utxo-lib 1.1.2 → 1.1.4
Sign up to get free protection for your applications and to get access to all the features.
- package/README.md +16 -19
- package/dist/src/bitgo/PsbtUtil.d.ts +0 -5
- package/dist/src/bitgo/PsbtUtil.d.ts.map +1 -1
- package/dist/src/bitgo/PsbtUtil.js +2 -15
- package/dist/src/bitgo/UtxoPsbt.d.ts +0 -9
- package/dist/src/bitgo/UtxoPsbt.d.ts.map +1 -1
- package/dist/src/bitgo/UtxoPsbt.js +12 -42
- package/dist/src/bitgo/index.d.ts +0 -1
- package/dist/src/bitgo/index.d.ts.map +1 -1
- package/dist/src/bitgo/index.js +2 -3
- package/dist/src/bitgo/parseInput.js +2 -2
- package/dist/src/bitgo/wallet/Psbt.d.ts +0 -14
- package/dist/src/bitgo/wallet/Psbt.d.ts.map +1 -1
- package/dist/src/bitgo/wallet/Psbt.js +3 -71
- package/dist/src/bitgo/wallet/WalletOutput.d.ts +1 -17
- package/dist/src/bitgo/wallet/WalletOutput.d.ts.map +1 -1
- package/dist/src/bitgo/wallet/WalletOutput.js +23 -64
- package/dist/src/bitgo/wallet/chains.d.ts +1 -1
- package/dist/src/bitgo/zcash/ZcashPsbt.d.ts +1 -0
- package/dist/src/bitgo/zcash/ZcashPsbt.d.ts.map +1 -1
- package/dist/src/bitgo/zcash/ZcashPsbt.js +12 -3
- package/dist/src/testutil/keys.d.ts +0 -3
- package/dist/src/testutil/keys.d.ts.map +1 -1
- package/dist/src/testutil/keys.js +2 -17
- package/dist/src/testutil/psbt.d.ts +5 -23
- package/dist/src/testutil/psbt.d.ts.map +1 -1
- package/dist/src/testutil/psbt.js +13 -16
- package/dist/src/testutil/transaction.d.ts +5 -14
- package/dist/src/testutil/transaction.d.ts.map +1 -1
- package/dist/src/testutil/transaction.js +9 -9
- package/package.json +5 -5
- package/dist/src/base_crypto.d.ts +0 -14
- package/dist/src/base_crypto.d.ts.map +0 -1
- package/dist/src/base_crypto.js +0 -215
- package/dist/src/bitgo/legacysafe/index.d.ts +0 -15
- package/dist/src/bitgo/legacysafe/index.d.ts.map +0 -1
- package/dist/src/bitgo/legacysafe/index.js +0 -61
- package/dist/src/musig.d.ts +0 -390
- package/dist/src/musig.d.ts.map +0 -1
- package/dist/src/musig.js +0 -447
package/dist/src/musig.js
DELETED
@@ -1,447 +0,0 @@
|
|
1
|
-
"use strict";
|
2
|
-
/* ! musig-js - MIT License (c) 2022 Brandon Black */
|
3
|
-
// https://github.com/ElementsProject/secp256k1-zkp/blob/master/doc/musig-spec.mediawiki
|
4
|
-
// Roughly based on the secp256k1-zkp implementation
|
5
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
-
exports.MuSigFactory = void 0;
|
7
|
-
const TAGS = {
|
8
|
-
challenge: 'BIP0340/challenge',
|
9
|
-
keyagg_list: 'KeyAgg list',
|
10
|
-
keyagg_coef: 'KeyAgg coefficient',
|
11
|
-
musig_aux: 'MuSig/aux',
|
12
|
-
musig_nonce: 'MuSig/nonce',
|
13
|
-
musig_deterministic_nonce: 'MuSig/deterministic/nonce',
|
14
|
-
musig_noncecoef: 'MuSig/noncecoef',
|
15
|
-
};
|
16
|
-
/**
|
17
|
-
* Compares two 32-byte Uint8Arrays in byte order.
|
18
|
-
* @returns < 0, 0, > 0 if a is < b, === b or > b respectively
|
19
|
-
*/
|
20
|
-
function compare32b(a, b) {
|
21
|
-
if (a.length !== 32 || b.length !== 32)
|
22
|
-
throw new Error('Invalid array');
|
23
|
-
const aD = new DataView(a.buffer, a.byteOffset, a.length);
|
24
|
-
const bD = new DataView(b.buffer, b.byteOffset, b.length);
|
25
|
-
for (let i = 0; i < 8; i++) {
|
26
|
-
const cmp = aD.getUint32(i * 4) - bD.getUint32(i * 4);
|
27
|
-
if (cmp !== 0)
|
28
|
-
return cmp;
|
29
|
-
}
|
30
|
-
return 0;
|
31
|
-
}
|
32
|
-
/**
|
33
|
-
* Compares two 33-byte Uint8Arrays in byte order.
|
34
|
-
* @returns < 0, 0, > 0 if a is < b, === b or > b respectively
|
35
|
-
*/
|
36
|
-
function compare33b(a, b) {
|
37
|
-
if (a.length !== 33 || b.length !== 33)
|
38
|
-
throw new Error('Invalid array');
|
39
|
-
const cmp = a[0] - b[0];
|
40
|
-
if (cmp !== 0)
|
41
|
-
return cmp;
|
42
|
-
return compare32b(a.subarray(1), b.subarray(1));
|
43
|
-
}
|
44
|
-
const makeSessionId = typeof self === 'object' && (self.crypto || self.msCrypto)
|
45
|
-
? () => (self.crypto || self.msCrypto).getRandomValues(new Uint8Array(32)) // Browsers
|
46
|
-
: () => require('crypto').randomBytes(32); // Node
|
47
|
-
const _keyAggCache = new WeakMap();
|
48
|
-
// Caches coefficients associated with an array of public keys
|
49
|
-
const _coefCache = new WeakMap();
|
50
|
-
// Caches secret nonces. We do this internally to help users ensure that they
|
51
|
-
// do not reuse a secret nonce.
|
52
|
-
const _nonceCache = new WeakMap();
|
53
|
-
// Caches signing sessions. We do this internally to help users ensure that
|
54
|
-
// these session values were generated on the signer, and are not accepted from
|
55
|
-
// an untrusted third party.
|
56
|
-
const _sessionCache = new WeakMap();
|
57
|
-
function MuSigFactory(ecc) {
|
58
|
-
const CPOINT_INF = new Uint8Array(33);
|
59
|
-
const SCALAR_0 = new Uint8Array(32);
|
60
|
-
const SCALAR_1 = new Uint8Array(32);
|
61
|
-
SCALAR_1[31] = 1;
|
62
|
-
const SCALAR_MINUS_1 = ecc.scalarNegate(SCALAR_1);
|
63
|
-
function keyAggCoeff(publicKeys, publicKey) {
|
64
|
-
let coefCache = _coefCache.get(publicKeys);
|
65
|
-
if (coefCache === undefined) {
|
66
|
-
coefCache = new Map();
|
67
|
-
_coefCache.set(publicKeys, coefCache);
|
68
|
-
}
|
69
|
-
let coefficient = coefCache.get(publicKey);
|
70
|
-
if (coefficient)
|
71
|
-
return coefficient;
|
72
|
-
coefficient = SCALAR_1;
|
73
|
-
let secondPublicKey;
|
74
|
-
let publicKeyHash;
|
75
|
-
let keyAggCache = _keyAggCache.get(publicKeys);
|
76
|
-
if (keyAggCache === undefined) {
|
77
|
-
// Index of the first occurrence of the second unique public key.
|
78
|
-
const pkIdx2 = publicKeys.findIndex((pk) => compare33b(pk, publicKeys[0]) !== 0);
|
79
|
-
secondPublicKey = publicKeys[pkIdx2]; // undefined if pkIdx2 === -1
|
80
|
-
publicKeyHash = ecc.taggedHash(TAGS.keyagg_list, ...publicKeys);
|
81
|
-
keyAggCache = { publicKeyHash, secondPublicKey };
|
82
|
-
_keyAggCache.set(publicKeys, keyAggCache);
|
83
|
-
}
|
84
|
-
else {
|
85
|
-
({ publicKeyHash, secondPublicKey } = keyAggCache);
|
86
|
-
}
|
87
|
-
if (secondPublicKey === undefined || compare33b(publicKey, secondPublicKey) !== 0) {
|
88
|
-
coefficient = ecc.taggedHash(TAGS.keyagg_coef, publicKeyHash, publicKey);
|
89
|
-
}
|
90
|
-
coefCache.set(publicKey, coefficient);
|
91
|
-
return coefficient;
|
92
|
-
}
|
93
|
-
function addTweak(ctx, t) {
|
94
|
-
const tweak = 'tweak' in t ? t : { tweak: t };
|
95
|
-
if (!ecc.isScalar(tweak.tweak))
|
96
|
-
throw new TypeError('Expected tweak to be a valid scalar with curve order');
|
97
|
-
let { gacc, tacc } = ctx;
|
98
|
-
let aggPublicKey = ctx.aggPublicKey;
|
99
|
-
if (!ecc.hasEvenY(aggPublicKey) && tweak.xOnly) {
|
100
|
-
// g = -1
|
101
|
-
gacc = ecc.scalarNegate(gacc); // g * gacc mod n
|
102
|
-
tacc = ecc.scalarNegate(tacc); // g * tacc mod n
|
103
|
-
aggPublicKey = ecc.pointNegate(aggPublicKey); // g * Q
|
104
|
-
}
|
105
|
-
aggPublicKey = ecc.pointAddTweak(aggPublicKey, tweak.tweak, false); // g * Q + t * G
|
106
|
-
if (aggPublicKey === null)
|
107
|
-
throw new Error('Unexpected point at infinity during tweaking');
|
108
|
-
tacc = ecc.scalarAdd(tweak.tweak, tacc); // t + g * tacc mod n
|
109
|
-
return { aggPublicKey, gacc, tacc };
|
110
|
-
}
|
111
|
-
function keyAgg(publicKeys, ...tweaks) {
|
112
|
-
checkArgs({ publicKeys });
|
113
|
-
const multipliedPublicKeys = publicKeys.map((publicKey) => {
|
114
|
-
const coefficient = keyAggCoeff(publicKeys, publicKey);
|
115
|
-
let multipliedPublicKey;
|
116
|
-
if (compare32b(coefficient, SCALAR_1) === 0) {
|
117
|
-
multipliedPublicKey = publicKey;
|
118
|
-
}
|
119
|
-
else {
|
120
|
-
multipliedPublicKey = ecc.pointMultiplyUnsafe(publicKey, coefficient, false);
|
121
|
-
}
|
122
|
-
if (multipliedPublicKey === null)
|
123
|
-
throw new Error('Point at infinity during aggregation');
|
124
|
-
return multipliedPublicKey;
|
125
|
-
});
|
126
|
-
const aggPublicKey = multipliedPublicKeys.reduce((a, b) => {
|
127
|
-
const next = ecc.pointAdd(a, b, false);
|
128
|
-
if (next === null)
|
129
|
-
throw new Error('Point at infinity during aggregation');
|
130
|
-
return next;
|
131
|
-
});
|
132
|
-
return tweaks.reduce((ctx, tweak) => addTweak(ctx, tweak), {
|
133
|
-
aggPublicKey,
|
134
|
-
gacc: SCALAR_1,
|
135
|
-
tacc: SCALAR_0,
|
136
|
-
});
|
137
|
-
}
|
138
|
-
function getSessionValues(sessionKey) {
|
139
|
-
const sessionValues = _sessionCache.get(sessionKey);
|
140
|
-
if (!sessionValues)
|
141
|
-
throw new Error('Invalid session key, please call `startSigningSession`');
|
142
|
-
return sessionValues;
|
143
|
-
}
|
144
|
-
function nonceAgg(publicNonces) {
|
145
|
-
checkArgs({ publicNonces });
|
146
|
-
const aggNonces = [publicNonces[0].subarray(0, 33), publicNonces[0].subarray(33)];
|
147
|
-
for (let i = 1; i < publicNonces.length; i++) {
|
148
|
-
if (aggNonces[0] !== null)
|
149
|
-
aggNonces[0] = ecc.pointAdd(aggNonces[0], publicNonces[i].subarray(0, 33), false);
|
150
|
-
if (aggNonces[1] !== null)
|
151
|
-
aggNonces[1] = ecc.pointAdd(aggNonces[1], publicNonces[i].subarray(33), false);
|
152
|
-
}
|
153
|
-
const aggNonce = new Uint8Array(66);
|
154
|
-
if (aggNonces[0] !== null)
|
155
|
-
