kyber-mini 1.0.0

package/README.md

@@ -0,0 +1,29 @@
+# kyber
+A minimalistic, high-performance TypeScript/JavaScript implementation of the Kyber KEM and PKE algorithms (standard specified by [FIPS203](https://csrc.nist.gov/pubs/fips/203/final)).
+
+## Performance
+Benchmarks indicate performance on par with noble/post-quantum in Node.js, and approximately 2x faster when running with Bun.
+
+## Usage
+kyber KEM usage example using ML_KEM1024:
+```ts
+import { kyber_kem1024 } from "kyber-mini";
+const keys = kyber_kem1024.keyGen(); // generates a pair of private and public keys.
+const encapsulatedKeys = kyber_kem1024.encapsulate(keys.publicKey); // creates a shared key and creates a ciphertext from which the recipient can recreate the shared key
+const sharedKey = kyber_kem1024.decapsulate(encapsulatedKeys.ciphertext, keys.privateKey); // recreates the shared key from ciphercode
+```
+kyber PKE usage example using ML_PKE1024:
+```ts
+import { kyber_pke1024 } from "kyber-mini";
+const keys = kyber_pke1024.keyGen(); // generates kyber_pke keys
+const message = new Uint8Array(32);
+// set a message
+const ciphertext = kyber_pke1024.encrypt(message, keys.publicKey); // encrypts the message with a public key
+const decryptedMessage = kyber_pke1024.decrypt(ciphertext, keys.privateKey); // decrypts the message with a private key
+```
+
+## Instalation
+npm install kyber-mini
+
+## Audit
+This library has not been audited by a third party.

package/build.ts

@@ -0,0 +1,16 @@
+import { rename } from "node:fs/promises";
+await Bun.build({
+    packages: "external",
+    entrypoints: ["index.ts"],
+    format: "cjs",
+    outdir: "dist",
+    minify: true,
+});
+await rename("dist/index.js", "dist/index.cjs");
+await Bun.build({
+    packages: "external",
+    entrypoints: ["index.ts"],
+    format: "esm",
+    outdir: "dist",
+    minify: true,
+});

package/index.ts

@@ -0,0 +1,327 @@
+import { sha3_256, sha3_512, shake256 } from "@noble/hashes/sha3.js";
+import {
+    addMod,
+    subMod,
+    NTT,
+    INTT,
+    mulNTT,
+    addPol,
+    byteDecodeTo,
+    byteEncode,
+    samplePolCBD,
+    pseudoRandom,
+    expandA,
+    compress,
+    decompress,
+    randomBytes,
+    round,
+} from "./utils.ts";
+
+const Q = 3329;
+const N = 256;
+const QHalf = (Q + 1) / 2;
+type kyberParams = {
+    K: number;
+    ETA1: number;
+    ETA2: number;
+    DU: number;
+    DV: number;
+};
+const kyberParams = {
+    v512: {
+        K: 2,
+        ETA1: 3,
+        ETA2: 2,
+        DU: 10,
+        DV: 4,
+    },
+    v768: {
+        K: 3,
+        ETA1: 2,
+        ETA2: 2,
+        DU: 10,
+        DV: 4,
+    },
+    v1024: {
+        K: 4,
+        ETA1: 2,
+        ETA2: 2,
+        DU: 11,
+        DV: 5,
+    },
+};
+
+class kyberPKE {
+    private privateKeyLen;
+    private publicKeyLen;
+    private ciphertextLen;
+    private par;
+    constructor(par: kyberParams) {
+        this.privateKeyLen = (3 * par.K * N) >> 1;
+        this.publicKeyLen = ((3 * N * par.K) >> 1) + (1 << 5);
+        this.ciphertextLen = (par.DU * N * par.K + N * par.DV) >> 3;
+        this.par = par;
+    }
+    keyGen(seed: Uint8Array = randomBytes(32)): { privateKey: Uint8Array; publicKey: Uint8Array; } {
+        if (seed.length !== 32)
+            throw new Error(`Seed should be of length 32`);
+
+        const seedsHasher = sha3_512.create();
+        seedsHasher.update(seed);
+        seedsHasher.update(new Uint8Array([this.par.K]));
+        const seedsHash = seedsHasher.digest();
+        const seedB = seedsHash.subarray(32, 64);
+
+        const s = new Uint16Array(this.par.K * N);
+        let counter = 0;
+        for (let i = 0; i < this.par.K; i++) {
+            const sSub = s.subarray(i * N, (i + 1) * N)
