(y) == 1        # Fix sign of y
   y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
-  return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
+  return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; //  39. return (xn, xd, y, 1)
 }
 
 const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0

package/src/ed448.ts

@@ -54,6 +54,7 @@ function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
 }
 
 const Fp = Field(ed448P, 456, true);
+const _4n = BigInt(4);
 
 const ED448_DEF = {
   // Param: a
@@ -119,7 +120,7 @@ const ED448_DEF = {
 
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
-export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
+export const ed448ph = twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
 
 export const x448 = montgomery({
   a: BigInt(156326),
@@ -135,22 +136,22 @@ export const x448 = montgomery({
   },
   adjustScalarBytes,
   randomBytes,
-  // The 4-isogeny maps between the Montgomery curve and this Edwards
-  // curve are:
-  //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
-  //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
-  //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
-  //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
-  // xyToU: (p: PointType) => {
-  //   const P = ed448P;
-  //   const { x, y } = p;
-  //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
-  //   const invX = invert(x * x, P); // x^2
-  //   const u = mod(y * y * invX, P); // (y^2/x^2)
-  //   return numberToBytesLE(u, 56);
-  // },
 });
 
+/**
+ * Converts edwards448 public key to x448 public key. Uses formula:
+ * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+ * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+ * @example
+ *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
+ *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
+ */
+export function edwardsToMontgomery(edwardsPub: string | Uint8Array): Uint8Array {
+  const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+}
+
 // Hash To Curve Elligator2 Map
 const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = BigInt(156326);
@@ -195,10 +196,10 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
   xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
   xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
-  xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+  xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
   tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
   tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
-  let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+  let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
   let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
   tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
   let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2

package/src/p256.ts

@@ -5,10 +5,9 @@ import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 
-// NIST secp256r1 aka P256
+// NIST secp256r1 aka p256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 
-// Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
 const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
 const CURVE_A = Fp.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
@@ -19,23 +18,20 @@ const mapSWU = mapToCurveSimpleSWU(Fp, {
   Z: Fp.create(BigInt('-10')),
 });
 
-export const P256 = createCurve(
-  {
-    // Params: a, b
-    a: CURVE_A,
-    b: CURVE_B,
-    Fp,
-    // Curve order, total count of valid points in the field
-    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-    h: BigInt(1),
-    lowS: false,
-  } as const,
-  sha256
-);
-export const secp256r1 = P256;
+// prettier-ignore
+export const p256 = createCurve({
+  a: CURVE_A, // Equation params: a, b
+  b: CURVE_B,
+  Fp, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+  // Curve order, total count of valid points in the field
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  // Base (generator) point (x, y)
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+  h: BigInt(1),
+  lowS: false,
+} as const, sha256);
+export const secp256r1 = p256;
 
 const { hashToCurve, encodeToCurve } = htf.createHasher(
   secp256r1.ProjectivePoint,

package/src/p384.ts

@@ -5,10 +5,10 @@ import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 
-// NIST secp384r1 aka P384
+// NIST secp384r1 aka p384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 
-// Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+// Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
 const Fp = Field(P);
@@ -16,31 +16,27 @@ const CURVE_A = Fp.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 
+// prettier-ignore
+export const p384 = createCurve({
+  a: CURVE_A, // Equation params: a, b
+  b: CURVE_B,
+  Fp, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+  // Curve order, total count of valid points in the field.
+  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+  // Base (generator) point (x, y)
+  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+  h: BigInt(1),
+  lowS: false,
+} as const, sha384);
+export const secp384r1 = p384;
+
 const mapSWU = mapToCurveSimpleSWU(Fp, {
   A: CURVE_A,
   B: CURVE_B,
   Z: Fp.create(BigInt('-12')),
 });
 
