@protontech/openpgp 6.0.0-beta.0.patch.0 → 6.0.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/README.md +2 -2
  2. package/dist/lightweight/argon2id.min.mjs +2 -2
  3. package/dist/lightweight/argon2id.min.mjs.map +1 -1
  4. package/dist/lightweight/argon2id.mjs +5 -28
  5. package/dist/lightweight/legacy_ciphers.min.mjs +2 -2
  6. package/dist/lightweight/legacy_ciphers.min.mjs.map +1 -1
  7. package/dist/lightweight/legacy_ciphers.mjs +6 -51
  8. package/dist/lightweight/noble_curves.min.mjs +11 -11
  9. package/dist/lightweight/noble_curves.min.mjs.map +1 -1
  10. package/dist/lightweight/noble_curves.mjs +477 -465
  11. package/dist/lightweight/noble_hashes.min.mjs +2 -2
  12. package/dist/lightweight/noble_hashes.min.mjs.map +1 -1
  13. package/dist/lightweight/noble_hashes.mjs +19 -31
  14. package/dist/lightweight/openpgp.min.mjs +3 -2
  15. package/dist/lightweight/openpgp.min.mjs.map +1 -1
  16. package/dist/lightweight/openpgp.mjs +1529 -552
  17. package/dist/lightweight/sha3.min.mjs +3 -3
  18. package/dist/lightweight/sha3.min.mjs.map +1 -1
  19. package/dist/lightweight/sha3.mjs +80 -80
  20. package/dist/node/openpgp.cjs +2199 -5545
  21. package/dist/node/openpgp.min.cjs +12 -12
  22. package/dist/node/openpgp.min.cjs.map +1 -1
  23. package/dist/node/openpgp.min.mjs +12 -12
  24. package/dist/node/openpgp.min.mjs.map +1 -1
  25. package/dist/node/openpgp.mjs +2198 -5545
  26. package/dist/openpgp.js +2188 -5542
  27. package/dist/openpgp.min.js +12 -12
  28. package/dist/openpgp.min.js.map +1 -1
  29. package/dist/openpgp.min.mjs +12 -12
  30. package/dist/openpgp.min.mjs.map +1 -1
  31. package/dist/openpgp.mjs +2188 -5542
  32. package/openpgp.d.ts +69 -61
  33. package/package.json +20 -13
  34. package/dist/lightweight/bn.interface.min.mjs +0 -3
  35. package/dist/lightweight/bn.interface.min.mjs.map +0 -1
  36. package/dist/lightweight/bn.interface.mjs +0 -3807
  37. package/dist/lightweight/interface.min.mjs +0 -3
  38. package/dist/lightweight/interface.min.mjs.map +0 -1
  39. package/dist/lightweight/interface.mjs +0 -16
  40. package/dist/lightweight/native.interface.min.mjs +0 -3
  41. package/dist/lightweight/native.interface.min.mjs.map +0 -1
  42. package/dist/lightweight/native.interface.mjs +0 -456
package/dist/lightweight/noble_curves.mjs CHANGED
@@ -1,10 +1,7 @@
1
- /*! OpenPGP.js v6.0.0-beta.0.patch.0 - 2024-04-19 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
1
+ /*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
2
2
  const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
3
3
 
4
4
  import { H as Hash, h as hash, t as toBytes, e as exists, b as bytes, c as concatBytes$1, r as randomBytes, s as sha256, a as sha384, d as sha512, w as wrapConstructor, u as utf8ToBytes$1, f as shake256 } from './sha3.mjs';
5
- import { B as BigInteger } from './interface.mjs';
6
- import './native.interface.mjs';
7
- import './bn.interface.mjs';
8
5
 
9
6
  // HMAC (RFC 2104)
10
7
  class HMAC extends Hash {
@@ -81,25 +78,29 @@ class HMAC extends Hash {
81
78
  const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
82
79
  hmac.create = (hash, key) => new HMAC(hash, key);
83
80
 
84
- // TODOOOOOO use noble-hashes utils instead
85
81
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
86
82
  // 100 lines of code in the file are duplicated from noble-hashes (utils).
87
83
  // This is OK: `abstract` directory does not use noble-hashes.
88
84
  // User may opt-in into using different hashing library. This way, noble-hashes
89
85
  // won't be included into their bundle.
90
- const _2n$5 = Object.freeze(BigInteger.new(2));
86
+ const _0n$5 = BigInt(0);
87
+ const _1n$7 = BigInt(1);
88
+ const _2n$4 = BigInt(2);
91
89
  function isBytes(a) {
92
90
  return (a instanceof Uint8Array ||
93
91
  (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
94
92
  }
93
+ function abytes(item) {
94
+ if (!isBytes(item))
95
+ throw new Error('Uint8Array expected');
96
+ }
95
97
  // Array where index 0xf0 (240) is mapped to string 'f0'
96
98
  const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
97
99
  /**
98
100
  * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
99
101
  */
100
102
  function bytesToHex(bytes) {
101
- if (!isBytes(bytes))
102
- throw new Error('Uint8Array expected');
103
+ abytes(bytes);
103
104
  // pre-caching improves the speed 6x
104
105
  let hex = '';
105
106
  for (let i = 0; i < bytes.length; i++) {
@@ -108,14 +109,14 @@ function bytesToHex(bytes) {
108
109
  return hex;
109
110
  }
110
111
  function numberToHexUnpadded(num) {
111
- const hex = num instanceof BigInteger ? bytesToHex(num.toUint8Array()) : num.toString(16);
112
+ const hex = num.toString(16);
112
113
  return hex.length & 1 ? `0${hex}` : hex;
113
114
  }
114
115
  function hexToNumber(hex) {
115
116
  if (typeof hex !== 'string')
116
117
  throw new Error('hex string expected, got ' + typeof hex);
117
118
  // Big Endian
118
- return BigInteger.new(hex === '' ? '0' : `0x${hex}`);
119
+ return BigInt(hex === '' ? '0' : `0x${hex}`);
119
120
  }
120
121
  // We use optimized technique to convert hex string to byte array
121
122
  const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 };
@@ -152,20 +153,19 @@ function hexToBytes(hex) {
152
153
  }
153
154
  // BE: Big Endian, LE: Little Endian
154
155
  function bytesToNumberBE(bytes) {
155
- return BigInteger.new(bytes);
156
+ return hexToNumber(bytesToHex(bytes));
156
157
  }
157
158
  function bytesToNumberLE(bytes) {
158
- if (!isBytes(bytes))
159
- throw new Error('Uint8Array expected');
160
- return BigInteger.new(bytes.slice().reverse()); // reverse() is in place
159
+ abytes(bytes);
160
+ return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
161
161
  }
162
162
  function numberToBytesBE(n, len) {
163
- return n.toUint8Array('be', len);
163
+ return hexToBytes(n.toString(16).padStart(len * 2, '0'));
164
164
  }
165
165
  function numberToBytesLE(n, len) {
166
- return n.toUint8Array('le', len);
166
+ return numberToBytesBE(n, len).reverse();
167
167
  }
168
- // Returns variable number bytes (minimal bigint encoding?)
168
+ // Unpadded, rarely used
169
169
  function numberToVarBytesBE(n) {
170
170
  return hexToBytes(numberToHexUnpadded(n));
171
171
  }
@@ -191,7 +191,7 @@ function ensureBytes(title, hex, expectedLength) {
191
191
  else if (isBytes(hex)) {
192
192
  // Uint8Array.from() instead of hash.slice() because node.js Buffer
193
193
  // is instance of Uint8Array, and its slice() creates **mutable** copy
194
- res = new Uint8Array(hex);
194
+ res = Uint8Array.from(hex);
195
195
  }
196
196
  else {
197
197
  throw new Error(`${title} must be hex string or Uint8Array`);
@@ -208,13 +208,11 @@ function concatBytes(...arrays) {
208
208
  let sum = 0;
209
209
  for (let i = 0; i < arrays.length; i++) {
210
210
  const a = arrays[i];
211
- if (!isBytes(a))
212
- throw new Error('Uint8Array expected');
211
+ abytes(a);
213
212
  sum += a.length;
214
213
  }
215
- let res = new Uint8Array(sum);
216
- let pad = 0;
217
- for (let i = 0; i < arrays.length; i++) {
214
+ const res = new Uint8Array(sum);
215
+ for (let i = 0, pad = 0; i < arrays.length; i++) {
218
216
  const a = arrays[i];
219
217
  res.set(a, pad);
220
218
  pad += a.length;
@@ -244,27 +242,30 @@ function utf8ToBytes(str) {
244
242
  * Same as `n.toString(2).length`
245
243
  */
246
244
  function bitLen(n) {
247
- return n.bitLength();
245
+ let len;
246
+ for (len = 0; n > _0n$5; n >>= _1n$7, len += 1)
247
+ ;
248
+ return len;
248
249
  }
249
250
  /**
250
251
  * Gets single bit at position.
251
252
  * NOTE: first bit position is 0 (same as arrays)
252
253
  * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
253
254
  */
254
- const bitGet = (n, pos) => n.getBit(pos);
255
+ function bitGet(n, pos) {
256
+ return (n >> BigInt(pos)) & _1n$7;
257
+ }
255
258
  /**
256
259
  * Sets single bit at position.
257
260
  */
258
- // @ts-ignore unused params
259
- const bitSet = (n, pos, value) => {
260
- throw new Error('unsupported bitSet');
261
- // return n | ((value ? _1n : _0n) << BigInt(pos));
262
- };
261
+ function bitSet(n, pos, value) {
262
+ return n | ((value ? _1n$7 : _0n$5) << BigInt(pos));
263
+ }
263
264
  /**
264
265
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
265
266
  * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
266
267
  */
267
- const bitMask = (n) => (_2n$5.leftShift(BigInteger.new(n - 1))).idec();
268
+ const bitMask = (n) => (_2n$4 << BigInt(n - 1)) - _1n$7;
268
269
  // DRBG
269
270
  const u8n = (data) => new Uint8Array(data); // creates Uint8Array
270
271
  const u8fr = (arr) => Uint8Array.from(arr); // another shortcut
@@ -328,7 +329,7 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
328
329
  }
329
330
  // Validating curves and fields
330
331
  const validatorFns = {
331
- BigInteger: (val) => val instanceof BigInteger,
332
+ bigint: (val) => typeof val === 'bigint',
332
333
  function: (val) => typeof val === 'function',
333
334
  boolean: (val) => typeof val === 'boolean',
334
335
  string: (val) => typeof val === 'string',
@@ -342,9 +343,8 @@ const validatorFns = {
342
343
  function validateObject(object, validators, optValidators = {}) {
343
344
  const checkField = (fieldName, type, isOptional) => {
344
345
  const checkVal = validatorFns[type];
345
- if (typeof checkVal !== 'function') {
346
+ if (typeof checkVal !== 'function')
346
347
  throw new Error(`Invalid validator "${type}", expected function`);
347
- }
348
348
  const val = object[fieldName];
349
349
  if (isOptional && val === undefined)
350
350
  return;
@@ -369,6 +369,7 @@ function validateObject(object, validators, optValidators = {}) {
369
369
 
370
370
  var ut = /*#__PURE__*/Object.freeze({
371
371
  __proto__: null,
372
+ abytes: abytes,
372
373
  bitGet: bitGet,
373
374
  bitLen: bitLen,
374
375
  bitMask: bitMask,
@@ -393,18 +394,16 @@ var ut = /*#__PURE__*/Object.freeze({
393
394
 
394
395
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
395
396
  // Utilities for modular arithmetics and finite fields
396
- const _0n$4 = Object.freeze(BigInteger.new(0));
397
- const _1n$6 = Object.freeze(BigInteger.new(1));
398
- const _2n$4 = Object.freeze(BigInteger.new(2));
399
- const _3n$3 = Object.freeze(BigInteger.new(3));
400
- const _4n = Object.freeze(BigInteger.new(4));
401
- const _5n = Object.freeze(BigInteger.new(5));
402
- const _8n$1 = Object.freeze(BigInteger.new(8));
403
- const _9n = Object.freeze(BigInteger.new(9));
404
- const _16n = Object.freeze(BigInteger.new(16));
397
+ // prettier-ignore
398
+ const _0n$4 = BigInt(0), _1n$6 = BigInt(1), _2n$3 = BigInt(2), _3n$2 = BigInt(3);
399
+ // prettier-ignore
400
+ const _4n = BigInt(4), _5n = BigInt(5), _8n$1 = BigInt(8);
401
+ // prettier-ignore
402
+ BigInt(9); BigInt(16);
405
403
  // Calculates a modulo b
406
404
  function mod(a, b) {
407
- return a.mod(b);
405
+ const result = a % b;
406
+ return result >= _0n$4 ? result : b + result;
408
407
  }
409
408
  /**
410
409
  * Efficiently raise num to power and do modular division.