+            sSub.set(samplePolCBD(pseudoRandom(seedB, counter++, this.par.ETA1), this.par.ETA1));
+            NTT(sSub);
+        }
+
+        const t = new Uint16Array(this.par.K * N);
+        const seedA = seedsHash.subarray(0, 32);
+        const aNTT = expandA(seedA, this.par.K);
+        for (let i = 0; i < this.par.K; i++) {
+            const ti = t.subarray(i * N, (i + 1) * N);
+            for (let j = 0; j < this.par.K; j++) {
+                const aNTTij = aNTT.subarray((i * this.par.K + j) * N, (i * this.par.K + j + 1) * N);
+                const sj = s.subarray(j * N, (j + 1) * N);
+                mulNTT(aNTTij, sj);
+                addPol(ti, aNTTij);
+            }
+            const ei = samplePolCBD(pseudoRandom(seedB, counter++, this.par.ETA1), this.par.ETA1);
+            NTT(ei);
+            addPol(ti, ei);
+        }
+        const privateKey = byteEncode(s, 12);
+
+        const publicKey = new Uint8Array(this.publicKeyLen);
+        publicKey.set(byteEncode(t, 12));
+        publicKey.set(seedA, 12 * this.par.K * N / 8);
+        return {
+            privateKey,
+            publicKey,
+        };
+    }
+    encrypt(plaintext: Uint8Array, publicKey: Uint8Array, seed: Uint8Array = randomBytes(32)): Uint8Array {
+        if (publicKey.length !== this.publicKeyLen)
+            throw new Error(`Public key should be of length ${this.publicKeyLen}`);
+        if (plaintext.length !== 32)
+            throw new Error(`Plaintext should be of length 32`);
+        if (seed.length !== 32)
+            throw new Error(`Seed should be of length 32`);
+
+        let salt = 0;
+        const rNTT = new Uint16Array(this.par.K * N);
+        for (let i = 0; i < this.par.K; i++) {
+            const rNTTi = rNTT.subarray(i * N, (i + 1) * N);
+            rNTTi.set(samplePolCBD(pseudoRandom(seed, salt++, this.par.ETA1), this.par.ETA1));
+            NTT(rNTTi);
+        }
+
+        const seedA = publicKey.subarray((12 * N * this.par.K) / 8);
+        const aNTT = expandA(seedA, this.par.K);
+        const u = new Uint16Array(this.par.K * N);
+        for (let i = 0; i < this.par.K; i++) {
+            const ui = u.subarray(i * N, (i + 1) * N);
+            for (let j = 0; j < this.par.K; j++) {
+                //note that this is a transposed a
+                const aNTTji = aNTT.subarray((j * this.par.K + i) * N, (j * this.par.K + i + 1) * N);
+                const rNTTj = rNTT.subarray(j * N, (j + 1) * N);
+                mulNTT(aNTTji, rNTTj);
+                addPol(ui, aNTTji);
+            }
+            INTT(ui);
+
+            const e1i = samplePolCBD(pseudoRandom(seed, salt++, this.par.ETA2), this.par.ETA2);
+            addPol(ui, e1i);
+        }
+
+        const ciphertext = new Uint8Array(this.ciphertextLen);
+        compress(u, this.par.DU);
+        ciphertext.set(byteEncode(u, this.par.DU));
+
+        let v: Uint16Array = new Uint16Array(N);
+        for (let i = 0; i < this.par.K; i++) {
+            const ti = new Uint16Array(N);
+            byteDecodeTo(
+                ti,
+                publicKey.subarray((i * 12 * N) / 8, ((i + 1) * 12 * N) / 8),
+                12,
+            );
+            const rNTTi = rNTT.subarray(i * N, (i + 1) * N);
+            mulNTT(ti, rNTTi);
+            addPol(v, ti);
+        }
+        INTT(v);
+        const e2 = samplePolCBD(pseudoRandom(seed, salt, this.par.ETA2), this.par.ETA2);
+        addPol(v, e2);
+
+        for (let i = 0, byte = 0, number = 0; i < N; i++) {
+            const bit = 1 & (plaintext[byte] >> number++);
+            v[i] = addMod(v[i], QHalf * bit);
+            if (number === 8) {
+                byte++;
+                number = 0;
+            }
+        }
