@noble/curves 1.2.0 → 1.4.0

package/README.md

@@ -2,30 +2,36 @@
 
 Audited & minimal JS implementation of elliptic curve cryptography.
 
-- 🔒 [**Audited**](#security) by an independent security firm
+- 🔒 [**Audited**](#security) by independent security firms
 - 🔻 Tree-shaking-friendly: use only what's necessary, other code won't be included
 - 🏎 Ultra-fast, hand-optimized for caveats of JS engines
 - 🔍 Unique tests ensure correctness: property-based, cross-library and Wycheproof vectors, fuzzing
 - ➰ Short Weierstrass, Edwards, Montgomery curves
-- ✍️ ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
-- 🔖 SUF-CMA and SBS (non-repudiation) for ed25519, ed448 and others
-- #️⃣ hash-to-curve for encoding or hashing an arbitrary string to an elliptic curve point
+- ✍️ ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement, hashing to curves
+- 🔖 SUF-CMA, SBS (non-repudiation), ZIP215 (consensus friendliness) features for ed25519
 - 🧜‍♂️ Poseidon ZK-friendly hash
+- 🪶 178KB for everything, 25KB for single-curve build
 
-### This library belongs to _noble_ crypto
+For discussions, questions and support, visit
+[GitHub Discussions](https://github.com/paulmillr/noble-curves/discussions)
+section of the repository.
 
-> **noble-crypto** — high-security, easily auditable set of contained cryptographic libraries and tools.
+### This library belongs to _noble_ cryptography
 
-- No dependencies, protection against supply chain attacks
-- Auditable TypeScript / JS code
-- Supported on all major platforms
-- Releases are signed with PGP keys and built transparently with NPM provenance
-- Check out [homepage](https://paulmillr.com/noble/) & all libraries:
+> **noble cryptography** — high-security, easily auditable set of contained cryptographic libraries and tools.
+
+- Zero or minimal dependencies
+- Highly readable TypeScript / JS code
+- PGP-signed releases and transparent NPM builds
+- All libraries:
   [ciphers](https://github.com/paulmillr/noble-ciphers),
   [curves](https://github.com/paulmillr/noble-curves),
   [hashes](https://github.com/paulmillr/noble-hashes),
+  [post-quantum](https://github.com/paulmillr/noble-post-quantum),
   4kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
   [ed25519](https://github.com/paulmillr/noble-ed25519)
+- [Check out homepage](https://paulmillr.com/noble/)
+  for reading resources, documentation and apps built with noble
 
 ## Usage
 
@@ -33,13 +39,19 @@ Audited & minimal JS implementation of elliptic curve cryptography.
 
 We support all major platforms and runtimes.
 For [Deno](https://deno.land), ensure to use [npm specifier](https://deno.land/manual@v1.28.0/node/npm_specifiers).
-For React Native, you may need a [polyfill for crypto.getRandomValues](https://github.com/LinusU/react-native-get-random-values).
-If you don't like NPM, a standalone [noble-curves.js](https://github.com/paulmillr/noble-curves/releases) is also available.
+For React Native, you may need a [polyfill for getRandomValues](https://github.com/LinusU/react-native-get-random-values).
+A standalone file [noble-curves.js](https://github.com/paulmillr/noble-curves/releases) is also available.
+
+```js
+// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
+import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
+// import { secp256k1 } from 'npm:@noble/curves@1.4.0/secp256k1'; // Deno
+```
 
