@session.js/blinded-session-id 1.0.3 → 1.0.5

package/README.md

@@ -1,39 +1,179 @@
 # @session.js/blinded-session-id
 
-Utility JavaScript library with methods to work with Session's blinded Session ID.
+Utility JavaScript library with methods to work with Session's blinded Session ID. Uses [noble v2](https://www.npmjs.com/package/@noble/ciphers) under the hood.
 
-Example of normal Session ID:
+Example of unblinded Session ID (05-prefixed):
 `057aeb66e45660c3bdfb7c62706f6440226af43ec13f3b6f899c1dd4db1b8fce5b`
 
-Example of blinded Session ID:
+Example of blinded Session ID (15-prefixed):
 `15d9fd3a6c3c5ddf7500b862174f205ab27164232d9b10fe31f145e61629b676e3`
 
+Example of blinded Session ID (25-prefixed):
+`253b991dcbba44cfdb45d5b38880d95cff723309e3ece6fd01415ad5fa1dccc7ac`
+
 Blinded IDs are used on Session SOGS to conceal identity of room's users.
 
+- [@session.js/blinded-session-id](#sessionjsblinded-session-id)
+	- [Usage](#usage)
+		- [Blinding](#blinding)
+			- [Blinding with Session ID or x25519 public key](#blinding-with-session-id-or-x25519-public-key)
+			- [Blinding with ed25519 public key](#blinding-with-ed25519-public-key)
+		- [Unblinding](#unblinding)
+			- [Unblinding 15-prefixed Session IDs](#unblinding-15-prefixed-session-ids)
+			- [Unblinding 25-prefixed Session IDs](#unblinding-25-prefixed-session-ids)
+		- [Advanced usage](#advanced-usage)
+			- [getBlindingK](#getblindingk)
+	- [Acknowledgements](#acknowledgements)
+	- [Made for Session.js](#made-for-sessionjs)
+	- [Donate](#donate)
+	- [License](#license)
+
 ## Usage
 
+### Blinding
+
+#### Blinding with Session ID or x25519 public key
+
+To "blind" Session ID, we need the Sesion ID itself and the SOGS's public key (the part after `?public_key=` in the SOGS url).
+
+You have multiple choices on input format. All blindSessionId signatures require `type` property defining type of the output Session ID (15- or 25-prefixed). The simpliest format is passing both sessionId and sogsPublicKey as hex-encoded strings.
+
+You'll get two variants of the blinded Session ID. **Both outputs are valid and possible and there is absolutely no way to determine which one is correct** (unless you have user's ed25519 key, more on that below).
+
+```ts
+import { blindSessionId } from "@session.js/blinded-session-id";
+
+blindSessionId({
+	type: "15",
+	sessionId: "057aeb66e45660c3bdfb7c62706f6440226af43ec13f3b6f899c1dd4db1b8fce5b",
+	sogsPublicKey: "cb4fd6199b84dc3664f0373354341a01007ecaa99a388496fe8775b9b76a253b",
+});
+// Either of those will be the blinded ID
+// => [
+//      "15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a5663",
+//      "15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a56e3"
+//    ]
+```
+
+You can also pass sogsPublicKey as Uint8Array, in case you already have it decoded in your app. You can also pass Session ID as x25519 public key as Uint8Array in case you already have it decoded in your app, but keep in mind that Session ID is 33 bytes long and x25519 public key is 32 bytes long, because Session ID has a prefix byte (0x05, 0x15 or 0x25).
+
+```ts
+import { blindSessionId } from "@session.js/blinded-session-id";
+
+blindSessionId({
+	type: "15",
+	x25519PublicKey: new Uint8Array([
+		122, 235, 102, 228, 86, 96, 195, 189, 251, 124, 98, 112, 111, 100, 64, 34, 106, 244, 62, 193,
+		63, 59, 111, 137, 156, 29, 212, 219, 27, 143, 206, 91,
+	]),
+	sogsPublicKey: new Uint8Array([
+		203, 79, 214, 25, 155, 132, 220, 54, 100, 240, 55, 51, 84, 52, 26, 1, 0, 126, 202, 169, 154, 56,
+		132, 150, 254, 135, 117, 185, 183, 106, 37, 59,
+	]),
+});
+// Either of those will be the blinded ID
+// => [
+//      "15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a5663",
+//      "15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a56e3"
+//    ]
+```
+
+When converting Session's x25519 (Session ID) to the ed25519 key (needed for blinding), the sign (+/-) information is lost, producing two equally valid possibilities. So unless you have user's ed25519 public key, you cannot have a guaranteed determenistic correct single output for blinding, you will always have to account for two outputs.
+
+<details>
+<summary>But why two blinded IDs?</summary>
+
+Hang on tight, we're diving into some real nerdy cryptography here!
+
+You know how Session actually has two keypairs — x25519 (public, secret) and ed25519 (public, secret), all of which are derived from the main secret seed (which can be encoded into words with mnemonic/secret phrase) and Session ID is the public x25519 key?
+
+In order to "blind" Session ID we first calculate a "blinding factor" `k` using modulo of SOGS public key and ed25519's ORDER constant. Then we calculate `kA` by multiplying user's ed25519 public key and `k`. Finally, we convert `kA` to hex and prepend it with `15` to mark it as a "blinded" Session ID.
+
+But wait a second, where did "user's ed25519 public key" come from? Remember, Session ID is a x25519 public key, not ed25519 public key. These are two different keypairs, two different elliptic curves and they behave in very different ways!
+
+That's where the major flaw of Session comes in. Technically, we could just settle on some way of converting value from one curve to another and vice verse. In fact, that's precisely what libsodium (and official Session clients) do using crypto_sign_curve25519_pk_to_ed25519. In the end, both curves are just mathematical curves and translating one to another should be determenistic.
+
+There is just one problem though: x25519 does not have negative values, while ed25519 does have them. So ed25519's `123` converted to x25519 would be `456` and vice-verse, but what happens when we convert ed25519's `-123` to x25519 curve is... `456` too! See the problem? Two different values producing same output. 
+
+And this wouldn't be bad if we only wanted x25519 for blinding, but as you saw earlier, we need ed25519 keys. Now you want to convert x25519 back to ed25519 and only have this x25519 value: `456`. Was it `123` or `-123` in ed25519 that produced that number?
+
+So what happens when we try to convert x25519 public key (Session ID) -> ed25519 public key (for blinding) is that we end up with two keys since we don't know whether ed25519 should be positive or negative.
+
+If only we had user's secret seed (mnemonic), we could easily calculate ed25519 and avoid x25519 -> ed25519 conversion issue at all... But alas, Session IDs are using x25519 and converting x25519 to ed25519 produces two results because of the lost signing bit.
+
+More on blinding: <a href="https://blog.li0ard.rest/blindedid">“Blinded ID в Session и что с ними не так” by li0ard</a>
+</details>
+
+#### Blinding with ed25519 public key
+
+If you do have user's ed25519 public key (e.g. you control the secret seed, running from the user's client, etc), you can pass it directly instead of Session ID or x25519PublicKey and get a single, correct blinded ID.
+
+```ts
+import { blindSessionId } from "@session.js/blinded-session-id"
+
+blindSessionId({
+	type: "15",
+	ed25519PublicKey: new Uint8Array([
+		240, 55, 163, 9, 91, 114, 247, 212, 93, 217, 12, 245, 213, 114, 251, 182, 195, 95, 46, 4, 211,
+		85, 177, 217, 201, 218, 3, 95, 202, 132, 158, 151,
+	]),
+	sogsPublicKey: "cb4fd6199b84dc3664f0373354341a01007ecaa99a388496fe8775b9b76a253b",
+});
+// => 15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a56e3
+```
+
+There is no way to convert x25519 public key to ed25519 public key without losing the sign bit and thus getting two possible ed25519 keys and two possible blinded Session IDs.
+
+### Unblinding
+
+Unblinding is a security vulnerability [discovered by li0ard](https://blog.li0ard.rest/blindedid) possible because 15-prefixed IDs use SOGS's public key as blake2b hash input, which is publicly known, making it possible to reverse 15-prefixed blinding by using the same sogsPublicKey.
+
+In 25-prefixed IDs this issue was fixed by using both x25519 public key and SOGS's public key as blake2b hash input, so unless you know user's 05-prefixed Session ID it's impossible to unblind 25-prefixed Session ID, and if you do, there is no sense to unblind it anyway.
+
+#### Unblinding 15-prefixed Session IDs
+
+To unblind a Session ID, pass it as `sessionId` and SOGS's public key in either hex-encoded string or as Uint8Array.
+
 ```ts
-import { blindSessionId } from '@session.js/blinded-session-id'
+import { unblindSessionId } from "@session.js/blinded-session-id"
 
-await blindSessionId({
-  sessionId: '057aeb66e45660c3bdfb7c62706f6440226af43ec13f3b6f899c1dd4db1b8fce5b',
-  serverPk: 'cb4fd6199b84dc3664f0373354341a01007ecaa99a388496fe8775b9b76a253b'
-}) // => 15383d0a3ba605abe3b5b7343102be3fc0026056b9812e06f6daee3be62a6a56e3
+unblindSessionId({
+	sessionId: "15264c132e2e72a9c50b7a981eac11a48b3e51ae5a0ea45ea47deb519a3fa76612",
+	sogsPublicKey: "ac9c872e525a58970df6971655abb944a30b38853442a793b29843d20795e840",
+});
+// => 057aeb66e45660c3bdfb7c62706f6440226af43ec13f3b6f899c1dd4db1b8fce5b
 ```
 
