functionalscript 0.8.1 → 0.8.2

package/crypto/secp/module.f.d.ts

@@ -1,5 +1,5 @@
 import type { Equal, Fold, Reduce } from '../../types/function/operator/module.f.ts';
-import { type PrimeField } from '../prime_field/module.f.ts';
+import { type PrimeField } from '../../types/prime_field/module.f.ts';
 /**
  * A 2D point represented as a pair of `bigint` values `[x, y]`.
  */
@@ -24,6 +24,7 @@ export type Init = {
 export type Curve = {
     readonly pf: PrimeField;
     readonly nf: PrimeField;
+    readonly g: Point;
     readonly y2: (x: bigint) => bigint;
     readonly y: (x: bigint) => bigint | null;
     readonly neg: (a: Point) => Point;
@@ -50,27 +51,29 @@ export type Curve = {
  * const mulPoint = curveInstance.mul([1n, 1n])(3n); // Multiply a point by 3
  * ```
  */
-export declare const curve: ({ p, a: [a0, a1], n }: Init) => Curve;
+export declare const curve: ({ p, a: [a0, a1], n, g }: Init) => Curve;
 export declare const eq: Equal<Point>;
 /**
  * https://neuromancer.sk/std/secg/secp192r1
+ * NIST P-192
  */
-export declare const secp192r1: Init;
+export declare const secp192r1: Curve;
 /**
  * https://en.bitcoin.it/wiki/Secp256k1
  * https://neuromancer.sk/std/secg/secp256k1
  */
-export declare const secp256k1: Init;
+export declare const secp256k1: Curve;
 /**
  * https://neuromancer.sk/std/secg/secp256r1
+ * NIST P-256
  */
-export declare const secp256r1: Init;
+export declare const secp256r1: Curve;
 /**
  * https://neuromancer.sk/std/secg/secp384r1
  */
-export declare const secp384r1: Init;
+export declare const secp384r1: Curve;
 /**
  * https://neuromancer.sk/std/secg/secp521r1
  */
-export declare const secp521r1: Init;
+export declare const secp521r1: Curve;
 export {};

package/crypto/secp/module.f.js

@@ -1,4 +1,4 @@
-import { prime_field, sqrt } from "../prime_field/module.f.js";
+import { prime_field, sqrt } from "../../types/prime_field/module.f.js";
 import { repeat } from "../../types/monoid/module.f.js";
 /**
  * Constructs an elliptic curve with the given initialization parameters.
@@ -20,7 +20,7 @@ import { repeat } from "../../types/monoid/module.f.js";
  * const mulPoint = curveInstance.mul([1n, 1n])(3n); // Multiply a point by 3
  * ```
  */
-export const curve = ({ p, a: [a0, a1], n }) => {
+export const curve = ({ p, a: [a0, a1], n, g }) => {
     const pf = prime_field(p);
     const { pow2, pow3, sub, add, mul, neg, div } = pf;
     const mul3 = mul(3n);
@@ -60,6 +60,7 @@ export const curve = ({ p, a: [a0, a1], n }) => {
     return {
         pf,
         nf: prime_field(n),
+        g,
         y2,
         y: x => sqrt_p(y2(x)),
         neg: p => {
@@ -83,8 +84,9 @@ export const eq = a => b => {
 };
 /**
  * https://neuromancer.sk/std/secg/secp192r1
+ * NIST P-192
  */
-export const secp192r1 = {
+export const secp192r1 = curve({
     p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
     a: [
         0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
@@ -95,12 +97,29 @@ export const secp192r1 = {
         0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n
     ],
     n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
-};
+});
+// The curve doesn't have a simple square root function.
+// /**
+//  * https://std.neuromancer.sk/nist/P-224
+//  * NIST P-224
+//  */
+// export const secp224r1: Curve = curve({
+//     p: 0xffffffff_ffffffff_ffffffff_ffffffff_00000000_00000000_00000001n,
+//     a: [
+//         0xb4050a85_0c04b3ab_f5413256_5044b0b7_d7bfd8ba_270b3943_2355ffb4n,
+//         0xffffffff_ffffffff_ffffffff_fffffffe_ffffffff_ffffffff_fffffffen,
+//     ],
+//     g: [
+//         0xb70e0cbd_6bb4bf7f_321390b9_4a03c1d3_56c21122_343280d6_115c1d21n,
+//         0xbd376388_b5f723fb_4c22dfe6_cd4375a0_5a074764_44d58199_85007e34n,
+//     ],
+//     n: 0xffffffff_ffffffff_ffffffff_ffff16a2_e0b8f03e_13dd2945_5c5c2a3dn,
+// })
 /**
  * https://en.bitcoin.it/wiki/Secp256k1
  * https://neuromancer.sk/std/secg/secp256k1
  */
-export const secp256k1 = {
+export const secp256k1 = curve({
     p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
     a: [7n, 0n],
     g: [
@@ -108,11 +127,12 @@ export const secp256k1 = {
         0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n
     ],
     n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp256r1
+ * NIST P-256
  */
-export const secp256r1 = {
+export const secp256r1 = curve({
     p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
     a: [
         0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn, //< b
@@ -123,11 +143,11 @@ export const secp256r1 = {
         0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n, //< y
     ],
     n: 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp384r1
  */
-export const secp384r1 = {
+export const secp384r1 = curve({
     p: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffn,
     a: [
         0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aefn, //< b
@@ -138,11 +158,11 @@ export const secp384r1 = {
         0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5fn, //< y
     ],
     n: 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973n,
-};
+});
 /**
  * https://neuromancer.sk/std/secg/secp521r1
  */
-export const secp521r1 = {
+export const secp521r1 = curve({
     p: 0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
     a: [
         0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00n, //< b
@@ -153,4 +173,4 @@ export const secp521r1 = {
         0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650n,
     ],
     n: 0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409n
-};
+});