+        compress(v, this.par.DV);
+        ciphertext.set(byteEncode(v, this.par.DV), this.par.DU * N * this.par.K / 8);
+        return ciphertext;
+    }
+    decrypt(ciphertext: Uint8Array, privateKey: Uint8Array): Uint8Array {
+        if (privateKey.length !== this.privateKeyLen)
+            throw new Error(`Private key should be of length ${this.privateKeyLen}`);
+
+        if (ciphertext.length !== this.ciphertextLen)
+            throw new Error(`Ciphertext should be of length ${this.ciphertextLen}`);
+
+        const s = new Uint16Array(this.par.K * N);
+        byteDecodeTo(s, privateKey.subarray(0, this.par.K * 12 * N / 8), 12);
+
+        const u = new Uint16Array(this.par.K * N);
+        byteDecodeTo(
+            u,
+            ciphertext.subarray(0, this.par.K * this.par.DU * N / 8),
+            this.par.DU,
+        );
+        decompress(u, this.par.DU);
+
+        let tr: Uint16Array = new Uint16Array(N);
+        for (let i = 0; i < this.par.K; i++) {
+            const si = s.subarray(i * N, (i + 1) * N);
+            const ui = u.subarray(i * N, (i + 1) * N);
+            NTT(ui);
+            mulNTT(si, ui);
+            INTT(si);
+            addPol(tr, si);
+        }
+
+        const v = new Uint16Array(N);
+        byteDecodeTo(
+            v,
+            ciphertext.subarray(this.par.K * this.par.DU * N / 8),
+            this.par.DV,
+        );
+        decompress(v, this.par.DV);
+        const plaintext = new Uint8Array(N / 8);
+        for (let i = 0, byte = 0, number = 0; i < N; i++) {
+            const bit = round(subMod(v[i], tr[i]))
+            plaintext[byte] += bit << number++;
+            if (number === 8) {
+                byte++;
+                number = 0;
+            }
+        }
+        return plaintext;
+    }
+};
+class kyberKEM {
+    publicKeyLen;
+    privateKeyLen;
+    ciphertextLen;
+    par;
+    PKE;
+    constructor(par: kyberParams, PKE: kyberPKE) {
+        this.publicKeyLen = ((3 * N * par.K) >> 1) + (1 << 5);
+        this.privateKeyLen = ((3 * par.K * N) >> 1) + this.publicKeyLen + (1 << 6);
+        this.ciphertextLen = (par.DU * N * par.K + N * par.DV) >> 3;
+        this.par = par;
+        this.PKE = PKE;
+    }
+    keyGen(seed: Uint8Array = randomBytes(64)): { publicKey: Uint8Array, privateKey: Uint8Array } {
+        if (seed.length !== 64)
+            throw new Error(`Seed should be of length 64`);
+        const seedA = seed.subarray(0, 32);
+        const seedB = seed.subarray(32, 64);
+
+        const keys = this.PKE.keyGen(seedA);
+
+        const hasher = sha3_256.create();
+        hasher.update(keys.publicKey);
+        const hash = hasher.digest();
+
+        const privateKey = new Uint8Array(this.privateKeyLen);
+        privateKey.set(keys.privateKey);
+        privateKey.set(keys.publicKey, keys.privateKey.length);
+        privateKey.set(hash, keys.privateKey.length + keys.publicKey.length);
+        privateKey.set(seedB, keys.privateKey.length + keys.publicKey.length + 32);
+
+        return {
+            publicKey: keys.publicKey,
+            privateKey,
+        };
+    }
+    encapsulate(publicKey: Uint8Array, seed: Uint8Array = randomBytes(32)): { sharedKey: Uint8Array, ciphertext: Uint8Array } {
+        if (publicKey.length !== this.publicKeyLen)
+            throw new Error(`Public key should be of length ${this.publicKeyLen}`);
+        if (seed.length !== 32)
+            throw new Error(`Seed should be of length 32`);
+
+        const ek = publicKey.subarray(0, 384 * this.par.K);
+        const eke = new Uint16Array(N * this.par.K);
+        byteDecodeTo(eke, ek, 12);
+        if (!eke.every((value) => value < Q))
+            throw new Error(`Invalid private key - values are not in range [0, 3329)`);
