functionalscript 0.8.0 → 0.8.2

package/crypto/secp/module.f.js

@@ -1,4 +1,4 @@
-import { prime_field, sqrt } from "../prime_field/module.f.js";
+import { prime_field, sqrt } from "../../types/prime_field/module.f.js";
 import { repeat } from "../../types/monoid/module.f.js";
 /**
  * Constructs an elliptic curve with the given initialization parameters.
@@ -20,7 +20,7 @@ import { repeat } from "../../types/monoid/module.f.js";
  * const mulPoint = curveInstance.mul([1n, 1n])(3n); // Multiply a point by 3
  * ```
  */
-export const curve = ({ p, a: [a0, a1], n }) => {
+export const curve = ({ p, a: [a0, a1], n, g }) => {
     const pf = prime_field(p);
     const { pow2, pow3, sub, add, mul, neg, div } = pf;
     const mul3 = mul(3n);
@@ -60,6 +60,7 @@ export const curve = ({ p, a: [a0, a1], n }) => {
     return {
         pf,
         nf: prime_field(n),
+        g,
         y2,
         y: x => sqrt_p(y2(x)),
         neg: p => {
@@ -73,7 +74,7 @@ export const curve = ({ p, a: [a0, a1], n }) => {
         mul: repeat({ identity: null, operation: addPoint })
     };
 };
-export const eq = (a) => (b) => {
+export const eq = a => b => {
     if (a === null || b === null) {
         return a === b;
     }
@@ -83,8 +84,9 @@ export const eq = (a) => (b) => {
 };
 /**
  * https://neuromancer.sk/std/secg/secp192r1
+ * NIST P-192
  */
-export const secp192r1 = {
+export const secp192r1 = curve({
     p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
     a: [
         0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
@@ -95,12 +97,29 @@ export const secp192r1 = {
         0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n
     ],
     n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
-};
+});
+// The curve doesn't have a simple square root function.
+// /**
+//  * https://std.neuromancer.sk/nist/P-224
+//  * NIST P-224
+//  */
+// export const secp224r1: Curve = curve({
+//     p: 0xffffffff_ffffffff_ffffffff_ffffffff_00000000_00000000_00000001n,
+//     a: [
+//         0xb4050a85_0c04b3ab_f5413256_5044b0b7_d7bfd8ba_270b3943_2355ffb4n,
+//         0xffffffff_ffffffff_ffffffff_fffffffe_ffffffff_ffffffff_fffffffen,
+//     ],
+//     g: [
+//         0xb70e0cbd_6bb4bf7f_321390b9_4a03c1d3_56c21122_343280d6_115c1d21n,
+//         0xbd376388_b5f723fb_4c22dfe6_cd4375a0_5a074764_44d58199_85007e34n,
+//     ],
+//     n: 0xffffffff_ffffffff_ffffffff_ffff16a2_e0b8f03e_13dd2945_5c5c2a3dn,
+// })
 /**
  * https://en.bitcoin.it/wiki/Secp256k1
  * https://neuromancer.sk/std/secg/secp256k1
  */
-export const secp256k1 = {
+export const secp256k1 = curve({
     p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
     a: [7n, 0n],
     g: [
@@ -108,11 +127,12 @@ export const secp256k1 = {
         0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n
     ],
     n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp256r1
+ * NIST P-256
  */
-export const secp256r1 = {
+export const secp256r1 = curve({
     p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
     a: [
         0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn, //< b
@@ -123,11 +143,11 @@ export const secp256r1 = {
         0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n, //< y
     ],
     n: 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp384r1
  */
-export const secp384r1 = {
+export const secp384r1 = curve({
     p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffn,
     a: [
         0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefn, //< b
@@ -138,11 +158,11 @@ export const secp384r1 = {
         0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fn, //< y
     ],
     n: 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp521r1
  */
-export const secp521r1 = {
+export const secp521r1 = curve({
     p: 0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
     a: [
         0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00n, //< b
@@ -153,4 +173,4 @@ export const secp521r1 = {
         0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650n,
     ],
     n: 0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409n