 - [Implementations](#implementations)
   - [ECDSA signature scheme](#ecdsa-signature-scheme)
   - [ECDSA public key recovery & extra entropy](#ecdsa-public-key-recovery--extra-entropy)
-  - [ECDH (Elliptic Curve Diffie-Hellman)](#ecdh-elliptic-curve-diffie-hellman)
+  - [ECDH: Elliptic Curve Diffie-Hellman](#ecdh-elliptic-curve-diffie-hellman)
   - [Schnorr signatures over secp256k1, BIP340](#schnorr-signatures-over-secp256k1-bip340)
   - [ed25519, X25519, ristretto255](#ed25519-x25519-ristretto255)
   - [ed448, X448, decaf448](#ed448-x448-decaf448)
@@ -47,37 +59,32 @@ If you don't like NPM, a standalone [noble-curves.js](https://github.com/paulmil
   - [All available imports](#all-available-imports)
   - [Accessing a curve's variables](#accessing-a-curves-variables)
 - [Abstract API](#abstract-api)
-  - [abstract/weierstrass: Short Weierstrass curve](#abstractweierstrass-short-weierstrass-curve)
-  - [abstract/edwards: Twisted Edwards curve](#abstractedwards-twisted-edwards-curve)
-  - [abstract/montgomery: Montgomery curve](#abstractmontgomery-montgomery-curve)
-  - [abstract/bls: Barreto-Lynn-Scott curves](#abstractbls-barreto-lynn-scott-curves)
-  - [abstract/hash-to-curve: Hashing strings to curve points](#abstracthash-to-curve-hashing-strings-to-curve-points)
-  - [abstract/poseidon: Poseidon hash](#abstractposeidon-poseidon-hash)
-  - [abstract/modular: Modular arithmetics utilities](#abstractmodular-modular-arithmetics-utilities)
+  - [weierstrass: Short Weierstrass curve](#weierstrass-short-weierstrass-curve)
+  - [edwards: Twisted Edwards curve](#edwards-twisted-edwards-curve)
+  - [montgomery: Montgomery curve](#montgomery-montgomery-curve)
+  - [bls: Barreto-Lynn-Scott curves](#bls-barreto-lynn-scott-curves)
+  - [hash-to-curve: Hashing strings to curve points](#hash-to-curve-hashing-strings-to-curve-points)
+  - [poseidon: Poseidon hash](#poseidon-poseidon-hash)
+  - [modular: Modular arithmetics utilities](#modular-modular-arithmetics-utilities)
     - [Creating private keys from hashes](#creating-private-keys-from-hashes)
-  - [abstract/utils: Useful utilities](#abstractutils-useful-utilities)
+  - [utils: Useful utilities](#utils-useful-utilities)
 - [Security](#security)
 - [Speed](#speed)
-- [Contributing & testing](#contributing--testing)
 - [Upgrading](#upgrading)
+- [Contributing & testing](#contributing--testing)
 - [Resources](#resources)
-  - [Demos](#demos)
-  - [Projects using curves](#projects-using-curves)
-- [License](#license)
 
 ### Implementations
 
-Implementations are utilizing [noble-hashes](https://github.com/paulmillr/noble-hashes).
-[Abstract API](#abstract-api) doesn't depend on them: you can use a different hashing library.
+Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
+If you want to use a different hashing library, [abstract API](#abstract-api) doesn't depend on them.
 
 #### ECDSA signature scheme
 
 Generic example that works for all curves, shown for secp256k1:
 
 ```ts
-// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
-import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
-// import { secp256k1 } from 'npm:@noble/curves@1.2.0/secp256k1'; // Deno
+import { secp256k1 } from '@noble/curves/secp256k1';
 const priv = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(priv);
 const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
@@ -89,16 +96,20 @@ const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c12623
 const pub2 = secp256k1.getPublicKey(privHex);
 ```
 
+We support P256 (secp256r1), P384 (secp384r1), P521 (secp521r1).
+
 #### ECDSA public key recovery & extra entropy
 
 ```ts
+// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex)
+// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format
 sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
 
 // extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html
 const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
 ```
 