aggNonce.set(ecc.pointCompress(aggNonces[0]), 0);
|
156
|
-
if (aggNonces[1] !== null)
|
157
|
-
aggNonce.set(ecc.pointCompress(aggNonces[1]), 33);
|
158
|
-
return aggNonce;
|
159
|
-
}
|
160
|
-
function startSigningSessionInner(aggNonce, msg, publicKeys, ctx) {
|
161
|
-
const pubKeyX = ecc.pointX(ctx.aggPublicKey);
|
162
|
-
const coefficient = ecc.taggedHash(TAGS.musig_noncecoef, aggNonce, pubKeyX, msg);
|
163
|
-
const aggNonces = [aggNonce.subarray(0, 33), aggNonce.subarray(33)];
|
164
|
-
// This is kinda ugly, but crypto.pointAdd doesn't work on 0-coded infinity
|
165
|
-
let r = null;
|
166
|
-
if (compare33b(aggNonces[1], CPOINT_INF) !== 0 && compare33b(aggNonces[0], CPOINT_INF) !== 0) {
|
167
|
-
r = ecc.pointMultiplyAndAddUnsafe(aggNonces[1], coefficient, aggNonces[0], false);
|
168
|
-
}
|
169
|
-
else if (compare33b(aggNonces[0], CPOINT_INF) !== 0) {
|
170
|
-
r = ecc.pointCompress(aggNonces[0], false);
|
171
|
-
}
|
172
|
-
else if (compare33b(aggNonces[1], CPOINT_INF) !== 0) {
|
173
|
-
r = ecc.pointMultiplyUnsafe(aggNonces[1], coefficient, false);
|
174
|
-
}
|
175
|
-
if (r === null)
|
176
|
-
r = ecc.getPublicKey(SCALAR_1, false);
|
177
|
-
if (r === null)
|
178
|
-
throw new Error('Failed to get G');
|
179
|
-
const challenge = ecc.scalarMod(ecc.taggedHash(TAGS.challenge, ecc.pointX(r), pubKeyX, msg));
|
180
|
-
const key = { publicKey: ctx.aggPublicKey, aggNonce, msg };
|
181
|
-
_sessionCache.set(key, { ...ctx, coefficient, challenge, finalNonce: r, publicKeys });
|
182
|
-
return key;
|
183
|
-
}
|
184
|
-
function partialVerifyInner({ sig, publicKey, publicNonces, sessionKey, }) {
|
185
|
-
const { msg } = sessionKey;
|
186
|
-
const { aggPublicKey, gacc, challenge, coefficient, finalNonce, publicKeys } = getSessionValues(sessionKey);
|
187
|
-
const rePrime = ecc.pointMultiplyAndAddUnsafe(publicNonces[1], coefficient, publicNonces[0], false);
|
188
|
-
if (rePrime === null)
|
189
|
-
throw new Error('Unexpected public nonce at infinity');
|
190
|
-
const re = ecc.hasEvenY(finalNonce) ? rePrime : ecc.pointNegate(rePrime);
|
191
|
-
const a = keyAggCoeff(publicKeys, publicKey);
|
192
|
-
const g = ecc.hasEvenY(aggPublicKey) ? gacc : ecc.scalarNegate(gacc);
|
193
|
-
const ea = ecc.scalarMultiply(challenge, a);
|
194
|
-
const eag = ecc.scalarMultiply(ea, g);
|
195
|
-
const ver = ecc.pointMultiplyAndAddUnsafe(publicKey, eag, re, true);
|
196
|
-
if (ver === null)
|
197
|
-
throw new Error('Unexpected verification point at infinity');
|
198
|
-
const sG = ecc.getPublicKey(sig, true);
|
199
|
-
if (sG === null)
|
200
|
-
throw new Error('Unexpected signature point at infinity');
|
201
|
-
return compare33b(ver, sG) === 0;
|
202
|
-
}
|
203
|
-
function partialSignInner({ secretKey, publicKey, secretNonces, sessionKey, }) {
|
204
|
-
const { msg } = sessionKey;
|
205
|
-
const { aggPublicKey, gacc, challenge, coefficient, finalNonce, publicKeys } = getSessionValues(sessionKey);
|
206
|
-
const [k1, k2] = secretNonces.map((k) => (ecc.hasEvenY(finalNonce) ? k : ecc.scalarNegate(k)));
|
207
|
-
const a = keyAggCoeff(publicKeys, publicKey);
|
208
|
-
const g = ecc.hasEvenY(aggPublicKey) ? gacc : ecc.scalarNegate(gacc);
|
209
|
-
const d = ecc.scalarMultiply(g, secretKey);
|
210
|
-
const bk2 = ecc.scalarMultiply(coefficient, k2);
|
211
|
-
const k1bk2 = ecc.scalarAdd(k1, bk2);
|
212
|
-
const ea = ecc.scalarMultiply(challenge, a);
|
213
|
-
const ead = ecc.scalarMultiply(ea, d);
|
214
|
-
const sig = ecc.scalarAdd(k1bk2, ead);
|
215
|
-
return sig;
|
216
|
-
}
|
217
|
-
function partialSign({ secretKey, publicNonce, sessionKey, verify = true, }) {
|
218
|
-
checkArgs({ publicNonce, secretKey });
|
219
|
-
const secretNonce = _nonceCache.get(publicNonce);
|
220
|
-
if (secretNonce === undefined)
|
221
|
-
throw new Error('No secret nonce found for specified public nonce');
|
222
|
-
_nonceCache.delete(publicNonce);
|
223
|
-
const publicKey = ecc.getPublicKey(secretKey, true);
|
224
|
-
if (publicKey === null)
|
225
|
-
throw new Error('Invalid secret key, no corresponding public key');
|
226
|
-
if (compare33b(publicKey, secretNonce.subarray(64)) !== 0)
|
227
|
-
throw new Error('Secret nonce pubkey mismatch');
|
228
|
-
const secretNonces = [secretNonce.subarray(0, 32), secretNonce.subarray(32, 64)];
|
229
|
-
const sig = partialSignInner({
|
230
|
-
secretKey,
|
231
|
-
publicKey,
|
232
|
-
secretNonces,
|
233
|
-
sessionKey,
|
234
|
-
});
|
235
|
-
if (verify) {
|
236
|
-
const publicNonces = [publicNonce.subarray(0, 33), publicNonce.subarray(33)];
|
237
|
-
const valid = partialVerifyInner({
|
238
|
-
sig,
|
239
|
-
publicKey,
|
240
|
-
publicNonces,
|
241
|
-
sessionKey,
|
242
|
-
});
|
243
|
-
if (!valid)
|
244
|
-
throw new Error('Partial signature failed verification');
|
245
|
-
}
|
246
|
-
return sig;
|
247
|
-
}
|
248
|
-
function deterministicSign({ secretKey, aggOtherNonce, publicKeys, tweaks = [], msg, rand, verify = true, nonceOnly = false, }) {
|
249
|
-
// No need to check msg, its max size is larger than JS typed array limit
|
250
|
-
checkArgs({ rand, secretKey, aggOtherNonce });
|
251
|
-
const publicKey = ecc.getPublicKey(secretKey, true);
|
252
|
-
if (publicKey === null)
|
253
|
-
throw new Error('Secret key has no corresponding public key');
|
254
|
-
let secretKeyPrime;
|
255
|
-
if (rand !== undefined) {
|
256
|
-
secretKeyPrime = ecc.taggedHash(TAGS.musig_aux, rand);
|
257
|
-
for (let i = 0; i < 32; i++) {
|
258
|
-
secretKeyPrime[i] = secretKeyPrime[i] ^ secretKey[i];
|
259
|
-
}
|
260
|
-
}
|
261
|
-
else {
|
262
|
-
secretKeyPrime = secretKey;
|
263
|
-
}
|
264
|
-
const ctx = keyAgg(publicKeys, ...tweaks);
|
265
|
-
const aggPublicKey = ecc.pointX(ctx.aggPublicKey);
|
266
|
-
const mLength = new Uint8Array(8);
|
267
|
-
new DataView(mLength.buffer).setBigUint64(0, BigInt(msg.length));
|
268
|
-
const secretNonce = new Uint8Array(97);
|
269
|
-
const publicNonce = new Uint8Array(66);
|
270
|
-
for (let i = 0; i < 2; i++) {
|
271
|
-
const kH = ecc.taggedHash(TAGS.musig_deterministic_nonce, ...[secretKeyPrime, aggOtherNonce, aggPublicKey, mLength, msg, Uint8Array.of(i)]);
|
272
|
-
const k = ecc.scalarMod(kH);
|
273
|
-
if (compare32b(SCALAR_0, k) === 0)
|
274
|
-
throw new Error('0 secret nonce');
|
275
|
-
const pub = ecc.getPublicKey(k, true);
|
276
|
-
if (pub === null)
|
277
|
-
throw new Error('Secret nonce has no corresponding public nonce');
|
278
|
-
secretNonce.set(k, i * 32);
|
279
|
-
publicNonce.set(pub, i * 33);
|
280
|
-
}
|
281
|
-
secretNonce.set(publicKey, 64);
|
282
|
-
if (nonceOnly)
|
283
|
-
return { publicNonce };
|
284
|
-
_nonceCache.set(publicNonce, secretNonce);
|
285
|
-
const aggNonce = nonceAgg([aggOtherNonce, publicNonce]);
|
286
|
-
const sessionKey = startSigningSessionInner(aggNonce, msg, publicKeys, ctx);
|
287
|
-
const sig = partialSign({
|
288
|
-
secretKey,
|
289
|
-
publicNonce,
|
290
|
-
sessionKey,
|
291
|
-
verify,
|
292
|
-
});
|
293
|
-
return { sig, sessionKey, publicNonce };
|
294
|
-
}
|
295
|
-
// TODO: Improve arg checking now that we have startSigningSession
|
296
|
-
const pubKeyArgs = ['publicKey', 'publicKeys'];
|
297
|
-
const scalarArgs = ['tweak', 'sig', 'sigs', 'tacc', 'gacc'];
|
298
|
-
const otherArgs32b = ['xOnlyPublicKey', 'rand', 'sessionId'];
|
299
|
-
const args32b = ['secretKey', ...scalarArgs, ...otherArgs32b];
|
300
|
-
const pubNonceArgs = ['publicNonce', 'publicNonces', 'aggNonce', 'aggOtherNonce', 'finalNonce'];
|
301
|
-
const otherArgs = ['aggPublicKey', 'secretNonce'];
|
302
|
-
const argLengths = new Map();
|
303
|
-
args32b.forEach((a) => argLengths.set(a, 32));
|
304
|
-
pubKeyArgs.forEach((a) => argLengths.set(a, 33));
|
305
|
-
pubNonceArgs.forEach((a) => argLengths.set(a, 66));
|
306
|
-
argLengths.set('secretNonce', 97);
|
307
|
-
argLengths.set('aggPublicKey', 65);
|
308
|
-
const scalarNames = new Set();
|
309
|
-
scalarArgs.forEach((n) => scalarNames.add(n));
|
310
|
-
function checkArgs(args) {
|
311
|
-
for (let [name, values] of Object.entries(args)) {
|
312
|
-
if (values === undefined)
|
313
|
-
continue;
|
314
|
-
values = Array.isArray(values) ? values : [values];
|
315
|
-
if (values.length === 0)
|
316
|
-
throw new TypeError(`0-length ${name}s not supported`);
|
317
|
-
for (const value of values) {
|
318
|
-
if (argLengths.get(name) !== value.length)
|
319
|
-
throw new TypeError(`Invalid ${name} length (${value.length})`);
|
320
|
-
if (name === 'secretKey') {
|
321
|
-
if (!ecc.isSecret(value))
|
322
|
-
throw new TypeError(`Invalid secretKey`);
|
323
|
-
}
|
324
|
-
else if (name === 'secretNonce') {
|
325
|
-
for (let i = 0; i < 64; i += 32) {
|
326
|
-
if (!ecc.isSecret(value.subarray(i, i + 32)))
|
327
|
-
throw new TypeError(`Invalid secretNonce`);
|
328
|
-
}
|
329
|
-
}
|
330
|
-
else if (scalarNames.has(name)) {
|
331
|
-
for (let i = 0; i < value.length; i += 32) {
|
332
|
-
if (!ecc.isScalar(value.subarray(i, i + 32)))
|
333
|
-
throw new TypeError(`Invalid ${name}`);
|
334
|
-
}
|
335
|
-
}
|
336
|
-
// No need for a public key x-to-curve check. They're liftX'd for use any way.