-};
+});

package/crypto/secp/test.f.js

@@ -1,11 +1,11 @@
-import { prime_field } from "../prime_field/module.f.js";
+import { prime_field } from "../../types/prime_field/module.f.js";
 import { curve, secp256k1, secp192r1, secp256r1, eq, secp384r1, secp521r1 } from "./module.f.js";
 const poker = (param) => () => {
     // (c ^ x) ^ y = c ^ (x * y)
     // c ^ ((x * y) * (1/x * 1/y)) = c
-    const { g, n } = param;
-    const { mul, y } = curve(param);
-    const f = (m) => (pList) => pList.map(i => mul(i)(m));
+    // const { g, n } = param
+    const { mul, y, nf: { p: n } } = param;
+    const f = (m) => (pList) => pList.map(mul(m));
     //
     const pf = prime_field(n);
     //           0        1        2        3        4        5        6        7
@@ -65,12 +65,11 @@ export default {
         // Access curve operations
         const point = c.add([1n, 1n])([2n, 5n]); // Add two points
         const negPoint = c.neg([1n, 1n]); // Negate a point
-        const mulPoint = c.mul([1n, 1n])(3n); // Multiply a point by 3
+        const mulPoint = c.mul(3n)([1n, 1n]); // Multiply a point by 3
     },
     test: () => {
         const test_curve = c => {
-            const { g } = c;
-            const { mul, neg, pf: { abs }, y: yf, nf: { p: n } } = curve(c);
+            const { mul, neg, pf: { abs }, y: yf, nf: { p: n }, g } = c;
             const point_check = (p) => {
                 if (p === null) {
                     throw 'p === null';
@@ -87,23 +86,23 @@ export default {
             point_check(g);
             point_check(neg(g));
             const test_mul = (p) => {
-                if (mul(p)(0n) !== null) {
+                if (mul(0n)(p) !== null) {
                     throw 'O';
                 }
-                if (mul(p)(1n) !== p) {
+                if (mul(1n)(p) !== p) {
                     throw 'p';
                 }
-                if (mul(p)(n) !== null) {
+                if (mul(n)(p) !== null) {
                     throw 'n';
                 }
                 const pn = neg(p);
-                if (!eq(mul(p)(n - 1n))(pn)) {
+                if (!eq(mul(n - 1n)(p))(pn)) {
                     throw 'n - 1';
                 }
                 const f = s => {
-                    const r = mul(p)(s);
+                    const r = mul(s)(p);
                     point_check(r);
-                    const rn = mul(pn)(s);
+                    const rn = mul(s)(pn);
                     point_check(rn);
                     if (!eq(r)(neg(rn))) {
                         throw 'r != -rn';

package/crypto/sha2/module.f.d.ts

@@ -1,5 +1,11 @@
+/**
+ * See https://www.rfc-editor.org/rfc/rfc6234
+ *
+ * @module
+ */
 import type { Array16, Array8 } from '../../types/array/module.f.ts';
 import { type Vec } from '../../types/bit_vec/module.f.ts';
+import type { Fold } from '../../types/function/operator/module.f.ts';
 import { type List } from '../../types/list/module.f.ts';
 export type V8 = Array8<bigint>;
 export type V16 = Array16<bigint>;
@@ -25,8 +31,8 @@ export type Base = {
     readonly chunkLength: bigint;
     readonly compress: (i: V8) => (u: bigint) => V8;
     readonly fromV8: (a: V8) => bigint;
-    readonly append: (state: State) => (v: Vec) => State;
-    readonly end: (hashLength: bigint) => (state: State) => bigint;
+    readonly append: Fold<Vec, State>;
+    readonly end: (hashLength: bigint) => (state: State) => Vec;
 };
 /**
  * SHA2. See https://en.wikipedia.org/wiki/SHA-2
@@ -56,18 +62,18 @@ export type Sha2 = {
     /**
      * Appends data to the state and returns the new state.
      *
-     * @param state The current state.
      * @param v The data to append.
+     * @param state The current state.
      * @returns The new state after appending data.
      */
-    readonly append: (state: State) => (v: Vec) => State;
+    readonly append: Fold<Vec, State>;
     /**
      * Finalizes the hash and returns the result as a bigint.
      *
      * @param state The final state.
      * @returns The resulting hash.
