yoyuz/my_site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修改后台权限

Browse Source
This commit is contained in:
yoyuzh
2026-03-24 14:30:59 +08:00
parent 00f902f475
commit b2d9db7be9
9310 changed files with 1246063 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
node_modules/@noble/curves/esm/_shortw_utils.d.ts generated vendored Normal file
View File

@@ -0,0 +1,19 @@
/**
* Utilities for short weierstrass curves, combined with noble-hashes.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type CurveFn, type CurveType } from './abstract/weierstrass.ts';
import type { CHash } from './utils.ts';
/** connects noble-curves to noble-hashes */
export declare function getHash(hash: CHash): {
hash: CHash;
};
/** Same API as @noble/hashes, with ability to create curve with custom hash */
export type CurveDef = Readonly<Omit<CurveType, 'hash'>>;
export type CurveFnWithCreate = CurveFn & {
create: (hash: CHash) => CurveFn;
};
/** @deprecated use new `weierstrass()` and `ecdsa()` methods */
export declare function createCurve(curveDef: CurveDef, defHash: CHash): CurveFnWithCreate;
//# sourceMappingURL=_shortw_utils.d.ts.map

1
node_modules/@noble/curves/esm/_shortw_utils.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_shortw_utils.d.ts","sourceRoot":"","sources":["../src/_shortw_utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAE,KAAK,OAAO,EAAE,KAAK,SAAS,EAAe,MAAM,2BAA2B,CAAC;AACtF,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,4CAA4C;AAC5C,wBAAgB,OAAO,CAAC,IAAI,EAAE,KAAK,GAAG;IAAE,IAAI,EAAE,KAAK,CAAA;CAAE,CAEpD;AACD,+EAA+E;AAC/E,MAAM,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;AACzD,MAAM,MAAM,iBAAiB,GAAG,OAAO,GAAG;IAAE,MAAM,EAAE,CAAC,IAAI,EAAE,KAAK,KAAK,OAAO,CAAA;CAAE,CAAC;AAE/E,gEAAgE;AAChE,wBAAgB,WAAW,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,GAAG,iBAAiB,CAGjF"}

16
node_modules/@noble/curves/esm/_shortw_utils.js generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* Utilities for short weierstrass curves, combined with noble-hashes.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { weierstrass } from "./abstract/weierstrass.js";
/** connects noble-curves to noble-hashes */
export function getHash(hash) {
return { hash };
}
/** @deprecated use new `weierstrass()` and `ecdsa()` methods */
export function createCurve(curveDef, defHash) {
const create = (hash) => weierstrass({ ...curveDef, hash: hash });
return { ...create(defHash), create };
}
//# sourceMappingURL=_shortw_utils.js.map

1
node_modules/@noble/curves/esm/_shortw_utils.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"_shortw_utils.js","sourceRoot":"","sources":["../src/_shortw_utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAgC,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAGtF,4CAA4C;AAC5C,MAAM,UAAU,OAAO,CAAC,IAAW;IACjC,OAAO,EAAE,IAAI,EAAE,CAAC;AAClB,CAAC;AAKD,gEAAgE;AAChE,MAAM,UAAU,WAAW,CAAC,QAAkB,EAAE,OAAc;IAC5D,MAAM,MAAM,GAAG,CAAC,IAAW,EAAW,EAAE,CAAC,WAAW,CAAC,EAAE,GAAG,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IAClF,OAAO,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;AACxC,CAAC"}

190
node_modules/@noble/curves/esm/abstract/bls.d.ts generated vendored Normal file
View File

@@ -0,0 +1,190 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type CHash, type Hex, type PrivKey } from '../utils.ts';
import { type H2CHasher, type H2CHashOpts, type H2COpts, type htfBasicOpts, type MapToCurve } from './hash-to-curve.ts';
import { type IField } from './modular.ts';
import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6Bls } from './tower.ts';
import { type CurvePointsRes, type CurvePointsType, type WeierstrassPoint, type WeierstrassPointCons } from './weierstrass.ts';
type Fp = bigint;
export type TwistType = 'multiplicative' | 'divisive';
export type ShortSignatureCoder<Fp> = {
fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp>;
fromHex(hex: Hex): WeierstrassPoint<Fp>;
toBytes(point: WeierstrassPoint<Fp>): Uint8Array;
toHex(point: WeierstrassPoint<Fp>): string;
/** @deprecated use `toBytes` */
toRawBytes(point: WeierstrassPoint<Fp>): Uint8Array;
};
export type SignatureCoder<Fp> = {
fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp>;
fromHex(hex: Hex): WeierstrassPoint<Fp>;
toBytes(point: WeierstrassPoint<Fp>): Uint8Array;
toHex(point: WeierstrassPoint<Fp>): string;
/** @deprecated use `toBytes` */
toRawBytes(point: WeierstrassPoint<Fp>): Uint8Array;
};
export type BlsFields = {
Fp: IField<Fp>;
Fr: IField<bigint>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
};
export type PostPrecomputePointAddFn = (Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2) => {
Rx: Fp2;
Ry: Fp2;
Rz: Fp2;
};
export type PostPrecomputeFn = (Rx: Fp2, Ry: Fp2, Rz: Fp2, Qx: Fp2, Qy: Fp2, pointAdd: PostPrecomputePointAddFn) => void;
export type BlsPairing = {
Fp12: Fp12Bls;
calcPairingPrecomputes: (p: WeierstrassPoint<Fp2>) => Precompute;
millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
pairing: (P: WeierstrassPoint<Fp>, Q: WeierstrassPoint<Fp2>, withFinalExponent?: boolean) => Fp12;
pairingBatch: (pairs: {
g1: WeierstrassPoint<Fp>;
g2: WeierstrassPoint<Fp2>;
}[], withFinalExponent?: boolean) => Fp12;
};
export type BlsPairingParams = {
ateLoopSize: bigint;
xNegative: boolean;
twistType: TwistType;
postPrecompute?: PostPrecomputeFn;
};
export type CurveType = {
G1: CurvePointsType<Fp> & {
ShortSignature: SignatureCoder<Fp>;
mapToCurve: MapToCurve<Fp>;
htfDefaults: H2COpts;
};
G2: CurvePointsType<Fp2> & {
Signature: SignatureCoder<Fp2>;
mapToCurve: MapToCurve<Fp2>;
htfDefaults: H2COpts;
};
fields: BlsFields;
params: {
ateLoopSize: BlsPairingParams['ateLoopSize'];
xNegative: BlsPairingParams['xNegative'];
r: bigint;
twistType: BlsPairingParams['twistType'];
};
htfDefaults: H2COpts;
hash: CHash;
randomBytes?: (bytesLength?: number) => Uint8Array;
postPrecompute?: PostPrecomputeFn;
};
type PrecomputeSingle = [Fp2, Fp2, Fp2][];
type Precompute = PrecomputeSingle[];
/**
* BLS consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
*/
export interface BLSCurvePair {
longSignatures: BLSSigs<bigint, Fp2>;
shortSignatures: BLSSigs<Fp2, bigint>;
millerLoopBatch: BlsPairing['millerLoopBatch'];
pairing: BlsPairing['pairing'];
pairingBatch: BlsPairing['pairingBatch'];
G1: {
Point: WeierstrassPointCons<bigint>;
} & H2CHasher<Fp>;
G2: {
Point: WeierstrassPointCons<Fp2>;
} & H2CHasher<Fp2>;
fields: {
Fp: IField<Fp>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
Fr: IField<bigint>;
};
utils: {
randomSecretKey: () => Uint8Array;
/** @deprecated use randomSecretKey */
randomPrivateKey: () => Uint8Array;
calcPairingPrecomputes: BlsPairing['calcPairingPrecomputes'];
};
}
export type CurveFn = BLSCurvePair & {
/** @deprecated use `longSignatures.getPublicKey` */
getPublicKey: (secretKey: PrivKey) => Uint8Array;
/** @deprecated use `shortSignatures.getPublicKey` */
getPublicKeyForShortSignatures: (secretKey: PrivKey) => Uint8Array;
/** @deprecated use `longSignatures.sign` */
sign: {
(message: Hex, secretKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
(message: WeierstrassPoint<Fp2>, secretKey: PrivKey, htfOpts?: htfBasicOpts): WeierstrassPoint<Fp2>;
};
/** @deprecated use `shortSignatures.sign` */
signShortSignature: {
(message: Hex, secretKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
(message: WeierstrassPoint<Fp>, secretKey: PrivKey, htfOpts?: htfBasicOpts): WeierstrassPoint<Fp>;
};
/** @deprecated use `longSignatures.verify` */
verify: (signature: Hex | WeierstrassPoint<Fp2>, message: Hex | WeierstrassPoint<Fp2>, publicKey: Hex | WeierstrassPoint<Fp>, htfOpts?: htfBasicOpts) => boolean;
/** @deprecated use `shortSignatures.verify` */
verifyShortSignature: (signature: Hex | WeierstrassPoint<Fp>, message: Hex | WeierstrassPoint<Fp>, publicKey: Hex | WeierstrassPoint<Fp2>, htfOpts?: htfBasicOpts) => boolean;
verifyBatch: (signature: Hex | WeierstrassPoint<Fp2>, messages: (Hex | WeierstrassPoint<Fp2>)[], publicKeys: (Hex | WeierstrassPoint<Fp>)[], htfOpts?: htfBasicOpts) => boolean;
/** @deprecated use `longSignatures.aggregatePublicKeys` */
aggregatePublicKeys: {
(publicKeys: Hex[]): Uint8Array;
(publicKeys: WeierstrassPoint<Fp>[]): WeierstrassPoint<Fp>;
};
/** @deprecated use `longSignatures.aggregateSignatures` */
aggregateSignatures: {
(signatures: Hex[]): Uint8Array;
(signatures: WeierstrassPoint<Fp2>[]): WeierstrassPoint<Fp2>;
};
/** @deprecated use `shortSignatures.aggregateSignatures` */
aggregateShortSignatures: {
(signatures: Hex[]): Uint8Array;
(signatures: WeierstrassPoint<Fp>[]): WeierstrassPoint<Fp>;
};
G1: CurvePointsRes<Fp> & H2CHasher<Fp>;
G2: CurvePointsRes<Fp2> & H2CHasher<Fp2>;
/** @deprecated use `longSignatures.Signature` */
Signature: SignatureCoder<Fp2>;
/** @deprecated use `shortSignatures.Signature` */
ShortSignature: ShortSignatureCoder<Fp>;
params: {
ateLoopSize: bigint;
r: bigint;
twistType: TwistType;
/** @deprecated */
G1b: bigint;
/** @deprecated */
G2b: Fp2;
};
};
type BLSInput = Hex | Uint8Array;
export interface BLSSigs<P, S> {
getPublicKey(secretKey: PrivKey): WeierstrassPoint<P>;
sign(hashedMessage: WeierstrassPoint<S>, secretKey: PrivKey): WeierstrassPoint<S>;
verify(signature: WeierstrassPoint<S> | BLSInput, message: WeierstrassPoint<S>, publicKey: WeierstrassPoint<P> | BLSInput): boolean;
verifyBatch: (signature: WeierstrassPoint<S> | BLSInput, messages: WeierstrassPoint<S>[], publicKeys: (WeierstrassPoint<P> | BLSInput)[]) => boolean;
aggregatePublicKeys(publicKeys: (WeierstrassPoint<P> | BLSInput)[]): WeierstrassPoint<P>;
aggregateSignatures(signatures: (WeierstrassPoint<S> | BLSInput)[]): WeierstrassPoint<S>;
hash(message: Uint8Array, DST?: string | Uint8Array, hashOpts?: H2CHashOpts): WeierstrassPoint<S>;
Signature: SignatureCoder<S>;
}
export declare function bls(CURVE: CurveType): CurveFn;
export {};
//# sourceMappingURL=bls.d.ts.map

1
node_modules/@noble/curves/esm/abstract/bls.d.ts.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

408
node_modules/@noble/curves/esm/abstract/bls.js generated vendored Normal file
View File

@@ -0,0 +1,408 @@
/**
* BLS != BLS.
* The file implements BLS (Boneh-Lynn-Shacham) signatures.
* Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
* families of pairing-friendly curves.
* Consists of two curves: G1 and G2:
* - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
* - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
* - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
* Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
* Pairing is used to aggregate and verify signatures.
* There are two modes of operation:
* - Long signatures: X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
* - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
* @module
**/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { abytes, ensureBytes, memoized, randomBytes, } from "../utils.js";
import { normalizeZ } from "./curve.js";
import { createHasher, } from "./hash-to-curve.js";
import { getMinHashLength, mapHashToField } from "./modular.js";
import { _normFnElement, weierstrassPoints, } from "./weierstrass.js";
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
// Not used with BLS12-381 (no sequential `11` in X). Useful for other curves.
function NAfDecomposition(a) {
const res = [];
// a>1 because of marker bit
for (; a > _1n; a >>= _1n) {
if ((a & _1n) === _0n)
res.unshift(0);
else if ((a & _3n) === _3n) {
res.unshift(-1);
a += _1n;
}
else
res.unshift(1);
}
return res;
}
function aNonEmpty(arr) {
if (!Array.isArray(arr) || arr.length === 0)
throw new Error('expected non-empty array');
}
// This should be enough for bn254, no need to export full stuff?
function createBlsPairing(fields, G1, G2, params) {
const { Fp2, Fp12 } = fields;
const { twistType, ateLoopSize, xNegative, postPrecompute } = params;
// Applies sparse multiplication as line function
let lineFunction;
if (twistType === 'multiplicative') {
lineFunction = (c0, c1, c2, f, Px, Py) => Fp12.mul014(f, c0, Fp2.mul(c1, Px), Fp2.mul(c2, Py));
}
else if (twistType === 'divisive') {
// NOTE: it should be [c0, c1, c2], but we use different order here to reduce complexity of
// precompute calculations.
lineFunction = (c0, c1, c2, f, Px, Py) => Fp12.mul034(f, Fp2.mul(c2, Py), Fp2.mul(c1, Px), c0);
}
else
throw new Error('bls: unknown twist type');
const Fp2div2 = Fp2.div(Fp2.ONE, Fp2.mul(Fp2.ONE, _2n));
function pointDouble(ell, Rx, Ry, Rz) {
const t0 = Fp2.sqr(Ry); // Ry²
const t1 = Fp2.sqr(Rz); // Rz²
const t2 = Fp2.mulByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
const t3 = Fp2.mul(t2, _3n); // 3 * T2
const t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
const c0 = Fp2.sub(t2, t0); // T2 - T0 (i)
const c1 = Fp2.mul(Fp2.sqr(Rx), _3n); // 3 * Rx²
const c2 = Fp2.neg(t4); // -T4 (-h)
ell.push([c0, c1, c2]);
Rx = Fp2.mul(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), Fp2div2); // ((T0 - T3) * Rx * Ry) / 2
Ry = Fp2.sub(Fp2.sqr(Fp2.mul(Fp2.add(t0, t3), Fp2div2)), Fp2.mul(Fp2.sqr(t2), _3n)); // ((T0 + T3) / 2)² - 3 * T2²
Rz = Fp2.mul(t0, t4); // T0 * T4
return { Rx, Ry, Rz };
}
function pointAdd(ell, Rx, Ry, Rz, Qx, Qy) {
// Addition
const t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
const t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
const c0 = Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)); // T0 * Qx - T1 * Qy == Ry * Qx - Rx * Qy
const c1 = Fp2.neg(t0); // -T0 == Qy * Rz - Ry
const c2 = t1; // == Rx - Qx * Rz
ell.push([c0, c1, c2]);
const t2 = Fp2.sqr(t1); // T1²
const t3 = Fp2.mul(t2, t1); // T2 * T1
const t4 = Fp2.mul(t2, Rx); // T2 * Rx
const t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
Rx = Fp2.mul(t1, t5); // T1 * T5
Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
Rz = Fp2.mul(Rz, t3); // Rz * T3
return { Rx, Ry, Rz };
}
// Pre-compute coefficients for sparse multiplication
// Point addition and point double calculations is reused for coefficients
// pointAdd happens only if bit set, so wNAF is reasonable. Unfortunately we cannot combine
// add + double in windowed precomputes here, otherwise it would be single op (since X is static)
const ATE_NAF = NAfDecomposition(ateLoopSize);
const calcPairingPrecomputes = memoized((point) => {
const p = point;
const { x, y } = p.toAffine();
// prettier-ignore
const Qx = x, Qy = y, negQy = Fp2.neg(y);
// prettier-ignore
let Rx = Qx, Ry = Qy, Rz = Fp2.ONE;
const ell = [];
for (const bit of ATE_NAF) {
const cur = [];
({ Rx, Ry, Rz } = pointDouble(cur, Rx, Ry, Rz));
if (bit)
({ Rx, Ry, Rz } = pointAdd(cur, Rx, Ry, Rz, Qx, bit === -1 ? negQy : Qy));
ell.push(cur);
}
if (postPrecompute) {
const last = ell[ell.length - 1];
postPrecompute(Rx, Ry, Rz, Qx, Qy, pointAdd.bind(null, last));
}
return ell;
});
function millerLoopBatch(pairs, withFinalExponent = false) {
let f12 = Fp12.ONE;
if (pairs.length) {
const ellLen = pairs[0][0].length;
for (let i = 0; i < ellLen; i++) {
f12 = Fp12.sqr(f12); // This allows us to do sqr only one time for all pairings
// NOTE: we apply multiple pairings in parallel here
for (const [ell, Px, Py] of pairs) {
for (const [c0, c1, c2] of ell[i])
f12 = lineFunction(c0, c1, c2, f12, Px, Py);
}
}
}
if (xNegative)
f12 = Fp12.conjugate(f12);
return withFinalExponent ? Fp12.finalExponentiate(f12) : f12;
}
// Calculates product of multiple pairings
// This up to x2 faster than just `map(({g1, g2})=>pairing({g1,g2}))`
function pairingBatch(pairs, withFinalExponent = true) {
const res = [];
// Cache precomputed toAffine for all points
normalizeZ(G1, pairs.map(({ g1 }) => g1));
normalizeZ(G2, pairs.map(({ g2 }) => g2));
for (const { g1, g2 } of pairs) {
if (g1.is0() || g2.is0())
throw new Error('pairing is not available for ZERO point');
// This uses toAffine inside
g1.assertValidity();
g2.assertValidity();
const Qa = g1.toAffine();
res.push([calcPairingPrecomputes(g2), Qa.x, Qa.y]);
}
return millerLoopBatch(res, withFinalExponent);
}
// Calculates bilinear pairing
function pairing(Q, P, withFinalExponent = true) {
return pairingBatch([{ g1: Q, g2: P }], withFinalExponent);
}
return {
Fp12, // NOTE: we re-export Fp12 here because pairing results are Fp12!
millerLoopBatch,
pairing,
pairingBatch,
calcPairingPrecomputes,
};
}
function createBlsSig(blsPairing, PubCurve, SigCurve, SignatureCoder, isSigG1) {
const { Fp12, pairingBatch } = blsPairing;
function normPub(point) {
return point instanceof PubCurve.Point ? point : PubCurve.Point.fromHex(point);
}
function normSig(point) {
return point instanceof SigCurve.Point ? point : SigCurve.Point.fromHex(point);
}
function amsg(m) {
if (!(m instanceof SigCurve.Point))
throw new Error(`expected valid message hashed to ${!isSigG1 ? 'G2' : 'G1'} curve`);
return m;
}
// What matters here is what point pairing API accepts as G1 or G2, not actual size or names
const pair = !isSigG1
? (a, b) => ({ g1: a, g2: b })
: (a, b) => ({ g1: b, g2: a });
return {
// P = pk x G
getPublicKey(secretKey) {
// TODO: replace with
// const sec = PubCurve.Point.Fn.fromBytes(secretKey);
const sec = _normFnElement(PubCurve.Point.Fn, secretKey);
return PubCurve.Point.BASE.multiply(sec);
},
// S = pk x H(m)
sign(message, secretKey, unusedArg) {
if (unusedArg != null)
throw new Error('sign() expects 2 arguments');
// TODO: replace with
// PubCurve.Point.Fn.fromBytes(secretKey)
const sec = _normFnElement(PubCurve.Point.Fn, secretKey);
amsg(message).assertValidity();
return message.multiply(sec);
},
// Checks if pairing of public key & hash is equal to pairing of generator & signature.
// e(P, H(m)) == e(G, S)
// e(S, G) == e(H(m), P)
verify(signature, message, publicKey, unusedArg) {
if (unusedArg != null)
throw new Error('verify() expects 3 arguments');
signature = normSig(signature);
publicKey = normPub(publicKey);
const P = publicKey.negate();
const G = PubCurve.Point.BASE;
const Hm = amsg(message);
const S = signature;
// This code was changed in 1.9.x:
// Before it was G.negate() in G2, now it's always pubKey.negate
// e(P, -Q)===e(-P, Q)==e(P, Q)^-1. Negate can be done anywhere (as long it is done once per pair).
// We just moving sign, but since pairing is multiplicative, we doing X * X^-1 = 1
const exp = pairingBatch([pair(P, Hm), pair(G, S)]);
return Fp12.eql(exp, Fp12.ONE);
},
// https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
// e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
// TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
verifyBatch(signature, messages, publicKeys) {
aNonEmpty(messages);
if (publicKeys.length !== messages.length)
throw new Error('amount of public keys and messages should be equal');
const sig = normSig(signature);
const nMessages = messages;
const nPublicKeys = publicKeys.map(normPub);
// NOTE: this works only for exact same object
const messagePubKeyMap = new Map();
for (let i = 0; i < nPublicKeys.length; i++) {
const pub = nPublicKeys[i];
const msg = nMessages[i];
let keys = messagePubKeyMap.get(msg);
if (keys === undefined) {
keys = [];
messagePubKeyMap.set(msg, keys);
}
keys.push(pub);
}
const paired = [];
const G = PubCurve.Point.BASE;
try {
for (const [msg, keys] of messagePubKeyMap) {
const groupPublicKey = keys.reduce((acc, msg) => acc.add(msg));
paired.push(pair(groupPublicKey, msg));
}
paired.push(pair(G.negate(), sig));
return Fp12.eql(pairingBatch(paired), Fp12.ONE);
}
catch {
return false;
}
},
// Adds a bunch of public key points together.
// pk1 + pk2 + pk3 = pkA
aggregatePublicKeys(publicKeys) {
aNonEmpty(publicKeys);
publicKeys = publicKeys.map((pub) => normPub(pub));
const agg = publicKeys.reduce((sum, p) => sum.add(p), PubCurve.Point.ZERO);
agg.assertValidity();
return agg;
},
// Adds a bunch of signature points together.
// pk1 + pk2 + pk3 = pkA
aggregateSignatures(signatures) {
aNonEmpty(signatures);
signatures = signatures.map((sig) => normSig(sig));
const agg = signatures.reduce((sum, s) => sum.add(s), SigCurve.Point.ZERO);
agg.assertValidity();
return agg;
},
hash(messageBytes, DST) {
abytes(messageBytes);
const opts = DST ? { DST } : undefined;
return SigCurve.hashToCurve(messageBytes, opts);
},
Signature: SignatureCoder,
};
}
// G1_Point: ProjConstructor<bigint>, G2_Point: ProjConstructor<Fp2>,
export function bls(CURVE) {
// Fields are specific for curve, so for now we'll need to pass them with opts
const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE.fields;
// Point on G1 curve: (x, y)
const G1_ = weierstrassPoints(CURVE.G1);
const G1 = Object.assign(G1_, createHasher(G1_.Point, CURVE.G1.mapToCurve, {
...CURVE.htfDefaults,
...CURVE.G1.htfDefaults,
}));
// Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
const G2_ = weierstrassPoints(CURVE.G2);
const G2 = Object.assign(G2_, createHasher(G2_.Point, CURVE.G2.mapToCurve, {
...CURVE.htfDefaults,
...CURVE.G2.htfDefaults,
}));
const pairingRes = createBlsPairing(CURVE.fields, G1.Point, G2.Point, {
...CURVE.params,
postPrecompute: CURVE.postPrecompute,
});
const { millerLoopBatch, pairing, pairingBatch, calcPairingPrecomputes } = pairingRes;
const longSignatures = createBlsSig(pairingRes, G1, G2, CURVE.G2.Signature, false);
const shortSignatures = createBlsSig(pairingRes, G2, G1, CURVE.G1.ShortSignature, true);
const rand = CURVE.randomBytes || randomBytes;
const randomSecretKey = () => {
const length = getMinHashLength(Fr.ORDER);
return mapHashToField(rand(length), Fr.ORDER);
};
const utils = {
randomSecretKey,
randomPrivateKey: randomSecretKey,
calcPairingPrecomputes,
};
const { ShortSignature } = CURVE.G1;
const { Signature } = CURVE.G2;
function normP1Hash(point, htfOpts) {
return point instanceof G1.Point
? point
: shortSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
}
function normP2Hash(point, htfOpts) {
return point instanceof G2.Point
? point
: longSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
}
function getPublicKey(privateKey) {
return longSignatures.getPublicKey(privateKey).toBytes(true);
}
function getPublicKeyForShortSignatures(privateKey) {
return shortSignatures.getPublicKey(privateKey).toBytes(true);
}
function sign(message, privateKey, htfOpts) {
const Hm = normP2Hash(message, htfOpts);
const S = longSignatures.sign(Hm, privateKey);
return message instanceof G2.Point ? S : Signature.toBytes(S);
}
function signShortSignature(message, privateKey, htfOpts) {
const Hm = normP1Hash(message, htfOpts);
const S = shortSignatures.sign(Hm, privateKey);
return message instanceof G1.Point ? S : ShortSignature.toBytes(S);
}
function verify(signature, message, publicKey, htfOpts) {
const Hm = normP2Hash(message, htfOpts);
return longSignatures.verify(signature, Hm, publicKey);
}
function verifyShortSignature(signature, message, publicKey, htfOpts) {
const Hm = normP1Hash(message, htfOpts);
return shortSignatures.verify(signature, Hm, publicKey);
}
function aggregatePublicKeys(publicKeys) {
const agg = longSignatures.aggregatePublicKeys(publicKeys);
return publicKeys[0] instanceof G1.Point ? agg : agg.toBytes(true);
}
function aggregateSignatures(signatures) {
const agg = longSignatures.aggregateSignatures(signatures);
return signatures[0] instanceof G2.Point ? agg : Signature.toBytes(agg);
}
function aggregateShortSignatures(signatures) {
const agg = shortSignatures.aggregateSignatures(signatures);
return signatures[0] instanceof G1.Point ? agg : ShortSignature.toBytes(agg);
}
function verifyBatch(signature, messages, publicKeys, htfOpts) {
const Hm = messages.map((m) => normP2Hash(m, htfOpts));
return longSignatures.verifyBatch(signature, Hm, publicKeys);
}
G1.Point.BASE.precompute(4);
return {
longSignatures,
shortSignatures,
millerLoopBatch,
pairing,
pairingBatch,
verifyBatch,
fields: {
Fr,
Fp,
Fp2,
Fp6,
Fp12,
},
params: {
ateLoopSize: CURVE.params.ateLoopSize,
twistType: CURVE.params.twistType,
// deprecated
r: CURVE.params.r,
G1b: CURVE.G1.b,
G2b: CURVE.G2.b,
},
utils,
// deprecated
getPublicKey,
getPublicKeyForShortSignatures,
sign,
signShortSignature,
verify,
verifyShortSignature,
aggregatePublicKeys,
aggregateSignatures,
aggregateShortSignatures,
G1,
G2,
Signature,
ShortSignature,
};
}
//# sourceMappingURL=bls.js.map