|
337
|
-
}
|
338
|
-
}
|
339
|
-
}
|
340
|
-
return {
|
341
|
-
getXOnlyPubkey: (ctx) => {
|
342
|
-
if ('aggPublicKey' in ctx)
|
343
|
-
return ecc.pointX(ctx.aggPublicKey);
|
344
|
-
return ecc.pointX(getSessionValues(ctx).aggPublicKey);
|
345
|
-
},
|
346
|
-
getPlainPubkey: (ctx) => {
|
347
|
-
if ('aggPublicKey' in ctx)
|
348
|
-
return ecc.pointCompress(ctx.aggPublicKey);
|
349
|
-
return ecc.pointCompress(getSessionValues(ctx).aggPublicKey);
|
350
|
-
},
|
351
|
-
keySort: (publicKeys) => {
|
352
|
-
checkArgs({ publicKeys });
|
353
|
-
// do not modify the original array
|
354
|
-
return [...publicKeys].sort((a, b) => compare33b(a, b));
|
355
|
-
},
|
356
|
-
keyAgg,
|
357
|
-
addTweaks: (ctx, ...tweaks) => {
|
358
|
-
checkArgs(ctx);
|
359
|
-
return tweaks.reduce((c, tweak) => addTweak(c, tweak), ctx);
|
360
|
-
},
|
361
|
-
nonceGen: ({ sessionId = makeSessionId(), secretKey, publicKey, xOnlyPublicKey, msg, extraInput, }) => {
|
362
|
-
if (extraInput !== undefined && extraInput.length > Math.pow(2, 32) - 1) {
|
363
|
-
throw new TypeError('extraInput is limited to 2^32-1 bytes');
|
364
|
-
}
|
365
|
-
// No need to check msg, its max size is larger than JS typed array limit
|
366
|
-
checkArgs({ sessionId, secretKey, publicKey, xOnlyPublicKey });
|
367
|
-
let rand;
|
368
|
-
if (secretKey !== undefined) {
|
369
|
-
rand = ecc.taggedHash(TAGS.musig_aux, sessionId);
|
370
|
-
for (let i = 0; i < 32; i++) {
|
371
|
-
rand[i] = rand[i] ^ secretKey[i];
|
372
|
-
}
|
373
|
-
}
|
374
|
-
else {
|
375
|
-
rand = sessionId;
|
376
|
-
}
|
377
|
-
if (xOnlyPublicKey === undefined)
|
378
|
-
xOnlyPublicKey = new Uint8Array();
|
379
|
-
const mPrefixed = [Uint8Array.of(0)];
|
380
|
-
if (msg !== undefined) {
|
381
|
-
mPrefixed[0][0] = 1;
|
382
|
-
mPrefixed.push(new Uint8Array(8));
|
383
|
-
new DataView(mPrefixed[1].buffer).setBigUint64(0, BigInt(msg.length));
|
384
|
-
mPrefixed.push(msg);
|
385
|
-
}
|
386
|
-
if (extraInput === undefined)
|
387
|
-
extraInput = new Uint8Array();
|
388
|
-
const eLength = new Uint8Array(4);
|
389
|
-
new DataView(eLength.buffer).setUint32(0, extraInput.length);
|
390
|
-
const secretNonce = new Uint8Array(97);
|
391
|
-
const publicNonce = new Uint8Array(66);
|
392
|
-
for (let i = 0; i < 2; i++) {
|
393
|
-
const kH = ecc.taggedHash(TAGS.musig_nonce, rand, Uint8Array.of(publicKey.length), publicKey, Uint8Array.of(xOnlyPublicKey.length), xOnlyPublicKey, ...mPrefixed, eLength, extraInput, Uint8Array.of(i));
|
394
|
-
const k = ecc.scalarMod(kH);
|
395
|
-
if (compare32b(SCALAR_0, k) === 0)
|
396
|
-
throw new Error('0 secret nonce');
|
397
|
-
const pub = ecc.getPublicKey(k, true);
|
398
|
-
if (pub === null)
|
399
|
-
throw new Error('Secret nonce has no corresponding public nonce');
|
400
|
-
secretNonce.set(k, i * 32);
|
401
|
-
publicNonce.set(pub, i * 33);
|
402
|
-
}
|
403
|
-
secretNonce.set(publicKey, 64);
|
404
|
-
_nonceCache.set(publicNonce, secretNonce);
|
405
|
-
return publicNonce;
|
406
|
-
},
|
407
|
-
addExternalNonce: (publicNonce, secretNonce) => {
|
408
|
-
checkArgs({ publicNonce, secretNonce });
|
409
|
-
_nonceCache.set(publicNonce, secretNonce);
|
410
|
-
},
|
411
|
-
deterministicNonceGen: (args) => deterministicSign({ ...args, nonceOnly: true }),
|
412
|
-
deterministicSign,
|
413
|
-
nonceAgg,
|
414
|
-
startSigningSession: (aggNonce, msg, publicKeys, ...tweaks) => {
|
415
|
-
checkArgs({ aggNonce });
|
416
|
-
const ctx = keyAgg(publicKeys, ...tweaks);
|
417
|
-
return startSigningSessionInner(aggNonce, msg, publicKeys, ctx);
|
418
|
-
},
|
419
|
-
partialSign,
|
420
|
-
partialVerify: ({ sig, publicKey, publicNonce, sessionKey, }) => {
|
421
|
-
checkArgs({ sig, publicKey, publicNonce });
|
422
|
-
const publicNonces = [publicNonce.subarray(0, 33), publicNonce.subarray(33)];
|
423
|
-
const valid = partialVerifyInner({
|
424
|
-
sig,
|
425
|
-
publicKey,
|
426
|
-
publicNonces,
|
427
|
-
sessionKey,
|
428
|
-
});
|
429
|
-
return valid;
|
430
|
-
},
|
431
|
-
signAgg: (sigs, sessionKey) => {
|
432
|
-
checkArgs({ sigs });
|
433
|
-
const { aggPublicKey, tacc, challenge, finalNonce } = getSessionValues(sessionKey);
|
434
|
-
let sPart = ecc.scalarMultiply(challenge, tacc);
|
435
|
-
if (!ecc.hasEvenY(aggPublicKey)) {
|
436
|
-
sPart = ecc.scalarNegate(sPart);
|
437
|
-
}
|
438
|
-
const aggS = sigs.reduce((a, b) => ecc.scalarAdd(a, b), sPart);
|
439
|
-
const sig = new Uint8Array(64);
|
440
|
-
sig.set(ecc.pointX(finalNonce), 0);
|
441
|
-
sig.set(aggS, 32);
|
442
|
-
return sig;
|
443
|
-
},
|
444
|
-
};
|
445
|
-
}
|
446
|
-
exports.MuSigFactory = MuSigFactory;
|
447
|
-
//# sourceMappingURL=data:application/json;base64,{"version":3,"file":"musig.js","sourceRoot":"","sources":["../../src/musig.ts"],"names":[],"mappings":";AAAA,qDAAqD;AACrD,wFAAwF;AACxF,oDAAoD;;;AAkbpD,MAAM,IAAI,GAAG;IACX,SAAS,EAAE,mBAAmB;IAC9B,WAAW,EAAE,aAAa;IAC1B,WAAW,EAAE,oBAAoB;IACjC,SAAS,EAAE,WAAW;IACtB,WAAW,EAAE,aAAa;IAC1B,yBAAyB,EAAE,2BAA2B;IACtD,eAAe,EAAE,iBAAiB;CAC1B,CAAC;AAEX;;;GAGG;AACH,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IACzE,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1D,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAC1D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1B,MAAM,GAAG,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtD,IAAI,GAAG,KAAK,CAAC;YAAE,OAAO,GAAG,CAAC;KAC3B;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,eAAe,CAAC,CAAC;IACzE,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACxB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAC1B,OAAO,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAGD,MAAM,aAAa,GACjB,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC;IACxD,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW;IACtF,CAAC,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO;AAOtD,MAAM,YAAY,GAAG,IAAI,OAAO,EAA6B,CAAC;AAE9D,8DAA8D;AAC9D,MAAM,UAAU,GAAG,IAAI,OAAO,EAA6C,CAAC;AAE5E,6EAA6E;AAC7E,+BAA+B;AAC/B,MAAM,WAAW,GAAG,IAAI,OAAO,EAA0B,CAAC;AAE1D,2EAA2E;AAC3E,+EAA+E;AAC/E,4BAA4B;AAC5B,MAAM,aAAa,GAAG,IAAI,OAAO,EAA6B,CAAC;AAE/D,SAAgB,YAAY,CAAC,GAAW;IACtC,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACpC,QAAQ,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IACjB,MAAM,cAAc,GAAG,GAAG,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElD,SAAS,WAAW,CAAC,UAAwB,EAAE,SAAqB;QAClE,IAAI,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3C,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;YAC9C,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;SACvC;QACD,IAAI,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,WAAW;YAAE,OAAO,WAAW,CAAC;QAEpC,WAAW,GAAG,QAAQ,CAAC;QACvB,IAAI,eAAe,CAAC;QACpB,IAAI,aAAa,CAAC;QAClB,IAAI,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,WAAW,KAAK,SAAS,EAAE;YAC7B,iEAAiE;YACjE,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;YACjF,eAAe,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,6BAA6B;YACnE,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,UAAU,CAAC,CAAC;YAChE,WAAW,GAAG,EAAE,aAAa,EAAE,eAAe,EAAE,CAAC;YACjD,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;SAC3C;aAAM;YACL,CAAC,EAAE,aAAa,EAAE,eAAe,EAAE,GAAG,WAAW,CAAC,CAAC;SACpD;QACD,IAAI,eAAe,KAAK,SAAS,IAAI,UAAU,CAAC,SAAS,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE;YACjF,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;SAC1E;QACD,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;QACtC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,SAAS,QAAQ,CAAC,GAAkB,EAAE,CAAQ;QAC5C,MAAM,KAAK,GAAG,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;QAC9C,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAC;QAC5G,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACzB,IAAI,YAAY,GAAsB,GAAG,CAAC,YAAY,CAAC;QAEvD,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE;YAC9C,SAAS;YACT,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAiB;YAChD,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAiB;YAChD,YAAY,GAAG,GAAG,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ;SACvD;QACD,YAAY,GAAG,GAAG,CAAC,aAAa,CAAC,YAAY,EAAE,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,gBAAgB;QACpF,IAAI,YAAY,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAC3F,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB;QAE9D,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,CAAC;IAED,SAAS,MAAM,CAAC,UAAwB,EAAE,GAAG,MAAe;QAC1D,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1B,MAAM,oBAAoB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE;YACxD,MAAM,WAAW,GAAG,WAAW,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YACvD,IAAI,mBAAsC,CAAC;YAC3C,IAAI,UAAU,CAAC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,EAAE;gBAC3C,mBAAmB,GAAG,SAAS,CAAC;aACjC;iBAAM;gBACL,mBAAmB,GAAG,GAAG,CAAC,mBAAmB,CAAC,SAAS,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC;aAC9E;YACD,IAAI,mBAAmB,KAAK,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC1F,OAAO,mBAAmB,CAAC;QAC7B,CAAC,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YACxD,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YACvC,IAAI,IAAI,KAAK,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;YAC3E,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE;YACzD,YAAY;YACZ,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB,CAAC,UAAsB;QAC9C,MAAM,aAAa,GAAG,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACpD,IAAI,CAAC,aAAa;YAAE,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC9F,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,SAAS,QAAQ,CAAC,YAA0B;QAC1C,SAAS,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;QAE5B,MAAM,SAAS,GAA6B,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5G,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;YAC5C,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAC7G,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;SAC3G;QACD,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACpC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC7E,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,SAAS,wBAAwB,CAC/B,QAAoB,EACpB,GAAe,EACf,UAAwB,EACxB,GAAkB;QAElB,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAE7C,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAEjF,MAAM,SAAS,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;QAEpE,2EAA2E;QAC3E,IAAI,CAAC,GAAsB,IAAI,CAAC;QAChC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE;YAC5F,CAAC,GAAG,GAAG,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;SACnF;aAAM,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE;YACrD,CAAC,GAAG,GAAG,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;SAC5C;aAAM,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE;YACrD,CAAC,GAAG,GAAG,CAAC,mBAAmB,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC;SAC/D;QACD,IAAI,CAAC,KAAK,IAAI;YAAE,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QACtD,IAAI,CAAC,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAEnD,MAAM,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC;QAE7F,MAAM,GAAG,GAAG,EAAE,SAAS,EAAE,GAAG,CAAC,YAAY,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC;QAC3D,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,GAAG,EAAE,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;QACtF,OAAO,GAAG,CAAC;IACb,CAAC;IAED,SAAS,kBAAkB,CAAC,EAC1B,GAAG,EACH,SAAS,EACT,YAAY,EACZ,UAAU,GAMX;QACC,MAAM,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC;QAC3B,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAE5G,MAAM,OAAO,GAAG,GAAG,CAAC,yBAAyB,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACpG,IAAI,OAAO,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAC7E,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAEzE,MAAM,CAAC,GAAG,WAAW,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAErE,MAAM,EAAE,GAAG,GAAG,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,GAAG,CAAC,yBAAyB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,CAAC,CAAC;QACpE,IAAI,GAAG,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAE/E,MAAM,EAAE,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACvC,IAAI,EAAE,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAE3E,OAAO,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,SAAS,gBAAgB,CAAC,EACxB,SAAS,EACT,SAAS,EACT,YAAY,EACZ,UAAU,GAMX;QACC,MAAM,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC;QAC3B,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAE5G,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAE/F,MAAM,CAAC,GAAG,WAAW,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAE7C,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QACrE,MAAM,CAAC,GAAG,GAAG,CAAC,cAAc,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QAE3C,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAErC,MAAM,EAAE,GAAG,GAAG,CAAC,cAAc,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,GAAG,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QAEtC,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAEtC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,SAAS,WAAW,CAAC,EACnB,SAAS,EACT,WAAW,EACX,UAAU,EACV,MAAM,GAAG,IAAI,GAMd;QACC,SAAS,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;QAEtC,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACjD,IAAI,WAAW,KAAK,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACnG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEhC,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACpD,IAAI,SAAS,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QAC3F,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC3G,MAAM,YAAY,GAA6B,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,WAAW,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QAC3G,MAAM,GAAG,GAAG,gBAAgB,CAAC;YAC3B,SAAS;YACT,SAAS;YACT,YAAY;YACZ,UAAU;SACX,CAAC,CAAC;QAEH,IAAI,MAAM,EAAE;YACV,MAAM,YAAY,GAA6B,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YACvG,MAAM,KAAK,GAAG,kBAAkB,CAAC;gBAC/B,GAAG;gBACH,SAAS;gBACT,YAAY;gBACZ,UAAU;aACX,CAAC,CAAC;YACH,IAAI,CAAC,KAAK;gBAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;SACtE;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IA0BD,SAAS,iBAAiB,CAAC,EACzB,SAAS,EACT,aAAa,EACb,UAAU,EACV,MAAM,GAAG,EAAE,EACX,GAAG,EACH,IAAI,EACJ,MAAM,GAAG,IAAI,EACb,SAAS,GAAG,KAAK,GACK;QAKtB,yEAAyE;QACzE,SAAS,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QACpD,IAAI,SAAS,KAAK,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAEtF,IAAI,cAAc,CAAC;QACnB,IAAI,IAAI,KAAK,SAAS,EAAE;YACtB,cAAc,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YACtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;gBAC3B,cAAc,CAAC,CAAC,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;aACtD;SACF;aAAM;YACL,cAAc,GAAG,SAAS,CAAC;SAC5B;QACD,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,GAAG,MAAM,CAAC,CAAC;QAC1C,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAElD,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;QAClC,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;QAEjE,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACvC,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE;YAC1B,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CACvB,IAAI,CAAC,yBAAyB,EAC9B,GAAG,CAAC,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,OAAO,EAAE,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CACjF,CAAC;YACF,MAAM,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YAC5B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACrE,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YACtC,IAAI,GAAG,KAAK,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAEpF,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;YAC3B,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;SAC9B;QACD,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAE/B,IAAI,SAAS;YAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QAEtC,WAAW,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,wBAAwB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC5E,MAAM,GAAG,GAAG,WAAW,CAAC;YACtB,SAAS;YACT,WAAW;YACX,UAAU;YACV,MAAM;SACP,CAAC,CAAC;QAEH,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IAED,kEAAkE;IAClE,MAAM,UAAU,GAAG,CAAC,WAAW,EAAE,YAAY,CAAU,CAAC;IACxD,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAU,CAAC;IACrE,MAAM,YAAY,GAAG,CAAC,gBAAgB,EAAE,MAAM,EAAE,WAAW,CAAU,CAAC;IACtE,MAAM,OAAO,GAAG,CAAC,WAAW,EAAE,GAAG,UAAU,EAAE,GAAG,YAAY,CAAU,CAAC;IACvE,MAAM,YAAY,GAAG,CAAC,aAAa,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,YAAY,CAAU,CAAC;IACzG,MAAM,SAAS,GAAG,CAAC,cAAc,EAAE,aAAa,CAAU,CAAC;IAQ3D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC7C,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC9C,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACjD,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACnD,UAAU,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;IAClC,UAAU,CAAC,GAAG,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IACtC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9C,SAAS,SAAS,CAAC,IAAU;QAC3B,KAAK,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;YAC/C,IAAI,MAAM,KAAK,SAAS;gBAAE,SAAS;YACnC,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YACnD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,MAAM,IAAI,SAAS,CAAC,YAAY,IAAI,iBAAiB,CAAC,CAAC;YAChF,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE;gBAC1B,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,MAAM;oBAAE,MAAM,IAAI,SAAS,CAAC,WAAW,IAAI,YAAY,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;gBAC3G,IAAI,IAAI,KAAK,WAAW,EAAE;oBACxB,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAAE,MAAM,IAAI,SAAS,CAAC,mBAAmB,CAAC,CAAC;iBACpE;qBAAM,IAAI,IAAI,KAAK,aAAa,EAAE;oBACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE;wBAC/B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;4BAAE,MAAM,IAAI,SAAS,CAAC,qBAAqB,CAAC,CAAC;qBAC1F;iBACF;qBAAM,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;oBAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;wBACzC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;4BAAE,MAAM,IAAI,SAAS,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;qBACtF;iBACF;gBACD,8EAA8E;aAC/E;SACF;IACH,CAAC;IAED,OAAO;QACL,cAAc,EAAE,CAAC,GAA+B,EAAc,EAAE;YAC9D,IAAI,cAAc,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAC/D,OAAO,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC;QACxD,CAAC;QACD,cAAc,EAAE,CAAC,GAA+B,EAAc,EAAE;YAC9D,IAAI,cAAc,IAAI,GAAG;gBAAE,OAAO,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACtE,OAAO,GAAG,CAAC,aAAa,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,EAAE,CAAC,UAAwB,EAAgB,EAAE;YAClD,SAAS,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC;YAC1B,mCAAmC;YACnC,OAAO,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM;QACN,SAAS,EAAE,CAAC,GAAkB,EAAE,GAAG,MAAe,EAAiB,EAAE;YACnE,SAAS,CAAC,GAAG,CAAC,CAAC;YACf,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,QAAQ,EAAE,CAAC,EACT,SAAS,GAAG,aAAa,EAAE,EAC3B,SAAS,EACT,SAAS,EACT,cAAc,EACd,GAAG,EACH,UAAU,GAQX,EAAc,EAAE;YACf,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE;gBACvE,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;aAC9D;YACD,yEAAyE;YACzE,SAAS,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,CAAC,CAAC;YAC/D,IAAI,IAAgB,CAAC;YACrB,IAAI,SAAS,KAAK,SAAS,EAAE;gBAC3B,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;gBACjD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;oBAC3B,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;iBAClC;aACF;iBAAM;gBACL,IAAI,GAAG,SAAS,CAAC;aAClB;YAED,IAAI,cAAc,KAAK,SAAS;gBAAE,cAAc,GAAG,IAAI,UAAU,EAAE,CAAC;YAEpE,MAAM,SAAS,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACrC,IAAI,GAAG,KAAK,SAAS,EAAE;gBACrB,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACpB,SAAS,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;gBAClC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;gBACtE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;aACrB;YAED,IAAI,UAAU,KAAK,SAAS;gBAAE,UAAU,GAAG,IAAI,UAAU,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;YAE7D,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACvC,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE;gBAC1B,MAAM,EAAE,GAAG,GAAG,CAAC,UAAU,CACvB,IAAI,CAAC,WAAW,EAChB,IAAI,EACJ,UAAU,CAAC,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,EAC/B,SAAS,EACT,UAAU,CAAC,EAAE,CAAC,cAAc,CAAC,MAAM,CAAC,EACpC,cAAc,EACd,GAAG,SAAS,EACZ,OAAO,EACP,UAAU,EACV,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CACjB,CAAC;gBACF,MAAM,CAAC,GAAG,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;gBAC5B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC;oBAAE,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;gBACrE,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;gBACtC,IAAI,GAAG,KAAK,IAAI;oBAAE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBAEpF,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;gBAC3B,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;aAC9B;YACD,WAAW,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC/B,WAAW,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;YAC1C,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,gBAAgB,EAAE,CAAC,WAAuB,EAAE,WAAuB,EAAQ,EAAE;YAC3E,SAAS,CAAC,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC,CAAC;YACxC,WAAW,CAAC,GAAG,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;QAC5C,CAAC;QAED,qBAAqB,EAAE,CAAC,IAA+B,EAA+B,EAAE,CACtF,iBAAiB,CAAC,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAEjD,iBAAiB;QAEjB,QAAQ;QAER,mBAAmB,EAAE,CACnB,QAAoB,EACpB,GAAe,EACf,UAAwB,EACxB,GAAG,MAAe,EACN,EAAE;YACd,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;YACxB,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,GAAG,MAAM,CAAC,CAAC;YAC1C,OAAO,wBAAwB,CAAC,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;QAED,WAAW;QAEX,aAAa,EAAE,CAAC,EACd,GAAG,EACH,SAAS,EACT,WAAW,EACX,UAAU,GAMX,EAAW,EAAE;YACZ,SAAS,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;YAE3C,MAAM,YAAY,GAA6B,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YAEvG,MAAM,KAAK,GAAG,kBAAkB,CAAC;gBAC/B,GAAG;gBACH,SAAS;gBACT,YAAY;gBACZ,UAAU;aACX,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,EAAE,CAAC,IAAkB,EAAE,UAAsB,EAAc,EAAE;YAClE,SAAS,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;YAEpB,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;YACnF,IAAI,KAAK,GAAe,GAAG,CAAC,cAAc,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAC5D,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE;gBAC/B,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;aACjC;YACD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAC/D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;YAC/B,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;YACnC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YAClB,OAAO,GAAG,CAAC;QACb,CAAC;KACF,CAAC;AACJ,CAAC;AAphBD,oCAohBC","sourcesContent":["/* ! musig-js - MIT License (c) 2022 Brandon Black */\n// https://github.com/ElementsProject/secp256k1-zkp/blob/master/doc/musig-spec.mediawiki\n// Roughly based on the secp256k1-zkp implementation\n\nexport interface MuSig {\n  /**\n   * Gets the X-only public key associated with this context.\n   *\n   * @param ctx the key gen context or a signing session key\n   * @returns the X-only public key associated with this context\n   */\n  getXOnlyPubkey(ctx: KeyGenContext | SessionKey): Uint8Array;\n\n  /**\n   * Gets the plain public key associated with this context.\n   *\n   * @param ctx the key gen context or a signing session key\n   * @returns plain public key associated with this context in compressed DER format\n   */\n  getPlainPubkey(ctx: KeyGenContext | SessionKey): Uint8Array;\n\n  /**\n   * Sorts compressed DER format public keys lexicographically.\n   *\n   * @param publicKeys array of compressed DER encoded public keys to aggregate\n   * @returns sorted public keys (in a new array)\n   */\n  keySort(publicKeys: Uint8Array[]): Uint8Array[];\n\n  /**\n   * Performs MuSig key aggregation on 1+ x-only public keys.\n   *\n   * @param publicKeys array of compressed DER encoded public keys to aggregate\n   * @param tweaks tweaks (0 < tweak < n) to apply to the aggregate key,\n   * and optionally booleans to indicate x-only tweaking\n   * @returns an opaque key gen context for use with other MuSig operations\n   */\n  keyAgg(publicKeys: Uint8Array[], ...tweaks: Tweak[]): KeyGenContext;\n\n  /**\n   * Apply one or more x-only or ordinary tweaks to an aggregate public key.\n   *\n   * @param ctx the key generation context, as returned from `keyAgg`.\n   * @param tweaks tweaks (0 < tweak < n) to apply to the aggregate key,\n   * and optionally booleans to indicate x-only tweaking\n   * @returns an opaque key gen context for use with other MuSig operations\n   */\n  addTweaks(ctx: KeyGenContext, ...tweaks: Tweak[]): KeyGenContext;\n\n  /**\n   * Generate a MuSig nonce pair based on the provided values.\n   *\n   * The caller must not use the same sessionId for multiple calls to nonceGen\n   * with other parameters held constant.\n   *\n   * The secret nonce (97 bytes) is cached internally, and will be deleted\n   * from the cache prior to use in a signature. The secret nonce will also be\n   * deleted if the returned public nonce is deleted.\n   *\n   * @param sessionId if no secret key is provided, uniformly 32-bytes of\n   * random data, otherwise a value guaranteed not to repeat for the secret\n   * key. If no sessionId is provided a reasonably high quality random one will\n   * be generated.\n   * @param secretKey the secret key which will eventually sign with this nonce\n   * @param publicKey the public key for which this nonce will be signed (required)\n   * @param xOnlyPublicKey the x-coordinate of the aggregate public key that this\n   * nonce will be signing a part of\n   * @param msg the message which will eventually be signed with this nonce\n   * (any possible Uint8Array length)\n   * @param extraInput additional input which will contribute to the generated\n   * nonce (0 <= extraInput.length <= 2^32-1)\n   * @return the generated public nonce (66 bytes)\n   */\n  nonceGen(args: {\n    sessionId?: Uint8Array;\n    secretKey?: Uint8Array;\n    publicKey: Uint8Array;\n    xOnlyPublicKey?: Uint8Array;\n    msg?: Uint8Array;\n    extraInput?: Uint8Array;\n  }): Uint8Array;\n\n  /**\n   * Add an externally generated nonce to the cache.\n   *\n   * NOT RECOMMENDED, but useful in testing at least.\n   * @param publicNonce 66-byte public nonce (2 points in compressed DER)\n   * @param secretNonce 97-byte secret nonce (2 32-byte scalars, and the public\n   * key which will sign for this nonce in compressed DER)\n   */\n  addExternalNonce(publicNonce: Uint8Array, secretNonce: Uint8Array): void;\n\n  /**\n   * Combine public nonces from all signers into a single aggregate public nonce.\n   *\n   * Per the spec, this function prefers to succeed with an invalid nonce at\n   * infinity than to fail, to enable a dishonest signer to be detected later.\n   *\n   * This can be run by an untrusted node without breaking the security of the\n   * protocol. An untrusted aggregator can cause the protocol to fail, but not\n   * forge a signature.\n   *\n   * @param nonces n-signers public nonces (66-bytes each)\n   * @return the aggregate public nonce (66-bytes)\n   */\n  nonceAgg(nonces: Uint8Array[]): Uint8Array;\n\n  /**\n   * Creates an opaque signing session for used in partial signing, partial\n   * verification, or signature aggregation. This may be saved by a\n   * participant, but may not be provided by an untrusted party.\n   *\n   * @param aggNonce this signing session's aggregate nonce\n   * @param msg the 32-byte message to sign for, most commonly a transaction hash.\n   * @param publicKeys array of compressed DER encoded public keys to aggregate\n   * @param tweaks tweaks (0 < tweak < n) to apply to the aggregate key,\n   * and optionally booleans to indicate x-only tweaking\n   * @return session key for `partialSign`, `partialVerify` and `signAgg`\n   */\n  startSigningSession(aggNonce: Uint8Array, msg: Uint8Array, publicKeys: Uint8Array[], ...tweaks: Tweak[]): SessionKey;\n\n  /**\n   * Creates a MuSig partial signature for the given values.\n   *\n   * Verifies the resulting partial signature by default, as recommended in the\n   * specification.\n   *\n   * Note: Calling `partialSign` with the same `publicNonce` more than once\n   * will not work, as the corresponding secret nonce is deleted. Generate a\n   * new public nonce and try again.\n   *\n   * @param secretKey signer's secret key\n   * @param publicNonce signer's public nonce\n   * @param sessionKey signing session key (from startSigningSession)\n   * @param verify if false, don't verify partial signature\n   * @return resulting signature\n   */\n  partialSign(args: {\n    secretKey: Uint8Array;\n    publicNonce: Uint8Array;\n    sessionKey: SessionKey;\n    verify?: boolean;\n  }): Uint8Array;\n\n  /**\n   * Verifies a MuSig partial signature for the given values.\n   *\n   * @param sig the 32-byte MuSig partial signature to verify\n   * @param msg the 32-byte message to sign for, most commonly a transaction hash\n   * @param publicKey signer's public key\n   * @param publicNonce signer's public nonce\n   * @param aggNonce this signing session's aggregate nonce\n   * @param sessionKey signing session key (from startSigningSession)\n   * @return true if the partial signature is valid, otherwise false\n   */\n  partialVerify(args: {\n    sig: Uint8Array;\n    publicKey: Uint8Array;\n    publicNonce: Uint8Array;\n    sessionKey: SessionKey;\n  }): boolean;\n\n  /**\n   * Aggregates MuSig partial signatures. May be run by an untrusted party.\n   *\n   * @param sigs array of 32-bytes MuSig partial signatures.\n   * @param sessionKey signing session key (from startSigningSession)\n   * @return the resulting aggregate signature.\n   */\n  signAgg(sigs: Uint8Array[], sessionKey: SessionKey): Uint8Array;\n\n  /**\n   * Deterministically generate nonces and partially sign for a MuSig key.\n   * The security of this method depends on its being run after all other\n   * parties have provided their nonces.\n   *\n   * @param secretKey signer's secret key\n   * @param aggOtherNonce the result of calling `nonceAgg` on all other signing\n   * parties' nonces\n   * @param publicKeys array of compressed DER encoded public keys to aggregate\n   * @param tweaks tweaks (0 < tweak < n) to apply to the aggregate key,\n   * and optionally booleans to indicate x-only tweaking\n   * @param msg the 32-byte message to sign for, most commonly a transaction hash.