      */
-    readonly end: (state: State) => bigint;
+    readonly end: (state: State) => Vec;
 };
 export declare const computeSync: ({ append, init, end }: Sha2) => (list: List<Vec>) => Vec;
 export declare const base32: Base;

package/crypto/sha2/module.f.js

@@ -115,13 +115,14 @@ const base = ({ logBitLen, k, bs0, bs1, ss0, ss1 }) => {
     };
     const chunkLength = bitLength << 4n; // * 16
     const fromV8 = (a) => a.reduce((p, v) => (p << bitLength) | v);
-    const lastChunkLength = chunkLength - 65n;
+    // See https://www.rfc-editor.org/rfc/rfc6234#section-4
+    const lastChunkLength = chunkLength - 1n - (bitLength << 1n);
     return {
         bitLength,
         chunkLength,
         compress,
         fromV8,
-        append: (state) => (v) => {
+        append: (v) => (state) => {
             let { remainder, hash, len } = state;
             remainder = concat(remainder)(v);
             let remainderLen = length(remainder);
@@ -168,7 +169,7 @@ const sha2 = ({ append, end, chunkLength }, hash, hashLength) => ({
     end: end(hashLength),
 });
 export const computeSync = ({ append, init, end }) => {
-    const f = fold(flip(append))(init);
+    const f = fold(append)(init);
     return (list) => end(f(list));
 };
 export const base32 = base({

package/crypto/sha2/test.f.d.ts

@@ -6,7 +6,7 @@ declare const _default: {
         };
         b64: () => {
             s512: () => void;
-            s385: () => void;
+            s384: () => void;
             s512x256: () => void;
             s512x224: () => void;
         };
@@ -24,5 +24,8 @@ declare const _default: {
         8: () => void;
         16: () => void;
     };
+    padding: {
+        overflow: () => void;
+    };
 };
 export default _default;

package/crypto/sha2/test.f.js

@@ -1,12 +1,11 @@
-import { msbUtf8 } from "../../text/module.f.js";
-import { empty, msb, vec } from "../../types/bit_vec/module.f.js";
+import { utf8 } from "../../text/module.f.js";
+import { repeat, uint, vec } from "../../types/bit_vec/module.f.js";
+import { flip } from "../../types/function/module.f.js";
 import { map } from "../../types/list/module.f.js";
-import { repeat } from "../../types/monoid/module.f.js";
 import { base32, base64, computeSync, sha224, sha256, sha384, sha512, sha512x224, sha512x256, } from "./module.f.js";
-const { concat: beConcat } = msb;
-const checkEmpty = ({ init, end }) => (x) => {
+const checkEmpty = ({ init, end, hashLength }) => (x) => {
     const result = end(init);
-    if (result !== x) {
+    if (result !== vec(hashLength)(x)) {
         throw [result, x];
     }
 };
@@ -46,7 +45,7 @@ export default {
                         throw [result, x];
                     }
                 },
-                s385: () => {
+                s384: () => {
                     const result = fromV8(compress(sha384.init.hash)(e)) >> 128n;
                     const x = 0x38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95bn;
                     if (result !== x) {
@@ -71,72 +70,83 @@ export default {
         }
     },
     sha2: {
-        sha256: () => checkEmpty(sha256)(0x1e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855n),
-        sha224: () => checkEmpty(sha224)(0x1d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42fn),
-        sha512: () => checkEmpty(sha512)(0x1cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3en),
-        sha384: () => checkEmpty(sha384)(0x138b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95bn),
-        sha512x256: () => checkEmpty(sha512x256)(0x1c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967an),
-        sha512x224: () => checkEmpty(sha512x224)(0x16ed0dd02806fa89e25de060c19d3ac86cabb87d6a0ddd05c333b84f4n),
+        sha256: () => checkEmpty(sha256)(0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855n),
+        sha224: () => checkEmpty(sha224)(0xd14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42fn),
+        sha512: () => checkEmpty(sha512)(0xcf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3en),
+        sha384: () => checkEmpty(sha384)(0x38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95bn),
+        sha512x256: () => checkEmpty(sha512x256)(0xc672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967an),
+        sha512x224: () => checkEmpty(sha512x224)(0x6ed0dd02806fa89e25de060c19d3ac86cabb87d6a0ddd05c333b84f4n),
     },
     utf8: [
         () => {
-            const e = 0x1730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525n;
+            const e = 0x730e109bd7a8a32b1cb9d9a09aa2325d2430587ddbc0c38bad911525n;
             {
-                const s = msbUtf8("The quick brown fox jumps over the lazy dog");
+                const s = utf8("The quick brown fox jumps over the lazy dog");
                 const h = computeSync(sha224)([s]);
-                if (h !== e) {
+                if (uint(h) !== e) {
                     throw h;
