@noble/curves 1.9.2 → 1.9.3

package/esm/abstract/curve.d.ts

@@ -1,3 +1,10 @@
+/**
+ * Methods for elliptic curve multiplication by scalars.
+ * Contains wNAF, pippenger.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { type Hex } from '../utils.ts';
 import { type IField } from './modular.ts';
 export type AffinePoint<T> = {
     x: T;
@@ -15,24 +22,76 @@ export interface Group<T extends Group<T>> {
     multiply(scalar: bigint): T;
     toAffine?(invertedZ?: any): AffinePoint<any>;
 }
+/** Base interface for all elliptic curve Points. */
+export interface CurvePoint<F, P extends CurvePoint<F, P>> extends Group<P> {
+    /** Affine x coordinate. Different from projective / extended X coordinate. */
+    x: F;
+    /** Affine y coordinate. Different from projective / extended Y coordinate. */
+    y: F;
+    Z?: F;
+    assertValidity(): void;
+    clearCofactor(): P;
+    is0(): boolean;
+    isTorsionFree(): boolean;
+    isSmallOrder(): boolean;
+    multiplyUnsafe(scalar: bigint): P;
+    /**
+     * Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
+     * @param isLazy calculate cache now. Default (true) ensures it's deferred to first `multiply()`
+     */
+    precompute(windowSize?: number, isLazy?: boolean): P;
+    /** Converts point to 2D xy affine coordinates */
+    toAffine(invertedZ?: F): AffinePoint<F>;
+    toBytes(): Uint8Array;
+    toHex(): string;
+}
+/** Base interface for all elliptic curve Point constructors. */
+export interface CurvePointCons<F, P extends CurvePoint<F, P>> extends GroupConstructor<P> {
+    BASE: P;
+    ZERO: P;
+    /** Field for basic curve math */
+    Fp: IField<F>;
+    /** Scalar field, for scalars in multiply and others */
+    Fn: IField<bigint>;
+    /** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */
+    fromAffine(p: AffinePoint<F>): P;
+    fromBytes(bytes: Uint8Array): P;
+    fromHex(hex: Hex): P;
+}
+export type GetPointConsF<PC> = PC extends CurvePointCons<infer F, any> ? F : never;
+export type GetPointConsPoint<PC> = PC extends CurvePointCons<any, infer P> ? P : never;
+export interface CurveInfo {
+    type: 'weierstrass' | 'edwards' | 'montgomery';
+    publicKeyHasPrefix?: boolean;
+    lengths: {
+        secret: number;
+        public: number;
+        publicUncompressed?: number;
+        signature: number;
+        seed: number;
+    };
+}
 export type GroupConstructor<T> = {
     BASE: T;
     ZERO: T;
 };
+/** @deprecated */
 export type ExtendedGroupConstructor<T> = GroupConstructor<T> & {
     Fp: IField<any>;
     Fn: IField<bigint>;
     fromAffine(ap: AffinePoint<any>): T;
 };
 export type Mapper<T> = (i: T[]) => T[];
-export declare function negateCt<T extends Group<T>>(condition: boolean, item: T): T;
+export declare function negateCt<T extends {
+    negate: () => T;
+}>(condition: boolean, item: T): T;
 /**
  * Takes a bunch of Projective Points but executes only one
  * inversion on all of them. Inversion is very slow operation,
  * so this improves performance massively.
  * Optimization: converts a list of projective points to a list of identical points with Z=1.