-## Advanced use
+#### Unblinding 25-prefixed Session IDs
+
+Unblinding 25-prefixed Session IDs is impossible.
+
+### Advanced usage
+
+#### getBlindingK
+
+generates a hash for blinding/unblinding using blake2b
+
+```ts
+import { getBlindingK } from "@session.js/blinded-session-id/utils.js";
+
+const sogsPublicKey = new Uint8Array([
+	203, 79, 214, 25, 155, 132, 220, 54, 100, 240, 55, 51, 84, 52, 26, 1, 0, 126, 202, 169, 154, 56,
+	132, 150, 254, 135, 117, 185, 183, 106, 37, 59,
+]);
+getBlindingK(sogsPublicKey);
+// => Uint8Array(32) [ 27, 203, 111, 10, 221, 88, 187, 146, 221, 11, 206, 55, 7, 86, 218, 223, 21, 123, 29, 214, 198, 182, 3, 40, 188, 123, 190, 73, 35, 122, 140, 13 ]
+```
 
-- generateBlindedIds — returns legacy and modern blinded id
-- generateKAs — returns legacy and modern KAs as Uint8Array
-- convertToX25519Key, convertToEd25519Key — self explanatory
+## Acknowledgements
 
-## Credit
+Credit to li0ard for [https://github.com/theinfinityway/session_id/](https://github.com/theinfinityway/session_id/) (MIT license)
 
-Credit to li0ard, this code was mostly taken from [https://github.com/theinfinityway/session_id/](https://github.com/theinfinityway/session_id/)
+Credit to [xHD-Wallet-API-ts](https://github.com/algorandfoundation/xHD-Wallet-API-ts) for scalar multiplication functions implementations (Apache-2.0 license)
 
-## Made for session.js
+## Made for Session.js
 
-Use Session messenger programmatically with [Session.js](https://github.com/sessionjs/client): Session bots, custom Session clients, and more.
+Use Session messenger programmatically with [Session.js](https://git.hloth.dev/session.js/client): Session bots, custom Session clients, and more.
 
 ## Donate
 

package/dist/blinding.d.ts

@@ -0,0 +1,23 @@
+export declare function blindKey15({ ed25519PublicKey, serverPublicKey, }: {
+    ed25519PublicKey: Uint8Array;
+    serverPublicKey: Uint8Array;
+}): Uint8Array;
+export declare function blindKey25({ x25519PublicKey, ed25519PublicKey, serverPublicKey, }: {
+    x25519PublicKey: Uint8Array;
+    ed25519PublicKey: Uint8Array;
+    serverPublicKey: Uint8Array;
+}): Uint8Array;
+export declare function blindSessionId(options: {
+    ed25519PublicKey: Uint8Array;
+} & {
+    sogsPublicKey: string | Uint8Array;
+    type: "15" | "25";
+}): string;
+export declare function blindSessionId(options: ({
+    sessionId: string;
+} | {
+    x25519PublicKey: Uint8Array;
+}) & {
+    sogsPublicKey: string | Uint8Array;
+    type: "15" | "25";
+}): [string, string];

