np-dms/lcbp3.np-dms.work
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2e6230e7220dd6be65373790162366f527688474
lcbp3.np-dms.work/frontend/node_modules/@noble/curves/esm/abstract/weierstrass.js
admin 2e6230e722 first commit
2025-09-21 20:29:15 +07:00

1413 lines
58 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
/**
* Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
*
* ### Design rationale for types
*
* * Interaction between classes from different curves should fail:
* `k256.Point.BASE.add(p256.Point.BASE)`
* * For this purpose we want to use `instanceof` operator, which is fast and works during runtime
* * Different calls of `curve()` would return different classes -
* `curve(params) !== curve(params)`: if somebody decided to monkey-patch their curve,
* it won't affect others
*
* TypeScript can't infer types for classes created inside a function. Classes is one instance
* of nominative types in TypeScript and interfaces only check for shape, so it's hard to create
* unique type for every function call.
*
* We can use generic types via some param, like curve opts, but that would:
* 1. Enable interaction between `curve(params)` and `curve(params)` (curves of same params)
* which is hard to debug.
* 2. Params can be generic and we can't enforce them to be constant value:
* if somebody creates curve from non-constant params,
* it would be allowed to interact with other curves with non-constant params
*
* @todo https://www.typescriptlang.org/docs/handbook/release-notes/typescript-2-7.html#unique-symbol
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { hmac as nobleHmac } from '@noble/hashes/hmac.js';
import { ahash } from '@noble/hashes/utils';
import { _validateObject, _abool2 as abool, _abytes2 as abytes, aInRange, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes, inRange, isBytes, memoized, numberToHexUnpadded, randomBytes as randomBytesWeb, } from "../utils.js";
import { _createCurveFields, mulEndoUnsafe, negateCt, normalizeZ, pippenger, wNAF, } from "./curve.js";
import { Field, FpInvertBatch, getMinHashLength, mapHashToField, nLength, validateField, } from "./modular.js";
// We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n) / den;
/**
* Splits scalar for GLV endomorphism.
*/
export function _splitEndoScalar(k, basis, n) {
// Split scalar into two such that part is ~half bits: `abs(part) < sqrt(N)`
// Since part can be negative, we need to do this on point.
// TODO: verifyScalar function which consumes lambda
const [[a1, b1], [a2, b2]] = basis;
const c1 = divNearest(b2 * k, n);
const c2 = divNearest(-b1 * k, n);
// |k1|/|k2| is < sqrt(N), but can be negative.
// If we do `k1 mod N`, we'll get big scalar (`> sqrt(N)`): so, we do cheaper negation instead.
let k1 = k - c1 * a1 - c2 * a2;
let k2 = -c1 * b1 - c2 * b2;
const k1neg = k1 < _0n;
const k2neg = k2 < _0n;
if (k1neg)
k1 = -k1;
if (k2neg)
k2 = -k2;
// Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
// This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n; // Half bits of N
if (k1 < _0n || k1 >= MAX_NUM || k2 < _0n || k2 >= MAX_NUM) {
throw new Error('splitScalar (endomorphism): failed, k=' + k);
}
return { k1neg, k1, k2neg, k2 };
}
function validateSigFormat(format) {
if (!['compact', 'recovered', 'der'].includes(format))
throw new Error('Signature format must be "compact", "recovered", or "der"');
return format;
}
function validateSigOpts(opts, def) {
const optsn = {};
for (let optName of Object.keys(def)) {
// @ts-ignore
optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
}
abool(optsn.lowS, 'lowS');
abool(optsn.prehash, 'prehash');
if (optsn.format !== undefined)
validateSigFormat(optsn.format);
return optsn;
}
export class DERErr extends Error {
constructor(m = '') {
super(m);
}
}
/**
* ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
*
* [0x30 (SEQUENCE), bytelength, 0x02 (INTEGER), intLength, R, 0x02 (INTEGER), intLength, S]
*
* Docs: https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/, https://luca.ntop.org/Teaching/Appunti/asn1.html
*/
export const DER = {
// asn.1 DER encoding utils
Err: DERErr,
// Basic building block is TLV (Tag-Length-Value)
_tlv: {
encode: (tag, data) => {
const { Err: E } = DER;
if (tag < 0 || tag > 256)
throw new E('tlv.encode: wrong tag');
if (data.length & 1)
throw new E('tlv.encode: unpadded data');
const dataLen = data.length / 2;
const len = numberToHexUnpadded(dataLen);
if ((len.length / 2) & 128)
throw new E('tlv.encode: long form length too big');
// length of length with long form flag
const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
const t = numberToHexUnpadded(tag);
return t + lenLen + len + data;
},
// v - value, l - left bytes (unparsed)
decode(tag, data) {
const { Err: E } = DER;
let pos = 0;
if (tag < 0 || tag > 256)
throw new E('tlv.encode: wrong tag');
if (data.length < 2 || data[pos++] !== tag)
throw new E('tlv.decode: wrong tlv');
const first = data[pos++];
const isLong = !!(first & 128); // First bit of first length byte is flag for short/long form
let length = 0;
if (!isLong)
length = first;
else {
// Long form: [longFlag(1bit), lengthLength(7bit), length (BE)]
const lenLen = first & 127;
if (!lenLen)
throw new E('tlv.decode(long): indefinite length not supported');
if (lenLen > 4)
throw new E('tlv.decode(long): byte length is too big'); // this will overflow u32 in js
const lengthBytes = data.subarray(pos, pos + lenLen);
if (lengthBytes.length !== lenLen)
throw new E('tlv.decode: length bytes not complete');
if (lengthBytes[0] === 0)
throw new E('tlv.decode(long): zero leftmost byte');
for (const b of lengthBytes)
