@noble/curves 1.9.1 → 1.9.3

package/src/abstract/montgomery.ts

@@ -5,14 +5,16 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { mod } from './modular.ts';
 import {
+  _validateObject,
   aInRange,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesLE,
-  validateObject,
-} from './utils.ts';
+  randomBytes,
+} from '../utils.ts';
+import type { CurveInfo } from './curve.ts';
+import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -24,31 +26,43 @@ export type CurveType = {
   type: 'x25519' | 'x448';
   adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
   powPminus2: (x: bigint) => bigint;
-  randomBytes: (bytesLength?: number) => Uint8Array;
+  randomBytes?: (bytesLength?: number) => Uint8Array;
 };
 
-export type CurveFn = {
+export type MontgomeryECDH = {
   scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
   scalarMultBase: (scalar: Hex) => Uint8Array;
-  getSharedSecret: (privateKeyA: Hex, publicKeyB: Hex) => Uint8Array;
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  utils: { randomPrivateKey: () => Uint8Array };
+  getSharedSecret: (secretKeyA: Hex, publicKeyB: Hex) => Uint8Array;
+  getPublicKey: (secretKey: Hex) => Uint8Array;
+  utils: {
+    randomSecretKey: () => Uint8Array;
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: () => Uint8Array;
+  };
   GuBytes: Uint8Array;
+  info: {
+    type: 'montgomery';
+    lengths: Omit<CurveInfo['lengths'], 'signature'>;
+    publicKeyHasPrefix?: boolean;
+  };
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
 };
+export type CurveFn = MontgomeryECDH;
 
 function validateOpts(curve: CurveType) {
-  validateObject(curve, {
+  _validateObject(curve, {
     adjustScalarBytes: 'function',
     powPminus2: 'function',
   });
   return Object.freeze({ ...curve } as const);
 }
 
-export function montgomery(curveDef: CurveType): CurveFn {
+export function montgomery(curveDef: CurveType): MontgomeryECDH {
   const CURVE = validateOpts(curveDef);
-  const { P, type, adjustScalarBytes, powPminus2 } = CURVE;
+  const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
   const is25519 = type === 'x25519';
   if (!is25519 && type !== 'x448') throw new Error('invalid type');
+  const randomBytes_ = rand || randomBytes;
 
   const montgomeryBits = is25519 ? 255 : 448;
   const fieldLen = is25519 ? 32 : 56;
@@ -153,13 +167,28 @@ export function montgomery(curveDef: CurveType): CurveFn {
     const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
     return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
-
+  const randomSecretKey = (seed = randomBytes_(fieldLen)) => seed;
+  const utils = {
+    randomSecretKey,
+    randomPrivateKey: randomSecretKey,
+  };
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: scalarMultBase(secretKey) };
+  }
+  const lengths = {
+    secret: fieldLen,
+    public: fieldLen,
+    seed: fieldLen,
+  };
   return {
+    keygen,
+    getSharedSecret: (secretKey: Hex, publicKey: Hex) => scalarMult(secretKey, publicKey),
+    getPublicKey: (secretKey: Hex): Uint8Array => scalarMultBase(secretKey),
     scalarMult,
     scalarMultBase,
-    getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
-    getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    utils: { randomPrivateKey: () => CURVE.randomBytes!(fieldLen) },
+    utils,
     GuBytes: GuBytes.slice(),
+    info: { type: 'montgomery' as const, lengths },
   };
 }

package/src/abstract/poseidon.ts

@@ -7,8 +7,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { _validateObject, bitGet } from '../utils.ts';
 import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
-import { bitGet } from './utils.ts';
 
 // Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
 function grainLFSR(state: number[]): () => boolean {
@@ -41,20 +41,28 @@ export type PoseidonBasicOpts = {
   isSboxInverse?: boolean;
 };
 