  */
-export declare function normalizeZ<T>(c: ExtendedGroupConstructor<T>, property: 'pz' | 'ez', points: T[]): T[];
+export declare function normalizeZ<PC extends CurvePointCons<any, any>, F = GetPointConsF<PC>, P extends CurvePoint<F, P> = GetPointConsPoint<PC>>(c: CurvePointCons<F, P>, points: P[]): P[];
 /** Internal wNAF opts for specific W and scalarBits */
 export type WOpts = {
     windows: number;
@@ -41,26 +100,12 @@ export type WOpts = {
     maxNumber: number;
     shiftBy: bigint;
 };
-export type IWNAF<T extends Group<T>> = {
-    constTimeNegate: <T extends Group<T>>(condition: boolean, item: T) => T;
-    hasPrecomputes(elm: T): boolean;
-    unsafeLadder(elm: T, n: bigint, p?: T): T;
-    precomputeWindow(elm: T, W: number): Group<T>[];
-    getPrecomputes(W: number, P: T, transform?: Mapper<T>): T[];
-    wNAF(W: number, precomputes: T[], n: bigint): {
-        p: T;
-        f: T;
-    };
-    wNAFUnsafe(W: number, precomputes: T[], n: bigint, acc?: T): T;
-    wNAFCached(P: T, n: bigint, transform?: Mapper<T>): {
-        p: T;
-        f: T;
-    };
-    wNAFCachedUnsafe(P: T, n: bigint, transform?: Mapper<T>, prev?: T): T;
-    setWindowSize(P: T, W: number): void;
-};
 /**
  * Elliptic curve multiplication of Point by scalar. Fragile.
+ * Table generation takes **30MB of ram and 10ms on high-end CPU**,
+ * but may take much longer on slow devices. Actual generation will happen on
+ * first call of `multiply()`. By default, `BASE` point is precomputed.
+ *
  * Scalars should always be less than curve order: this should be checked inside of a curve itself.
  * Creates precomputation tables for fast multiplication:
  * - private scalar is split by fixed size windows of W bits
@@ -73,12 +118,53 @@ export type IWNAF<T extends Group<T>> = {
  * @todo Research returning 2d JS array of windows, instead of a single window.
  * This would allow windows to be in different memory locations
  */
-export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number): IWNAF<T>;
+export declare class wNAF<F, P extends CurvePoint<F, P>> {
+    private readonly BASE;
+    private readonly ZERO;
+    private readonly Fn;
+    readonly bits: number;
+    constructor(Point: CurvePointCons<F, P>, bits: number);
+    _unsafeLadder(elm: P, n: bigint, p?: P): P;
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    private precomputeWindow;
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    private wNAF;
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    private wNAFUnsafe;
+    private getPrecomputes;
+    cached(point: P, scalar: bigint, transform?: Mapper<P>): {
+        p: P;
+        f: P;
+    };
+    unsafe(point: P, scalar: bigint, transform?: Mapper<P>, prev?: P): P;
+    createCache(P: P, W: number): void;
+    hasCache(elm: P): boolean;
+}
 /**
  * Endomorphism-specific multiplication for Koblitz curves.
  * Cost: 128 dbl, 0-256 adds.
  */
-export declare function mulEndoUnsafe<T extends Group<T>>(c: GroupConstructor<T>, point: T, k1: bigint, k2: bigint): {
+export declare function mulEndoUnsafe<T extends Group<T>>(Point: GroupConstructor<T>, point: T, k1: bigint, k2: bigint): {
     p1: T;
     p2: T;
 };
@@ -90,7 +176,7 @@ export declare function mulEndoUnsafe<T extends Group<T>>(c: GroupConstructor<T>
  * @param c Curve Point constructor
  * @param fieldN field over CURVE.N - important that it's not over CURVE.P
  * @param points array of L curve points
- * @param scalars array of L scalars (aka private keys / bigints)
+ * @param scalars array of L scalars (aka secret keys / bigints)
  */
 export declare function pippenger<T extends Group<T>>(c: GroupConstructor<T>, fieldN: IField<bigint>, points: T[], scalars: bigint[]): T;
 /**