length = (length << 8) | b;
pos += lenLen;
if (length < 128)
throw new E('tlv.decode(long): not minimal encoding');
}
const v = data.subarray(pos, pos + length);
if (v.length !== length)
throw new E('tlv.decode: wrong value length');
return { v, l: data.subarray(pos + length) };
},
},
// https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
// since we always use positive integers here. It must always be empty:
// - add zero byte if exists
// - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
_int: {
encode(num) {
const { Err: E } = DER;
if (num < _0n)
throw new E('integer: negative integers are not allowed');
let hex = numberToHexUnpadded(num);
// Pad with zero byte if negative flag is present
if (Number.parseInt(hex[0], 16) & 0b1000)
hex = '00' + hex;
if (hex.length & 1)
throw new E('unexpected DER parsing assertion: unpadded hex');
return hex;
},
decode(data) {
const { Err: E } = DER;
if (data[0] & 128)
throw new E('invalid signature integer: negative');
if (data[0] === 0x00 && !(data[1] & 128))
throw new E('invalid signature integer: unnecessary leading zero');
return bytesToNumberBE(data);
},
},
toSig(hex) {
// parse DER signature
const { Err: E, _int: int, _tlv: tlv } = DER;
const data = ensureBytes('signature', hex);
const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
if (seqLeftBytes.length)
throw new E('invalid signature: left bytes after parsing');
const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);
if (sLeftBytes.length)
throw new E('invalid signature: left bytes after parsing');
return { r: int.decode(rBytes), s: int.decode(sBytes) };
},
hexFromSig(sig) {
const { _tlv: tlv, _int: int } = DER;
const rs = tlv.encode(0x02, int.encode(sig.r));
const ss = tlv.encode(0x02, int.encode(sig.s));
const seq = rs + ss;
return tlv.encode(0x30, seq);
},
};
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
export function _normFnElement(Fn, key) {
const { BYTES: expected } = Fn;
let num;
if (typeof key === 'bigint') {
num = key;
}
else {
let bytes = ensureBytes('private key', key);
try {
num = Fn.fromBytes(bytes);
}
catch (error) {
throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
}
}
if (!Fn.isValidNot0(num))
throw new Error('invalid private key: out of range [1..N-1]');
return num;
}
/**
* Creates weierstrass Point constructor, based on specified curve options.
*
* @example
```js
const opts = {
p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
h: BigInt(1),
a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
};
const p256_Point = weierstrass(opts);
```
*/
export function weierstrassN(params, extraOpts = {}) {
const validated = _createCurveFields('weierstrass', params, extraOpts);
const { Fp, Fn } = validated;
let CURVE = validated.CURVE;
const { h: cofactor, n: CURVE_ORDER } = CURVE;
_validateObject(extraOpts, {}, {
allowInfinityPoint: 'boolean',
clearCofactor: 'function',
isTorsionFree: 'function',
fromBytes: 'function',
toBytes: 'function',
endo: 'object',
wrapPrivateKey: 'boolean',
});
const { endo } = extraOpts;
if (endo) {
// validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
throw new Error('invalid endo: expected "beta": bigint and "basises": array');
}
}
const lengths = getWLengths(Fp, Fn);
function assertCompressionIsSupported() {
if (!Fp.isOdd)
throw new Error('compression is not supported: Field does not have .isOdd()');
}
// Implements IEEE P1363 point encoding
function pointToBytes(_c, point, isCompressed) {
const { x, y } = point.toAffine();
const bx = Fp.toBytes(x);
abool(isCompressed, 'isCompressed');
if (isCompressed) {
assertCompressionIsSupported();
const hasEvenY = !Fp.isOdd(y);
return concatBytes(pprefix(hasEvenY), bx);
}
else {
return concatBytes(Uint8Array.of(0x04), bx, Fp.toBytes(y));
}
}
function pointFromBytes(bytes) {
abytes(bytes, undefined, 'Point');
const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
const length = bytes.length;
const head = bytes[0];
const tail = bytes.subarray(1);
// No actual validation is done here: use .assertValidity()
if (length === comp && (head === 0x02 || head === 0x03)) {
const x = Fp.fromBytes(tail);
if (!Fp.isValid(x))
throw new Error('bad point: is not on curve, wrong x');
const y2 = weierstrassEquation(x); // y² = x³ + ax + b
let y;
try {
y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
}
catch (sqrtError) {
const err = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
throw new Error('bad point: is not on curve, sqrt error' + err);
}
assertCompressionIsSupported();
const isYOdd = Fp.isOdd(y); // (y & _1n) === _1n;
const isHeadOdd = (head & 1) === 1; // ECDSA-specific
if (isHeadOdd !== isYOdd)
y = Fp.neg(y);
return { x, y };
}
else if (length === uncomp && head === 0x04) {
// TODO: more checks
const L = Fp.BYTES;
const x = Fp.fromBytes(tail.subarray(0, L));
const y = Fp.fromBytes(tail.subarray(L, L * 2));
if (!isValidXY(x, y))
throw new Error('bad point: is not on curve');
return { x, y };
}
else {
throw new Error(`bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`);
}
}
const encodePoint = extraOpts.toBytes || pointToBytes;
const decodePoint = extraOpts.fromBytes || pointFromBytes;
function weierstrassEquation(x) {
const x2 = Fp.sqr(x); // x * x
const x3 = Fp.mul(x2, x); // x² * x
return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b); // x³ + a * x + b
}
// TODO: move top-level
/** Checks whether equation holds for given x, y: y² == x³ + ax + b */
function isValidXY(x, y) {
const left = Fp.sqr(y); // y²
const right = weierstrassEquation(x); // x³ + ax + b
return Fp.eql(left, right);
}
// Validate whether the passed curve params are valid.