-#### ECDH (Elliptic Curve Diffie-Hellman)
+#### ECDH: Elliptic Curve Diffie-Hellman
 
 ```ts
 // 1. The output includes parity byte. Strip it using shared.slice(1)
@@ -235,7 +246,7 @@ Same RFC7748 / RFC8032 / IRTF draft are followed.
 
 #### bls12-381
 
-See [abstract/bls](#abstractbls-barreto-lynn-scott-curves).
+See [abstract/bls](#bls-barreto-lynn-scott-curves).
 
 #### All available imports
 
@@ -274,7 +285,7 @@ Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
 could precompute any other point (e.g. for ECDH) using `utils.precompute()`
 method: check out examples.
 
-### abstract/weierstrass: Short Weierstrass curve
+### weierstrass: Short Weierstrass curve
 
 ```ts
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
@@ -316,6 +327,10 @@ type CHash = {
   outputLen: number;
   create(): any;
 };
+
+// example
+function sha256(message: Uint8Array) { return _internal_lowlvl(message) }
+sha256.outputLen = 32; // 32 bytes of output for sha2-256
 ```
 
 **Message hash** is expected instead of message itself:
@@ -441,7 +456,7 @@ const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey));
 fast.multiply(privKey); // much faster ECDH now
 ```
 
-### abstract/edwards: Twisted Edwards curve
+### edwards: Twisted Edwards curve
 
 ```ts
 import { twistedEdwards } from '@noble/curves/abstract/edwards';
@@ -531,7 +546,7 @@ interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
 }
 ```
 
-### abstract/montgomery: Montgomery curve
+### montgomery: Montgomery curve
 
 ```typescript
 import { montgomery } from '@noble/curves/abstract/montgomery';
@@ -558,7 +573,7 @@ Proper Elliptic Curve Points are not implemented yet.
 
 You must specify curve params `Fp`, `a`, `Gu` coordinate of u, `montgomeryBits` and `nByteLength`.
 
-### abstract/bls: Barreto-Lynn-Scott curves
+### bls: Barreto-Lynn-Scott curves
 
 The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.
 They allow to construct [zk-SNARKs](https://z.cash/technology/zksnarks/) and
@@ -567,6 +582,8 @@ use aggregated, batch-verifiable
 using Boneh-Lynn-Shacham signature scheme.
 
 The module doesn't expose `CURVE` property: use `G1.CURVE`, `G2.CURVE` instead.
+Only BLS12-381 is implemented currently.
+Defining BLS12-377 and BLS24 should be straightforward.
 
 Main methods and properties are:
 
@@ -579,8 +596,13 @@ Main methods and properties are:
 - `Signature` property with `fromHex`, `toHex` methods
 - `fields` containing `Fp`, `Fp2`, `Fp6`, `Fp12`, `Fr`
 
-Right now we only implement BLS12-381 (compatible with ETH and others),
-but in theory defining BLS12-377, BLS24 should be straightforward. An example:
+The default BLS uses short public keys (with public keys in G1 and signatures in G2).
+Short signatures (public keys in G2 and signatures in G1) is also supported, using:
+
+- `getPublicKeyForShortSignatures(privateKey)`
+- `signShortSignature(message, privateKey)`
+- `verifyShortSignature(signature, message, publicKey)`
+- `aggregateShortSignatures(signatures)`
 
 ```ts
 import { bls12_381 as bls } from '@noble/curves/bls12-381';
@@ -591,6 +613,12 @@ const signature = bls.sign(message, privateKey);
 const isValid = bls.verify(signature, message, publicKey);
 console.log({ publicKey, signature, isValid });
 
+// Use custom DST, e.g. for Ethereum consensus layer
+const htfEthereum = {DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_'};
+const signatureEth = bls.sign(message, privateKey, htfEthereum);
+const isValidEth = bls.verify(signature, message, publicKey, htfEthereum);
+console.log({ signatureEth, isValidEth });
+
 // Sign 1 msg with 3 keys
 const privateKeys = [
   '18f020b98eb798752a50ed0563b079c125b0db5dd0b1060d1c1b47d4a193e1e4',
@@ -612,68 +640,19 @@ const isValid3 = bls.verifyBatch(aggSignature3, messages, publicKeys);
 console.log({ publicKeys, signatures3, aggSignature3, isValid3 });
 