-function validateBasicOpts(opts: PoseidonBasicOpts) {
+function assertValidPosOpts(opts: PoseidonBasicOpts) {
   const { Fp, roundsFull } = opts;
   validateField(Fp);
+  _validateObject(
+    opts,
+    {
+      t: 'number',
+      roundsFull: 'number',
+      roundsPartial: 'number',
+    },
+    {
+      isSboxInverse: 'boolean',
+    }
+  );
   for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
+    if (!Number.isSafeInteger(opts[i]) || opts[i] < 1) throw new Error('invalid number ' + i);
   }
-  if (opts.isSboxInverse !== undefined && typeof opts.isSboxInverse !== 'boolean')
-    throw new Error(`Poseidon: invalid param isSboxInverse=${opts.isSboxInverse}`);
   if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
 }
 
 function poseidonGrain(opts: PoseidonBasicOpts) {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp } = opts;
   const state = Array(80).fill(1);
   let pos = 0;
@@ -140,7 +148,7 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
   sboxPower?: number;
   reversePartialPowIdx?: boolean; // Hack for stark
 }> {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
   const { roundsFull, roundsPartial, sboxPower, t } = opts;
 
@@ -196,12 +204,13 @@ export function splitConstants(rc: bigint[], t: number): bigint[][] {
   return res;
 }
 
-/** Poseidon NTT-friendly hash. */
-export function poseidon(opts: PoseidonOpts): {
+export type PoseidonFn = {
   (values: bigint[]): bigint[];
   // For verification in tests
   roundConstants: bigint[][];
-} {
+};
+/** Poseidon NTT-friendly hash. */
+export function poseidon(opts: PoseidonOpts): PoseidonFn {
   const _opts = validateOpts(opts);
   const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
   const halfRoundsFull = _opts.roundsFull / 2;
@@ -242,17 +251,12 @@ export class PoseidonSponge {
   private Fp: IField<bigint>;
   readonly rate: number;
   readonly capacity: number;
-  readonly hash: ReturnType<typeof poseidon>;
+  readonly hash: PoseidonFn;
   private state: bigint[]; // [...capacity, ...rate]
   private pos = 0;
   private isAbsorbing = true;
 
-  constructor(
-    Fp: IField<bigint>,
-    rate: number,
-    capacity: number,
-    hash: ReturnType<typeof poseidon>
-  ) {
+  constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn) {
     this.Fp = Fp;
     this.hash = hash;
     this.rate = rate;

package/src/abstract/tower.ts

@@ -10,9 +10,9 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { bitLen, bitMask, concatBytes, notImplemented } from '../utils.ts';
 import * as mod from './modular.ts';
-import { bitLen, bitMask, concatBytes, notImplemented } from './utils.ts';
-import type { ProjConstructor, ProjPointType } from './weierstrass.ts';
+import type { WeierstrassPoint, WeierstrassPointCons } from './weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -34,19 +34,33 @@ export type BigintTwelve = [
 ];
 
 export type Fp2Bls = mod.IField<Fp2> & {
-  reim: (num: Fp2) => { re: Fp; im: Fp };
-  mulByB: (num: Fp2) => Fp2;
   frobeniusMap(num: Fp2, power: number): Fp2;
   fromBigTuple(num: [bigint, bigint]): Fp2;
+  mulByB: (num: Fp2) => Fp2;
+  mulByNonresidue: (num: Fp2) => Fp2;
+  reim: (num: Fp2) => { re: Fp; im: Fp };
+  NONRESIDUE: Fp2;
+};
+
+export type Fp6Bls = mod.IField<Fp6> & {
+  frobeniusMap(num: Fp6, power: number): Fp6;
+  fromBigSix: (tuple: BigintSix) => Fp6;
+  mul1(num: Fp6, b1: Fp2): Fp6;
+  mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
+  mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
+  mulByNonresidue: (num: Fp6) => Fp6;
 };
 
 export type Fp12Bls = mod.IField<Fp12> & {
   frobeniusMap(num: Fp12, power: number): Fp12;
+  fromBigTwelve: (t: BigintTwelve) => Fp12;
   mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
   mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
+  mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
   conjugate(num: Fp12): Fp12;
   finalExponentiate(num: Fp12): Fp12;
-  fromBigTwelve(num: BigintTwelve): Fp12;
+  _cyclotomicSquare(num: Fp12): Fp12;
+  _cyclotomicExp(num: Fp12, n: bigint): Fp12;
 };
 