package/esm/abstract/curve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"curve.d.ts","sourceRoot":"","sources":["../../src/abstract/curve.ts"],"names":[],"mappings":"AAOA,OAAO,EAAwB,KAAK,MAAM,EAA0B,MAAM,cAAc,CAAC;AAKzF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI;IAC3B,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,EAAE,CAAC,CAAC;CACN,GAAG;IAAE,CAAC,CAAC,EAAE,KAAK,CAAC;IAAC,CAAC,CAAC,EAAE,KAAK,CAAA;CAAE,CAAC;AAE7B,MAAM,WAAW,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC;IACvC,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,IAAI,CAAC,CAAC;IACZ,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACjB,QAAQ,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACtB,MAAM,CAAC,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC;IAC5B,QAAQ,CAAC,CAAC,SAAS,CAAC,EAAE,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;CAC9C;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,IAAI,EAAE,CAAC,CAAC;IACR,IAAI,EAAE,CAAC,CAAC;CACT,CAAC;AACF,MAAM,MAAM,wBAAwB,CAAC,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC,GAAG;IAC9D,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;CACrC,CAAC;AACF,MAAM,MAAM,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;AAExC,wBAAgB,QAAQ,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAG3E;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAC1B,CAAC,EAAE,wBAAwB,CAAC,CAAC,CAAC,EAC9B,QAAQ,EAAE,IAAI,GAAG,IAAI,EACrB,MAAM,EAAE,CAAC,EAAE,GACV,CAAC,EAAE,CAML;AAOD,uDAAuD;AACvD,MAAM,MAAM,KAAK,GAAG;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAgEF,MAAM,MAAM,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,IAAI;IACtC,eAAe,EAAE,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC;IACxE,cAAc,CAAC,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;IAChC,YAAY,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IAC1C,gBAAgB,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAChD,cAAc,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IAC5D,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,GAAG;QAAE,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC,EAAE,CAAC,CAAA;KAAE,CAAC;IAC7D,UAAU,CAAC,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IAC/D,UAAU,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG;QAAE,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC,EAAE,CAAC,CAAA;KAAE,CAAC;IACnE,gBAAgB,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IACtE,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtC,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,wBAAgB,IAAI,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAyJvF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAC9C,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EACtB,KAAK,EAAE,CAAC,EACR,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IAAE,EAAE,EAAE,CAAC,CAAC;IAAC,EAAE,EAAE,CAAC,CAAA;CAAE,CAYlB;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAC1C,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EACtB,MAAM,EAAE,CAAC,EAAE,EACX,OAAO,EAAE,MAAM,EAAE,GAChB,CAAC,CAwCH;AACD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EACpD,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EACtB,MAAM,EAAE,CAAC,EAAE,EACX,UAAU,EAAE,MAAM,GACjB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAoE1B;AAED;;;GAGG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI;IAC1B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IACd,CAAC,EAAE,MAAM,CAAC;IACV,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,CAAC,EAAE,MAAM,CAAC;IACV,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;IACN,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B,CAAC;AAGF,kBAAkB;AAClB,wBAAgB,aAAa,CAAC,EAAE,EAAE,CAAC,EACjC,KAAK,EAAE,UAAU,CAAC,EAAE,CAAC,GAAG,CAAC,GACxB,QAAQ,CACT;IACE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,GAAG,UAAU,CAAC,EAAE,CAAC,GAChB,CAAC,GAAG;IACF,CAAC,EAAE,MAAM,CAAC;CACX,CACJ,CAqBA;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,EAAE,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;CACP,GAAG,CAAC;IAAE,CAAC,EAAE,CAAC,CAAA;CAAE,GAAG;IAAE,CAAC,EAAE,CAAC,CAAA;CAAE,CAAC,CAAC;AAW1B,MAAM,MAAM,IAAI,CAAC,CAAC,IAAI;IAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;CAAE,CAAC;AAC5D,8CAA8C;AAC9C,wBAAgB,kBAAkB,CAAC,CAAC,EAClC,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC1B,SAAS,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAM,GAC/B,IAAI,CAAC,CAAC,CAAC,CAiBT"}