 // Pairings, with and without final exponentiation
-// bls.pairing(PointG1, PointG2);
-// bls.pairing(PointG1, PointG2, false);
-// bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(eGS, ePHm));
+bls.pairing(PointG1, PointG2);
+bls.pairing(PointG1, PointG2, false);
+bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2));
 
 // Others
-// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE
-// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr
+bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE
+bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr
+bls.params.x, bls.params.r, bls.params.G1b, bls.params.G2b
 
 // hash-to-curve examples can be seen below
 ```
 
-Full types:
-
-```ts
-getPublicKey: (privateKey: PrivKey) => Uint8Array;
-sign: {
-  (message: Hex, privateKey: PrivKey): Uint8Array;
-  (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
-};
-verify: (
-  signature: Hex | ProjPointType<Fp2>,
-  message: Hex | ProjPointType<Fp2>,
-  publicKey: Hex | ProjPointType<Fp>
-) => boolean;
-verifyBatch: (
-  signature: Hex | ProjPointType<Fp2>,
-  messages: (Hex | ProjPointType<Fp2>)[],
-  publicKeys: (Hex | ProjPointType<Fp>)[]
-) => boolean;
-aggregatePublicKeys: {
-  (publicKeys: Hex[]): Uint8Array;
-  (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
-};
-aggregateSignatures: {
-  (signatures: Hex[]): Uint8Array;
-  (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
-};
-millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
-pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
-G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
-G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
-Signature: SignatureCoder<Fp2>;
-params: {
-  x: bigint;
-  r: bigint;
-  G1b: bigint;
-  G2b: Fp2;
-};
-fields: {
-  Fp: IField<Fp>;
-  Fp2: IField<Fp2>;
-  Fp6: IField<Fp6>;
-  Fp12: IField<Fp12>;
-  Fr: IField<bigint>;
-};
-utils: {
-  randomPrivateKey: () => Uint8Array;
-  calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
-};
-```
-
-### abstract/hash-to-curve: Hashing strings to curve points
+### hash-to-curve: Hashing strings to curve points
 
 The module allows to hash arbitrary strings to elliptic curve points. Implements [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
 
@@ -731,7 +710,7 @@ type Opts = {
 };
 ```
 
-### abstract/poseidon: Poseidon hash
+### poseidon: Poseidon hash
 
 Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
 
@@ -755,7 +734,7 @@ type PoseidonOpts = {
 const instance = poseidon(opts: PoseidonOpts);
 ```
 
-### abstract/modular: Modular arithmetics utilities
+### modular: Modular arithmetics utilities
 
 ```ts
 import * as mod from '@noble/curves/abstract/modular';
@@ -792,19 +771,20 @@ and [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
 This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
 
 `hashToPrivateScalar()` that hashes to **private key** was created for this purpose.
-Use [abstract/hash-to-curve](#abstracthash-to-curve-hashing-strings-to-curve-points)
+Use [abstract/hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points)
 if you need to hash to **public key**.
 
 ```ts
 import { p256 } from '@noble/curves/p256';
 import { sha256 } from '@noble/hashes/sha256';
 import { hkdf } from '@noble/hashes/hkdf';
+import * as mod from '@noble/curves/abstract/modular';
 const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2)
 const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv
 const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
 ```
 