@@ -414,29 +413,51 @@ function mod(a, b) {
414
413
  */
415
414
  // TODO: use field version && remove
416
415
  function pow(num, power, modulo) {
417
- // if (modulo <= _0n || power < _0n) throw new Error('Expected power/modulo > 0');
418
- // if (modulo === _1n) return _0n;
419
- // let res = _1n;
420
- // while (power > _0n) {
421
- // if (power & _1n) res = (res * num) % modulo;
422
- // num = (num * num) % modulo;
423
- // power >>= _1n;
424
- // }
425
- return num.modExp(power, modulo);
416
+ if (modulo <= _0n$4 || power < _0n$4)
417
+ throw new Error('Expected power/modulo > 0');
418
+ if (modulo === _1n$6)
419
+ return _0n$4;
420
+ let res = _1n$6;
421
+ while (power > _0n$4) {
422
+ if (power & _1n$6)
423
+ res = (res * num) % modulo;
424
+ num = (num * num) % modulo;
425
+ power >>= _1n$6;
426
+ }
427
+ return res;
426
428
  }
427
429
  // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
428
430
  function pow2(x, power, modulo) {
429
- // let res = x;
430
- // while (power-- > _0n) {
431
- // res *= res;
432
- // res %= modulo;
433
- // }
434
- // return res;
435
- return x.modExp(_2n$4.leftShift(power.dec()), modulo);
431
+ let res = x;
432
+ while (power-- > _0n$4) {
433
+ res *= res;
434
+ res %= modulo;
435
+ }
436
+ return res;
436
437
  }
437
438
  // Inverses number over modulo
438
439
  function invert(number, modulo) {
439
- return number.modInv(modulo);
440
+ if (number === _0n$4 || modulo <= _0n$4) {
441
+ throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
442
+ }
443
+ // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
444
+ // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
445
+ let a = mod(number, modulo);
446
+ let b = modulo;
447
+ // prettier-ignore
448
+ let x = _0n$4, u = _1n$6;
449
+ while (a !== _0n$4) {
450
+ // JIT applies optimization if those two lines follow each other
451
+ const q = b / a;
452
+ const r = b % a;
453
+ const m = x - u * q;
454
+ // prettier-ignore
455
+ b = a, a = r, x = u, u = m;
456
+ }
457
+ const gcd = b;
458
+ if (gcd !== _1n$6)
459
+ throw new Error('invert: does not exist');
460
+ return mod(x, modulo);
440
461
  }
441
462
  /**
442
463
  * Tonelli-Shanks square root search algorithm.
@@ -452,24 +473,18 @@ function tonelliShanks(P) {
452
473
  // (a | p) ≡ 1 if a is a square (mod p)
453
474
  // (a | p) ≡ -1 if a is not a square (mod p)
454
475
  // (a | p) ≡ 0 if a ≡ 0 (mod p)
455
- const legendreC = P.dec().rightShift(_1n$6);
456
- let Q = P.dec();
457
- let S = BigInteger.new(0);
476
+ const legendreC = (P - _1n$6) / _2n$3;
477
+ let Q, S, Z;
458
478
  // Step 1: By factoring out powers of 2 from p - 1,
459
479
  // find q and s such that p - 1 = q*(2^s) with q odd
460
- while (Q.isEven()) {
461
- Q.irightShift(_1n$6);
462
- S.iinc();
463
- }
464
- let Z = BigInteger.new(2);
465
- const Pminus1 = P.dec();
480
+ for (Q = P - _1n$6, S = 0; Q % _2n$3 === _0n$4; Q /= _2n$3, S++)
481
+ ;
466
482
  // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
467
- while (Z.lt(P) && !pow(Z, legendreC, P).equal(Pminus1)) {
468
- Z.iinc();
469
- }
483
+ for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$6; Z++)
484
+ ;
470
485
  // Fast-path
471
- if (S.isOne()) {
472
- const p1div4 = P.inc().irightShift(_2n$4);
486
+ if (S === 1) {
487
+ const p1div4 = (P + _1n$6) / _4n;
473
488
  return function tonelliFast(Fp, n) {
474
489
  const root = Fp.pow(n, p1div4);
475
490
  if (!Fp.eql(Fp.sqr(root), n))
@@ -478,10 +493,10 @@ function tonelliShanks(P) {
478
493
  };
479
494
  }
480
495
  // Slow-path
481
- const Q1div2 = Q.inc().irightShift(_1n$6);
496
+ const Q1div2 = (Q + _1n$6) / _2n$3;
482
497
  return function tonelliSlow(Fp, n) {
483
498
  // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
484
- if (Fp.eql(Fp.pow(n, legendreC), Fp.neg(Fp.ONE)))
499
+ if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
485
500
  throw new Error('Cannot find square root');
486
501
  let r = S;
487
502
  // TODO: will fail at Fp2/etc
@@ -492,14 +507,14 @@ function tonelliShanks(P) {
492
507
  if (Fp.eql(b, Fp.ZERO))
493
508
  return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
494
509
  // Find m such b^(2^m)==1
495
- let m = BigInteger.new(1);
496
- for (let t2 = Fp.sqr(b); m.lt(r); m.iinc()) {
510
+ let m = 1;
511
+ for (let t2 = Fp.sqr(b); m < r; m++) {
497
512
  if (Fp.eql(t2, Fp.ONE))
498
513
  break;
499
514
  t2 = Fp.sqr(t2); // t2 *= t2
500
515
  }
501
516
  // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
502
- const ge = Fp.pow(g, _1n$6.leftShift(r.sub(m).idec())); // ge = 2^(r-m-1)
517
+ const ge = Fp.pow(g, _1n$6 << BigInt(r - m - 1)); // ge = 2^(r-m-1)
503
518
  g = Fp.sqr(ge); // g = ge * ge
504
519
  x = Fp.mul(x, ge); // x *= ge
505
520
  b = Fp.mul(b, g); // b *= g
@@ -513,12 +528,12 @@ function FpSqrt(P) {
513
528
  // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
514
529
  // P ≡ 3 (mod 4)
515
530
  // √n = n^((P+1)/4)
516
- if (P.mod(_4n).equal(_3n$3)) {
531
+ if (P % _4n === _3n$2) {
517
532
  // Not all roots possible!
518
533
  // const ORDER =
519
534
  // 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
520
535
  // const NUM = 72057594037927816n;
521
- const p1div4 = P.add(_1n$6).irightShift(_2n$4); // .idiv(_4n);
536
+ const p1div4 = (P + _1n$6) / _4n;
522
537
  return function sqrt3mod4(Fp, n) {
523
538
  const root = Fp.pow(n, p1div4);
524
539
  // Throw if root**2 != n
@@ -528,21 +543,19 @@ function FpSqrt(P) {
528
543
  };
529
544
  }
530
545
  // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
531
- if (P.mod(_8n$1).equal(_5n)) {
532
- const c1 = P.sub(_5n).irightShift(_3n$3);
546
+ if (P % _8n$1 === _5n) {
547
+ const c1 = (P - _5n) / _8n$1;
533
548
  return function sqrt5mod8(Fp, n) {
534
- const n2 = Fp.mul(n, _2n$4);
549
+ const n2 = Fp.mul(n, _2n$3);
535
550
  const v = Fp.pow(n2, c1);
536
551
  const nv = Fp.mul(n, v);
537
- const i = Fp.mul(Fp.mul(nv, _2n$4), v);
552
+ const i = Fp.mul(Fp.mul(nv, _2n$3), v);
538
553
  const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
539
554
  if (!Fp.eql(Fp.sqr(root), n))
540
555
  throw new Error('Cannot find square root');
541
556
  return root;
542
557
  };
543
558
  }
544
- // P ≡ 9 (mod 16)
545
- if (P.mod(_16n).equal(_9n)) ;
546
559
  // Other cases: Tonelli-Shanks algorithm
547
560
  return tonelliShanks(P);
548
561
  }
@@ -554,8 +567,8 @@ const FIELD_FIELDS = [
554
567
  ];
555
568
  function validateField(field) {
556
569
  const initial = {
557
- ORDER: 'BigInteger',
558
- MASK: 'BigInteger',
570
+ ORDER: 'bigint',
571
+ MASK: 'bigint',
559
572
  BYTES: 'isSafeInteger',
560
573
  BITS: 'isSafeInteger',
561
574
  };
@@ -573,19 +586,19 @@ function validateField(field) {
573
586
  function FpPow(f, num, power) {
574
587
  // Should have same speed as pow for bigints
575
588
  // TODO: benchmark!
