@noble/curves 1.9.2 → 1.9.3

package/src/nist.ts

@@ -7,8 +7,12 @@
 import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
 import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
 import { createHasher, type H2CHasher } from './abstract/hash-to-curve.ts';
-import { Field, type IField } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU, type WeierstrassOpts } from './abstract/weierstrass.ts';
+import { Field } from './abstract/modular.ts';
+import {
+  mapToCurveSimpleSWU,
+  type WeierstrassOpts,
+  type WeierstrassPointCons,
+} from './abstract/weierstrass.ts';
 
 // p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
 // a = Fp256.create(BigInt('-3'));
@@ -76,8 +80,8 @@ type SwuOpts = {
   B: bigint;
   Z: bigint;
 };
-function createSWU(field: IField<bigint>, opts: SwuOpts) {
-  const map = mapToCurveSimpleSWU(field, opts);
+function createSWU(Point: WeierstrassPointCons<bigint>, opts: SwuOpts) {
+  const map = mapToCurveSimpleSWU(Point.Fp, opts);
   return (scalars: bigint[]) => map(scalars[0]);
 }
 
@@ -86,16 +90,14 @@ export const p256: CurveFnWithCreate = createCurve(
   { ...p256_CURVE, Fp: Fp256, lowS: false },
   sha256
 );
-/** Alias to p256. */
-export const secp256r1: CurveFnWithCreate = p256;
 /** Hashing / encoding to p256 points / field. RFC 9380 methods. */
 export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   return createHasher(
     p256.Point,
-    createSWU(Fp256, {
+    createSWU(p256.Point, {
       A: p256_CURVE.a,
       B: p256_CURVE.b,
-      Z: Fp256.create(BigInt('-10')),
+      Z: p256.Point.Fp.create(BigInt('-10')),
     }),
     {
       DST: 'P256_XMD:SHA-256_SSWU_RO_',
@@ -109,21 +111,27 @@ export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   );
 })();
 
+// export const p256_oprf: OPRF = createORPF({
+//   name: 'P256-SHA256',
+//   Point: p256.Point,
+//   hash: sha256,
+//   hashToGroup: p256_hasher.hashToCurve,
+//   hashToScalar: p256_hasher.hashToScalar,
+// });
+
 /** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
 export const p384: CurveFnWithCreate = createCurve(
   { ...p384_CURVE, Fp: Fp384, lowS: false },
   sha384
 );
-/** Alias to p384. */
-export const secp384r1: CurveFnWithCreate = p384;
 /** Hashing / encoding to p384 points / field. RFC 9380 methods. */
 export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   return createHasher(
     p384.Point,
-    createSWU(Fp384, {
+    createSWU(p384.Point, {
       A: p384_CURVE.a,
       B: p384_CURVE.b,
-      Z: Fp384.create(BigInt('-12')),
+      Z: p384.Point.Fp.create(BigInt('-12')),
     }),
     {
       DST: 'P384_XMD:SHA-384_SSWU_RO_',
@@ -137,21 +145,29 @@ export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   );
 })();
 
+// export const p384_oprf: OPRF = createORPF({
+//   name: 'P384-SHA384',
+//   Point: p384.Point,
+//   hash: sha384,
+//   hashToGroup: p384_hasher.hashToCurve,
+//   hashToScalar: p384_hasher.hashToScalar,
+// });
+
+// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
 /** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
 export const p521: CurveFnWithCreate = createCurve(
   { ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] },
   sha512
 );
-/** Alias to p521. */
-export const secp521r1: CurveFnWithCreate = p521;
+
 /** Hashing / encoding to p521 points / field. RFC 9380 methods. */
 export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   return createHasher(
     p521.Point,
-    createSWU(Fp521, {
+    createSWU(p521.Point, {
       A: p521_CURVE.a,
       B: p521_CURVE.b,
-      Z: Fp521.create(BigInt('-4')),
+      Z: p521.Point.Fp.create(BigInt('-4')),
     }),
     {
       DST: 'P521_XMD:SHA-512_SSWU_RO_',
@@ -164,3 +180,11 @@ export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
     }
   );
 })();
+
+// export const p521_oprf: OPRF = createORPF({
+//   name: 'P521-SHA512',
+//   Point: p521.Point,
+//   hash: sha512,
+//   hashToGroup: p521_hasher.hashToCurve,
+//   hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
+// });

package/src/p256.ts

@@ -5,7 +5,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p256_hasher, p256 as p256n } from './nist.ts';
+/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
 export const p256: typeof p256n = p256n;
+/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
 export const secp256r1: typeof p256n = p256n;
+/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
 export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
+/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
 export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

package/src/p384.ts

@@ -5,9 +5,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p384_hasher, p384 as p384n } from './nist.ts';
+/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
 export const p384: typeof p384n = p384n;
+/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
 export const secp384r1: typeof p384n = p384n;
+/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
 export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
+/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
 export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
-
-/** @deprecated Use `import { p384_hasher } from "@noble/curves/nist"` module. */