-### abstract/utils: Useful utilities
+### utils: Useful utilities
 
 ```ts
 import * as utils from '@noble/curves/abstract/utils';
@@ -826,43 +806,61 @@ utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
 
 ## Security
 
-1. The library has been independently audited:
-
-- in Feb 2023 by [Trail of Bits](https://www.trailofbits.com):
-  [PDF](https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf).
-  The audit has been funded by [Ryan Shea](https://www.shea.io).
-  Audit scope was abstract modules `curve`, `hash-to-curve`, `modular`, `poseidon`, `utils`, `weierstrass`,
-  and top-level modules `_shortw_utils` and `secp256k1`.
-  See [changes since v0.7.3 audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main).
-
-2. The library has been fuzzed by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz).
-   You can run the fuzzer by yourself to check it.
-3. [Timing attack](https://en.wikipedia.org/wiki/Timing_attack) considerations:
-   _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to
-   achieve in a scripting language. Which means _any other JS library can't have
-   constant-timeness_. Even statically typed Rust, a language without GC,
-   [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security)
-   for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
-   Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
-
-We consider infrastructure attacks like rogue NPM modules very important;
-that's why it's crucial to minimize the amount of 3rd-party dependencies & native bindings.
-If your app uses 500 dependencies, any dep could get hacked and you'll be
-downloading malware with every `npm install`. Our goal is to minimize this attack vector.
-As for devDependencies used by the library:
-
-- `@scure` base, bip32, bip39 (used in tests), micro-bmark (benchmark), micro-should (testing)
-  are developed by us and follow the same practices such as: minimal library size, auditability,
-  signed releases
-- prettier (linter), fast-check (property-based testing), typescript versions
-  are locked and rarely updated. Every update is checked with `npm-diff`.
-  The packages are big, which makes it hard to audit their source code thoroughly and fully.
-- They are only used if you clone the git repo and want to add some feature to it. End-users won't use them.
-
-As for key generation, we're deferring to built-in
+The library has been independently audited:
+
+- at version 1.2.0, in Sep 2023, by [Kudelski Security](https://kudelskisecurity.com)
+  - PDFs: [offline](./audit/2023-09-kudelski-audit-starknet.pdf)
+  - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/1.2.0..main)
+  - Scope: [scure-starknet](https://github.com/paulmillr/scure-starknet) and its related
+    abstract modules of noble-curves: `curve`, `modular`, `poseidon`, `weierstrass`
+  - The audit has been funded by [Starkware](https://starkware.co)
+- at version 0.7.3, in Feb 2023, by [Trail of Bits](https://www.trailofbits.com)
+  - PDFs: [online](https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf),
+    [offline](./audit/2023-01-trailofbits-audit-curves.pdf)
+  - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main)
+  - Scope: abstract modules `curve`, `hash-to-curve`, `modular`, `poseidon`, `utils`, `weierstrass` and
+    top-level modules `_shortw_utils` and `secp256k1`
+  - The audit has been funded by [Ryan Shea](https://www.shea.io)
+
+It is tested against property-based, cross-library and Wycheproof vectors,
+and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz).
+
+If you see anything unusual: investigate and report.
+
+### Constant-timeness
+
+_JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to
+achieve [timing attack](https://en.wikipedia.org/wiki/Timing_attack) resistance
+in a scripting language. Which means _any other JS library can't have
+constant-timeness_. Even statically typed Rust, a language without GC,
+[makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security)
+for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
+Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
+
+### Supply chain security
+
+* **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
+* **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
+* **Rare releasing** is followed to ensure less re-audit need for end-users
+* **Dependencies** are minimized and locked-down:
+   - If your app has 500 dependencies, any dep could get hacked and you'll be downloading
+     malware with every install. We make sure to use as few dependencies as possible
+   - We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff`
+   - One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality
+* **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users:
+   - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
+   - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
+
+### Randomness
+
+We're deferring to built-in
 [crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
 which is considered cryptographically secure (CSPRNG).
 
+In the past, browsers had bugs that made it weak: it may happen again.
+Implementing a userspace CSPRNG to get resilient to the weakness
+is even worse: there is no reliable userspace source of quality entropy.
+
 ## Speed
 
 Benchmark results on Apple M2 with node v20:
@@ -944,13 +942,6 @@ ed25519 x 3,088 ops/sec @ 323μs/op
 ed448 x 1,247 ops/sec @ 801μs/op
 ```
 