576
- if (power.isNegative())
589
+ if (power < _0n$4)
577
590
  throw new Error('Expected power > 0');
578
- if (power.isZero())
591
+ if (power === _0n$4)
579
592
  return f.ONE;
580
- if (power.isOne())
593
+ if (power === _1n$6)
581
594
  return num;
582
595
  let p = f.ONE;
583
596
  let d = num;
584
- while (power.gt(_0n$4)) {
585
- if (!power.isEven())
597
+ while (power > _0n$4) {
598
+ if (power & _1n$6)
586
599
  p = f.mul(p, d);
587
600
  d = f.sqr(d);
588
- power = power.rightShift(_1n$6);
601
+ power >>= _1n$6;
589
602
  }
590
603
  return p;
591
604
  }
@@ -616,7 +629,7 @@ function FpInvertBatch(f, nums) {
616
629
  // CURVE.n lengths
617
630
  function nLength(n, nBitLength) {
618
631
  // Bit size, byte size of CURVE.n
619
- const _nBitLength = nBitLength !== undefined ? nBitLength : n.bitLength();
632
+ const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
620
633
  const nByteLength = Math.ceil(_nBitLength / 8);
621
634
  return { nBitLength: _nBitLength, nByteLength };
622
635
  }
@@ -633,7 +646,7 @@ function nLength(n, nBitLength) {
633
646
  * @param redef optional faster redefinitions of sqrt and other methods
634
647
  */
635
648
  function Field(ORDER, bitLen, isLE = false, redef = {}) {
636
- if (ORDER.lte(_0n$4))
649
+ if (ORDER <= _0n$4)
637
650
  throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
638
651
  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
639
652
  if (BYTES > 2048)
@@ -648,25 +661,25 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
648
661
  ONE: _1n$6,
649
662
  create: (num) => mod(num, ORDER),
650
663
  isValid: (num) => {
651
- if (!(num instanceof BigInteger))
664
+ if (typeof num !== 'bigint')
652
665
  throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
653
- return _0n$4.lte(num) && num.lt(ORDER); // 0 is valid element, but it's not invertible
666
+ return _0n$4 <= num && num < ORDER; // 0 is valid element, but it's not invertible
654
667
  },
655
- is0: (num) => num.isZero(),
656
- isOdd: (num) => !num.isEven(),
657
- neg: (num) => mod(num.negate(), ORDER),
658
- eql: (lhs, rhs) => lhs.equal(rhs),
659
- sqr: (num) => mod(num.mul(num), ORDER),
660
- add: (lhs, rhs) => mod(lhs.add(rhs), ORDER),
661
- sub: (lhs, rhs) => mod(lhs.sub(rhs), ORDER),
662
- mul: (lhs, rhs) => mod(lhs.mul(rhs), ORDER),
668
+ is0: (num) => num === _0n$4,
669
+ isOdd: (num) => (num & _1n$6) === _1n$6,
670
+ neg: (num) => mod(-num, ORDER),
671
+ eql: (lhs, rhs) => lhs === rhs,
672
+ sqr: (num) => mod(num * num, ORDER),
673
+ add: (lhs, rhs) => mod(lhs + rhs, ORDER),
674
+ sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
675
+ mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
663
676
  pow: (num, power) => FpPow(f, num, power),
664
- div: (lhs, rhs) => mod(lhs.mul(invert(rhs, ORDER)), ORDER),
677
+ div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
665
678
  // Same as above, but doesn't normalize
666
- sqrN: (num) => num.mul(num),
667
- addN: (lhs, rhs) => lhs.add(rhs),
668
- subN: (lhs, rhs) => lhs.sub(rhs),
669
- mulN: (lhs, rhs) => lhs.mul(rhs),
679
+ sqrN: (num) => num * num,
680
+ addN: (lhs, rhs) => lhs + rhs,
681
+ subN: (lhs, rhs) => lhs - rhs,
682
+ mulN: (lhs, rhs) => lhs * rhs,
670
683
  inv: (num) => invert(num, ORDER),
671
684
  sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
672
685
  invertBatch: (lst) => FpInvertBatch(f, lst),
@@ -689,9 +702,10 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
689
702
  * @returns byte length of field
690
703
  */
691
704
  function getFieldBytesLength(fieldOrder) {
692
- if (!(fieldOrder instanceof BigInteger))
705
+ if (typeof fieldOrder !== 'bigint')
693
706
  throw new Error('field order must be bigint');
694
- return fieldOrder.byteLength();
707
+ const bitLength = fieldOrder.toString(2).length;
708
+ return Math.ceil(bitLength / 8);
695
709
  }
696
710
  /**
697
711
  * Returns minimal amount of bytes that can be safely reduced
@@ -726,14 +740,14 @@ function mapHashToField(key, fieldOrder, isLE = false) {
726
740
  throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
727
741
  const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
728
742
  // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
729
- const reduced = mod(num, fieldOrder.dec()).inc();
743
+ const reduced = mod(num, fieldOrder - _1n$6) + _1n$6;
730
744
  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
731
745
  }
732
746
 
733
747
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
734
748
  // Abelian group utilities
735
- const _0n$3 = Object.freeze(BigInteger.new(0));
736
- const _1n$5 = Object.freeze(BigInteger.new(1));
749
+ const _0n$3 = BigInt(0);
750
+ const _1n$5 = BigInt(1);
737
751
  // Elliptic curve multiplication of Point by scalar. Fragile.
738
752
  // Scalars should always be less than curve order: this should be checked inside of a curve itself.
739
753
  // Creates precomputation tables for fast multiplication:
@@ -758,15 +772,14 @@ function wNAF(c, bits) {
758
772
  return {
759
773
  constTimeNegate,
760
774
  // non-const time multiplication ladder
761
- unsafeLadder(elm, exp) {
762
- const n = exp.clone();
775
+ unsafeLadder(elm, n) {
763
776
  let p = c.ZERO;
764
777
  let d = elm;
765
- while (n.gt(_0n$3)) {
766
- if (!n.isEven())
778
+ while (n > _0n$3) {
779
+ if (n & _1n$5)
767
780
  p = p.add(d);
768
781
  d = d.double();
769
- n.irightShift(_1n$5);
782
+ n >>= _1n$5;
770
783
  }
771
784
  return p;
772
785
  },
@@ -804,27 +817,26 @@ function wNAF(c, bits) {
804
817
  * @param n scalar (we don't check here, but should be less than curve order)
805
818
  * @returns real and fake (for const-time) points
806
819
  */
807
- wNAF(W, precomputes, scalar) {
808
- const n = scalar.clone();
820
+ wNAF(W, precomputes, n) {
809
821
  // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
810
822
  // But need to carefully remove other checks before wNAF. ORDER == bits here
811
823
  const { windows, windowSize } = opts(W);
812
824
  let p = c.ZERO;
813
825
  let f = c.BASE;
814
- const mask = BigInteger.new(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
826
+ const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
815
827
  const maxNumber = 2 ** W;
816
- const shiftBy = BigInteger.new(W);
828
+ const shiftBy = BigInt(W);
817
829
  for (let window = 0; window < windows; window++) {
818
830
  const offset = window * windowSize;
819
831
  // Extract W bits.
820
- let wbits = n.bitwiseAnd(mask).toNumber();
832
+ let wbits = Number(n & mask);
821
833
  // Shift number by W bits.
822
- n.irightShift(shiftBy);
834
+ n >>= shiftBy;
823
835
  // If the bits are bigger than max size, we'll split those.
824
836
  // +224 => 256 - 32
825
837
  if (wbits > windowSize) {
826
838
  wbits -= maxNumber;
827
- n.iinc();
839
+ n += _1n$5;
828
840
  }
829
841
  // This code was first written with assumption that 'f' and 'p' will never be infinity point:
830
842
  // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
@@ -870,8 +882,8 @@ function wNAF(c, bits) {
870
882
  function validateBasic(curve) {
871
883
  validateField(curve.Fp);
872
884
  validateObject(curve, {
873
- n: 'BigInteger',
874
- h: 'BigInteger',
885
+ n: 'bigint',
886
+ h: 'bigint',
875
887
  Gx: 'field',
876
888
  Gy: 'field',
877
889
  }, {
@@ -908,7 +920,7 @@ function validatePointOpts(curve) {
908
920
  throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
909
921
  }
910
922
  if (typeof endo !== 'object' ||
911
- !(endo.beta instanceof BigInteger) ||
923
+ typeof endo.beta !== 'bigint' ||
912
924
  typeof endo.splitScalar !== 'function') {
913
925
  throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
914
926
  }
@@ -946,8 +958,7 @@ const DER = {
946
958
  // parse DER signature
947
959
  const { Err: E } = DER;
948
960
  const data = typeof hex === 'string' ? h2b(hex) : hex;
949
- if (!isBytes(data))
950
- throw new Error('ui8a expected');
961
+ abytes(data);
951
962
  let l = data.length;
952
963
  if (l < 2 || data[0] != 0x30)
953
964
  throw new E('Invalid signature tag');
@@ -963,7 +974,7 @@ const DER = {
963
974
  // Add leading zero if first byte has negative bit enabled. More details in '_parseInt'
964
975
  const slice = (s) => (Number.parseInt(s[0], 16) & 0b1000 ? '00' + s : s);
965
976
  const h = (num) => {
966
- const hex = num instanceof BigInteger ? bytesToHex(num.toUint8Array()) : num.toString(16);
977
+ const hex = num.toString(16);
967
978
  return hex.length & 1 ? `0${hex}` : hex;
968
979
  };
969
980
  const s = slice(h(sig.s));
@@ -977,11 +988,7 @@ const DER = {
977
988
  };
978
989
  // Be friendly to bad ECMAScript parsers by not using bigint literals
979
990
  // prettier-ignore
980
- const _0n$2 = Object.freeze(BigInteger.new(0));
981
- const _1n$4 = Object.freeze(BigInteger.new(1));
982
- Object.freeze(BigInteger.new(2));
983
- const _3n$2 = Object.freeze(BigInteger.new(3));
984
- Object.freeze(BigInteger.new(4));
991
+ const _0n$2 = BigInt(0), _1n$4 = BigInt(1); BigInt(2); const _3n$1 = BigInt(3); BigInt(4);
985
992
  function weierstrassPoints(opts) {
986
993
  const CURVE = validatePointOpts(opts);
987
994
  const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
@@ -1017,7 +1024,7 @@ function weierstrassPoints(opts) {
1017
1024
  throw new Error('bad generator point: equation left != right');
1018
1025
  // Valid group elements reside in range 1..n-1
1019
1026
  function isWithinCurveOrder(num) {
1020
- return num instanceof BigInteger && _0n$2.lt(num) && num.lt(CURVE.n);
1027
+ return typeof num === 'bigint' && _0n$2 < num && num < CURVE.n;
1021
1028
  }
1022
1029
  function assertGE(num) {
1023
1030
  if (!isWithinCurveOrder(num))
@@ -1027,7 +1034,7 @@ function weierstrassPoints(opts) {
1027
1034
  // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
1028
1035
  function normPrivateKeyToScalar(key) {
1029
1036
  const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
1030
- if (lengths && !(key instanceof BigInteger)) {
1037
+ if (lengths && typeof key !== 'bigint') {
1031
1038
  if (isBytes(key))
1032
1039
  key = bytesToHex(key);
1033
1040
  // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
@@ -1038,7 +1045,7 @@ function weierstrassPoints(opts) {
1038
1045
  let num;
1039
1046
  try {
1040
1047
  num =
1041
- key instanceof BigInteger
1048
+ typeof key === 'bigint'
1042
1049
  ? key
1043
1050
  : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
1044
1051
  }
@@ -1171,7 +1178,7 @@ function weierstrassPoints(opts) {
1171
1178
  // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
1172
1179
  double() {
1173
1180
  const { a, b } = CURVE;
1174
- const b3 = Fp.mul(b, _3n$2);
1181
+ const b3 = Fp.mul(b, _3n$1);
1175
1182
  const { px: X1, py: Y1, pz: Z1 } = this;
1176
1183
  let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
1177
1184
  let t0 = Fp.mul(X1, X1); // step 1
@@ -1217,7 +1224,7 @@ function weierstrassPoints(opts) {
1217
1224
  const { px: X2, py: Y2, pz: Z2 } = other;
1218
1225
  let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
1219
1226
  const a = CURVE.a;
1220
- const b3 = Fp.mul(CURVE.b, _3n$2);
1227
+ const b3 = Fp.mul(CURVE.b, _3n$1);
1221
1228
  let t0 = Fp.mul(X1, X2); // step 1
1222
1229
  let t1 = Fp.mul(Y1, Y2);
1223
1230
  let t2 = Fp.mul(Z1, Z2);
@@ -1279,10 +1286,10 @@ function weierstrassPoints(opts) {
1279
1286
  */
1280
1287
  multiplyUnsafe(n) {
1281
1288
  const I = Point.ZERO;
1282
- if (n.isZero())
1289
+ if (n === _0n$2)
1283
1290
  return I;
1284
1291
  assertGE(n); // Will throw on 0
1285
- if (n.isOne())
1292
+ if (n === _1n$4)
1286
1293