1
node_modules/@noble/curves/esm/abstract/bls.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

231
node_modules/@noble/curves/esm/abstract/curve.d.ts generated vendored Normal file
View File

@@ -0,0 +1,231 @@
import { type IField } from './modular.ts';
export type AffinePoint<T> = {
x: T;
y: T;
} & {
Z?: never;
};
export interface Group<T extends Group<T>> {
double(): T;
negate(): T;
add(other: T): T;
subtract(other: T): T;
equals(other: T): boolean;
multiply(scalar: bigint): T;
toAffine?(invertedZ?: any): AffinePoint<any>;
}
/** Base interface for all elliptic curve Points. */
export interface CurvePoint<F, P extends CurvePoint<F, P>> extends Group<P> {
/** Affine x coordinate. Different from projective / extended X coordinate. */
x: F;
/** Affine y coordinate. Different from projective / extended Y coordinate. */
y: F;
Z?: F;
double(): P;
negate(): P;
add(other: P): P;
subtract(other: P): P;
equals(other: P): boolean;
multiply(scalar: bigint): P;
assertValidity(): void;
clearCofactor(): P;
is0(): boolean;
isTorsionFree(): boolean;
isSmallOrder(): boolean;
multiplyUnsafe(scalar: bigint): P;
/**
* Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}.
* @param isLazy calculate cache now. Default (true) ensures it's deferred to first `multiply()`
*/
precompute(windowSize?: number, isLazy?: boolean): P;
/** Converts point to 2D xy affine coordinates */
toAffine(invertedZ?: F): AffinePoint<F>;
toBytes(): Uint8Array;
toHex(): string;
}
/** Base interface for all elliptic curve Point constructors. */
export interface CurvePointCons<P extends CurvePoint<any, P>> {
[Symbol.hasInstance]: (item: unknown) => boolean;
BASE: P;
ZERO: P;
/** Field for basic curve math */
Fp: IField<P_F<P>>;
/** Scalar field, for scalars in multiply and others */
Fn: IField<bigint>;
/** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */
fromAffine(p: AffinePoint<P_F<P>>): P;
fromBytes(bytes: Uint8Array): P;
fromHex(hex: Uint8Array | string): P;
}
/** Returns Fp type from Point (P_F<P> == P.F) */
export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never;
/** Returns Fp type from PointCons (PC_F<PC> == PC.P.F) */
export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO'];
/** Returns Point type from PointCons (PC_P<PC> == PC.P) */
export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO'];
export type PC_ANY = CurvePointCons<CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, any>>>>>>>>>>>;
export interface CurveLengths {
secretKey?: number;
publicKey?: number;
publicKeyUncompressed?: number;
publicKeyHasPrefix?: boolean;
signature?: number;
seed?: number;
}
export type GroupConstructor<T> = {
BASE: T;
ZERO: T;
};
/** @deprecated */
export type ExtendedGroupConstructor<T> = GroupConstructor<T> & {
Fp: IField<any>;
Fn: IField<bigint>;
fromAffine(ap: AffinePoint<any>): T;
};
export type Mapper<T> = (i: T[]) => T[];
export declare function negateCt<T extends {
negate: () => T;
}>(condition: boolean, item: T): T;
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
*/
export declare function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[]): P[];
/** Internal wNAF opts for specific W and scalarBits */
export type WOpts = {
windows: number;
windowSize: number;
mask: bigint;
maxNumber: number;
shiftBy: bigint;
};
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* @todo Research returning 2d JS array of windows, instead of a single window.
* This would allow windows to be in different memory locations
*/
export declare class wNAF<PC extends PC_ANY> {
private readonly BASE;
private readonly ZERO;
private readonly Fn;
readonly bits: number;
constructor(Point: PC, bits: number);
_unsafeLadder(elm: PC_P<PC>, n: bigint, p?: PC_P<PC>): PC_P<PC>;
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point Point instance
* @param W window size
* @returns precomputed point tables flattened to a single array
*/
private precomputeWindow;
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
private wNAF;
/**
* Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
* @param acc accumulator point to add result of multiplication
* @returns point
*/
private wNAFUnsafe;
private getPrecomputes;
cached(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>): {
p: PC_P<PC>;
f: PC_P<PC>;
};
unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC>;
createCache(P: PC_P<PC>, W: number): void;
hasCache(elm: PC_P<PC>): boolean;
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
*/
export declare function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(Point: PC, point: P, k1: bigint, k2: bigint): {
p1: P;
p2: P;
};
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @param scalars array of L scalars (aka secret keys / bigints)
*/
export declare function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, fieldN: IField<bigint>, points: P[], scalars: bigint[]): P;
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @returns function which multiplies points with scaars
*/
export declare function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, fieldN: IField<bigint>, points: P[], windowSize: number): (scalars: bigint[]) => P;
/**
* Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
* Though generator can be different (Fp2 / Fp6 for BLS).
*/
export type BasicCurve<T> = {
Fp: IField<T>;
n: bigint;
nBitLength?: number;
nByteLength?: number;
h: bigint;
hEff?: bigint;
Gx: T;
Gy: T;
allowInfinityPoint?: boolean;
};
/** @deprecated */
export declare function validateBasic<FP, T>(curve: BasicCurve<FP> & T): Readonly<{
readonly nBitLength: number;
readonly nByteLength: number;
} & BasicCurve<FP> & T & {
p: bigint;
}>;
export type ValidCurveParams<T> = {
p: bigint;
n: bigint;
h: bigint;
a: T;
b?: T;
d?: T;
Gx: T;
Gy: T;
};
export type FpFn<T> = {
Fp: IField<T>;
Fn: IField<bigint>;
};
/** Validates CURVE opts and creates fields */
export declare function _createCurveFields<T>(type: 'weierstrass' | 'edwards', CURVE: ValidCurveParams<T>, curveOpts?: Partial<FpFn<T>>, FpFnLE?: boolean): FpFn<T> & {
CURVE: ValidCurveParams<T>;
};
//# sourceMappingURL=curve.d.ts.map

1
node_modules/@noble/curves/esm/abstract/curve.d.ts.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

465
node_modules/@noble/curves/esm/abstract/curve.js generated vendored Normal file
View File

@@ -0,0 +1,465 @@
/**
* Methods for elliptic curve multiplication by scalars.
* Contains wNAF, pippenger.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitLen, bitMask, validateObject } from "../utils.js";
import { Field, FpInvertBatch, nLength, validateField } from "./modular.js";
const _0n = BigInt(0);
const _1n = BigInt(1);
export function negateCt(condition, item) {
const neg = item.negate();
return condition ? neg : item;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
*/
export function normalizeZ(c, points) {
const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
}
function validateW(W, bits) {
if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
}
function calcWOpts(W, scalarBits) {
validateW(W, scalarBits);
const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
const maxNumber = 2 ** W; // W=8 256
const mask = bitMask(W); // W=8 255 == mask 0b11111111
const shiftBy = BigInt(W); // W=8 8
return { windows, windowSize, mask, maxNumber, shiftBy };
}
function calcOffsets(n, window, wOpts) {
const { windowSize, mask, maxNumber, shiftBy } = wOpts;
let wbits = Number(n & mask); // extract W bits.
let nextN = n >> shiftBy; // shift number by W bits.
// What actually happens here:
// const highestBit = Number(mask ^ (mask >> 1n));
// let wbits2 = wbits - 1; // skip zero
// if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
// split if bits > max: +224 => 256-32
if (wbits > windowSize) {
// we skip zero, which means instead of `>= size-1`, we do `> size`
wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
nextN += _1n; // +256 (carry)
}
const offsetStart = window * windowSize;
const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
const isZero = wbits === 0; // is current window slice a 0?
const isNeg = wbits < 0; // is current window slice negative?
const isNegF = window % 2 !== 0; // fake random statement for noise
const offsetF = offsetStart; // fake offset for noise
return { nextN, offset, isZero, isNeg, isNegF, offsetF };
}
function validateMSMPoints(points, c) {
if (!Array.isArray(points))
throw new Error('array expected');
points.forEach((p, i) => {
if (!(p instanceof c))
throw new Error('invalid point at index ' + i);
});
}
function validateMSMScalars(scalars, field) {
if (!Array.isArray(scalars))
throw new Error('array of scalars expected');
scalars.forEach((s, i) => {
if (!field.isValid(s))
throw new Error('invalid scalar at index ' + i);
});
}
// Since points in different groups cannot be equal (different object constructor),
// we can have single place to store precomputes.
// Allows to make points frozen / immutable.
const pointPrecomputes = new WeakMap();
const pointWindowSizes = new WeakMap();
function getW(P) {
// To disable precomputes:
// return 1;
return pointWindowSizes.get(P) || 1;
}
function assert0(n) {
if (n !== _0n)
throw new Error('invalid wNAF');
}
/**
* Elliptic curve multiplication of Point by scalar. Fragile.
* Table generation takes **30MB of ram and 10ms on high-end CPU**,
* but may take much longer on slow devices. Actual generation will happen on
* first call of `multiply()`. By default, `BASE` point is precomputed.
*
* Scalars should always be less than curve order: this should be checked inside of a curve itself.
* Creates precomputation tables for fast multiplication:
* - private scalar is split by fixed size windows of W bits
* - every window point is collected from window's table & added to accumulator
* - since windows are different, same point inside tables won't be accessed more than once per calc
* - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
* - +1 window is neccessary for wNAF
* - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
*
* @todo Research returning 2d JS array of windows, instead of a single window.
* This would allow windows to be in different memory locations
*/
export class wNAF {
// Parametrized with a given Point class (not individual point)
constructor(Point, bits) {
this.BASE = Point.BASE;
this.ZERO = Point.ZERO;
this.Fn = Point.Fn;
this.bits = bits;
}
// non-const time multiplication ladder
_unsafeLadder(elm, n, p = this.ZERO) {
let d = elm;
while (n > _0n) {
if (n & _1n)
p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @param point Point instance
* @param W window size
* @returns precomputed point tables flattened to a single array
*/
precomputeWindow(point, W) {
const { windows, windowSize } = calcWOpts(W, this.bits);
const points = [];
let p = point;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
// i=1, bc we skip 0
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* More compact implementation:
* https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
* @returns real and fake (for const-time) points
*/
wNAF(W, precomputes, n) {
// Scalar should be smaller than field order
if (!this.Fn.isValid(n))
throw new Error('invalid scalar');
// Accumulators
let p = this.ZERO;
let f = this.BASE;
// This code was first written with assumption that 'f' and 'p' will never be infinity point:
// since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
// there is negate now: it is possible that negated element from low value
// would be the same as high element, which will create carry into next window.
// It's not obvious how this can fail, but still worth investigating later.
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
// (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// bits are 0: add garbage to fake point
// Important part for const-time getPublicKey: add random "noise" point to f.
f = f.add(negateCt(isNegF, precomputes[offsetF]));
}
else {
// bits are 1: add to result point
p = p.add(negateCt(isNeg, precomputes[offset]));
}
}
assert0(n);
// Return both real and fake points: JIT won't eliminate f.
// At this point there is a way to F be infinity-point even if p is not,
// which makes it less const-time: around 1 bigint multiply.
return { p, f };
}
/**
* Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
* @param acc accumulator point to add result of multiplication
* @returns point
*/
wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
const wo = calcWOpts(W, this.bits);
for (let window = 0; window < wo.windows; window++) {
if (n === _0n)
break; // Early-exit, skip 0 value
const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
n = nextN;
if (isZero) {
// Window bits are 0: skip processing.
// Move to next window.
continue;
}
else {
const item = precomputes[offset];
acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
}
}
assert0(n);
return acc;
}
getPrecomputes(W, point, transform) {
// Calculate precomputes on a first run, reuse them after
let comp = pointPrecomputes.get(point);
if (!comp) {
comp = this.precomputeWindow(point, W);
if (W !== 1) {
// Doing transform outside of if brings 15% perf hit
if (typeof transform === 'function')
comp = transform(comp);
pointPrecomputes.set(point, comp);
}
}
return comp;
}
cached(point, scalar, transform) {
const W = getW(point);
return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
}
unsafe(point, scalar, transform, prev) {
const W = getW(point);
if (W === 1)
return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
}
// We calculate precomputes for elliptic curve point multiplication
// using windowed method. This specifies window size and
// stores precomputed values. Usually only base point would be precomputed.
createCache(P, W) {
validateW(W, this.bits);
pointWindowSizes.set(P, W);
pointPrecomputes.delete(P);
}
hasCache(elm) {
return getW(elm) !== 1;
}
}
/**
* Endomorphism-specific multiplication for Koblitz curves.
* Cost: 128 dbl, 0-256 adds.
*/
export function mulEndoUnsafe(Point, point, k1, k2) {
let acc = point;
let p1 = Point.ZERO;
let p2 = Point.ZERO;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n)
p1 = p1.add(acc);
if (k2 & _1n)
p2 = p2.add(acc);
acc = acc.double();
k1 >>= _1n;
k2 >>= _1n;
}
return { p1, p2 };
}
/**
* Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* 30x faster vs naive addition on L=4096, 10x faster than precomputes.
* For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
* Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @param scalars array of L scalars (aka secret keys / bigints)
*/
export function pippenger(c, fieldN, points, scalars) {
// If we split scalars by some window (let's say 8 bits), every chunk will only
// take 256 buckets even if there are 4096 scalars, also re-uses double.
// TODO:
// - https://eprint.iacr.org/2024/750.pdf
// - https://tches.iacr.org/index.php/TCHES/article/view/10287
// 0 is accepted in scalars
validateMSMPoints(points, c);
validateMSMScalars(scalars, fieldN);
const plength = points.length;
const slength = scalars.length;
if (plength !== slength)
throw new Error('arrays of points and scalars must have equal length');
// if (plength === 0) throw new Error('array must be of length >= 2');
const zero = c.ZERO;
const wbits = bitLen(BigInt(plength));
let windowSize = 1; // bits
if (wbits > 12)
windowSize = wbits - 3;
else if (wbits > 4)
windowSize = wbits - 2;
else if (wbits > 0)
windowSize = 2;
const MASK = bitMask(windowSize);
const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
let sum = zero;
for (let i = lastBits; i >= 0; i -= windowSize) {
buckets.fill(zero);
for (let j = 0; j < slength; j++) {
const scalar = scalars[j];
const wbits = Number((scalar >> BigInt(i)) & MASK);
buckets[wbits] = buckets[wbits].add(points[j]);
}
let resI = zero; // not using this will do small speed-up, but will lose ct
// Skip first bucket, because it is zero
for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
sumI = sumI.add(buckets[j]);
resI = resI.add(sumI);
}
sum = sum.add(resI);
if (i !== 0)
for (let j = 0; j < windowSize; j++)
sum = sum.double();
}
return sum;
}
/**
* Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
* @param c Curve Point constructor
* @param fieldN field over CURVE.N - important that it's not over CURVE.P
* @param points array of L curve points
* @returns function which multiplies points with scaars
*/
export function precomputeMSMUnsafe(c, fieldN, points, windowSize) {
/**
* Performance Analysis of Window-based Precomputation
*
* Base Case (256-bit scalar, 8-bit window):
* - Standard precomputation requires:
* - 31 additions per scalar × 256 scalars = 7,936 ops
* - Plus 255 summary additions = 8,191 total ops
* Note: Summary additions can be optimized via accumulator
*
* Chunked Precomputation Analysis:
* - Using 32 chunks requires:
* - 255 additions per chunk
* - 256 doublings
* - Total: (255 × 32) + 256 = 8,416 ops
*
* Memory Usage Comparison:
* Window Size | Standard Points | Chunked Points
* ------------|-----------------|---------------
* 4-bit | 520 | 15
* 8-bit | 4,224 | 255
* 10-bit | 13,824 | 1,023
* 16-bit | 557,056 | 65,535
*
* Key Advantages:
* 1. Enables larger window sizes due to reduced memory overhead
* 2. More efficient for smaller scalar counts:
* - 16 chunks: (16 × 255) + 256 = 4,336 ops
* - ~2x faster than standard 8,191 ops
*
* Limitations:
* - Not suitable for plain precomputes (requires 256 constant doublings)
* - Performance degrades with larger scalar counts:
* - Optimal for ~256 scalars
* - Less efficient for 4096+ scalars (Pippenger preferred)
*/
validateW(windowSize, fieldN.BITS);
validateMSMPoints(points, c);
const zero = c.ZERO;
const tableSize = 2 ** windowSize - 1; // table size (without zero)
const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
const MASK = bitMask(windowSize);
const tables = points.map((p) => {
const res = [];
for (let i = 0, acc = p; i < tableSize; i++) {
res.push(acc);
acc = acc.add(p);
}
return res;
});
return (scalars) => {
validateMSMScalars(scalars, fieldN);
if (scalars.length > points.length)
throw new Error('array of scalars must be smaller than array of points');
let res = zero;
for (let i = 0; i < chunks; i++) {
// No need to double if accumulator is still zero.
if (res !== zero)
for (let j = 0; j < windowSize; j++)
res = res.double();
const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
for (let j = 0; j < scalars.length; j++) {
const n = scalars[j];
const curr = Number((n >> shiftBy) & MASK);
if (!curr)
continue; // skip zero scalars chunks
res = res.add(tables[j][curr - 1]);
}
}
return res;
};
}
// TODO: remove
/** @deprecated */
export function validateBasic(curve) {
validateField(curve.Fp);
validateObject(curve, {
n: 'bigint',
h: 'bigint',
Gx: 'field',
Gy: 'field',
}, {
nBitLength: 'isSafeInteger',
nByteLength: 'isSafeInteger',
});
// Set defaults
return Object.freeze({
...nLength(curve.n, curve.nBitLength),
...curve,
...{ p: curve.Fp.ORDER },
});
}
function createField(order, field, isLE) {
if (field) {
if (field.ORDER !== order)
throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
validateField(field);
return field;
}
else {
return Field(order, { isLE });
}
}
/** Validates CURVE opts and creates fields */
export function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
if (FpFnLE === undefined)
FpFnLE = type === 'edwards';
if (!CURVE || typeof CURVE !== 'object')
throw new Error(`expected valid ${type} CURVE object`);
for (const p of ['p', 'n', 'h']) {
const val = CURVE[p];
if (!(typeof val === 'bigint' && val > _0n))
throw new Error(`CURVE.${p} must be positive bigint`);
}
const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
const _b = type === 'weierstrass' ? 'b' : 'd';
const params = ['Gx', 'Gy', 'a', _b];
for (const p of params) {
// @ts-ignore
if (!Fp.isValid(CURVE[p]))
throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
}
CURVE = Object.freeze(Object.assign({}, CURVE));
return { CURVE, Fp, Fn };
}
//# sourceMappingURL=curve.js.map

1
node_modules/@noble/curves/esm/abstract/curve.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

243
node_modules/@noble/curves/esm/abstract/edwards.d.ts generated vendored Normal file
View File

@@ -0,0 +1,243 @@
/**
* Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
* For design rationale of types / exports, see weierstrass module documentation.
* Untwisted Edwards curves exist, but they aren't used in real-world protocols.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type FHash, type Hex } from '../utils.ts';
import { type AffinePoint, type BasicCurve, type CurveLengths, type CurvePoint, type CurvePointCons } from './curve.ts';
import { type IField, type NLength } from './modular.ts';
export type UVRatio = (u: bigint, v: bigint) => {
isValid: boolean;
value: bigint;
};
/** Instance of Extended Point with coordinates in X, Y, Z, T. */
export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
/** extended X coordinate. Different from affine x. */
readonly X: bigint;
/** extended Y coordinate. Different from affine y. */
readonly Y: bigint;
/** extended Z coordinate */
readonly Z: bigint;
/** extended T coordinate */
readonly T: bigint;
/** @deprecated use `toBytes` */
toRawBytes(): Uint8Array;
/** @deprecated use `p.precompute(windowSize)` */
_setWindowSize(windowSize: number): void;
/** @deprecated use .X */
readonly ex: bigint;
/** @deprecated use .Y */
readonly ey: bigint;
/** @deprecated use .Z */
readonly ez: bigint;
/** @deprecated use .T */
readonly et: bigint;
}
/** Static methods of Extended Point with coordinates in X, Y, Z, T. */
export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
CURVE(): EdwardsOpts;
fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
}
/** @deprecated use EdwardsPoint */
export type ExtPointType = EdwardsPoint;
/** @deprecated use EdwardsPointCons */
export type ExtPointConstructor = EdwardsPointCons;
/**
* Twisted Edwards curve options.
*
* * a: formula param
* * d: formula param
* * p: prime characteristic (order) of finite field, in which arithmetics is done
* * n: order of prime subgroup a.k.a total amount of valid curve points
* * h: cofactor. h*n is group order; n is subgroup order
* * Gx: x coordinate of generator point a.k.a. base point
* * Gy: y coordinate of generator point
*/
export type EdwardsOpts = Readonly<{
p: bigint;
n: bigint;
h: bigint;
a: bigint;
d: bigint;
Gx: bigint;
Gy: bigint;
}>;
/**
* Extra curve options for Twisted Edwards.
*
* * Fp: redefined Field over curve.p
* * Fn: redefined Field over curve.n
* * uvRatio: helper function for decompression, calculating √(u/v)
*/
export type EdwardsExtraOpts = Partial<{
Fp: IField<bigint>;
Fn: IField<bigint>;
FpFnLE: boolean;
uvRatio: (u: bigint, v: bigint) => {
isValid: boolean;
value: bigint;
};
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) options.
*
* * hash: hash function used to hash secret keys and messages
* * adjustScalarBytes: clears bits to get valid field element
* * domain: Used for hashing
* * mapToCurve: for hash-to-curve standard
* * prehash: RFC 8032 pre-hashing of messages to sign() / verify()
* * randomBytes: function generating random bytes, used for randomSecretKey
*/
export type EdDSAOpts = Partial<{
adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
mapToCurve: (scalar: bigint[]) => AffinePoint<bigint>;
prehash: FHash;
randomBytes: (bytesLength?: number) => Uint8Array;
}>;
/**
* EdDSA (Edwards Digital Signature algorithm) interface.
*
* Allows to create and verify signatures, create public and secret keys.
*/
export interface EdDSA {
keygen: (seed?: Uint8Array) => {
secretKey: Uint8Array;
publicKey: Uint8Array;
};
getPublicKey: (secretKey: Hex) => Uint8Array;
sign: (message: Hex, secretKey: Hex, options?: {
context?: Hex;
}) => Uint8Array;
verify: (sig: Hex, message: Hex, publicKey: Hex, options?: {
context?: Hex;
zip215: boolean;
}) => boolean;
Point: EdwardsPointCons;
utils: {
randomSecretKey: (seed?: Uint8Array) => Uint8Array;
isValidSecretKey: (secretKey: Uint8Array) => boolean;
isValidPublicKey: (publicKey: Uint8Array, zip215?: boolean) => boolean;
/**
* Converts ed public key to x public key.
*
* There is NO `fromMontgomery`:
* - There are 2 valid ed25519 points for every x25519, with flipped coordinate
* - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
* accepts inputs on the quadratic twist, which can't be moved to ed25519
*
* @example
* ```js
* const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
* const aPriv = x25519.utils.randomSecretKey();
* x25519.getSharedSecret(aPriv, ed25519.utils.toMontgomery(someonesPub))
* ```
*/
toMontgomery: (publicKey: Uint8Array) => Uint8Array;
/**
* Converts ed secret key to x secret key.
* @example
* ```js
* const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
* const aPriv = ed25519.utils.randomSecretKey();
* x25519.getSharedSecret(ed25519.utils.toMontgomerySecret(aPriv), someonesPub)
* ```
*/
toMontgomerySecret: (privateKey: Uint8Array) => Uint8Array;
getExtendedPublicKey: (key: Hex) => {
head: Uint8Array;
prefix: Uint8Array;
scalar: bigint;
point: EdwardsPoint;
pointBytes: Uint8Array;
};
/** @deprecated use `randomSecretKey` */
randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `point.precompute()` */
precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
};
lengths: CurveLengths;
}
export declare function edwards(params: EdwardsOpts, extraOpts?: EdwardsExtraOpts): EdwardsPointCons;
/**
* Base class for prime-order points like Ristretto255 and Decaf448.
* These points eliminate cofactor issues by representing equivalence classes
* of Edwards curve points.
*/
export declare abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>> implements CurvePoint<bigint, T> {
static BASE: PrimeEdwardsPoint<any>;
static ZERO: PrimeEdwardsPoint<any>;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
protected readonly ep: EdwardsPoint;
constructor(ep: EdwardsPoint);
abstract toBytes(): Uint8Array;
abstract equals(other: T): boolean;
static fromBytes(_bytes: Uint8Array): any;
static fromHex(_hex: Hex): any;
get x(): bigint;
get y(): bigint;
clearCofactor(): T;
assertValidity(): void;
toAffine(invertedZ?: bigint): AffinePoint<bigint>;
toHex(): string;
toString(): string;
isTorsionFree(): boolean;
isSmallOrder(): boolean;
add(other: T): T;
subtract(other: T): T;
multiply(scalar: bigint): T;
multiplyUnsafe(scalar: bigint): T;
double(): T;
negate(): T;
precompute(windowSize?: number, isLazy?: boolean): T;
abstract is0(): boolean;
protected abstract assertSame(other: T): void;
protected abstract init(ep: EdwardsPoint): T;
/** @deprecated use `toBytes` */
toRawBytes(): Uint8Array;
}
/**
* Initializes EdDSA signatures over given Edwards curve.
*/
export declare function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts?: EdDSAOpts): EdDSA;
export type CurveType = BasicCurve<bigint> & {
a: bigint;
d: bigint;
/** @deprecated the property will be removed in next release */
hash: FHash;
randomBytes?: (bytesLength?: number) => Uint8Array;
adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
uvRatio?: UVRatio;
prehash?: FHash;
mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>;
};
export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
export type CurveFn = {
/** @deprecated the property will be removed in next release */
CURVE: CurveType;
keygen: EdDSA['keygen'];
getPublicKey: EdDSA['getPublicKey'];
sign: EdDSA['sign'];
verify: EdDSA['verify'];
Point: EdwardsPointCons;
/** @deprecated use `Point` */
ExtendedPoint: EdwardsPointCons;
utils: EdDSA['utils'];
lengths: CurveLengths;
};
export type EdComposed = {
CURVE: EdwardsOpts;
curveOpts: EdwardsExtraOpts;
hash: FHash;
eddsaOpts: EdDSAOpts;
};
export declare function twistedEdwards(c: CurveTypeWithLength): CurveFn;
//# sourceMappingURL=edwards.d.ts.map