+{"version":3,"file":"curve.d.ts","sourceRoot":"","sources":["../../src/abstract/curve.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAmC,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAgD,KAAK,MAAM,EAAE,MAAM,cAAc,CAAC;AAKzF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI;IAC3B,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,EAAE,CAAC,CAAC;CACN,GAAG;IAAE,CAAC,CAAC,EAAE,KAAK,CAAC;IAAC,CAAC,CAAC,EAAE,KAAK,CAAA;CAAE,CAAC;AAI7B,MAAM,WAAW,KAAK,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC;IACvC,MAAM,IAAI,CAAC,CAAC;IACZ,MAAM,IAAI,CAAC,CAAC;IACZ,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACjB,QAAQ,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC;IACtB,MAAM,CAAC,KAAK,EAAE,CAAC,GAAG,OAAO,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC;IAC5B,QAAQ,CAAC,CAAC,SAAS,CAAC,EAAE,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;CAC9C;AAKD,oDAAoD;AACpD,MAAM,WAAW,UAAU,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,SAAQ,KAAK,CAAC,CAAC,CAAC;IACzE,8EAA8E;IAC9E,CAAC,EAAE,CAAC,CAAC;IACL,8EAA8E;IAC9E,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,CAAC,EAAE,CAAC,CAAC;IACN,cAAc,IAAI,IAAI,CAAC;IACvB,aAAa,IAAI,CAAC,CAAC;IACnB,GAAG,IAAI,OAAO,CAAC;IACf,aAAa,IAAI,OAAO,CAAC;IACzB,YAAY,IAAI,OAAO,CAAC;IACxB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,CAAC,CAAC;IAClC;;;OAGG;IACH,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;IACrD,iDAAiD;IACjD,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IACxC,OAAO,IAAI,UAAU,CAAC;IACtB,KAAK,IAAI,MAAM,CAAC;CACjB;AAED,gEAAgE;AAChE,MAAM,WAAW,cAAc,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAE,SAAQ,gBAAgB,CAAC,CAAC,CAAC;IACxF,IAAI,EAAE,CAAC,CAAC;IACR,IAAI,EAAE,CAAC,CAAC;IACR,iCAAiC;IACjC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IACd,uDAAuD;IACvD,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,iGAAiG;IACjG,UAAU,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACjC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,CAAC,CAAC;IAChC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAC;CACtB;AAID,MAAM,MAAM,aAAa,CAAC,EAAE,IAAI,EAAE,SAAS,cAAc,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;AACpF,MAAM,MAAM,iBAAiB,CAAC,EAAE,IAAI,EAAE,SAAS,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;AAGxF,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,aAAa,GAAG,SAAS,GAAG,YAAY,CAAC;IAC/C,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,OAAO,EAAE;QACP,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;QAC5B,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AACD,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,IAAI,EAAE,CAAC,CAAC;IACR,IAAI,EAAE,CAAC,CAAC;CACT,CAAC;AACF,kBAAkB;AAClB,MAAM,MAAM,wBAAwB,CAAC,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC,GAAG;IAC9D,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;CACrC,CAAC;AACF,MAAM,MAAM,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;AAExC,wBAAgB,QAAQ,CAAC,CAAC,SAAS;IAAE,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAGtF;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CACxB,EAAE,SAAS,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,EACnC,CAAC,GAAG,aAAa,CAAC,EAAE,CAAC,EACrB,CAAC,SAAS,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,iBAAiB,CAAC,EAAE,CAAC,EAClD,CAAC,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,CAM3C;AAOD,uDAAuD;AACvD,MAAM,MAAM,KAAK,GAAG;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAkEF;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,IAAI,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAI;IACzB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAI;IACzB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAA6B;IAChD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBAGV,KAAK,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM;IAQrD,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,GAAE,CAAa,GAAG,CAAC;IAUrD;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,gBAAgB;IAkBxB;;;;;OAKG;IACH,OAAO,CAAC,IAAI;IAgCZ;;;;OAIG;IACH,OAAO,CAAC,UAAU;IAmBlB,OAAO,CAAC,cAAc;IActB,MAAM,CAAC,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG;QAAE,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC,EAAE,CAAC,CAAA;KAAE;IAKvE,MAAM,CAAC,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC;IASpE,WAAW,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI;IAMlC,QAAQ,CAAC,GAAG,EAAE,CAAC,GAAG,OAAO;CAG1B;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAC9C,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC1B,KAAK,EAAE,CAAC,EACR,EAAE,EAAE,MAAM,EACV,EAAE,EAAE,MAAM,GACT;IAAE,EAAE,EAAE,CAAC,CAAC;IAAC,EAAE,EAAE,CAAC,CAAA;CAAE,CAYlB;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