  return this;
1287
1294
  const { endo } = CURVE;
1288
1295
  if (!endo)
@@ -1292,14 +1299,14 @@ function weierstrassPoints(opts) {
1292
1299
  let k1p = I;
1293
1300
  let k2p = I;
1294
1301
  let d = this;
1295
- while (k1.gt(_0n$2) || k2.gt(_0n$2)) {
1296
- if (!k1.isEven())
1302
+ while (k1 > _0n$2 || k2 > _0n$2) {
1303
+ if (k1 & _1n$4)
1297
1304
  k1p = k1p.add(d);
1298
- if (!k2.isEven())
1305
+ if (k2 & _1n$4)
1299
1306
  k2p = k2p.add(d);
1300
1307
  d = d.double();
1301
- k1 = k1.rightShift(_1n$4);
1302
- k2 = k2.rightShift(_1n$4);
1308
+ k1 >>= _1n$4;
1309
+ k2 >>= _1n$4;
1303
1310
  }
1304
1311
  if (k1neg)
1305
1312
  k1p = k1p.negate();
@@ -1349,7 +1356,7 @@ function weierstrassPoints(opts) {
1349
1356
  multiplyAndAddUnsafe(Q, a, b) {
1350
1357
  const G = Point.BASE; // No Strauss-Shamir trick: we have 10% faster G precomputes
1351
1358
  const mul = (P, a // Select faster multiply() method
1352
- ) => (a.isZero() || a.isOne() || !P.equals(G) ? P.multiplyUnsafe(a) : P.multiply(a));
1359
+ ) => (a === _0n$2 || a === _1n$4 || !P.equals(G) ? P.multiplyUnsafe(a) : P.multiply(a));
1353
1360
  const sum = mul(this, a).add(mul(Q, b));
1354
1361
  return sum.is0() ? undefined : sum;
1355
1362
  }
@@ -1374,7 +1381,7 @@ function weierstrassPoints(opts) {
1374
1381
  }
1375
1382
  isTorsionFree() {
1376
1383
  const { h: cofactor, isTorsionFree } = CURVE;
1377
- if (cofactor.isOne())
1384
+ if (cofactor === _1n$4)
1378
1385
  return true; // No subgroups, always torsion-free
1379
1386
  if (isTorsionFree)
1380
1387
  return isTorsionFree(Point, this);
@@ -1382,7 +1389,7 @@ function weierstrassPoints(opts) {
1382
1389
  }
1383
1390
  clearCofactor() {
1384
1391
  const { h: cofactor, clearCofactor } = CURVE;
1385
- if (cofactor.isOne())
1392
+ if (cofactor === _1n$4)
1386
1393
  return this; // Fast-path
1387
1394
  if (clearCofactor)
1388
1395
  return clearCofactor(Point, this);
@@ -1428,7 +1435,7 @@ function weierstrass(curveDef) {
1428
1435
  const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
1429
1436
  const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
1430
1437
  function isValidFieldElement(num) {
1431
- return _0n$2.lt(num) && num.lt(Fp.ORDER); // 0 is banned since it's not invertible FE
1438
+ return _0n$2 < num && num < Fp.ORDER; // 0 is banned since it's not invertible FE
1432
1439
  }
1433
1440
  function modN(a) {
1434
1441
  return mod(a, CURVE_ORDER);
@@ -1459,8 +1466,15 @@ function weierstrass(curveDef) {
1459
1466
  if (!isValidFieldElement(x))
1460
1467
  throw new Error('Point is not on curve');
1461
1468
  const y2 = weierstrassEquation(x); // y² = x³ + ax + b
1462
- let y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
1463
- const isYOdd = !y.isEven();
1469
+ let y;
1470
+ try {
1471
+ y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
1472
+ }
1473
+ catch (sqrtError) {
1474
+ const suffix = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
1475
+ throw new Error('Point is not on curve' + suffix);
1476
+ }
1477
+ const isYOdd = (y & _1n$4) === _1n$4;
1464
1478
  // ECDSA
1465
1479
  const isHeadOdd = (head & 1) === 1;
1466
1480
  if (isHeadOdd !== isYOdd)
@@ -1479,11 +1493,11 @@ function weierstrass(curveDef) {
1479
1493
  });
1480
1494
  const numToNByteStr = (num) => bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
1481
1495
  function isBiggerThanHalfOrder(number) {
1482
- const HALF = CURVE_ORDER.rightShift(_1n$4);
1483
- return number.gt(HALF);
1496
+ const HALF = CURVE_ORDER >> _1n$4;
1497
+ return number > HALF;
1484
1498
  }
1485
1499
  function normalizeS(s) {
1486
- return isBiggerThanHalfOrder(s) ? modN(s.negate()) : s;
1500
+ return isBiggerThanHalfOrder(s) ? modN(-s) : s;
1487
1501
  }
1488
1502
  // slice bytes num
1489
1503
  const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
@@ -1524,14 +1538,14 @@ function weierstrass(curveDef) {
1524
1538
  const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash
1525
1539
  if (rec == null || ![0, 1, 2, 3].includes(rec))
1526
1540
  throw new Error('recovery id invalid');
1527
- const radj = rec === 2 || rec === 3 ? r.add(CURVE.n) : r;
1528
- if (radj.gte(Fp.ORDER))
1541
+ const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
1542
+ if (radj >= Fp.ORDER)
1529
1543
  throw new Error('recovery id 2 or 3 invalid');
1530
1544
  const prefix = (rec & 1) === 0 ? '02' : '03';
1531
1545
  const R = Point.fromHex(prefix + numToNByteStr(radj));
1532
1546
  const ir = invN(radj); // r^-1
1533
- const u1 = modN(h.negate().imul(ir)); // -hr^-1
1534
- const u2 = modN(s.mul(ir)); // sr^-1
1547
+ const u1 = modN(-h * ir); // -hr^-1
1548
+ const u2 = modN(s * ir); // sr^-1
1535
1549
  const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)
1536
1550
  if (!Q)
1537
1551
  throw new Error('point at infinify'); // unsafe is fine: no priv data leaked
@@ -1543,7 +1557,7 @@ function weierstrass(curveDef) {
1543
1557
  return isBiggerThanHalfOrder(this.s);
1544
1558
  }
1545
1559
  normalizeS() {
1546
- return this.hasHighS() ? new Signature(this.r, modN(this.s.negate()), this.recovery) : this;
1560
+ return this.hasHighS() ? new Signature(this.r, modN(-this.s), this.recovery) : this;
1547
1561
  }
1548
1562
  // DER-encoded
1549
1563
  toDERRawBytes() {
@@ -1589,7 +1603,7 @@ function weierstrass(curveDef) {
1589
1603
  */
1590
1604
  precompute(windowSize = 8, point = Point.BASE) {
1591
1605
  point._setWindowSize(windowSize);
1592
- point.multiply(BigInteger.new(3)); // 3 is arbitrary, just need any number here
1606
+ point.multiply(BigInt(3)); // 3 is arbitrary, just need any number here
1593
1607
  return point;
1594
1608
  },
1595
1609
  };
@@ -1645,7 +1659,7 @@ function weierstrass(curveDef) {
1645
1659
  // for some cases, since bytes.length * 8 is not actual bitLength.
1646
1660
  const num = bytesToNumberBE(bytes); // check for == u8 done here
1647
1661
  const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
1648
- return delta > 0 ? num.rightShift(BigInteger.new(delta)) : num;
1662
+ return delta > 0 ? num >> BigInt(delta) : num;
1649
1663
  };
1650
1664
  const bits2int_modN = CURVE.bits2int_modN ||
1651
1665
  function (bytes) {
@@ -1657,9 +1671,9 @@ function weierstrass(curveDef) {
1657
1671
  * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
1658
1672
  */
1659
1673
  function int2octets(num) {
1660
- if (!(num instanceof BigInteger))
1674
+ if (typeof num !== 'bigint')
1661
1675
  throw new Error('bigint expected');
1662
- if (!(_0n$2.lte(num) && num.lt(ORDER_MASK)))
1676
+ if (!(_0n$2 <= num && num < ORDER_MASK))
1663
1677
  throw new Error(`bigint expected < 2^${CURVE.nBitLength}`);
1664
1678
  // works with order, can have different size than numToField!
1665
1679
  return numberToBytesBE(num, CURVE.nByteLength);
@@ -1686,7 +1700,7 @@ function weierstrass(curveDef) {
1686
1700
  const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
1687
1701
  const seedArgs = [int2octets(d), int2octets(h1int)];
1688
1702
  // extraEntropy. RFC6979 3.6: additional k' (optional).
1689
- if (ent != null) {
1703
+ if (ent != null && ent !== false) {
1690
1704
  // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
1691
1705
  const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
1692
1706
  seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
@@ -1702,15 +1716,15 @@ function weierstrass(curveDef) {
1702
1716
  const ik = invN(k); // k^-1 mod n
1703
1717
  const q = Point.BASE.multiply(k).toAffine(); // q = Gk
1704
1718
  const r = modN(q.x); // r = q.x mod n
1705
- if (r.isZero())
1719
+ if (r === _0n$2)
1706
1720
  return;
1707
1721
  // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
1708
1722
  // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
1709
1723
  // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
1710
- const s = modN(ik.mul(modN(m.add(r.mul(d))))); // Not using blinding here
1711
- if (s.isZero())
1724
+ const s = modN(ik * modN(m + r * d)); // Not using blinding here
1725
+ if (s === _0n$2)
1712
1726
  return;
1713
- let recovery = (q.x.equal(r) ? 0 : 2) | q.y.getBit(0); // recovery bit (2 or 3, when q.x > n)
1727
+ let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n$4); // recovery bit (2 or 3, when q.x > n)
1714
1728
  let normS = s;
1715
1729
  if (lowS && isBiggerThanHalfOrder(s)) {
1716
1730
  normS = normalizeS(s); // if lowS was passed, ensure s is always
@@ -1779,7 +1793,7 @@ function weierstrass(curveDef) {
1779
1793
  _sig = Signature.fromCompact(sg);
1780
1794
  }
1781
1795
  }
1782
- else if (typeof sg === 'object' && sg.r instanceof BigInteger && sg.s instanceof BigInteger) {
1796
+ else if (typeof sg === 'object' && typeof sg.r === 'bigint' && typeof sg.s === 'bigint') {
1783
1797
  const { r, s } = sg;
1784
1798
  _sig = new Signature(r, s);
1785
1799
  }
@@ -1800,13 +1814,13 @@ function weierstrass(curveDef) {
1800
1814
  const { r, s } = _sig;
1801
1815
  const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
1802
1816
  const is = invN(s); // s^-1
1803
- const u1 = modN(h.mul(is)); // u1 = hs^-1 mod n
1804
- const u2 = modN(r.mul(is)); // u2 = rs^-1 mod n
1817
+ const u1 = modN(h * is); // u1 = hs^-1 mod n
1818
+ const u2 = modN(r * is); // u2 = rs^-1 mod n
1805
1819
  const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2)?.toAffine(); // R = u1⋅G + u2⋅P
1806
1820
  if (!R)
1807
1821
  return false;
1808
1822
  const v = modN(R.x);
1809
- return v.equal(r);
1823
+ return v === r;
1810
1824
  }
1811
1825
  return {
1812
1826
  CURVE,
@@ -1821,7 +1835,6 @@ function weierstrass(curveDef) {
1821
1835
  }
1822
1836
 
1823
1837
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
1824
- // import { BigInteger } from '@openpgp/noble-hashes/biginteger';
1825
1838
  // connects noble-curves to noble-hashes
1826
1839
  function getHash(hash) {
1827
1840
  return {
@@ -1838,20 +1851,20 @@ function createCurve(curveDef, defHash) {
1838
1851
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
1839
1852
  // NIST secp256r1 aka p256
1840
1853
  // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
1841
- const Fp$7 = Field(BigInteger.new('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
1842
- const CURVE_A$4 = Fp$7.create(BigInteger.new('-3'));
1843
- const CURVE_B$4 = BigInteger.new('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
1854
+ const Fp$7 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
1855
+ const CURVE_A$4 = Fp$7.create(BigInt('-3'));
1856
+ const CURVE_B$4 = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
1844
1857
  // prettier-ignore
1845
1858
  const p256 = createCurve({
1846
1859
  a: CURVE_A$4, // Equation params: a, b
1847
1860
  b: CURVE_B$4,
1848
1861
  Fp: Fp$7, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
1849
1862
  // Curve order, total count of valid points in the field
1850
- n: BigInteger.new('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
1863
+ n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
1851
1864
  // Base (generator) point (x, y)
1852
- Gx: BigInteger.new('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
1853
- Gy: BigInteger.new('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
1854
- h: BigInteger.new(1),
1865
+ Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
1866
+ Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
1867
+ h: BigInt(1),
1855
1868
  lowS: false,
1856
1869
  }, sha256);
1857
1870
 
@@ -1860,22 +1873,22 @@ const p256 = createCurve({
1860
1873
  // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
1861
1874
  // Field over which we'll do calculations.