// Test 1: equation y² = x³ + ax + b should work for generator point.
if (!isValidXY(CURVE.Gx, CURVE.Gy))
throw new Error('bad curve params: generator point');
// Test 2: discriminant Δ part should be non-zero: 4a³ + 27b² != 0.
// Guarantees curve is genus-1, smooth (non-singular).
const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n), _4n);
const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
if (Fp.is0(Fp.add(_4a3, _27b2)))
throw new Error('bad curve params: a or b');
/** Asserts coordinate is valid: 0 <= n < Fp.ORDER. */
function acoord(title, n, banZero = false) {
if (!Fp.isValid(n) || (banZero && Fp.is0(n)))
throw new Error(`bad point coordinate ${title}`);
return n;
}
function aprjpoint(other) {
if (!(other instanceof Point))
throw new Error('ProjectivePoint expected');
}
function splitEndoScalarN(k) {
if (!endo || !endo.basises)
throw new Error('no endo');
return _splitEndoScalar(k, endo.basises, Fn.ORDER);
}
// Memoized toAffine / validity check. They are heavy. Points are immutable.
// Converts Projective point to affine (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
// (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
const toAffineMemo = memoized((p, iz) => {
const { X, Y, Z } = p;
// Fast-path for normalized points
if (Fp.eql(Z, Fp.ONE))
return { x: X, y: Y };
const is0 = p.is0();
// If invZ was 0, we return zero point. However we still want to execute
// all operations, so we replace invZ with a random number, 1.
if (iz == null)
iz = is0 ? Fp.ONE : Fp.inv(Z);
const x = Fp.mul(X, iz);
const y = Fp.mul(Y, iz);
const zz = Fp.mul(Z, iz);
if (is0)
return { x: Fp.ZERO, y: Fp.ZERO };
if (!Fp.eql(zz, Fp.ONE))
throw new Error('invZ was invalid');
return { x, y };
});
// NOTE: on exception this will crash 'cached' and no value will be set.
// Otherwise true will be return
const assertValidMemo = memoized((p) => {
if (p.is0()) {
// (0, 1, 0) aka ZERO is invalid in most contexts.
// In BLS, ZERO can be serialized, so we allow it.
// (0, 0, 0) is invalid representation of ZERO.
if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y))
return;
throw new Error('bad point: ZERO');
}
// Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
const { x, y } = p.toAffine();
if (!Fp.isValid(x) || !Fp.isValid(y))
throw new Error('bad point: x or y not field elements');
if (!isValidXY(x, y))
throw new Error('bad point: equation left != right');
if (!p.isTorsionFree())
throw new Error('bad point: not in prime-order subgroup');
return true;
});
function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
k1p = negateCt(k1neg, k1p);
k2p = negateCt(k2neg, k2p);
return k1p.add(k2p);
}
/**
* Projective Point works in 3d / projective (homogeneous) coordinates:(X, Y, Z) ∋ (x=X/Z, y=Y/Z).
* Default Point works in 2d / affine coordinates: (x, y).
* We're doing calculations in projective, because its operations don't require costly inversion.
*/
class Point {
/** Does NOT validate if the point is valid. Use `.assertValidity()`. */
constructor(X, Y, Z) {
this.X = acoord('x', X);
this.Y = acoord('y', Y, true);
this.Z = acoord('z', Z);
Object.freeze(this);
}
static CURVE() {
return CURVE;
}
/** Does NOT validate if the point is valid. Use `.assertValidity()`. */
static fromAffine(p) {
const { x, y } = p || {};
if (!p || !Fp.isValid(x) || !Fp.isValid(y))
throw new Error('invalid affine point');
if (p instanceof Point)
throw new Error('projective point not allowed');
// (0, 0) would've produced (0, 0, 1) - instead, we need (0, 1, 0)
if (Fp.is0(x) && Fp.is0(y))
return Point.ZERO;
return new Point(x, y, Fp.ONE);
}
static fromBytes(bytes) {
const P = Point.fromAffine(decodePoint(abytes(bytes, undefined, 'point')));
P.assertValidity();
return P;
}
static fromHex(hex) {
return Point.fromBytes(ensureBytes('pointHex', hex));
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
/**
*
* @param windowSize
* @param isLazy true will defer table computation until the first multiplication
* @returns
*/
precompute(windowSize = 8, isLazy = true) {
wnaf.createCache(this, windowSize);
if (!isLazy)
this.multiply(_3n); // random number
return this;
}
// TODO: return `this`
/** A point on curve is valid if it conforms to equation. */
assertValidity() {
assertValidMemo(this);
}
hasEvenY() {
const { y } = this.toAffine();
if (!Fp.isOdd)
throw new Error("Field doesn't support isOdd");
return !Fp.isOdd(y);
}
/** Compare one point to another. */
equals(other) {
aprjpoint(other);
const { X: X1, Y: Y1, Z: Z1 } = this;
const { X: X2, Y: Y2, Z: Z2 } = other;
const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
return U1 && U2;
}
/** Flips point to one corresponding to (x, -y) in Affine coordinates. */
negate() {
return new Point(this.X, Fp.neg(this.Y), this.Z);
}
// Renes-Costello-Batina exception-free doubling formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 3
// Cost: 8M + 3S + 3*a + 2*b3 + 15add.
