@noble/curves 1.5.0 → 1.7.0

package/src/bls12-381.ts

@@ -56,7 +56,7 @@ bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction all
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
-/* 
+/*
 Embedding degree (k): 12
 Seed (X): -15132376222941642752
 Fr:  (x⁴-x²+1)
@@ -509,7 +509,7 @@ export const bls12_381: CurveFn = bls({
         }
         const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
-        if (!y) throw new Error('Invalid compressed G1 point');
+        if (!y) throw new Error('invalid compressed G1 point');
         if ((y * _2n) / P !== BigInt(sort)) y = Fp.neg(y);
         return { x: Fp.create(x), y: Fp.create(y) };
       } else if (value.length === 96 && !compressed) {
@@ -522,7 +522,7 @@ export const bls12_381: CurveFn = bls({
         }
         return { x: Fp.create(x), y: Fp.create(y) };
       } else {
-        throw new Error('Invalid point G1, expected 48/96 bytes');
+        throw new Error('invalid point G1, expected 48/96 bytes');
       }
     },
     toBytes: (c, point, isCompressed) => {
@@ -553,7 +553,7 @@ export const bls12_381: CurveFn = bls({
         const x = Fp.create(compressedValue & Fp.MASK);
         const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
-        if (!y) throw new Error('Invalid compressed G1 point');
+        if (!y) throw new Error('invalid compressed G1 point');
         const aflag = BigInt(sort);
         if ((y * _2n) / P !== aflag) y = Fp.neg(y);
         const point = bls12_381.G1.ProjectivePoint.fromAffine({ x, y });
@@ -644,7 +644,7 @@ export const bls12_381: CurveFn = bls({
         (!compressed && infinity && sort) || // 01100000
         (sort && infinity && compressed) // 11100000
       ) {
-        throw new Error('Invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
+        throw new Error('invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
       }
       const L = Fp.BYTES;
       const slc = (b: Uint8Array, from: number, to?: number) => bytesToNumberBE(b.slice(from, to));
@@ -654,7 +654,7 @@ export const bls12_381: CurveFn = bls({
         if (infinity) {
           // check that all bytes are 0
           if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
-            throw new Error('Invalid compressed G2 point');
+            throw new Error('invalid compressed G2 point');
           }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
@@ -669,7 +669,7 @@ export const bls12_381: CurveFn = bls({
       } else if (value.length === 192 && !compressed) {
         if (infinity) {
           if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
-            throw new Error('Invalid uncompressed G2 point');
+            throw new Error('invalid uncompressed G2 point');
           }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
@@ -679,7 +679,7 @@ export const bls12_381: CurveFn = bls({
         const y0 = slc(value, 3 * L, 4 * L);
         return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
       } else {
-        throw new Error('Invalid point G2, expected 96/192 bytes');
+        throw new Error('invalid point G2, expected 96/192 bytes');
       }
     },
     toBytes: (c, point, isCompressed) => {
@@ -712,7 +712,7 @@ export const bls12_381: CurveFn = bls({
         const P = Fp.ORDER;
         const half = value.length / 2;
         if (half !== 48 && half !== 96)
-          throw new Error('Invalid compressed signature length, must be 96 or 192');
+          throw new Error('invalid compressed signature length, must be 96 or 192');
         const z1 = bytesToNumberBE(value.slice(0, half));
         const z2 = bytesToNumberBE(value.slice(half));
         // Indicates the infinity point

package/src/bn254.ts

@@ -3,7 +3,7 @@ import { sha256 } from '@noble/hashes/sha256';
 import { getHash } from './_shortw_utils.js';
 import { weierstrass } from './abstract/weierstrass.js';
 import { randomBytes } from '@noble/hashes/utils';
-import { bls, CurveFn } from './abstract/bls.js';
+import { bls, CurveFn, PostPrecomputeFn, PostPrecomputePointAddFn } from './abstract/bls.js';
 import { Field } from './abstract/modular.js';
 import { bitGet, bitLen, notImplemented } from './abstract/utils.js';
 import { tower12, psiFrobenius } from './abstract/tower.js';
@@ -148,6 +148,20 @@ const htfDefaults = Object.freeze({
   hash: sha256,
 } as const);
 
+export const _postPrecompute: PostPrecomputeFn = (
+  Rx: Fp2,
+  Ry: Fp2,
+  Rz: Fp2,
+  Qx: Fp2,
+  Qy: Fp2,
+  pointAdd: PostPrecomputePointAddFn
+) => {
+  const q = psi(Qx, Qy);
+  ({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
+  const q2 = psi(q[0], q[1]);
+  pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
+};
+
 /**
  * bn254 (a.k.a. alt_bn128) pairing-friendly curve.
  * Contains G1 / G2 operations and pairings.
@@ -212,12 +226,7 @@ export const bn254: CurveFn = bls({
   hash: sha256,
   randomBytes,
 
-  postPrecompute: (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
-    const q = psi(Qx, Qy);
-    ({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
-    const q2 = psi(q[0], q[1]);
-    pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
-  },
+  postPrecompute: _postPrecompute,
 });
 
 /**

package/src/ed448.ts

@@ -120,7 +120,7 @@ const ED448_DEF = {
   adjustScalarBytes,
   // dom4
   domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
+    if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
     return concatBytes(
       utf8ToBytes('SigEd448'),
       new Uint8Array([phflag ? 1 : 0, ctx.length]),

package/src/jubjub.ts

@@ -46,13 +46,18 @@ export function groupHash(tag: Uint8Array, personalization: Uint8Array) {
   return p;
 }
 