package/dist/blinding.js

@@ -0,0 +1,107 @@
+import { hexToBytes } from "@noble/curves/utils.js";
+import { SessionValidationError, SessionValidationErrorCode } from "@session.js/errors";
+import { crypto_scalarmult_ed25519_noclamp, crypto_sign_curve25519_pk_to_ed25519, } from "./scalar-math";
+import { getBlindingK, hexRegex, keyToSessionId } from "./utils";
+export function blindKey15({ ed25519PublicKey, serverPublicKey, }) {
+    const blindingKInput = serverPublicKey;
+    const k = getBlindingK(blindingKInput);
+    const kA = crypto_scalarmult_ed25519_noclamp(k, ed25519PublicKey);
+    return kA;
+}
+export function blindKey25({ x25519PublicKey, ed25519PublicKey, serverPublicKey, }) {
+    const blindingKInput = new Uint8Array([0x05, ...x25519PublicKey, ...serverPublicKey]);
+    const k = getBlindingK(blindingKInput);
+    const kA = crypto_scalarmult_ed25519_noclamp(k, ed25519PublicKey);
+    return kA;
+}
+export function blindSessionId(options) {
+    let x25519PublicKey;
+    let serverPublicKey;
+    let ed25519PublicKey;
+    if ("ed25519PublicKey" in options) {
+        if (options.ed25519PublicKey.length !== 32) {
+            throw new SessionValidationError({
+                code: SessionValidationErrorCode.InvalidOptions,
+                message: "ed25519PublicKey must be 32 bytes long",
+            });
+        }
+        ed25519PublicKey = options.ed25519PublicKey;
+        x25519PublicKey = crypto_sign_curve25519_pk_to_ed25519(ed25519PublicKey);
+    }
+    else {
+        if ("sessionId" in options) {
+            if (!hexRegex.test(options.sessionId) || options.sessionId.length % 2 !== 0) {
+                throw new SessionValidationError({
+                    code: SessionValidationErrorCode.InvalidSessionID,
+                    message: "Session ID must be a hex string",
+                });
+            }
+            const sessionIdBytes = hexToBytes(options.sessionId);
+            if (sessionIdBytes.length !== 33) {
+                throw new SessionValidationError({
+                    code: SessionValidationErrorCode.InvalidSessionID,
+                    message: "Session ID must be 33 bytes long",
+                });
+            }
+            if (sessionIdBytes[0] !== 0x05) {
+                throw new SessionValidationError({
+                    code: SessionValidationErrorCode.InvalidSessionID,
+                    message: "Session ID must start with 05 to blind it",
+                });
+            }
+            x25519PublicKey = sessionIdBytes.subarray(1);
+        }
+        else {
+            if (options.x25519PublicKey.length !== 32) {
+                throw new SessionValidationError({
+                    code: SessionValidationErrorCode.InvalidOptions,
+                    message: "x25519PublicKey must be 32 bytes long",
+                });
+            }
+            x25519PublicKey = options.x25519PublicKey;
+        }
+        ed25519PublicKey = crypto_sign_curve25519_pk_to_ed25519(x25519PublicKey);
+    }
+    if (typeof options.sogsPublicKey === "string") {
+        if (!hexRegex.test(options.sogsPublicKey) || options.sogsPublicKey.length % 2 !== 0) {
+            throw new SessionValidationError({
+                code: SessionValidationErrorCode.InvalidOptions,
+                message: "sogsPublicKey must be a 64-character hex string",
+            });
+        }
+        serverPublicKey = hexToBytes(options.sogsPublicKey);
+    }
+    else {
+        serverPublicKey = options.sogsPublicKey;
+    }
+    if (serverPublicKey.length !== 32) {
+        throw new SessionValidationError({
+            code: SessionValidationErrorCode.InvalidOptions,
+            message: "sogsPublicKey must be 32 bytes long",
+        });
+    }
+    let kA;
+    if (options.type === "15") {
+        kA = blindKey15({ ed25519PublicKey, serverPublicKey });
+    }
+    else if (options.type === "25") {
+        kA = blindKey25({ x25519PublicKey, ed25519PublicKey, serverPublicKey });
+    }
+    else {
+        throw new SessionValidationError({
+            code: SessionValidationErrorCode.InvalidOptions,
+            message: "type must be either '15' or '25' for blindSessionId",
+        });
+    }
+    const prefix = options.type === "15" ? 0x15 : 0x25;
+    const ftSessionId = (kA) => keyToSessionId(prefix, kA);
+    if ("ed25519PublicKey" in options) {
+        return ftSessionId(kA);
+    }
+    else {
+        const kA2 = new Uint8Array(32);
+        kA2.set(kA);
+        kA2[31] = kA[31] ^ 0b1000_0000;
+        return [ftSessionId(kA), ftSessionId(kA2)];
+    }
+}

package/dist/index.d.ts

@@ -1,10 +1,2 @@
-export declare function crypto_sign_curve25519_pk_to_ed25519(pk: Uint8Array): Uint8Array;
-export declare const convertToEd25519Key: (key: string) => string;
-export declare const convertToX25519Key: (key: string) => string;
-export declare function crypto_core_ed25519_scalar_reduce(scalar: Uint8Array): Uint8Array;
-export declare const generateKA: (sessionId: string, serverPk: string) => Uint8Array;
-export declare const generateBlindedKeys: (sessionId: string, serverPk: string) => Uint8Array[];
-export declare const blindSessionId: ({ sessionId, serverPk }: {
-    sessionId: string;
-    serverPk: string;
-}) => string;
+export { blindSessionId } from "./blinding";
+export { unblindSessionId } from "./unblinding";

