@noble/curves 1.8.1 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +305 -433
- package/_shortw_utils.d.ts +2 -2
- package/_shortw_utils.js +2 -2
- package/abstract/bls.d.ts +5 -5
- package/abstract/bls.d.ts.map +1 -1
- package/abstract/bls.js +15 -16
- package/abstract/bls.js.map +1 -1
- package/abstract/curve.d.ts +11 -3
- package/abstract/curve.d.ts.map +1 -1
- package/abstract/curve.js +81 -78
- package/abstract/curve.js.map +1 -1
- package/abstract/edwards.d.ts +2 -2
- package/abstract/edwards.d.ts.map +1 -1
- package/abstract/edwards.js +58 -71
- package/abstract/edwards.js.map +1 -1
- package/abstract/hash-to-curve.d.ts +15 -9
- package/abstract/hash-to-curve.d.ts.map +1 -1
- package/abstract/hash-to-curve.js +49 -39
- package/abstract/hash-to-curve.js.map +1 -1
- package/abstract/modular.d.ts +11 -8
- package/abstract/modular.d.ts.map +1 -1
- package/abstract/modular.js +79 -67
- package/abstract/modular.js.map +1 -1
- package/abstract/montgomery.d.ts.map +1 -1
- package/abstract/montgomery.js +13 -12
- package/abstract/montgomery.js.map +1 -1
- package/abstract/poseidon.d.ts +40 -3
- package/abstract/poseidon.d.ts.map +1 -1
- package/abstract/poseidon.js +186 -7
- package/abstract/poseidon.js.map +1 -1
- package/abstract/tower.d.ts +2 -2
- package/abstract/tower.d.ts.map +1 -1
- package/abstract/tower.js +16 -17
- package/abstract/tower.js.map +1 -1
- package/abstract/utils.d.ts +5 -2
- package/abstract/utils.d.ts.map +1 -1
- package/abstract/utils.js +27 -14
- package/abstract/utils.js.map +1 -1
- package/abstract/weierstrass.d.ts +21 -9
- package/abstract/weierstrass.d.ts.map +1 -1
- package/abstract/weierstrass.js +103 -86
- package/abstract/weierstrass.js.map +1 -1
- package/bls12-381.d.ts +1 -1
- package/bls12-381.js +41 -41
- package/bls12-381.js.map +1 -1
- package/bn254.d.ts +3 -2
- package/bn254.d.ts.map +1 -1
- package/bn254.js +39 -29
- package/bn254.js.map +1 -1
- package/ed25519.d.ts +9 -6
- package/ed25519.d.ts.map +1 -1
- package/ed25519.js +70 -71
- package/ed25519.js.map +1 -1
- package/ed448.d.ts +7 -6
- package/ed448.d.ts.map +1 -1
- package/ed448.js +54 -56
- package/ed448.js.map +1 -1
- package/esm/_shortw_utils.d.ts +2 -2
- package/esm/_shortw_utils.js +1 -1
- package/esm/abstract/bls.d.ts +5 -5
- package/esm/abstract/bls.d.ts.map +1 -1
- package/esm/abstract/bls.js +6 -7
- package/esm/abstract/bls.js.map +1 -1
- package/esm/abstract/curve.d.ts +11 -3
- package/esm/abstract/curve.d.ts.map +1 -1
- package/esm/abstract/curve.js +77 -74
- package/esm/abstract/curve.js.map +1 -1
- package/esm/abstract/edwards.d.ts +2 -2
- package/esm/abstract/edwards.d.ts.map +1 -1
- package/esm/abstract/edwards.js +39 -52
- package/esm/abstract/edwards.js.map +1 -1
- package/esm/abstract/hash-to-curve.d.ts +15 -9
- package/esm/abstract/hash-to-curve.d.ts.map +1 -1
- package/esm/abstract/hash-to-curve.js +33 -23
- package/esm/abstract/hash-to-curve.js.map +1 -1
- package/esm/abstract/modular.d.ts +11 -8
- package/esm/abstract/modular.d.ts.map +1 -1
- package/esm/abstract/modular.js +71 -59
- package/esm/abstract/modular.js.map +1 -1
- package/esm/abstract/montgomery.d.ts.map +1 -1
- package/esm/abstract/montgomery.js +4 -3
- package/esm/abstract/montgomery.js.map +1 -1
- package/esm/abstract/poseidon.d.ts +40 -3
- package/esm/abstract/poseidon.d.ts.map +1 -1
- package/esm/abstract/poseidon.js +180 -5
- package/esm/abstract/poseidon.js.map +1 -1
- package/esm/abstract/tower.d.ts +2 -2
- package/esm/abstract/tower.d.ts.map +1 -1
- package/esm/abstract/tower.js +8 -9
- package/esm/abstract/tower.js.map +1 -1
- package/esm/abstract/utils.d.ts +5 -2
- package/esm/abstract/utils.d.ts.map +1 -1
- package/esm/abstract/utils.js +26 -13
- package/esm/abstract/utils.js.map +1 -1
- package/esm/abstract/weierstrass.d.ts +21 -9
- package/esm/abstract/weierstrass.d.ts.map +1 -1
- package/esm/abstract/weierstrass.js +76 -59
- package/esm/abstract/weierstrass.js.map +1 -1
- package/esm/bls12-381.d.ts +1 -1
- package/esm/bls12-381.js +9 -9
- package/esm/bls12-381.js.map +1 -1
- package/esm/bn254.d.ts +3 -2
- package/esm/bn254.d.ts.map +1 -1
- package/esm/bn254.js +17 -7
- package/esm/bn254.js.map +1 -1
- package/esm/ed25519.d.ts +9 -6
- package/esm/ed25519.d.ts.map +1 -1
- package/esm/ed25519.js +25 -26
- package/esm/ed25519.js.map +1 -1
- package/esm/ed448.d.ts +7 -6
- package/esm/ed448.d.ts.map +1 -1
- package/esm/ed448.js +17 -19
- package/esm/ed448.js.map +1 -1
- package/esm/jubjub.d.ts +7 -4
- package/esm/jubjub.d.ts.map +1 -1
- package/esm/jubjub.js +7 -60
- package/esm/jubjub.js.map +1 -1
- package/esm/misc.d.ts +21 -0
- package/esm/misc.d.ts.map +1 -0
- package/esm/misc.js +107 -0
- package/esm/misc.js.map +1 -0
- package/esm/nist.d.ts +29 -0
- package/esm/nist.d.ts.map +1 -0
- package/esm/nist.js +120 -0
- package/esm/nist.js.map +1 -0
- package/esm/p256.d.ts +9 -8
- package/esm/p256.d.ts.map +1 -1
- package/esm/p256.js +6 -43
- package/esm/p256.js.map +1 -1
- package/esm/p384.d.ts +10 -8
- package/esm/p384.d.ts.map +1 -1
- package/esm/p384.js +7 -47
- package/esm/p384.js.map +1 -1
- package/esm/p521.d.ts +6 -6
- package/esm/p521.d.ts.map +1 -1
- package/esm/p521.js +6 -55
- package/esm/p521.js.map +1 -1
- package/esm/pasta.d.ts +5 -7
- package/esm/pasta.d.ts.map +1 -1
- package/esm/pasta.js +5 -33
- package/esm/pasta.js.map +1 -1
- package/esm/secp256k1.d.ts +15 -10
- package/esm/secp256k1.d.ts.map +1 -1
- package/esm/secp256k1.js +21 -18
- package/esm/secp256k1.js.map +1 -1
- package/jubjub.d.ts +7 -4
- package/jubjub.d.ts.map +1 -1
- package/jubjub.js +8 -63
- package/jubjub.js.map +1 -1
- package/misc.d.ts +21 -0
- package/misc.d.ts.map +1 -0
- package/misc.js +112 -0
- package/misc.js.map +1 -0
- package/nist.d.ts +29 -0
- package/nist.d.ts.map +1 -0
- package/nist.js +123 -0
- package/nist.js.map +1 -0
- package/p256.d.ts +9 -8
- package/p256.d.ts.map +1 -1
- package/p256.js +5 -48
- package/p256.js.map +1 -1
- package/p384.d.ts +10 -8
- package/p384.d.ts.map +1 -1
- package/p384.js +6 -52
- package/p384.js.map +1 -1
- package/p521.d.ts +6 -6
- package/p521.d.ts.map +1 -1
- package/p521.js +5 -60
- package/p521.js.map +1 -1
- package/package.json +116 -12
- package/pasta.d.ts +5 -7
- package/pasta.d.ts.map +1 -1
- package/pasta.js +6 -34
- package/pasta.js.map +1 -1
- package/secp256k1.d.ts +15 -10
- package/secp256k1.d.ts.map +1 -1
- package/secp256k1.js +60 -57
- package/secp256k1.js.map +1 -1
- package/src/_shortw_utils.ts +2 -2
- package/src/abstract/bls.ts +10 -10
- package/src/abstract/curve.ts +89 -80
- package/src/abstract/edwards.ts +56 -63
- package/src/abstract/hash-to-curve.ts +49 -39
- package/src/abstract/modular.ts +68 -59
- package/src/abstract/montgomery.ts +4 -3
- package/src/abstract/poseidon.ts +208 -13
- package/src/abstract/tower.ts +9 -10
- package/src/abstract/utils.ts +28 -15
- package/src/abstract/weierstrass.ts +105 -87
- package/src/bls12-381.ts +10 -10
- package/src/bn254.ts +18 -8
- package/src/ed25519.ts +31 -28
- package/src/ed448.ts +24 -21
- package/src/jubjub.ts +8 -63
- package/src/misc.ts +123 -0
- package/src/nist.ts +154 -0
- package/src/p256.ts +6 -49
- package/src/p384.ts +8 -53
- package/src/p521.ts +6 -70
- package/src/pasta.ts +5 -39
- package/src/secp256k1.ts +25 -20
|
@@ -5,10 +5,10 @@ exports.expand_message_xof = expand_message_xof;
|
|
|
5
5
|
exports.hash_to_field = hash_to_field;
|
|
6
6
|
exports.isogenyMap = isogenyMap;
|
|
7
7
|
exports.createHasher = createHasher;
|
|
8
|
-
const
|
|
9
|
-
const
|
|
8
|
+
const modular_ts_1 = require("./modular.js");
|
|
9
|
+
const utils_ts_1 = require("./utils.js");
|
|
10
10
|
// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
|
|
11
|
-
const os2ip =
|
|
11
|
+
const os2ip = utils_ts_1.bytesToNumberBE;
|
|
12
12
|
// Integer to Octet Stream (numberToBytesBE)
|
|
13
13
|
function i2osp(value, length) {
|
|
14
14
|
anum(value);
|
|
@@ -38,27 +38,27 @@ function anum(item) {
|
|
|
38
38
|
* [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
|
|
39
39
|
*/
|
|
40
40
|
function expand_message_xmd(msg, DST, lenInBytes, H) {
|
|
41
|
-
(0,
|
|
42
|
-
(0,
|
|
41
|
+
(0, utils_ts_1.abytes)(msg);
|
|
42
|
+
(0, utils_ts_1.abytes)(DST);
|
|
43
43
|
anum(lenInBytes);
|
|
44
44
|
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
|
|
45
45
|
if (DST.length > 255)
|
|
46
|
-
DST = H((0,
|
|
46
|
+
DST = H((0, utils_ts_1.concatBytes)((0, utils_ts_1.utf8ToBytes)('H2C-OVERSIZE-DST-'), DST));
|
|
47
47
|
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
|
|
48
48
|
const ell = Math.ceil(lenInBytes / b_in_bytes);
|
|
49
49
|
if (lenInBytes > 65535 || ell > 255)
|
|
50
50
|
throw new Error('expand_message_xmd: invalid lenInBytes');
|
|
51
|
-
const DST_prime = (0,
|
|
51
|
+
const DST_prime = (0, utils_ts_1.concatBytes)(DST, i2osp(DST.length, 1));
|
|
52
52
|
const Z_pad = i2osp(0, r_in_bytes);
|
|
53
53
|
const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
|
|
54
54
|
const b = new Array(ell);
|
|
55
|
-
const b_0 = H((0,
|
|
56
|
-
b[0] = H((0,
|
|
55
|
+
const b_0 = H((0, utils_ts_1.concatBytes)(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
|
|
56
|
+
b[0] = H((0, utils_ts_1.concatBytes)(b_0, i2osp(1, 1), DST_prime));
|
|
57
57
|
for (let i = 1; i <= ell; i++) {
|
|
58
58
|
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
|
|
59
|
-
b[i] = H((0,
|
|
59
|
+
b[i] = H((0, utils_ts_1.concatBytes)(...args));
|
|
60
60
|
}
|
|
61
|
-
const pseudo_random_bytes = (0,
|
|
61
|
+
const pseudo_random_bytes = (0, utils_ts_1.concatBytes)(...b);
|
|
62
62
|
return pseudo_random_bytes.slice(0, lenInBytes);
|
|
63
63
|
}
|
|
64
64
|
/**
|
|
@@ -69,14 +69,14 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
|
|
|
69
69
|
* [RFC 9380 5.3.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2).
|
|
70
70
|
*/
|
|
71
71
|
function expand_message_xof(msg, DST, lenInBytes, k, H) {
|
|
72
|
-
(0,
|
|
73
|
-
(0,
|
|
72
|
+
(0, utils_ts_1.abytes)(msg);
|
|
73
|
+
(0, utils_ts_1.abytes)(DST);
|
|
74
74
|
anum(lenInBytes);
|
|
75
75
|
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
|
|
76
76
|
// DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
|
|
77
77
|
if (DST.length > 255) {
|
|
78
78
|
const dkLen = Math.ceil((2 * k) / 8);
|
|
79
|
-
DST = H.create({ dkLen }).update((0,
|
|
79
|
+
DST = H.create({ dkLen }).update((0, utils_ts_1.utf8ToBytes)('H2C-OVERSIZE-DST-')).update(DST).digest();
|
|
80
80
|
}
|
|
81
81
|
if (lenInBytes > 65535 || DST.length > 255)
|
|
82
82
|
throw new Error('expand_message_xof: invalid lenInBytes');
|
|
@@ -97,7 +97,7 @@ function expand_message_xof(msg, DST, lenInBytes, k, H) {
|
|
|
97
97
|
* @returns [u_0, ..., u_(count - 1)], a list of field elements.
|
|
98
98
|
*/
|
|
99
99
|
function hash_to_field(msg, count, options) {
|
|
100
|
-
(0,
|
|
100
|
+
(0, utils_ts_1.validateObject)(options, {
|
|
101
101
|
DST: 'stringOrUint8Array',
|
|
102
102
|
p: 'bigint',
|
|
103
103
|
m: 'isSafeInteger',
|
|
@@ -105,9 +105,9 @@ function hash_to_field(msg, count, options) {
|
|
|
105
105
|
hash: 'hash',
|
|
106
106
|
});
|
|
107
107
|
const { p, k, m, hash, expand, DST: _DST } = options;
|
|
108
|
-
(0,
|
|
108
|
+
(0, utils_ts_1.abytes)(msg);
|
|
109
109
|
anum(count);
|
|
110
|
-
const DST = typeof _DST === 'string' ? (0,
|
|
110
|
+
const DST = typeof _DST === 'string' ? (0, utils_ts_1.utf8ToBytes)(_DST) : _DST;
|
|
111
111
|
const log2p = p.toString(2).length;
|
|
112
112
|
const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
|
|
113
113
|
const len_in_bytes = count * m * L;
|
|
@@ -131,7 +131,7 @@ function hash_to_field(msg, count, options) {
|
|
|
131
131
|
for (let j = 0; j < m; j++) {
|
|
132
132
|
const elm_offset = L * (j + i * m);
|
|
133
133
|
const tv = prb.subarray(elm_offset, elm_offset + L);
|
|
134
|
-
e[j] = (0,
|
|
134
|
+
e[j] = (0, modular_ts_1.mod)(os2ip(tv), p);
|
|
135
135
|
}
|
|
136
136
|
u[i] = e;
|
|
137
137
|
}
|
|
@@ -139,47 +139,57 @@ function hash_to_field(msg, count, options) {
|
|
|
139
139
|
}
|
|
140
140
|
function isogenyMap(field, map) {
|
|
141
141
|
// Make same order as in spec
|
|
142
|
-
const
|
|
142
|
+
const coeff = map.map((i) => Array.from(i).reverse());
|
|
143
143
|
return (x, y) => {
|
|
144
|
-
const [
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
144
|
+
const [xn, xd, yn, yd] = coeff.map((val) => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));
|
|
145
|
+
// 6.6.3
|
|
146
|
+
// Exceptional cases of iso_map are inputs that cause the denominator of
|
|
147
|
+
// either rational function to evaluate to zero; such cases MUST return
|
|
148
|
+
// the identity point on E.
|
|
149
|
+
const [xd_inv, yd_inv] = (0, modular_ts_1.FpInvertBatch)(field, [xd, yd], true);
|
|
150
|
+
x = field.mul(xn, xd_inv); // xNum / xDen
|
|
151
|
+
y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
|
|
152
|
+
return { x, y };
|
|
148
153
|
};
|
|
149
154
|
}
|
|
150
155
|
/** Creates hash-to-curve methods from EC Point and mapToCurve function. */
|
|
151
|
-
function createHasher(Point, mapToCurve,
|
|
156
|
+
function createHasher(Point, mapToCurve, defaults) {
|
|
152
157
|
if (typeof mapToCurve !== 'function')
|
|
153
158
|
throw new Error('mapToCurve() must be defined');
|
|
159
|
+
function map(num) {
|
|
160
|
+
return Point.fromAffine(mapToCurve(num));
|
|
161
|
+
}
|
|
162
|
+
function clear(initial) {
|
|
163
|
+
const P = initial.clearCofactor();
|
|
164
|
+
if (P.equals(Point.ZERO))
|
|
165
|
+
return Point.ZERO; // zero will throw in assert
|
|
166
|
+
P.assertValidity();
|
|
167
|
+
return P;
|
|
168
|
+
}
|
|
154
169
|
return {
|
|
170
|
+
defaults,
|
|
155
171
|
// Encodes byte string to elliptic curve.
|
|
156
172
|
// hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
|
|
157
173
|
hashToCurve(msg, options) {
|
|
158
|
-
const u = hash_to_field(msg, 2, { ...
|
|
159
|
-
const u0 =
|
|
160
|
-
const u1 =
|
|
161
|
-
|
|
162
|
-
P.assertValidity();
|
|
163
|
-
return P;
|
|
174
|
+
const u = hash_to_field(msg, 2, { ...defaults, DST: defaults.DST, ...options });
|
|
175
|
+
const u0 = map(u[0]);
|
|
176
|
+
const u1 = map(u[1]);
|
|
177
|
+
return clear(u0.add(u1));
|
|
164
178
|
},
|
|
165
179
|
// Encodes byte string to elliptic curve.
|
|
166
180
|
// encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
|
|
167
181
|
encodeToCurve(msg, options) {
|
|
168
|
-
const u = hash_to_field(msg, 1, { ...
|
|
169
|
-
|
|
170
|
-
P.assertValidity();
|
|
171
|
-
return P;
|
|
182
|
+
const u = hash_to_field(msg, 1, { ...defaults, DST: defaults.encodeDST, ...options });
|
|
183
|
+
return clear(map(u[0]));
|
|
172
184
|
},
|
|
173
185
|
// Same as encodeToCurve, but without hash
|
|
174
186
|
mapToCurve(scalars) {
|
|
175
187
|
if (!Array.isArray(scalars))
|
|
176
|
-
throw new Error('
|
|
188
|
+
throw new Error('expected array of bigints');
|
|
177
189
|
for (const i of scalars)
|
|
178
190
|
if (typeof i !== 'bigint')
|
|
179
|
-
throw new Error('
|
|
180
|
-
|
|
181
|
-
P.assertValidity();
|
|
182
|
-
return P;
|
|
191
|
+
throw new Error('expected array of bigints');
|
|
192
|
+
return clear(map(scalars));
|
|
183
193
|
},
|
|
184
194
|
};
|
|
185
195
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hash-to-curve.js","sourceRoot":"","sources":["../src/abstract/hash-to-curve.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"hash-to-curve.js","sourceRoot":"","sources":["../src/abstract/hash-to-curve.ts"],"names":[],"mappings":";;AA+DA,gDA0BC;AASD,gDA2BC;AAUD,sCAqCC;AAID,gCAgBC;AA6BD,oCA2CC;AAhQD,6CAA+D;AAE/D,yCAA+F;AAqB/F,6FAA6F;AAC7F,MAAM,KAAK,GAAG,0BAAe,CAAC;AAE9B,4CAA4C;AAC5C,SAAS,KAAK,CAAC,KAAa,EAAE,MAAc;IAC1C,IAAI,CAAC,KAAK,CAAC,CAAC;IACZ,IAAI,CAAC,MAAM,CAAC,CAAC;IACb,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,KAAK,CAAC,CAAC;IAC9F,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAa,CAAC;IACvD,KAAK,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,GAAG,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC;QACtB,KAAK,MAAM,CAAC,CAAC;IACf,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,SAAS,MAAM,CAAC,CAAa,EAAE,CAAa;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,IAAI,CAAC,IAAa;IACzB,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACtE,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAChC,GAAe,EACf,GAAe,EACf,UAAkB,EAClB,CAAQ;IAER,IAAA,iBAAM,EAAC,GAAG,CAAC,CAAC;IACZ,IAAA,iBAAM,EAAC,GAAG,CAAC,CAAC;IACZ,IAAI,CAAC,UAAU,CAAC,CAAC;IACjB,uDAAuD;IACvD,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;QAAE,GAAG,GAAG,CAAC,CAAC,IAAA,sBAAW,EAAC,IAAA,sBAAW,EAAC,mBAAmB,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IAClF,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,GAAG,KAAK,IAAI,GAAG,GAAG,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC/F,MAAM,SAAS,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,CAAC,mB
AAmB;IAC3D,MAAM,CAAC,GAAG,IAAI,KAAK,CAAa,GAAG,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAA,sBAAW,EAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAA,sBAAW,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IACnD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAA,sBAAW,EAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IACjC,CAAC;IACD,MAAM,mBAAmB,GAAG,IAAA,sBAAW,EAAC,GAAG,CAAC,CAAC,CAAC;IAC9C,OAAO,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,kBAAkB,CAChC,GAAe,EACf,GAAe,EACf,UAAkB,EAClB,CAAS,EACT,CAAQ;IAER,IAAA,iBAAM,EAAC,GAAG,CAAC,CAAC;IACZ,IAAA,iBAAM,EAAC,GAAG,CAAC,CAAC;IACZ,IAAI,CAAC,UAAU,CAAC,CAAC;IACjB,uDAAuD;IACvD,oFAAoF;IACpF,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,IAAA,sBAAW,EAAC,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1F,CAAC;IACD,IAAI,UAAU,GAAG,KAAK,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;QACxC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,OAAO,CACL,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;SAC5B,MAAM,CAAC,GAAG,CAAC;SACX,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QAC7B,2CAA2C;SAC1C,MAAM,CAAC,GAAG,CAAC;SACX,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;SAC5B,MAAM,EAAE,CACZ,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,aAAa,CAAC,GAAe,EAAE,KAAa,EAAE,OAAa;IACzE,IAAA,yBAAc,EAAC,OAAO,EAAE;QACtB,GAAG,EAAE,oBAAoB;QACzB,CAAC,EAAE,QAAQ;QACX,CAAC,EAAE,eAAe;QAClB,CAAC,EAAE,eAAe;QAClB,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACrD,IAAA,iBAAM,EAAC,GAAG,CAAC,CAAC;IACZ,IAAI,CAAC,
KAAK,CAAC,CAAC;IACZ,MAAM,GAAG,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAA,sBAAW,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;IACnC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,uCAAuC;IAC7E,MAAM,YAAY,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,CAAC,sBAAsB;IAC/B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,GAAG,GAAG,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC;IACzD,CAAC;SAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QAC5B,GAAG,GAAG,kBAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;IAC5D,CAAC;SAAM,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;QACvC,0BAA0B;QAC1B,GAAG,GAAG,GAAG,CAAC;IACZ,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,UAAU,GAAG,CAAC,CAAC,CAAC;YACpD,CAAC,CAAC,CAAC,CAAC,GAAG,IAAA,gBAAG,EAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3B,CAAC;QACD,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACX,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAID,SAAgB,UAAU,CAAyB,KAAQ,EAAE,GAAe;IAC1E,6BAA6B;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IACtD,OAAO,CAAC,CAAI,EAAE,CAAI,EAAE,EAAE;QACpB,MAAM,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CACzC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CACxD,CAAC;QACF,QAAQ;QACR,wEAAwE;QACxE,uEAAuE;QACvE,2BAA2B;QAC3B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAA,0BAAa,EAAC,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC,GAAG,KAAK,CAAC,GAAG
,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,cAAc;QACzC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,oBAAoB;QAC7D,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AA4BD,2EAA2E;AAC3E,SAAgB,YAAY,CAC1B,KAA6B,EAC7B,UAAyB,EACzB,QAA+C;IAE/C,IAAI,OAAO,UAAU,KAAK,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IACtF,SAAS,GAAG,CAAC,GAAa;QACxB,OAAO,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,SAAS,KAAK,CAAC,OAAoB;QACjC,MAAM,CAAC,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,4BAA4B;QACzE,CAAC,CAAC,cAAc,EAAE,CAAC;QACnB,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO;QACL,QAAQ;QAER,yCAAyC;QACzC,sEAAsE;QACtE,WAAW,CAAC,GAAe,EAAE,OAAsB;YACjD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,GAAG,QAAQ,EAAE,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,GAAG,OAAO,EAAU,CAAC,CAAC;YACxF,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACrB,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACrB,OAAO,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,yCAAyC;QACzC,wEAAwE;QACxE,aAAa,CAAC,GAAe,EAAE,OAAsB;YACnD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,GAAG,QAAQ,EAAE,GAAG,EAAE,QAAQ,CAAC,SAAS,EAAE,GAAG,OAAO,EAAU,CAAC,CAAC;YAC9F,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1B,CAAC;QAED,0CAA0C;QAC1C,UAAU,CAAC,OAAiB;YAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC1E,KAAK,MAAM,CAAC,IAAI,OAAO;gBACrB,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;YAC1E,OAAO,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7B,CAAC;KACF,CAAC;AACJ,CAAC"}
|
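--- a/package/abstract/modular.d.ts
+++ b/package/abstract/modular.d.ts
@@ -2,7 +2,7 @@ export declare function mod(a: bigint, b: bigint): bigint;
 /**
 * Efficiently raise num to power and do modular division.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
-*
+* TODO: remove.
 * @example
 * pow(2n, 6n, 11n) // 64n % 11n == 9n
 */
@@ -18,7 +18,6 @@ export declare function invert(number: bigint, modulo: bigint): bigint;
 * Tonelli-Shanks square root search algorithm.
 * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
 * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
-* Will start an infinite loop if field order P is not prime.
 * @param P field order
 * @returns function that takes field Fp (created from P) and number n
 */
@@ -74,21 +73,25 @@ export declare function validateField<T>(field: IField<T>): IField<T>;
 * Same as `pow` but for Fp: non-constant-time.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
 */
-export declare function FpPow<T>(
+export declare function FpPow<T>(Fp: IField<T>, num: T, power: bigint): T;
 /**
 * Efficiently invert an array of Field elements.
-*
+* Exception-free. Will return `undefined` for 0 elements.
+* @param passZero map 0 to 0 (instead of undefined)
 */
-export declare function FpInvertBatch<T>(
-export declare function FpDiv<T>(
+export declare function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero?: boolean): T[];
+export declare function FpDiv<T>(Fp: IField<T>, lhs: T, rhs: T | bigint): T;
 /**
 * Legendre symbol.
+* Legendre constant is used to calculate Legendre symbol (a | p)
+* which denotes the value of a^((p-1)/2) (mod p)..
+*
 * * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
 * * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
 * * (a | p) ≡ 0 if a ≡ 0 (mod p)
 */
-export declare function FpLegendre
-export declare function FpIsSquare<T>(
+export declare function FpLegendre<T>(Fp: IField<T>, n: T): number;
+export declare function FpIsSquare<T>(Fp: IField<T>, n: T): boolean;
 export declare function nLength(n: bigint, nBitLength?: number): {
 nBitLength: number;
 nByteLength: number;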
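Review bot: The new `FpInvertBatch` declaration documents that it yields `undefined` for zero elements unless `passZero` is set, yet its return type is still `T[]`, so a consumer reading the types never sees the `undefined` case and can feed the result straight into field arithmetic. The honest signature is `export declare function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero?: boolean): (T | undefined)[];` (or the doc line should go if the implementation never produces `undefined`); since this file is emitted from `src/abstract/modular.ts`, the fix belongs there. The only caller visible on this page, `isogenyMap` in hash-to-curve.js, passes `true`, so it is unaffected, but other callers cannot be checked from here. Minor: the added Legendre paragraph ends with a doubled period, `(mod p)..`, and the bare `* TODO: remove.` on `pow` would serve callers better as `* @deprecated` so editors flag existing uses.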
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"modular.d.ts","sourceRoot":"","sources":["../src/abstract/modular.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"modular.d.ts","sourceRoot":"","sources":["../src/abstract/modular.ts"],"names":[],"mappings":"AA0BA,wBAAgB,GAAG,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAGhD;AACD;;;;;;GAMG;AACH,wBAAgB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAWtE;AAED,4DAA4D;AAC5D,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAoB7D;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CA0DtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAuD/D;AAGD,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,EAAE,QAAQ,MAAM,KAAG,OACzB,CAAC;AAEnC,yEAAyE;AACzE,MAAM,WAAW,MAAM,CAAC,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,CAAC,CAAC;IACR,GAAG,EAAE,CAAC,CAAC;IAEP,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACtB,OAAO,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,OAAO,CAAC;IAC7B,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,OAAO,CAAC;IACzB,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACf,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACf,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAChB,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAEf,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;IAC7B,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvB,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvB,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAChC,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,G
AAG,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAMhB,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;IAExB,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAAC;IAC9B,WAAW,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;IAC/B,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,UAAU,CAAC;IAC5B,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;CACjC;AAOD,wBAAgB,aAAa,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAY5D;AAID;;;GAGG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAahE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,QAAQ,UAAQ,GAAG,CAAC,EAAE,CAiBhF;AAGD,wBAAgB,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAElE;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,MAAM,CAQzD;AAGD,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,OAAO,CAG1D;AAGD,wBAAgB,OAAO,CACrB,CAAC,EAAE,MAAM,EACT,UAAU,CAAC,EAAE,MAAM,GAClB;IACD,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB,CAMA;AAED,KAAK,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACxE;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,KAAK,CACnB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,MAAM,EACf,IAAI,UAAQ,EACZ,KAAK,GAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAM,GAClC,QAAQ,CAAC,OAAO,CAAC,CAyDnB;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAIrD;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAItD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,GAAG,UAAU,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,UAAQ,GACX,MAAM,CAUR;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAI9D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAG3D;
AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,UAAQ,GAAG,UAAU,CAW5F"}
|
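--- a/package/abstract/modular.js
+++ b/package/abstract/modular.js
@@ -28,7 +28,8 @@ exports.mapHashToField = mapHashToField;
 * @module
 */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const
+const utils_1 = require("@noble/hashes/utils");
+const utils_ts_1 = require("./utils.js");
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
@@ -43,7 +44,7 @@ function mod(a, b) {
 /**
 * Efficiently raise num to power and do modular division.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
-*
+* TODO: remove.
 * @example
 * pow(2n, 6n, 11n) // 64n % 11n == 9n
 */
@@ -104,27 +105,25 @@ function invert(number, modulo) {
 * Tonelli-Shanks square root search algorithm.
 * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
 * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
-* Will start an infinite loop if field order P is not prime.
 * @param P field order
 * @returns function that takes field Fp (created from P) and number n
 */
 function tonelliShanks(P) {
-//
-// which denotes the value of a^((p-1)/2) (mod p).
-// (a | p) ≡ 1 if a is a square (mod p)
-// (a | p) ≡ -1 if a is not a square (mod p)
-// (a | p) ≡ 0 if a ≡ 0 (mod p)
-const legendreC = (P - _1n) / _2n;
-let Q, S, Z;
+// Do expensive precomputation step
 // Step 1: By factoring out powers of 2 from p - 1,
-// find q and s such that p
-
-
+// find q and s such that p-1 == q*(2^s) with q odd
+let Q = P - _1n;
+let S = 0;
+while (Q % _2n === _0n) {
+Q /= _2n;
+S++;
+}
 // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-
-
-
-
+let Z = _2n;
+const _Fp = Field(P);
+while (Z < P && FpIsSquare(_Fp, Z)) {
+if (Z++ > 1000)
+throw new Error('Cannot find square root: probably non-prime P');
 }
 // Fast-path
 if (S === 1) {
@@ -140,16 +139,18 @@ function tonelliShanks(P) {
 const Q1div2 = (Q + _1n) / _2n;
 return function tonelliSlow(Fp, n) {
 // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-if (Fp
+if (!FpIsSquare(Fp, n))
 throw new Error('Cannot find square root');
 let r = S;
-// TODO:
+// TODO: test on Fp2 and others
 let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
 let x = Fp.pow(n, Q1div2); // first guess at the square root
 let b = Fp.pow(n, Q); // first guess at the fudge factor
 while (!Fp.eql(b, Fp.ONE)) {
+// (4. If t = 0, return r = 0)
+// https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm
 if (Fp.eql(b, Fp.ZERO))
-return Fp.ZERO;
+return Fp.ZERO;
 // Find m such b^(2^m)==1
 let m = 1;
 for (let t2 = Fp.sqr(b); m < r; m++) {
@@ -157,7 +158,8 @@ function tonelliShanks(P) {
 break;
 t2 = Fp.sqr(t2); // t2 *= t2
 }
-// NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift,
+// NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift,
+// otherwise there will be overflow.
 const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
 g = Fp.sqr(ge); // g = ge * ge
 x = Fp.mul(x, ge); // x *= ge
@@ -186,8 +188,8 @@ function FpSqrt(P) {
 // const ORDER =
 // 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
 // const NUM = 72057594037927816n;
-const p1div4 = (P + _1n) / _4n;
 return function sqrt3mod4(Fp, n) {
+const p1div4 = (P + _1n) / _4n;
 const root = Fp.pow(n, p1div4);
 // Throw if root**2 != n
 if (!Fp.eql(Fp.sqr(root), n))
@@ -197,9 +199,9 @@ function FpSqrt(P) {
 }
 // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
 if (P % _8n === _5n) {
-const c1 = (P - _5n) / _8n;
 return function sqrt5mod8(Fp, n) {
 const n2 = Fp.mul(n, _2n);
+const c1 = (P - _5n) / _8n;
 const v = Fp.pow(n2, c1);
 const nv = Fp.mul(n, v);
 const i = Fp.mul(Fp.mul(nv, _2n), v);
@@ -254,80 +256,89 @@ function validateField(field) {
 map[val] = 'function';
 return map;
 }, initial);
-return (0,
+return (0, utils_ts_1.validateObject)(field, opts);
 }
 // Generic field functions
 /**
 * Same as `pow` but for Fp: non-constant-time.
 * Unsafe in some contexts: uses ladder, so can expose bigint bits.
 */
-function FpPow(
-// Should have same speed as pow for bigints
-// TODO: benchmark!
+function FpPow(Fp, num, power) {
 if (power < _0n)
 throw new Error('invalid exponent, negatives unsupported');
 if (power === _0n)
-return
+return Fp.ONE;
 if (power === _1n)
 return num;
-
+// @ts-ignore
+let p = Fp.ONE;
 let d = num;
 while (power > _0n) {
 if (power & _1n)
-p =
-d =
+p = Fp.mul(p, d);
+d = Fp.sqr(d);
 power >>= _1n;
 }
 return p;
 }
 /**
 * Efficiently invert an array of Field elements.
-*
+* Exception-free. Will return `undefined` for 0 elements.
+* @param passZero map 0 to 0 (instead of undefined)
 */
-function FpInvertBatch(
-const
+function FpInvertBatch(Fp, nums, passZero = false) {
+const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
 // Walk from first to last, multiply them by each other MOD p
-const
-if (
+const multipliedAcc = nums.reduce((acc, num, i) => {
+if (Fp.is0(num))
 return acc;
-
-return
-},
+inverted[i] = acc;
+return Fp.mul(acc, num);
+}, Fp.ONE);
 // Invert last element
-const
+const invertedAcc = Fp.inv(multipliedAcc);
 // Walk from last to first, multiply them by inverted each other MOD p
 nums.reduceRight((acc, num, i) => {
-if (
+if (Fp.is0(num))
 return acc;
-
-return
-},
-return
+inverted[i] = Fp.mul(acc, inverted[i]);
+return Fp.mul(acc, num);
+}, invertedAcc);
+return inverted;
 }
-
-
+// TODO: remove
+function FpDiv(Fp, lhs, rhs) {
+return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
 }
 /**
 * Legendre symbol.
+* Legendre constant is used to calculate Legendre symbol (a | p)
+* which denotes the value of a^((p-1)/2) (mod p)..
+*
 * * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
 * * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
 * * (a | p) ≡ 0 if a ≡ 0 (mod p)
 */
-function FpLegendre(
-const
-
+function FpLegendre(Fp, n) {
+const legc = (Fp.ORDER - _1n) / _2n;
+const powered = Fp.pow(n, legc);
+const yes = Fp.eql(powered, Fp.ONE);
+const zero = Fp.eql(powered, Fp.ZERO);
+const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+if (!yes && !zero && !no)
+throw new Error('Cannot find square root: probably non-prime P');
+return yes ? 1 : zero ? 0 : -1;
 }
 // This function returns True whenever the value x is a square in the field F.
-function FpIsSquare(
-const
-return
-const p = legendre(f, x);
-return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
-};
+function FpIsSquare(Fp, n) {
+const l = FpLegendre(Fp, n);
+return l === 0 || l === 1;
 }
 // CURVE.n lengths
 function nLength(n, nBitLength) {
 // Bit size, byte size of CURVE.n
+if (nBitLength !== undefined)
+(0, utils_1.anumber)(nBitLength);
 const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
 const nByteLength = Math.ceil(_nBitLength / 8);
 return { nBitLength: _nBitLength, nByteLength };
@@ -359,7 +370,7 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
 isLE,
 BITS,
 BYTES,
-MASK: (0,
+MASK: (0, utils_ts_1.bitMask)(BITS),
 ZERO: _0n,
 ONE: _1n,
 create: (num) => mod(num, ORDER),
@@ -390,16 +401,17 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
 sqrtP = FpSqrt(ORDER);
 return sqrtP(f, n);
 }),
-
-// TODO: do we really need constant cmov?
-// We don't have const-time bigints anyway, so probably will be not very useful
-cmov: (a, b, c) => (c ? b : a),
-toBytes: (num) => (isLE ? (0, utils_js_1.numberToBytesLE)(num, BYTES) : (0, utils_js_1.numberToBytesBE)(num, BYTES)),
+toBytes: (num) => (isLE ? (0, utils_ts_1.numberToBytesLE)(num, BYTES) : (0, utils_ts_1.numberToBytesBE)(num, BYTES)),
 fromBytes: (bytes) => {
 if (bytes.length !== BYTES)
 throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-return isLE ? (0,
+return isLE ? (0, utils_ts_1.bytesToNumberLE)(bytes) : (0, utils_ts_1.bytesToNumberBE)(bytes);
 },
+// TODO: we don't need it here, move out to separate fn
+invertBatch: (lst) => FpInvertBatch(f, lst),
+// We can't move this out because Fp6, Fp12 implement it
+// and it's unclear what to return in there.
+cmov: (a, b, c) => (c ? b : a),
 });
 return Object.freeze(f);
 }
@@ -422,12 +434,12 @@ function FpSqrtEven(Fp, elm) {
 * @deprecated use `mapKeyToField` instead
 */
 function hashToPrivateScalar(hash, groupOrder, isLE = false) {
-hash = (0,
+hash = (0, utils_ts_1.ensureBytes)('privateHash', hash);
 const hashLen = hash.length;
 const minLen = nLength(groupOrder).nByteLength + 8;
 if (minLen < 24 || hashLen < minLen || hashLen > 1024)
 throw new Error('hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen);
-const num = isLE ? (0,
+const num = isLE ? (0, utils_ts_1.bytesToNumberLE)(hash) : (0, utils_ts_1.bytesToNumberBE)(hash);
 return mod(num, groupOrder - _1n) + _1n;
 }
 /**
@@ -473,9 +485,9 @@ function mapHashToField(key, fieldOrder, isLE = false) {
 // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
 if (len < 16 || len < minLen || len > 1024)
 throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
-const num = isLE ? (0,
+const num = isLE ? (0, utils_ts_1.bytesToNumberLE)(key) : (0, utils_ts_1.bytesToNumberBE)(key);
 // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
 const reduced = mod(num, fieldOrder - _1n) + _1n;
-return isLE ? (0,
+return isLE ? (0, utils_ts_1.numberToBytesLE)(reduced, fieldLen) : (0, utils_ts_1.numberToBytesBE)(reduced, fieldLen);
 }
 //# sourceMappingURL=modular.js.map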
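Review bot: The new FpLegendre (new lines 322-330 of the validateField hunk) throws 'Cannot find square root: probably non-prime P' when `powered` is neither 1, 0 nor -1, but the function computes a Legendre symbol, and the same string is also thrown by the non-residue search in tonelliShanks that reaches it through FpIsSquare, so a caller catching the error cannot tell which check tripped; `throw new Error('invalid Legendre symbol: probably non-prime P')` would keep the diagnosis while naming the actual failure. The exponent `legc` is derived from `Fp.ORDER` alone, which is right for a prime field; whether it is also right for the extension fields named in the new `// TODO: test on Fp2 and others` comment in tonelliSlow depends on what those fields report as ORDER, which this diff does not show. The JSDoc added above FpLegendre ends a sentence with `(mod p)..` — drop the duplicated period. The `Exception-free` claim in the FpInvertBatch docstring holds only as long as `Fp.inv` never throws on the product of non-zero elements, which is true for a prime field but worth stating, e.g. `* Exception-free for prime fields: the accumulated product of non-zero elements is never zero, so Fp.inv cannot fail.`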