+// No secret data is leaked here at all.
+// It operates over public data:
+// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
 export function findGroupHash(m: Uint8Array, personalization: Uint8Array) {
   const tag = concatBytes(m, new Uint8Array([0]));
+  const hashes = [];
   for (let i = 0; i < 256; i++) {
     tag[tag.length - 1] = i;
     try {
-      return groupHash(tag, personalization);
+      hashes.push(groupHash(tag, personalization));
     } catch (e) {}
   }
-  throw new Error('findGroupHash tag overflow');
+  if (!hashes.length) throw new Error('findGroupHash tag overflow');
+  return hashes[0];
 }

package/src/p256.ts

@@ -8,15 +8,15 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // NIST secp256r1 aka p256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 
-const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A = Fp.create(BigInt('-3'));
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const CURVE_A = Fp256.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 
 // prettier-ignore
 export const p256 = createCurve({
   a: CURVE_A, // Equation params: a, b
   b: CURVE_B,
-  Fp, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+  Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
   // Curve order, total count of valid points in the field
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
   // Base (generator) point (x, y)
@@ -28,17 +28,17 @@ export const p256 = createCurve({
 export const secp256r1 = p256;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp256, {
     A: CURVE_A,
     B: CURVE_B,
-    Z: Fp.create(BigInt('-10')),
+    Z: Fp256.create(BigInt('-10')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P256_XMD:SHA-256_SSWU_RO_',
     encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp256.ORDER,
     m: 1,
     k: 128,
     expand: 'xmd',

package/src/p384.ts

@@ -11,8 +11,8 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp = Field(P);
-const CURVE_A = Fp.create(BigInt('-3'));
+const Fp384 = Field(P);
+const CURVE_A = Fp384.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 
@@ -20,7 +20,7 @@ const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe814112031408
 export const p384 = createCurve({
   a: CURVE_A, // Equation params: a, b
   b: CURVE_B,
-  Fp, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+  Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
   // Curve order, total count of valid points in the field.
   n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
   // Base (generator) point (x, y)
@@ -32,17 +32,17 @@ export const p384 = createCurve({
 export const secp384r1 = p384;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp384, {
     A: CURVE_A,
     B: CURVE_B,
-    Z: Fp.create(BigInt('-12')),
+    Z: Fp384.create(BigInt('-12')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P384_XMD:SHA-384_SSWU_RO_',
     encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp384.ORDER,
     m: 1,
     k: 192,
     expand: 'xmd',

package/src/p521.ts

@@ -12,14 +12,14 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp = Field(P);
+const Fp521 = Field(P);
 
 const CURVE = {
-  a: Fp.create(BigInt('-3')),
+  a: Fp521.create(BigInt('-3')),
   b: BigInt(
     '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
   ),
-  Fp,
+  Fp: Fp521,
   n: BigInt(
     '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
   ),
@@ -36,7 +36,7 @@ const CURVE = {
 export const p521 = createCurve({
   a: CURVE.a, // Equation params: a, b
   b: CURVE.b,
-  Fp, // Field: 2n**521n - 1n
+  Fp: Fp521, // Field: 2n**521n - 1n
   // Curve order, total count of valid points in the field
   n: CURVE.n,
   Gx: CURVE.Gx, // Base point (x, y) aka generator point
@@ -48,17 +48,17 @@ export const p521 = createCurve({
 export const secp521r1 = p521;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp521, {
     A: CURVE.a,
     B: CURVE.b,
-    Z: Fp.create(BigInt('-4')),
+    Z: Fp521.create(BigInt('-4')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P521_XMD:SHA-512_SSWU_RO_',
     encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp521.ORDER,
     m: 1,
     k: 256,
     expand: 'xmd',

package/src/secp256k1.ts

@@ -45,11 +45,11 @@ function sqrtMod(y: bigint): bigint {
   const t1 = (pow2(b223, _23n, P) * b22) % P;
   const t2 = (pow2(t1, _6n, P) * b2) % P;
   const root = pow2(t2, _2n, P);
-  if (!Fp.eql(Fp.sqr(root), y)) throw new Error('Cannot find square root');
+  if (!Fpk1.eql(Fpk1.sqr(root), y)) throw new Error('Cannot find square root');
   return root;
 }
 
-const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 
 /**
  * secp256k1 short weierstrass curve and ECDSA signatures over it.
@@ -58,7 +58,7 @@ export const secp256k1 = createCurve(
   {
     a: BigInt(0), // equation params: a, b
     b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
-    Fp, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
     n: secp256k1N, // Curve order, total count of valid points in the field
     // Base point (x, y) aka generator point
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
@@ -228,7 +228,7 @@ export const schnorr = /* @__PURE__ */ (() => ({
 
 const isoMap = /* @__PURE__ */ (() =>
   isogenyMap(
-    Fp,
+    Fpk1,
     [
       // xNum
       [
@@ -260,22 +260,22 @@ const isoMap = /* @__PURE__ */ (() =>
     ].map((i) => i.map((j) => BigInt(j))) as [bigint[], bigint[], bigint[], bigint[]]
   ))();
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fpk1, {
     A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
     B: BigInt('1771'),
-    Z: Fp.create(BigInt('-11')),
+    Z: Fpk1.create(BigInt('-11')),
   }))();
 const htf = /* @__PURE__ */ (() =>
   createHasher(
     secp256k1.ProjectivePoint,
     (scalars: bigint[]) => {
-      const { x, y } = mapSWU(Fp.create(scalars[0]));
+      const { x, y } = mapSWU(Fpk1.create(scalars[0]));
       return isoMap(x, y);
     },
     {
       DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
       encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
-      p: Fp.ORDER,
+      p: Fpk1.ORDER,
       m: 1,
       k: 128,
       expand: 'xmd',