package/crypto/secp/test.f.js

@@ -1,10 +1,10 @@
-import { prime_field } from "../prime_field/module.f.js";
+import { prime_field } from "../../types/prime_field/module.f.js";
 import { curve, secp256k1, secp192r1, secp256r1, eq, secp384r1, secp521r1 } from "./module.f.js";
 const poker = (param) => () => {
     // (c ^ x) ^ y = c ^ (x * y)
     // c ^ ((x * y) * (1/x * 1/y)) = c
-    const { g, n } = param;
-    const { mul, y } = curve(param);
+    // const { g, n } = param
+    const { mul, y, nf: { p: n } } = param;
     const f = (m) => (pList) => pList.map(mul(m));
     //
     const pf = prime_field(n);
@@ -69,8 +69,7 @@ export default {
     },
     test: () => {
         const test_curve = c => {
-            const { g } = c;
-            const { mul, neg, pf: { abs }, y: yf, nf: { p: n } } = curve(c);
+            const { mul, neg, pf: { abs }, y: yf, nf: { p: n }, g } = c;
             const point_check = (p) => {
                 if (p === null) {
                     throw 'p === null';

package/crypto/sign/module.f.d.ts

@@ -1,5 +1,18 @@
+import type { Array2 } from '../../types/array/module.f.ts';
 import { type Vec } from '../../types/bit_vec/module.f.ts';
-import { type Init } from '../secp/module.f.ts';
-import type { Sha2 } from '../sha2/module.f.ts';
-export declare const newPrivateKey: (i: Init) => (random: Vec) => bigint;
-export declare const sign: (sha2: Sha2) => (curveInit: Init) => (privateKey: Vec) => (messageHash: Vec) => readonly [bigint, bigint];
+import type { Curve } from '../secp/module.f.ts';
+import { type Sha2 } from '../sha2/module.f.ts';
+export type All = {
+    readonly q: bigint;
+    readonly qlen: bigint;
+    readonly bits2int: (b: Vec) => bigint;
+    readonly int2octets: (x: bigint) => Vec;
+    readonly bits2octets: (b: Vec) => Vec;
+};
+export declare const all: (q: bigint) => All;
+export declare const fromCurve: (c: Curve) => All;
+export declare const concat: (...x: readonly Vec[]) => Vec;
+export declare const computeK: (_: All) => (_: Sha2) => (x: bigint) => (m: Vec) => bigint;
+type Signature = Array2<bigint>;
+export declare const sign: (c: Curve) => (hf: Sha2) => (x: bigint) => (m: Vec) => Signature;
+export {};