 function calcFrobeniusCoefficients<T>(
@@ -81,8 +95,8 @@ export function psiFrobenius(
 ): {
   psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
   psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
-  G2psi: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
-  G2psi2: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
+  G2psi: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
+  G2psi2: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
   PSI_X: Fp2;
   PSI_Y: Fp2;
   PSI2_X: Fp2;
@@ -109,7 +123,7 @@ export function psiFrobenius(
   // Map points
   const mapAffine =
     <T>(fn: (x: T, y: T) => [T, T]) =>
-    (c: ProjConstructor<T>, P: ProjPointType<T>) => {
+    (c: WeierstrassPointCons<T>, P: WeierstrassPoint<T>) => {
       const affine = P.toAffine();
       const p = fn(affine.x, affine.y);
       return c.fromAffine({ x: p[0], y: p[1] });
@@ -134,34 +148,10 @@ export type Tower12Opts = {
 
 export function tower12(opts: Tower12Opts): {
   Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, 'isOdd'>>>;
-  Fp2: mod.IField<Fp2> & {
-    NONRESIDUE: Fp2;
-    fromBigTuple: (tuple: BigintTuple | bigint[]) => Fp2;
-    reim: (num: Fp2) => { re: bigint; im: bigint };
-    mulByNonresidue: (num: Fp2) => Fp2;
-    mulByB: (num: Fp2) => Fp2;
-    frobeniusMap(num: Fp2, power: number): Fp2;
-  };
-  Fp6: mod.IField<Fp6> & {
-    fromBigSix: (tuple: BigintSix) => Fp6;
-    mulByNonresidue: (num: Fp6) => Fp6;
-    frobeniusMap(num: Fp6, power: number): Fp6;
-    mul1(num: Fp6, b1: Fp2): Fp6;
-    mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
-    mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
-  };
+  Fp2: Fp2Bls;
+  Fp6: Fp6Bls;
+  Fp12: Fp12Bls;
   Fp4Square: (a: Fp2, b: Fp2) => { first: Fp2; second: Fp2 };
-  Fp12: mod.IField<Fp12> & {
-    fromBigTwelve: (t: BigintTwelve) => Fp12;
-    frobeniusMap(num: Fp12, power: number): Fp12;
-    mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
-    mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
-    mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
-    conjugate(num: Fp12): Fp12;
-    finalExponentiate(num: Fp12): Fp12;
-    _cyclotomicSquare(num: Fp12): Fp12;
-    _cyclotomicExp(num: Fp12, n: bigint): Fp12;
-  };
 } {
   const { ORDER } = opts;
   // Fp
@@ -196,23 +186,19 @@ export function tower12(opts: Tower12Opts): {
     const c = Fp.add(c0, c0);
     return { c0: Fp.mul(a, b), c1: Fp.mul(c, c1) };
   };
-  type Fp2Utils = {
-    NONRESIDUE: Fp2;
-    fromBigTuple: (tuple: BigintTuple | bigint[]) => Fp2;
-    reim: (num: Fp2) => { re: bigint; im: bigint };
-    mulByNonresidue: (num: Fp2) => Fp2;
-    mulByB: (num: Fp2) => Fp2;
-    frobeniusMap(num: Fp2, power: number): Fp2;
-  };
   const Fp2fromBigTuple = (tuple: BigintTuple | bigint[]) => {
     if (tuple.length !== 2) throw new Error('invalid tuple');
     const fps = tuple.map((n) => Fp.create(n)) as [Fp, Fp];
     return { c0: fps[0], c1: fps[1] };
   };
 