1
node_modules/@noble/curves/esm/abstract/edwards.d.ts.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

627
node_modules/@noble/curves/esm/abstract/edwards.js generated vendored Normal file
View File

@@ -0,0 +1,627 @@
/**
* Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
* For design rationale of types / exports, see weierstrass module documentation.
* Untwisted Edwards curves exist, but they aren't used in real-world protocols.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { _validateObject, _abool2 as abool, _abytes2 as abytes, aInRange, bytesToHex, bytesToNumberLE, concatBytes, copyBytes, ensureBytes, isBytes, memoized, notImplemented, randomBytes as randomBytesWeb, } from "../utils.js";
import { _createCurveFields, normalizeZ, pippenger, wNAF, } from "./curve.js";
import { Field } from "./modular.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
function isEdValidXY(Fp, CURVE, x, y) {
const x2 = Fp.sqr(x);
const y2 = Fp.sqr(y);
const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
return Fp.eql(left, right);
}
export function edwards(params, extraOpts = {}) {
const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
const { Fp, Fn } = validated;
let CURVE = validated.CURVE;
const { h: cofactor } = CURVE;
_validateObject(extraOpts, {}, { uvRatio: 'function' });
// Important:
// There are some places where Fp.BYTES is used instead of nByteLength.
// So far, everything has been tested with curves of Fp.BYTES == nByteLength.
// TODO: test and find curves which behave otherwise.
const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
const modP = (n) => Fp.create(n); // Function overrides
// sqrt(u/v)
const uvRatio = extraOpts.uvRatio ||
((u, v) => {
try {
return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
}
catch (e) {
return { isValid: false, value: _0n };
}
});
// Validate whether the passed curve params are valid.
// equation ax² + y² = 1 + dx²y² should work for generator point.
if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
throw new Error('bad curve params: generator point');
/**
* Asserts coordinate is valid: 0 <= n < MASK.
* Coordinates >= Fp.ORDER are allowed for zip215.
*/
function acoord(title, n, banZero = false) {
const min = banZero ? _1n : _0n;
aInRange('coordinate ' + title, n, min, MASK);
return n;
}
function aextpoint(other) {
if (!(other instanceof Point))
throw new Error('ExtendedPoint expected');
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
const toAffineMemo = memoized((p, iz) => {
const { X, Y, Z } = p;
const is0 = p.is0();
if (iz == null)
iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily
const x = modP(X * iz);
const y = modP(Y * iz);
const zz = Fp.mul(Z, iz);
if (is0)
return { x: _0n, y: _1n };
if (zz !== _1n)
throw new Error('invZ was invalid');
return { x, y };
});
const assertValidMemo = memoized((p) => {
const { a, d } = CURVE;
if (p.is0())
throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
// Equation in affine coordinates: ax² + y² = 1 + dx²y²
// Equation in projective coordinates (X/Z, Y/Z, Z): (aX² + Y²)Z² = Z⁴ + dX²Y²
const { X, Y, Z, T } = p;
const X2 = modP(X * X); // X²
const Y2 = modP(Y * Y); // Y²
const Z2 = modP(Z * Z); // Z²
const Z4 = modP(Z2 * Z2); // Z⁴
const aX2 = modP(X2 * a); // aX²
const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
if (left !== right)
throw new Error('bad point: equation left != right (1)');
// In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
const XY = modP(X * Y);
const ZT = modP(Z * T);
if (XY !== ZT)
throw new Error('bad point: equation left != right (2)');
return true;
});
// Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
// https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
class Point {
constructor(X, Y, Z, T) {
this.X = acoord('x', X);
this.Y = acoord('y', Y);
this.Z = acoord('z', Z, true);
this.T = acoord('t', T);
Object.freeze(this);
}
static CURVE() {
return CURVE;
}
static fromAffine(p) {
if (p instanceof Point)
throw new Error('extended point not allowed');
const { x, y } = p || {};
acoord('x', x);
acoord('y', y);
return new Point(x, y, _1n, modP(x * y));
}
// Uses algo from RFC8032 5.1.3.
static fromBytes(bytes, zip215 = false) {
const len = Fp.BYTES;
const { a, d } = CURVE;
bytes = copyBytes(abytes(bytes, len, 'point'));
abool(zip215, 'zip215');
const normed = copyBytes(bytes); // copy again, we'll manipulate it
const lastByte = bytes[len - 1]; // select last byte
normed[len - 1] = lastByte & ~0x80; // clear last bit
const y = bytesToNumberLE(normed);
// zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
// RFC8032 prohibits >= p, but ZIP215 doesn't
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
const max = zip215 ? MASK : Fp.ORDER;
aInRange('point.y', y, _0n, max);
// Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
// ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
const y2 = modP(y * y); // denominator is always non-0 mod p.
const u = modP(y2 - _1n); // u = y² - 1
const v = modP(d * y2 - a); // v = d y² + 1.
let { isValid, value: x } = uvRatio(u, v); // √(u/v)
if (!isValid)
throw new Error('bad point: invalid y coordinate');
const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
if (!zip215 && x === _0n && isLastByteOdd)
// if x=0 and x_0 = 1, fail
throw new Error('bad point: x=0 and x_0=1');
if (isLastByteOdd !== isXOdd)
x = modP(-x); // if x_0 != x mod 2, set x = p-x
return Point.fromAffine({ x, y });
}
static fromHex(bytes, zip215 = false) {
return Point.fromBytes(ensureBytes('point', bytes), zip215);
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
precompute(windowSize = 8, isLazy = true) {
wnaf.createCache(this, windowSize);
if (!isLazy)
this.multiply(_2n); // random number
return this;
}
// Useful in fromAffine() - not for fromBytes(), which always created valid points.
assertValidity() {
assertValidMemo(this);
}
// Compare one point to another.
equals(other) {
aextpoint(other);
const { X: X1, Y: Y1, Z: Z1 } = this;
const { X: X2, Y: Y2, Z: Z2 } = other;
const X1Z2 = modP(X1 * Z2);
const X2Z1 = modP(X2 * Z1);
const Y1Z2 = modP(Y1 * Z2);
const Y2Z1 = modP(Y2 * Z1);
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
}
is0() {
return this.equals(Point.ZERO);
}
negate() {
// Flips point sign to a negative one (-x, y in affine coords)
return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
}
// Fast algo for doubling Extended Point.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
// Cost: 4M + 4S + 1*a + 6add + 1*2.
double() {
const { a } = CURVE;
const { X: X1, Y: Y1, Z: Z1 } = this;
const A = modP(X1 * X1); // A = X12
const B = modP(Y1 * Y1); // B = Y12
const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
const D = modP(a * A); // D = a*A
const x1y1 = X1 + Y1;
const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
const G = D + B; // G = D+B
const F = G - C; // F = G-C
const H = D - B; // H = D-B
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
// Fast algo for adding 2 Extended Points.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
// Cost: 9M + 1*a + 1*d + 7add.
add(other) {
aextpoint(other);
const { a, d } = CURVE;
const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
const A = modP(X1 * X2); // A = X1*X2
const B = modP(Y1 * Y2); // B = Y1*Y2
const C = modP(T1 * d * T2); // C = T1*d*T2
const D = modP(Z1 * Z2); // D = Z1*Z2
const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
const F = D - C; // F = D-C
const G = D + C; // G = D+C
const H = modP(B - a * A); // H = B-a*A
const X3 = modP(E * F); // X3 = E*F
const Y3 = modP(G * H); // Y3 = G*H
const T3 = modP(E * H); // T3 = E*H
const Z3 = modP(F * G); // Z3 = F*G
return new Point(X3, Y3, Z3, T3);
}
subtract(other) {
return this.add(other.negate());
}
// Constant-time multiplication.
multiply(scalar) {
// 1 <= scalar < L
if (!Fn.isValidNot0(scalar))
throw new Error('invalid scalar: expected 1 <= sc < curve.n');
const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
return normalizeZ(Point, [p, f])[0];
}
// Non-constant-time multiplication. Uses double-and-add algorithm.
// It's faster, but should only be used when you don't care about
// an exposed private key e.g. sig verification.
// Does NOT allow scalars higher than CURVE.n.
// Accepts optional accumulator to merge with multiply (important for sparse scalars)
multiplyUnsafe(scalar, acc = Point.ZERO) {
// 0 <= scalar < L
if (!Fn.isValid(scalar))
throw new Error('invalid scalar: expected 0 <= sc < curve.n');
if (scalar === _0n)
return Point.ZERO;
if (this.is0() || scalar === _1n)
return this;
return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);
}
// Checks if point is of small order.
// If you add something to small order point, you will have "dirty"
// point with torsion component.
// Multiplies point by cofactor and checks if the result is 0.
isSmallOrder() {
return this.multiplyUnsafe(cofactor).is0();
}
// Multiplies point by curve order and checks if the result is 0.
// Returns `false` is the point is dirty.
isTorsionFree() {
return wnaf.unsafe(this, CURVE.n).is0();
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
toAffine(invertedZ) {
return toAffineMemo(this, invertedZ);
}
clearCofactor() {
if (cofactor === _1n)
return this;
return this.multiplyUnsafe(cofactor);
}
toBytes() {
const { x, y } = this.toAffine();
// Fp.toBytes() allows non-canonical encoding of y (>= p).
const bytes = Fp.toBytes(y);
// Each y has 2 valid points: (x, y), (x,-y).
// When compressing, it's enough to store y and use the last byte to encode sign of x
bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;
return bytes;
}
toHex() {
return bytesToHex(this.toBytes());
}
toString() {
return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
}
// TODO: remove
get ex() {
return this.X;
}
get ey() {
return this.Y;
}
get ez() {
return this.Z;
}
get et() {
return this.T;
}
static normalizeZ(points) {
return normalizeZ(Point, points);
}
static msm(points, scalars) {
return pippenger(Point, Fn, points, scalars);
}
_setWindowSize(windowSize) {
this.precompute(windowSize);
}
toRawBytes() {
return this.toBytes();
}
}
// base / generator point
Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
// zero / infinity / identity point
Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
// math field
Point.Fp = Fp;
// scalar field
Point.Fn = Fn;
const wnaf = new wNAF(Point, Fn.BITS);
Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
return Point;
}
/**
* Base class for prime-order points like Ristretto255 and Decaf448.
* These points eliminate cofactor issues by representing equivalence classes
* of Edwards curve points.
*/
export class PrimeEdwardsPoint {
constructor(ep) {
this.ep = ep;
}
// Static methods that must be implemented by subclasses
static fromBytes(_bytes) {
notImplemented();
}
static fromHex(_hex) {
notImplemented();
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
// Common implementations
clearCofactor() {
// no-op for prime-order groups
return this;
}
assertValidity() {
this.ep.assertValidity();
}
toAffine(invertedZ) {
return this.ep.toAffine(invertedZ);
}
toHex() {
return bytesToHex(this.toBytes());
}
toString() {
return this.toHex();
}
isTorsionFree() {
return true;
}
isSmallOrder() {
return false;
}
add(other) {
this.assertSame(other);
return this.init(this.ep.add(other.ep));
}
subtract(other) {
this.assertSame(other);
return this.init(this.ep.subtract(other.ep));
}
multiply(scalar) {
return this.init(this.ep.multiply(scalar));
}
multiplyUnsafe(scalar) {
return this.init(this.ep.multiplyUnsafe(scalar));
}
double() {
return this.init(this.ep.double());
}
negate() {
return this.init(this.ep.negate());
}
precompute(windowSize, isLazy) {
return this.init(this.ep.precompute(windowSize, isLazy));
}
/** @deprecated use `toBytes` */
toRawBytes() {
return this.toBytes();
}
}
/**
* Initializes EdDSA signatures over given Edwards curve.
*/
export function eddsa(Point, cHash, eddsaOpts = {}) {
if (typeof cHash !== 'function')
throw new Error('"hash" function param is required');
_validateObject(eddsaOpts, {}, {
adjustScalarBytes: 'function',
randomBytes: 'function',
domain: 'function',
prehash: 'function',
mapToCurve: 'function',
});
const { prehash } = eddsaOpts;
const { BASE, Fp, Fn } = Point;
const randomBytes = eddsaOpts.randomBytes || randomBytesWeb;
const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
const domain = eddsaOpts.domain ||
((data, ctx, phflag) => {
abool(phflag, 'phflag');
if (ctx.length || phflag)
throw new Error('Contexts/pre-hash are not supported');
return data;
}); // NOOP
// Little-endian SHA512 with modulo n
function modN_LE(hash) {
return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit
}
// Get the hashed private scalar per RFC8032 5.1.5
function getPrivateScalar(key) {
const len = lengths.secretKey;
key = ensureBytes('private key', key, len);
// Hash private key with curve's hash function to produce uniformingly random input
// Check byte lengths: ensure(64, h(ensure(32, key)))
const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);
const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
const scalar = modN_LE(head); // The actual private scalar
return { head, prefix, scalar };
}
/** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
function getExtendedPublicKey(secretKey) {
const { head, prefix, scalar } = getPrivateScalar(secretKey);
const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
const pointBytes = point.toBytes();
return { head, prefix, scalar, point, pointBytes };
}
/** Calculates EdDSA pub key. RFC8032 5.1.5. */
function getPublicKey(secretKey) {
return getExtendedPublicKey(secretKey).pointBytes;
}
// int('LE', SHA512(dom2(F, C) || msgs)) mod N
function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
const msg = concatBytes(...msgs);
return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
}
/** Signs message with privateKey. RFC8032 5.1.6 */
function sign(msg, secretKey, options = {}) {
msg = ensureBytes('message', msg);
if (prehash)
msg = prehash(msg); // for ed25519ph etc.
const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
const R = BASE.multiply(r).toBytes(); // R = rG
const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
if (!Fn.isValid(s))
throw new Error('sign failed: invalid s'); // 0 <= s < L
const rs = concatBytes(R, Fn.toBytes(s));
return abytes(rs, lengths.signature, 'result');
}
// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
const verifyOpts = { zip215: true };
/**
* Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
* An extended group equation is checked.
*/
function verify(sig, msg, publicKey, options = verifyOpts) {
const { context, zip215 } = options;
const len = lengths.signature;
sig = ensureBytes('signature', sig, len);
msg = ensureBytes('message', msg);
publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);
if (zip215 !== undefined)
abool(zip215, 'zip215');
if (prehash)
msg = prehash(msg); // for ed25519ph, etc
const mid = len / 2;
const r = sig.subarray(0, mid);
const s = bytesToNumberLE(sig.subarray(mid, len));
let A, R, SB;
try {
// zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
// zip215=true: 0 <= y < MASK (2^256 for ed25519)
// zip215=false: 0 <= y < P (2^255-19 for ed25519)
A = Point.fromBytes(publicKey, zip215);
R = Point.fromBytes(r, zip215);
SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
}
catch (error) {
return false;
}
if (!zip215 && A.isSmallOrder())
return false; // zip215 allows public keys of small order
const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
const RkA = R.add(A.multiplyUnsafe(k));
// Extended group equation
// [8][S]B = [8]R + [8][k]A'
return RkA.subtract(SB).clearCofactor().is0();
}
const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
const lengths = {
secretKey: _size,
publicKey: _size,
signature: 2 * _size,
seed: _size,
};
function randomSecretKey(seed = randomBytes(lengths.seed)) {
return abytes(seed, lengths.seed, 'seed');
}
function keygen(seed) {
const secretKey = utils.randomSecretKey(seed);
return { secretKey, publicKey: getPublicKey(secretKey) };
}
function isValidSecretKey(key) {
return isBytes(key) && key.length === Fn.BYTES;
}
function isValidPublicKey(key, zip215) {
try {
return !!Point.fromBytes(key, zip215);
}
catch (error) {
return false;
}
}
const utils = {
getExtendedPublicKey,
randomSecretKey,
isValidSecretKey,
isValidPublicKey,
/**
* Converts ed public key to x public key. Uses formula:
* - ed25519:
* - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
* - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
* - ed448:
* - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
* - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
*/
toMontgomery(publicKey) {
const { y } = Point.fromBytes(publicKey);
const size = lengths.publicKey;
const is25519 = size === 32;
if (!is25519 && size !== 57)
throw new Error('only defined for 25519 and 448');
const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
return Fp.toBytes(u);
},
toMontgomerySecret(secretKey) {
const size = lengths.secretKey;
abytes(secretKey, size);
const hashed = cHash(secretKey.subarray(0, size));
return adjustScalarBytes(hashed).subarray(0, size);
},
/** @deprecated */
randomPrivateKey: randomSecretKey,
/** @deprecated */
precompute(windowSize = 8, point = Point.BASE) {
return point.precompute(windowSize, false);
},
};
return Object.freeze({
keygen,
getPublicKey,
sign,
verify,
utils,
Point,
lengths,
});
}
function _eddsa_legacy_opts_to_new(c) {
const CURVE = {
a: c.a,
d: c.d,
p: c.Fp.ORDER,
n: c.n,
h: c.h,
Gx: c.Gx,
Gy: c.Gy,
};
const Fp = c.Fp;
const Fn = Field(CURVE.n, c.nBitLength, true);
const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };
const eddsaOpts = {
randomBytes: c.randomBytes,
adjustScalarBytes: c.adjustScalarBytes,
domain: c.domain,
prehash: c.prehash,
mapToCurve: c.mapToCurve,
};
return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
}
function _eddsa_new_output_to_legacy(c, eddsa) {
const Point = eddsa.Point;
const legacy = Object.assign({}, eddsa, {
ExtendedPoint: Point,
CURVE: c,
nBitLength: Point.Fn.BITS,
nByteLength: Point.Fn.BYTES,
});
return legacy;
}
// TODO: remove. Use eddsa
export function twistedEdwards(c) {
const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
const Point = edwards(CURVE, curveOpts);
const EDDSA = eddsa(Point, hash, eddsaOpts);
return _eddsa_new_output_to_legacy(c, EDDSA);
}
//# sourceMappingURL=edwards.js.map

1
node_modules/@noble/curves/esm/abstract/edwards.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

122
node_modules/@noble/curves/esm/abstract/fft.d.ts generated vendored Normal file
View File

@@ -0,0 +1,122 @@
/**
* Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
* API may change at any time. The code has not been audited. Feature requests are welcome.
* @module
*/
import type { IField } from './modular.ts';
export interface MutableArrayLike<T> {
[index: number]: T;
length: number;
slice(start?: number, end?: number): this;
[Symbol.iterator](): Iterator<T>;
}
/** Checks if integer is in form of `1 << X` */
export declare function isPowerOfTwo(x: number): boolean;
export declare function nextPowerOfTwo(n: number): number;
export declare function reverseBits(n: number, bits: number): number;
/** Similar to `bitLen(x)-1` but much faster for small integers, like indices */
export declare function log2(n: number): number;
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
*/
export declare function bitReversalInplace<T extends MutableArrayLike<any>>(values: T): T;
export declare function bitReversalPermutation<T>(values: T[]): T[];
export type RootsOfUnity = {
roots: (bits: number) => bigint[];
brp(bits: number): bigint[];
inverse(bits: number): bigint[];
omega: (bits: number) => bigint;
clear: () => void;
};
/** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */
export declare function rootsOfUnity(field: IField<bigint>, generator?: bigint): RootsOfUnity;
export type Polynomial<T> = MutableArrayLike<T>;
/**
* Maps great to Field<bigint>, but not to Group (EC points):
* - inv from scalar field
* - we need multiplyUnsafe here, instead of multiply for speed
* - multiplyUnsafe is safe in the context: we do mul(rootsOfUnity), which are public and sparse
*/
export type FFTOpts<T, R> = {
add: (a: T, b: T) => T;
sub: (a: T, b: T) => T;
mul: (a: T, scalar: R) => T;
inv: (a: R) => R;
};
export type FFTCoreOpts<R> = {
N: number;
roots: Polynomial<R>;
dit: boolean;
invertButterflies?: boolean;
skipStages?: number;
brp?: boolean;
};
export type FFTCoreLoop<T> = <P extends Polynomial<T>>(values: P) => P;
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves -> root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root -> leaves), GentlemanSande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
*/
export declare const FFTCore: <T, R>(F: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>) => FFTCoreLoop<T>;
export type FFTMethods<T> = {
direct<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
inverse<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
*/
export declare function FFT<T>(roots: RootsOfUnity, opts: FFTOpts<T, bigint>): FFTMethods<T>;
export type CreatePolyFn<P extends Polynomial<T>, T> = (len: number, elm?: T) => P;
export type PolyFn<P extends Polynomial<T>, T> = {
roots: RootsOfUnity;
create: CreatePolyFn<P, T>;
length?: number;
degree: (a: P) => number;
extend: (a: P, len: number) => P;
add: (a: P, b: P) => P;
sub: (a: P, b: P) => P;
mul: (a: P, b: P | T) => P;
dot: (a: P, b: P) => P;
convolve: (a: P, b: P) => P;
shift: (p: P, factor: bigint) => P;
clone: (a: P) => P;
eval: (a: P, basis: P) => T;
monomial: {
basis: (x: T, n: number) => P;
eval: (a: P, x: T) => T;
};
lagrange: {
basis: (x: T, n: number, brp?: boolean) => P;
eval: (a: P, x: T, brp?: boolean) => T;
};
vanishing: (roots: P) => P;
};
/**
* Poly wants a cracker.
*
* Polynomials are functions like `y=f(x)`, which means when we multiply two polynomials, result is
* function `f3(x) = f1(x) * f2(x)`, we don't multiply values. Key takeaways:
*
* - **Polynomial** is an array of coefficients: `f(x) = sum(coeff[i] * basis[i](x))`
* - **Basis** is array of functions
* - **Monominal** is Polynomial where `basis[i](x) == x**i` (powers)
* - **Array size** is domain size
* - **Lattice** is matrix (Polynomial of Polynomials)
*/
export declare function poly<T>(field: IField<T>, roots: RootsOfUnity, create?: undefined, fft?: FFTMethods<T>, length?: number): PolyFn<T[], T>;
export declare function poly<T, P extends Polynomial<T>>(field: IField<T>, roots: RootsOfUnity, create: CreatePolyFn<P, T>, fft?: FFTMethods<T>, length?: number): PolyFn<P, T>;
//# sourceMappingURL=fft.d.ts.map

1
node_modules/@noble/curves/esm/abstract/fft.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"fft.d.ts","sourceRoot":"","sources":["../../src/abstract/fft.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAE3C,MAAM,WAAW,gBAAgB,CAAC,CAAC;IACjC,CAAC,KAAK,EAAE,MAAM,GAAG,CAAC,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1C,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,CAAC;CAClC;AASD,+CAA+C;AAC/C,wBAAgB,YAAY,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAG/C;AAED,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAIhD;AAED,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAK3D;AAED,gFAAgF;AAChF,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAGtC;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,gBAAgB,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAchF;AAED,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,CAE1D;AASD,MAAM,MAAM,YAAY,GAAG;IACzB,KAAK,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;IAClC,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAChC,KAAK,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,CAAC;IAChC,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB,CAAC;AACF,wFAAwF;AACxF,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,YAAY,CAiEpF;AAED,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC,CAAC;AAEhD;;;;;GAKG;AACH,MAAM,MAAM,OAAO,CAAC,CAAC,EAAE,CAAC,IAAI;IAC1B,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC;IAC5B,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI;IAC3B,CAAC,EAAE,MAAM,CAAC;IACV,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC;IACrB,GAAG,EAAE,OAAO,CAAC;IACb,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf,CAAC;AAEF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC;AAEvE;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,OAAO,GAAI,CAAC,EAAE,CAAC,EAAE,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,UAAU,WAAW,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,CAAC,CA2CvF,CAAC;AAEF,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI;IAC1B,MAAM,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;IACvF,OAAO,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,QAAQ,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;CACzF,CAAC;AAEF;;;GAGG;AACH,wBAAgB,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAoCnF;AAED,MAAM,MAAM,YAAY,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;AAEnF,MAAM,MAAM,MAAM,CAAC,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI;IAC/C,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,MAAM,CAAC;IACzB,MAAM,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,MAAM,KAAK,CAAC,CAAC;IACjC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC3B,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IACvB,QAAQ,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IAC5B,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC,CAAC;IACnC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;IAEnB,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC;IAC5B,QAAQ,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC,CAAC;QAC9B,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;KACzB,CAAC;IACF,QAAQ,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,CAAC,CAAC;QAC7C,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,OAAO,KAAK,CAAC,CAAC;KACxC,CAAC;IAEF,SAAS,EAAE,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC;CAC5B,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,wBAAgB,IAAI,CAAC,CAAC,EACpB,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAChB,KAAK,EAAE,YAAY,EACnB,MAAM,CAAC,EAAE,SAAS,EAClB,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;AAClB,wBAAgB,IAAI,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAC7C,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,EAChB,KAAK,EAAE,YAAY,EACnB,MAAM,EAAE,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,EAC1B,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC"}

425
node_modules/@noble/curves/esm/abstract/fft.js generated vendored Normal file
View File