double() {
const { a, b } = CURVE;
const b3 = Fp.mul(b, _3n);
const { X: X1, Y: Y1, Z: Z1 } = this;
let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
let t0 = Fp.mul(X1, X1); // step 1
let t1 = Fp.mul(Y1, Y1);
let t2 = Fp.mul(Z1, Z1);
let t3 = Fp.mul(X1, Y1);
t3 = Fp.add(t3, t3); // step 5
Z3 = Fp.mul(X1, Z1);
Z3 = Fp.add(Z3, Z3);
X3 = Fp.mul(a, Z3);
Y3 = Fp.mul(b3, t2);
Y3 = Fp.add(X3, Y3); // step 10
X3 = Fp.sub(t1, Y3);
Y3 = Fp.add(t1, Y3);
Y3 = Fp.mul(X3, Y3);
X3 = Fp.mul(t3, X3);
Z3 = Fp.mul(b3, Z3); // step 15
t2 = Fp.mul(a, t2);
t3 = Fp.sub(t0, t2);
t3 = Fp.mul(a, t3);
t3 = Fp.add(t3, Z3);
Z3 = Fp.add(t0, t0); // step 20
t0 = Fp.add(Z3, t0);
t0 = Fp.add(t0, t2);
t0 = Fp.mul(t0, t3);
Y3 = Fp.add(Y3, t0);
t2 = Fp.mul(Y1, Z1); // step 25
t2 = Fp.add(t2, t2);
t0 = Fp.mul(t2, t3);
X3 = Fp.sub(X3, t0);
Z3 = Fp.mul(t2, t1);
Z3 = Fp.add(Z3, Z3); // step 30
Z3 = Fp.add(Z3, Z3);
return new Point(X3, Y3, Z3);
}
// Renes-Costello-Batina exception-free addition formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 1
// Cost: 12M + 0S + 3*a + 3*b3 + 23add.
add(other) {
aprjpoint(other);
const { X: X1, Y: Y1, Z: Z1 } = this;
const { X: X2, Y: Y2, Z: Z2 } = other;
let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
const a = CURVE.a;
const b3 = Fp.mul(CURVE.b, _3n);
let t0 = Fp.mul(X1, X2); // step 1
let t1 = Fp.mul(Y1, Y2);
let t2 = Fp.mul(Z1, Z2);
let t3 = Fp.add(X1, Y1);
let t4 = Fp.add(X2, Y2); // step 5
t3 = Fp.mul(t3, t4);
t4 = Fp.add(t0, t1);
t3 = Fp.sub(t3, t4);
t4 = Fp.add(X1, Z1);
let t5 = Fp.add(X2, Z2); // step 10
t4 = Fp.mul(t4, t5);
t5 = Fp.add(t0, t2);
t4 = Fp.sub(t4, t5);
t5 = Fp.add(Y1, Z1);
X3 = Fp.add(Y2, Z2); // step 15
t5 = Fp.mul(t5, X3);
X3 = Fp.add(t1, t2);
t5 = Fp.sub(t5, X3);
Z3 = Fp.mul(a, t4);
X3 = Fp.mul(b3, t2); // step 20
Z3 = Fp.add(X3, Z3);
X3 = Fp.sub(t1, Z3);
Z3 = Fp.add(t1, Z3);
Y3 = Fp.mul(X3, Z3);
t1 = Fp.add(t0, t0); // step 25
t1 = Fp.add(t1, t0);
t2 = Fp.mul(a, t2);
t4 = Fp.mul(b3, t4);
t1 = Fp.add(t1, t2);
t2 = Fp.sub(t0, t2); // step 30
t2 = Fp.mul(a, t2);
t4 = Fp.add(t4, t2);
t0 = Fp.mul(t1, t4);
Y3 = Fp.add(Y3, t0);
t0 = Fp.mul(t5, t4); // step 35
X3 = Fp.mul(t3, X3);
X3 = Fp.sub(X3, t0);
t0 = Fp.mul(t3, t1);
Z3 = Fp.mul(t5, Z3);
Z3 = Fp.add(Z3, t0); // step 40
return new Point(X3, Y3, Z3);
}
subtract(other) {
return this.add(other.negate());
}
is0() {
return this.equals(Point.ZERO);
}
/**
* Constant time multiplication.
* Uses wNAF method. Windowed method may be 10% faster,
* but takes 2x longer to generate and consumes 2x memory.
* Uses precomputes when available.
* Uses endomorphism for Koblitz curves.
* @param scalar by which the point would be multiplied
* @returns New point
*/
multiply(scalar) {
const { endo } = extraOpts;
if (!Fn.isValidNot0(scalar))
throw new Error('invalid scalar: out of range'); // 0 is invalid
let point, fake; // Fake point is used to const-time mult
const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
/** See docs for {@link EndomorphismOpts} */
if (endo) {
const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
const { p: k1p, f: k1f } = mul(k1);
const { p: k2p, f: k2f } = mul(k2);
fake = k1f.add(k2f);
point = finishEndo(endo.beta, k1p, k2p, k1neg, k2neg);
}
else {
const { p, f } = mul(scalar);
point = p;
fake = f;
}
// Normalize `z` for both points, but return only real one
return normalizeZ(Point, [point, fake])[0];
}
/**
* Non-constant-time multiplication. Uses double-and-add algorithm.
* It's faster, but should only be used when you don't care about
* an exposed secret key e.g. sig verification, which works over *public* keys.
*/
multiplyUnsafe(sc) {
const { endo } = extraOpts;
const p = this;
if (!Fn.isValid(sc))
throw new Error('invalid scalar: out of range'); // 0 is valid
if (sc === _0n || p.is0())
return Point.ZERO;
if (sc === _1n)
return p; // fast-path
if (wnaf.hasCache(this))
return this.multiply(sc);
if (endo) {
const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
}
else {
return wnaf.unsafe(p, sc);
}
}
multiplyAndAddUnsafe(Q, a, b) {
const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
return sum.is0() ? undefined : sum;
}
/**
* Converts Projective point to affine (x, y) coordinates.
* @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
*/
toAffine(invertedZ) {
return toAffineMemo(this, invertedZ);
}
/**
* Checks whether Point is free of torsion elements (is in prime subgroup).
* Always torsion-free for cofactor=1 curves.