package/dist/index.js

@@ -1,589 +1,2 @@
-// Huge thanks to li0ard for this code
-// CREDIT: https://github.com/theinfinityway/session_id/
-/* eslint-disable prefer-const */
-import { ed25519 } from "@noble/curves/ed25519.js";
-import { bytesToHex, hexToBytes } from "@noble/curves/utils.js";
-import { blake2b } from "@noble/hashes/blake2.js";
-import { mod } from "@noble/curves/abstract/modular.js";
-function bytesToNumberLE(bytes) {
-    let value = 0n;
-    for (let i = bytes.length - 1; i >= 0; i--) {
-        value = (value << 8n) + BigInt(bytes[i]);
-    }
-    return value;
-}
-function numberToBytesLE(num, length) {
-    const out = new Uint8Array(length);
-    let n = num;
-    for (let i = 0; i < length; i++) {
-        out[i] = Number(n & 0xffn);
-        n >>= 8n;
-    }
-    return out;
-}
-function ed25519ScalarmultNoClamp(scalar32, point32) {
-    if (scalar32.length !== 32) {
-        throw new Error(`ed25519ScalarmultNoClamp: expected 32-byte scalar, got ${scalar32.length}`);
-    }
-    if (point32.length !== 32) {
-        throw new Error(`ed25519ScalarmultNoClamp: expected 32-byte point, got ${point32.length}`);
-    }
-    const L = ed25519.Point.Fn.ORDER;
-    const s = bytesToNumberLE(scalar32) % L;
-    const P = ed25519.Point.fromBytes(point32);
-    if (P.isSmallOrder()) {
-        throw new Error("ed25519ScalarmultNoClamp: invalid point (small order)");
-    }
-    return P.multiply(s).toBytes();
-}
-function gf(init) {
-    let i, r = new Float64Array(16);
-    if (init)
-        for (i = 0; i < init.length; i++)
-            r[i] = init[i];
-    return r;
-}
-function unpack25519(o, n) {
-    let i;
-    for (i = 0; i < 16; i++)
-        o[i] = n[2 * i] + (n[2 * i + 1] << 8);
-    o[15] &= 0x7fff;
-}
-function A(o, a, b) {
-    for (let i = 0; i < 16; i++)
-        o[i] = a[i] + b[i];
-}
-function Z(o, a, b) {
-    for (let i = 0; i < 16; i++)
-        o[i] = a[i] - b[i];
-}
-function S(o, a) {
-    M(o, a, a);
-}
-function inv25519(o, i) {
-    const c = gf();
-    let a;
-    for (a = 0; a < 16; a++)
-        c[a] = i[a];
-    for (a = 253; a >= 0; a--) {
-        S(c, c);
-        if (a !== 2 && a !== 4)
-            M(c, c, i);
-    }
-    for (a = 0; a < 16; a++)
-        o[a] = c[a];
-}
-function M(o, a, b) {
-    let v, c, t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0, t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0, t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0, t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0, b0 = b[0], b1 = b[1], b2 = b[2], b3 = b[3], b4 = b[4], b5 = b[5], b6 = b[6], b7 = b[7], b8 = b[8], b9 = b[9], b10 = b[10], b11 = b[11], b12 = b[12], b13 = b[13], b14 = b[14], b15 = b[15];
-    v = a[0];
-    t0 += v * b0;
-    t1 += v * b1;
-    t2 += v * b2;
-    t3 += v * b3;
-    t4 += v * b4;
-    t5 += v * b5;
-    t6 += v * b6;
-    t7 += v * b7;
-    t8 += v * b8;
-    t9 += v * b9;
-    t10 += v * b10;
-    t11 += v * b11;
-    t12 += v * b12;
-    t13 += v * b13;
-    t14 += v * b14;
-    t15 += v * b15;
-    v = a[1];
-    t1 += v * b0;
-    t2 += v * b1;
-    t3 += v * b2;
-    t4 += v * b3;
-    t5 += v * b4;
-    t6 += v * b5;
-    t7 += v * b6;
-    t8 += v * b7;
-    t9 += v * b8;
-    t10 += v * b9;
-    t11 += v * b10;
-    t12 += v * b11;
-    t13 += v * b12;
-    t14 += v * b13;
-    t15 += v * b14;
-    t16 += v * b15;
-    v = a[2];
-    t2 += v * b0;
-    t3 += v * b1;
-    t4 += v * b2;
-    t5 += v * b3;
-    t6 += v * b4;
-    t7 += v * b5;
-    t8 += v * b6;
-    t9 += v * b7;
-    t10 += v * b8;
-    t11 += v * b9;
-    t12 += v * b10;
-    t13 += v * b11;
-    t14 += v * b12;
-    t15 += v * b13;
-    t16 += v * b14;
-    t17 += v * b15;
-    v = a[3];
-    t3 += v * b0;
-    t4 += v * b1;
-    t5 += v * b2;
-    t6 += v * b3;
-    t7 += v * b4;
-    t8 += v * b5;
-    t9 += v * b6;
-    t10 += v * b7;
-    t11 += v * b8;
-    t12 += v * b9;
-    t13 += v * b10;
-    t14 += v * b11;
-    t15 += v * b12;
-    t16 += v * b13;
-    t17 += v * b14;
-    t18 += v * b15;
-    v = a[4];
-    t4 += v * b0;
-    t5 += v * b1;
-    t6 += v * b2;
-    t7 += v * b3;
-    t8 += v * b4;
-    t9 += v * b5;
-    t10 += v * b6;
-    t11 += v * b7;
-    t12 += v * b8;
-    t13 += v * b9;
-    t14 += v * b10;
-    t15 += v * b11;
-    t16 += v * b12;
-    t17 += v * b13;
-    t18 += v * b14;
-    t19 += v * b15;
-    v = a[5];
-    t5 += v * b0;
-    t6 += v * b1;
-    t7 += v * b2;
-    t8 += v * b3;
-    t9 += v * b4;
-    t10 += v * b5;
-    t11 += v * b6;
-    t12 += v * b7;
-    t13 += v * b8;
-    t14 += v * b9;
-    t15 += v * b10;
-    t16 += v * b11;
-    t17 += v * b12;
-    t18 += v * b13;
-    t19 += v * b14;
-    t20 += v * b15;
-    v = a[6];
-    t6 += v * b0;
-    t7 += v * b1;
-    t8 += v * b2;
-    t9 += v * b3;
-    t10 += v * b4;
-    t11 += v * b5;
-    t12 += v * b6;
-    t13 += v * b7;
-    t14 += v * b8;
-    t15 += v * b9;
-    t16 += v * b10;
-    t17 += v * b11;
-    t18 += v * b12;