@@ -0,0 +1,425 @@
function checkU32(n) {
// 0xff_ff_ff_ff
if (!Number.isSafeInteger(n) || n < 0 || n > 0xffffffff)
throw new Error('wrong u32 integer:' + n);
return n;
}
/** Checks if integer is in form of `1 << X` */
export function isPowerOfTwo(x) {
checkU32(x);
return (x & (x - 1)) === 0 && x !== 0;
}
export function nextPowerOfTwo(n) {
checkU32(n);
if (n <= 1)
return 1;
return (1 << (log2(n - 1) + 1)) >>> 0;
}
export function reverseBits(n, bits) {
checkU32(n);
let reversed = 0;
for (let i = 0; i < bits; i++, n >>>= 1)
reversed = (reversed << 1) | (n & 1);
return reversed;
}
/** Similar to `bitLen(x)-1` but much faster for small integers, like indices */
export function log2(n) {
checkU32(n);
return 31 - Math.clz32(n);
}
/**
* Moves lowest bit to highest position, which at first step splits
* array on even and odd indices, then it applied again to each part,
* which is core of fft
*/
export function bitReversalInplace(values) {
const n = values.length;
if (n < 2 || !isPowerOfTwo(n))
throw new Error('n must be a power of 2 and greater than 1. Got ' + n);
const bits = log2(n);
for (let i = 0; i < n; i++) {
const j = reverseBits(i, bits);
if (i < j) {
const tmp = values[i];
values[i] = values[j];
values[j] = tmp;
}
}
return values;
}
export function bitReversalPermutation(values) {
return bitReversalInplace(values.slice());
}
const _1n = /** @__PURE__ */ BigInt(1);
function findGenerator(field) {
let G = BigInt(2);
for (; field.eql(field.pow(G, field.ORDER >> _1n), field.ONE); G++)
;
return G;
}
/** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */
export function rootsOfUnity(field, generator) {
// Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
let oddFactor = field.ORDER - _1n;
let powerOfTwo = 0;
for (; (oddFactor & _1n) !== _1n; powerOfTwo++, oddFactor >>= _1n)
;
// Find non quadratic residue
let G = generator !== undefined ? BigInt(generator) : findGenerator(field);
// Powers of generator
const omegas = new Array(powerOfTwo + 1);
omegas[powerOfTwo] = field.pow(G, oddFactor);
for (let i = powerOfTwo; i > 0; i--)
omegas[i - 1] = field.sqr(omegas[i]);
// Compute all roots of unity for powers up to maxPower
const rootsCache = [];
const checkBits = (bits) => {
checkU32(bits);
if (bits > 31 || bits > powerOfTwo)
throw new Error('rootsOfUnity: wrong bits ' + bits + ' powerOfTwo=' + powerOfTwo);
return bits;
};
const precomputeRoots = (maxPower) => {
checkBits(maxPower);
for (let power = maxPower; power >= 0; power--) {
if (rootsCache[power])
continue; // Skip if we've already computed roots for this power
const rootsAtPower = [];
for (let j = 0, cur = field.ONE; j < 2 ** power; j++, cur = field.mul(cur, omegas[power]))
rootsAtPower.push(cur);
rootsCache[power] = rootsAtPower;
}
return rootsCache[maxPower];
};
const brpCache = new Map();
const inverseCache = new Map();
// NOTE: we use bits instead of power, because power = 2**bits,
// but power is not neccesary isPowerOfTwo(power)!
return {
roots: (bits) => {
const b = checkBits(bits);
return precomputeRoots(b);
},
brp(bits) {
const b = checkBits(bits);
if (brpCache.has(b))
return brpCache.get(b);
else {
const res = bitReversalPermutation(this.roots(b));
brpCache.set(b, res);
return res;
}
},
inverse(bits) {
const b = checkBits(bits);
if (inverseCache.has(b))
return inverseCache.get(b);
else {
const res = field.invertBatch(this.roots(b));
inverseCache.set(b, res);
return res;
}
},
omega: (bits) => omegas[checkBits(bits)],
clear: () => {
rootsCache.splice(0, rootsCache.length);
brpCache.clear();
},
};
}
/**
* Constructs different flavors of FFT. radix2 implementation of low level mutating API. Flavors:
*
* - DIT (Decimation-in-Time): Bottom-Up (leaves -> root), Cool-Turkey
* - DIF (Decimation-in-Frequency): Top-Down (root -> leaves), GentlemanSande
*
* DIT takes brp input, returns natural output.
* DIF takes natural input, returns brp output.
*
* The output is actually identical. Time / frequence distinction is not meaningful
* for Polynomial multiplication in fields.
* Which means if protocol supports/needs brp output/inputs, then we can skip this step.
*
* Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
* Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
*/
export const FFTCore = (F, coreOpts) => {
const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
const bits = log2(N);
if (!isPowerOfTwo(N))
throw new Error('FFT: Polynomial size should be power of two');
const isDit = dit !== invertButterflies;
isDit;
return (values) => {
if (values.length !== N)
throw new Error('FFT: wrong Polynomial length');
if (dit && brp)
bitReversalInplace(values);
for (let i = 0, g = 1; i < bits - skipStages; i++) {
// For each stage s (sub-FFT length m = 2^s)
const s = dit ? i + 1 + skipStages : bits - i;
const m = 1 << s;
const m2 = m >> 1;
const stride = N >> s;
// Loop over each subarray of length m
for (let k = 0; k < N; k += m) {
// Loop over each butterfly within the subarray
for (let j = 0, grp = g++; j < m2; j++) {
const rootPos = invertButterflies ? (dit ? N - grp : grp) : j * stride;
const i0 = k + j;
const i1 = k + j + m2;
const omega = roots[rootPos];
const b = values[i1];
const a = values[i0];
// Inlining gives us 10% perf in kyber vs functions
if (isDit) {
const t = F.mul(b, omega); // Standard DIT butterfly
values[i0] = F.add(a, t);
values[i1] = F.sub(a, t);
}
else if (invertButterflies) {
values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
values[i1] = F.mul(F.sub(b, a), omega);
}
else {
values[i0] = F.add(a, b); // Standard DIF butterfly
values[i1] = F.mul(F.sub(a, b), omega);
}
}
}
}
if (!dit && brp)
bitReversalInplace(values);
return values;
};
};
/**
* NTT aka FFT over finite field (NOT over complex numbers).
* Naming mirrors other libraries.
*/
export function FFT(roots, opts) {
const getLoop = (N, roots, brpInput = false, brpOutput = false) => {
if (brpInput && brpOutput) {
// we cannot optimize this case, but lets support it anyway
return (values) => FFTCore(opts, { N, roots, dit: false, brp: false })(bitReversalInplace(values));
}
if (brpInput)
return FFTCore(opts, { N, roots, dit: true, brp: false });
if (brpOutput)
return FFTCore(opts, { N, roots, dit: false, brp: false });
return FFTCore(opts, { N, roots, dit: true, brp: true }); // all natural
};
return {
direct(values, brpInput = false, brpOutput = false) {
const N = values.length;
if (!isPowerOfTwo(N))
throw new Error('FFT: Polynomial size should be power of two');
const bits = log2(N);
return getLoop(N, roots.roots(bits), brpInput, brpOutput)(values.slice());
},
inverse(values, brpInput = false, brpOutput = false) {
const N = values.length;
const bits = log2(N);
const res = getLoop(N, roots.inverse(bits), brpInput, brpOutput)(values.slice());
const ivm = opts.inv(BigInt(values.length)); // scale
// we can get brp output if we use dif instead of dit!
for (let i = 0; i < res.length; i++)
res[i] = opts.mul(res[i], ivm);
// Allows to re-use non-inverted roots, but is VERY fragile
// return [res[0]].concat(res.slice(1).reverse());
// inverse calculated as pow(-1), which transforms into ω^{-kn} (-> reverses indices)
return res;
},
};
}
export function poly(field, roots, create, fft, length) {
const F = field;
const _create = create ||
((len, elm) => new Array(len).fill(elm ?? F.ZERO));
const isPoly = (x) => Array.isArray(x) || ArrayBuffer.isView(x);
const checkLength = (...lst) => {
if (!lst.length)
return 0;
for (const i of lst)
if (!isPoly(i))
throw new Error('poly: not polynomial: ' + i);
const L = lst[0].length;
for (let i = 1; i < lst.length; i++)
if (lst[i].length !== L)
throw new Error(`poly: mismatched lengths ${L} vs ${lst[i].length}`);
if (length !== undefined && L !== length)
throw new Error(`poly: expected fixed length ${length}, got ${L}`);
return L;
};
function findOmegaIndex(x, n, brp = false) {
const bits = log2(n);
const omega = brp ? roots.brp(bits) : roots.roots(bits);
for (let i = 0; i < n; i++)
if (F.eql(x, omega[i]))
return i;
return -1;
}
// TODO: mutating versions for mlkem/mldsa
return {
roots,
create: _create,
length,
extend: (a, len) => {
checkLength(a);
const out = _create(len, F.ZERO);
for (let i = 0; i < a.length; i++)
out[i] = a[i];
return out;
},
degree: (a) => {
checkLength(a);
for (let i = a.length - 1; i >= 0; i--)
if (!F.is0(a[i]))
return i;
return -1;
},
add: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.add(a[i], b[i]);
return out;
},
sub: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.sub(a[i], b[i]);
return out;
},
dot: (a, b) => {
const len = checkLength(a, b);
const out = _create(len);
for (let i = 0; i < len; i++)
out[i] = F.mul(a[i], b[i]);
return out;
},
mul: (a, b) => {
if (isPoly(b)) {
const len = checkLength(a, b);
if (fft) {
const A = fft.direct(a, false, true);
const B = fft.direct(b, false, true);
for (let i = 0; i < A.length; i++)
A[i] = F.mul(A[i], B[i]);
return fft.inverse(A, true, false);
}
else {
// NOTE: this is quadratic and mostly for compat tests with FFT
const res = _create(len);
for (let i = 0; i < len; i++) {
for (let j = 0; j < len; j++) {
const k = (i + j) % len; // wrap mod length
res[k] = F.add(res[k], F.mul(a[i], b[j]));
}
}
return res;
}
}
else {
const out = _create(checkLength(a));
for (let i = 0; i < out.length; i++)
out[i] = F.mul(a[i], b);
return out;
}
},
convolve(a, b) {
const len = nextPowerOfTwo(a.length + b.length - 1);
return this.mul(this.extend(a, len), this.extend(b, len));
},
shift(p, factor) {
const out = _create(checkLength(p));
out[0] = p[0];
for (let i = 1, power = F.ONE; i < p.length; i++) {
power = F.mul(power, factor);
out[i] = F.mul(p[i], power);
}
return out;
},
clone: (a) => {
checkLength(a);
const out = _create(a.length);
for (let i = 0; i < a.length; i++)
out[i] = a[i];
return out;
},
eval: (a, basis) => {
checkLength(a);
let acc = F.ZERO;
for (let i = 0; i < a.length; i++)
acc = F.add(acc, F.mul(a[i], basis[i]));
return acc;
},
monomial: {
basis: (x, n) => {
const out = _create(n);
let pow = F.ONE;
for (let i = 0; i < n; i++) {
out[i] = pow;
pow = F.mul(pow, x);
}
return out;
},
eval: (a, x) => {
checkLength(a);
// Same as eval(a, monomialBasis(x, a.length)), but it is faster this way
let acc = F.ZERO;
for (let i = a.length - 1; i >= 0; i--)
acc = F.add(F.mul(acc, x), a[i]);
return acc;
},
},
lagrange: {
basis: (x, n, brp = false, weights) => {
const bits = log2(n);
const cache = weights || brp ? roots.brp(bits) : roots.roots(bits); // [ω⁰, ω¹, ..., ωⁿ⁻¹]
const out = _create(n);
// Fast Kronecker-δ shortcut
const idx = findOmegaIndex(x, n, brp);
if (idx !== -1) {
out[idx] = F.ONE;
return out;
}
const tm = F.pow(x, BigInt(n));
const c = F.mul(F.sub(tm, F.ONE), F.inv(BigInt(n))); // c = (xⁿ - 1)/n
const denom = _create(n);
for (let i = 0; i < n; i++)
denom[i] = F.sub(x, cache[i]);
const inv = F.invertBatch(denom);
for (let i = 0; i < n; i++)
out[i] = F.mul(c, F.mul(cache[i], inv[i]));
return out;
},
eval(a, x, brp = false) {
checkLength(a);
const idx = findOmegaIndex(x, a.length, brp);
if (idx !== -1)
return a[idx]; // fast path
const L = this.basis(x, a.length, brp); // Lᵢ(x)
let acc = F.ZERO;
for (let i = 0; i < a.length; i++)
if (!F.is0(a[i]))
acc = F.add(acc, F.mul(a[i], L[i]));
return acc;
},
},
vanishing(roots) {
checkLength(roots);
const out = _create(roots.length + 1, F.ZERO);
out[0] = F.ONE;
for (const r of roots) {
const neg = F.neg(r);
for (let j = out.length - 1; j > 0; j--)
out[j] = F.add(F.mul(out[j], neg), out[j - 1]);
out[0] = F.mul(out[0], neg);
}
return out;
},
};
}
//# sourceMappingURL=fft.js.map

1
node_modules/@noble/curves/esm/abstract/fft.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

102
node_modules/@noble/curves/esm/abstract/hash-to-curve.d.ts generated vendored Normal file
View File

@@ -0,0 +1,102 @@
/**
* hash-to-curve from RFC 9380.
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* https://www.rfc-editor.org/rfc/rfc9380
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import type { CHash } from '../utils.ts';
import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
import { type IField } from './modular.ts';
export type UnicodeOrBytes = string | Uint8Array;
/**
* * `DST` is a domain separation tag, defined in section 2.2.5
* * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
* * `m` is extension degree (1 for prime fields)
* * `k` is the target security target in bits (e.g. 128), from section 5.1
* * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
* * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
*/
export type H2COpts = {
DST: UnicodeOrBytes;
expand: 'xmd' | 'xof';
hash: CHash;
p: bigint;
m: number;
k: number;
};
export type H2CHashOpts = {
expand: 'xmd' | 'xof';
hash: CHash;
};
export type Opts = H2COpts;
/**
* Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
* [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
*/
export declare function expand_message_xmd(msg: Uint8Array, DST: UnicodeOrBytes, lenInBytes: number, H: CHash): Uint8Array;
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* [RFC 9380 5.3.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2).
*/
export declare function expand_message_xof(msg: Uint8Array, DST: UnicodeOrBytes, lenInBytes: number, k: number, H: CHash): Uint8Array;
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* [RFC 9380 5.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
* @param msg a byte string containing the message to hash
* @param count the number of elements of F to output
* @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
* @returns [u_0, ..., u_(count - 1)], a list of field elements.
*/
export declare function hash_to_field(msg: Uint8Array, count: number, options: H2COpts): bigint[][];
export type XY<T> = (x: T, y: T) => {
x: T;
y: T;
};
export type XYRatio<T> = [T[], T[], T[], T[]];
export declare function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T>;
/** Point interface, which curves must implement to work correctly with the module. */
export interface H2CPoint<T> extends Group<H2CPoint<T>> {
add(rhs: H2CPoint<T>): H2CPoint<T>;
toAffine(iz?: bigint): AffinePoint<T>;
clearCofactor(): H2CPoint<T>;
assertValidity(): void;
}
export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
}
export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
export type htfBasicOpts = {
DST: UnicodeOrBytes;
};
export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
export type HTFMethod<T> = H2CMethod<T>;
export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
export type H2CHasherBase<T> = {
hashToCurve: H2CMethod<T>;
hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
};
/**
* RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
*
* * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
* * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
* * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
*/
export type H2CHasher<T> = H2CHasherBase<T> & {
encodeToCurve: H2CMethod<T>;
mapToCurve: MapMethod<T>;
defaults: H2COpts & {
encodeDST?: UnicodeOrBytes;
};
};
export type Hasher<T> = H2CHasher<T>;
export declare const _DST_scalar: Uint8Array;
/** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
export declare function createHasher<T>(Point: H2CPointConstructor<T>, mapToCurve: MapToCurve<T>, defaults: H2COpts & {
encodeDST?: UnicodeOrBytes;
}): H2CHasher<T>;
//# sourceMappingURL=hash-to-curve.d.ts.map

1
node_modules/@noble/curves/esm/abstract/hash-to-curve.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"hash-to-curve.d.ts","sourceRoot":"","sources":["../../src/abstract/hash-to-curve.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,sEAAsE;AACtE,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAUzC,OAAO,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AACvE,OAAO,EAAsB,KAAK,MAAM,EAAE,MAAM,cAAc,CAAC;AAE/D,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,CAAC;AAEjD;;;;;;;GAOG;AACH,MAAM,MAAM,OAAO,GAAG;IACpB,GAAG,EAAE,cAAc,CAAC;IACpB,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,IAAI,EAAE,KAAK,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;IACV,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AACF,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,KAAK,GAAG,KAAK,CAAC;IACtB,IAAI,EAAE,KAAK,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,IAAI,GAAG,OAAO,CAAC;AAmC3B;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,cAAc,EACnB,UAAU,EAAE,MAAM,EAClB,CAAC,EAAE,KAAK,GACP,UAAU,CAqBZ;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,cAAc,EACnB,UAAU,EAAE,MAAM,EAClB,CAAC,EAAE,MAAM,EACT,CAAC,EAAE,KAAK,GACP,UAAU,CAqBZ;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,MAAM,EAAE,EAAE,CAoC1F;AAED,MAAM,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK;IAAE,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC,EAAE,CAAC,CAAA;CAAE,CAAC;AACnD,MAAM,MAAM,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;AAC9C,wBAAgB,UAAU,CAAC,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAgBnF;AAED,sFAAsF;AACtF,MAAM,WAAW,QAAQ,CAAC,CAAC,CAAE,SAAQ,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IACrD,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IACnC,QAAQ,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IACtC,aAAa,IAAI,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC7B,cAAc,IAAI,IAAI,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB,CAAC,CAAC,CAAE,SAAQ,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC3E,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;CAC7C;AAED,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,WAAW,CAAC,CAAC,CAAC,CAAC;AAIjE,MAAM,MAAM,YAAY,GAAG;IAAE,GAAG,EAAE,cAAc,CAAA;CAAE,CAAC;AACnD,MAAM,MAAM,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC;AAEpF,MAAM,MAAM,SAAS,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC;AACxC,MAAM,MAAM,SAAS,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC;AAC9D,MAAM,MAAM,aAAa,CAAC,CAAC,IAAI;IAC7B,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1B,YAAY,EAAE,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,KAAK,MAAM,CAAC;CAClE,CAAC;AACF;;;;;;GAMG;AACH,MAAM,MAAM,SAAS,CAAC,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC,GAAG;IAC5C,aAAa,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IAC5B,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;IACzB,QAAQ,EAAE,OAAO,GAAG;QAAE,SAAS,CAAC,EAAE,cAAc,CAAA;KAAE,CAAC;CACpD,CAAC;AAEF,MAAM,MAAM,MAAM,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,CAAC;AAErC,eAAO,MAAM,WAAW,EAAE,UAAyC,CAAC;AAEpE,kGAAkG;AAClG,wBAAgB,YAAY,CAAC,CAAC,EAC5B,KAAK,EAAE,mBAAmB,CAAC,CAAC,CAAC,EAC7B,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC,EACzB,QAAQ,EAAE,OAAO,GAAG;IAAE,SAAS,CAAC,EAAE,cAAc,CAAA;CAAE,GACjD,SAAS,CAAC,CAAC,CAAC,CA8Cd"}

203
node_modules/@noble/curves/esm/abstract/hash-to-curve.js generated vendored Normal file
View File

@@ -0,0 +1,203 @@
import { _validateObject, abytes, bytesToNumberBE, concatBytes, isBytes, isHash, utf8ToBytes, } from "../utils.js";
import { FpInvertBatch, mod } from "./modular.js";
// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
const os2ip = bytesToNumberBE;
// Integer to Octet Stream (numberToBytesBE)
function i2osp(value, length) {
anum(value);
anum(length);
if (value < 0 || value >= 1 << (8 * length))
throw new Error('invalid I2OSP input: ' + value);
const res = Array.from({ length }).fill(0);
for (let i = length - 1; i >= 0; i--) {
res[i] = value & 0xff;
value >>>= 8;
}
return new Uint8Array(res);
}
function strxor(a, b) {
const arr = new Uint8Array(a.length);
for (let i = 0; i < a.length; i++) {
arr[i] = a[i] ^ b[i];
}
return arr;
}
function anum(item) {
if (!Number.isSafeInteger(item))
throw new Error('number expected');
}
function normDST(DST) {
if (!isBytes(DST) && typeof DST !== 'string')
throw new Error('DST must be Uint8Array or string');
return typeof DST === 'string' ? utf8ToBytes(DST) : DST;
}
/**
* Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
* [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
*/
export function expand_message_xmd(msg, DST, lenInBytes, H) {
abytes(msg);
anum(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
if (DST.length > 255)
DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
const ell = Math.ceil(lenInBytes / b_in_bytes);
if (lenInBytes > 65535 || ell > 255)
throw new Error('expand_message_xmd: invalid lenInBytes');
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
const Z_pad = i2osp(0, r_in_bytes);
const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
const b = new Array(ell);
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
for (let i = 1; i <= ell; i++) {
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
b[i] = H(concatBytes(...args));
}
const pseudo_random_bytes = concatBytes(...b);
return pseudo_random_bytes.slice(0, lenInBytes);
}
/**
* Produces a uniformly random byte string using an extendable-output function (XOF) H.
* 1. The collision resistance of H MUST be at least k bits.
* 2. H MUST be an XOF that has been proved indifferentiable from
* a random oracle under a reasonable cryptographic assumption.
* [RFC 9380 5.3.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2).
*/
export function expand_message_xof(msg, DST, lenInBytes, k, H) {
abytes(msg);
anum(lenInBytes);
DST = normDST(DST);
// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
// DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
if (DST.length > 255) {
const dkLen = Math.ceil((2 * k) / 8);
DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
}
if (lenInBytes > 65535 || DST.length > 255)
throw new Error('expand_message_xof: invalid lenInBytes');
return (H.create({ dkLen: lenInBytes })
.update(msg)
.update(i2osp(lenInBytes, 2))
// 2. DST_prime = DST || I2OSP(len(DST), 1)
.update(DST)
.update(i2osp(DST.length, 1))
.digest());
}
/**
* Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
* [RFC 9380 5.2](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
* @param msg a byte string containing the message to hash
* @param count the number of elements of F to output
* @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
* @returns [u_0, ..., u_(count - 1)], a list of field elements.
*/
export function hash_to_field(msg, count, options) {
_validateObject(options, {
p: 'bigint',
m: 'number',
k: 'number',
hash: 'function',
});
const { p, k, m, hash, expand, DST } = options;
if (!isHash(options.hash))
throw new Error('expected valid hash');
abytes(msg);
anum(count);
const log2p = p.toString(2).length;
const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
const len_in_bytes = count * m * L;
let prb; // pseudo_random_bytes
if (expand === 'xmd') {
prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
}
else if (expand === 'xof') {
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
}
else if (expand === '_internal_pass') {
// for internal tests only
prb = msg;
}
else {
throw new Error('expand must be "xmd" or "xof"');
}
const u = new Array(count);
for (let i = 0; i < count; i++) {
const e = new Array(m);
for (let j = 0; j < m; j++) {
const elm_offset = L * (j + i * m);
const tv = prb.subarray(elm_offset, elm_offset + L);
e[j] = mod(os2ip(tv), p);
}
u[i] = e;
}
return u;
}
export function isogenyMap(field, map) {
// Make same order as in spec
const coeff = map.map((i) => Array.from(i).reverse());
return (x, y) => {
const [xn, xd, yn, yd] = coeff.map((val) => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));
// 6.6.3
// Exceptional cases of iso_map are inputs that cause the denominator of
// either rational function to evaluate to zero; such cases MUST return
// the identity point on E.
const [xd_inv, yd_inv] = FpInvertBatch(field, [xd, yd], true);
x = field.mul(xn, xd_inv); // xNum / xDen
y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
return { x, y };
};
}
export const _DST_scalar = utf8ToBytes('HashToScalar-');
/** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
export function createHasher(Point, mapToCurve, defaults) {
if (typeof mapToCurve !== 'function')
throw new Error('mapToCurve() must be defined');
function map(num) {
return Point.fromAffine(mapToCurve(num));
}
function clear(initial) {
const P = initial.clearCofactor();
if (P.equals(Point.ZERO))
return Point.ZERO; // zero will throw in assert
P.assertValidity();
return P;
}
return {
defaults,
hashToCurve(msg, options) {
const opts = Object.assign({}, defaults, options);
const u = hash_to_field(msg, 2, opts);
const u0 = map(u[0]);
const u1 = map(u[1]);
return clear(u0.add(u1));
},
encodeToCurve(msg, options) {
const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
const opts = Object.assign({}, defaults, optsDst, options);
const u = hash_to_field(msg, 1, opts);
const u0 = map(u[0]);
return clear(u0);
},
/** See {@link H2CHasher} */
mapToCurve(scalars) {
if (!Array.isArray(scalars))
throw new Error('expected array of bigints');
for (const i of scalars)
if (typeof i !== 'bigint')
throw new Error('expected array of bigints');
return clear(map(scalars));
},
// hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
// RFC 9380, draft-irtf-cfrg-bbs-signatures-08
hashToScalar(msg, options) {
// @ts-ignore
const N = Point.Fn.ORDER;
const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);
return hash_to_field(msg, 1, opts)[0][0];
},
};
}
//# sourceMappingURL=hash-to-curve.js.map

1
node_modules/@noble/curves/esm/abstract/hash-to-curve.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

171
node_modules/@noble/curves/esm/abstract/modular.d.ts generated vendored Normal file
View File