-// prettier-ignore
-export const P384 = createCurve({
-    // Params: a, b
-    a: CURVE_A,
-    b: CURVE_B,
-    // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-    Fp,
-    // Curve order, total count of valid points in the field.
-    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
-    h: BigInt(1),
-    lowS: false,
-  } as const,
-  sha384
-);
-export const secp384r1 = P384;
-
 const { hashToCurve, encodeToCurve } = htf.createHasher(
   secp384r1.ProjectivePoint,
   (scalars: bigint[]) => mapSWU(scalars[0]),

package/src/p521.ts

@@ -5,41 +5,53 @@ import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import * as htf from './abstract/hash-to-curve.js';
 
-// NIST secp521r1 aka P521
+// NIST secp521r1 aka p521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
 
-// Field over which we'll do calculations; 2n**521n - 1n
+// Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
 const Fp = Field(P);
 
-const CURVE_A = Fp.create(BigInt('-3'));
-// prettier-ignore
-const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00');
-
-const mapSWU = mapToCurveSimpleSWU(Fp, {
-  A: CURVE_A,
-  B: CURVE_B,
-  Z: Fp.create(BigInt('-4')),
-});
+const CURVE = {
+  a: Fp.create(BigInt('-3')),
+  b: BigInt(
+    '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+  ),
+  Fp,
+  n: BigInt(
+    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
+  ),
+  Gx: BigInt(
+    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
+  ),
+  Gy: BigInt(
+    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
+  ),
+  h: BigInt(1),
+};
 
 // prettier-ignore
-export const P521 = createCurve({
-  // Params: a, b
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp,
+export const p521 = createCurve({
+  a: CURVE.a, // Equation params: a, b
+  b: CURVE.b,
+  Fp, // Field: 2n**521n - 1n
   // Curve order, total count of valid points in the field
-  n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
-  Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
-  h: BigInt(1),
+  n: CURVE.n,
+  Gx: CURVE.Gx, // Base point (x, y) aka generator point
+  Gy: CURVE.Gy,
+  h: CURVE.h,
   lowS: false,
   allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
 } as const, sha512);
-export const secp521r1 = P521;
+export const secp521r1 = p521;
+
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+  A: CURVE.a,
+  B: CURVE.b,
+  Z: Fp.create(BigInt('-4')),
+});
 
 const { hashToCurve, encodeToCurve } = htf.createHasher(
   secp521r1.ProjectivePoint,

package/src/secp256k1.ts

@@ -131,7 +131,7 @@ function lift_x(x: bigint): PointType<bigint> {
   const xx = modP(x * x);
   const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
   let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
-  if (y % 2n !== 0n) y = modP(-y); // Return the unique point P such that x(P) = x and
+  if (y % _2n !== _0n) y = modP(-y); // Return the unique point P such that x(P) = x and
   const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
   p.assertValidity();
   return p;

package/bn.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"bn.d.ts","sourceRoot":"","sources":["src/bn.ts"],"names":[],"mappings":"AAKA;;;;;GAKG;AACH,eAAO,MAAM,KAAK,6CAShB,CAAC"}

package/bn.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"bn.js","sourceRoot":"","sources":["src/bn.ts"],"names":[],"mappings":";;;AAAA,sEAAsE;AACtE,iDAA8C;AAC9C,8DAAwD;AACxD,yDAA6C;AAC7C,sDAA8C;AAC9C;;;;;GAKG;AACU,QAAA,KAAK,GAAG,IAAA,4BAAW,EAAC;IAC/B,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,IAAA,kBAAK,EAAC,MAAM,CAAC,oEAAoE,CAAC,CAAC;IACvF,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,GAAG,IAAA,0BAAO,EAAC,eAAM,CAAC;CACnB,CAAC,CAAC"}

package/esm/bn.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"bn.js","sourceRoot":"","sources":["../src/bn.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,KAAK,GAAG,WAAW,CAAC;IAC/B,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,oEAAoE,CAAC,CAAC;IACvF,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,GAAG,OAAO,CAAC,MAAM,CAAC;CACnB,CAAC,CAAC"}