*/
isTorsionFree() {
const { isTorsionFree } = extraOpts;
if (cofactor === _1n)
return true;
if (isTorsionFree)
return isTorsionFree(Point, this);
return wnaf.unsafe(this, CURVE_ORDER).is0();
}
clearCofactor() {
const { clearCofactor } = extraOpts;
if (cofactor === _1n)
return this; // Fast-path
if (clearCofactor)
return clearCofactor(Point, this);
return this.multiplyUnsafe(cofactor);
}
isSmallOrder() {
// can we use this.clearCofactor()?
return this.multiplyUnsafe(cofactor).is0();
}
toBytes(isCompressed = true) {
abool(isCompressed, 'isCompressed');
this.assertValidity();
return encodePoint(Point, this, isCompressed);
}
toHex(isCompressed = true) {
return bytesToHex(this.toBytes(isCompressed));
}
toString() {
return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
}
// TODO: remove
get px() {
return this.X;
}
get py() {
return this.X;
}
get pz() {
return this.Z;
}
toRawBytes(isCompressed = true) {
return this.toBytes(isCompressed);
}
_setWindowSize(windowSize) {
this.precompute(windowSize);
}
static normalizeZ(points) {
return normalizeZ(Point, points);
}
static msm(points, scalars) {
return pippenger(Point, Fn, points, scalars);
}
static fromPrivateKey(privateKey) {
return Point.BASE.multiply(_normFnElement(Fn, privateKey));
}
}
// base / generator point
Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
// zero / infinity / identity point
Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
// math field
Point.Fp = Fp;
// scalar field
Point.Fn = Fn;
const bits = Fn.BITS;
const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
return Point;
}
// Points start with byte 0x02 when y is even; otherwise 0x03
function pprefix(hasEvenY) {
return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
}
/**
* Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
* TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
* b = True and y = sqrt(u / v) if (u / v) is square in F, and
* b = False and y = sqrt(Z * (u / v)) otherwise.
* @param Fp
* @param Z
* @returns
*/
export function SWUFpSqrtRatio(Fp, Z) {
// Generic implementation
const q = Fp.ORDER;
let l = _0n;
for (let o = q - _1n; o % _2n === _0n; o /= _2n)
l += _1n;
const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
// We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
// 2n ** c1 == 2n << (c1-1)
const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1) # Integer arithmetic
const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2 # Integer arithmetic
const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1 # Integer arithmetic
const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1) # Integer arithmetic
const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
let sqrtRatio = (u, v) => {
let tv1 = c6; // 1. tv1 = c6
let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2
tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1
tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
// 17. for i in (c1, c1 - 1, ..., 2):
for (let i = c1; i > _1n; i--) {
let tv5 = i - _2n; // 18. tv5 = i - 2
tv5 = _2n << (tv5 - _1n); // 19. tv5 = 2^tv5
let tvv5 = Fp.pow(tv4, tv5); // 20. tv5 = tv4^tv5
const e1 = Fp.eql(tvv5, Fp.ONE); // 21. e1 = tv5 == 1
tv2 = Fp.mul(tv3, tv1); // 22. tv2 = tv3 * tv1
tv1 = Fp.mul(tv1, tv1); // 23. tv1 = tv1 * tv1
tvv5 = Fp.mul(tv4, tv1); // 24. tv5 = tv4 * tv1
tv3 = Fp.cmov(tv2, tv3, e1); // 25. tv3 = CMOV(tv2, tv3, e1)
tv4 = Fp.cmov(tvv5, tv4, e1); // 26. tv4 = CMOV(tv5, tv4, e1)
}
return { isValid: isQR, value: tv3 };
};
if (Fp.ORDER % _4n === _3n) {
// sqrt_ratio_3mod4(u, v)
const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4 # Integer arithmetic
const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
sqrtRatio = (u, v) => {
let tv1 = Fp.sqr(v); // 1. tv1 = v^2
const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u
let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
};
}
// No curves uses that
// if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
return sqrtRatio;
}
/**
* Simplified Shallue-van de Woestijne-Ulas Method
* https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
*/
export function mapToCurveSimpleSWU(Fp, opts) {
validateField(Fp);
const { A, B, Z } = opts;
if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
throw new Error('mapToCurveSimpleSWU: invalid opts');
const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
if (!Fp.isOdd)
throw new Error('Field does not have .isOdd()');
// Input: u, an element of F.
// Output: (x, y), a point on E.
return (u) => {
// prettier-ignore
let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
tv1 = Fp.sqr(u); // 1. tv1 = u^2
tv1 = Fp.mul(tv1, Z); // 2. tv1 = Z * tv1
tv2 = Fp.sqr(tv1); // 3. tv2 = tv1^2
tv2 = Fp.add(tv2, tv1); // 4. tv2 = tv2 + tv1
tv3 = Fp.add(tv2, Fp.ONE); // 5. tv3 = tv2 + 1
tv3 = Fp.mul(tv3, B); // 6. tv3 = B * tv3
tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7. tv4 = CMOV(Z, -tv2, tv2 != 0)
tv4 = Fp.mul(tv4, A); // 8. tv4 = A * tv4
tv2 = Fp.sqr(tv3); // 9. tv2 = tv3^2
tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
x = Fp.mul(tv1, tv3); // 17. x = tv1 * tv3
const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
y = Fp.mul(tv1, u); // 19. y = tv1 * u -> Z * u^3 * y1
y = Fp.mul(y, value); // 20. y = y * y1
x = Fp.cmov(x, tv3, isValid); // 21. x = CMOV(x, tv3, is_gx1_square)
y = Fp.cmov(y, value, isValid); // 22. y = CMOV(y, y1, is_gx1_square)
const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23. e1 = sgn0(u) == sgn0(y)
y = Fp.cmov(Fp.neg(y), y, e1); // 24. y = CMOV(-y, y, e1)
const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
x = Fp.mul(x, tv4_inv); // 25. x = x / tv4
return { x, y };
};
}
function getWLengths(Fp, Fn) {
return {
secretKey: Fn.BYTES,
publicKey: 1 + Fp.BYTES,
publicKeyUncompressed: 1 + 2 * Fp.BYTES,
publicKeyHasPrefix: true,
signature: 2 * Fn.BYTES,
};
}
/**
* Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
* This helper ensures no signature functionality is present. Less code, smaller bundle size.