\n   * @param rand optional additional randomness for nonce generation\n   * @param verify if false, don't verify partial signature\n   * @return resulting signature, session key (for signature aggregation), and\n   * public nonce (for partial verification)\n   */\n  deterministicSign(args: {\n    secretKey: Uint8Array;\n    aggOtherNonce: Uint8Array;\n    publicKeys: Uint8Array[];\n    tweaks?: Tweak[];\n    msg: Uint8Array;\n    rand?: Uint8Array;\n    verify?: boolean;\n  }): {\n    sig: Uint8Array;\n    sessionKey: SessionKey;\n    publicNonce: Uint8Array;\n  };\n\n  /**\n   * Deterministically generate nonces. This is identical to deterministicSign,\n   * except that it aborts after nonce generation and before signing, and\n   * returns only the public nonce. This security of this method of nonce\n   * generation depends on its being run after all other parties have provided\n   * their nonces.\n   *\n   * A public nonce generated in this way cannot be directly used for signing\n   * (no secret nonce is saved), but a matching partial signature can be\n   * generated by subsequently calling deterministicSign with the same\n   * arguments as the call to deterministicNonceGen.\n   *\n   * This can be useful in a case where a stateless signer only wants to\n   * provide its partial signature after seeing valid partial signatures from\n   * other parties.\n   *\n   * @param secretKey signer's secret key\n   * @param aggOtherNonce the result of calling `nonceAgg` on all other signing\n   * parties' nonces\n   * @param publicKeys array of compressed DER encoded public keys to aggregate\n   * @param tweaks tweaks (0 < tweak < n) to apply to the aggregate key,\n   * and optionally booleans to indicate x-only tweaking\n   * @param msg the 32-byte message to sign for, most commonly a transaction hash.\n   * @param rand optional additional randomness for nonce generation\n   * @param verify if false, don't verify partial signature\n   * @return public nonce\n   */\n  deterministicNonceGen(args: {\n    secretKey: Uint8Array;\n    aggOtherNonce: Uint8Array;\n    publicKeys: Uint8Array[];\n    tweaks?: Tweak[];\n    msg: Uint8Array;\n    rand?: Uint8Array;\n  }): { publicNonce: Uint8Array };\n  // TODO: Discuss with HSM team the generation of all the nonces and any\n  // potential scaling concerns (3x the total cost of schnorr signing)\n}\n\nexport interface Crypto {\n  /**\n   * Adds a tweak to a point.\n   *\n   * @param p A point, compressed or uncompressed\n   * @param t A tweak, 0 < t < n\n   * @param compressed Whether the resulting point should be compressed.\n   * @returns The tweaked point, compressed or uncompressed, null if the result\n   * is the point at infinity.\n   */\n  pointAddTweak(p: Uint8Array, t: Uint8Array, compressed: boolean): Uint8Array | null;\n\n  /**\n   * Adds two points.\n   *\n   * @param a An addend point, compressed or uncompressed\n   * @param b An addend point, compressed or uncompressed\n   * @param compressed Whether the resulting point should be compressed.\n   * @returns The sum point, compressed or uncompressed, null if the result is\n   * the point at infinity.\n   */\n  pointAdd(a: Uint8Array, b: Uint8Array, compressed: boolean): Uint8Array | null;\n\n  /**\n   * Multiplies a point by a scalar.\n   * This function may use non-constant time operations, as no secret\n   * information is processed.\n   *\n   * @param p A point multiplicand, compressed or uncompressed\n   * @param a The multiplier, 0 < a < n\n   * @param compressed Whether the resulting point should be compressed.\n   * @returns The product point, compressed or uncompressed, null if the result\n   * is the point at infinity.\n   */\n  pointMultiplyUnsafe(p: Uint8Array, a: Uint8Array, compressed: boolean): Uint8Array | null;\n\n  /**\n   * Multiplies point 1 by a scalar and adds it to point 2.\n   * This function may use non-constant time operations, as no secret\n   * information is processed.\n   *\n   * @param p1 point multiplicand, compressed or uncompressed\n   * @param a The multiplier, 0 < a < n\n   * @param p2 point addend, compressed or uncompressed\n   * @param compressed Whether the resulting point should be compressed.\n   * @returns The product/sum point, compressed or uncompressed, null if the\n   * result is the point at infinity.\n   */\n  pointMultiplyAndAddUnsafe(p1: Uint8Array, a: Uint8Array, p2: Uint8Array, compressed: boolean): Uint8Array | null;\n\n  /**\n   * Negates a point, ie. returns the point with the opposite parity.\n   *\n   * @param p A point to negate, compressed or uncompressed\n   * @returns The negated point, with same compression as input.\n   */\n  pointNegate(p: Uint8Array): Uint8Array;\n\n  /**\n   * Compresses a point.\n   *\n   * @param p A point, compressed or uncompressed\n   * @param compress [default=true] if false, uncompress the point\n   * @returns The point, compressed if compress is true, or uncompressed if false.\n   */\n  pointCompress(p: Uint8Array, compress?: boolean): Uint8Array;\n\n  /**\n   * Adds one value to another, mod n.\n   *\n   * @param a An addend, 0 <= a < n\n   * @param b An addend, 0 <= b < n\n   * @returns The sum, 0 <= sum < n\n   */\n  scalarAdd(a: Uint8Array, b: Uint8Array): Uint8Array;\n\n  /**\n   * Multiply one value by another, mod n.\n   *\n   * @param a The multiplicand, 0 <= a < n\n   * @param b The multiplier, 0 <= b < n\n   * @returns The product, 0 <= product < n\n   */\n  scalarMultiply(a: Uint8Array, b: Uint8Array): Uint8Array;\n\n  /**\n   * Negates a value, mod n.\n   *\n   * @param a The value to negate, 0 <= a < n\n   * @returns The negated value, 0 <= negated < n\n   */\n  scalarNegate(a: Uint8Array): Uint8Array;\n\n  /**\n   * @param a The value to reduce\n   * @returns a mod n\n   */\n  scalarMod(a: Uint8Array): Uint8Array;\n\n  /**\n   * @param s A buffer to check against the curve order\n   * @returns true if s is a 32-byte array 0 <= s < n\n   */\n  isScalar(s: Uint8Array): boolean;\n\n  /**\n   * @param s A buffer to check against the curve order\n   * @returns true if s is a 32-byte array 0 < s < n\n   */\n  isSecret(s: Uint8Array): boolean;\n\n  /**\n   * @param p A buffer to check against the curve equation, compressed or\n   * uncompressed.\n   * @returns true if p is a valid point on secp256k1, false otherwise\n   */\n  isPoint(p: Uint8Array): boolean;\n\n  /**\n   * @param p A buffer to check against the curve equation.\n   * @returns true if p is the x coordinate of a valid point on secp256k1,\n   * false otherwise\n   */\n  isXOnlyPoint(p: Uint8Array): boolean;\n\n  /**\n   * @param p an x coordinate\n   * @returns the xy, uncompressed point if p is on the curve, otherwise null.\n   */\n  liftX(p: Uint8Array): Uint8Array | null;\n\n  /**\n   * @param p x-only, compressed or uncompressed\n   * @returns the x coordinate of p\n   */\n  pointX(p: Uint8Array): Uint8Array;\n\n  /**\n   * @param p a point, compressed or uncompressed\n   * @returns true if p has an even y coordinate, false otherwise\n   */\n  hasEvenY(p: Uint8Array): boolean;\n\n  /**\n   * Gets a public key for secret key.\n   *\n   * @param s Secret key\n   * @param compressed Whether the resulting point should be compressed.\n   * @returns The public key, compressed or uncompressed\n   */\n  getPublicKey(s: Uint8Array, compressed: boolean): Uint8Array | null;\n\n  /**\n   * Performs a BIP340-style tagged hash.\n   *\n   * @param tag\n   * @param messages Array of data to hash.\n   * @return The 32-byte BIP340-style tagged hash.\n   */\n  taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array;\n\n  /**\n   * SHA256 hash.\n   *\n   * @param messages Array of data to hash.\n   * @return The 32-byte SHA256 digest.\n   */\n  sha256(...messages: Uint8Array[]): Uint8Array;\n}\n\nexport type Tweak = TypedTweak | Uint8Array;\nexport interface TypedTweak {\n  tweak: Uint8Array;\n  xOnly?: boolean;\n}\n\nexport interface KeyGenContext {\n  aggPublicKey: Uint8Array; // a point on the curve\n  gacc: Uint8Array; // accumulated negation factor from X-only tweaking\n  tacc: Uint8Array; // 32-byte accumulated tweak (mod n)\n}\n\ninterface SessionValues extends KeyGenContext {\n  coefficient: Uint8Array; // 32-byte nonce coefficient (mod n)\n  finalNonce: Uint8Array; // a point on the curve\n  challenge: Uint8Array; // 32-byte challenge (mod n)\n  publicKeys: Uint8Array[]; // individual public keys in compressed DER format\n}\n\nexport interface SessionKey {\n  publicKey: Uint8Array;\n  aggNonce: Uint8Array;\n  msg: Uint8Array;\n}\n\nconst TAGS = {\n  challenge: 'BIP0340/challenge',\n  keyagg_list: 'KeyAgg list',\n  keyagg_coef: 'KeyAgg coefficient',\n  musig_aux: 'MuSig/aux',\n  musig_nonce: 'MuSig/nonce',\n  musig_deterministic_nonce: 'MuSig/deterministic/nonce',\n  musig_noncecoef: 'MuSig/noncecoef',\n} as const;\n\n/**\n * Compares two 32-byte Uint8Arrays in byte order.\n * @returns < 0, 0, > 0 if a is < b, === b or > b respectively\n */\nfunction compare32b(a: Uint8Array, b: Uint8Array): number {\n  if (a.length !== 32 || b.length !== 32) throw new Error('Invalid array');\n  const aD = new DataView(a.buffer, a.byteOffset, a.length);\n  const bD = new DataView(b.buffer, b.byteOffset, b.length);\n  for (let i = 0; i < 8; i++) {\n    const cmp = aD.getUint32(i * 4) - bD.getUint32(i * 4);\n    if (cmp !== 0) return cmp;\n  }\n  return 0;\n}\n\n/**\n * Compares two 33-byte Uint8Arrays in byte order.\n * @returns < 0, 0, > 0 if a is < b, === b or > b respectively\n */\nfunction compare33b(a: Uint8Array, b: Uint8Array): number {\n  if (a.length !== 33 || b.length !== 33) throw new Error('Invalid array');\n  const cmp = a[0] - b[0];\n  if (cmp !== 0) return cmp;\n  return compare32b(a.subarray(1), b.subarray(1));\n}\n\ndeclare const self: Record<string, any> | undefined;\nconst makeSessionId =\n  typeof self === 'object' && (self.crypto || self.msCrypto)\n    ? () => (self.crypto || self.msCrypto).getRandomValues(new Uint8Array(32)) // Browsers\n    : () => require('crypto').randomBytes(32); // Node\n\n// Caches values needed to compute key agg coefficients for an array of public keys\ninterface KeyAggCache {\n  publicKeyHash: Uint8Array;\n  secondPublicKey?: Uint8Array;\n}\nconst _keyAggCache = new WeakMap<Uint8Array[], KeyAggCache>();\n\n// Caches coefficients associated with an array of public keys\nconst _coefCache = new WeakMap<Uint8Array[], Map<Uint8Array, Uint8Array>>();\n\n// Caches secret nonces. We do this internally to help users ensure that they\n// do not reuse a secret nonce.