@@ -0,0 +1,171 @@
export declare function mod(a: bigint, b: bigint): bigint;
/**
* Efficiently raise num to power and do modular division.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* @example
* pow(2n, 6n, 11n) // 64n % 11n == 9n
*/
export declare function pow(num: bigint, power: bigint, modulo: bigint): bigint;
/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
export declare function pow2(x: bigint, power: bigint, modulo: bigint): bigint;
/**
* Inverses number over modulo.
* Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
*/
export declare function invert(number: bigint, modulo: bigint): bigint;
/**
* Tonelli-Shanks square root search algorithm.
* 1. https://eprint.iacr.org/2012/685.pdf (page 12)
* 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
* @param P field order
* @returns function that takes field Fp (created from P) and number n
*/
export declare function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T;
/**
* Square root for a finite field. Will try optimized versions first:
*
* 1. P ≡ 3 (mod 4)
* 2. P ≡ 5 (mod 8)
* 3. P ≡ 9 (mod 16)
* 4. Tonelli-Shanks algorithm
*
* Different algorithms can give different roots, it is up to user to decide which one they want.
* For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
*/
export declare function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T;
export declare const isNegativeLE: (num: bigint, modulo: bigint) => boolean;
/** Field is not always over prime: for example, Fp2 has ORDER(q)=p^m. */
export interface IField<T> {
ORDER: bigint;
isLE: boolean;
BYTES: number;
BITS: number;
MASK: bigint;
ZERO: T;
ONE: T;
create: (num: T) => T;
isValid: (num: T) => boolean;
is0: (num: T) => boolean;
isValidNot0: (num: T) => boolean;
neg(num: T): T;
inv(num: T): T;
sqrt(num: T): T;
sqr(num: T): T;
eql(lhs: T, rhs: T): boolean;
add(lhs: T, rhs: T): T;
sub(lhs: T, rhs: T): T;
mul(lhs: T, rhs: T | bigint): T;
pow(lhs: T, power: bigint): T;
div(lhs: T, rhs: T | bigint): T;
addN(lhs: T, rhs: T): T;
subN(lhs: T, rhs: T): T;
mulN(lhs: T, rhs: T | bigint): T;
sqrN(num: T): T;
isOdd?(num: T): boolean;
allowedLengths?: number[];
invertBatch: (lst: T[]) => T[];
toBytes(num: T): Uint8Array;
fromBytes(bytes: Uint8Array, skipValidation?: boolean): T;
cmov(a: T, b: T, c: boolean): T;
}
export declare function validateField<T>(field: IField<T>): IField<T>;
/**
* Same as `pow` but for Fp: non-constant-time.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
*/
export declare function FpPow<T>(Fp: IField<T>, num: T, power: bigint): T;
/**
* Efficiently invert an array of Field elements.
* Exception-free. Will return `undefined` for 0 elements.
* @param passZero map 0 to 0 (instead of undefined)
*/
export declare function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero?: boolean): T[];
export declare function FpDiv<T>(Fp: IField<T>, lhs: T, rhs: T | bigint): T;
/**
* Legendre symbol.
* Legendre constant is used to calculate Legendre symbol (a | p)
* which denotes the value of a^((p-1)/2) (mod p).
*
* * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
* * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
* * (a | p) ≡ 0 if a ≡ 0 (mod p)
*/
export declare function FpLegendre<T>(Fp: IField<T>, n: T): -1 | 0 | 1;
export declare function FpIsSquare<T>(Fp: IField<T>, n: T): boolean;
export type NLength = {
nByteLength: number;
nBitLength: number;
};
export declare function nLength(n: bigint, nBitLength?: number): NLength;
type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
type SqrtFn = (n: bigint) => bigint;
type FieldOpts = Partial<{
sqrt: SqrtFn;
isLE: boolean;
BITS: number;
modFromBytes: boolean;
allowedLengths?: readonly number[];
}>;
/**
* Creates a finite field. Major performance optimizations:
* * 1. Denormalized operations like mulN instead of mul.
* * 2. Identical object shape: never add or remove keys.
* * 3. `Object.freeze`.
* Fragile: always run a benchmark on a change.
* Security note: operations don't check 'isValid' for all elements for performance reasons,
* it is caller responsibility to check this.
* This is low-level code, please make sure you know what you're doing.
*
* Note about field properties:
* * CHARACTERISTIC p = prime number, number of elements in main subgroup.
* * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
*
* @param ORDER field order, probably prime, or could be composite
* @param bitLen how many bits the field consumes
* @param isLE (default: false) if encoding / decoding should be in little-endian
* @param redef optional faster redefinitions of sqrt and other methods
*/
export declare function Field(ORDER: bigint, bitLenOrOpts?: number | FieldOpts, // TODO: use opts only in v2?
isLE?: boolean, opts?: {
sqrt?: SqrtFn;
}): Readonly<FpField>;
export declare function FpSqrtOdd<T>(Fp: IField<T>, elm: T): T;
export declare function FpSqrtEven<T>(Fp: IField<T>, elm: T): T;
/**
* "Constant-time" private key generation utility.
* Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
* Which makes it slightly more biased, less secure.
* @deprecated use `mapKeyToField` instead
*/
export declare function hashToPrivateScalar(hash: string | Uint8Array, groupOrder: bigint, isLE?: boolean): bigint;
/**
* Returns total number of bytes consumed by the field element.
* For example, 32 bytes for usual 256-bit weierstrass curve.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of field
*/
export declare function getFieldBytesLength(fieldOrder: bigint): number;
/**
* Returns minimal amount of bytes that can be safely reduced
* by field order.
* Should be 2^-128 for 128-bit curve such as P256.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of target hash
*/
export declare function getMinHashLength(fieldOrder: bigint): number;
/**
* "Constant-time" private key generation utility.
* Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
* and convert them into private scalar, with the modulo bias being negligible.
* Needs at least 48 bytes of input for 32-byte private key.
* https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
* FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
* RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
* @param hash hash output from SHA3 or a similar function
* @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
* @param isLE interpret hash bytes as LE num
* @returns valid private scalar
*/
export declare function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE?: boolean): Uint8Array;
export {};
//# sourceMappingURL=modular.d.ts.map

1
node_modules/@noble/curves/esm/abstract/modular.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"modular.d.ts","sourceRoot":"","sources":["../../src/abstract/modular.ts"],"names":[],"mappings":"AA0BA,wBAAgB,GAAG,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAGhD;AACD;;;;;GAKG;AACH,wBAAgB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAEtE;AAED,4DAA4D;AAC5D,wBAAgB,IAAI,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAOrE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAoB7D;AAqDD;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAgEtE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,KAAK,CAAC,CAS/D;AAGD,eAAO,MAAM,YAAY,GAAI,KAAK,MAAM,EAAE,QAAQ,MAAM,KAAG,OACzB,CAAC;AAEnC,yEAAyE;AACzE,MAAM,WAAW,MAAM,CAAC,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,CAAC,CAAC;IACR,GAAG,EAAE,CAAC,CAAC;IAEP,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;IACtB,OAAO,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,OAAO,CAAC;IAC7B,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,OAAO,CAAC;IACzB,WAAW,EAAE,CAAC,GAAG,EAAE,CAAC,KAAK,OAAO,CAAC;IACjC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACf,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACf,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAChB,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAEf,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;IAC7B,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvB,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvB,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAChC,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAEhC,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAMhB,KAAK,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,OAAO,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B,WAAW,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;IAC/B,OAAO,CAAC,GAAG,EAAE,CAAC,GAAG,UAAU,CAAC;IAC5B,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE,cAAc,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;IAE1D,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,GAAG,CAAC,CAAC;CACjC;AAOD,wBAAgB,aAAa,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAgB5D;AAID;;;GAGG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC,CAYhE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,EAAE,QAAQ,UAAQ,GAAG,CAAC,EAAE,CAiBhF;AAGD,wBAAgB,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,GAAG,CAAC,CAElE;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAU7D;AAGD,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,OAAO,CAG1D;AAED,MAAM,MAAM,OAAO,GAAG;IAAE,WAAW,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC;AAElE,wBAAgB,OAAO,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAM/D;AAED,KAAK,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AACxE,KAAK,MAAM,GAAG,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;AACpC,KAAK,SAAS,GAAG,OAAO,CAAC;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,OAAO,CAAC;IACtB,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC,CAAC,CAAC;AACH;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,KAAK,CACnB,KAAK,EAAE,MAAM,EACb,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,EAAE,6BAA6B;AAChE,IAAI,UAAQ,EACZ,IAAI,GAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAO,GAC3B,QAAQ,CAAC,OAAO,CAAC,CA6FnB;AAgBD,wBAAgB,SAAS,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAIrD;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAItD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,GAAG,UAAU,EACzB,UAAU,EAAE,MAAM,EAClB,IAAI,UAAQ,GACX,MAAM,CAUR;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAI9D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAG3D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,UAAQ,GAAG,UAAU,CAW5F"}

530
node_modules/@noble/curves/esm/abstract/modular.js generated vendored Normal file
View File

@@ -0,0 +1,530 @@
/**
* Utils for modular division and fields.
* Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
* There is no division: it is replaced by modular multiplicative inverse.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { _validateObject, anumber, bitMask, bytesToNumberBE, bytesToNumberLE, ensureBytes, numberToBytesBE, numberToBytesLE, } from "../utils.js";
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
// prettier-ignore
const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
// prettier-ignore
const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
// Calculates a modulo b
export function mod(a, b) {
const result = a % b;
return result >= _0n ? result : b + result;
}
/**
* Efficiently raise num to power and do modular division.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
* @example
* pow(2n, 6n, 11n) // 64n % 11n == 9n
*/
export function pow(num, power, modulo) {
return FpPow(Field(modulo), num, power);
}
/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
export function pow2(x, power, modulo) {
let res = x;
while (power-- > _0n) {
res *= res;
res %= modulo;
}
return res;
}
/**
* Inverses number over modulo.
* Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
*/
export function invert(number, modulo) {
if (number === _0n)
throw new Error('invert: expected non-zero number');
if (modulo <= _0n)
throw new Error('invert: expected positive modulus, got ' + modulo);
// Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
let a = mod(number, modulo);
let b = modulo;
// prettier-ignore
let x = _0n, y = _1n, u = _1n, v = _0n;
while (a !== _0n) {
// JIT applies optimization if those two lines follow each other
const q = b / a;
const r = b % a;
const m = x - u * q;
const n = y - v * q;
// prettier-ignore
b = a, a = r, x = u, y = v, u = m, v = n;
}
const gcd = b;
if (gcd !== _1n)
throw new Error('invert: does not exist');
return mod(x, modulo);
}
function assertIsSquare(Fp, root, n) {
if (!Fp.eql(Fp.sqr(root), n))
throw new Error('Cannot find square root');
}
// Not all roots are possible! Example which will throw:
// const NUM =
// n = 72057594037927816n;
// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
function sqrt3mod4(Fp, n) {
const p1div4 = (Fp.ORDER + _1n) / _4n;
const root = Fp.pow(n, p1div4);
assertIsSquare(Fp, root, n);
return root;
}
function sqrt5mod8(Fp, n) {
const p5div8 = (Fp.ORDER - _5n) / _8n;
const n2 = Fp.mul(n, _2n);
const v = Fp.pow(n2, p5div8);
const nv = Fp.mul(n, v);
const i = Fp.mul(Fp.mul(nv, _2n), v);
const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
assertIsSquare(Fp, root, n);
return root;
}
// Based on RFC9380, Kong algorithm
// prettier-ignore
function sqrt9mod16(P) {
const Fp_ = Field(P);
const tn = tonelliShanks(P);
const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); // 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
const c2 = tn(Fp_, c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
const c3 = tn(Fp_, Fp_.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
const c4 = (P + _7n) / _16n; // 4. c4 = (q + 7) / 16 # Integer arithmetic
return (Fp, n) => {
let tv1 = Fp.pow(n, c4); // 1. tv1 = x^c4
let tv2 = Fp.mul(tv1, c1); // 2. tv2 = c1 * tv1
const tv3 = Fp.mul(tv1, c2); // 3. tv3 = c2 * tv1
const tv4 = Fp.mul(tv1, c3); // 4. tv4 = c3 * tv1
const e1 = Fp.eql(Fp.sqr(tv2), n); // 5. e1 = (tv2^2) == x
const e2 = Fp.eql(Fp.sqr(tv3), n); // 6. e2 = (tv3^2) == x
tv1 = Fp.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x
tv2 = Fp.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x
const e3 = Fp.eql(Fp.sqr(tv2), n); // 9. e3 = (tv2^2) == x
const root = Fp.cmov(tv1, tv2, e3); // 10. z = CMOV(tv1, tv2, e3) # Select sqrt from tv1 & tv2
assertIsSquare(Fp, root, n);
return root;
};
}
/**
* Tonelli-Shanks square root search algorithm.
* 1. https://eprint.iacr.org/2012/685.pdf (page 12)
* 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
* @param P field order
* @returns function that takes field Fp (created from P) and number n
*/
export function tonelliShanks(P) {
// Initialization (precomputation).
// Caching initialization could boost perf by 7%.
if (P < _3n)
throw new Error('sqrt is not defined for small field');
// Factor P - 1 = Q * 2^S, where Q is odd
let Q = P - _1n;
let S = 0;
while (Q % _2n === _0n) {
Q /= _2n;
S++;
}
// Find the first quadratic non-residue Z >= 2
let Z = _2n;
const _Fp = Field(P);
while (FpLegendre(_Fp, Z) === 1) {
// Basic primality test for P. After x iterations, chance of
// not finding quadratic non-residue is 2^x, so 2^1000.
if (Z++ > 1000)
throw new Error('Cannot find square root: probably non-prime P');
}
// Fast-path; usually done before Z, but we do "primality test".
if (S === 1)
return sqrt3mod4;
// Slow-path
// TODO: test on Fp2 and others
let cc = _Fp.pow(Z, Q); // c = z^Q
const Q1div2 = (Q + _1n) / _2n;
return function tonelliSlow(Fp, n) {
if (Fp.is0(n))
return n;
// Check if n is a quadratic residue using Legendre symbol
if (FpLegendre(Fp, n) !== 1)
throw new Error('Cannot find square root');
// Initialize variables for the main loop
let M = S;
let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor
let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
// Main loop
// while t != 1
while (!Fp.eql(t, Fp.ONE)) {
if (Fp.is0(t))
return Fp.ZERO; // if t=0 return R=0
let i = 1;
// Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
let t_tmp = Fp.sqr(t); // t^(2^1)
while (!Fp.eql(t_tmp, Fp.ONE)) {
i++;
t_tmp = Fp.sqr(t_tmp); // t^(2^2)...
if (i === M)
throw new Error('Cannot find square root');
}
// Calculate the exponent for b: 2^(M - i - 1)
const exponent = _1n << BigInt(M - i - 1); // bigint is important
const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
// Update variables
M = i;
c = Fp.sqr(b); // c = b^2
t = Fp.mul(t, c); // t = (t * b^2)
R = Fp.mul(R, b); // R = R*b
}
return R;
};
}
/**
* Square root for a finite field. Will try optimized versions first:
*
* 1. P ≡ 3 (mod 4)
* 2. P ≡ 5 (mod 8)
* 3. P ≡ 9 (mod 16)
* 4. Tonelli-Shanks algorithm
*
* Different algorithms can give different roots, it is up to user to decide which one they want.
* For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
*/
export function FpSqrt(P) {
// P ≡ 3 (mod 4) => √n = n^((P+1)/4)
if (P % _4n === _3n)
return sqrt3mod4;
// P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
if (P % _8n === _5n)
return sqrt5mod8;
// P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
if (P % _16n === _9n)
return sqrt9mod16(P);
// Tonelli-Shanks algorithm
return tonelliShanks(P);
}
// Little-endian check for first LE bit (last BE bit);
export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
// prettier-ignore
const FIELD_FIELDS = [
'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
'eql', 'add', 'sub', 'mul', 'pow', 'div',
'addN', 'subN', 'mulN', 'sqrN'
];
export function validateField(field) {
const initial = {
ORDER: 'bigint',
MASK: 'bigint',
BYTES: 'number',
BITS: 'number',
};
const opts = FIELD_FIELDS.reduce((map, val) => {
map[val] = 'function';
return map;
}, initial);
_validateObject(field, opts);
// const max = 16384;
// if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
// if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
return field;
}
// Generic field functions
/**
* Same as `pow` but for Fp: non-constant-time.
* Unsafe in some contexts: uses ladder, so can expose bigint bits.
*/
export function FpPow(Fp, num, power) {
if (power < _0n)
throw new Error('invalid exponent, negatives unsupported');
if (power === _0n)
return Fp.ONE;
if (power === _1n)
return num;
let p = Fp.ONE;
let d = num;
while (power > _0n) {
if (power & _1n)
p = Fp.mul(p, d);
d = Fp.sqr(d);
power >>= _1n;
}
return p;
}
/**
* Efficiently invert an array of Field elements.
* Exception-free. Will return `undefined` for 0 elements.
* @param passZero map 0 to 0 (instead of undefined)
*/
export function FpInvertBatch(Fp, nums, passZero = false) {
const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
// Walk from first to last, multiply them by each other MOD p
const multipliedAcc = nums.reduce((acc, num, i) => {
if (Fp.is0(num))
return acc;
inverted[i] = acc;
return Fp.mul(acc, num);
}, Fp.ONE);
// Invert last element
const invertedAcc = Fp.inv(multipliedAcc);
// Walk from last to first, multiply them by inverted each other MOD p
nums.reduceRight((acc, num, i) => {
if (Fp.is0(num))
return acc;
inverted[i] = Fp.mul(acc, inverted[i]);
return Fp.mul(acc, num);
}, invertedAcc);
return inverted;
}
// TODO: remove
export function FpDiv(Fp, lhs, rhs) {
return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
}
/**
* Legendre symbol.
* Legendre constant is used to calculate Legendre symbol (a | p)
* which denotes the value of a^((p-1)/2) (mod p).
*
* * (a | p) ≡ 1 if a is a square (mod p), quadratic residue
* * (a | p) ≡ -1 if a is not a square (mod p), quadratic non residue
* * (a | p) ≡ 0 if a ≡ 0 (mod p)
*/
export function FpLegendre(Fp, n) {
// We can use 3rd argument as optional cache of this value
// but seems unneeded for now. The operation is very fast.
const p1mod2 = (Fp.ORDER - _1n) / _2n;
const powered = Fp.pow(n, p1mod2);
const yes = Fp.eql(powered, Fp.ONE);
const zero = Fp.eql(powered, Fp.ZERO);
const no = Fp.eql(powered, Fp.neg(Fp.ONE));
if (!yes && !zero && !no)
throw new Error('invalid Legendre symbol result');
return yes ? 1 : zero ? 0 : -1;
}
// This function returns True whenever the value x is a square in the field F.
export function FpIsSquare(Fp, n) {
const l = FpLegendre(Fp, n);
return l === 1;
}
// CURVE.n lengths
export function nLength(n, nBitLength) {
// Bit size, byte size of CURVE.n
if (nBitLength !== undefined)
anumber(nBitLength);
const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
const nByteLength = Math.ceil(_nBitLength / 8);
return { nBitLength: _nBitLength, nByteLength };
}
/**
* Creates a finite field. Major performance optimizations:
* * 1. Denormalized operations like mulN instead of mul.
* * 2. Identical object shape: never add or remove keys.
* * 3. `Object.freeze`.
* Fragile: always run a benchmark on a change.
* Security note: operations don't check 'isValid' for all elements for performance reasons,
* it is caller responsibility to check this.
* This is low-level code, please make sure you know what you're doing.
*
* Note about field properties:
* * CHARACTERISTIC p = prime number, number of elements in main subgroup.
* * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
*
* @param ORDER field order, probably prime, or could be composite
* @param bitLen how many bits the field consumes
* @param isLE (default: false) if encoding / decoding should be in little-endian
* @param redef optional faster redefinitions of sqrt and other methods
*/
export function Field(ORDER, bitLenOrOpts, // TODO: use opts only in v2?
isLE = false, opts = {}) {
if (ORDER <= _0n)
throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
let _nbitLength = undefined;
let _sqrt = undefined;
let modFromBytes = false;
let allowedLengths = undefined;
if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
if (opts.sqrt || isLE)
throw new Error('cannot specify opts in two arguments');
const _opts = bitLenOrOpts;
if (_opts.BITS)
_nbitLength = _opts.BITS;
if (_opts.sqrt)
_sqrt = _opts.sqrt;
if (typeof _opts.isLE === 'boolean')
isLE = _opts.isLE;
if (typeof _opts.modFromBytes === 'boolean')
modFromBytes = _opts.modFromBytes;
allowedLengths = _opts.allowedLengths;
}
else {
if (typeof bitLenOrOpts === 'number')
_nbitLength = bitLenOrOpts;
if (opts.sqrt)
_sqrt = opts.sqrt;
}
const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
if (BYTES > 2048)
throw new Error('invalid field: expected ORDER of <= 2048 bytes');
let sqrtP; // cached sqrtP
const f = Object.freeze({
ORDER,
isLE,
BITS,
BYTES,
MASK: bitMask(BITS),
ZERO: _0n,
ONE: _1n,
allowedLengths: allowedLengths,
create: (num) => mod(num, ORDER),
isValid: (num) => {
if (typeof num !== 'bigint')
throw new Error('invalid field element: expected bigint, got ' + typeof num);
return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
},
is0: (num) => num === _0n,
// is valid and invertible
isValidNot0: (num) => !f.is0(num) && f.isValid(num),
isOdd: (num) => (num & _1n) === _1n,
neg: (num) => mod(-num, ORDER),
eql: (lhs, rhs) => lhs === rhs,
sqr: (num) => mod(num * num, ORDER),
add: (lhs, rhs) => mod(lhs + rhs, ORDER),
sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
pow: (num, power) => FpPow(f, num, power),
div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
// Same as above, but doesn't normalize
sqrN: (num) => num * num,
addN: (lhs, rhs) => lhs + rhs,
subN: (lhs, rhs) => lhs - rhs,
mulN: (lhs, rhs) => lhs * rhs,
inv: (num) => invert(num, ORDER),
sqrt: _sqrt ||
((n) => {
if (!sqrtP)
sqrtP = FpSqrt(ORDER);
return sqrtP(f, n);
}),
toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
fromBytes: (bytes, skipValidation = true) => {
if (allowedLengths) {
if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
}
const padded = new Uint8Array(BYTES);
// isLE add 0 to right, !isLE to the left.
padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
bytes = padded;
}
if (bytes.length !== BYTES)
throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
if (modFromBytes)
scalar = mod(scalar, ORDER);
if (!skipValidation)
if (!f.isValid(scalar))
throw new Error('invalid field element: outside of range 0..ORDER');
// NOTE: we don't validate scalar here, please use isValid. This done such way because some
// protocol may allow non-reduced scalar that reduced later or changed some other way.
return scalar;
},
// TODO: we don't need it here, move out to separate fn
invertBatch: (lst) => FpInvertBatch(f, lst),
// We can't move this out because Fp6, Fp12 implement it
// and it's unclear what to return in there.
cmov: (a, b, c) => (c ? b : a),
});
return Object.freeze(f);
}
// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
// which mean we cannot force this via opts.
// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
// Probably need to export getMinHashLength somewhere?
// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
// const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
// if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
// const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
// // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
// const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
// return reduced;
// },
export function FpSqrtOdd(Fp, elm) {
if (!Fp.isOdd)
throw new Error("Field doesn't have isOdd");
const root = Fp.sqrt(elm);
return Fp.isOdd(root) ? root : Fp.neg(root);
}
export function FpSqrtEven(Fp, elm) {
if (!Fp.isOdd)
throw new Error("Field doesn't have isOdd");
const root = Fp.sqrt(elm);
return Fp.isOdd(root) ? Fp.neg(root) : root;
}
/**
* "Constant-time" private key generation utility.
* Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
* Which makes it slightly more biased, less secure.
* @deprecated use `mapKeyToField` instead
*/
export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
hash = ensureBytes('privateHash', hash);
const hashLen = hash.length;
const minLen = nLength(groupOrder).nByteLength + 8;
if (minLen < 24 || hashLen < minLen || hashLen > 1024)
throw new Error('hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen);
const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
return mod(num, groupOrder - _1n) + _1n;
}
/**
* Returns total number of bytes consumed by the field element.
* For example, 32 bytes for usual 256-bit weierstrass curve.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of field
*/
export function getFieldBytesLength(fieldOrder) {
if (typeof fieldOrder !== 'bigint')
throw new Error('field order must be bigint');
const bitLength = fieldOrder.toString(2).length;
return Math.ceil(bitLength / 8);
}
/**
* Returns minimal amount of bytes that can be safely reduced
* by field order.
* Should be 2^-128 for 128-bit curve such as P256.
* @param fieldOrder number of field elements, usually CURVE.n
* @returns byte length of target hash
*/
export function getMinHashLength(fieldOrder) {
const length = getFieldBytesLength(fieldOrder);
return length + Math.ceil(length / 2);
}
/**
* "Constant-time" private key generation utility.
* Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
* and convert them into private scalar, with the modulo bias being negligible.
* Needs at least 48 bytes of input for 32-byte private key.
* https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
* FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
* RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
* @param hash hash output from SHA3 or a similar function
* @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
* @param isLE interpret hash bytes as LE num
* @returns valid private scalar
*/
export function mapHashToField(key, fieldOrder, isLE = false) {
const len = key.length;
const fieldLen = getFieldBytesLength(fieldOrder);
const minLen = getMinHashLength(fieldOrder);
// No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
if (len < 16 || len < minLen || len > 1024)
throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
// `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
const reduced = mod(num, fieldOrder - _1n) + _1n;
return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
}
//# sourceMappingURL=modular.js.map

1
node_modules/@noble/curves/esm/abstract/modular.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

30
node_modules/@noble/curves/esm/abstract/montgomery.d.ts generated vendored Normal file
View File

@@ -0,0 +1,30 @@
import type { CurveLengths } from './curve.ts';
type Hex = string | Uint8Array;
export type CurveType = {
P: bigint;
type: 'x25519' | 'x448';
adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
powPminus2: (x: bigint) => bigint;
randomBytes?: (bytesLength?: number) => Uint8Array;
};
export type MontgomeryECDH = {
scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
scalarMultBase: (scalar: Hex) => Uint8Array;
getSharedSecret: (secretKeyA: Hex, publicKeyB: Hex) => Uint8Array;
getPublicKey: (secretKey: Hex) => Uint8Array;
utils: {
randomSecretKey: () => Uint8Array;
/** @deprecated use `randomSecretKey` */
randomPrivateKey: () => Uint8Array;
};
GuBytes: Uint8Array;
lengths: CurveLengths;
keygen: (seed?: Uint8Array) => {
secretKey: Uint8Array;
publicKey: Uint8Array;
};
};
export type CurveFn = MontgomeryECDH;
export declare function montgomery(curveDef: CurveType): MontgomeryECDH;
export {};
//# sourceMappingURL=montgomery.d.ts.map

1
node_modules/@noble/curves/esm/abstract/montgomery.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"montgomery.d.ts","sourceRoot":"","sources":["../../src/abstract/montgomery.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM/C,KAAK,GAAG,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/B,MAAM,MAAM,SAAS,GAAG;IACtB,CAAC,EAAE,MAAM,CAAC;IACV,IAAI,EAAE,QAAQ,GAAG,MAAM,CAAC;IACxB,iBAAiB,EAAE,CAAC,KAAK,EAAE,UAAU,KAAK,UAAU,CAAC;IACrD,UAAU,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAClC,WAAW,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,MAAM,KAAK,UAAU,CAAC;CACpD,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,UAAU,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK,UAAU,CAAC;IAChD,cAAc,EAAE,CAAC,MAAM,EAAE,GAAG,KAAK,UAAU,CAAC;IAC5C,eAAe,EAAE,CAAC,UAAU,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,KAAK,UAAU,CAAC;IAClE,YAAY,EAAE,CAAC,SAAS,EAAE,GAAG,KAAK,UAAU,CAAC;IAC7C,KAAK,EAAE;QACL,eAAe,EAAE,MAAM,UAAU,CAAC;QAClC,wCAAwC;QACxC,gBAAgB,EAAE,MAAM,UAAU,CAAC;KACpC,CAAC;IACF,OAAO,EAAE,UAAU,CAAC;IACpB,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,UAAU,KAAK;QAAE,SAAS,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,UAAU,CAAA;KAAE,CAAC;CACjF,CAAC;AACF,MAAM,MAAM,OAAO,GAAG,cAAc,CAAC;AAUrC,wBAAgB,UAAU,CAAC,QAAQ,EAAE,SAAS,GAAG,cAAc,CAyI9D"}