                 }
             }
             {
                 const s = ['The', ' quick', ' brown', ' fox', ' jumps', ' over', ' the', ' lazy', ' dog'];
-                const h = computeSync(sha224)(map(msbUtf8)(s));
-                if (h !== e) {
+                const h = computeSync(sha224)(map(utf8)(s));
+                if (uint(h) !== e) {
                     throw h;
                 }
             }
         },
         () => {
-            const s = msbUtf8("The quick brown fox jumps over the lazy dog.");
+            const s = utf8("The quick brown fox jumps over the lazy dog.");
             const h = computeSync(sha224)([s]);
-            if (h !== 0x1619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4cn) {
+            if (uint(h) !== 0x619cba8e8e05826e9b8c519c0a5c68f4fb653e8a3d8aa04bb2c8cd4cn) {
                 throw h;
             }
         },
         () => {
-            const s = msbUtf8("hello world");
-            if (s !== 0x168656c6c6f20776f726c64n) {
+            const s = utf8("hello world");
+            if (uint(s) !== 0x68656c6c6f20776f726c64n) {
                 throw s;
             }
             let state = sha256.init;
-            state = sha256.append(state)(s);
+            state = sha256.append(s)(state);
             const h = sha256.end(state);
-            if (h !== 0x1b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9n) {
+            if (uint(h) !== 0xb94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9n) {
                 throw h;
             }
         }
     ],
     fill: () => {
-        const times = repeat({ identity: empty, operation: beConcat })(vec(32n)(0x31313131n));
+        const times = flip(repeat)(vec(32n)(0x31313131n));
         return {
             8: () => {
                 const r = times(8n);
                 let state = sha256.init;
-                state = sha256.append(state)(r);
-                const h = sha256.end(state);
-                if (h >> 224n !== 0x18a83665fn) {
+                state = sha256.append(r)(state);
+                const h = uint(sha256.end(state));
+                if (h >> 224n !== 0x8a83665fn) {
                     throw h;
                 }
             },
             16: () => {
                 const r = times(16n);
                 let state = sha256.init;
-                state = sha256.append(state)(r);
+                state = sha256.append(r)(state);
                 const h = sha256.end(state);
-                if (h !== 0x13138bb9bc78df27c473ecfd1410f7bd45ebac1f59cf3ff9cfe4db77aab7aedd3n) {
+                if (uint(h) !== 0x3138bb9bc78df27c473ecfd1410f7bd45ebac1f59cf3ff9cfe4db77aab7aedd3n) {
                     throw h;
                 }
             }
         };
-    }
+    },
+    padding: {
+        overflow: () => {
+            const zero = vec(8n)(0n);
+            const msg = flip(repeat)(zero)(113n);
+            const h = computeSync(sha384)([msg]);
+            const x = 0x6be9af2cf3cd5dd12c8d9399ec2b34e66034fbd699d4e0221d39074172a380656089caafe8f39963f94cc7c0a07e3d21n;
+            if (uint(h) !== x) {
+                throw h;
+            }
+        },
+    },
 };

package/crypto/sign/module.f.d.ts

@@ -1,5 +1,18 @@
+import type { Array2 } from '../../types/array/module.f.ts';
 import { type Vec } from '../../types/bit_vec/module.f.ts';
-import { type Init } from '../secp/module.f.ts';
-import type { Sha2 } from '../sha2/module.f.ts';
-export declare const newPrivateKey: (i: Init) => (random: Vec) => Vec;
-export declare const sign: (sha2: Sha2) => (curveInit: Init) => (privateKey: Vec) => (messageHash: Vec) => readonly [bigint, bigint];
+import type { Curve } from '../secp/module.f.ts';
+import { type Sha2 } from '../sha2/module.f.ts';
+export type All = {
+    readonly q: bigint;
+    readonly qlen: bigint;
+    readonly bits2int: (b: Vec) => bigint;
+    readonly int2octets: (x: bigint) => Vec;
+    readonly bits2octets: (b: Vec) => Vec;
+};
+export declare const all: (q: bigint) => All;
+export declare const fromCurve: (c: Curve) => All;
+export declare const concat: (...x: readonly Vec[]) => Vec;
+export declare const computeK: (_: All) => (_: Sha2) => (x: bigint) => (m: Vec) => bigint;
+type Signature = Array2<bigint>;
+export declare const sign: (c: Curve) => (hf: Sha2) => (x: bigint) => (m: Vec) => Signature;
+export {};

package/crypto/sign/module.f.js

@@ -1,53 +1,148 @@
-import { listToVec, msb, uint, vec, vec8, length } from "../../types/bit_vec/module.f.js";
+import { bitLength, divUp, roundUp } from "../../types/bigint/module.f.js";
+import { empty, length, listToVec, msb, repeat, unpack, vec, vec8 } from "../../types/bit_vec/module.f.js";
 import { hmac } from "../hmac/module.f.js";
-import { curve } from "../secp/module.f.js";
-const concat = listToVec(msb);
-const v00 = vec8(0x00n);
-const v01 = vec8(0x01n);
-/**
- * The size of the result equals the size of the hash.
