@noble/curves 1.9.0 → 1.9.2

package/src/abstract/curve.ts

@@ -4,8 +4,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { type IField, nLength, validateField } from './modular.ts';
-import { bitLen, bitMask, validateObject } from './utils.ts';
+import { bitLen, bitMask, validateObject } from '../utils.ts';
+import { Field, FpInvertBatch, type IField, nLength, validateField } from './modular.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -22,19 +22,43 @@ export interface Group<T extends Group<T>> {
   subtract(other: T): T;
   equals(other: T): boolean;
   multiply(scalar: bigint): T;
+  toAffine?(invertedZ?: any): AffinePoint<any>;
 }
 
 export type GroupConstructor<T> = {
   BASE: T;
   ZERO: T;
 };
+export type ExtendedGroupConstructor<T> = GroupConstructor<T> & {
+  Fp: IField<any>;
+  Fn: IField<bigint>;
+  fromAffine(ap: AffinePoint<any>): T;
+};
 export type Mapper<T> = (i: T[]) => T[];
 
-function constTimeNegate<T extends Group<T>>(condition: boolean, item: T): T {
+export function negateCt<T extends Group<T>>(condition: boolean, item: T): T {
   const neg = item.negate();
   return condition ? neg : item;
 }
 
+/**
+ * Takes a bunch of Projective Points but executes only one
+ * inversion on all of them. Inversion is very slow operation,
+ * so this improves performance massively.
+ * Optimization: converts a list of projective points to a list of identical points with Z=1.
+ */
+export function normalizeZ<T>(
+  c: ExtendedGroupConstructor<T>,
+  property: 'pz' | 'ez',
+  points: T[]
+): T[] {
+  const getz = property === 'pz' ? (p: any) => p.pz : (p: any) => p.ez;
+  const toInv = FpInvertBatch(c.Fp, points.map(getz));
+  // @ts-ignore
+  const affined = points.map((p, i) => p.toAffine(toInv[i]));
+  return affined.map(c.fromAffine);
+}
+
 function validateW(W: number, bits: number) {
   if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
     throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
@@ -107,16 +131,20 @@ function getW(P: any): number {
   return pointWindowSizes.get(P) || 1;
 }
 
+function assert0(n: bigint): void {
+  if (n !== _0n) throw new Error('invalid wNAF');
+}
+
 export type IWNAF<T extends Group<T>> = {
   constTimeNegate: <T extends Group<T>>(condition: boolean, item: T) => T;
   hasPrecomputes(elm: T): boolean;
   unsafeLadder(elm: T, n: bigint, p?: T): T;
   precomputeWindow(elm: T, W: number): Group<T>[];
-  getPrecomputes(W: number, P: T, transform: Mapper<T>): T[];
+  getPrecomputes(W: number, P: T, transform?: Mapper<T>): T[];
   wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T };
   wNAFUnsafe(W: number, precomputes: T[], n: bigint, acc?: T): T;
-  wNAFCached(P: T, n: bigint, transform: Mapper<T>): { p: T; f: T };
-  wNAFCachedUnsafe(P: T, n: bigint, transform: Mapper<T>, prev?: T): T;
+  wNAFCached(P: T, n: bigint, transform?: Mapper<T>): { p: T; f: T };
+  wNAFCachedUnsafe(P: T, n: bigint, transform?: Mapper<T>, prev?: T): T;
   setWindowSize(P: T, W: number): void;
 };
 
@@ -136,7 +164,7 @@ export type IWNAF<T extends Group<T>> = {
  */
 export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number): IWNAF<T> {
   return {
-    constTimeNegate,
+    constTimeNegate: negateCt,
 
     hasPrecomputes(elm: T) {
       return getW(elm) !== 1;
@@ -212,12 +240,13 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
         if (isZero) {
           // bits are 0: add garbage to fake point
           // Important part for const-time getPublicKey: add random "noise" point to f.
-          f = f.add(constTimeNegate(isNegF, precomputes[offsetF]));
+          f = f.add(negateCt(isNegF, precomputes[offsetF]));
         } else {
           // bits are 1: add to result point
-          p = p.add(constTimeNegate(isNeg, precomputes[offset]));
+          p = p.add(negateCt(isNeg, precomputes[offset]));
         }
       }
+      assert0(n);
       // Return both real and fake points: JIT won't eliminate f.
       // At this point there is a way to F be infinity-point even if p is not,
       // which makes it less const-time: around 1 bigint multiply.
@@ -247,25 +276,30 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
           acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
         }
       }
+      assert0(n);
       return acc;
     },
 
-    getPrecomputes(W: number, P: T, transform: Mapper<T>): T[] {
+    getPrecomputes(W: number, P: T, transform?: Mapper<T>): T[] {
       // Calculate precomputes on a first run, reuse them after
       let comp = pointPrecomputes.get(P);
       if (!comp) {
         comp = this.precomputeWindow(P, W) as T[];
-        if (W !== 1) pointPrecomputes.set(P, transform(comp));
+        if (W !== 1) {
+          // Doing transform outside of if brings 15% perf hit
+          if (typeof transform === 'function') comp = transform(comp);
+          pointPrecomputes.set(P, comp);
+        }
       }
       return comp;
     },
 