-## Contributing & testing
-
-1. Clone the repository
-2. `npm install` to install build dependencies like TypeScript
-3. `npm run build` to compile TypeScript code
-4. `npm run test` will execute all main tests
-
 ## Upgrading
 
 Previously, the library was split into single-feature packages
@@ -971,7 +962,7 @@ Upgrading from noble-secp256k1 1.7:
   - to use old behavior, which produced 65-byte uncompressed keys, set
     argument `isCompressed` to `false`: `getPublicKey(priv, false)`
 - `sign`
-  - is now sync; use `signAsync` for async version
+  - is now sync
   - now returns `Signature` instance with `{ r, s, recovery }` properties
   - `canonical` option was renamed to `lowS`
   - `recovered` option has been removed because recovery bit is always returned now
@@ -980,6 +971,7 @@ Upgrading from noble-secp256k1 1.7:
        Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
     2. If you must use DER encoding, switch to noble-curves (see above).
 - `verify`
+  - is now sync
   - `strict` option was renamed to `lowS`
 - `getSharedSecret`
   - now produce 33-byte compressed signatures by default
@@ -1009,61 +1001,18 @@ Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):
   - PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
 - Fp2 ORDER was corrected
 
+## Contributing & testing
+
+1. Clone the repository
+2. `npm install` to install build dependencies like TypeScript
+3. `npm run build` to compile TypeScript code
+4. `npm run test` will execute all main tests
+
 ## Resources
 