*/
export function ecdh(Point, ecdhOpts = {}) {
const { Fn } = Point;
const randomBytes_ = ecdhOpts.randomBytes || randomBytesWeb;
const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
function isValidSecretKey(secretKey) {
try {
return !!_normFnElement(Fn, secretKey);
}
catch (error) {
return false;
}
}
function isValidPublicKey(publicKey, isCompressed) {
const { publicKey: comp, publicKeyUncompressed } = lengths;
try {
const l = publicKey.length;
if (isCompressed === true && l !== comp)
return false;
if (isCompressed === false && l !== publicKeyUncompressed)
return false;
return !!Point.fromBytes(publicKey);
}
catch (error) {
return false;
}
}
/**
* Produces cryptographically secure secret key from random of size
* (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
*/
function randomSecretKey(seed = randomBytes_(lengths.seed)) {
return mapHashToField(abytes(seed, lengths.seed, 'seed'), Fn.ORDER);
}
/**
* Computes public key for a secret key. Checks for validity of the secret key.
* @param isCompressed whether to return compact (default), or full key
* @returns Public key, full when isCompressed=false; short when isCompressed=true
*/
function getPublicKey(secretKey, isCompressed = true) {
return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
}
function keygen(seed) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: getPublicKey(secretKey) };
}
/**
* Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
*/
function isProbPub(item) {
if (typeof item === 'bigint')
return false;
if (item instanceof Point)
return true;
const { secretKey, publicKey, publicKeyUncompressed } = lengths;
if (Fn.allowedLengths || secretKey === publicKey)
return undefined;
const l = ensureBytes('key', item).length;
return l === publicKey || l === publicKeyUncompressed;
}
/**
* ECDH (Elliptic Curve Diffie Hellman).
* Computes shared public key from secret key A and public key B.
* Checks: 1) secret key validity 2) shared key is on-curve.
* Does NOT hash the result.
* @param isCompressed whether to return compact (default), or full key
* @returns shared public key
*/
function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
if (isProbPub(secretKeyA) === true)
throw new Error('first arg must be private key');
if (isProbPub(publicKeyB) === false)
throw new Error('second arg must be public key');
const s = _normFnElement(Fn, secretKeyA);
const b = Point.fromHex(publicKeyB); // checks for being on-curve
return b.multiply(s).toBytes(isCompressed);
}
const utils = {
isValidSecretKey,
isValidPublicKey,
randomSecretKey,
// TODO: remove
isValidPrivateKey: isValidSecretKey,
randomPrivateKey: randomSecretKey,
normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
precompute(windowSize = 8, point = Point.BASE) {
return point.precompute(windowSize, false);
},
};
return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
}
/**
* Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
* We need `hash` for 2 features:
* 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
* 2. k generation in `sign`, using HMAC-drbg(hash)
*
* ECDSAOpts are only rarely needed.
*
* @example
* ```js
* const p256_Point = weierstrass(...);
* const p256_sha256 = ecdsa(p256_Point, sha256);
* const p256_sha224 = ecdsa(p256_Point, sha224);
* const p256_sha224_r = ecdsa(p256_Point, sha224, { randomBytes: (length) => { ... } });
* ```
*/
export function ecdsa(Point, hash, ecdsaOpts = {}) {
ahash(hash);
_validateObject(ecdsaOpts, {}, {
hmac: 'function',
lowS: 'boolean',
randomBytes: 'function',
bits2int: 'function',
bits2int_modN: 'function',
});
const randomBytes = ecdsaOpts.randomBytes || randomBytesWeb;
const hmac = ecdsaOpts.hmac ||
((key, ...msgs) => nobleHmac(hash, key, concatBytes(...msgs)));
const { Fp, Fn } = Point;
const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
const defaultSigOpts = {
prehash: false,
lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : false,
format: undefined, //'compact' as ECDSASigFormat,
extraEntropy: false,
};
const defaultSigOpts_format = 'compact';
function isBiggerThanHalfOrder(number) {
const HALF = CURVE_ORDER >> _1n;
return number > HALF;
}
function validateRS(title, num) {
if (!Fn.isValidNot0(num))
throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
return num;
}
function validateSigLength(bytes, format) {
validateSigFormat(format);
const size = lengths.signature;
const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
return abytes(bytes, sizer, `${format} signature`);
}
/**
* ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
*/
class Signature {
constructor(r, s, recovery) {
this.r = validateRS('r', r); // r in [1..N-1];
this.s = validateRS('s', s); // s in [1..N-1];
if (recovery != null)
this.recovery = recovery;
Object.freeze(this);
}
static fromBytes(bytes, format = defaultSigOpts_format) {
validateSigLength(bytes, format);
let recid;
if (format === 'der') {
const { r, s } = DER.toSig(abytes(bytes));
return new Signature(r, s);
}
if (format === 'recovered') {
recid = bytes[0];
format = 'compact';
bytes = bytes.subarray(1);
}
const L = Fn.BYTES;
const r = bytes.subarray(0, L);
const s = bytes.subarray(L, L * 2);
return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
}
static fromHex(hex, format) {
return this.fromBytes(hexToBytes(hex), format);
}
addRecoveryBit(recovery) {
return new Signature(this.r, this.s, recovery);
}
recoverPublicKey(messageHash) {
const FIELD_ORDER = Fp.ORDER;
const { r, s, recovery: rec } = this;
if (rec == null || ![0, 1, 2, 3].includes(rec))
throw new Error('recovery id invalid');
// ECDSA recovery is hard for cofactor > 1 curves.