EAC1C,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EACtB,MAAM,EAAE,CAAC,EAAE,EACX,OAAO,EAAE,MAAM,EAAE,GAChB,CAAC,CAwCH;AACD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,CAAC,EACpD,CAAC,EAAE,gBAAgB,CAAC,CAAC,CAAC,EACtB,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EACtB,MAAM,EAAE,CAAC,EAAE,EACX,UAAU,EAAE,MAAM,GACjB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAoE1B;AAGD;;;GAGG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI;IAC1B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IACd,CAAC,EAAE,MAAM,CAAC;IACV,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,CAAC,EAAE,MAAM,CAAC;IACV,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;IACN,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B,CAAC;AAGF,kBAAkB;AAClB,wBAAgB,aAAa,CAAC,EAAE,EAAE,CAAC,EACjC,KAAK,EAAE,UAAU,CAAC,EAAE,CAAC,GAAG,CAAC,GACxB,QAAQ,CACT;IACE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B,GAAG,UAAU,CAAC,EAAE,CAAC,GAChB,CAAC,GAAG;IACF,CAAC,EAAE,MAAM,CAAC;CACX,CACJ,CAqBA;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,IAAI;IAChC,CAAC,EAAE,CAAC,CAAC;IACL,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,EAAE,EAAE,CAAC,CAAC;IACN,EAAE,EAAE,CAAC,CAAC;CACP,GAAG,CAAC;IAAE,CAAC,EAAE,CAAC,CAAA;CAAE,GAAG;IAAE,CAAC,EAAE,CAAC,CAAA;CAAE,CAAC,CAAC;AAW1B,MAAM,MAAM,IAAI,CAAC,CAAC,IAAI;IAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAA;CAAE,CAAC;AAC5D,8CAA8C;AAC9C,wBAAgB,kBAAkB,CAAC,CAAC,EAClC,IAAI,EAAE,aAAa,GAAG,SAAS,EAC/B,KAAK,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC1B,SAAS,GAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAM,GAC/B,IAAI,CAAC,CAAC,CAAC,CAiBT"}

package/esm/abstract/curve.js

@@ -1,6 +1,6 @@
 /**
  * Methods for elliptic curve multiplication by scalars.
- * Contains wNAF, pippenger
+ * Contains wNAF, pippenger.
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
@@ -18,12 +18,9 @@ export function negateCt(condition, item) {
  * so this improves performance massively.
  * Optimization: converts a list of projective points to a list of identical points with Z=1.
  */
-export function normalizeZ(c, property, points) {
-    const getz = property === 'pz' ? (p) => p.pz : (p) => p.ez;
-    const toInv = FpInvertBatch(c.Fp, points.map(getz));
-    // @ts-ignore
-    const affined = points.map((p, i) => p.toAffine(toInv[i]));
-    return affined.map(c.fromAffine);
+export function normalizeZ(c, points) {
+    const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
+    return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
 }
 function validateW(W, bits) {
     if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
@@ -82,6 +79,8 @@ function validateMSMScalars(scalars, field) {
 const pointPrecomputes = new WeakMap();
 const pointWindowSizes = new WeakMap();
 function getW(P) {
+    // To disable precomputes:
+    // return 1;
     return pointWindowSizes.get(P) || 1;
 }
 function assert0(n) {
@@ -90,6 +89,10 @@ function assert0(n) {
 }
 /**
  * Elliptic curve multiplication of Point by scalar. Fragile.
+ * Table generation takes **30MB of ram and 10ms on high-end CPU**,
+ * but may take much longer on slow devices. Actual generation will happen on
+ * first call of `multiply()`. By default, `BASE` point is precomputed.
+ *
  * Scalars should always be less than curve order: this should be checked inside of a curve itself.
  * Creates precomputation tables for fast multiplication:
  * - private scalar is split by fixed size windows of W bits
@@ -102,164 +105,162 @@ function assert0(n) {
  * @todo Research returning 2d JS array of windows, instead of a single window.
  * This would allow windows to be in different memory locations
  */
-export function wNAF(c, bits) {
-    return {
-        constTimeNegate: negateCt,
-        hasPrecomputes(elm) {
-            return getW(elm) !== 1;
-        },
-        // non-const time multiplication ladder
-        unsafeLadder(elm, n, p = c.ZERO) {
-            let d = elm;
-            while (n > _0n) {
-                if (n & _1n)
-                    p = p.add(d);
-                d = d.double();
-                n >>= _1n;
-            }
-            return p;
-        },
-        /**
-         * Creates a wNAF precomputation window. Used for caching.