157
node_modules/@noble/curves/esm/abstract/montgomery.js generated vendored Normal file
View File

@@ -0,0 +1,157 @@
/**
* Montgomery curve methods. It's not really whole montgomery curve,
* just bunch of very specific methods for X25519 / X448 from
* [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { _validateObject, abytes, aInRange, bytesToNumberLE, ensureBytes, numberToBytesLE, randomBytes, } from "../utils.js";
import { mod } from "./modular.js";
const _0n = BigInt(0);
const _1n = BigInt(1);
const _2n = BigInt(2);
function validateOpts(curve) {
_validateObject(curve, {
adjustScalarBytes: 'function',
powPminus2: 'function',
});
return Object.freeze({ ...curve });
}
export function montgomery(curveDef) {
const CURVE = validateOpts(curveDef);
const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
const is25519 = type === 'x25519';
if (!is25519 && type !== 'x448')
throw new Error('invalid type');
const randomBytes_ = rand || randomBytes;
const montgomeryBits = is25519 ? 255 : 448;
const fieldLen = is25519 ? 32 : 56;
const Gu = is25519 ? BigInt(9) : BigInt(5);
// RFC 7748 #5:
// The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
// (156326 - 2) / 4 = 39081 for curve448/X448
// const a = is25519 ? 156326n : 486662n;
const a24 = is25519 ? BigInt(121665) : BigInt(39081);
// RFC: x25519 "the resulting integer is of the form 2^254 plus
// eight times a value between 0 and 2^251 - 1 (inclusive)"
// x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
const maxAdded = is25519
? BigInt(8) * _2n ** BigInt(251) - _1n
: BigInt(4) * _2n ** BigInt(445) - _1n;
const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
const modP = (n) => mod(n, P);
const GuBytes = encodeU(Gu);
function encodeU(u) {
return numberToBytesLE(modP(u), fieldLen);
}
function decodeU(u) {
const _u = ensureBytes('u coordinate', u, fieldLen);
// RFC: When receiving such an array, implementations of X25519
// (but not X448) MUST mask the most significant bit in the final byte.
if (is25519)
_u[31] &= 127; // 0b0111_1111
// RFC: Implementations MUST accept non-canonical values and process them as
// if they had been reduced modulo the field prime. The non-canonical
// values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
// - 1 through 2^448 - 1 for X448.
return modP(bytesToNumberLE(_u));
}
function decodeScalar(scalar) {
return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
}
function scalarMult(scalar, u) {
const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
// Some public keys are useless, of low-order. Curve author doesn't think
// it needs to be validated, but we do it nonetheless.
// https://cr.yp.to/ecdh.html#validate
if (pu === _0n)
throw new Error('invalid private or public key received');
return encodeU(pu);
}
// Computes public key from private. By doing scalar multiplication of base point.
function scalarMultBase(scalar) {
return scalarMult(scalar, GuBytes);
}
// cswap from RFC7748 "example code"
function cswap(swap, x_2, x_3) {
// dummy = mask(swap) AND (x_2 XOR x_3)
// Where mask(swap) is the all-1 or all-0 word of the same length as x_2
// and x_3, computed, e.g., as mask(swap) = 0 - swap.
const dummy = modP(swap * (x_2 - x_3));
x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
return { x_2, x_3 };
}
/**
* Montgomery x-only multiplication ladder.
* @param pointU u coordinate (x) on Montgomery Curve 25519
* @param scalar by which the point would be multiplied
* @returns new Point on Montgomery curve
*/
function montgomeryLadder(u, scalar) {
aInRange('u', u, _0n, P);
aInRange('scalar', scalar, minScalar, maxScalar);
const k = scalar;
const x_1 = u;
let x_2 = _1n;
let z_2 = _0n;
let x_3 = u;
let z_3 = _1n;
let swap = _0n;
for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
const k_t = (k >> t) & _1n;
swap ^= k_t;
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
swap = k_t;
const A = x_2 + z_2;
const AA = modP(A * A);
const B = x_2 - z_2;
const BB = modP(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP(D * A);
const CB = modP(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP(dacb * dacb);
z_3 = modP(x_1 * modP(da_cb * da_cb));
x_2 = modP(AA * BB);
z_2 = modP(E * (AA + modP(a24 * E)));
}
({ x_2, x_3 } = cswap(swap, x_2, x_3));
({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
}
const lengths = {
secretKey: fieldLen,
publicKey: fieldLen,
seed: fieldLen,
};
const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
abytes(seed, lengths.seed);
return seed;
};
function keygen(seed) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: scalarMultBase(secretKey) };
}
const utils = {
randomSecretKey,
randomPrivateKey: randomSecretKey,
};
return {
keygen,
getSharedSecret: (secretKey, publicKey) => scalarMult(secretKey, publicKey),
getPublicKey: (secretKey) => scalarMultBase(secretKey),
scalarMult,
scalarMultBase,
utils,
GuBytes: GuBytes.slice(),
lengths,
};
}
//# sourceMappingURL=montgomery.js.map

1
node_modules/@noble/curves/esm/abstract/montgomery.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

68
node_modules/@noble/curves/esm/abstract/poseidon.d.ts generated vendored Normal file
View File

@@ -0,0 +1,68 @@
import { type IField } from './modular.ts';
export type PoseidonBasicOpts = {
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
isSboxInverse?: boolean;
};
export type PoseidonGrainOpts = PoseidonBasicOpts & {
sboxPower?: number;
};
type PoseidonConstants = {
mds: bigint[][];
roundConstants: bigint[][];
};
export declare function grainGenConstants(opts: PoseidonGrainOpts, skipMDS?: number): PoseidonConstants;
export type PoseidonOpts = PoseidonBasicOpts & PoseidonConstants & {
sboxPower?: number;
reversePartialPowIdx?: boolean;
};
export declare function validateOpts(opts: PoseidonOpts): Readonly<{
rounds: number;
sboxFn: (n: bigint) => bigint;
roundConstants: bigint[][];
mds: bigint[][];
Fp: IField<bigint>;
t: number;
roundsFull: number;
roundsPartial: number;
sboxPower?: number;
reversePartialPowIdx?: boolean;
}>;
export declare function splitConstants(rc: bigint[], t: number): bigint[][];
export type PoseidonFn = {
(values: bigint[]): bigint[];
roundConstants: bigint[][];
};
/** Poseidon NTT-friendly hash. */
export declare function poseidon(opts: PoseidonOpts): PoseidonFn;
export declare class PoseidonSponge {
private Fp;
readonly rate: number;
readonly capacity: number;
readonly hash: PoseidonFn;
private state;
private pos;
private isAbsorbing;
constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn);
private process;
absorb(input: bigint[]): void;
squeeze(count: number): bigint[];
clean(): void;
clone(): PoseidonSponge;
}
export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
rate: number;
capacity: number;
};
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms
* - https://github.com/arkworks-rs/crypto-primitives/tree/main
*/
export declare function poseidonSponge(opts: PoseidonSpongeOpts): () => PoseidonSponge;
export {};
//# sourceMappingURL=poseidon.d.ts.map

1
node_modules/@noble/curves/esm/abstract/poseidon.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"poseidon.d.ts","sourceRoot":"","sources":["../../src/abstract/poseidon.ts"],"names":[],"mappings":"AAUA,OAAO,EAAwB,KAAK,MAAM,EAAiB,MAAM,cAAc,CAAC;AAyBhF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC;IACV,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB,CAAC;AA0DF,MAAM,MAAM,iBAAiB,GAAG,iBAAiB,GAAG;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,KAAK,iBAAiB,GAAG;IAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC;IAAC,cAAc,EAAE,MAAM,EAAE,EAAE,CAAA;CAAE,CAAC;AAIzE,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,iBAAiB,EAAE,OAAO,GAAE,MAAU,GAAG,iBAAiB,CAuBjG;AAED,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAC1C,iBAAiB,GAAG;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC,CAAC;AAEJ,wBAAgB,YAAY,CAAC,IAAI,EAAE,YAAY,GAAG,QAAQ,CAAC;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;IAC9B,cAAc,EAAE,MAAM,EAAE,EAAE,CAAC;IAC3B,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC;IACV,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC,CAAC,CAwCD;AAED,wBAAgB,cAAc,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,CAalE;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAE7B,cAAc,EAAE,MAAM,EAAE,EAAE,CAAC;CAC5B,CAAC;AACF,kCAAkC;AAClC,wBAAgB,QAAQ,CAAC,IAAI,EAAE,YAAY,GAAG,UAAU,CAmCvD;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,EAAE,CAAiB;IAC3B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,OAAO,CAAC,KAAK,CAAW;IACxB,OAAO,CAAC,GAAG,CAAK;IAChB,OAAO,CAAC,WAAW,CAAQ;gBAEf,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU;IAQhF,OAAO,CAAC,OAAO;IAGf,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI;IAgB7B,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE;IAahC,KAAK,IAAI,IAAI;IAKb,KAAK,IAAI,cAAc;CAMxB;AAED,MAAM,MAAM,kBAAkB,GAAG,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,MAAM,cAAc,CAW7E"}

296
node_modules/@noble/curves/esm/abstract/poseidon.js generated vendored Normal file
View File

@@ -0,0 +1,296 @@
/**
* Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
*
* There are many poseidon variants with different constants.
* We don't provide them: you should construct them manually.
* Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { _validateObject, bitGet } from "../utils.js";
import { FpInvertBatch, FpPow, validateField } from "./modular.js";
// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
function grainLFSR(state) {
let pos = 0;
if (state.length !== 80)
throw new Error('grainLFRS: wrong state length, should be 80 bits');
const getBit = () => {
const r = (offset) => state[(pos + offset) % 80];
const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
state[pos] = bit;
pos = ++pos % 80;
return !!bit;
};
for (let i = 0; i < 160; i++)
getBit();
return () => {
// https://en.wikipedia.org/wiki/Shrinking_generator
while (true) {
const b1 = getBit();
const b2 = getBit();
if (!b1)
continue;
return b2;
}
};
}
function assertValidPosOpts(opts) {
const { Fp, roundsFull } = opts;
validateField(Fp);
_validateObject(opts, {
t: 'number',
roundsFull: 'number',
roundsPartial: 'number',
}, {
isSboxInverse: 'boolean',
});
for (const i of ['t', 'roundsFull', 'roundsPartial']) {
if (!Number.isSafeInteger(opts[i]) || opts[i] < 1)
throw new Error('invalid number ' + i);
}
if (roundsFull & 1)
throw new Error('roundsFull is not even' + roundsFull);
}
function poseidonGrain(opts) {
assertValidPosOpts(opts);
const { Fp } = opts;
const state = Array(80).fill(1);
let pos = 0;
const writeBits = (value, bitCount) => {
for (let i = bitCount - 1; i >= 0; i--)
state[pos++] = Number(bitGet(value, i));
};
const _0n = BigInt(0);
const _1n = BigInt(1);
writeBits(_1n, 2); // prime field
writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
writeBits(BigInt(Fp.BITS), 12); // b6..b17
writeBits(BigInt(opts.t), 12); // b18..b29
writeBits(BigInt(opts.roundsFull), 10); // b30..b39
writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
const getBit = grainLFSR(state);
return (count, reject) => {
const res = [];
for (let i = 0; i < count; i++) {
while (true) {
let num = _0n;
for (let i = 0; i < Fp.BITS; i++) {
num <<= _1n;
if (getBit())
num |= _1n;
}
if (reject && num >= Fp.ORDER)
continue; // rejection sampling
res.push(Fp.create(num));
break;
}
}
return res;
};
}
// NOTE: this is not standard but used often for constant generation for poseidon
// (grain LFRS-like structure)
export function grainGenConstants(opts, skipMDS = 0) {
const { Fp, t, roundsFull, roundsPartial } = opts;
const rounds = roundsFull + roundsPartial;
const sample = poseidonGrain(opts);
const roundConstants = [];
for (let r = 0; r < rounds; r++)
roundConstants.push(sample(t, true));
if (skipMDS > 0)
for (let i = 0; i < skipMDS; i++)
sample(2 * t, false);
const xs = sample(t, false);
const ys = sample(t, false);
// Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
const mds = [];
for (let i = 0; i < t; i++) {
const row = [];
for (let j = 0; j < t; j++) {
const xy = Fp.add(xs[i], ys[j]);
if (Fp.is0(xy))
throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
row.push(xy);
}
mds.push(FpInvertBatch(Fp, row));
}
return { roundConstants, mds };
}
export function validateOpts(opts) {
assertValidPosOpts(opts);
const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
const { roundsFull, roundsPartial, sboxPower, t } = opts;
// MDS is TxT matrix
if (!Array.isArray(mds) || mds.length !== t)
throw new Error('Poseidon: invalid MDS matrix');
const _mds = mds.map((mdsRow) => {
if (!Array.isArray(mdsRow) || mdsRow.length !== t)
throw new Error('invalid MDS matrix row: ' + mdsRow);
return mdsRow.map((i) => {
if (typeof i !== 'bigint')
throw new Error('invalid MDS matrix bigint: ' + i);
return Fp.create(i);
});
});
if (rev !== undefined && typeof rev !== 'boolean')
throw new Error('invalid param reversePartialPowIdx=' + rev);
if (roundsFull & 1)
throw new Error('roundsFull is not even' + roundsFull);
const rounds = roundsFull + roundsPartial;
if (!Array.isArray(rc) || rc.length !== rounds)
throw new Error('Poseidon: invalid round constants');
const roundConstants = rc.map((rc) => {
if (!Array.isArray(rc) || rc.length !== t)
throw new Error('invalid round constants');
return rc.map((i) => {
if (typeof i !== 'bigint' || !Fp.isValid(i))
throw new Error('invalid round constant');
return Fp.create(i);
});
});
if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower))
throw new Error('invalid sboxPower');
const _sboxPower = BigInt(sboxPower);
let sboxFn = (n) => FpPow(Fp, n, _sboxPower);
// Unwrapped sbox power for common cases (195->142μs)
if (sboxPower === 3)
sboxFn = (n) => Fp.mul(Fp.sqrN(n), n);
else if (sboxPower === 5)
sboxFn = (n) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds: _mds });
}
export function splitConstants(rc, t) {
if (typeof t !== 'number')
throw new Error('poseidonSplitConstants: invalid t');
if (!Array.isArray(rc) || rc.length % t)
throw new Error('poseidonSplitConstants: invalid rc');
const res = [];
let tmp = [];
for (let i = 0; i < rc.length; i++) {
tmp.push(rc[i]);
if (tmp.length === t) {
res.push(tmp);
tmp = [];
}
}
return res;
}
/** Poseidon NTT-friendly hash. */
export function poseidon(opts) {
const _opts = validateOpts(opts);
const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
const halfRoundsFull = _opts.roundsFull / 2;
const partialIdx = _opts.reversePartialPowIdx ? t - 1 : 0;
const poseidonRound = (values, isFull, idx) => {
values = values.map((i, j) => Fp.add(i, roundConstants[idx][j]));
if (isFull)
values = values.map((i) => sboxFn(i));
else
values[partialIdx] = sboxFn(values[partialIdx]);
// Matrix multiplication
values = mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
return values;
};
const poseidonHash = function poseidonHash(values) {
if (!Array.isArray(values) || values.length !== t)
throw new Error('invalid values, expected array of bigints with length ' + t);
values = values.map((i) => {
if (typeof i !== 'bigint')
throw new Error('invalid bigint=' + i);
return Fp.create(i);
});
let lastRound = 0;
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++)
values = poseidonRound(values, true, lastRound++);
// Apply r_p partial rounds.
for (let i = 0; i < roundsPartial; i++)
values = poseidonRound(values, false, lastRound++);
// Apply r_f/2 full rounds.
for (let i = 0; i < halfRoundsFull; i++)
values = poseidonRound(values, true, lastRound++);
if (lastRound !== totalRounds)
throw new Error('invalid number of rounds');
return values;
};
// For verification in tests
poseidonHash.roundConstants = roundConstants;
return poseidonHash;
}
export class PoseidonSponge {
constructor(Fp, rate, capacity, hash) {
this.pos = 0;
this.isAbsorbing = true;
this.Fp = Fp;
this.hash = hash;
this.rate = rate;
this.capacity = capacity;
this.state = new Array(rate + capacity);
this.clean();
}
process() {
this.state = this.hash(this.state);
}
absorb(input) {
for (const i of input)
if (typeof i !== 'bigint' || !this.Fp.isValid(i))
throw new Error('invalid input: ' + i);
for (let i = 0; i < input.length;) {
if (!this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = true;
}
const chunk = Math.min(this.rate - this.pos, input.length - i);
for (let j = 0; j < chunk; j++) {
const idx = this.capacity + this.pos++;
this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
}
}
}
squeeze(count) {
const res = [];
while (res.length < count) {
if (this.isAbsorbing || this.pos === this.rate) {
this.process();
this.pos = 0;
this.isAbsorbing = false;
}
const chunk = Math.min(this.rate - this.pos, count - res.length);
for (let i = 0; i < chunk; i++)
res.push(this.state[this.capacity + this.pos++]);
}
return res;
}
clean() {
this.state.fill(this.Fp.ZERO);
this.isAbsorbing = true;
this.pos = 0;
}
clone() {
const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
c.pos = this.pos;
c.state = [...this.state];
return c;
}
}
/**
* The method is not defined in spec, but nevertheless used often.
* Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
* We cross-test against:
* - https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms
* - https://github.com/arkworks-rs/crypto-primitives/tree/main
*/
export function poseidonSponge(opts) {
for (const i of ['rate', 'capacity']) {
if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
throw new Error('invalid number ' + i);
}
const { rate, capacity } = opts;
const t = opts.rate + opts.capacity;
// Re-use hash instance between multiple instances
const hash = poseidon({ ...opts, t });
const { Fp } = opts;
return () => new PoseidonSponge(Fp, rate, capacity, hash);
}
//# sourceMappingURL=poseidon.js.map

1
node_modules/@noble/curves/esm/abstract/poseidon.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

95
node_modules/@noble/curves/esm/abstract/tower.d.ts generated vendored Normal file
View File

@@ -0,0 +1,95 @@
import * as mod from './modular.ts';
import type { WeierstrassPoint, WeierstrassPointCons } from './weierstrass.ts';
export type BigintTuple = [bigint, bigint];
export type Fp = bigint;
export type Fp2 = {
c0: bigint;
c1: bigint;
};
export type BigintSix = [bigint, bigint, bigint, bigint, bigint, bigint];
export type Fp6 = {
c0: Fp2;
c1: Fp2;
c2: Fp2;
};
export type Fp12 = {
c0: Fp6;
c1: Fp6;
};
export type BigintTwelve = [
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint,
bigint
];
export type Fp2Bls = mod.IField<Fp2> & {
Fp: mod.IField<Fp>;
frobeniusMap(num: Fp2, power: number): Fp2;
fromBigTuple(num: BigintTuple): Fp2;
mulByB: (num: Fp2) => Fp2;
mulByNonresidue: (num: Fp2) => Fp2;
reim: (num: Fp2) => {
re: Fp;
im: Fp;
};
Fp4Square: (a: Fp2, b: Fp2) => {
first: Fp2;
second: Fp2;
};
NONRESIDUE: Fp2;
};
export type Fp6Bls = mod.IField<Fp6> & {
Fp2: Fp2Bls;
frobeniusMap(num: Fp6, power: number): Fp6;
fromBigSix: (tuple: BigintSix) => Fp6;
mul1(num: Fp6, b1: Fp2): Fp6;
mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
mulByNonresidue: (num: Fp6) => Fp6;
};
export type Fp12Bls = mod.IField<Fp12> & {
Fp6: Fp6Bls;
frobeniusMap(num: Fp12, power: number): Fp12;
fromBigTwelve: (t: BigintTwelve) => Fp12;
mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
conjugate(num: Fp12): Fp12;
finalExponentiate(num: Fp12): Fp12;
_cyclotomicSquare(num: Fp12): Fp12;
_cyclotomicExp(num: Fp12, n: bigint): Fp12;
};
export declare function psiFrobenius(Fp: mod.IField<Fp>, Fp2: Fp2Bls, base: Fp2): {
psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
G2psi: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
G2psi2: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
PSI_X: Fp2;
PSI_Y: Fp2;
PSI2_X: Fp2;
PSI2_Y: Fp2;
};
export type Tower12Opts = {
ORDER: bigint;
X_LEN: number;
NONRESIDUE?: Fp;
FP2_NONRESIDUE: BigintTuple;
Fp2sqrt?: (num: Fp2) => Fp2;
Fp2mulByB: (num: Fp2) => Fp2;
Fp12finalExponentiate: (num: Fp12) => Fp12;
};
export declare function tower12(opts: Tower12Opts): {
Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, 'isOdd'>>>;
Fp2: Fp2Bls;
Fp6: Fp6Bls;
Fp12: Fp12Bls;
};
//# sourceMappingURL=tower.d.ts.map

1
node_modules/@noble/curves/esm/abstract/tower.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"tower.d.ts","sourceRoot":"","sources":["../../src/abstract/tower.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AACpC,OAAO,KAAK,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAO/E,MAAM,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAC3C,MAAM,MAAM,EAAE,GAAG,MAAM,CAAC;AAGxB,MAAM,MAAM,GAAG,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CAAC;AAC7C,MAAM,MAAM,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACzE,MAAM,MAAM,GAAG,GAAG;IAAE,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAA;CAAE,CAAC;AAChD,MAAM,MAAM,IAAI,GAAG;IAAE,EAAE,EAAE,GAAG,CAAC;IAAC,EAAE,EAAE,GAAG,CAAA;CAAE,CAAC;AAExC,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAC9C,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;IAAE,MAAM;CAC/C,CAAC;AAEF,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;IACrC,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACnB,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;IAC3C,YAAY,CAAC,GAAG,EAAE,WAAW,GAAG,GAAG,CAAC;IACpC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC1B,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IACnC,IAAI,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK;QAAE,EAAE,EAAE,EAAE,CAAC;QAAC,EAAE,EAAE,EAAE,CAAA;KAAE,CAAC;IACvC,SAAS,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK;QAAE,KAAK,EAAE,GAAG,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,CAAC;IAC3D,UAAU,EAAE,GAAG,CAAC;CACjB,CAAC;AAEF,MAAM,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,CAAC;IAC3C,UAAU,EAAE,CAAC,KAAK,EAAE,SAAS,KAAK,GAAG,CAAC;IACtC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,GAAG,CAAC;IAC7B,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,GAAG,CAAC;IACvC,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,GAAG,CAAC;IAClC,eAAe,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;CACpC,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7C,aAAa,EAAE,CAAC,CAAC,EAAE,YAAY,KAAK,IAAI,CAAC;IACzC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,CAAC;IACnD,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,CAAC;IACpC,SAAS,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,iBAAiB,CAAC,GAAG,EAAE,IAAI,GAAG,IAAI,CAAC;IACnC,cAAc,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5C,CAAC;AA2BF,wBAAgB,YAAY,CAC1B,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAClB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,GAAG,GACR;IACD,GAAG,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,KAAK,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,KAAK,EAAE,CAAC,CAAC,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACzF,MAAM,EAAE,CAAC,CAAC,EAAE,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,gBAAgB,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAC1F,KAAK,EAAE,GAAG,CAAC;IACX,KAAK,EAAE,GAAG,CAAC;IACX,MAAM,EAAE,GAAG,CAAC;IACZ,MAAM,EAAE,GAAG,CAAC;CACb,CA8BA;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,EAAE,CAAC;IAChB,cAAc,EAAE,WAAW,CAAC;IAC5B,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC5B,SAAS,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,CAAC;IAC7B,qBAAqB,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,IAAI,CAAC;CAC5C,CAAC;AAosBF,wBAAgB,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG;IAC1C,EAAE,EAAE,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;IAC/E,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,OAAO,CAAC;CACf,CAMA"}

714
node_modules/@noble/curves/esm/abstract/tower.js generated vendored Normal file
View File