// In sign, `r = q.x mod n`, and here we recover q.x from r.
// While recovering q.x >= n, we need to add r+n for cofactor=1 curves.
// However, for cofactor>1, r+n may not get q.x:
// r+n*i would need to be done instead where i is unknown.
// To easily get i, we either need to:
// a. increase amount of valid recid values (4, 5...); OR
// b. prohibit non-prime-order signatures (recid > 1).
const hasCofactor = CURVE_ORDER * _2n < FIELD_ORDER;
if (hasCofactor && rec > 1)
throw new Error('recovery id is ambiguous for h>1 curve');
const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
if (!Fp.isValid(radj))
throw new Error('recovery id 2 or 3 invalid');
const x = Fp.toBytes(radj);
const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
const ir = Fn.inv(radj); // r^-1
const h = bits2int_modN(ensureBytes('msgHash', messageHash)); // Truncate hash
const u1 = Fn.create(-h * ir); // -hr^-1
const u2 = Fn.create(s * ir); // sr^-1
// (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
if (Q.is0())
throw new Error('point at infinify');
Q.assertValidity();
return Q;
}
// Signatures should be low-s, to prevent malleability.
hasHighS() {
return isBiggerThanHalfOrder(this.s);
}
toBytes(format = defaultSigOpts_format) {
validateSigFormat(format);
if (format === 'der')
return hexToBytes(DER.hexFromSig(this));
const r = Fn.toBytes(this.r);
const s = Fn.toBytes(this.s);
if (format === 'recovered') {
if (this.recovery == null)
throw new Error('recovery bit must be present');
return concatBytes(Uint8Array.of(this.recovery), r, s);
}
return concatBytes(r, s);
}
toHex(format) {
return bytesToHex(this.toBytes(format));
}
// TODO: remove
assertValidity() { }
static fromCompact(hex) {
return Signature.fromBytes(ensureBytes('sig', hex), 'compact');
}
static fromDER(hex) {
return Signature.fromBytes(ensureBytes('sig', hex), 'der');
}
normalizeS() {
return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
}
toDERRawBytes() {
return this.toBytes('der');
}
toDERHex() {
return bytesToHex(this.toBytes('der'));
}
toCompactRawBytes() {
return this.toBytes('compact');
}
toCompactHex() {
return bytesToHex(this.toBytes('compact'));
}
}
// RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
// FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
// bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.
// int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
const bits2int = ecdsaOpts.bits2int ||
function bits2int_def(bytes) {
// Our custom check "just in case", for protection against DoS
if (bytes.length > 8192)
throw new Error('input is too large');
// For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
// for some cases, since bytes.length * 8 is not actual bitLength.
const num = bytesToNumberBE(bytes); // check for == u8 done here
const delta = bytes.length * 8 - fnBits; // truncate to nBitLength leftmost bits
return delta > 0 ? num >> BigInt(delta) : num;
};
const bits2int_modN = ecdsaOpts.bits2int_modN ||
function bits2int_modN_def(bytes) {
return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
};
// Pads output with zero as per spec
const ORDER_MASK = bitMask(fnBits);
/** Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`. */
function int2octets(num) {
// IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
aInRange('num < 2^' + fnBits, num, _0n, ORDER_MASK);
return Fn.toBytes(num);
}
function validateMsgAndHash(message, prehash) {
abytes(message, undefined, 'message');
return prehash ? abytes(hash(message), undefined, 'prehashed message') : message;
}
/**
* Steps A, D of RFC6979 3.2.
* Creates RFC6979 seed; converts msg/privKey to numbers.
* Used only in sign, not in verify.
*
* Warning: we cannot assume here that message has same amount of bytes as curve order,
* this will be invalid at least for P521. Also it can be bigger for P224 + SHA256.
*/
function prepSig(message, privateKey, opts) {
if (['recovered', 'canonical'].some((k) => k in opts))
throw new Error('sign() legacy options not supported');
const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
message = validateMsgAndHash(message, prehash); // RFC6979 3.2 A: h1 = H(m)
// We can't later call bits2octets, since nested bits2int is broken for curves
// with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
// const bits2octets = (bits) => int2octets(bits2int_modN(bits))
const h1int = bits2int_modN(message);
const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
const seedArgs = [int2octets(d), int2octets(h1int)];
// extraEntropy. RFC6979 3.6: additional k' (optional).
if (extraEntropy != null && extraEntropy !== false) {
// K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
// gen random bytes OR pass as-is
const e = extraEntropy === true ? randomBytes(lengths.secretKey) : extraEntropy;
seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
}
const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
// Converts signature params into point w r/s, checks result for validity.
// To transform k => Signature:
// q = k⋅G
// r = q.x mod n
// s = k^-1(m + rd) mod n
// Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q1] according to
// https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
// a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
function k2sig(kBytes) {
// RFC 6979 Section 3.2, step 3: k = bits2int(T)
// Important: all mod() calls here must be done over N
const k = bits2int(kBytes); // mod n, not mod p
if (!Fn.isValidNot0(k))
return; // Valid scalars (including k) must be in 1..N-1
const ik = Fn.inv(k); // k^-1 mod n
const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
const r = Fn.create(q.x); // r = q.x mod n
if (r === _0n)
return;
const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
if (s === _0n)
return;
let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
let normS = s;
if (lowS && isBiggerThanHalfOrder(s)) {
normS = Fn.neg(s); // if lowS was passed, ensure s is always
recovery ^= 1; // // in the bottom half of N
}
return new Signature(r, normS, recovery); // use normS, not s
}
return { seed, k2sig };
}
/**
* Signs message hash with a secret key.