1862
1875
  // prettier-ignore
1863
- const P$1 = BigInteger.new('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
1876
+ const P$1 = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
1864
1877
  const Fp$6 = Field(P$1);
1865
- const CURVE_A$3 = Fp$6.create(BigInteger.new('-3'));
1878
+ const CURVE_A$3 = Fp$6.create(BigInt('-3'));
1866
1879
  // prettier-ignore
1867
- const CURVE_B$3 = BigInteger.new('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
1880
+ const CURVE_B$3 = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
1868
1881
  // prettier-ignore
1869
1882
  const p384 = createCurve({
1870
1883
  a: CURVE_A$3, // Equation params: a, b
1871
1884
  b: CURVE_B$3,
1872
1885
  Fp: Fp$6, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
1873
1886
  // Curve order, total count of valid points in the field.
1874
- n: BigInteger.new('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
1887
+ n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
1875
1888
  // Base (generator) point (x, y)
1876
- Gx: BigInteger.new('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
1877
- Gy: BigInteger.new('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
1878
- h: BigInteger.new(1),
1889
+ Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
1890
+ Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
1891
+ h: BigInt(1),
1879
1892
  lowS: false,
1880
1893
  }, sha384);
1881
1894
 
@@ -1885,16 +1898,16 @@ const p384 = createCurve({
1885
1898
  // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
1886
1899
  // Field over which we'll do calculations.
1887
1900
  // prettier-ignore
1888
- const P = BigInteger.new('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
1901
+ const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
1889
1902
  const Fp$5 = Field(P);
1890
1903
  const CURVE = {
1891
- a: Fp$5.create(BigInteger.new('-3')),
1892
- b: BigInteger.new('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
1904
+ a: Fp$5.create(BigInt('-3')),
1905
+ b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
1893
1906
  Fp: Fp$5,
1894
- n: BigInteger.new('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
1895
- Gx: BigInteger.new('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
1896
- Gy: BigInteger.new('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
1897
- h: BigInteger.new(1),
1907
+ n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
1908
+ Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
1909
+ Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
1910
+ h: BigInt(1),
1898
1911
  };
1899
1912
  // prettier-ignore
1900
1913
  const p521 = createCurve({
@@ -1910,77 +1923,19 @@ const p521 = createCurve({
1910
1923
  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
1911
1924
  }, sha512);
1912
1925
 
1913
- // brainpoolP256r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.4
1914
- const Fp$4 = Field(BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'));
1915
- const CURVE_A$2 = Fp$4.create(BigInteger.new('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'));
1916
- const CURVE_B$2 = BigInteger.new('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6');
1917
- // prettier-ignore
1918
- const brainpoolP256r1 = createCurve({
1919
- a: CURVE_A$2, // Equation params: a, b
1920
- b: CURVE_B$2,
1921
- Fp: Fp$4,
1922
- // Curve order (q), total count of valid points in the field
1923
- n: BigInteger.new('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
1924
- // Base (generator) point (x, y)
1925
- Gx: BigInteger.new('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
1926
- Gy: BigInteger.new('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
1927
- h: BigInteger.new(1),
1928
- lowS: false,
1929
- }, sha256);
1930
-
1931
- // brainpoolP384 r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.6
1932
- const Fp$3 = Field(BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'));
1933
- const CURVE_A$1 = Fp$3.create(BigInteger.new('0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'));
1934
- const CURVE_B$1 = BigInteger.new('0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11');
1935
- // prettier-ignore
1936
- const brainpoolP384r1 = createCurve({
1937
- a: CURVE_A$1, // Equation params: a, b
1938
- b: CURVE_B$1,
1939
- Fp: Fp$3,
1940
- // Curve order (q), total count of valid points in the field
1941
- n: BigInteger.new('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'),
1942
- // Base (generator) point (x, y)
1943
- Gx: BigInteger.new('0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'),
1944
- Gy: BigInteger.new('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'),
1945
- h: BigInteger.new(1),
1946
- lowS: false,
1947
- }, sha384);
1948
-
1949
- // brainpoolP512r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.7
1950
- const Fp$2 = Field(BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'));
1951
- const CURVE_A = Fp$2.create(BigInteger.new('0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'));
1952
- const CURVE_B = BigInteger.new('0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723');
1953
- // prettier-ignore
1954
- const brainpoolP512r1 = createCurve({
1955
- a: CURVE_A, // Equation params: a, b
1956
- b: CURVE_B,
1957
- Fp: Fp$2,
1958
- // Curve order (q), total count of valid points in the field
1959
- n: BigInteger.new('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'),
1960
- // Base (generator) point (x, y)
1961
- Gx: BigInteger.new('0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'),
1962
- Gy: BigInteger.new('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'),
1963
- h: BigInteger.new(1),
1964
- lowS: false,
1965
- }, sha512);
1966
-
1967
1926
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
1968
1927
  // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
1969
1928
  // Be friendly to bad ECMAScript parsers by not using bigint literals
1970
1929
  // prettier-ignore
1971
- const _0n$1 = Object.freeze(BigInteger.new(0));
1972
- const _1n$3 = Object.freeze(BigInteger.new(1));
1973
- const _2n$3 = Object.freeze(BigInteger.new(2));
1974
- const _3n$1 = Object.freeze(BigInteger.new(3));
1975
- const _8n = Object.freeze(BigInteger.new(8));
1930
+ const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n = BigInt(8);
1976
1931
  // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
1977
1932
  const VERIFY_DEFAULT = { zip215: true };
1978
1933
  function validateOpts$1(curve) {
1979
1934
  const opts = validateBasic(curve);
1980
1935
  validateObject(curve, {
1981
1936
  hash: 'function',
1982
- a: 'BigInteger',
1983
- d: 'BigInteger',
1937
+ a: 'bigint',
1938
+ d: 'bigint',
1984
1939
  randomBytes: 'function',
1985
1940
  }, {
1986
1941
  adjustScalarBytes: 'function',
@@ -1995,14 +1950,13 @@ function validateOpts$1(curve) {
1995
1950
  function twistedEdwards(curveDef) {
1996
1951
  const CURVE = validateOpts$1(curveDef);
1997
1952
  const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
1998
- const MASK = _2n$3.leftShift(BigInteger.new(nByteLength * 8).idec());
1953
+ const MASK = _2n$2 << (BigInt(nByteLength * 8) - _1n$3);
1999
1954
  const modP = Fp.create; // Function overrides
2000
1955
  // sqrt(u/v)
2001
1956
  const uvRatio = CURVE.uvRatio ||
2002
1957
  ((u, v) => {
2003
1958
  try {
2004
- const res = { isValid: true, value: Fp.sqrt(u.mul(Fp.inv(v))) };
2005
- return res;
1959
+ return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
2006
1960
  }
2007
1961
  catch (e) {
2008
1962
  return { isValid: false, value: _0n$1 };
@@ -2015,9 +1969,9 @@ function twistedEdwards(curveDef) {
2015
1969
  throw new Error('Contexts/pre-hash are not supported');
2016
1970
  return data;
2017
1971
  }); // NOOP
2018
- const inBig = (n) => n instanceof BigInteger && n.gt(_0n$1); // n in [1..]
2019
- const inRange = (n, max) => inBig(n) && inBig(max) && n.lt(max); // n in [1..max-1]
2020
- const in0MaskRange = (n) => n.isZero() || inRange(n, MASK); // n in [0..MASK-1]
1972
+ const inBig = (n) => typeof n === 'bigint' && _0n$1 < n; // n in [1..]
1973
+ const inRange = (n, max) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
1974
+ const in0MaskRange = (n) => n === _0n$1 || inRange(n, MASK); // n in [0..MASK-1]
2021
1975
  function assertInRange(n, max) {
2022
1976
  // n in [1..max-1]
2023
1977
  if (inRange(n, max))
@@ -2026,7 +1980,7 @@ function twistedEdwards(curveDef) {
2026
1980
  }
2027
1981
  function assertGE0(n) {
2028
1982
  // n in [0..CURVE_ORDER-1]
2029
- return n.isZero() ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
1983
+ return n === _0n$1 ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
2030
1984
  }
2031
1985
  const pointPrecomputes = new Map();
2032
1986
  function isPoint(other) {
@@ -2062,7 +2016,7 @@ function twistedEdwards(curveDef) {
2062
2016
  const { x, y } = p || {};
2063
2017
  if (!in0MaskRange(x) || !in0MaskRange(y))
2064
2018
  throw new Error('invalid affine point');
2065
- return new Point(x, y, _1n$3, modP(x.mul(y)));
2019
+ return new Point(x, y, _1n$3, modP(x * y));
2066
2020
  }
2067
2021
  static normalizeZ(points) {
2068
2022
  const toInv = Fp.invertBatch(points.map((p) => p.ez));
@@ -2082,19 +2036,19 @@ function twistedEdwards(curveDef) {
2082
2036
  // Equation in affine coordinates: ax² + y² = 1 + dx²y²
2083
2037
  // Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²
2084
2038
  const { ex: X, ey: Y, ez: Z, et: T } = this;
2085
- const X2 = modP(X.mul(X)); // X²
2086
- const Y2 = modP(Y.mul(Y)); // Y²
2087
- const Z2 = modP(Z.mul(Z)); // Z²
2088
- const Z4 = modP(Z2.mul(Z2)); // Z⁴
2089
- const aX2 = modP(X2.mul(a)); // aX²
2090
- const left = modP(Z2.mul(modP(aX2.add(Y2)))); // (aX² + Y²)Z²
2091
- const right = modP(Z4.add(modP(d.mul(modP(X2.mul(Y2)))))); // Z⁴ + dX²Y²
2092
- if (!left.equal(right))
2039
+ const X2 = modP(X * X); // X²
2040
+ const Y2 = modP(Y * Y); // Y²
2041
+ const Z2 = modP(Z * Z); // Z²
2042
+ const Z4 = modP(Z2 * Z2); // Z⁴
2043
+ const aX2 = modP(X2 * a); // aX²
2044
+ const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
2045
+ const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
2046
+ if (left !== right)
2093
2047
  throw new Error('bad point: equation left != right (1)');
2094
2048
  // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
2095
- const XY = modP(X.mul(Y));
2096
- const ZT = modP(Z.mul(T));
2097
- if (!XY.equal(ZT))
2049
+ const XY = modP(X * Y);
2050
+ const ZT = modP(Z * T);
2051
+ if (XY !== ZT)
2098
2052
  throw new Error('bad point: equation left != right (2)');
2099
2053
  }
2100
2054
  // Compare one point to another.
@@ -2102,18 +2056,18 @@ function twistedEdwards(curveDef) {
2102
2056
  isPoint(other);
2103
2057
  const { ex: X1, ey: Y1, ez: Z1 } = this;
2104
2058
  const { ex: X2, ey: Y2, ez: Z2 } = other;
2105
- const X1Z2 = modP(X1.mul(Z2));
2106
- const X2Z1 = modP(X2.mul(Z1));
2107
- const Y1Z2 = modP(Y1.mul(Z2));
2108
- const Y2Z1 = modP(Y2.mul(Z1));
2109
- return X1Z2.equal(X2Z1) && Y1Z2.equal(Y2Z1);
2059
+ const X1Z2 = modP(X1 * Z2);
2060
+ const X2Z1 = modP(X2 * Z1);
2061
+ const Y1Z2 = modP(Y1 * Z2);
2062
+ const Y2Z1 = modP(Y2 * Z1);
2063
+ return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
2110
2064
  }
2111
2065
  is0() {
2112
2066
  return this.equals(Point.ZERO);
2113
2067
  }
2114
2068
  negate() {
2115
2069
  // Flips point sign to a negative one (-x, y in affine coords)
2116
- return new Point(modP(this.ex.negate()), this.ey, this.ez, modP(this.et.negate()));
2070
+ return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
2117
2071
  }
2118
2072
  // Fast algo for doubling Extended Point.