+
+        const hasherH = sha3_512.create();
+        hasherH.update(seed);
+
+        const hasherG = sha3_256.create();
+        hasherG.update(publicKey);
+        hasherH.update(hasherG.digest());
+
+        const hash = hasherH.digest();
+        const ciphertext = this.PKE.encrypt(seed, publicKey, hash.subarray(32));
+        return {
+            sharedKey: hash.subarray(0, 32),
+            ciphertext,
+        };
+    }
+    decapsulate(ciphertext: Uint8Array, privateKey: Uint8Array): Uint8Array {
+        if (ciphertext.length !== this.ciphertextLen)
+            throw new Error(`Ciphertext should be of length ${this.ciphertextLen}`);
+        if (privateKey.length !== this.privateKeyLen)
+            throw new Error(`Private key should be of length ${this.privateKeyLen}`);
+
+        const checkHasher = sha3_256.create();
+        const dKeyLen = 384 * this.par.K;
+        const eKeyLen = dKeyLen + 32;
+        const eKey = privateKey.subarray(dKeyLen, dKeyLen + eKeyLen);
+
+        checkHasher.update(eKey);
+        const checkHash = checkHasher.digest();
+        const hashInMessage = privateKey.subarray(dKeyLen + eKeyLen, dKeyLen + eKeyLen + 32);
+        if (!checkHash.every((index) => checkHash[index] === hashInMessage[index]))
+            throw new Error(`Decryption key does not math its hash encoded in private key`);
+
+        const dKey = privateKey.subarray(0, dKeyLen);
+        const cand = this.PKE.decrypt(ciphertext, dKey);
+
+        const hasherH = sha3_512.create();
+        hasherH.update(cand);
+        hasherH.update(checkHash);
+        const hash = hasherH.digest();
+
+        const resCiphertext = this.PKE.encrypt(cand, eKey, hash.subarray(32));
+
+        const rejZ = privateKey.subarray(dKeyLen + eKeyLen + 32);
+        const rejectionHasher = shake256.create({ dkLen: 32 });
+        rejectionHasher.update(rejZ);
+        rejectionHasher.update(ciphertext);
+        if (!ciphertext.every((index) => ciphertext[index] === resCiphertext[index]))
+            return rejectionHasher.digest();
+
+        return hash.subarray(0, 32);
+    }
+};
+
+export const kyber_pke512 = new kyberPKE(kyberParams.v512);
+export const kyber_pke768 = new kyberPKE(kyberParams.v768);
+export const kyber_pke1024 = new kyberPKE(kyberParams.v1024);
+
+export const kyber_kem512 = new kyberKEM(kyberParams.v512, kyber_pke512);
+export const kyber_kem768 = new kyberKEM(kyberParams.v768, kyber_pke768);
+export const kyber_kem1024 = new kyberKEM(kyberParams.v1024, kyber_pke1024);

package/package.json

@@ -0,0 +1,27 @@
+{
+    "name": "kyber-mini",
+    "version": "1.0.0",
+    "description": "A lightweight kyber PKE and KEM library",
+    "license": "MIT",
+    "author": "rag27",
+    "type": "module",
+    "main": "index.js",
+    "exports": {
+        ".": {
+            "types": "./index.ts",
+            "import": "./dist/index.js",
+            "require": "./dist/index.cjs"
+        }
+    },
+    "devDependencies": {
+        "@types/bun": "^1.3.6",
+        "@types/node": "^25.0.8"
+    },
+    "dependencies": {
+        "@noble/hashes": "^2.0.1"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://codeberg.org/RAG27/kyber"
+    }
+}

package/utils.ts

@@ -0,0 +1,202 @@
+import { shake128, shake256 } from "@noble/hashes/sha3.js";
+const Q = 3329;
+const N = 256;
+function mulMod(a: number, b: number) {
+    return (a * b) % Q;
+}
+export function addMod(a: number, b: number) {
+    return (a + b) % Q;
+}
+export function subMod(a: number, b: number) {
+    return (a - b + Q) % Q;
+}
+const zetas = new Uint16Array([
+    1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797, 2786, 3260, 569, 1746, 296,