-    t19 += v * b13;
-    t20 += v * b14;
-    t21 += v * b15;
-    v = a[7];
-    t7 += v * b0;
-    t8 += v * b1;
-    t9 += v * b2;
-    t10 += v * b3;
-    t11 += v * b4;
-    t12 += v * b5;
-    t13 += v * b6;
-    t14 += v * b7;
-    t15 += v * b8;
-    t16 += v * b9;
-    t17 += v * b10;
-    t18 += v * b11;
-    t19 += v * b12;
-    t20 += v * b13;
-    t21 += v * b14;
-    t22 += v * b15;
-    v = a[8];
-    t8 += v * b0;
-    t9 += v * b1;
-    t10 += v * b2;
-    t11 += v * b3;
-    t12 += v * b4;
-    t13 += v * b5;
-    t14 += v * b6;
-    t15 += v * b7;
-    t16 += v * b8;
-    t17 += v * b9;
-    t18 += v * b10;
-    t19 += v * b11;
-    t20 += v * b12;
-    t21 += v * b13;
-    t22 += v * b14;
-    t23 += v * b15;
-    v = a[9];
-    t9 += v * b0;
-    t10 += v * b1;
-    t11 += v * b2;
-    t12 += v * b3;
-    t13 += v * b4;
-    t14 += v * b5;
-    t15 += v * b6;
-    t16 += v * b7;
-    t17 += v * b8;
-    t18 += v * b9;
-    t19 += v * b10;
-    t20 += v * b11;
-    t21 += v * b12;
-    t22 += v * b13;
-    t23 += v * b14;
-    t24 += v * b15;
-    v = a[10];
-    t10 += v * b0;
-    t11 += v * b1;
-    t12 += v * b2;
-    t13 += v * b3;
-    t14 += v * b4;
-    t15 += v * b5;
-    t16 += v * b6;
-    t17 += v * b7;
-    t18 += v * b8;
-    t19 += v * b9;
-    t20 += v * b10;
-    t21 += v * b11;
-    t22 += v * b12;
-    t23 += v * b13;
-    t24 += v * b14;
-    t25 += v * b15;
-    v = a[11];
-    t11 += v * b0;
-    t12 += v * b1;
-    t13 += v * b2;
-    t14 += v * b3;
-    t15 += v * b4;
-    t16 += v * b5;
-    t17 += v * b6;
-    t18 += v * b7;
-    t19 += v * b8;
-    t20 += v * b9;
-    t21 += v * b10;
-    t22 += v * b11;
-    t23 += v * b12;
-    t24 += v * b13;
-    t25 += v * b14;
-    t26 += v * b15;
-    v = a[12];
-    t12 += v * b0;
-    t13 += v * b1;
-    t14 += v * b2;
-    t15 += v * b3;
-    t16 += v * b4;
-    t17 += v * b5;
-    t18 += v * b6;
-    t19 += v * b7;
-    t20 += v * b8;
-    t21 += v * b9;
-    t22 += v * b10;
-    t23 += v * b11;
-    t24 += v * b12;
-    t25 += v * b13;
-    t26 += v * b14;
-    t27 += v * b15;
-    v = a[13];
-    t13 += v * b0;
-    t14 += v * b1;
-    t15 += v * b2;
-    t16 += v * b3;
-    t17 += v * b4;
-    t18 += v * b5;
-    t19 += v * b6;
-    t20 += v * b7;
-    t21 += v * b8;
-    t22 += v * b9;
-    t23 += v * b10;
-    t24 += v * b11;
-    t25 += v * b12;
-    t26 += v * b13;
-    t27 += v * b14;
-    t28 += v * b15;
-    v = a[14];
-    t14 += v * b0;
-    t15 += v * b1;
-    t16 += v * b2;
-    t17 += v * b3;
-    t18 += v * b4;
-    t19 += v * b5;
-    t20 += v * b6;
-    t21 += v * b7;
-    t22 += v * b8;
-    t23 += v * b9;
-    t24 += v * b10;
-    t25 += v * b11;
-    t26 += v * b12;
-    t27 += v * b13;
-    t28 += v * b14;
-    t29 += v * b15;
-    v = a[15];
-    t15 += v * b0;
-    t16 += v * b1;
-    t17 += v * b2;
-    t18 += v * b3;
-    t19 += v * b4;
-    t20 += v * b5;
-    t21 += v * b6;
-    t22 += v * b7;
-    t23 += v * b8;
-    t24 += v * b9;
-    t25 += v * b10;
-    t26 += v * b11;
-    t27 += v * b12;
-    t28 += v * b13;
-    t29 += v * b14;
-    t30 += v * b15;
-    t0 += 38 * t16;
-    t1 += 38 * t17;
-    t2 += 38 * t18;
-    t3 += 38 * t19;
-    t4 += 38 * t20;
-    t5 += 38 * t21;
-    t6 += 38 * t22;
-    t7 += 38 * t23;
-    t8 += 38 * t24;
-    t9 += 38 * t25;
-    t10 += 38 * t26;
-    t11 += 38 * t27;
-    t12 += 38 * t28;
-    t13 += 38 * t29;
-    t14 += 38 * t30;
-    // t15 left as is
-    // first car
-    c = 1;
-    v = t0 + c + 65535;
-    c = Math.floor(v / 65536);
-    t0 = v - c * 65536;
-    v = t1 + c + 65535;
-    c = Math.floor(v / 65536);
-    t1 = v - c * 65536;
-    v = t2 + c + 65535;
-    c = Math.floor(v / 65536);
-    t2 = v - c * 65536;
-    v = t3 + c + 65535;
-    c = Math.floor(v / 65536);
-    t3 = v - c * 65536;
-    v = t4 + c + 65535;
-    c = Math.floor(v / 65536);
-    t4 = v - c * 65536;
-    v = t5 + c + 65535;
-    c = Math.floor(v / 65536);
-    t5 = v - c * 65536;
-    v = t6 + c + 65535;
-    c = Math.floor(v / 65536);
-    t6 = v - c * 65536;
-    v = t7 + c + 65535;
-    c = Math.floor(v / 65536);
-    t7 = v - c * 65536;
-    v = t8 + c + 65535;
-    c = Math.floor(v / 65536);
-    t8 = v - c * 65536;
-    v = t9 + c + 65535;
-    c = Math.floor(v / 65536);
-    t9 = v - c * 65536;
-    v = t10 + c + 65535;
-    c = Math.floor(v / 65536);
-    t10 = v - c * 65536;
-    v = t11 + c + 65535;
-    c = Math.floor(v / 65536);
-    t11 = v - c * 65536;
-    v = t12 + c + 65535;
-    c = Math.floor(v / 65536);
-    t12 = v - c * 65536;
-    v = t13 + c + 65535;
-    c = Math.floor(v / 65536);
-    t13 = v - c * 65536;
-    v = t14 + c + 65535;
-    c = Math.floor(v / 65536);
-    t14 = v - c * 65536;
-    v = t15 + c + 65535;
-    c = Math.floor(v / 65536);
-    t15 = v - c * 65536;
-    t0 += c - 1 + 37 * (c - 1);
-    // second car
-    c = 1;
-    v = t0 + c + 65535;
-    c = Math.floor(v / 65536);
-    t0 = v - c * 65536;
-    v = t1 + c + 65535;