2119
2073
  // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
@@ -2121,19 +2075,19 @@ function twistedEdwards(curveDef) {
2121
2075
  double() {
2122
2076
  const { a } = CURVE;
2123
2077
  const { ex: X1, ey: Y1, ez: Z1 } = this;
2124
- const A = modP(X1.mul(X1)); // A = X12
2125
- const B = modP(Y1.mul(Y1)); // B = Y12
2126
- const C = modP(_2n$3.mul(modP(Z1.mul(Z1)))); // C = 2*Z12
2127
- const D = modP(a.mul(A)); // D = a*A
2128
- const x1y1 = X1.add(Y1);
2129
- const E = modP(modP(x1y1.mul(x1y1)).sub(A).isub(B)); // E = (X1+Y1)2-A-B
2130
- const G = D.add(B); // G = D+B
2131
- const F = G.sub(C); // F = G-C
2132
- const H = D.sub(B); // H = D-B
2133
- const X3 = modP(E.mul(F)); // X3 = E*F
2134
- const Y3 = modP(G.mul(H)); // Y3 = G*H
2135
- const T3 = modP(E.mul(H)); // T3 = E*H
2136
- const Z3 = modP(F.mul(G)); // Z3 = F*G
2078
+ const A = modP(X1 * X1); // A = X12
2079
+ const B = modP(Y1 * Y1); // B = Y12
2080
+ const C = modP(_2n$2 * modP(Z1 * Z1)); // C = 2*Z12
2081
+ const D = modP(a * A); // D = a*A
2082
+ const x1y1 = X1 + Y1;
2083
+ const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
2084
+ const G = D + B; // G = D+B
2085
+ const F = G - C; // F = G-C
2086
+ const H = D - B; // H = D-B
2087
+ const X3 = modP(E * F); // X3 = E*F
2088
+ const Y3 = modP(G * H); // Y3 = G*H
2089
+ const T3 = modP(E * H); // T3 = E*H
2090
+ const Z3 = modP(F * G); // Z3 = F*G
2137
2091
  return new Point(X3, Y3, Z3, T3);
2138
2092
  }
2139
2093
  // Fast algo for adding 2 Extended Points.
@@ -2148,35 +2102,35 @@ function twistedEdwards(curveDef) {
2148
2102
  // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
2149
2103
  // Cost: 8M + 8add + 2*2.
2150
2104
  // Note: It does not check whether the `other` point is valid.
2151
- if (a.equal(BigInteger.new(-1))) {
2152
- const A = modP(Y1.sub(X1).imul(Y2.add(X2)));
2153
- const B = modP(Y1.add(X1).imul(Y2.sub(X2)));
2154
- const F = modP(B.sub(A));
2155
- if (F.isZero())
2105
+ if (a === BigInt(-1)) {
2106
+ const A = modP((Y1 - X1) * (Y2 + X2));
2107
+ const B = modP((Y1 + X1) * (Y2 - X2));
2108
+ const F = modP(B - A);
2109
+ if (F === _0n$1)
2156
2110
  return this.double(); // Same point. Tests say it doesn't affect timing
2157
- const C = modP(Z1.mul(_2n$3).imul(T2));
2158
- const D = modP(T1.mul(_2n$3).imul(Z2));
2159
- const E = D.add(C);
2160
- const G = B.add(A);
2161
- const H = D.sub(C);
2162
- const X3 = modP(E.mul(F));
2163
- const Y3 = modP(G.mul(H));
2164
- const T3 = modP(E.mul(H));
2165
- const Z3 = modP(F.mul(G));
2111
+ const C = modP(Z1 * _2n$2 * T2);
2112
+ const D = modP(T1 * _2n$2 * Z2);
2113
+ const E = D + C;
2114
+ const G = B + A;
2115
+ const H = D - C;
2116
+ const X3 = modP(E * F);
2117
+ const Y3 = modP(G * H);
2118
+ const T3 = modP(E * H);
2119
+ const Z3 = modP(F * G);
2166
2120
  return new Point(X3, Y3, Z3, T3);
2167
2121
  }
2168
- const A = modP(X1.mul(X2)); // A = X1*X2
2169
- const B = modP(Y1.mul(Y2)); // B = Y1*Y2
2170
- const C = modP(T1.mul(d).imul(T2)); // C = T1*d*T2
2171
- const D = modP(Z1.mul(Z2)); // D = Z1*Z2
2172
- const E = modP(X1.add(Y1).imul(X2.add(Y2)).isub(A).isub(B)); // E = (X1+Y1)*(X2+Y2)-A-B
2173
- const F = D.sub(C); // F = D-C
2174
- const G = D.add(C); // G = D+C
2175
- const H = modP(B.sub(a.mul(A))); // H = B-a*A
2176
- const X3 = modP(E.mul(F)); // X3 = E*F
2177
- const Y3 = modP(G.mul(H)); // Y3 = G*H
2178
- const T3 = modP(E.mul(H)); // T3 = E*H
2179
- const Z3 = modP(F.mul(G)); // Z3 = F*G
2122
+ const A = modP(X1 * X2); // A = X1*X2
2123
+ const B = modP(Y1 * Y2); // B = Y1*Y2
2124
+ const C = modP(T1 * d * T2); // C = T1*d*T2
2125
+ const D = modP(Z1 * Z2); // D = Z1*Z2
2126
+ const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
2127
+ const F = D - C; // F = D-C
2128
+ const G = D + C; // G = D+C
2129
+ const H = modP(B - a * A); // H = B-a*A
2130
+ const X3 = modP(E * F); // X3 = E*F
2131
+ const Y3 = modP(G * H); // Y3 = G*H
2132
+ const T3 = modP(E * H); // T3 = E*H
2133
+ const Z3 = modP(F * G); // Z3 = F*G
2180
2134
  return new Point(X3, Y3, Z3, T3);
2181
2135
  }
2182
2136
  subtract(other) {
@@ -2196,9 +2150,9 @@ function twistedEdwards(curveDef) {
2196
2150
  // Does NOT allow scalars higher than CURVE.n.
2197
2151
  multiplyUnsafe(scalar) {
2198
2152
  let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
2199
- if (n.isZero())
2153
+ if (n === _0n$1)
2200
2154
  return I;
2201
- if (this.equals(I) || n.isOne())
2155
+ if (this.equals(I) || n === _1n$3)
2202
2156
  return this;
2203
2157
  if (this.equals(G))
2204
2158
  return this.wNAF(n).p;
@@ -2223,18 +2177,18 @@ function twistedEdwards(curveDef) {
2223
2177
  const is0 = this.is0();
2224
2178
  if (iz == null)
2225
2179
  iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
2226
- const ax = modP(x.mul(iz));
2227
- const ay = modP(y.mul(iz));
2228
- const zz = modP(z.mul(iz));
2180
+ const ax = modP(x * iz);
2181
+ const ay = modP(y * iz);
2182
+ const zz = modP(z * iz);
2229
2183
  if (is0)
2230
- return { x: _0n$1.clone(), y: _1n$3.clone() };
2231
- if (!zz.isOne())
2184
+ return { x: _0n$1, y: _1n$3 };
2185
+ if (zz !== _1n$3)
2232
2186
  throw new Error('invZ was invalid');
2233
2187
  return { x: ax, y: ay };
2234
2188
  }
2235
2189
  clearCofactor() {
2236
2190
  const { h: cofactor } = CURVE;
2237
- if (cofactor.isOne())
2191
+ if (cofactor === _1n$3)
2238
2192
  return this;
2239
2193
  return this.multiplyUnsafe(cofactor);
2240
2194
  }
@@ -2248,7 +2202,7 @@ function twistedEdwards(curveDef) {
2248
2202
  const lastByte = hex[len - 1]; // select last byte
2249
2203
  normed[len - 1] = lastByte & ~0x80; // clear last bit
2250
2204
  const y = bytesToNumberLE(normed);
2251
- if (y.isZero()) ;
2205
+ if (y === _0n$1) ;
2252
2206
  else {
2253
2207
  // RFC8032 prohibits >= p, but ZIP215 doesn't
2254
2208
  if (zip215)
@@ -2258,19 +2212,19 @@ function twistedEdwards(curveDef) {
2258
2212
  }
2259
2213
  // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
2260
2214
  // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
2261
- const y2 = modP(y.mul(y)); // denominator is always non-0 mod p.
2262
- const u = modP(y2.dec()); // u = y² - 1
2263
- const v = modP(d.mul(y2).isub(a)); // v = d y² + 1.
2215
+ const y2 = modP(y * y); // denominator is always non-0 mod p.
2216
+ const u = modP(y2 - _1n$3); // u = y² - 1
2217
+ const v = modP(d * y2 - a); // v = d y² + 1.
2264
2218
  let { isValid, value: x } = uvRatio(u, v); // √(u/v)
2265
2219
  if (!isValid)
2266
2220
  throw new Error('Point.fromHex: invalid y coordinate');
2267
- const isXOdd = !x.isEven(); // There are 2 square roots. Use x_0 bit to select proper
2221
+ const isXOdd = (x & _1n$3) === _1n$3; // There are 2 square roots. Use x_0 bit to select proper
2268
2222
  const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
2269
- if (!zip215 && x.isZero() && isLastByteOdd)
2223
+ if (!zip215 && x === _0n$1 && isLastByteOdd)
2270
2224
  // if x=0 and x_0 = 1, fail
2271
2225
  throw new Error('Point.fromHex: x=0 and x_0=1');
2272
2226
  if (isLastByteOdd !== isXOdd)
2273
- x = modP(x.negate()); // if x_0 != x mod 2, set x = p-x
2227
+ x = modP(-x); // if x_0 != x mod 2, set x = p-x
2274
2228
  return Point.fromAffine({ x, y });
2275
2229
  }
2276
2230
  static fromPrivateKey(privKey) {
@@ -2278,15 +2232,15 @@ function twistedEdwards(curveDef) {
2278
2232
  }
2279
2233
  toRawBytes() {
2280
2234
  const { x, y } = this.toAffine();
2281
- const bytes = y.toUint8Array('le', Fp.BYTES); // each y has 2 x values (x, -y)
2282
- bytes[bytes.length - 1] |= x.isEven() ? 0 : 0x80; // when compressing, it's enough to store y
2235
+ const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
2236
+ bytes[bytes.length - 1] |= x & _1n$3 ? 0x80 : 0; // when compressing, it's enough to store y
2283
2237
  return bytes; // and use the last byte to encode sign of x
2284
2238
  }
2285
2239
  toHex() {
2286
2240
  return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
2287
2241
  }
2288
2242
  }
2289
- Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n$3, modP(CURVE.Gx.mul(CURVE.Gy)));
2243
+ Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n$3, modP(CURVE.Gx * CURVE.Gy));
2290
2244
  Point.ZERO = new Point(_0n$1, _1n$3, _1n$3, _0n$1); // 0, 1, 1, 0
2291
2245
  const { BASE: G, ZERO: I } = Point;
2292
2246
  const wnaf = wNAF(Point, nByteLength * 8);
@@ -2329,9 +2283,9 @@ function twistedEdwards(curveDef) {
2329
2283
  const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
2330
2284
  const R = G.multiply(r).toRawBytes(); // R = rG
2331
2285
  const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
2332
- const s = modN(r.add(k.mul(scalar))); // S = (r + k * s) mod L
2286
+ const s = modN(r + k * scalar); // S = (r + k * s) mod L
2333
2287
  assertGE0(s); // 0 <= s < l
2334
- const res = concatBytes(R, s.toUint8Array('le', Fp.BYTES));
2288
+ const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
2335
2289
  return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
2336
2290
  }
2337
2291
  const verifyOpts = VERIFY_DEFAULT;
@@ -2374,7 +2328,7 @@ function twistedEdwards(curveDef) {
2374
2328
  */
2375
2329
  precompute(windowSize = 8, point = Point.BASE) {
2376
2330
  point._setWindowSize(windowSize);
2377
- point.multiply(_3n$1);
2331
+ point.multiply(BigInt(3));
2378
2332
  return point;
2379
2333
  },
2380
2334
  };
@@ -2389,19 +2343,18 @@ function twistedEdwards(curveDef) {
2389
2343
  }
2390
2344
 
2391
2345
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
2392
- const _0n = Object.freeze(BigInteger.new(0));
2393
- const _1n$2 = Object.freeze(BigInteger.new(1));
2394
- const _2n$2 = Object.freeze(BigInteger.new(2));
2346
+ const _0n = BigInt(0);
2347
+ const _1n$2 = BigInt(1);
2395
2348
  function validateOpts(curve) {
2396
2349
  validateObject(curve, {
2397
- a: 'BigInteger',
2350
+ a: 'bigint',
2398
2351
  }, {
2399
2352
  montgomeryBits: 'isSafeInteger',
2400
2353
  nByteLength: 'isSafeInteger',
2401
2354
  adjustScalarBytes: 'function',
2402
2355
  domain: 'function',
2403
2356
  powPminus2: 'function',
2404
- Gu: 'BigInteger',
2357
+ Gu: 'bigint',
2405
2358
  });
2406
2359
  // Set defaults
2407
2360
  return Object.freeze({ ...curve });
@@ -2416,7 +2369,7 @@ function montgomery(curveDef) {
2416
2369
  const montgomeryBytes = Math.ceil(montgomeryBits / 8);
2417
2370
  const fieldLen = CURVE.nByteLength;
2418
2371
  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
2419
- const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P.sub(_2n$2), P));
2372
+ const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
2420
2373
  // cswap from RFC7748. But it is not from RFC7748!