-         * Default window size is set by `utils.precompute()` and is equal to 8.
-         * Number of precomputed points depends on the curve size:
-         * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-         * - 𝑊 is the window size
-         * - 𝑛 is the bitlength of the curve order.
-         * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-         * @param elm Point instance
-         * @param W window size
-         * @returns precomputed point tables flattened to a single array
-         */
-        precomputeWindow(elm, W) {
-            const { windows, windowSize } = calcWOpts(W, bits);
-            const points = [];
-            let p = elm;
-            let base = p;
-            for (let window = 0; window < windows; window++) {
-                base = p;
+export class wNAF {
+    // Parametrized with a given Point class (not individual point)
+    constructor(Point, bits) {
+        this.BASE = Point.BASE;
+        this.ZERO = Point.ZERO;
+        this.Fn = Point.Fn;
+        this.bits = bits;
+    }
+    // non-const time multiplication ladder
+    _unsafeLadder(elm, n, p = this.ZERO) {
+        let d = elm;
+        while (n > _0n) {
+            if (n & _1n)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n;
+        }
+        return p;
+    }
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    precomputeWindow(point, W) {
+        const { windows, windowSize } = calcWOpts(W, this.bits);
+        const points = [];
+        let p = point;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            // i=1, bc we skip 0
+            for (let i = 1; i < windowSize; i++) {
+                base = base.add(p);
                 points.push(base);
-                // i=1, bc we skip 0
-                for (let i = 1; i < windowSize; i++) {
-                    base = base.add(p);
-                    points.push(base);
-                }
-                p = base.double();
             }
-            return points;
-        },
-        /**
-         * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-         * @param W window size
-         * @param precomputes precomputed tables
-         * @param n scalar (we don't check here, but should be less than curve order)
-         * @returns real and fake (for const-time) points
-         */
-        wNAF(W, precomputes, n) {
-            // Smaller version:
-            // https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
-            // TODO: check the scalar is less than group order?
-            // wNAF behavior is undefined otherwise. But have to carefully remove
-            // other checks before wNAF. ORDER == bits here.
-            // Accumulators
-            let p = c.ZERO;
-            let f = c.BASE;
-            // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-            // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-            // there is negate now: it is possible that negated element from low value
-            // would be the same as high element, which will create carry into next window.
-            // It's not obvious how this can fail, but still worth investigating later.
-            const wo = calcWOpts(W, bits);
-            for (let window = 0; window < wo.windows; window++) {
-                // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
-                const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
-                n = nextN;
-                if (isZero) {
-                    // bits are 0: add garbage to fake point
-                    // Important part for const-time getPublicKey: add random "noise" point to f.
-                    f = f.add(negateCt(isNegF, precomputes[offsetF]));
-                }
-                else {
-                    // bits are 1: add to result point
-                    p = p.add(negateCt(isNeg, precomputes[offset]));
-                }
+            p = base.double();
+        }
+        return points;
+    }
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(W, precomputes, n) {
+        // Scalar should be smaller than field order
+        if (!this.Fn.isValid(n))
+            throw new Error('invalid scalar');
+        // Accumulators
+        let p = this.ZERO;
+        let f = this.BASE;
+        // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+        // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+        // there is negate now: it is possible that negated element from low value
+        // would be the same as high element, which will create carry into next window.
+        // It's not obvious how this can fail, but still worth investigating later.
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
+            const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // bits are 0: add garbage to fake point
+                // Important part for const-time getPublicKey: add random "noise" point to f.
+                f = f.add(negateCt(isNegF, precomputes[offsetF]));
+            }
+            else {
+                // bits are 1: add to result point
+                p = p.add(negateCt(isNeg, precomputes[offset]));
+            }
+        }
+        assert0(n);
+        // Return both real and fake points: JIT won't eliminate f.
+        // At this point there is a way to F be infinity-point even if p is not,
+        // which makes it less const-time: around 1 bigint multiply.
+        return { p, f };
+    }
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            if (n === _0n)
+                break; // Early-exit, skip 0 value
+            const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // Window bits are 0: skip processing.
+                // Move to next window.