package/src/p521.ts

@@ -5,7 +5,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p521_hasher, p521 as p521n } from './nist.ts';
+/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
 export const p521: typeof p521n = p521n;
+/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
 export const secp521r1: typeof p521n = p521n;
+/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
 export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
+/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
 export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();

package/src/secp256k1.ts

@@ -9,18 +9,21 @@
 import { sha256 } from '@noble/hashes/sha2.js';
 import { randomBytes } from '@noble/hashes/utils.js';
 import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import type { CurveInfo } from './abstract/curve.ts';
 import {
   createHasher,
   type H2CHasher,
   type H2CMethod,
   isogenyMap,
 } from './abstract/hash-to-curve.ts';
-import { Field, mod, pow2 } from './abstract/modular.ts';
+import { Field, mapHashToField, mod, pow2 } from './abstract/modular.ts';
 import {
+  _normFnElement,
   type EndomorphismOpts,
   mapToCurveSimpleSWU,
-  type ProjPointType as PointType,
+  type WeierstrassPoint as PointType,
   type WeierstrassOpts,
+  type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
 import type { Hex, PrivKey } from './utils.ts';
 import {
@@ -44,10 +47,18 @@ const secp256k1_CURVE: WeierstrassOpts<bigint> = {
   Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
   Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
 };
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
+
+const secp256k1_ENDO: EndomorphismOpts = {
+  beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+  basises: [
+    [BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')],
+    [BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')],
+  ],
+};
+
+const _0n = /* @__PURE__ */ BigInt(0);
+const _1n = /* @__PURE__ */ BigInt(1);
+const _2n = /* @__PURE__ */ BigInt(2);
 
 /**
  * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
@@ -87,44 +98,14 @@ const Fpk1 = Field(secp256k1_CURVE.p, undefined, undefined, { sqrt: sqrtMod });
  * @example
  * ```js
  * import { secp256k1 } from '@noble/curves/secp256k1';
- * const priv = secp256k1.utils.randomPrivateKey();
- * const pub = secp256k1.getPublicKey(priv);
- * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
- * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
- * const isValid = secp256k1.verify(sig, msg, pub) === true;
+ * const { secretKey, publicKey } = secp256k1.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = secp256k1.sign(msg, secretKey);
+ * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
  * ```
  */
 export const secp256k1: CurveFnWithCreate = createCurve(
-  {
-    ...secp256k1_CURVE,
-    Fp: Fpk1,
-    lowS: true, // Allow only low-S signatures by default in sign() and verify()
-    endo: {
-      // Endomorphism, see above
-      beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
-      splitScalar: (k: bigint) => {
-        const n = secp256k1_CURVE.n;
-        const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
-        const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
-        const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
-        const b2 = a1;
-        const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
-
-        const c1 = divNearest(b2 * k, n);
-        const c2 = divNearest(-b1 * k, n);
-        let k1 = mod(k - c1 * a1 - c2 * a2, n);
-        let k2 = mod(-c1 * b1 - c2 * b2, n);
-        const k1neg = k1 > POW_2_128;
-        const k2neg = k2 > POW_2_128;
-        if (k1neg) k1 = n - k1;
-        if (k2neg) k2 = n - k2;
-        if (k1 > POW_2_128 || k2 > POW_2_128) {
-          throw new Error('splitScalar: Endomorphism failed, k=' + k);
-        }
-        return { k1neg, k1, k2neg, k2 };
-      },
-    } satisfies EndomorphismOpts,
-  },
+  { ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO },
   sha256
 );
 
@@ -152,10 +133,11 @@ const hasEven = (y: bigint) => y % _2n === _0n;
 
 // Calculate point, scalar and bytes
 function schnorrGetExtPubKey(priv: PrivKey) {
-  let d_ = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey
-  let p = Point.fromPrivateKey(d_); // P = d'⋅G; 0 < d' < n check is done inside
+  // TODO: replace with Point.Fn.fromBytes(priv)
+  let d_ = _normFnElement(Point.Fn, priv);
+  let p = Point.BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
   const scalar = hasEven(p.y) ? d_ : modN(-d_);
-  return { scalar: scalar, bytes: pointToBytes(p) };
+  return { scalar, bytes: pointToBytes(p) };
 }
 /**
  * lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
@@ -182,21 +164,17 @@ function challenge(...args: Uint8Array[]): bigint {
 /**
  * Schnorr public key is just `x` coordinate of Point as per BIP340.
  */
-function schnorrGetPublicKey(privateKey: Hex): Uint8Array {
-  return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
+function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
+  return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
 