-    c = Math.floor(v / 65536);
-    t1 = v - c * 65536;
-    v = t2 + c + 65535;
-    c = Math.floor(v / 65536);
-    t2 = v - c * 65536;
-    v = t3 + c + 65535;
-    c = Math.floor(v / 65536);
-    t3 = v - c * 65536;
-    v = t4 + c + 65535;
-    c = Math.floor(v / 65536);
-    t4 = v - c * 65536;
-    v = t5 + c + 65535;
-    c = Math.floor(v / 65536);
-    t5 = v - c * 65536;
-    v = t6 + c + 65535;
-    c = Math.floor(v / 65536);
-    t6 = v - c * 65536;
-    v = t7 + c + 65535;
-    c = Math.floor(v / 65536);
-    t7 = v - c * 65536;
-    v = t8 + c + 65535;
-    c = Math.floor(v / 65536);
-    t8 = v - c * 65536;
-    v = t9 + c + 65535;
-    c = Math.floor(v / 65536);
-    t9 = v - c * 65536;
-    v = t10 + c + 65535;
-    c = Math.floor(v / 65536);
-    t10 = v - c * 65536;
-    v = t11 + c + 65535;
-    c = Math.floor(v / 65536);
-    t11 = v - c * 65536;
-    v = t12 + c + 65535;
-    c = Math.floor(v / 65536);
-    t12 = v - c * 65536;
-    v = t13 + c + 65535;
-    c = Math.floor(v / 65536);
-    t13 = v - c * 65536;
-    v = t14 + c + 65535;
-    c = Math.floor(v / 65536);
-    t14 = v - c * 65536;
-    v = t15 + c + 65535;
-    c = Math.floor(v / 65536);
-    t15 = v - c * 65536;
-    t0 += c - 1 + 37 * (c - 1);
-    o[0] = t0;
-    o[1] = t1;
-    o[2] = t2;
-    o[3] = t3;
-    o[4] = t4;
-    o[5] = t5;
-    o[6] = t6;
-    o[7] = t7;
-    o[8] = t8;
-    o[9] = t9;
-    o[10] = t10;
-    o[11] = t11;
-    o[12] = t12;
-    o[13] = t13;
-    o[14] = t14;
-    o[15] = t15;
-}
-function car25519(o) {
-    let i, v, c = 1;
-    for (i = 0; i < 16; i++) {
-        v = o[i] + c + 65535;
-        c = Math.floor(v / 65536);
-        o[i] = v - c * 65536;
-    }
-    o[0] += c - 1 + 37 * (c - 1);
-}
-function sel25519(p, q, b) {
-    let t, c = ~(b - 1);
-    for (let i = 0; i < 16; i++) {
-        t = c & (p[i] ^ q[i]);
-        p[i] ^= t;
-        q[i] ^= t;
-    }
-}
-function pack25519(o, n) {
-    let i, j, b;
-    const m = gf(), t = gf();
-    for (i = 0; i < 16; i++)
-        t[i] = n[i];
-    car25519(t);
-    car25519(t);
-    car25519(t);
-    for (j = 0; j < 2; j++) {
-        m[0] = t[0] - 0xffed;
-        for (i = 1; i < 15; i++) {
-            m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
-            m[i - 1] &= 0xffff;
-        }
-        m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
-        b = (m[15] >> 16) & 1;
-        m[14] &= 0xffff;
-        sel25519(t, m, 1 - b);
-    }
-    for (i = 0; i < 16; i++) {
-        o[2 * i] = t[i] & 0xff;
-        o[2 * i + 1] = t[i] >> 8;
-    }
-}
-export function crypto_sign_curve25519_pk_to_ed25519(pk) {
-    return convertPublicKey(pk);
-}
-// Converts Curve25519 public key back to Ed25519 public key.
-// edwardsY = (montgomeryX - 1) / (montgomeryX + 1)
-function convertPublicKey(pk) {
-    const z = new Uint8Array(32), x = gf(), a = gf(), b = gf(), gf1 = gf([1]);
-    unpack25519(x, pk);
-    A(a, x, gf1);
-    Z(b, x, gf1);
-    inv25519(a, a);
-    M(a, a, b);
-    pack25519(z, a);
-    return z;
-}
-export const convertToEd25519Key = (key) => {
-    const inbin = hexToBytes(key);
-    const xEd25519Key = crypto_sign_curve25519_pk_to_ed25519(inbin);
-    return bytesToHex(xEd25519Key);
-};
-export const convertToX25519Key = (key) => {
-    const inbin = hexToBytes(key);
-    const xEd25519Key = ed25519.utils.toMontgomery(inbin);
-    return bytesToHex(xEd25519Key);
-};
-function combineKeys(lhsKeyBytes, rhsKeyBytes) {
-    return ed25519ScalarmultNoClamp(lhsKeyBytes, rhsKeyBytes);
-}
-export function crypto_core_ed25519_scalar_reduce(scalar) {
-    const scalarNum = bytesToNumberLE(scalar);
-    const result = mod(scalarNum, ed25519.Point.Fn.ORDER);
-    return numberToBytesLE(result, 32);
-}
-const generateBlindingFactor = (serverPk) => {
-    const hexServerPk = hexToBytes(serverPk);
-    const serverPkHash = blake2b(hexServerPk, {
-        dkLen: 64,
-    });
-    return crypto_core_ed25519_scalar_reduce(serverPkHash);
-};
-export const generateKA = (sessionId, serverPk) => {
-    const sessionIdNoPrefix = sessionId.substring(2);
-    const kBytes = generateBlindingFactor(serverPk);
-    const xEd25519Key = hexToBytes(convertToEd25519Key(sessionIdNoPrefix));
-    const kA = combineKeys(kBytes, xEd25519Key);
-    return kA;
-};
-export const generateBlindedKeys = (sessionId, serverPk) => {
-    const kA = generateKA(sessionId, serverPk);
-    const key1 = kA;
-    const modifiedByte = kA[31] & 0x7F;
-    const key2 = new Uint8Array(32);
-    key2.set(kA.slice(0, 31), 0);
-    key2[31] = modifiedByte;
-    return [key1, key2];
-};
-export const blindSessionId = ({ sessionId, serverPk }) => {
-    const [key1, key2] = generateBlindedKeys(sessionId, serverPk);
-    const isKey2 = key1[31] & 0x80;
-    if (isKey2) {
-        return '15' + bytesToHex(key2);
-    }
-    return '15' + bytesToHex(key1);
-};
+export { blindSessionId } from "./blinding";
+export { unblindSessionId } from "./unblinding";