- *
- * @param sha2 SHA2 hash function
- * @returns A function that accepts a private key, a message hash and returns `k`.
- */
-const createK = (sha2) => {
-    const h = hmac(sha2);
-    let vs = vec(sha2.hashLength);
-    let k0 = vs(0x00n);
-    let v0 = vs(0x01n);
-    return (privateKey) => (messageHash) => {
-        const pm = concat([privateKey, messageHash]);
-        let k = k0;
+import { computeSync } from "../sha2/module.f.js";
+// qlen to rlen
+const roundUp8 = roundUp(8n);
+const divUp8 = divUp(8n);
+export const all = (q) => {
+    const qlen = bitLength(q);
+    const bits2int = (b) => {
+        const { length, uint } = unpack(b);
+        const diff = length - qlen;
+        return diff > 0n ? uint >> diff : uint;
+    };
+    const int2octets = vec(roundUp8(qlen));
+    return {
+        q,
+        qlen,
+        bits2int,
+        int2octets,
+        // since z2 < 2*q, we can use simple mod with `z1 < q ? z1 : z1 - q`
+        bits2octets: b => int2octets(bits2int(b) % q),
+    };
+};
+export const fromCurve = (c) => all(c.nf.p);
+const x01 = vec8(0x01n);
+const x00 = vec8(0x00n);
+const ltov = listToVec(msb);
+export const concat = (...x) => ltov(x);
+export const computeK = ({ q, bits2int, qlen, int2octets, bits2octets }) => hf => {
+    // TODO: Look at https://www.rfc-editor.org/rfc/rfc6979#section-3.3 to reformulate
+    //       it using `HMAC_DRBG`.
+    const hmacf = hmac(hf);
+    // b. Set:
+    //      V = 0x01 0x01 0x01 ... 0x01
+    //    such that the length of V, in bits, is equal to 8*ceil(hlen/8).
+    //    For instance, on an octet-based system, if H is SHA-256, then V
+    //    is set to a sequence of 32 octets of value 1.  Note that in this
+    //    step and all subsequent steps, we use the same H function as the
+    //    one used in step 'a' to process the input message; this choice
+    //    will be discussed in more detail in Section 3.6.
+    const rep = repeat(divUp8(hf.hashLength));
+    const v0 = rep(x01);
+    // c. Set:
+    //      K = 0x00 0x00 0x00 ... 0x00
+    //    such that the length of K, in bits, is equal to 8*ceil(hlen/8).
+    const k0 = rep(x00);
+    //
+    return x => m => {
         let v = v0;
-        k = h(k)(concat([v, v00, pm]));
-        v = h(k)(v);
-        k = h(k)(concat([v, v01, pm]));
-        v = h(k)(v);
-        return uint(h(k)(v));
+        let k = k0;
+        // a. Process m through the hash function H, yielding:
+        //      h1 = H(m)
+        //   (h1 is a sequence of hlen bits).
+        const h1 = computeSync(hf)([m]);
+        // d. Set:
+        //      K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))
+        //    where '||' denotes concatenation.
+        const xh1 = concat(int2octets(x), bits2octets(h1));
+        k = hmacf(k)(concat(v, x00, xh1));
+        // e. Set:
+        //      V = HMAC_K(V)
+        v = hmacf(k)(v);
+        // f. Set:
+        //      K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1))
+        k = hmacf(k)(concat(v, x01, xh1));
+        // g. Set:
+        //      V = HMAC_K(V)
+        v = hmacf(k)(v);
+        // h. Apply the following algorithm until a proper value is for `k`:
+        while (true) {
+            // h. Apply the following algorithm until a proper value is for `k`:
+            //    1. Set `T` to the empty sequence, so `tlen = 0`.