2421
2374
  /*
2422
2375
  cswap(swap, x_2, x_3):
@@ -2428,20 +2381,20 @@ function montgomery(curveDef) {
2428
2381
  and x_3, computed, e.g., as mask(swap) = 0 - swap.
2429
2382
  */
2430
2383
  function cswap(swap, x_2, x_3) {
2431
- const dummy = modP(swap.mul(x_2.sub(x_3)));
2432
- x_2 = modP(x_2.sub(dummy));
2433
- x_3 = modP(x_3.add(dummy));
2384
+ const dummy = modP(swap * (x_2 - x_3));
2385
+ x_2 = modP(x_2 - dummy);
2386
+ x_3 = modP(x_3 + dummy);
2434
2387
  return [x_2, x_3];
2435
2388
  }
2436
2389
  // Accepts 0 as well
2437
2390
  function assertFieldElement(n) {
2438
- if (n instanceof BigInteger && !n.isNegative() && n.lt(P))
2391
+ if (typeof n === 'bigint' && _0n <= n && n < P)
2439
2392
  return n;
2440
2393
  throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
2441
2394
  }
2442
2395
  // x25519 from 4
2443
2396
  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
2444
- const a24 = CURVE.a.sub(_2n$2).irightShift(_2n$2);
2397
+ const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
2445
2398
  /**
2446
2399
  *
2447
2400
  * @param pointU u coordinate (x) on Montgomery Curve 25519
@@ -2458,11 +2411,11 @@ function montgomery(curveDef) {
2458
2411
  let z_2 = _0n;
2459
2412
  let x_3 = u;
2460
2413
  let z_3 = _1n$2;
2461
- let swap = _0n.clone();
2414
+ let swap = _0n;
2462
2415
  let sw;
2463
- for (let t = BigInteger.new(montgomeryBits - 1); !t.isNegative(); t.idec()) {
2464
- const k_t = BigInteger.new((k.rightShift(t)).getBit(0));
2465
- swap.ixor(k_t);
2416
+ for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
2417
+ const k_t = (k >> t) & _1n$2;
2418
+ swap ^= k_t;
2466
2419
  sw = cswap(swap, x_2, x_3);
2467
2420
  x_2 = sw[0];
2468
2421
  x_3 = sw[1];
@@ -2470,21 +2423,21 @@ function montgomery(curveDef) {
2470
2423
  z_2 = sw[0];
2471
2424
  z_3 = sw[1];
2472
2425
  swap = k_t;
2473
- const A = x_2.add(z_2);
2474
- const AA = modP(A.mul(A));
2475
- const B = x_2.sub(z_2);
2476
- const BB = modP(B.mul(B));
2477
- const E = AA.sub(BB);
2478
- const C = x_3.add(z_3);
2479
- const D = x_3.sub(z_3);
2480
- const DA = modP(D.mul(A));
2481
- const CB = modP(C.mul(B));
2482
- const dacb = DA.add(CB);
2483
- const da_cb = DA.sub(CB);
2484
- x_3 = modP(dacb.mul(dacb));
2485
- z_3 = modP(x_1.mul(modP(da_cb.mul(da_cb))));
2486
- x_2 = modP(AA.mul(BB));
2487
- z_2 = modP(E.mul(AA.add(modP(a24.mul(E)))));
2426
+ const A = x_2 + z_2;
2427
+ const AA = modP(A * A);
2428
+ const B = x_2 - z_2;
2429
+ const BB = modP(B * B);
2430
+ const E = AA - BB;
2431
+ const C = x_3 + z_3;
2432
+ const D = x_3 - z_3;
2433
+ const DA = modP(D * A);
2434
+ const CB = modP(C * B);
2435
+ const dacb = DA + CB;
2436
+ const da_cb = DA - CB;
2437
+ x_3 = modP(dacb * dacb);
2438
+ z_3 = modP(x_1 * modP(da_cb * da_cb));
2439
+ x_2 = modP(AA * BB);
2440
+ z_2 = modP(E * (AA + modP(a24 * E)));
2488
2441
  }
2489
2442
  // (x_2, x_3) = cswap(swap, x_2, x_3)
2490
2443
  sw = cswap(swap, x_2, x_3);
@@ -2497,7 +2450,7 @@ function montgomery(curveDef) {
2497
2450
  // z_2^(p - 2)
2498
2451
  const z2 = powPminus2(z_2);
2499
2452
  // Return x_2 * (z_2^(p - 2))
2500
- return modP(x_2.mul(z2));
2453
+ return modP(x_2 * z2);
2501
2454
  }
2502
2455
  function encodeUCoordinate(u) {
2503
2456
  return numberToBytesLE(modP(u), montgomeryBytes);
@@ -2523,7 +2476,7 @@ function montgomery(curveDef) {
2523
2476
  const pu = montgomeryLadder(pointU, _scalar);
2524
2477
  // The result was not contributory
2525
2478
  // https://cr.yp.to/ecdh.html#validate
2526
- if (pu.isZero())
2479
+ if (pu === _0n)
2527
2480
  throw new Error('Invalid private or public key received');
2528
2481
  return encodeUCoordinate(pu);
2529
2482
  }
@@ -2552,29 +2505,29 @@ function montgomery(curveDef) {
2552
2505
  */
2553
2506
  const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
2554
2507
  const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
2555
- const ed448P = BigInteger.new('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
2508
+ const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
2556
2509
  // prettier-ignore
2557
- const _1n$1 = BigInteger.new(1), _2n$1 = BigInteger.new(2), _3n = BigInteger.new(3), _11n = BigInteger.new(11);
2510
+ const _1n$1 = BigInt(1), _2n$1 = BigInt(2), _3n = BigInt(3); BigInt(4); const _11n = BigInt(11);
2558
2511
  // prettier-ignore
2559
- const _22n = BigInteger.new(22), _44n = BigInteger.new(44), _88n = BigInteger.new(88), _223n = BigInteger.new(223);
2512
+ const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
2560
2513
  // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
2561
2514
  // Used for efficient square root calculation.
2562
2515
  // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
2563
2516
  function ed448_pow_Pminus3div4(x) {
2564
2517
  const P = ed448P;
2565
- const b2 = x.modExp(_3n, P);
2566
- const b3 = b2.mul(b2).imul(x).imod(P);
2567
- const b6 = pow2(b3, _3n, P).imul(b3).imod(P);
2568
- const b9 = pow2(b6, _3n, P).imul(b3).imod(P);
2569
- const b11 = pow2(b9, _2n$1, P).imul(b2).imod(P);
2570
- const b22 = pow2(b11, _11n, P).imul(b11).imod(P);
2571
- const b44 = pow2(b22, _22n, P).imul(b22).imod(P);
2572
- const b88 = pow2(b44, _44n, P).imul(b44).imod(P);
2573
- const b176 = pow2(b88, _88n, P).imul(b88).imod(P);
2574
- const b220 = pow2(b176, _44n, P).imul(b44).imod(P);
2575
- const b222 = pow2(b220, _2n$1, P).imul(b2).imod(P);
2576
- const b223 = pow2(b222, _1n$1, P).imul(x).imod(P);
2577
- return pow2(b223, _223n, P).imul(b222).imod(P);
2518
+ const b2 = (x * x * x) % P;
2519
+ const b3 = (b2 * b2 * x) % P;
2520
+ const b6 = (pow2(b3, _3n, P) * b3) % P;
2521
+ const b9 = (pow2(b6, _3n, P) * b3) % P;
2522
+ const b11 = (pow2(b9, _2n$1, P) * b2) % P;
2523
+ const b22 = (pow2(b11, _11n, P) * b11) % P;
2524
+ const b44 = (pow2(b22, _22n, P) * b22) % P;
2525
+ const b88 = (pow2(b44, _44n, P) * b44) % P;
2526
+ const b176 = (pow2(b88, _88n, P) * b88) % P;
2527
+ const b220 = (pow2(b176, _44n, P) * b44) % P;
2528
+ const b222 = (pow2(b220, _2n$1, P) * b2) % P;
2529
+ const b223 = (pow2(b222, _1n$1, P) * x) % P;
2530
+ return (pow2(b223, _223n, P) * b222) % P;
2578
2531
  }
2579
2532
  function adjustScalarBytes(bytes) {
2580
2533
  // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
@@ -2596,35 +2549,35 @@ function uvRatio(u, v) {
2596
2549
  // following trick, to use a single modular powering for both the
2597
2550
  // inversion of v and the square root:
2598
2551
  // x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p)
2599
- const u2v = mod(u.mul(u).imul(v), P); // u²v
2600
- const u3v = mod(u2v.mul(u), P); // u³v
2601
- const u5v3 = mod(u3v.mul(u2v).imul(v), P); // u⁵v³
2552
+ const u2v = mod(u * u * v, P); // u²v
2553
+ const u3v = mod(u2v * u, P); // u³v
2554
+ const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
2602
2555
  const root = ed448_pow_Pminus3div4(u5v3);
2603
- const x = mod(u3v.mul(root), P);
2556
+ const x = mod(u3v * root, P);
2604
2557
  // Verify that root is exists
2605
- const x2 = mod(x.mul(x), P); // x²
2558
+ const x2 = mod(x * x, P); // x²
2606
2559
  // If vx² = u, the recovered x-coordinate is x. Otherwise, no
2607
2560
  // square root exists, and the decoding fails.