package/dist/scalar-math.d.ts

@@ -0,0 +1,7 @@
+export declare function crypto_scalarmult_ed25519_base_noclamp(scalar: Uint8Array): Uint8Array;
+export declare function crypto_core_ed25519_scalar_add(scalarA: Uint8Array, scalarB: Uint8Array): Uint8Array;
+export declare function crypto_core_ed25519_scalar_mul(scalarA: Uint8Array, scalarB: Uint8Array): Uint8Array;
+export declare function crypto_core_ed25519_scalar_reduce(scalar: Uint8Array): Uint8Array;
+export declare function crypto_sign_ed25519_sk_to_curve25519(edPrivKey: Uint8Array): Uint8Array;
+export declare function crypto_sign_curve25519_pk_to_ed25519(x25519Pk: Uint8Array): Uint8Array;
+export declare function crypto_scalarmult_ed25519_noclamp(scalar32: Uint8Array, point32: Uint8Array): Uint8Array;

package/dist/scalar-math.js

@@ -0,0 +1,95 @@
+// Credit: https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/2c5afbf6a1bed04ed952b65b754a36ed31669872/src/sumo.facade.ts
+// License: Apache 2.0: https://github.com/algorandfoundation/xHD-Wallet-API-ts/blob/main/LICENSE
+import { ed25519 } from "@noble/curves/ed25519.js";
+import { mod } from "@noble/curves/abstract/modular.js";
+import { bytesToNumberLE, numberToBytesLE } from "@noble/curves/utils.js";
+const crypto_scalarmult_ed25519_SCALARBYTES = 32;
+export function crypto_scalarmult_ed25519_base_noclamp(scalar) {
+    if (scalar.length !== crypto_scalarmult_ed25519_SCALARBYTES) {
+        throw new Error(`scalar must be ${crypto_scalarmult_ed25519_SCALARBYTES} bytes`);
+    }
+    const scalarBigint = bytesToNumberLE(scalar);
+    try {
+        const point = ed25519.Point.BASE.multiply(scalarBigint);
+        return point.toBytes();
+    }
+    catch {
+        if (scalarBigint === 0n) {
+            const identity = new Uint8Array(32);
+            identity[0] = 1;
+            return identity;
+        }
+        const reducedScalar = mod(scalarBigint, ed25519.Point.Fn.ORDER);
+        if (reducedScalar === 0n) {
+            const identity = new Uint8Array(32);
+            identity[0] = 1;
+            return identity;
+        }
+        const point = ed25519.Point.BASE.multiply(reducedScalar);
+        return point.toBytes();
+    }
+}
+export function crypto_core_ed25519_scalar_add(scalarA, scalarB) {
+    const a = bytesToNumberLE(scalarA);
+    const b = bytesToNumberLE(scalarB);
+    const result = mod(a + b, ed25519.Point.Fn.ORDER);
+    return numberToBytesLE(result, 32);
+}
+export function crypto_core_ed25519_scalar_mul(scalarA, scalarB) {
+    const a = bytesToNumberLE(scalarA);
+    const b = bytesToNumberLE(scalarB);
+    const result = mod(a * b, ed25519.Point.Fn.ORDER);
+    return numberToBytesLE(result, 32);
+}
+export function crypto_core_ed25519_scalar_reduce(scalar) {
+    const scalarNum = bytesToNumberLE(scalar);
+    const result = mod(scalarNum, ed25519.Point.Fn.ORDER);
+    return numberToBytesLE(result, 32);
+}
+export function crypto_sign_ed25519_sk_to_curve25519(edPrivKey) {
+    const seed = edPrivKey.slice(0, 32);
+    return ed25519.utils.toMontgomerySecret(seed);
+}
+export function crypto_sign_curve25519_pk_to_ed25519(x25519Pk) {
+    const P = 2n ** 255n - 19n;
+    let u = 0n;
+    for (let i = 0; i < x25519Pk.length; i++) {
+        u += BigInt(x25519Pk[i]) << (8n * BigInt(i));
+    }
+    const modPow = (base, exp, mod) => {
+        let result = 1n;
+        base = base % mod;
+        while (exp > 0n) {
+            if (exp % 2n === 1n)
+                result = (result * base) % mod;
+            exp = exp >> 1n;
+            base = (base * base) % mod;
+        }
+        return result;
+    };
+    const modInv = (a) => modPow(a, P - 2n, P);
+    const y = (((u - 1n + P) % P) * modInv((u + 1n) % P)) % P;
+    const yBytes = new Uint8Array(32);
+    let yTemp = y;
+    for (let i = 0; i < 32; i++) {
+        yBytes[i] = Number(yTemp & 0xffn);
+        yTemp >>= 8n;
+    }
+    yBytes[31] &= 0x7f;
+    return yBytes;
+}
+export function crypto_scalarmult_ed25519_noclamp(scalar32, point32) {
+    if (scalar32.length !== 32) {
+        throw new Error(`crypto_scalarmult_ed25519_noclamp: expected 32-byte scalar, got ${scalar32.length}`);
+    }
+    if (point32.length !== 32) {
+        throw new Error(`crypto_scalarmult_ed25519_noclamp: expected 32-byte point, got ${point32.length}`);
+    }
+    const L = ed25519.Point.Fn.ORDER;
+    const s = bytesToNumberLE(scalar32) % L;
+    const P = ed25519.Point.fromBytes(point32);
+    if (P.isSmallOrder()) {
+        throw new Error("crypto_scalarmult_ed25519_noclamp: invalid point (small order)");
+    }
+    return P.multiply(s).toBytes();
+}

package/dist/unblinding.d.ts

@@ -0,0 +1,8 @@
+export declare function unblindKey15({ blindedKey, serverPublicKey, }: {
+    blindedKey: Uint8Array;
+    serverPublicKey: Uint8Array;
+}): Uint8Array;
+export declare function unblindSessionId({ sessionId, sogsPublicKey, }: {
+    sessionId: string | Uint8Array;
+    sogsPublicKey: string | Uint8Array;
+}): string | undefined;