+            let t = empty;
+            //    2. while `tlen < qlen` do:
+            //       - `V = HMAC_K(V)`
+            //       - `T = T || V`
+            // Possible optimizations:
+            // - precompute number of iterations
+            // - `qlen` can't be 0, so we can avoid the first check and
+            //   first concatenation.
+            while (length(t) < qlen) {
+                v = hmacf(k)(v);
+                t = concat(t, v);
+            }
+            //    3. Compute `k = bits2int(T)`. If `k` is not in `[1, q-1]` or `kG = 0` then
+            //       - `K = HMAC_K(V || 0x00)`
+            //       - `V = HMAC_K(V)`
+            //       and loop (try to generate a new `T`, and so on). Return to step `1`.
+            const result = bits2int(t);
+            if (0n < result && result < q) {
+                return result;
+            }
+            k = hmacf(k)(concat(v, x00));
+            v = hmacf(k)(v);
+        }
     };
 };
-export const newPrivateKey = (i) => (random) => {
-    const { nf } = curve(i);
-    if (length(nf.max) < length(random)) {
-        throw "need more random bits";
+export const sign = (c) => (hf) => (x) => (m) => {
+    // 2.4 Signature Generation
+    const { nf: { p: q, div }, g } = c;
+    const a = all(q);
+    const { bits2int } = a;
+    // The following steps are then applied:
+    //
+    // 1. H(m) is transformed into an integer modulo q using the bits2int
+    //    transform and an extra modular reduction:
+    //
+    //       h = bits2int(H(m)) mod q
+    //
+    //     As was noted in the description of bits2octets, the extra modular
+    //     reduction is no more than a conditional subtraction.
+    const hm = computeSync(hf)([m]);
+    const h = bits2int(hm) % q;
+    // 2. A random value modulo q, dubbed k, is generated.  That value
+    //    shall not be 0; hence, it lies in the [1, q-1] range.  Most of
+    //    the remainder of this document will revolve around the process
+    //    used to generate k.  In plain DSA or ECDSA, k should be selected
+    //    through a random selection that chooses a value among the q-1
+    //    possible values with uniform probability.
+    const k = computeK(a)(hf)(x)(m);
+    // 3.  A value r (modulo q) is computed from k and the key parameters:
+    //
+    //     *  For ECDSA: the point kG is computed; its X coordinate (a
+    //        member of the field over which E is defined) is converted to
+    //        an integer, which is reduced modulo q, yielding r.
+    //
+    //     If r turns out to be zero, a new k should be selected and r
+    //     computed again (this is an utterly improbable occurrence).
+    const rxy = c.mul(k)(g);
+    // TODO: implement the loop. `computeK` should either
+    // - accept a state (current `k`).
+    // - accept a `is_valid` function.
+    if (rxy === null) {
+        throw 'rxy === null';
     }
-    return uint(random) % nf.p;
-};
-export const sign = (sha2) => (curveInit) => (privateKey) => (messageHash) => {
-    const { mul, pf } = curve(curveInit);
-    // const curveVec = vec(length(pf.max))
-    //`k` is a unique for each `z` and secret.
-    const k = createK(sha2)(privateKey)(messageHash) % pf.p;
-    // `R = G * k`.
-    const rp = mul(curveInit.g)(k);
-    // `r = R.x`
-    const r = rp === null ? 0n : rp[0];
-    // `s = ((z + r * d) / k)`.
-    const d = uint(privateKey);
-    const z = uint(messageHash);
-    const rd = pf.mul(r)(d);
-    const zrd = pf.add(z)(rd);
-    const kn1 = pf.reciprocal(k);
-    const s = pf.mul(zrd)(kn1);
+    const [r] = rxy;
+    // 4.  The value s (modulo q) is computed:
+    //
+    //        s = (h+x*r)/k mod q
+    //
+    //     The pair (r, s) is the signature.  How a signature is to be
+    //     encoded is not covered by the DSA and ECDSA standards themselves;
+    //     a common way is to use a DER-encoded ASN.1 structure (a SEQUENCE
+    //     of two INTEGERs, for r and s, in that order).
+    const s = div(h + x * r)(k);
     return [r, s];
 };

package/crypto/sign/test.f.d.ts

@@ -1,2 +1,12 @@
-declare const _default: {};
+declare const _default: {
+    bits2int: () => void;
+    int2octets: () => void;
+    bit2octets: () => void;
+    k: () => void;
+    computeK: () => void;
+    investigate: () => void;
+    kk: () => void;
+    a2: () => void;
+    a2s: () => void;
+};
 export default _default;