+    2447, 1339, 1476, 3046, 56, 2240, 1333, 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289,
+    331, 3253, 1756, 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915, 2319,
+    1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648, 2474, 3110, 1227, 910, 17,
+    2761, 583, 2649, 1637, 723, 2288, 1100, 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703,
+    1651, 2789, 1789, 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641, 1584,
+    2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757, 2099, 561, 2466, 2594, 2804,
+    1092, 403, 1026, 1143, 2150, 2775, 886, 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154,
+]);
+const invZetas = new Uint16Array([
+    1600, 40, 749, 2481, 1432, 2699, 687, 1583, 2760, 69, 543, 2532, 3136, 1410, 2267, 2508,
+    1355, 450, 936, 447, 2794, 1235, 1903, 1996, 1089, 3273, 283, 1853, 1990, 882, 3033, 2419,
+    2102, 219, 855, 2681, 1848, 712, 682, 927, 1795, 461, 1891, 2877, 2522, 1894, 1010, 1414,
+    2009, 3296, 464, 2697, 816, 1352, 2679, 1274, 1052, 1025, 2132, 1573, 76, 2998, 3040, 1175,
+    2444, 394, 1219, 2300, 1455, 2117, 1607, 2443, 554, 1179, 2186, 2303, 2926, 2237, 525, 735,
+    863, 2768, 1230, 2572, 556, 3010, 2266, 1684, 1239, 780, 2954, 109, 1292, 1031, 1745, 2688,
+    3061, 992, 2596, 941, 892, 1021, 2390, 642, 1868, 2377, 1482, 1540, 540, 1678, 1626, 279,
+    314, 1173, 2573, 3096, 48, 667, 1920, 2229, 1041, 2606, 1692, 680, 2746, 568, 3312,
+]);
+export function NTT(pol: Uint16Array) {
+    for (let endLength = N / 2, m = 0; endLength >= 2; endLength /= 2) {
+        for (let start = 0; start < N; start += 2 * endLength, m++) {
+            for (let index = start; index < start + endLength; index++) {
+                const t = mulMod(pol[index + endLength], zetas[m]);
+                pol[index + endLength] = subMod(pol[index], t);
+                pol[index] = addMod(pol[index], t);
+            }
+        }
+    }
+}
+const kyberInv2 = (((Q + 1) / 2)) % Q;
+export function INTT(pol: Uint16Array) {
+    for (let beginLength = 2, m = N / 2 - 2; beginLength <= 128; beginLength *= 2) {
+        for (let start = 256 - 2 * beginLength; start >= 0; start -= 2 * beginLength, m--) {
+            for (let index = start; index < start + beginLength; index++) {
+                const pa = pol[index];
+                pol[index] = mulMod(addMod(pol[index], pol[index + beginLength]), kyberInv2);
+                pol[index + beginLength] = mulMod(subMod(pa, pol[index + beginLength]), mulMod(kyberInv2, invZetas[m]));
+            }
+        }
+    }
+}
+export function mulNTT(pol1: Uint16Array, pol2: Uint16Array) {
+    const max = (N / 2 - 2);
+    let m = 0;
+    for (let index = N - 2; index >= 0; index -= 2) {
+        let z;
+        if ((m & 1) === 0)
+            z = subMod(0, zetas[max - m / 2]);
+        else
+            z = zetas[max - (m - 1) / 2];
+        const save = pol1[index];
+        pol1[index] = addMod(
+            mulMod(pol1[index], pol2[index]),
+            mulMod(
+                z,
+                mulMod(pol1[index + 1], pol2[index + 1])
+            )
+        );
+        pol1[index + 1] = addMod(
+            mulMod(save, pol2[index + 1]),
+            mulMod(pol2[index], pol1[index + 1])
+        );
+        m++;
+    }
+}
+export function addPol(pol1: Uint16Array, pol2: Uint16Array) {
+    for (let index = 0; index < N; index++)
+        pol1[index] = addMod(pol1[index], pol2[index]);
+}
+function sampleNTT(seed: Uint8Array, i: number, j: number) {
+    const ret: Uint16Array = new Uint16Array(N);
+    const hasher = shake128.create({ dkLen: 840 });
+    hasher.update(seed);
+    hasher.update(new Uint8Array([j]));
+    hasher.update(new Uint8Array([i]));
+    const allC = hasher.digest();