-- [Learning fast elliptic-curve cryptography](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/)
-- EdDSA
-  - [A Deep dive into Ed25519 Signatures](https://cendyne.dev/posts/2022-03-06-ed25519-signatures.html)
-  - [Ed25519 Deep Dive Addendum](https://cendyne.dev/posts/2022-09-11-ed25519-deep-dive-addendum.html)
-  - [It’s 255:19AM. Do you know what your validation criteria are?](https://hdevalence.ca/blog/2020-10-04-its-25519am)
-  - [Taming the many EdDSAs](https://csrc.nist.gov/csrc/media/Presentations/2023/crclub-2023-03-08/images-media/20230308-crypto-club-slides--taming-the-many-EdDSAs.pdf)
-    that describes concepts of Strong UnForgeability under Chosen Message Attacks and Strongly Binding Signatures
-  - [Cofactor Explained: Clearing Elliptic Curves’ dirty little secret](https://loup-vaillant.fr/tutorials/cofactor)
-  - [Surrounded by Elligators](https://loup-vaillant.fr/articles/implementing-elligator)
-- Pairings and BLS
-  - [BLS signatures for busy people](https://gist.github.com/paulmillr/18b802ad219b1aee34d773d08ec26ca2)
-  - [BLS12-381 for the rest of us](https://hackmd.io/@benjaminion/bls12-381)
-  - [Key concepts of pairings](https://medium.com/@alonmuroch_65570/bls-signatures-part-2-key-concepts-of-pairings-27a8a9533d0c)
-  - Pairing over bls12-381:
-    [fields](https://research.nccgroup.com/2020/07/06/pairing-over-bls12-381-part-1-fields/),
-    [curves](https://research.nccgroup.com/2020/07/13/pairing-over-bls12-381-part-2-curves/),
-    [pairings](https://research.nccgroup.com/2020/08/13/pairing-over-bls12-381-part-3-pairing/)
-  - [Estimating the bit security of pairing-friendly curves](https://research.nccgroup.com/2022/02/03/estimating-the-bit-security-of-pairing-friendly-curves/)
-
-### Demos
-
-- [Elliptic Curve Calculator](https://paulmillr.com/noble): add / multiply points, sign messages
-- [BLS threshold signatures](https://genthresh.com)
-
-### Projects using curves
-
-- HDkey libraries: [scure-bip32](https://github.com/paulmillr/scure-bip32), [bip32](https://github.com/bitcoinjs/bip32)
-- Social networks: [nostr](https://github.com/nbd-wtf/nostr-tools), [bluesky](https://github.com/bluesky-social/atproto)
-- Ethereum libraries:
-  - [ethereum-cryptography](https://github.com/ethereum/js-ethereum-cryptography)
-  - [micro-eth-signer](https://github.com/paulmillr/micro-eth-signer),
-    [ethers](https://github.com/ethers-io/ethers.js) (old noble),
-    [viem.sh](https://viem.sh),
-    [@ethereumjs](https://github.com/ethereumjs/ethereumjs-monorepo)
-  - [metamask's eth-sig-util](https://github.com/MetaMask/eth-sig-util)
-  - [gridplus lattice sdk](https://github.com/GridPlus/lattice-eth2-utils)
-- Bitcoin libraries:
-  - [scure-btc-signer](https://github.com/paulmillr/scure-btc-signer)
-  - [tapscript](https://github.com/cmdruid/tapscript)
-- Solana libraries: [micro-sol-signer](https://github.com/paulmillr/micro-sol-signer), [solana-web3.js](https://github.com/solana-labs/solana-web3.js)
-- Other web3 stuff:
-  - [scure-starknet](https://github.com/paulmillr/scure-starknet)
-  - [aztec](https://github.com/AztecProtocol/aztec-packages)
-  - [polkadot.js](https://github.com/polkadot-js/common), [drand-client](https://github.com/drand/drand-client), [moneroj](https://github.com/beritani/moneroj), [tronlib](https://github.com/CoinSpace/tronlib)
-- [protonmail](https://github.com/ProtonMail/WebClients) (old noble for now)
-- [did-jwt](https://github.com/decentralized-identity/did-jwt), [hpke-js](https://github.com/dajiaji/hpke-js),
-  [js-libp2p-noise](https://github.com/ChainSafe/js-libp2p-noise)
-- [ed25519-keygen](https://github.com/paulmillr/ed25519-keygen) SSH, PGP, TOR key generation
-- [secp256k1 compatibility layer](https://github.com/ethereum/js-ethereum-cryptography/blob/2.0.0/src/secp256k1-compat.ts)
-  for users who want to switch from secp256k1-node or tiny-secp256k1. Allows to see which methods map to corresponding noble code.
-- [BLS BBS signatures](https://github.com/Wind4Greg/BBS-Draft-Checks) following [draft-irtf-cfrg-bbs-signatures-latest](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html)
-- [KZG trusted setup ceremony](https://github.com/dsrvlabs/czg-keremony)
-- See [full list of projects on GitHub](https://github.com/paulmillr/noble-curves/network/dependents).
+Check out [paulmillr.com/noble](https://paulmillr.com/noble/)
+for useful resources, articles, documentation and demos
+related to the library.
 