package/crypto/sign/module.f.js

@@ -1,54 +1,148 @@
-import { bitLength } from "../../types/bigint/module.f.js";
-import { listToVec, msb, uint, vec, vec8, length } from "../../types/bit_vec/module.f.js";
+import { bitLength, divUp, roundUp } from "../../types/bigint/module.f.js";
+import { empty, length, listToVec, msb, repeat, unpack, vec, vec8 } from "../../types/bit_vec/module.f.js";
 import { hmac } from "../hmac/module.f.js";
-import { curve } from "../secp/module.f.js";
-const concat = listToVec(msb);
-const v00 = vec8(0x00n);
-const v01 = vec8(0x01n);
-/**
- * The size of the result equals the size of the hash.
- *
- * @param sha2 SHA2 hash function
- * @returns A function that accepts a private key, a message hash and returns `k`.
- */
-const createK = (sha2) => {
-    const h = hmac(sha2);
-    let vs = vec(sha2.hashLength);
-    let k0 = vs(0x00n);
-    let v0 = vs(0x01n);
-    return (privateKey) => (messageHash) => {
-        const pm = concat([privateKey, messageHash]);
-        let k = k0;
+import { computeSync } from "../sha2/module.f.js";
+// qlen to rlen
+const roundUp8 = roundUp(8n);
+const divUp8 = divUp(8n);
+export const all = (q) => {
+    const qlen = bitLength(q);
+    const bits2int = (b) => {
+        const { length, uint } = unpack(b);
+        const diff = length - qlen;
+        return diff > 0n ? uint >> diff : uint;
+    };
+    const int2octets = vec(roundUp8(qlen));
+    return {
+        q,
+        qlen,
+        bits2int,
+        int2octets,
+        // since z2 < 2*q, we can use simple mod with `z1 < q ? z1 : z1 - q`
+        bits2octets: b => int2octets(bits2int(b) % q),
+    };
+};
+export const fromCurve = (c) => all(c.nf.p);
+const x01 = vec8(0x01n);
+const x00 = vec8(0x00n);
+const ltov = listToVec(msb);
+export const concat = (...x) => ltov(x);
+export const computeK = ({ q, bits2int, qlen, int2octets, bits2octets }) => hf => {
+    // TODO: Look at https://www.rfc-editor.org/rfc/rfc6979#section-3.3 to reformulate
+    //       it using `HMAC_DRBG`.
+    const hmacf = hmac(hf);
+    // b. Set:
+    //      V = 0x01 0x01 0x01 ... 0x01
+    //    such that the length of V, in bits, is equal to 8*ceil(hlen/8).
+    //    For instance, on an octet-based system, if H is SHA-256, then V
+    //    is set to a sequence of 32 octets of value 1.  Note that in this
+    //    step and all subsequent steps, we use the same H function as the
+    //    one used in step 'a' to process the input message; this choice
+    //    will be discussed in more detail in Section 3.6.
+    const rep = repeat(divUp8(hf.hashLength));
+    const v0 = rep(x01);
+    // c. Set:
+    //      K = 0x00 0x00 0x00 ... 0x00
+    //    such that the length of K, in bits, is equal to 8*ceil(hlen/8).
+    const k0 = rep(x00);
+    //
+    return x => m => {
         let v = v0;
-        k = h(k)(concat([v, v00, pm]));
-        v = h(k)(v);
-        k = h(k)(concat([v, v01, pm]));
-        v = h(k)(v);
-        return uint(h(k)(v));
+        let k = k0;
+        // a. Process m through the hash function H, yielding:
+        //      h1 = H(m)
+        //   (h1 is a sequence of hlen bits).
+        const h1 = computeSync(hf)([m]);
+        // d. Set:
+        //      K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))
+        //    where '||' denotes concatenation.
+        const xh1 = concat(int2octets(x), bits2octets(h1));
+        k = hmacf(k)(concat(v, x00, xh1));
+        // e. Set:
+        //      V = HMAC_K(V)
+        v = hmacf(k)(v);
+        // f. Set:
+        //      K = HMAC_K(V || 0x01 || int2octets(x) || bits2octets(h1))
+        k = hmacf(k)(concat(v, x01, xh1));
+        // g. Set:
+        //      V = HMAC_K(V)
+        v = hmacf(k)(v);
+        // h. Apply the following algorithm until a proper value is for `k`:
+        while (true) {
+            // h. Apply the following algorithm until a proper value is for `k`:
+            //    1. Set `T` to the empty sequence, so `tlen = 0`.
+            let t = empty;
+            //    2. while `tlen < qlen` do:
+            //       - `V = HMAC_K(V)`
+            //       - `T = T || V`
+            // Possible optimizations:
+            // - precompute number of iterations
+            // - `qlen` can't be 0, so we can avoid the first check and
+            //   first concatenation.
+            while (length(t) < qlen) {
+                v = hmacf(k)(v);
+                t = concat(t, v);
+            }
+            //    3. Compute `k = bits2int(T)`. If `k` is not in `[1, q-1]` or `kG = 0` then
+            //       - `K = HMAC_K(V || 0x00)`
+            //       - `V = HMAC_K(V)`
+            //       and loop (try to generate a new `T`, and so on). Return to step `1`.
+            const result = bits2int(t);
+            if (0n < result && result < q) {
+                return result;
+            }
+            k = hmacf(k)(concat(v, x00));
+            v = hmacf(k)(v);
+        }
     };
 };
-export const newPrivateKey = (i) => (random) => {
-    const { nf } = curve(i);
-    if (bitLength(nf.max) < length(random)) {
-        throw "need more random bits";
+export const sign = (c) => (hf) => (x) => (m) => {
+    // 2.4 Signature Generation
+    const { nf: { p: q, div }, g } = c;
+    const a = all(q);
+    const { bits2int } = a;
+    // The following steps are then applied:
+    //
+    // 1. H(m) is transformed into an integer modulo q using the bits2int
+    //    transform and an extra modular reduction:
+    //
+    //       h = bits2int(H(m)) mod q
+    //
+    //     As was noted in the description of bits2octets, the extra modular
+    //     reduction is no more than a conditional subtraction.
+    const hm = computeSync(hf)([m]);
+    const h = bits2int(hm) % q;
+    // 2. A random value modulo q, dubbed k, is generated.  That value
+    //    shall not be 0; hence, it lies in the [1, q-1] range.  Most of
+    //    the remainder of this document will revolve around the process
+    //    used to generate k.  In plain DSA or ECDSA, k should be selected
+    //    through a random selection that chooses a value among the q-1
+    //    possible values with uniform probability.
+    const k = computeK(a)(hf)(x)(m);
+    // 3.  A value r (modulo q) is computed from k and the key parameters:
+    //
+    //     *  For ECDSA: the point kG is computed; its X coordinate (a
+    //        member of the field over which E is defined) is converted to
+    //        an integer, which is reduced modulo q, yielding r.
+    //
+    //     If r turns out to be zero, a new k should be selected and r
+    //     computed again (this is an utterly improbable occurrence).
+    const rxy = c.mul(k)(g);
+    // TODO: implement the loop. `computeK` should either
+    // - accept a state (current `k`).
+    // - accept a `is_valid` function.
+    if (rxy === null) {
+        throw 'rxy === null';
     }
-    return uint(random) % nf.p;
-};
-export const sign = (sha2) => (curveInit) => (privateKey) => (messageHash) => {
-    const { mul, pf } = curve(curveInit);
-    // const curveVec = vec(length(pf.max))
-    //`k` is a unique for each `z` and secret.
-    const k = createK(sha2)(privateKey)(messageHash) % pf.p;
-    // `R = G * k`.
-    const rp = mul(k)(curveInit.g);
-    // `r = R.x`
-    const r = rp === null ? 0n : rp[0];
-    // `s = ((z + r * d) / k)`.
-    const d = uint(privateKey);
-    const z = uint(messageHash);
-    const rd = pf.mul(r)(d);
-    const zrd = pf.add(z)(rd);
-    const kn1 = pf.reciprocal(k);
-    const s = pf.mul(zrd)(kn1);
+    const [r] = rxy;
+    // 4.  The value s (modulo q) is computed:
+    //
+    //        s = (h+x*r)/k mod q
+    //
+    //     The pair (r, s) is the signature.  How a signature is to be
+    //     encoded is not covered by the DSA and ECDSA standards themselves;
+    //     a common way is to use a DER-encoded ASN.1 structure (a SEQUENCE
+    //     of two INTEGERs, for r and s, in that order).
+    const s = div(h + x * r)(k);
     return [r, s];
 };

package/crypto/sign/test.f.d.ts

@@ -1,2 +1,12 @@
-declare const _default: {};
+declare const _default: {
+    bits2int: () => void;
+    int2octets: () => void;
+    bit2octets: () => void;
+    k: () => void;
+    computeK: () => void;
+    investigate: () => void;
+    kk: () => void;
+    a2: () => void;
+    a2s: () => void;
+};
 export default _default;