\nconst _nonceCache = new WeakMap<Uint8Array, Uint8Array>();\n\n// Caches signing sessions. We do this internally to help users ensure that\n// these session values were generated on the signer, and are not accepted from\n// an untrusted third party.\nconst _sessionCache = new WeakMap<SessionKey, SessionValues>();\n\nexport function MuSigFactory(ecc: Crypto): MuSig {\n  const CPOINT_INF = new Uint8Array(33);\n  const SCALAR_0 = new Uint8Array(32);\n  const SCALAR_1 = new Uint8Array(32);\n  SCALAR_1[31] = 1;\n  const SCALAR_MINUS_1 = ecc.scalarNegate(SCALAR_1);\n\n  function keyAggCoeff(publicKeys: Uint8Array[], publicKey: Uint8Array): Uint8Array {\n    let coefCache = _coefCache.get(publicKeys);\n    if (coefCache === undefined) {\n      coefCache = new Map<Uint8Array, Uint8Array>();\n      _coefCache.set(publicKeys, coefCache);\n    }\n    let coefficient = coefCache.get(publicKey);\n    if (coefficient) return coefficient;\n\n    coefficient = SCALAR_1;\n    let secondPublicKey;\n    let publicKeyHash;\n    let keyAggCache = _keyAggCache.get(publicKeys);\n    if (keyAggCache === undefined) {\n      // Index of the first occurrence of the second unique public key.\n      const pkIdx2 = publicKeys.findIndex((pk) => compare33b(pk, publicKeys[0]) !== 0);\n      secondPublicKey = publicKeys[pkIdx2]; // undefined if pkIdx2 === -1\n      publicKeyHash = ecc.taggedHash(TAGS.keyagg_list, ...publicKeys);\n      keyAggCache = { publicKeyHash, secondPublicKey };\n      _keyAggCache.set(publicKeys, keyAggCache);\n    } else {\n      ({ publicKeyHash, secondPublicKey } = keyAggCache);\n    }\n    if (secondPublicKey === undefined || compare33b(publicKey, secondPublicKey) !== 0) {\n      coefficient = ecc.taggedHash(TAGS.keyagg_coef, publicKeyHash, publicKey);\n    }\n    coefCache.set(publicKey, coefficient);\n    return coefficient;\n  }\n\n  function addTweak(ctx: KeyGenContext, t: Tweak): KeyGenContext {\n    const tweak = 'tweak' in t ? t : { tweak: t };\n    if (!ecc.isScalar(tweak.tweak)) throw new TypeError('Expected tweak to be a valid scalar with curve order');\n    let { gacc, tacc } = ctx;\n    let aggPublicKey: Uint8Array | null = ctx.aggPublicKey;\n\n    if (!ecc.hasEvenY(aggPublicKey) && tweak.xOnly) {\n      // g = -1\n      gacc = ecc.scalarNegate(gacc); // g * gacc mod n\n      tacc = ecc.scalarNegate(tacc); // g * tacc mod n\n      aggPublicKey = ecc.pointNegate(aggPublicKey); // g * Q\n    }\n    aggPublicKey = ecc.pointAddTweak(aggPublicKey, tweak.tweak, false); // g * Q + t * G\n    if (aggPublicKey === null) throw new Error('Unexpected point at infinity during tweaking');\n    tacc = ecc.scalarAdd(tweak.tweak, tacc); // t + g * tacc mod n\n\n    return { aggPublicKey, gacc, tacc };\n  }\n\n  function keyAgg(publicKeys: Uint8Array[], ...tweaks: Tweak[]): KeyGenContext {\n    checkArgs({ publicKeys });\n    const multipliedPublicKeys = publicKeys.map((publicKey) => {\n      const coefficient = keyAggCoeff(publicKeys, publicKey);\n      let multipliedPublicKey: Uint8Array | null;\n      if (compare32b(coefficient, SCALAR_1) === 0) {\n        multipliedPublicKey = publicKey;\n      } else {\n        multipliedPublicKey = ecc.pointMultiplyUnsafe(publicKey, coefficient, false);\n      }\n      if (multipliedPublicKey === null) throw new Error('Point at infinity during aggregation');\n      return multipliedPublicKey;\n    });\n\n    const aggPublicKey = multipliedPublicKeys.reduce((a, b) => {\n      const next = ecc.pointAdd(a, b, false);\n      if (next === null) throw new Error('Point at infinity during aggregation');\n      return next;\n    });\n\n    return tweaks.reduce((ctx, tweak) => addTweak(ctx, tweak), {\n      aggPublicKey,\n      gacc: SCALAR_1,\n      tacc: SCALAR_0,\n    });\n  }\n\n  function getSessionValues(sessionKey: SessionKey): SessionValues {\n    const sessionValues = _sessionCache.get(sessionKey);\n    if (!sessionValues) throw new Error('Invalid session key, please call `startSigningSession`');\n    return sessionValues;\n  }\n\n  function nonceAgg(publicNonces: Uint8Array[]): Uint8Array {\n    checkArgs({ publicNonces });\n\n    const aggNonces: Array<Uint8Array | null> = [publicNonces[0].subarray(0, 33), publicNonces[0].subarray(33)];\n    for (let i = 1; i < publicNonces.length; i++) {\n      if (aggNonces[0] !== null) aggNonces[0] = ecc.pointAdd(aggNonces[0], publicNonces[i].subarray(0, 33), false);\n      if (aggNonces[1] !== null) aggNonces[1] = ecc.pointAdd(aggNonces[1], publicNonces[i].subarray(33), false);\n    }\n    const aggNonce = new Uint8Array(66);\n    if (aggNonces[0] !== null) aggNonce.set(ecc.pointCompress(aggNonces[0]), 0);\n    if (aggNonces[1] !== null) aggNonce.set(ecc.pointCompress(aggNonces[1]), 33);\n    return aggNonce;\n  }\n\n  function startSigningSessionInner(\n    aggNonce: Uint8Array,\n    msg: Uint8Array,\n    publicKeys: Uint8Array[],\n    ctx: KeyGenContext\n  ): SessionKey {\n    const pubKeyX = ecc.pointX(ctx.aggPublicKey);\n\n    const coefficient = ecc.taggedHash(TAGS.musig_noncecoef, aggNonce, pubKeyX, msg);\n\n    const aggNonces = [aggNonce.subarray(0, 33), aggNonce.subarray(33)];\n\n    // This is kinda ugly, but crypto.pointAdd doesn't work on 0-coded infinity\n    let r: Uint8Array | null = null;\n    if (compare33b(aggNonces[1], CPOINT_INF) !== 0 && compare33b(aggNonces[0], CPOINT_INF) !== 0) {\n      r = ecc.pointMultiplyAndAddUnsafe(aggNonces[1], coefficient, aggNonces[0], false);\n    } else if (compare33b(aggNonces[0], CPOINT_INF) !== 0) {\n      r = ecc.pointCompress(aggNonces[0], false);\n    } else if (compare33b(aggNonces[1], CPOINT_INF) !== 0) {\n      r = ecc.pointMultiplyUnsafe(aggNonces[1], coefficient, false);\n    }\n    if (r === null) r = ecc.getPublicKey(SCALAR_1, false);\n    if (r === null) throw new Error('Failed to get G');\n\n    const challenge = ecc.scalarMod(ecc.taggedHash(TAGS.challenge, ecc.pointX(r), pubKeyX, msg));\n\n    const key = { publicKey: ctx.aggPublicKey, aggNonce, msg };\n    _sessionCache.set(key, { ...ctx, coefficient, challenge, finalNonce: r, publicKeys });\n    return key;\n  }\n\n  function partialVerifyInner({\n    sig,\n    publicKey,\n    publicNonces,\n    sessionKey,\n  }: {\n    sig: Uint8Array;\n    publicKey: Uint8Array;\n    publicNonces: [Uint8Array, Uint8Array];\n    sessionKey: SessionKey;\n  }): boolean {\n    const { msg } = sessionKey;\n    const { aggPublicKey, gacc, challenge, coefficient, finalNonce, publicKeys } = getSessionValues(sessionKey);\n\n    const rePrime = ecc.pointMultiplyAndAddUnsafe(publicNonces[1], coefficient, publicNonces[0], false);\n    if (rePrime === null) throw new Error('Unexpected public nonce at infinity');\n    const re = ecc.hasEvenY(finalNonce) ? rePrime : ecc.pointNegate(rePrime);\n\n    const a = keyAggCoeff(publicKeys, publicKey);\n\n    const g = ecc.hasEvenY(aggPublicKey) ? gacc : ecc.scalarNegate(gacc);\n\n    const ea = ecc.scalarMultiply(challenge, a);\n    const eag = ecc.scalarMultiply(ea, g);\n    const ver = ecc.pointMultiplyAndAddUnsafe(publicKey, eag, re, true);\n    if (ver === null) throw new Error('Unexpected verification point at infinity');\n\n    const sG = ecc.getPublicKey(sig, true);\n    if (sG === null) throw new Error('Unexpected signature point at infinity');\n\n    return compare33b(ver, sG) === 0;\n  }\n\n  function partialSignInner({\n    secretKey,\n    publicKey,\n    secretNonces,\n    sessionKey,\n  }: {\n    secretKey: Uint8Array;\n    publicKey: Uint8Array;\n    secretNonces: [Uint8Array, Uint8Array];\n    sessionKey: SessionKey;\n  }): Uint8Array {\n    const { msg } = sessionKey;\n    const { aggPublicKey, gacc, challenge, coefficient, finalNonce, publicKeys } = getSessionValues(sessionKey);\n\n    const [k1, k2] = secretNonces.map((k) => (ecc.hasEvenY(finalNonce) ? k : ecc.scalarNegate(k)));\n\n    const a = keyAggCoeff(publicKeys, publicKey);\n\n    const g = ecc.hasEvenY(aggPublicKey) ? gacc : ecc.scalarNegate(gacc);\n    const d = ecc.scalarMultiply(g, secretKey);\n\n    const bk2 = ecc.scalarMultiply(coefficient, k2);\n    const k1bk2 = ecc.scalarAdd(k1, bk2);\n\n    const ea = ecc.scalarMultiply(challenge, a);\n    const ead = ecc.scalarMultiply(ea, d);\n\n    const sig = ecc.scalarAdd(k1bk2, ead);\n\n    return sig;\n  }\n\n  function partialSign({\n    secretKey,\n    publicNonce,\n    sessionKey,\n    verify = true,\n  }: {\n    secretKey: Uint8Array;\n    publicNonce: Uint8Array;\n    sessionKey: SessionKey;\n    verify: boolean;\n  }): Uint8Array {\n    checkArgs({ publicNonce, secretKey });\n\n    const secretNonce = _nonceCache.get(publicNonce);\n    if (secretNonce === undefined) throw new Error('No secret nonce found for specified public nonce');\n    _nonceCache.delete(publicNonce);\n\n    const publicKey = ecc.getPublicKey(secretKey, true);\n    if (publicKey === null) throw new Error('Invalid secret key, no corresponding public key');\n    if (compare33b(publicKey, secretNonce.subarray(64)) !