2608
- return { isValid: mod(x2.mul(v), P).equal(u), value: x };
2561
+ return { isValid: mod(x2 * v, P) === u, value: x };
2609
2562
  }
2610
- const Fp$1 = Field(ed448P, 456, true);
2563
+ const Fp$4 = Field(ed448P, 456, true);
2611
2564
  const ED448_DEF = {
2612
2565
  // Param: a
2613
- a: BigInteger.new(1),
2566
+ a: BigInt(1),
2614
2567
  // -39081. Negative number is P - number
2615
- d: BigInteger.new('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
2568
+ d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
2616
2569
  // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
2617
- Fp: Fp$1,
2570
+ Fp: Fp$4,
2618
2571
  // Subgroup order: how many points curve has;
2619
2572
  // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
2620
- n: BigInteger.new('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
2573
+ n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
2621
2574
  // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
2622
2575
  nBitLength: 456,
2623
2576
  // Cofactor
2624
- h: BigInteger.new(4),
2577
+ h: BigInt(4),
2625
2578
  // Base point (x, y) aka generator point
2626
- Gx: BigInteger.new('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
2627
- Gy: BigInteger.new('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
2579
+ Gx: BigInt('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
2580
+ Gy: BigInt('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
2628
2581
  // SHAKE256(dom4(phflag,context)||x, 114)
2629
2582
  hash: shake256_114,
2630
2583
  randomBytes,
@@ -2641,42 +2594,41 @@ const ed448 = /* @__PURE__ */ twistedEdwards(ED448_DEF);
2641
2594
  // NOTE: there is no ed448ctx, since ed448 supports ctx by default
2642
2595
  /* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
2643
2596
  const x448 = /* @__PURE__ */ (() => montgomery({
2644
- a: BigInteger.new(156326),
2597
+ a: BigInt(156326),
2598
+ // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
2645
2599
  montgomeryBits: 448,
2646
2600
  nByteLength: 56,
2647
2601
  P: ed448P,
2648
- Gu: BigInteger.new(5),
2602
+ Gu: BigInt(5),
2649
2603
  powPminus2: (x) => {
2650
2604
  const P = ed448P;
2651
2605
  const Pminus3div4 = ed448_pow_Pminus3div4(x);
2652
- const Pminus3 = pow2(Pminus3div4, BigInteger.new(2), P);
2653
- return mod(Pminus3.mul(x), P); // Pminus3 * x = Pminus2
2606
+ const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
2607
+ return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
2654
2608
  },
2655
2609
  adjustScalarBytes,
2656
2610
  randomBytes,
2657
2611
  }))();
2658
2612
  // TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
2659
- Object.freeze(BigInteger.new(4));
2660
2613
  // Hash To Curve Elligator2 Map
2661
- Fp$1.ORDER.sub(_3n).irightShift(_2n$1); // 1. c1 = (q - 3) / 4 # Integer arithmetic
2662
- BigInteger.new(156326);
2614
+ (Fp$4.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4 # Integer arithmetic
2615
+ BigInt(156326);
2663
2616
  // 1-d
2664
- BigInteger.new('39082');
2617
+ BigInt('39082');
2665
2618
  // 1-2d
2666
- BigInteger.new('78163');
2619
+ BigInt('78163');
2667
2620
  // √(-d)
2668
- BigInteger.new('98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214');
2621
+ BigInt('98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214');
2669
2622
  // 1 / √(-d)
2670
- BigInteger.new('315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716');
2671
- BigInteger.new('0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
2623
+ BigInt('315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716');
2624
+ BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
2672
2625
 
2673
2626
  /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
2674
- const secp256k1P = Object.freeze(BigInteger.new('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'));
2675
- const secp256k1N = Object.freeze(BigInteger.new('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'));
2676
- Object.freeze(BigInteger.new(0));
2677
- const _1n = Object.freeze(BigInteger.new(1));
2678
- const _2n = Object.freeze(BigInteger.new(2));
2679
- const divNearest = (a, b) => a.add(b.rightShift(_1n)).idiv(b);
2627
+ const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
2628
+ const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
2629
+ const _1n = BigInt(1);
2630
+ const _2n = BigInt(2);
2631
+ const divNearest = (a, b) => (a + b / _2n) / b;
2680
2632
  /**
2681
2633
  * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
2682
2634
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
@@ -2684,37 +2636,37 @@ const divNearest = (a, b) => a.add(b.rightShift(_1n)).idiv(b);
2684
2636
  function sqrtMod(y) {
2685
2637
  const P = secp256k1P;
2686
2638
  // prettier-ignore
2687
- const _3n = BigInteger.new(3), _6n = BigInteger.new(6), _11n = BigInteger.new(11), _22n = BigInteger.new(22);
2639
+ const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
2688
2640
  // prettier-ignore
2689
- const _23n = BigInteger.new(23), _44n = BigInteger.new(44), _88n = BigInteger.new(88);
2690
- const b2 = y.mul(y).imul(y).imod(P); // x^3, 11
2691
- const b3 = b2.mul(b2).imul(y).imod(P); // x^7
2692
- const b6 = pow2(b3, _3n, P).imul(b3).imod(P);
2693
- const b9 = pow2(b6, _3n, P).imul(b3).imod(P);
2694
- const b11 = pow2(b9, _2n, P).imul(b2).imod(P);
2695
- const b22 = pow2(b11, _11n, P).imul(b11).imod(P);
2696
- const b44 = pow2(b22, _22n, P).imul(b22).imod(P);
2697
- const b88 = pow2(b44, _44n, P).imul(b44).imod(P);
2698
- const b176 = pow2(b88, _88n, P).imul(b88).imod(P);
2699
- const b220 = pow2(b176, _44n, P).imul(b44).imod(P);
2700
- const b223 = pow2(b220, _3n, P).imul(b3).imod(P);
2701
- const t1 = pow2(b223, _23n, P).imul(b22).imod(P);
2702
- const t2 = pow2(t1, _6n, P).imul(b2).imod(P);
2641
+ const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
2642
+ const b2 = (y * y * y) % P; // x^3, 11
2643
+ const b3 = (b2 * b2 * y) % P; // x^7
2644
+ const b6 = (pow2(b3, _3n, P) * b3) % P;
2645
+ const b9 = (pow2(b6, _3n, P) * b3) % P;
2646
+ const b11 = (pow2(b9, _2n, P) * b2) % P;
2647
+ const b22 = (pow2(b11, _11n, P) * b11) % P;
2648
+ const b44 = (pow2(b22, _22n, P) * b22) % P;
2649
+ const b88 = (pow2(b44, _44n, P) * b44) % P;
2650
+ const b176 = (pow2(b88, _88n, P) * b88) % P;
2651
+ const b220 = (pow2(b176, _44n, P) * b44) % P;
2652
+ const b223 = (pow2(b220, _3n, P) * b3) % P;
2653
+ const t1 = (pow2(b223, _23n, P) * b22) % P;
2654
+ const t2 = (pow2(t1, _6n, P) * b2) % P;
2703
2655
  const root = pow2(t2, _2n, P);
2704
- if (!Fp.eql(Fp.sqr(root), y))
2656
+ if (!Fp$3.eql(Fp$3.sqr(root), y))
2705
2657
  throw new Error('Cannot find square root');
2706
2658
  return root;
2707
2659
  }
2708
- const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
2660
+ const Fp$3 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
2709
2661
  const secp256k1 = createCurve({
2710
- a: BigInteger.new(0), // equation params: a, b
2711
- b: BigInteger.new(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
2712
- Fp, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
2662
+ a: BigInt(0), // equation params: a, b
2663
+ b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
2664
+ Fp: Fp$3, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
2713
2665
  n: secp256k1N, // Curve order, total count of valid points in the field
2714
2666
  // Base point (x, y) aka generator point
2715
- Gx: BigInteger.new('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
2716
- Gy: BigInteger.new('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
2717
- h: BigInteger.new(1), // Cofactor
2667
+ Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
2668
+ Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
2669
+ h: BigInt(1), // Cofactor
2718
2670
  lowS: true, // Allow only low-S signatures by default in sign() and verify()
2719
2671
  /**
2720
2672
  * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
@@ -2723,33 +2675,93 @@ const secp256k1 = createCurve({
2723
2675
  * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
2724
2676
  */
2725
2677
  endo: {
2726
- beta: BigInteger.new('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
2678
+ beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
2727
2679
  splitScalar: (k) => {
2728
2680
  const n = secp256k1N;
2729
- const a1 = BigInteger.new('0x3086d221a7d46bcde86c90e49284eb15');
2730
- const b1 = _1n.negate().imul(BigInteger.new('0xe4437ed6010e88286f547fa90abfe4c3'));
2731
- const a2 = BigInteger.new('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
2681
+ const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
2682
+ const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
2683
+ const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
2732
2684
  const b2 = a1;
2733
- const POW_2_128 = BigInteger.new('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
2734
- const c1 = divNearest(b2.mul(k), n);
2735
- const c2 = divNearest(b1.negate().imul(k), n);
2736
- let k1 = mod(k.sub(c1.mul(a1)).sub(c2.mul(a2)), n);
2737
- let k2 = mod(c1.negate().mul(b1).isub(c2.mul(b2)), n);
2738
- const k1neg = k1.gt(POW_2_128);
2739
- const k2neg = k2.gt(POW_2_128);
2685
+ const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
2686
+ const c1 = divNearest(b2 * k, n);
2687
+ const c2 = divNearest(-b1 * k, n);
2688
+ let k1 = mod(k - c1 * a1 - c2 * a2, n);
2689
+ let k2 = mod(-c1 * b1 - c2 * b2, n);
2690
+ const k1neg = k1 > POW_2_128;
2691
+ const k2neg = k2 > POW_2_128;
2740
2692
  if (k1neg)
2741
- k1 = n.sub(k1);
2693
+ k1 = n - k1;
2742
2694
  if (k2neg)
2743
- k2 = n.sub(k2);
2744
- if (k1.gt(POW_2_128) || k2.gt(POW_2_128)) {
2695
+ k2 = n - k2;
2696
+ if (k1 > POW_2_128 || k2 > POW_2_128) {
2745
2697
  throw new Error('splitScalar: Endomorphism failed, k=' + k);
2746
2698
  }
2747
2699
  return { k1neg, k1, k2neg, k2 };
2748
2700
  },
2749
2701
  },
2750
2702
  }, sha256);
2703
+ // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
2704
+ // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
2705
+ BigInt(0);
2751
2706
  secp256k1.ProjectivePoint;
2752
2707
 
2708
+ // brainpoolP256r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.4
2709
+ // eslint-disable-next-line new-cap
2710
+ const Fp$2 = Field(BigInt('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'));
2711
+ const CURVE_A$2 = Fp$2.create(BigInt('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'));
2712
+ const CURVE_B$2 = BigInt('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6');
2713
+ // prettier-ignore
2714
+ const brainpoolP256r1 = createCurve({
2715
+ a: CURVE_A$2, // Equation params: a, b
2716
+ b: CURVE_B$2,
2717
+ Fp: Fp$2,
2718
+ // Curve order (q), total count of valid points in the field
2719
+ n: BigInt('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
2720
+ // Base (generator) point (x, y)
2721
+ Gx: BigInt('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
2722
+ Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
2723
+ h: BigInt(1),
2724
+ lowS: false
2725
+ }, sha256);
2726
+
2727
+ // brainpoolP384 r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.6
2728
+ // eslint-disable-next-line new-cap
2729
+ const Fp$1 = Field(BigInt('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'));
2730
+ const CURVE_A$1 = Fp$1.create(BigInt('0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'));
2731
+ const CURVE_B$1 = BigInt('0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11');
2732
+ // prettier-ignore
2733
+ const brainpoolP384r1 = createCurve({
2734
+ a: CURVE_A$1, // Equation params: a, b
2735
+ b: CURVE_B$1,
2736
+ Fp: Fp$1,
2737
+ // Curve order (q), total count of valid points in the field
2738
+ n: BigInt('0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'),
2739
+ // Base (generator) point (x, y)
2740
+ Gx: BigInt('0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'),
2741
+ Gy: BigInt('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'),
2742
+ h: BigInt(1),
2743
+ lowS: false
2744
+ }, sha384);
2745
+
2746
+ // brainpoolP512r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.7
2747
+ // eslint-disable-next-line new-cap
2748
+ const Fp = Field(BigInt('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'));
2749
+ const CURVE_A = Fp.create(BigInt('0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'));
2750
+ const CURVE_B = BigInt('0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723');
2751
+ // prettier-ignore
2752
+ const brainpoolP512r1 = createCurve({
2753
+ a: CURVE_A, // Equation params: a, b
2754
+ b: CURVE_B,
2755
+ Fp,
2756
+ // Curve order (q), total count of valid points in the field
2757
+ n: BigInt('0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'),
2758
+ // Base (generator) point (x, y)
2759
+ Gx: BigInt('0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'),
2760
+ Gy: BigInt('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'),
2761
+ h: BigInt(1),
2762
+ lowS: false
2763
+ }, sha512);
2764
+
2753
2765
  /**
2754
2766
  * This file is needed to dynamic import the noble-curves.
2755
2767
  * Separate dynamic imports are not convenient as they result in too many chunks,