*
* ```
* sign(m, d) where
* k = rfc6979_hmac_drbg(m, d)
* (x, y) = G × k
* r = x mod n
* s = (m + dr) / k mod n
* ```
*/
function sign(message, secretKey, opts = {}) {
message = ensureBytes('message', message);
const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac);
const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
return sig;
}
function tryParsingSig(sg) {
// Try to deduce format
let sig = undefined;
const isHex = typeof sg === 'string' || isBytes(sg);
const isObj = !isHex &&
sg !== null &&
typeof sg === 'object' &&
typeof sg.r === 'bigint' &&
typeof sg.s === 'bigint';
if (!isHex && !isObj)
throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
if (isObj) {
sig = new Signature(sg.r, sg.s);
}
else if (isHex) {
try {
sig = Signature.fromBytes(ensureBytes('sig', sg), 'der');
}
catch (derError) {
if (!(derError instanceof DER.Err))
throw derError;
}
if (!sig) {
try {
sig = Signature.fromBytes(ensureBytes('sig', sg), 'compact');
}
catch (error) {
return false;
}
}
}
if (!sig)
return false;
return sig;
}
/**
* Verifies a signature against message and public key.
* Rejects lowS signatures by default: see {@link ECDSAVerifyOpts}.
* Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
*
* ```
* verify(r, s, h, P) where
* u1 = hs^-1 mod n
* u2 = rs^-1 mod n
* R = u1⋅G + u2⋅P
* mod(R.x, n) == r
* ```
*/
function verify(signature, message, publicKey, opts = {}) {
const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
publicKey = ensureBytes('publicKey', publicKey);
message = validateMsgAndHash(ensureBytes('message', message), prehash);
if ('strict' in opts)
throw new Error('options.strict was renamed to lowS');
const sig = format === undefined
? tryParsingSig(signature)
: Signature.fromBytes(ensureBytes('sig', signature), format);
if (sig === false)
return false;
try {
const P = Point.fromBytes(publicKey);
if (lowS && sig.hasHighS())
return false;
const { r, s } = sig;
const h = bits2int_modN(message); // mod n, not mod p
const is = Fn.inv(s); // s^-1 mod n
const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2)); // u1⋅G + u2⋅P
if (R.is0())
return false;
const v = Fn.create(R.x); // v = r.x mod n
return v === r;
}
catch (e) {
return false;
}
}
function recoverPublicKey(signature, message, opts = {}) {
const { prehash } = validateSigOpts(opts, defaultSigOpts);
message = validateMsgAndHash(message, prehash);
return Signature.fromBytes(signature, 'recovered').recoverPublicKey(message).toBytes();
}
return Object.freeze({
keygen,
getPublicKey,
getSharedSecret,
utils,
lengths,
Point,
sign,
verify,
recoverPublicKey,
Signature,
hash,
});
}
/** @deprecated use `weierstrass` in newer releases */
export function weierstrassPoints(c) {
const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
const Point = weierstrassN(CURVE, curveOpts);
return _weierstrass_new_output_to_legacy(c, Point);
}
function _weierstrass_legacy_opts_to_new(c) {
const CURVE = {
a: c.a,
b: c.b,
p: c.Fp.ORDER,
n: c.n,
h: c.h,
Gx: c.Gx,
Gy: c.Gy,
};
const Fp = c.Fp;
let allowedLengths = c.allowedPrivateKeyLengths
? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
: undefined;
const Fn = Field(CURVE.n, {
BITS: c.nBitLength,
allowedLengths: allowedLengths,
modFromBytes: c.wrapPrivateKey,
});
const curveOpts = {
Fp,
Fn,
allowInfinityPoint: c.allowInfinityPoint,
endo: c.endo,
isTorsionFree: c.isTorsionFree,
clearCofactor: c.clearCofactor,
fromBytes: c.fromBytes,
toBytes: c.toBytes,
};
return { CURVE, curveOpts };
}
function _ecdsa_legacy_opts_to_new(c) {
const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
const ecdsaOpts = {
hmac: c.hmac,
randomBytes: c.randomBytes,
lowS: c.lowS,
bits2int: c.bits2int,
bits2int_modN: c.bits2int_modN,
};
return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
}
export function _legacyHelperEquat(Fp, a, b) {
/**
* y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
* @returns y²
*/
function weierstrassEquation(x) {
const x2 = Fp.sqr(x); // x * x
const x3 = Fp.mul(x2, x); // x² * x
return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
}
return weierstrassEquation;
}
function _weierstrass_new_output_to_legacy(c, Point) {
const { Fp, Fn } = Point;
function isWithinCurveOrder(num) {
return inRange(num, _1n, Fn.ORDER);
}
const weierstrassEquation = _legacyHelperEquat(Fp, c.a, c.b);
return Object.assign({}, {
CURVE: c,
Point: Point,
ProjectivePoint: Point,
normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
weierstrassEquation,
isWithinCurveOrder,
});
}
function _ecdsa_new_output_to_legacy(c, _ecdsa) {
const Point = _ecdsa.Point;
return Object.assign({}, _ecdsa, {
ProjectivePoint: Point,
CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS)),
});
}
// _ecdsa_legacy
export function weierstrass(c) {
const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
const Point = weierstrassN(CURVE, curveOpts);
const signs = ecdsa(Point, hash, ecdsaOpts);
return _ecdsa_new_output_to_legacy(c, signs);
}
//# sourceMappingURL=weierstrass.js.map
Reference in New Issue View Git Blame Copy Permalink