package/dist/unblinding.js

@@ -0,0 +1,63 @@
+import { ed25519 } from "@noble/curves/ed25519.js";
+import { bytesToNumberLE, numberToBytesLE, hexToBytes } from "@noble/curves/utils.js";
+import { SessionValidationError, SessionValidationErrorCode } from "@session.js/errors";
+import { crypto_scalarmult_ed25519_noclamp } from "./scalar-math";
+import { getBlindingK, hexRegex, keyToSessionId } from "./utils";
+export function unblindKey15({ blindedKey, serverPublicKey, }) {
+    const blindingKInput = serverPublicKey;
+    const k = getBlindingK(blindingKInput);
+    const kInverted = numberToBytesLE(ed25519.Point.Fn.inv(bytesToNumberLE(k)), 32);
+    const kA = crypto_scalarmult_ed25519_noclamp(kInverted, blindedKey);
+    const x25519PublicKey = ed25519.utils.toMontgomery(kA);
+    return x25519PublicKey;
+}
+export function unblindSessionId({ sessionId, sogsPublicKey, }) {
+    let sessionIdBytes;
+    if (typeof sessionId === "string") {
+        if (!hexRegex.test(sessionId) || sessionId.length % 2 !== 0) {
+            throw new SessionValidationError({
+                code: SessionValidationErrorCode.InvalidSessionID,
+                message: "Session ID must be a hex string",
+            });
+        }
+        sessionIdBytes = hexToBytes(sessionId);
+    }
+    else {
+        sessionIdBytes = sessionId;
+    }
+    if (sessionIdBytes.length !== 33) {
+        throw new SessionValidationError({
+            code: SessionValidationErrorCode.InvalidSessionID,
+            message: "Session ID must be 33 bytes long",
+        });
+    }
+    const prefix = sessionIdBytes[0];
+    if (prefix !== 0x15) {
+        throw new SessionValidationError({
+            code: SessionValidationErrorCode.InvalidSessionID,
+            message: "Only 15-prefixed Session IDs can be unblinded with this function",
+        });
+    }
+    const blindedKey = sessionIdBytes.subarray(1);
+    let serverPublicKey;
+    if (typeof sogsPublicKey === "string") {
+        serverPublicKey = hexToBytes(sogsPublicKey);
+    }
+    else {
+        serverPublicKey = sogsPublicKey;
+    }
+    if (serverPublicKey.length !== 32) {
+        throw new SessionValidationError({
+            code: SessionValidationErrorCode.InvalidOptions,
+            message: "sogsPublicKey must be 32 bytes long",
+        });
+    }
+    const ftSessionId = (kA) => keyToSessionId(0x05, kA);
+    if (prefix === 0x15) {
+        const x25519PublicKey = unblindKey15({
+            blindedKey,
+            serverPublicKey,
+        });
+        return ftSessionId(x25519PublicKey);
+    }
+}

package/dist/utils.d.ts

@@ -0,0 +1,3 @@
+export declare const hexRegex: RegExp;
+export declare function getBlindingK(input: Uint8Array): Uint8Array;
+export declare function keyToSessionId(prefix: number, key: Uint8Array): string;

package/dist/utils.js

@@ -0,0 +1,14 @@
+import { blake2b } from "@noble/hashes/blake2.js";
+import { bytesToHex } from "@noble/curves/utils.js";
+import { crypto_core_ed25519_scalar_reduce } from "./scalar-math";
+export const hexRegex = /^[0-9a-fA-F]+$/i;
+export function getBlindingK(input) {
+    const serverPkHash = blake2b(input, {
+        dkLen: 64,
+    });
+    const k = crypto_core_ed25519_scalar_reduce(serverPkHash);
+    return k;
+}
+export function keyToSessionId(prefix, key) {
+    return bytesToHex(new Uint8Array([prefix, ...key]));
+}

package/package.json

@@ -1,37 +1,46 @@
 {
-  "name": "@session.js/blinded-session-id",
-  "type": "module",
-  "description": "Utility JavaScript library with methods to work with Session's blinded Session ID",
-  "version": "1.0.3",
-  "author": "Viktor Shchelochkov <hi@hloth.dev> (https://hloth.dev)",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "repository": {
-    "type": "git",
-    "url": "git+https://git.hloth.dev/session.js/blinded-session-id.git"
-  },
-  "bugs": {
-    "url": "https://git.hloth.dev/session.js/blinded-session-id/issues"
-  },
-  "homepage": "https://git.hloth.dev/session.js/blinded-session-id#readme",
-  "license": "MIT",
-  "funding": "https://hloth.dev/donate",
-  "scripts": {
-    "build": "rm -rf dist && tsc --project tsconfig.build.json"
-  },
-  "files": [
-    "dist/index.js",
-    "dist/index.d.ts"
-  ],
-  "dependencies": {
-    "@noble/curves": "^2.0.1",
-    "@noble/hashes": "^2.0.1"
-  },
-  "peerDependencies": {
-    "typescript": "^5.0.0"
-  },
-  "devDependencies": {
-    "@types/bun": "^1.1.6",
-    "@types/lodash": "^4.17.7"
-  }
+	"name": "@session.js/blinded-session-id",
+	"version": "1.0.5",
+	"description": "Utility JavaScript library with methods to work with Session's blinded Session ID",
+	"homepage": "https://git.hloth.dev/session.js/blinded-session-id#readme",
+	"bugs": {
+		"url": "https://git.hloth.dev/session.js/blinded-session-id/issues"
+	},
+	"repository": {
+		"type": "git",
+		"url": "https://git.hloth.dev/session.js/blinded-session-id.git"
+	},
+	"funding": "https://hloth.dev/donate",
+	"license": "MIT",
+	"author": "Viktor Shchelochkov <hi@hloth.dev> (https://hloth.dev)",
+	"type": "module",
+	"main": "dist/index.js",
+	"types": "dist/index.d.ts",
+	"files": [
+		"dist/**/*.js",
+		"dist/**/*.d.ts",
+		"README.md",
+		"LICENSE"
+	],
+	"scripts": {
+		"build": "rm -rf dist && tsc --project tsconfig.build.json"
+	},
+	"dependencies": {
+		"@noble/curves": "^2.0.1",
+		"@noble/hashes": "^2.0.1",
+		"@session.js/errors": "^1.0.11"
+	},
+	"devDependencies": {
+		"@eslint/compat": "^2.0.1",
+		"@eslint/js": "^9.39.2",
+		"@session.js/keypair": "^1.0.8",
+		"@session.js/mnemonic": "^1.0.6",
+		"@types/bun": "latest",
+		"eslint-config-prettier": "^10.1.8",
+		"prettier": "^3.8.0",
+		"typescript-eslint": "^8.53.1"
+	},
+	"peerDependencies": {
+		"typescript": "^5.0.0"
+	}
 }