 ## License
 

package/abstract/bls.d.ts

@@ -14,9 +14,14 @@
 import { AffinePoint } from './curve.js';
 import { IField } from './modular.js';
 import { Hex, PrivKey, CHash } from './utils.js';
-import * as htf from './hash-to-curve.js';
+import { MapToCurve, Opts as HTFOpts, htfBasicOpts, createHasher } from './hash-to-curve.js';
 import { CurvePointsType, ProjPointType as ProjPointType, CurvePointsRes } from './weierstrass.js';
 type Fp = bigint;
+export type ShortSignatureCoder<Fp> = {
+    fromHex(hex: Hex): ProjPointType<Fp>;
+    toRawBytes(point: ProjPointType<Fp>): Uint8Array;
+    toHex(point: ProjPointType<Fp>): string;
+};
 export type SignatureCoder<Fp2> = {
     fromHex(hex: Hex): ProjPointType<Fp2>;
     toRawBytes(point: ProjPointType<Fp2>): Uint8Array;
@@ -24,13 +29,14 @@ export type SignatureCoder<Fp2> = {
 };
 export type CurveType<Fp, Fp2, Fp6, Fp12> = {
     G1: Omit<CurvePointsType<Fp>, 'n'> & {
-        mapToCurve: htf.MapToCurve<Fp>;
-        htfDefaults: htf.Opts;
+        ShortSignature: SignatureCoder<Fp>;
+        mapToCurve: MapToCurve<Fp>;
+        htfDefaults: HTFOpts;
     };
     G2: Omit<CurvePointsType<Fp2>, 'n'> & {
         Signature: SignatureCoder<Fp2>;
-        mapToCurve: htf.MapToCurve<Fp2>;
-        htfDefaults: htf.Opts;
+        mapToCurve: MapToCurve<Fp2>;
+        htfDefaults: HTFOpts;
     };
     fields: {
         Fp: IField<Fp>;
@@ -55,18 +61,24 @@ export type CurveType<Fp, Fp2, Fp6, Fp12> = {
         x: bigint;
         r: bigint;
     };
-    htfDefaults: htf.Opts;
+    htfDefaults: HTFOpts;
     hash: CHash;
     randomBytes: (bytesLength?: number) => Uint8Array;
 };
 export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
     getPublicKey: (privateKey: PrivKey) => Uint8Array;
+    getPublicKeyForShortSignatures: (privateKey: PrivKey) => Uint8Array;
     sign: {
-        (message: Hex, privateKey: PrivKey): Uint8Array;
-        (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
+        (message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
+        (message: ProjPointType<Fp2>, privateKey: PrivKey, htfOpts?: htfBasicOpts): ProjPointType<Fp2>;
+    };
+    signShortSignature: {
+        (message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
+        (message: ProjPointType<Fp>, privateKey: PrivKey, htfOpts?: htfBasicOpts): ProjPointType<Fp>;
     };
-    verify: (signature: Hex | ProjPointType<Fp2>, message: Hex | ProjPointType<Fp2>, publicKey: Hex | ProjPointType<Fp>) => boolean;
-    verifyBatch: (signature: Hex | ProjPointType<Fp2>, messages: (Hex | ProjPointType<Fp2>)[], publicKeys: (Hex | ProjPointType<Fp>)[]) => boolean;
+    verify: (signature: Hex | ProjPointType<Fp2>, message: Hex | ProjPointType<Fp2>, publicKey: Hex | ProjPointType<Fp>, htfOpts?: htfBasicOpts) => boolean;
+    verifyShortSignature: (signature: Hex | ProjPointType<Fp>, message: Hex | ProjPointType<Fp>, publicKey: Hex | ProjPointType<Fp2>, htfOpts?: htfBasicOpts) => boolean;
+    verifyBatch: (signature: Hex | ProjPointType<Fp2>, messages: (Hex | ProjPointType<Fp2>)[], publicKeys: (Hex | ProjPointType<Fp>)[], htfOpts?: htfBasicOpts) => boolean;
     aggregatePublicKeys: {
         (publicKeys: Hex[]): Uint8Array;
         (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
@@ -75,11 +87,16 @@ export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
         (signatures: Hex[]): Uint8Array;
         (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
     };
+    aggregateShortSignatures: {
+        (signatures: Hex[]): Uint8Array;
+        (signatures: ProjPointType<Fp>[]): ProjPointType<Fp>;
+    };
     millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
     pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
-    G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
-    G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
+    G1: CurvePointsRes<Fp> & ReturnType<typeof createHasher<Fp>>;
+    G2: CurvePointsRes<Fp2> & ReturnType<typeof createHasher<Fp2>>;
     Signature: SignatureCoder<Fp2>;
+    ShortSignature: ShortSignatureCoder<Fp>;
     params: {
         x: bigint;
         r: bigint;