== 0) throw new Error('Secret nonce pubkey mismatch');\n    const secretNonces: [Uint8Array, Uint8Array] = [secretNonce.subarray(0, 32), secretNonce.subarray(32, 64)];\n    const sig = partialSignInner({\n      secretKey,\n      publicKey,\n      secretNonces,\n      sessionKey,\n    });\n\n    if (verify) {\n      const publicNonces: [Uint8Array, Uint8Array] = [publicNonce.subarray(0, 33), publicNonce.subarray(33)];\n      const valid = partialVerifyInner({\n        sig,\n        publicKey,\n        publicNonces,\n        sessionKey,\n      });\n      if (!valid) throw new Error('Partial signature failed verification');\n    }\n    return sig;\n  }\n\n  interface DeterministicSignArgsBase {\n    secretKey: Uint8Array;\n    aggOtherNonce: Uint8Array;\n    publicKeys: Uint8Array[];\n    tweaks?: Tweak[];\n    msg: Uint8Array;\n    rand?: Uint8Array;\n  }\n  interface DeterministicSignArgs extends DeterministicSignArgsBase {\n    verify?: boolean;\n    nonceOnly?: boolean;\n  }\n  interface DeterministicSignArgsSign extends DeterministicSignArgsBase {\n    verify: boolean;\n  }\n  interface DeterministicSignArgsNonceOnly extends DeterministicSignArgsBase {\n    nonceOnly: true;\n  }\n  function deterministicSign(args: DeterministicSignArgsSign): {\n    sig: Uint8Array;\n    sessionKey: SessionKey;\n    publicNonce: Uint8Array;\n  };\n  function deterministicSign(args: DeterministicSignArgsNonceOnly): { publicNonce: Uint8Array };\n  function deterministicSign({\n    secretKey,\n    aggOtherNonce,\n    publicKeys,\n    tweaks = [],\n    msg,\n    rand,\n    verify = true,\n    nonceOnly = false,\n  }: DeterministicSignArgs): {\n    sig?: Uint8Array;\n    sessionKey?: SessionKey;\n    publicNonce: Uint8Array;\n  } {\n    // No need to check msg, its max size is larger than JS typed array limit\n    checkArgs({ rand, secretKey, aggOtherNonce });\n    const publicKey = ecc.getPublicKey(secretKey, true);\n    if (publicKey === null) throw new Error('Secret key has no corresponding public key');\n\n    let secretKeyPrime;\n    if (rand !== undefined) {\n      secretKeyPrime = ecc.taggedHash(TAGS.musig_aux, rand);\n      for (let i = 0; i < 32; i++) {\n        secretKeyPrime[i] = secretKeyPrime[i] ^ secretKey[i];\n      }\n    } else {\n      secretKeyPrime = secretKey;\n    }\n    const ctx = keyAgg(publicKeys, ...tweaks);\n    const aggPublicKey = ecc.pointX(ctx.aggPublicKey);\n\n    const mLength = new Uint8Array(8);\n    new DataView(mLength.buffer).setBigUint64(0, BigInt(msg.length));\n\n    const secretNonce = new Uint8Array(97);\n    const publicNonce = new Uint8Array(66);\n    for (let i = 0; i < 2; i++) {\n      const kH = ecc.taggedHash(\n        TAGS.musig_deterministic_nonce,\n        ...[secretKeyPrime, aggOtherNonce, aggPublicKey, mLength, msg, Uint8Array.of(i)]\n      );\n      const k = ecc.scalarMod(kH);\n      if (compare32b(SCALAR_0, k) === 0) throw new Error('0 secret nonce');\n      const pub = ecc.getPublicKey(k, true);\n      if (pub === null) throw new Error('Secret nonce has no corresponding public nonce');\n\n      secretNonce.set(k, i * 32);\n      publicNonce.set(pub, i * 33);\n    }\n    secretNonce.set(publicKey, 64);\n\n    if (nonceOnly) return { publicNonce };\n\n    _nonceCache.set(publicNonce, secretNonce);\n    const aggNonce = nonceAgg([aggOtherNonce, publicNonce]);\n    const sessionKey = startSigningSessionInner(aggNonce, msg, publicKeys, ctx);\n    const sig = partialSign({\n      secretKey,\n      publicNonce,\n      sessionKey,\n      verify,\n    });\n\n    return { sig, sessionKey, publicNonce };\n  }\n\n  // TODO: Improve arg checking now that we have startSigningSession\n  const pubKeyArgs = ['publicKey', 'publicKeys'] as const;\n  const scalarArgs = ['tweak', 'sig', 'sigs', 'tacc', 'gacc'] as const;\n  const otherArgs32b = ['xOnlyPublicKey', 'rand', 'sessionId'] as const;\n  const args32b = ['secretKey', ...scalarArgs, ...otherArgs32b] as const;\n  const pubNonceArgs = ['publicNonce', 'publicNonces', 'aggNonce', 'aggOtherNonce', 'finalNonce'] as const;\n  const otherArgs = ['aggPublicKey', 'secretNonce'] as const;\n  type ArgName =\n    | typeof pubKeyArgs[number]\n    | typeof args32b[number]\n    | typeof pubNonceArgs[number]\n    | typeof otherArgs[number];\n  type Args = { [A in ArgName]?: Uint8Array | Uint8Array[] };\n\n  const argLengths = new Map<string, number>();\n  args32b.forEach((a) => argLengths.set(a, 32));\n  pubKeyArgs.forEach((a) => argLengths.set(a, 33));\n  pubNonceArgs.forEach((a) => argLengths.set(a, 66));\n  argLengths.set('secretNonce', 97);\n  argLengths.set('aggPublicKey', 65);\n  const scalarNames = new Set<string>();\n  scalarArgs.forEach((n) => scalarNames.add(n));\n\n  function checkArgs(args: Args): void {\n    for (let [name, values] of Object.entries(args)) {\n      if (values === undefined) continue;\n      values = Array.isArray(values) ? values : [values];\n      if (values.length === 0) throw new TypeError(`0-length ${name}s not supported`);\n      for (const value of values) {\n        if (argLengths.get(name) !== value.length) throw new TypeError(`Invalid ${name} length (${value.length})`);\n        if (name === 'secretKey') {\n          if (!ecc.isSecret(value)) throw new TypeError(`Invalid secretKey`);\n        } else if (name === 'secretNonce') {\n          for (let i = 0; i < 64; i += 32) {\n            if (!ecc.isSecret(value.subarray(i, i + 32))) throw new TypeError(`Invalid secretNonce`);\n          }\n        } else if (scalarNames.has(name)) {\n          for (let i = 0; i < value.length; i += 32) {\n            if (!ecc.isScalar(value.subarray(i, i + 32))) throw new TypeError(`Invalid ${name}`);\n          }\n        }\n        // No need for a public key x-to-curve check. They're liftX'd for use any way.\n      }\n    }\n  }\n\n  return {\n    getXOnlyPubkey: (ctx: KeyGenContext | SessionKey): Uint8Array => {\n      if ('aggPublicKey' in ctx) return ecc.pointX(ctx.aggPublicKey);\n      return ecc.pointX(getSessionValues(ctx).aggPublicKey);\n    },\n    getPlainPubkey: (ctx: KeyGenContext | SessionKey): Uint8Array => {\n      if ('aggPublicKey' in ctx) return ecc.pointCompress(ctx.aggPublicKey);\n      return ecc.pointCompress(getSessionValues(ctx).aggPublicKey);\n    },\n    keySort: (publicKeys: Uint8Array[]): Uint8Array[] => {\n      checkArgs({ publicKeys });\n      // do not modify the original array\n      return [...publicKeys].sort((a, b) => compare33b(a, b));\n    },\n    keyAgg,\n    addTweaks: (ctx: KeyGenContext, ...tweaks: Tweak[]): KeyGenContext => {\n      checkArgs(ctx);\n      return tweaks.reduce((c, tweak) => addTweak(c, tweak), ctx);\n    },\n\n    nonceGen: ({\n      sessionId = makeSessionId(),\n      secretKey,\n      publicKey,\n      xOnlyPublicKey,\n      msg,\n      extraInput,\n    }: {\n      sessionId: Uint8Array;\n      secretKey?: Uint8Array;\n      publicKey: Uint8Array;\n      xOnlyPublicKey?: Uint8Array;\n      msg?: Uint8Array;\n      extraInput?: Uint8Array;\n    }): Uint8Array => {\n      if (extraInput !== undefined && extraInput.length > Math.pow(2, 32) - 1) {\n        throw new TypeError('extraInput is limited to 2^32-1 bytes');\n      }\n      // No need to check msg, its max size is larger than JS typed array limit\n      checkArgs({ sessionId, secretKey, publicKey, xOnlyPublicKey });\n      let rand: Uint8Array;\n      if (secretKey !== undefined) {\n        rand = ecc.taggedHash(TAGS.musig_aux, sessionId);\n        for (let i = 0; i < 32; i++) {\n          rand[i] = rand[i] ^ secretKey[i];\n        }\n      } else {\n        rand = sessionId;\n      }\n\n      if (xOnlyPublicKey === undefined) xOnlyPublicKey = new Uint8Array();\n\n      const mPrefixed = [Uint8Array.of(0)];\n      if (msg !== undefined) {\n        mPrefixed[0][0] = 1;\n        mPrefixed.push(new Uint8Array(8));\n        new DataView(mPrefixed[1].buffer).setBigUint64(0, BigInt(msg.length));\n        mPrefixed.push(msg);\n      }\n\n      if (extraInput === undefined) extraInput = new Uint8Array();\n      const eLength = new Uint8Array(4);\n      new DataView(eLength.buffer).setUint32(0, extraInput.length);\n\n      const secretNonce = new Uint8Array(97);\n      const publicNonce = new Uint8Array(66);\n      for (let i = 0; i < 2; i++) {\n        const kH = ecc.taggedHash(\n          TAGS.musig_nonce,\n          rand,\n          Uint8Array.of(publicKey.length),\n          publicKey,\n          Uint8Array.of(xOnlyPublicKey.length),\n          xOnlyPublicKey,\n          ...mPrefixed,\n          eLength,\n          extraInput,\n          Uint8Array.of(i)\n        );\n        const k = ecc.scalarMod(kH);\n        if (compare32b(SCALAR_0, k) === 0) throw new Error('0 secret nonce');\n        const pub = ecc.getPublicKey(k, true);\n        if (pub === null) throw new Error('Secret nonce has no corresponding public nonce');\n\n        secretNonce.set(k, i * 32);\n        publicNonce.set(pub, i * 33);\n      }\n      secretNonce.set(publicKey, 64);\n      _nonceCache.set(publicNonce, secretNonce);\n      return publicNonce;\n    },\n\n    addExternalNonce: (publicNonce: Uint8Array, secretNonce: Uint8Array): void => {\n      checkArgs({ publicNonce, secretNonce });\n      _nonceCache.set(publicNonce, secretNonce);\n    },\n\n    deterministicNonceGen: (args: DeterministicSignArgsBase): { publicNonce: Uint8Array } =>\n      deterministicSign({ ...args, nonceOnly: true }),\n\n    deterministicSign,\n\n    nonceAgg,\n\n    startSigningSession: (\n      aggNonce: Uint8Array,\n      msg: Uint8Array,\n      publicKeys: Uint8Array[],\n      ...tweaks: Tweak[]\n    ): SessionKey => {\n      checkArgs({ aggNonce });\n      const ctx = keyAgg(publicKeys, ...tweaks);\n      return startSigningSessionInner(aggNonce, msg, publicKeys, ctx);\n    },\n\n    partialSign,\n\n    partialVerify: ({\n      sig,\n      publicKey,\n      publicNonce,\n      sessionKey,\n    }: {\n      sig: Uint8Array;\n      publicKey: Uint8Array;\n      publicNonce: Uint8Array;\n      sessionKey: SessionKey;\n    }): boolean => {\n      checkArgs({ sig, publicKey, publicNonce });\n\n      const publicNonces: [Uint8Array, Uint8Array] = [publicNonce.subarray(0, 33), publicNonce.subarray(33)];\n\n      const valid = partialVerifyInner({\n        sig,\n        publicKey,\n        publicNonces,\n        sessionKey,\n      });\n      return valid;\n    },\n\n    signAgg: (sigs: Uint8Array[], sessionKey: SessionKey): Uint8Array => {\n      checkArgs({ sigs });\n\n      const { aggPublicKey, tacc, challenge, finalNonce } = getSessionValues(sessionKey);\n      let sPart: Uint8Array = ecc.scalarMultiply(challenge, tacc);\n      if (!ecc.hasEvenY(aggPublicKey)) {\n        sPart = ecc.scalarNegate(sPart);\n      }\n      const aggS = sigs.reduce((a, b) => ecc.scalarAdd(a, b), sPart);\n      const sig = new Uint8Array(64);\n      sig.set(ecc.pointX(finalNonce), 0);\n      sig.set(aggS, 32);\n      return sig;\n    },\n  };\n}\n"]}
|