+    for (let i = 0, limit = 0; i < N && limit < 280; limit++) {
+        const d1 = allC[limit * 3] + N * (allC[limit * 3 + 1] & ((1 << 4) - 1));
+        const d2 = ((allC[limit * 3 + 1] >> 4) | 0) + (allC[limit * 3 + 2] << 4);
+        if (d1 < Q)
+            ret[i++] = d1;
+        if (d2 < Q && i < N)
+            ret[i++] = d2;
+    }
+    return ret;
+}
+export function byteDecodeTo(to: Uint16Array, bytes: Uint8Array, d: number) {
+    for (let i = 0, byte = 0, left = 8; i < to.length; i++) {
+        to[i] = 0;
+        for (let current = d; current > 0;) {
+            const move = Math.min(current, left);
+            to[i] += ((bytes[byte] >> (8 - left)) & ((1 << move) - 1)) << (d - current);
+            current -= move;
+            left -= move;
+            if (left === 0) {
+                left = 8;
+                byte++;
+            }
+        }
+    }
+}
+export function byteEncode(array: Uint16Array, d: number) {
+    const ret = new Uint8Array(Math.ceil(array.length * d / 8));
+    for (let i = 0, byte = 0, left = 8; i < array.length; i++) {
+        let a = array[i];
+        for (let current = d; current > 0;) {
+            const move = Math.min(current, left);
+            ret[byte] += (a & ((1 << move) - 1)) << (8 - left);
+            current -= move;
+            a >>= move;
+            left -= move;
+            if (left === 0) {
+                left = 8;
+                byte++;
+            }
+        }
+    }
+    return ret;
+}
+export function samplePolCBD(seed: Uint8Array, eta: number) {
+    const pol: Uint16Array = new Uint16Array(N);
+    for (let i = 0, byte = 0, number = 0; i < N; i++) {
+        let x = 0;
+        for (let j = 0; j < eta; j++) {
+            x += 1 & (seed[byte] >> number++);
+            if (number === 8) {
+                byte++;
+                number = 0;
+            }
+        }
+        let y = 0;
+        for (let j = 0; j < eta; j++) {
+            y += 1 & (seed[byte] >> number++);
+            if (number === 8) {
+                byte++;
+                number = 0;
+            }
+        }
+        pol[i] = subMod(x, y);
+    }
+    return pol;
+}
+export function pseudoRandom(seed: Uint8Array, salt: number, eta: number): Uint8Array {
+    const hasher = shake256.create({ dkLen: eta << 6 });
+    hasher.update(seed)
+    hasher.update(new Uint8Array([salt]));
+    return hasher.digest();
+}
+export function expandA(seed: Uint8Array, K: number) {
+    const ret = new Uint16Array(K * K * N);
+    for (let i = 0; i < K; i++) {
+        for (let j = 0; j < K; j++) {
+            const pol = sampleNTT(seed, i, j);
+            ret.set(pol, (i * K + j) * N);
+        }
+    }
+    return ret;
+}
+export function compress(array: Uint16Array, d: number) {
+    const powd = 1 << d;
+    for (let i = 0; i < array.length; i++) {
+        const mod = (array[i] * powd) % Q;
+        if (mod >= Q - mod)
+            array[i] = (((array[i] * powd + Q - 1) / Q) | 0) & (powd - 1);
+        else
+            array[i] = (((array[i] * powd) / Q) | 0) & (powd - 1);
+    }
+}
+export function decompress(array: Uint16Array, d: number) {
+    const powd = 1 << d;
+    for (let i = 0; i < array.length; i++) {
+        const mod = array[i] * Q & (powd - 1);
+        if ((array[i] * Q) >= powd - mod)
+            array[i] = (((array[i] * Q + powd - 1) / powd) | 0);
+        else
+            array[i] = (((array[i] * Q) / powd) | 0);
+    }
+}
+export function randomBytes(n: number): Uint8Array {
+    const ret = new Uint8Array(n);
+    crypto.getRandomValues(ret);
+    return ret;
+}
+export function round(n: number) {
+    if (n <= ((Q / 4) | 0) || n >= subMod(0, (Q / 4) | 0))
+        return 0;
+    return 1;
+}