+  function isValidC(num: bigint, ORDER: bigint) {
+    return typeof num === 'bigint' && _0n <= num && num < ORDER;
+  }
+
   const FP2_ORDER = ORDER * ORDER;
   const Fp2Nonresidue = Fp2fromBigTuple(opts.FP2_NONRESIDUE);
-  const Fp2: mod.IField<Fp2> & Fp2Utils = {
+  const Fp2: Fp2Bls = {
     ORDER: FP2_ORDER,
     isLE: Fp.isLE,
     NONRESIDUE: Fp2Nonresidue,
@@ -222,8 +208,9 @@ export function tower12(opts: Tower12Opts): {
     ZERO: { c0: Fp.ZERO, c1: Fp.ZERO },
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
-    isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
+    isValid: ({ c0, c1 }) => isValidC(c0, FP2_ORDER) && isValidC(c1, FP2_ORDER),
     is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    isValidNot0: (num) => !Fp2.is0(num) && Fp2.isValid(num),
     eql: ({ c0, c1 }: Fp2, { c0: r0, c1: r1 }: Fp2) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
     neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
@@ -361,15 +348,6 @@ export function tower12(opts: Tower12Opts): {
       c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
   };
-  type Fp6Utils = {
-    fromBigSix: (tuple: BigintSix) => Fp6;
-    mulByNonresidue: (num: Fp6) => Fp6;
-    frobeniusMap(num: Fp6, power: number): Fp6;
-    mul1(num: Fp6, b1: Fp2): Fp6;
-    mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
-    mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
-  };
-
   const [FP6_FROBENIUS_COEFFICIENTS_1, FP6_FROBENIUS_COEFFICIENTS_2] = calcFrobeniusCoefficients(
     Fp2,
     Fp2Nonresidue,
@@ -379,7 +357,7 @@ export function tower12(opts: Tower12Opts): {
     3
   );
 
-  const Fp6: mod.IField<Fp6> & Fp6Utils = {
+  const Fp6: Fp6Bls = {
     ORDER: Fp2.ORDER, // TODO: unused, but need to verify
     isLE: Fp2.isLE,
     BITS: 3 * Fp2.BITS,
@@ -390,6 +368,7 @@ export function tower12(opts: Tower12Opts): {
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
     is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    isValidNot0: (num) => !Fp6.is0(num) && Fp6.isValid(num),
     neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
     eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) =>
       Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
@@ -439,9 +418,9 @@ export function tower12(opts: Tower12Opts): {
     fromBigSix: (t: BigintSix): Fp6 => {
       if (!Array.isArray(t) || t.length !== 6) throw new Error('invalid Fp6 usage');
       return {
-        c0: Fp2.fromBigTuple(t.slice(0, 2)),
-        c1: Fp2.fromBigTuple(t.slice(2, 4)),
-        c2: Fp2.fromBigTuple(t.slice(4, 6)),
+        c0: Fp2.fromBigTuple(t.slice(0, 2) as BigintTuple),
+        c1: Fp2.fromBigTuple(t.slice(2, 4) as BigintTuple),
+        c2: Fp2.fromBigTuple(t.slice(4, 6) as BigintTuple),
       };
     },
     frobeniusMap: ({ c0, c1, c2 }, power: number) => ({
@@ -524,19 +503,8 @@ export function tower12(opts: Tower12Opts): {
       second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
   }
-  type Fp12Utils = {
-    fromBigTwelve: (t: BigintTwelve) => Fp12;
-    frobeniusMap(num: Fp12, power: number): Fp12;
-    mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
-    mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
-    mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
-    conjugate(num: Fp12): Fp12;
-    finalExponentiate(num: Fp12): Fp12;
-    _cyclotomicSquare(num: Fp12): Fp12;
-    _cyclotomicExp(num: Fp12, n: bigint): Fp12;
-  };
 
-  const Fp12: mod.IField<Fp12> & Fp12Utils = {
+  const Fp12: Fp12Bls = {
     ORDER: Fp2.ORDER, // TODO: unused, but need to verify
     isLE: Fp6.isLE,
     BITS: 2 * Fp6.BITS,
@@ -547,6 +515,7 @@ export function tower12(opts: Tower12Opts): {
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
     is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    isValidNot0: (num) => !Fp12.is0(num) && Fp12.isValid(num),
     neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
     eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: notImplemented,
@@ -646,5 +615,5 @@ export function tower12(opts: Tower12Opts): {
     finalExponentiate: opts.Fp12finalExponentiate,
   };
 
-  return { Fp, Fp2, Fp6, Fp4Square, Fp12 };
+  return { Fp, Fp2, Fp6, Fp12, Fp4Square };
 }