@@ -0,0 +1,714 @@
/**
* Towered extension fields.
* Rather than implementing a massive 12th-degree extension directly, it is more efficient
* to build it up from smaller extensions: a tower of extensions.
*
* For BLS12-381, the Fp12 field is implemented as a quadratic (degree two) extension,
* on top of a cubic (degree three) extension, on top of a quadratic extension of Fp.
*
* For more info: "Pairings for beginners" by Costello, section 7.3.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { bitGet, bitLen, concatBytes, notImplemented } from "../utils.js";
import * as mod from "./modular.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
function calcFrobeniusCoefficients(Fp, nonResidue, modulus, degree, num = 1, divisor) {
const _divisor = BigInt(divisor === undefined ? degree : divisor);
const towerModulus = modulus ** BigInt(degree);
const res = [];
for (let i = 0; i < num; i++) {
const a = BigInt(i + 1);
const powers = [];
for (let j = 0, qPower = _1n; j < degree; j++) {
const power = ((a * qPower - a) / _divisor) % towerModulus;
powers.push(Fp.pow(nonResidue, power));
qPower *= modulus;
}
res.push(powers);
}
return res;
}
// This works same at least for bls12-381, bn254 and bls12-377
export function psiFrobenius(Fp, Fp2, base) {
// GLV endomorphism Ψ(P)
const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
function psi(x, y) {
// This x10 faster than previous version in bls12-381
const x2 = Fp2.mul(Fp2.frobeniusMap(x, 1), PSI_X);
const y2 = Fp2.mul(Fp2.frobeniusMap(y, 1), PSI_Y);
return [x2, y2];
}
// Ψ²(P) endomorphism (psi2(x) = psi(psi(x)))
const PSI2_X = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _3n); // u^((p^2 - 1)/3)
// This equals -1, which causes y to be Fp2.neg(y).
// But not sure if there are case when this is not true?
const PSI2_Y = Fp2.pow(base, (Fp.ORDER ** _2n - _1n) / _2n); // u^((p^2 - 1)/3)
if (!Fp2.eql(PSI2_Y, Fp2.neg(Fp2.ONE)))
throw new Error('psiFrobenius: PSI2_Y!==-1');
function psi2(x, y) {
return [Fp2.mul(x, PSI2_X), Fp2.neg(y)];
}
// Map points
const mapAffine = (fn) => (c, P) => {
const affine = P.toAffine();
const p = fn(affine.x, affine.y);
return c.fromAffine({ x: p[0], y: p[1] });
};
const G2psi = mapAffine(psi);
const G2psi2 = mapAffine(psi2);
return { psi, psi2, G2psi, G2psi2, PSI_X, PSI_Y, PSI2_X, PSI2_Y };
}
const Fp2fromBigTuple = (Fp, tuple) => {
if (tuple.length !== 2)
throw new Error('invalid tuple');
const fps = tuple.map((n) => Fp.create(n));
return { c0: fps[0], c1: fps[1] };
};
class _Field2 {
constructor(Fp, opts = {}) {
this.MASK = _1n;
const ORDER = Fp.ORDER;
const FP2_ORDER = ORDER * ORDER;
this.Fp = Fp;
this.ORDER = FP2_ORDER;
this.BITS = bitLen(FP2_ORDER);
this.BYTES = Math.ceil(bitLen(FP2_ORDER) / 8);
this.isLE = Fp.isLE;
this.ZERO = { c0: Fp.ZERO, c1: Fp.ZERO };
this.ONE = { c0: Fp.ONE, c1: Fp.ZERO };
this.Fp_NONRESIDUE = Fp.create(opts.NONRESIDUE || BigInt(-1));
this.Fp_div2 = Fp.div(Fp.ONE, _2n); // 1/2
this.NONRESIDUE = Fp2fromBigTuple(Fp, opts.FP2_NONRESIDUE);
// const Fp2Nonresidue = Fp2fromBigTuple(opts.FP2_NONRESIDUE);
this.FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(Fp, this.Fp_NONRESIDUE, Fp.ORDER, 2)[0];
this.mulByB = opts.Fp2mulByB;
Object.seal(this);
}
fromBigTuple(tuple) {
return Fp2fromBigTuple(this.Fp, tuple);
}
create(num) {
return num;
}
isValid({ c0, c1 }) {
function isValidC(num, ORDER) {
return typeof num === 'bigint' && _0n <= num && num < ORDER;
}
return isValidC(c0, this.ORDER) && isValidC(c1, this.ORDER);
}
is0({ c0, c1 }) {
return this.Fp.is0(c0) && this.Fp.is0(c1);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
eql({ c0, c1 }, { c0: r0, c1: r1 }) {
return this.Fp.eql(c0, r0) && this.Fp.eql(c1, r1);
}
neg({ c0, c1 }) {
return { c0: this.Fp.neg(c0), c1: this.Fp.neg(c1) };
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add(f1, f2) {
const { c0, c1 } = f1;
const { c0: r0, c1: r1 } = f2;
return {
c0: this.Fp.add(c0, r0),
c1: this.Fp.add(c1, r1),
};
}
sub({ c0, c1 }, { c0: r0, c1: r1 }) {
return {
c0: this.Fp.sub(c0, r0),
c1: this.Fp.sub(c1, r1),
};
}
mul({ c0, c1 }, rhs) {
const { Fp } = this;
if (typeof rhs === 'bigint')
return { c0: Fp.mul(c0, rhs), c1: Fp.mul(c1, rhs) };
// (a+bi)(c+di) = (acbd) + (ad+bc)i
const { c0: r0, c1: r1 } = rhs;
let t1 = Fp.mul(c0, r0); // c0 * o0
let t2 = Fp.mul(c1, r1); // c1 * o1
// (T1 - T2) + ((c0 + c1) * (r0 + r1) - (T1 + T2))*i
const o0 = Fp.sub(t1, t2);
const o1 = Fp.sub(Fp.mul(Fp.add(c0, c1), Fp.add(r0, r1)), Fp.add(t1, t2));
return { c0: o0, c1: o1 };
}
sqr({ c0, c1 }) {
const { Fp } = this;
const a = Fp.add(c0, c1);
const b = Fp.sub(c0, c1);
const c = Fp.add(c0, c0);
return { c0: Fp.mul(a, b), c1: Fp.mul(c, c1) };
}
// NonNormalized stuff
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
div(lhs, rhs) {
const { Fp } = this;
// @ts-ignore
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
inv({ c0: a, c1: b }) {
// We wish to find the multiplicative inverse of a nonzero
// element a + bu in Fp2. We leverage an identity
//
// (a + bu)(a - bu) = a² + b²
//
// which holds because u² = -1. This can be rewritten as
//
// (a + bu)(a - bu)/(a² + b²) = 1
//
// because a² + b² = 0 has no nonzero solutions for (a, b).
// This gives that (a - bu)/(a² + b²) is the inverse
// of (a + bu). Importantly, this can be computing using
// only a single inversion in Fp.
const { Fp } = this;
const factor = Fp.inv(Fp.create(a * a + b * b));
return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
}
sqrt(num) {
// This is generic for all quadratic extensions (Fp2)
const { Fp } = this;
const Fp2 = this;
const { c0, c1 } = num;
if (Fp.is0(c1)) {
// if c0 is quadratic residue
if (mod.FpLegendre(Fp, c0) === 1)
return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
else
return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, this.Fp_NONRESIDUE)) });
}
const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), this.Fp_NONRESIDUE)));
let d = Fp.mul(Fp.add(a, c0), this.Fp_div2);
const legendre = mod.FpLegendre(Fp, d);
// -1, Quadratic non residue
if (legendre === -1)
d = Fp.sub(d, a);
const a0 = Fp.sqrt(d);
const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, this.Fp_div2), a0) });
if (!Fp2.eql(Fp2.sqr(candidateSqrt), num))
throw new Error('Cannot find square root');
// Normalize root: at this point candidateSqrt ** 2 = num, but also -candidateSqrt ** 2 = num
const x1 = candidateSqrt;
const x2 = Fp2.neg(x1);
const { re: re1, im: im1 } = Fp2.reim(x1);
const { re: re2, im: im2 } = Fp2.reim(x2);
if (im1 > im2 || (im1 === im2 && re1 > re2))
return x1;
return x2;
}
// Same as sgn0_m_eq_2 in RFC 9380
isOdd(x) {
const { re: x0, im: x1 } = this.reim(x);
const sign_0 = x0 % _2n;
const zero_0 = x0 === _0n;
const sign_1 = x1 % _2n;
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n;
}
// Bytes util
fromBytes(b) {
const { Fp } = this;
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
return { c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)), c1: Fp.fromBytes(b.subarray(Fp.BYTES)) };
}
toBytes({ c0, c1 }) {
return concatBytes(this.Fp.toBytes(c0), this.Fp.toBytes(c1));
}
cmov({ c0, c1 }, { c0: r0, c1: r1 }, c) {
return {
c0: this.Fp.cmov(c0, r0, c),
c1: this.Fp.cmov(c1, r1, c),
};
}
reim({ c0, c1 }) {
return { re: c0, im: c1 };
}
Fp4Square(a, b) {
const Fp2 = this;
const a2 = Fp2.sqr(a);
const b2 = Fp2.sqr(b);
return {
first: Fp2.add(Fp2.mulByNonresidue(b2), a2), // b² * Nonresidue + a²
second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
};
}
// multiply by u + 1
mulByNonresidue({ c0, c1 }) {
return this.mul({ c0, c1 }, this.NONRESIDUE);
}
frobeniusMap({ c0, c1 }, power) {
return {
c0,
c1: this.Fp.mul(c1, this.FROBENIUS_COEFFICIENTS[power % 2]),
};
}
}
class _Field6 {
constructor(Fp2) {
this.MASK = _1n;
this.Fp2 = Fp2;
this.ORDER = Fp2.ORDER; // TODO: unused, but need to verify
this.BITS = 3 * Fp2.BITS;
this.BYTES = 3 * Fp2.BYTES;
this.isLE = Fp2.isLE;
this.ZERO = { c0: Fp2.ZERO, c1: Fp2.ZERO, c2: Fp2.ZERO };
this.ONE = { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO };
const { Fp } = Fp2;
const frob = calcFrobeniusCoefficients(Fp2, Fp2.NONRESIDUE, Fp.ORDER, 6, 2, 3);
this.FROBENIUS_COEFFICIENTS_1 = frob[0];
this.FROBENIUS_COEFFICIENTS_2 = frob[1];
Object.seal(this);
}
add({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return {
c0: Fp2.add(c0, r0),
c1: Fp2.add(c1, r1),
c2: Fp2.add(c2, r2),
};
}
sub({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return {
c0: Fp2.sub(c0, r0),
c1: Fp2.sub(c1, r1),
c2: Fp2.sub(c2, r2),
};
}
mul({ c0, c1, c2 }, rhs) {
const { Fp2 } = this;
if (typeof rhs === 'bigint') {
return {
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
};
}
const { c0: r0, c1: r1, c2: r2 } = rhs;
const t0 = Fp2.mul(c0, r0); // c0 * o0
const t1 = Fp2.mul(c1, r1); // c1 * o1
const t2 = Fp2.mul(c2, r2); // c2 * o2
return {
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
c0: Fp2.add(t0, Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), Fp2.add(r1, r2)), Fp2.add(t1, t2)))),
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
c1: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c1), Fp2.add(r0, r1)), Fp2.add(t0, t1)), Fp2.mulByNonresidue(t2)),
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
c2: Fp2.sub(Fp2.add(t1, Fp2.mul(Fp2.add(c0, c2), Fp2.add(r0, r2))), Fp2.add(t0, t2)),
};
}
sqr({ c0, c1, c2 }) {
const { Fp2 } = this;
let t0 = Fp2.sqr(c0); // c0²
let t1 = Fp2.mul(Fp2.mul(c0, c1), _2n); // 2 * c0 * c1
let t3 = Fp2.mul(Fp2.mul(c1, c2), _2n); // 2 * c1 * c2
let t4 = Fp2.sqr(c2); // c2²
return {
c0: Fp2.add(Fp2.mulByNonresidue(t3), t0), // T3 * (u + 1) + T0
c1: Fp2.add(Fp2.mulByNonresidue(t4), t1), // T4 * (u + 1) + T1
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
};
}
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
create(num) {
return num;
}
isValid({ c0, c1, c2 }) {
const { Fp2 } = this;
return Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2);
}
is0({ c0, c1, c2 }) {
const { Fp2 } = this;
return Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1, c2 }) {
const { Fp2 } = this;
return { c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) };
}
eql({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) {
const { Fp2 } = this;
return Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2);
}
sqrt(_) {
return notImplemented();
}
// Do we need division by bigint at all? Should be done via order:
div(lhs, rhs) {
const { Fp2 } = this;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
inv({ c0, c1, c2 }) {
const { Fp2 } = this;
let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
// 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
}
// Bytes utils
fromBytes(b) {
const { Fp2 } = this;
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
const B2 = Fp2.BYTES;
return {
c0: Fp2.fromBytes(b.subarray(0, B2)),
c1: Fp2.fromBytes(b.subarray(B2, B2 * 2)),
c2: Fp2.fromBytes(b.subarray(2 * B2)),
};
}
toBytes({ c0, c1, c2 }) {
const { Fp2 } = this;
return concatBytes(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2));
}
cmov({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) {
const { Fp2 } = this;
return {
c0: Fp2.cmov(c0, r0, c),
c1: Fp2.cmov(c1, r1, c),
c2: Fp2.cmov(c2, r2, c),
};
}
fromBigSix(t) {
const { Fp2 } = this;
if (!Array.isArray(t) || t.length !== 6)
throw new Error('invalid Fp6 usage');
return {
c0: Fp2.fromBigTuple(t.slice(0, 2)),
c1: Fp2.fromBigTuple(t.slice(2, 4)),
c2: Fp2.fromBigTuple(t.slice(4, 6)),
};
}
frobeniusMap({ c0, c1, c2 }, power) {
const { Fp2 } = this;
return {
c0: Fp2.frobeniusMap(c0, power),
c1: Fp2.mul(Fp2.frobeniusMap(c1, power), this.FROBENIUS_COEFFICIENTS_1[power % 6]),
c2: Fp2.mul(Fp2.frobeniusMap(c2, power), this.FROBENIUS_COEFFICIENTS_2[power % 6]),
};
}
mulByFp2({ c0, c1, c2 }, rhs) {
const { Fp2 } = this;
return {
c0: Fp2.mul(c0, rhs),
c1: Fp2.mul(c1, rhs),
c2: Fp2.mul(c2, rhs),
};
}
mulByNonresidue({ c0, c1, c2 }) {
const { Fp2 } = this;
return { c0: Fp2.mulByNonresidue(c2), c1: c0, c2: c1 };
}
// Sparse multiplication
mul1({ c0, c1, c2 }, b1) {
const { Fp2 } = this;
return {
c0: Fp2.mulByNonresidue(Fp2.mul(c2, b1)),
c1: Fp2.mul(c0, b1),
c2: Fp2.mul(c1, b1),
};
}
// Sparse multiplication
mul01({ c0, c1, c2 }, b0, b1) {
const { Fp2 } = this;
let t0 = Fp2.mul(c0, b0); // c0 * b0
let t1 = Fp2.mul(c1, b1); // c1 * b1
return {
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
c0: Fp2.add(Fp2.mulByNonresidue(Fp2.sub(Fp2.mul(Fp2.add(c1, c2), b1), t1)), t0),
// (b0 + b1) * (c0 + c1) - T0 - T1
c1: Fp2.sub(Fp2.sub(Fp2.mul(Fp2.add(b0, b1), Fp2.add(c0, c1)), t0), t1),
// (c0 + c2) * b0 - T0 + T1
c2: Fp2.add(Fp2.sub(Fp2.mul(Fp2.add(c0, c2), b0), t0), t1),
};
}
}
class _Field12 {
constructor(Fp6, opts) {
this.MASK = _1n;
const { Fp2 } = Fp6;
const { Fp } = Fp2;
this.Fp6 = Fp6;
this.ORDER = Fp2.ORDER; // TODO: verify if it's unuesd
this.BITS = 2 * Fp6.BITS;
this.BYTES = 2 * Fp6.BYTES;
this.isLE = Fp6.isLE;
this.ZERO = { c0: Fp6.ZERO, c1: Fp6.ZERO };
this.ONE = { c0: Fp6.ONE, c1: Fp6.ZERO };
this.FROBENIUS_COEFFICIENTS = calcFrobeniusCoefficients(Fp2, Fp2.NONRESIDUE, Fp.ORDER, 12, 1, 6)[0];
this.X_LEN = opts.X_LEN;
this.finalExponentiate = opts.Fp12finalExponentiate;
}
create(num) {
return num;
}
isValid({ c0, c1 }) {
const { Fp6 } = this;
return Fp6.isValid(c0) && Fp6.isValid(c1);
}
is0({ c0, c1 }) {
const { Fp6 } = this;
return Fp6.is0(c0) && Fp6.is0(c1);
}
isValidNot0(num) {
return !this.is0(num) && this.isValid(num);
}
neg({ c0, c1 }) {
const { Fp6 } = this;
return { c0: Fp6.neg(c0), c1: Fp6.neg(c1) };
}
eql({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return Fp6.eql(c0, r0) && Fp6.eql(c1, r1);
}
sqrt(_) {
notImplemented();
}
inv({ c0, c1 }) {
const { Fp6 } = this;
let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
}
div(lhs, rhs) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { Fp } = Fp2;
return this.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : this.inv(rhs));
}
pow(num, power) {
return mod.FpPow(this, num, power);
}
invertBatch(nums) {
return mod.FpInvertBatch(this, nums);
}
// Normalized
add({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return {
c0: Fp6.add(c0, r0),
c1: Fp6.add(c1, r1),
};
}
sub({ c0, c1 }, { c0: r0, c1: r1 }) {
const { Fp6 } = this;
return {
c0: Fp6.sub(c0, r0),
c1: Fp6.sub(c1, r1),
};
}
mul({ c0, c1 }, rhs) {
const { Fp6 } = this;
if (typeof rhs === 'bigint')
return { c0: Fp6.mul(c0, rhs), c1: Fp6.mul(c1, rhs) };
let { c0: r0, c1: r1 } = rhs;
let t1 = Fp6.mul(c0, r0); // c0 * r0
let t2 = Fp6.mul(c1, r1); // c1 * r1
return {
c0: Fp6.add(t1, Fp6.mulByNonresidue(t2)), // T1 + T2 * v
// (c0 + c1) * (r0 + r1) - (T1 + T2)
c1: Fp6.sub(Fp6.mul(Fp6.add(c0, c1), Fp6.add(r0, r1)), Fp6.add(t1, t2)),
};
}
sqr({ c0, c1 }) {
const { Fp6 } = this;
let ab = Fp6.mul(c0, c1); // c0 * c1
return {
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
c0: Fp6.sub(Fp6.sub(Fp6.mul(Fp6.add(Fp6.mulByNonresidue(c1), c0), Fp6.add(c0, c1)), ab), Fp6.mulByNonresidue(ab)),
c1: Fp6.add(ab, ab),
}; // AB + AB
}
// NonNormalized stuff
addN(a, b) {
return this.add(a, b);
}
subN(a, b) {
return this.sub(a, b);
}
mulN(a, b) {
return this.mul(a, b);
}
sqrN(a) {
return this.sqr(a);
}
// Bytes utils
fromBytes(b) {
const { Fp6 } = this;
if (b.length !== this.BYTES)
throw new Error('fromBytes invalid length=' + b.length);
return {
c0: Fp6.fromBytes(b.subarray(0, Fp6.BYTES)),
c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
};
}
toBytes({ c0, c1 }) {
const { Fp6 } = this;
return concatBytes(Fp6.toBytes(c0), Fp6.toBytes(c1));
}
cmov({ c0, c1 }, { c0: r0, c1: r1 }, c) {
const { Fp6 } = this;
return {
c0: Fp6.cmov(c0, r0, c),
c1: Fp6.cmov(c1, r1, c),
};
}
// Utils
// toString() {
// return '' + 'Fp12(' + this.c0 + this.c1 + '* w');
// },
// fromTuple(c: [Fp6, Fp6]) {
// return new Fp12(...c);
// }
fromBigTwelve(t) {
const { Fp6 } = this;
return {
c0: Fp6.fromBigSix(t.slice(0, 6)),
c1: Fp6.fromBigSix(t.slice(6, 12)),
};
}
// Raises to q**i -th power
frobeniusMap(lhs, power) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0, c1, c2 } = Fp6.frobeniusMap(lhs.c1, power);
const coeff = this.FROBENIUS_COEFFICIENTS[power % 12];
return {
c0: Fp6.frobeniusMap(lhs.c0, power),
c1: Fp6.create({
c0: Fp2.mul(c0, coeff),
c1: Fp2.mul(c1, coeff),
c2: Fp2.mul(c2, coeff),
}),
};
}
mulByFp2({ c0, c1 }, rhs) {
const { Fp6 } = this;
return {
c0: Fp6.mulByFp2(c0, rhs),
c1: Fp6.mulByFp2(c1, rhs),
};
}
conjugate({ c0, c1 }) {
return { c0, c1: this.Fp6.neg(c1) };
}
// Sparse multiplication
mul014({ c0, c1 }, o0, o1, o4) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
let t0 = Fp6.mul01(c0, o0, o1);
let t1 = Fp6.mul1(c1, o4);
return {
c0: Fp6.add(Fp6.mulByNonresidue(t1), t0), // T1 * v + T0
// (c1 + c0) * [o0, o1+o4] - T0 - T1
c1: Fp6.sub(Fp6.sub(Fp6.mul01(Fp6.add(c1, c0), o0, Fp2.add(o1, o4)), t0), t1),
};
}
mul034({ c0, c1 }, o0, o3, o4) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const a = Fp6.create({
c0: Fp2.mul(c0.c0, o0),
c1: Fp2.mul(c0.c1, o0),
c2: Fp2.mul(c0.c2, o0),
});
const b = Fp6.mul01(c1, o3, o4);
const e = Fp6.mul01(Fp6.add(c0, c1), Fp2.add(o0, o3), o4);
return {
c0: Fp6.add(Fp6.mulByNonresidue(b), a),
c1: Fp6.sub(e, Fp6.add(a, b)),
};
}
// A cyclotomic group is a subgroup of Fp^n defined by
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
// The result of any pairing is in a cyclotomic subgroup
// https://eprint.iacr.org/2009/565.pdf
// https://eprint.iacr.org/2010/354.pdf
_cyclotomicSquare({ c0, c1 }) {
const { Fp6 } = this;
const { Fp2 } = Fp6;
const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
const { first: t3, second: t4 } = Fp2.Fp4Square(c0c0, c1c1);
const { first: t5, second: t6 } = Fp2.Fp4Square(c1c0, c0c2);
const { first: t7, second: t8 } = Fp2.Fp4Square(c0c1, c1c2);
const t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
return {
c0: Fp6.create({
c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0) + T3
c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1) + T5
c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
}), // 2 * (T7 - c0c2) + T7
c1: Fp6.create({
c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
}),
}; // 2 * (T6 + c1c2) + T6
}
// https://eprint.iacr.org/2009/565.pdf
_cyclotomicExp(num, n) {
let z = this.ONE;
for (let i = this.X_LEN - 1; i >= 0; i--) {
z = this._cyclotomicSquare(z);
if (bitGet(n, i))
z = this.mul(z, num);
}
return z;
}
}
export function tower12(opts) {
const Fp = mod.Field(opts.ORDER);
const Fp2 = new _Field2(Fp, opts);
const Fp6 = new _Field6(Fp2);
const Fp12 = new _Field12(Fp6, opts);
return { Fp, Fp2, Fp6, Fp12 };
}
//# sourceMappingURL=tower.js.map

1
node_modules/@noble/curves/esm/abstract/tower.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

78
node_modules/@noble/curves/esm/abstract/utils.d.ts generated vendored Normal file
View File

@@ -0,0 +1,78 @@
/**
* Deprecated module: moved from curves/abstract/utils.js to curves/utils.js
* @module
*/
import * as u from '../utils.ts';
/** @deprecated moved to `@noble/curves/utils.js` */
export type Hex = u.Hex;
/** @deprecated moved to `@noble/curves/utils.js` */
export type PrivKey = u.PrivKey;
/** @deprecated moved to `@noble/curves/utils.js` */
export type CHash = u.CHash;
/** @deprecated moved to `@noble/curves/utils.js` */
export type FHash = u.FHash;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const abytes: typeof u.abytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const anumber: typeof u.anumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bytesToHex: typeof u.bytesToHex;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bytesToUtf8: typeof u.bytesToUtf8;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const concatBytes: typeof u.concatBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const hexToBytes: typeof u.hexToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const isBytes: typeof u.isBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const randomBytes: typeof u.randomBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const utf8ToBytes: typeof u.utf8ToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const abool: typeof u.abool;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const numberToHexUnpadded: typeof u.numberToHexUnpadded;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const hexToNumber: typeof u.hexToNumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bytesToNumberBE: typeof u.bytesToNumberBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bytesToNumberLE: typeof u.bytesToNumberLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const numberToBytesBE: typeof u.numberToBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const numberToBytesLE: typeof u.numberToBytesLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const numberToVarBytesBE: typeof u.numberToVarBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const ensureBytes: typeof u.ensureBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const equalBytes: typeof u.equalBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const copyBytes: typeof u.copyBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const asciiToBytes: typeof u.asciiToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const inRange: typeof u.inRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const aInRange: typeof u.aInRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bitLen: typeof u.bitLen;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bitGet: typeof u.bitGet;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bitSet: typeof u.bitSet;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const bitMask: typeof u.bitMask;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const createHmacDrbg: typeof u.createHmacDrbg;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const notImplemented: typeof u.notImplemented;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const memoized: typeof u.memoized;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const validateObject: typeof u.validateObject;
/** @deprecated moved to `@noble/curves/utils.js` */
export declare const isHash: typeof u.isHash;
//# sourceMappingURL=utils.d.ts.map

1
node_modules/@noble/curves/esm/abstract/utils.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/abstract/utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,CAAC,MAAM,aAAa,CAAC;AAEjC,oDAAoD;AACpD,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACxB,oDAAoD;AACpD,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC;AAChC,oDAAoD;AACpD,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;AAC5B,oDAAoD;AACpD,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;AAE5B,oDAAoD;AACpD,eAAO,MAAM,MAAM,EAAE,OAAO,CAAC,CAAC,MAAiB,CAAC;AAChD,oDAAoD;AACpD,eAAO,MAAM,OAAO,EAAE,OAAO,CAAC,CAAC,OAAmB,CAAC;AACnD,oDAAoD;AACpD,eAAO,MAAM,UAAU,EAAE,OAAO,CAAC,CAAC,UAAyB,CAAC;AAC5D,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAC/D,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAC/D,oDAAoD;AACpD,eAAO,MAAM,UAAU,EAAE,OAAO,CAAC,CAAC,UAAyB,CAAC;AAC5D,oDAAoD;AACpD,eAAO,MAAM,OAAO,EAAE,OAAO,CAAC,CAAC,OAAmB,CAAC;AACnD,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAC/D,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAE/D,oDAAoD;AACpD,eAAO,MAAM,KAAK,EAAE,OAAO,CAAC,CAAC,KAAe,CAAC;AAC7C,oDAAoD;AACpD,eAAO,MAAM,mBAAmB,EAAE,OAAO,CAAC,CAAC,mBAA2C,CAAC;AACvF,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAC/D,oDAAoD;AACpD,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,CAAC,eAAmC,CAAC;AAC3E,oDAAoD;AACpD,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,CAAC,eAAmC,CAAC;AAC3E,oDAAoD;AACpD,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,CAAC,eAAmC,CAAC;AAC3E,oDAAoD;AACpD,eAAO,MAAM,eAAe,EAAE,OAAO,CAAC,CAAC,eAAmC,CAAC;AAC3E,oDAAoD;AACpD,eAAO,MAAM,kBAAkB,EAAE,OAAO,CAAC,CAAC,kBAAyC,CAAC;AACpF,oDAAoD;AACpD,eAAO,MAAM,WAAW,EAAE,OAAO,CAAC,CAAC,WAA2B,CAAC;AAC/D,oDAAoD;AACpD,eAAO,MAAM,UAAU,EAAE,OAAO,CAAC,CAAC,UAAyB,CAAC;AAC5D,oDAAoD;AACpD,eAAO,MAAM,SAAS,EAAE,OAAO,CAAC,CAAC,SAAuB,CAAC;AACzD,oDAAoD;AACpD,eAAO,MAAM,YAAY,EAAE,OAAO,CAAC,CAAC,YAA6B,CAAC;AAClE,oDAAoD;AACpD,eAAO,MAAM,OAAO,EAAE,OAAO,CAAC,CAAC,OAAmB,CAAC;AACnD,oDAAoD;AACpD,eAAO,MAAM,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAqB,CAAC;AACtD,oDAAoD;AACpD,eAAO,MAAM,MAAM,EAAE,OAAO,CAAC,CAAC,MAAiB,CAAC;AAChD,oDAAoD;AACpD,eAAO,MAAM,MAAM,EAAE,OAAO,CAAC,CAAC,MAAiB,CAAC;AAChD,oDAAoD;AACpD,eAAO,MAAM,MAAM,EAAE,OAAO,CAAC,CAAC,MAAiB,CAAC;AAChD,oDAAoD;AACpD,eAAO,MAAM,OAAO,EAAE,OAAO,CAAC,CAAC,OAAmB,CAAC;AACnD,oDAAoD;AACpD,eAAO,MAAM,cAAc,EAAE,OAAO,CAAC,CAAC,cAAiC,CAAC;AACxE,oDAAoD;AACpD,eAAO,MAAM,cAAc,EAAE,OAAO,CAAC,CAAC,cAAiC,CAAC;AACxE,oDAAoD;AACpD,eAAO,MAAM,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAqB,CAAC;AACtD,oDAAoD;AACpD,eAAO,MAAM,cAAc,EAAE,OAAO,CAAC,CAAC,cAAiC,CAAC;AACxE,oDAAoD;AACpD,eAAO,MAAM,MAAM,EAAE,OAAO,CAAC,CAAC,MAAiB,CAAC"}