 /**
  * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
  * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
  */
-function schnorrSign(
-  message: Hex,
-  privateKey: PrivKey,
-  auxRand: Hex = randomBytes(32)
-): Uint8Array {
+function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomBytes(32)): Uint8Array {
   const m = ensureBytes('message', message);
-  const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder
+  const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
   const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
   const t = numTo32b(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
   const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
@@ -239,18 +217,27 @@ function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
 }
 
 export type SecpSchnorr = {
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
   getPublicKey: typeof schnorrGetPublicKey;
   sign: typeof schnorrSign;
   verify: typeof schnorrVerify;
+  Point: WeierstrassPointCons<bigint>;
   utils: {
-    randomPrivateKey: () => Uint8Array;
-    lift_x: typeof lift_x;
+    randomSecretKey: (seed?: Uint8Array) => Uint8Array;
     pointToBytes: (point: PointType<bigint>) => Uint8Array;
+    lift_x: typeof lift_x;
+    taggedHash: typeof taggedHash;
+
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
+    /** @deprecated use `utils` */
     numberToBytesBE: typeof numberToBytesBE;
+    /** @deprecated use `utils` */
     bytesToNumberBE: typeof bytesToNumberBE;
-    taggedHash: typeof taggedHash;
+    /** @deprecated use `modular` */
     mod: typeof mod;
   };
+  info: { type: 'weierstrass'; publicKeyHasPrefix: false; lengths: CurveInfo['lengths'] };
 };
 /**
  * Schnorr signatures over secp256k1.
@@ -258,27 +245,55 @@ export type SecpSchnorr = {
  * @example
  * ```js
  * import { schnorr } from '@noble/curves/secp256k1';
- * const priv = schnorr.utils.randomPrivateKey();
- * const pub = schnorr.getPublicKey(priv);
+ * const { secretKey, publicKey } = schnorr.keygen();
+ * // const publicKey = schnorr.getPublicKey(secretKey);
  * const msg = new TextEncoder().encode('hello');
- * const sig = schnorr.sign(msg, priv);
- * const isValid = schnorr.verify(sig, msg, pub);
+ * const sig = schnorr.sign(msg, secretKey);
+ * const isValid = schnorr.verify(sig, msg, publicKey);
  * ```
  */
-export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => ({
-  getPublicKey: schnorrGetPublicKey,
-  sign: schnorrSign,
-  verify: schnorrVerify,
-  utils: {
-    randomPrivateKey: secp256k1.utils.randomPrivateKey,
-    lift_x,
-    pointToBytes,
-    numberToBytesBE,
-    bytesToNumberBE,
-    taggedHash,
-    mod,
-  },
-}))();
+export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
+  const size = 32;
+  const seedLength = 48;
+  const randomSecretKey = (seed = randomBytes(seedLength)): Uint8Array => {
+    return mapHashToField(seed, secp256k1_CURVE.n);
+  };
+  // TODO: remove
+  secp256k1.utils.randomSecretKey;
+  function keygen(seed?: Uint8Array) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
+  }
+  return {
+    keygen,
+    getPublicKey: schnorrGetPublicKey,
+    sign: schnorrSign,
+    verify: schnorrVerify,
+    Point,
+    utils: {
+      randomSecretKey: randomSecretKey,
+      randomPrivateKey: randomSecretKey,
+      taggedHash,
+
+      // TODO: remove
+      lift_x,
+      pointToBytes,
+      numberToBytesBE,
+      bytesToNumberBE,
+      mod,
+    },
+    info: {
+      type: 'weierstrass',
+      publicKeyHasPrefix: false,
+      lengths: {
+        secret: size,
+        public: size,
+        signature: size * 2,
+        seed: seedLength,
+      },
+    },
+  };
+})();
 
 const isoMap = /* @__PURE__ */ (() =>
   isogenyMap(
@@ -319,6 +334,7 @@ const mapSWU = /* @__PURE__ */ (() =>
     B: BigInt('1771'),
     Z: Fpk1.create(BigInt('-11')),
   }))();
+
 /** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
 export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
@@ -338,8 +354,10 @@ export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
     }
   ))();
 
+/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
 export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   secp256k1_hasher.hashToCurve)();
 
+/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
 export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   secp256k1_hasher.encodeToCurve)();

package/src/utils.ts

@@ -72,7 +72,7 @@ export function numberToVarBytesBE(n: number | bigint): Uint8Array {
  * Takes hex string or Uint8Array, converts to Uint8Array.
  * Validates output length.
  * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'private key'
+ * @param title descriptive title for an error e.g. 'secret key'
  * @param hex hex string or Uint8Array
  * @param expectedLength optional, will compare to result array's length
  * @returns

package/utils.d.ts

@@ -22,7 +22,7 @@ export declare function numberToVarBytesBE(n: number | bigint): Uint8Array;
  * Takes hex string or Uint8Array, converts to Uint8Array.
  * Validates output length.
  * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'private key'
+ * @param title descriptive title for an error e.g. 'secret key'
  * @param hex hex string or Uint8Array
  * @param expectedLength optional, will compare to result array's length
  * @returns

package/utils.js

@@ -75,7 +75,7 @@ function numberToVarBytesBE(n) {
  * Takes hex string or Uint8Array, converts to Uint8Array.
  * Validates output length.
  * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'private key'
+ * @param title descriptive title for an error e.g. 'secret key'
  * @param hex hex string or Uint8Array
  * @param expectedLength optional, will compare to result array's length
  * @returns