-    wNAFCached(P: T, n: bigint, transform: Mapper<T>): { p: T; f: T } {
+    wNAFCached(P: T, n: bigint, transform?: Mapper<T>): { p: T; f: T } {
       const W = getW(P);
       return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
     },
 
-    wNAFCachedUnsafe(P: T, n: bigint, transform: Mapper<T>, prev?: T): T {
+    wNAFCachedUnsafe(P: T, n: bigint, transform?: Mapper<T>, prev?: T): T {
       const W = getW(P);
       if (W === 1) return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
       return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
@@ -283,6 +317,29 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number):
   };
 }
 
+/**
+ * Endomorphism-specific multiplication for Koblitz curves.
+ * Cost: 128 dbl, 0-256 adds.
+ */
+export function mulEndoUnsafe<T extends Group<T>>(
+  c: GroupConstructor<T>,
+  point: T,
+  k1: bigint,
+  k2: bigint
+): { p1: T; p2: T } {
+  let acc = point;
+  let p1 = c.ZERO;
+  let p2 = c.ZERO;
+  while (k1 > _0n || k2 > _0n) {
+    if (k1 & _1n) p1 = p1.add(acc);
+    if (k2 & _1n) p2 = p2.add(acc);
+    acc = acc.double();
+    k1 >>= _1n;
+    k2 >>= _1n;
+  }
+  return { p1, p2 };
+}
+
 /**
  * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
  * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
@@ -307,18 +364,23 @@ export function pippenger<T extends Group<T>>(
   // 0 is accepted in scalars
   validateMSMPoints(points, c);
   validateMSMScalars(scalars, fieldN);
-  if (points.length !== scalars.length)
-    throw new Error('arrays of points and scalars must have equal length');
+  const plength = points.length;
+  const slength = scalars.length;
+  if (plength !== slength) throw new Error('arrays of points and scalars must have equal length');
+  // if (plength === 0) throw new Error('array must be of length >= 2');
   const zero = c.ZERO;
-  const wbits = bitLen(BigInt(points.length));
-  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
+  const wbits = bitLen(BigInt(plength));
+  let windowSize = 1; // bits
+  if (wbits > 12) windowSize = wbits - 3;
+  else if (wbits > 4) windowSize = wbits - 2;
+  else if (wbits > 0) windowSize = 2;
   const MASK = bitMask(windowSize);
   const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
   const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
   let sum = zero;
   for (let i = lastBits; i >= 0; i -= windowSize) {
     buckets.fill(zero);
-    for (let j = 0; j < scalars.length; j++) {
+    for (let j = 0; j < slength; j++) {
       const scalar = scalars[j];
       const wbits = Number((scalar >> BigInt(i)) & MASK);
       buckets[wbits] = buckets[wbits].add(points[j]);
@@ -432,6 +494,8 @@ export type BasicCurve<T> = {
   allowInfinityPoint?: boolean; // bls12-381 requires it. ZERO point is valid, but invalid pubkey
 };
 
+// TODO: remove
+/** @deprecated */
 export function validateBasic<FP, T>(
   curve: BasicCurve<FP> & T
 ): Readonly<
@@ -464,3 +528,46 @@ export function validateBasic<FP, T>(
     ...{ p: curve.Fp.ORDER },
   } as const);
 }
+
+export type ValidCurveParams<T> = {
+  a: T;
+  p: bigint;
+  n: bigint;
+  h: bigint;
+  Gx: T;
+  Gy: T;
+} & ({ b: T } | { d: T });
+
+function createField<T>(order: bigint, field?: IField<T>): IField<T> {
+  if (field) {
+    if (field.ORDER !== order) throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
+    validateField(field);
+    return field;
+  } else {
+    return Field(order) as unknown as IField<T>;
+  }
+}
+export type FpFn<T> = { Fp: IField<T>; Fn: IField<bigint> };
+/** Validates CURVE opts and creates fields */
+export function _createCurveFields<T>(
+  type: 'weierstrass' | 'edwards',
+  CURVE: ValidCurveParams<T>,
+  curveOpts: Partial<FpFn<T>> = {}
+): FpFn<T> {
+  if (!CURVE || typeof CURVE !== 'object') throw new Error(`expected valid ${type} CURVE object`);
+  for (const p of ['p', 'n', 'h'] as const) {
+    const val = CURVE[p];
+    if (!(typeof val === 'bigint' && val > _0n))
+      throw new Error(`CURVE.${p} must be positive bigint`);
+  }
+  const Fp = createField(CURVE.p, curveOpts.Fp);
+  const Fn = createField(CURVE.n, curveOpts.Fn);
+  const _b: 'b' | 'd' = type === 'weierstrass' ? 'b' : 'd';
+  const params = ['Gx', 'Gy', 'a', _b] as const;
+  for (const p of params) {
+    // @ts-ignore
+    if (!Fp.isValid(CURVE[p]))
+      throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+  }
+  return { Fp, Fn };
+}