+                continue;
             }
-            assert0(n);
-            // Return both real and fake points: JIT won't eliminate f.
-            // At this point there is a way to F be infinity-point even if p is not,
-            // which makes it less const-time: around 1 bigint multiply.
-            return { p, f };
-        },
-        /**
-         * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-         * @param W window size
-         * @param precomputes precomputed tables
-         * @param n scalar (we don't check here, but should be less than curve order)
-         * @param acc accumulator point to add result of multiplication
-         * @returns point
-         */
-        wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
-            const wo = calcWOpts(W, bits);
-            for (let window = 0; window < wo.windows; window++) {
-                if (n === _0n)
-                    break; // Early-exit, skip 0 value
-                const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
-                n = nextN;
-                if (isZero) {
-                    // Window bits are 0: skip processing.
-                    // Move to next window.
-                    continue;
-                }
-                else {
-                    const item = precomputes[offset];
-                    acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
-                }
+            else {
+                const item = precomputes[offset];
+                acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
             }
-            assert0(n);
-            return acc;
-        },
-        getPrecomputes(W, P, transform) {
-            // Calculate precomputes on a first run, reuse them after
-            let comp = pointPrecomputes.get(P);
-            if (!comp) {
-                comp = this.precomputeWindow(P, W);
-                if (W !== 1) {
-                    // Doing transform outside of if brings 15% perf hit
-                    if (typeof transform === 'function')
-                        comp = transform(comp);
-                    pointPrecomputes.set(P, comp);
-                }
+        }
+        assert0(n);
+        return acc;
+    }
+    getPrecomputes(W, point, transform) {
+        // Calculate precomputes on a first run, reuse them after
+        let comp = pointPrecomputes.get(point);
+        if (!comp) {
+            comp = this.precomputeWindow(point, W);
+            if (W !== 1) {
+                // Doing transform outside of if brings 15% perf hit
+                if (typeof transform === 'function')
+                    comp = transform(comp);
+                pointPrecomputes.set(point, comp);
             }
-            return comp;
-        },
-        wNAFCached(P, n, transform) {
-            const W = getW(P);
-            return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
-        },
-        wNAFCachedUnsafe(P, n, transform, prev) {
-            const W = getW(P);
-            if (W === 1)
-                return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
-            return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
-        },
-        // We calculate precomputes for elliptic curve point multiplication
-        // using windowed method. This specifies window size and
-        // stores precomputed values. Usually only base point would be precomputed.
-        setWindowSize(P, W) {
-            validateW(W, bits);
-            pointWindowSizes.set(P, W);
-            pointPrecomputes.delete(P);
-        },
-    };
+        }
+        return comp;
+    }
+    cached(point, scalar, transform) {
+        const W = getW(point);
+        return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
+    }
+    unsafe(point, scalar, transform, prev) {
+        const W = getW(point);
+        if (W === 1)
+            return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
+        return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
+    }
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    createCache(P, W) {
+        validateW(W, this.bits);
+        pointWindowSizes.set(P, W);
+        pointPrecomputes.delete(P);
+    }
+    hasCache(elm) {
+        return getW(elm) !== 1;
+    }
 }
 /**
  * Endomorphism-specific multiplication for Koblitz curves.
  * Cost: 128 dbl, 0-256 adds.
  */
-export function mulEndoUnsafe(c, point, k1, k2) {
+export function mulEndoUnsafe(Point, point, k1, k2) {
     let acc = point;
-    let p1 = c.ZERO;
-    let p2 = c.ZERO;
+    let p1 = Point.ZERO;
+    let p2 = Point.ZERO;
     while (k1 > _0n || k2 > _0n) {
         if (k1 & _1n)
             p1 = p1.add(acc);
@@ -279,7 +280,7 @@ export function mulEndoUnsafe(c, point, k1, k2) {
  * @param c Curve Point constructor
  * @param fieldN field over CURVE.N - important that it's not over CURVE.P
  * @param points array of L curve points
- * @param scalars array of L scalars (aka private keys / bigints)
+ * @param scalars array of L scalars (aka secret keys / bigints)
  */
 export function pippenger(c, fieldN, points, scalars) {
     // If we split scalars by some window (let's say 8 bits), every chunk will only