70
node_modules/@noble/curves/esm/abstract/utils.js generated vendored Normal file
View File

@@ -0,0 +1,70 @@
/**
* Deprecated module: moved from curves/abstract/utils.js to curves/utils.js
* @module
*/
import * as u from "../utils.js";
/** @deprecated moved to `@noble/curves/utils.js` */
export const abytes = u.abytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const anumber = u.anumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToHex = u.bytesToHex;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToUtf8 = u.bytesToUtf8;
/** @deprecated moved to `@noble/curves/utils.js` */
export const concatBytes = u.concatBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const hexToBytes = u.hexToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const isBytes = u.isBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const randomBytes = u.randomBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const utf8ToBytes = u.utf8ToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const abool = u.abool;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToHexUnpadded = u.numberToHexUnpadded;
/** @deprecated moved to `@noble/curves/utils.js` */
export const hexToNumber = u.hexToNumber;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToNumberBE = u.bytesToNumberBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bytesToNumberLE = u.bytesToNumberLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToBytesBE = u.numberToBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToBytesLE = u.numberToBytesLE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const numberToVarBytesBE = u.numberToVarBytesBE;
/** @deprecated moved to `@noble/curves/utils.js` */
export const ensureBytes = u.ensureBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const equalBytes = u.equalBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const copyBytes = u.copyBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const asciiToBytes = u.asciiToBytes;
/** @deprecated moved to `@noble/curves/utils.js` */
export const inRange = u.inRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export const aInRange = u.aInRange;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitLen = u.bitLen;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitGet = u.bitGet;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitSet = u.bitSet;
/** @deprecated moved to `@noble/curves/utils.js` */
export const bitMask = u.bitMask;
/** @deprecated moved to `@noble/curves/utils.js` */
export const createHmacDrbg = u.createHmacDrbg;
/** @deprecated moved to `@noble/curves/utils.js` */
export const notImplemented = u.notImplemented;
/** @deprecated moved to `@noble/curves/utils.js` */
export const memoized = u.memoized;
/** @deprecated moved to `@noble/curves/utils.js` */
export const validateObject = u.validateObject;
/** @deprecated moved to `@noble/curves/utils.js` */
export const isHash = u.isHash;
//# sourceMappingURL=utils.js.map

1
node_modules/@noble/curves/esm/abstract/utils.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/abstract/utils.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,KAAK,CAAC,MAAM,aAAa,CAAC;AAWjC,oDAAoD;AACpD,MAAM,CAAC,MAAM,MAAM,GAAoB,CAAC,CAAC,MAAM,CAAC;AAChD,oDAAoD;AACpD,MAAM,CAAC,MAAM,OAAO,GAAqB,CAAC,CAAC,OAAO,CAAC;AACnD,oDAAoD;AACpD,MAAM,CAAC,MAAM,UAAU,GAAwB,CAAC,CAAC,UAAU,CAAC;AAC5D,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAC/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAC/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,UAAU,GAAwB,CAAC,CAAC,UAAU,CAAC;AAC5D,oDAAoD;AACpD,MAAM,CAAC,MAAM,OAAO,GAAqB,CAAC,CAAC,OAAO,CAAC;AACnD,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAC/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAE/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,KAAK,GAAmB,CAAC,CAAC,KAAK,CAAC;AAC7C,oDAAoD;AACpD,MAAM,CAAC,MAAM,mBAAmB,GAAiC,CAAC,CAAC,mBAAmB,CAAC;AACvF,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAC/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,eAAe,GAA6B,CAAC,CAAC,eAAe,CAAC;AAC3E,oDAAoD;AACpD,MAAM,CAAC,MAAM,eAAe,GAA6B,CAAC,CAAC,eAAe,CAAC;AAC3E,oDAAoD;AACpD,MAAM,CAAC,MAAM,eAAe,GAA6B,CAAC,CAAC,eAAe,CAAC;AAC3E,oDAAoD;AACpD,MAAM,CAAC,MAAM,eAAe,GAA6B,CAAC,CAAC,eAAe,CAAC;AAC3E,oDAAoD;AACpD,MAAM,CAAC,MAAM,kBAAkB,GAAgC,CAAC,CAAC,kBAAkB,CAAC;AACpF,oDAAoD;AACpD,MAAM,CAAC,MAAM,WAAW,GAAyB,CAAC,CAAC,WAAW,CAAC;AAC/D,oDAAoD;AACpD,MAAM,CAAC,MAAM,UAAU,GAAwB,CAAC,CAAC,UAAU,CAAC;AAC5D,oDAAoD;AACpD,MAAM,CAAC,MAAM,SAAS,GAAuB,CAAC,CAAC,SAAS,CAAC;AACzD,oDAAoD;AACpD,MAAM,CAAC,MAAM,YAAY,GAA0B,CAAC,CAAC,YAAY,CAAC;AAClE,oDAAoD;AACpD,MAAM,CAAC,MAAM,OAAO,GAAqB,CAAC,CAAC,OAAO,CAAC;AACnD,oDAAoD;AACpD,MAAM,CAAC,MAAM,QAAQ,GAAsB,CAAC,CAAC,QAAQ,CAAC;AACtD,oDAAoD;AACpD,MAAM,CAAC,MAAM,MAAM,GAAoB,CAAC,CAAC,MAAM,CAAC;AAChD,oDAAoD;AACpD,MAAM,CAAC,MAAM,MAAM,GAAoB,CAAC,CAAC,MAAM,CAAC;AAChD,oDAAoD;AACpD,MAAM,CAAC,MAAM,MAAM,GAAoB,CAAC,CAAC,MAAM,CAAC;AAChD,oDAAoD;AACpD,MAAM,CAAC,MAAM,OAAO,GAAqB,CAAC,CAAC,OAAO,CAAC;AACnD,oDAAoD;AACpD,MAAM,CAAC,MAAM,cAAc,GAA4B,CAAC,CAAC,cAAc,CAAC;AACxE,oDAAoD;AACpD,MAAM,CAAC,MAAM,cAAc,GAA4B,CAAC,CAAC,cAAc,CAAC;AACxE,oDAAoD;AACpD,MAAM,CAAC,MAAM,QAAQ,GAAsB,CAAC,CAAC,QAAQ,CAAC;AACtD,oDAAoD;AACpD,MAAM,CAAC,MAAM,cAAc,GAA4B,CAAC,CAAC,cAAc,CAAC;AACxE,oDAAoD;AACpD,MAAM,CAAC,MAAM,MAAM,GAAoB,CAAC,CAAC,MAAM,CAAC"}

416
node_modules/@noble/curves/esm/abstract/weierstrass.d.ts generated vendored Normal file
View File

@@ -0,0 +1,416 @@
import { type CHash, type Hex, type PrivKey } from '../utils.ts';
import { type AffinePoint, type BasicCurve, type CurveLengths, type CurvePoint, type CurvePointCons } from './curve.ts';
import { type IField, type NLength } from './modular.ts';
export type { AffinePoint };
export type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
type EndoBasis = [[bigint, bigint], [bigint, bigint]];
/**
* When Weierstrass curve has `a=0`, it becomes Koblitz curve.
* Koblitz curves allow using **efficiently-computable GLV endomorphism ψ**.
* Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
* For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
*
* Endomorphism consists of beta, lambda and splitScalar:
*
* 1. GLV endomorphism ψ transforms a point: `P = (x, y) ↦ ψ(P) = (β·x mod p, y)`
* 2. GLV scalar decomposition transforms a scalar: `k ≡ k₁ + k₂·λ (mod n)`
* 3. Then these are combined: `k·P = k₁·P + k₂·ψ(P)`
* 4. Two 128-bit point-by-scalar multiplications + one point addition is faster than
* one 256-bit multiplication.
*
* where
* * beta: β ∈ Fₚ with β³ = 1, β ≠ 1
* * lambda: λ ∈ Fₙ with λ³ = 1, λ ≠ 1
* * splitScalar decomposes k ↦ k₁, k₂, by using reduced basis vectors.
* Gauss lattice reduction calculates them from initial basis vectors `(n, 0), (-λ, 0)`
*
* Check out `test/misc/endomorphism.js` and
* [gist](https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066).
*/
export type EndomorphismOpts = {
beta: bigint;
basises?: EndoBasis;
splitScalar?: (k: bigint) => {
k1neg: boolean;
k1: bigint;
k2neg: boolean;
k2: bigint;
};
};
export type ScalarEndoParts = {
k1neg: boolean;
k1: bigint;
k2neg: boolean;
k2: bigint;
};
/**
* Splits scalar for GLV endomorphism.
*/
export declare function _splitEndoScalar(k: bigint, basis: EndoBasis, n: bigint): ScalarEndoParts;
export type ECDSASigFormat = 'compact' | 'recovered' | 'der';
export type ECDSARecoverOpts = {
prehash?: boolean;
};
export type ECDSAVerifyOpts = {
prehash?: boolean;
lowS?: boolean;
format?: ECDSASigFormat;
};
export type ECDSASignOpts = {
prehash?: boolean;
lowS?: boolean;
format?: ECDSASigFormat;
extraEntropy?: Uint8Array | boolean;
};
/** Instance methods for 3D XYZ projective points. */
export interface WeierstrassPoint<T> extends CurvePoint<T, WeierstrassPoint<T>> {
/** projective X coordinate. Different from affine x. */
readonly X: T;
/** projective Y coordinate. Different from affine y. */
readonly Y: T;
/** projective z coordinate */
readonly Z: T;
/** affine x coordinate. Different from projective X. */
get x(): T;
/** affine y coordinate. Different from projective Y. */
get y(): T;
/** Encodes point using IEEE P1363 (DER) encoding. First byte is 2/3/4. Default = isCompressed. */
toBytes(isCompressed?: boolean): Uint8Array;
toHex(isCompressed?: boolean): string;
/** @deprecated use `.X` */
readonly px: T;
/** @deprecated use `.Y` */
readonly py: T;
/** @deprecated use `.Z` */
readonly pz: T;
/** @deprecated use `toBytes` */
toRawBytes(isCompressed?: boolean): Uint8Array;
/** @deprecated use `multiplyUnsafe` */
multiplyAndAddUnsafe(Q: WeierstrassPoint<T>, a: bigint, b: bigint): WeierstrassPoint<T> | undefined;
/** @deprecated use `p.y % 2n === 0n` */
hasEvenY(): boolean;
/** @deprecated use `p.precompute(windowSize)` */
_setWindowSize(windowSize: number): void;
}
/** Static methods for 3D XYZ projective points. */
export interface WeierstrassPointCons<T> extends CurvePointCons<WeierstrassPoint<T>> {
/** Does NOT validate if the point is valid. Use `.assertValidity()`. */
new (X: T, Y: T, Z: T): WeierstrassPoint<T>;
CURVE(): WeierstrassOpts<T>;
/** @deprecated use `Point.BASE.multiply(Point.Fn.fromBytes(privateKey))` */
fromPrivateKey(privateKey: PrivKey): WeierstrassPoint<T>;
/** @deprecated use `import { normalizeZ } from '@noble/curves/abstract/curve.js';` */
normalizeZ(points: WeierstrassPoint<T>[]): WeierstrassPoint<T>[];
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
msm(points: WeierstrassPoint<T>[], scalars: bigint[]): WeierstrassPoint<T>;
}
/**
* Weierstrass curve options.
*
* * p: prime characteristic (order) of finite field, in which arithmetics is done
* * n: order of prime subgroup a.k.a total amount of valid curve points
* * h: cofactor, usually 1. h*n is group order; n is subgroup order
* * a: formula param, must be in field of p
* * b: formula param, must be in field of p
* * Gx: x coordinate of generator point a.k.a. base point
* * Gy: y coordinate of generator point
*/
export type WeierstrassOpts<T> = Readonly<{
p: bigint;
n: bigint;
h: bigint;
a: T;
b: T;
Gx: T;
Gy: T;
}>;
export type WeierstrassExtraOpts<T> = Partial<{
Fp: IField<T>;
Fn: IField<bigint>;
allowInfinityPoint: boolean;
endo: EndomorphismOpts;
isTorsionFree: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
clearCofactor: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
fromBytes: (bytes: Uint8Array) => AffinePoint<T>;
toBytes: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>, isCompressed: boolean) => Uint8Array;
}>;
/**
* Options for ECDSA signatures over a Weierstrass curve.
*
* * lowS: (default: true) whether produced / verified signatures occupy low half of ecdsaOpts.p. Prevents malleability.
* * hmac: (default: noble-hashes hmac) function, would be used to init hmac-drbg for k generation.
* * randomBytes: (default: webcrypto os-level CSPRNG) custom method for fetching secure randomness.
* * bits2int, bits2int_modN: used in sigs, sometimes overridden by curves
*/
export type ECDSAOpts = Partial<{
lowS: boolean;
hmac: HmacFnSync;
randomBytes: (bytesLength?: number) => Uint8Array;
bits2int: (bytes: Uint8Array) => bigint;
bits2int_modN: (bytes: Uint8Array) => bigint;
}>;
/**
* Elliptic Curve Diffie-Hellman interface.
* Provides keygen, secret-to-public conversion, calculating shared secrets.
*/
export interface ECDH {
keygen: (seed?: Uint8Array) => {
secretKey: Uint8Array;
publicKey: Uint8Array;
};
getPublicKey: (secretKey: PrivKey, isCompressed?: boolean) => Uint8Array;
getSharedSecret: (secretKeyA: PrivKey, publicKeyB: Hex, isCompressed?: boolean) => Uint8Array;
Point: WeierstrassPointCons<bigint>;
utils: {
isValidSecretKey: (secretKey: PrivKey) => boolean;
isValidPublicKey: (publicKey: Uint8Array, isCompressed?: boolean) => boolean;
randomSecretKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `randomSecretKey` */
randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `isValidSecretKey` */
isValidPrivateKey: (secretKey: PrivKey) => boolean;
/** @deprecated use `Point.Fn.fromBytes()` */
normPrivateKeyToScalar: (key: PrivKey) => bigint;
/** @deprecated use `point.precompute()` */
precompute: (windowSize?: number, point?: WeierstrassPoint<bigint>) => WeierstrassPoint<bigint>;
};
lengths: CurveLengths;
}
/**
* ECDSA interface.
* Only supported for prime fields, not Fp2 (extension fields).
*/
export interface ECDSA extends ECDH {
sign: (message: Hex, secretKey: PrivKey, opts?: ECDSASignOpts) => ECDSASigRecovered;
verify: (signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array, opts?: ECDSAVerifyOpts) => boolean;
recoverPublicKey(signature: Uint8Array, message: Uint8Array, opts?: ECDSARecoverOpts): Uint8Array;
Signature: ECDSASignatureCons;
}
export declare class DERErr extends Error {
constructor(m?: string);
}
export type IDER = {
Err: typeof DERErr;
_tlv: {
encode: (tag: number, data: string) => string;
decode(tag: number, data: Uint8Array): {
v: Uint8Array;
l: Uint8Array;
};
};
_int: {
encode(num: bigint): string;
decode(data: Uint8Array): bigint;
};
toSig(hex: string | Uint8Array): {
r: bigint;
s: bigint;
};
hexFromSig(sig: {
r: bigint;
s: bigint;
}): string;
};
/**
* ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
*
* [0x30 (SEQUENCE), bytelength, 0x02 (INTEGER), intLength, R, 0x02 (INTEGER), intLength, S]
*
* Docs: https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/, https://luca.ntop.org/Teaching/Appunti/asn1.html
*/
export declare const DER: IDER;
export declare function _normFnElement(Fn: IField<bigint>, key: PrivKey): bigint;
/**
* Creates weierstrass Point constructor, based on specified curve options.
*
* @example
```js
const opts = {
p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
h: BigInt(1),
a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
};
const p256_Point = weierstrass(opts);
```
*/
export declare function weierstrassN<T>(params: WeierstrassOpts<T>, extraOpts?: WeierstrassExtraOpts<T>): WeierstrassPointCons<T>;
/** Methods of ECDSA signature instance. */
export interface ECDSASignature {
readonly r: bigint;
readonly s: bigint;
readonly recovery?: number;
addRecoveryBit(recovery: number): ECDSASigRecovered;
hasHighS(): boolean;
toBytes(format?: string): Uint8Array;
toHex(format?: string): string;
/** @deprecated */
assertValidity(): void;
/** @deprecated */
normalizeS(): ECDSASignature;
/** @deprecated use standalone method `curve.recoverPublicKey(sig.toBytes('recovered'), msg)` */
recoverPublicKey(msgHash: Hex): WeierstrassPoint<bigint>;
/** @deprecated use `.toBytes('compact')` */
toCompactRawBytes(): Uint8Array;
/** @deprecated use `.toBytes('compact')` */
toCompactHex(): string;
/** @deprecated use `.toBytes('der')` */
toDERRawBytes(): Uint8Array;
/** @deprecated use `.toBytes('der')` */
toDERHex(): string;
}
export type ECDSASigRecovered = ECDSASignature & {
readonly recovery: number;
};
/** Methods of ECDSA signature constructor. */
export type ECDSASignatureCons = {
new (r: bigint, s: bigint, recovery?: number): ECDSASignature;
fromBytes(bytes: Uint8Array, format?: ECDSASigFormat): ECDSASignature;
fromHex(hex: string, format?: ECDSASigFormat): ECDSASignature;
/** @deprecated use `.fromBytes(bytes, 'compact')` */
fromCompact(hex: Hex): ECDSASignature;
/** @deprecated use `.fromBytes(bytes, 'der')` */
fromDER(hex: Hex): ECDSASignature;
};
/**
* Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
* TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
* b = True and y = sqrt(u / v) if (u / v) is square in F, and
* b = False and y = sqrt(Z * (u / v)) otherwise.
* @param Fp
* @param Z
* @returns
*/
export declare function SWUFpSqrtRatio<T>(Fp: IField<T>, Z: T): (u: T, v: T) => {
isValid: boolean;
value: T;
};
/**
* Simplified Shallue-van de Woestijne-Ulas Method
* https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
*/
export declare function mapToCurveSimpleSWU<T>(Fp: IField<T>, opts: {
A: T;
B: T;
Z: T;
}): (u: T) => {
x: T;
y: T;
};
/**
* Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
* This helper ensures no signature functionality is present. Less code, smaller bundle size.
*/
export declare function ecdh(Point: WeierstrassPointCons<bigint>, ecdhOpts?: {
randomBytes?: (bytesLength?: number) => Uint8Array;
}): ECDH;
/**
* Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
* We need `hash` for 2 features:
* 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
* 2. k generation in `sign`, using HMAC-drbg(hash)
*
* ECDSAOpts are only rarely needed.
*
* @example
* ```js
* const p256_Point = weierstrass(...);
* const p256_sha256 = ecdsa(p256_Point, sha256);
* const p256_sha224 = ecdsa(p256_Point, sha224);
* const p256_sha224_r = ecdsa(p256_Point, sha224, { randomBytes: (length) => { ... } });
* ```
*/
export declare function ecdsa(Point: WeierstrassPointCons<bigint>, hash: CHash, ecdsaOpts?: ECDSAOpts): ECDSA;
/** @deprecated use ECDSASignature */
export type SignatureType = ECDSASignature;
/** @deprecated use ECDSASigRecovered */
export type RecoveredSignatureType = ECDSASigRecovered;
/** @deprecated switch to Uint8Array signatures in format 'compact' */
export type SignatureLike = {
r: bigint;
s: bigint;
};
export type ECDSAExtraEntropy = Hex | boolean;
/** @deprecated use `ECDSAExtraEntropy` */
export type Entropy = Hex | boolean;
export type BasicWCurve<T> = BasicCurve<T> & {
a: T;
b: T;
allowedPrivateKeyLengths?: readonly number[];
wrapPrivateKey?: boolean;
endo?: EndomorphismOpts;
isTorsionFree?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
clearCofactor?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
};
/** @deprecated use ECDSASignOpts */
export type SignOpts = ECDSASignOpts;
/** @deprecated use ECDSASignOpts */
export type VerOpts = ECDSAVerifyOpts;
/** @deprecated use WeierstrassPoint */
export type ProjPointType<T> = WeierstrassPoint<T>;
/** @deprecated use WeierstrassPointCons */
export type ProjConstructor<T> = WeierstrassPointCons<T>;
/** @deprecated use ECDSASignatureCons */
export type SignatureConstructor = ECDSASignatureCons;
export type CurvePointsType<T> = BasicWCurve<T> & {
fromBytes?: (bytes: Uint8Array) => AffinePoint<T>;
toBytes?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>, isCompressed: boolean) => Uint8Array;
};
export type CurvePointsTypeWithLength<T> = Readonly<CurvePointsType<T> & Partial<NLength>>;
export type CurvePointsRes<T> = {
Point: WeierstrassPointCons<T>;
/** @deprecated use `Point.CURVE()` */
CURVE: CurvePointsType<T>;
/** @deprecated use `Point` */
ProjectivePoint: WeierstrassPointCons<T>;
/** @deprecated use `Point.Fn.fromBytes(privateKey)` */
normPrivateKeyToScalar: (key: PrivKey) => bigint;
/** @deprecated */
weierstrassEquation: (x: T) => T;
/** @deprecated use `Point.Fn.isValidNot0(num)` */
isWithinCurveOrder: (num: bigint) => boolean;
};
/** @deprecated use `Uint8Array` */
export type PubKey = Hex | WeierstrassPoint<bigint>;
export type CurveType = BasicWCurve<bigint> & {
hash: CHash;
hmac?: HmacFnSync;
randomBytes?: (bytesLength?: number) => Uint8Array;
lowS?: boolean;
bits2int?: (bytes: Uint8Array) => bigint;
bits2int_modN?: (bytes: Uint8Array) => bigint;
};
export type CurveFn = {
/** @deprecated use `Point.CURVE()` */
CURVE: CurvePointsType<bigint>;
keygen: ECDSA['keygen'];
getPublicKey: ECDSA['getPublicKey'];
getSharedSecret: ECDSA['getSharedSecret'];
sign: ECDSA['sign'];
verify: ECDSA['verify'];
Point: WeierstrassPointCons<bigint>;
/** @deprecated use `Point` */
ProjectivePoint: WeierstrassPointCons<bigint>;
Signature: ECDSASignatureCons;
utils: ECDSA['utils'];
lengths: ECDSA['lengths'];
};
/** @deprecated use `weierstrass` in newer releases */
export declare function weierstrassPoints<T>(c: CurvePointsTypeWithLength<T>): CurvePointsRes<T>;
export type WsPointComposed<T> = {
CURVE: WeierstrassOpts<T>;
curveOpts: WeierstrassExtraOpts<T>;
};
export type WsComposed = {
/** @deprecated use `Point.CURVE()` */
CURVE: WeierstrassOpts<bigint>;
hash: CHash;
curveOpts: WeierstrassExtraOpts<bigint>;
ecdsaOpts: ECDSAOpts;
};
export declare function _legacyHelperEquat<T>(Fp: IField<T>, a: T, b: T): (x: T) => T;
export declare function weierstrass(c: CurveType): CurveFn;
//# sourceMappingURL=weierstrass.d.ts.map

1
node_modules/@noble/curves/esm/abstract/weierstrass.d.ts.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

1413
node_modules/@noble/curves/esm/abstract/weierstrass.js generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

1
node_modules/@noble/curves/esm/abstract/weierstrass.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

16
node_modules/@noble/curves/esm/bls12-381.d.ts generated vendored Normal file
View File

@@ -0,0 +1,16 @@
import { type CurveFn } from './abstract/bls.ts';
import { type IField } from './abstract/modular.ts';
export declare const bls12_381_Fr: IField<bigint>;
/**
* bls12-381 pairing-friendly curve.
* @example
* import { bls12_381 as bls } from '@noble/curves/bls12-381';
* // G1 keys, G2 signatures
* const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
* const message = '64726e3da8';
* const publicKey = bls.getPublicKey(privateKey);
* const signature = bls.sign(message, privateKey);
* const isValid = bls.verify(signature, message, publicKey);
*/
export declare const bls12_381: CurveFn;
//# sourceMappingURL=bls12-381.d.ts.map

1
node_modules/@noble/curves/esm/bls12-381.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"bls12-381.d.ts","sourceRoot":"","sources":["../src/bls12-381.ts"],"names":[],"mappings":"AAgFA,OAAO,EAAO,KAAK,OAAO,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAmE3D,eAAO,MAAM,YAAY,EAAE,MAAM,CAAC,MAAM,CAGtC,CAAC;AAuTH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,SAAS,EAAE,OA8HtB,CAAC"}

705
node_modules/@noble/curves/esm/bls12-381.js generated vendored Normal file
View File

@@ -0,0 +1,705 @@
/**
* bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
* Construct zk-SNARKs at the ~120-bit security, as per [Barbulescu-Duquesne 2017](https://hal.science/hal-01534101/file/main.pdf)
* Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
BLS can mean 2 different things:
* Barreto-Lynn-Scott: BLS12, a Pairing Friendly Elliptic Curve
* Boneh-Lynn-Shacham: A Signature Scheme.
### Summary
1. BLS Relies on expensive bilinear pairing
2. Secret Keys: 32 bytes
3. Public Keys: 48 OR 96 bytes - big-endian x coordinate of point on G1 OR G2 curve
4. Signatures: 96 OR 48 bytes - big-endian x coordinate of point on G2 OR G1 curve
5. The 12 stands for the Embedding degree.
Modes of operation:
* Long signatures: 48-byte keys + 96-byte sigs (G1 keys + G2 sigs).
* Short signatures: 96-byte keys + 48-byte sigs (G2 keys + G1 sigs).
### Formulas
- `P = pk x G` - public keys
- `S = pk x H(m)` - signing, uses hash-to-curve on m
- `e(P, H(m)) == e(G, S)` - verification using pairings
- `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
### Curves
G1 is ordinary elliptic curve. G2 is extension field curve, think "over complex numbers".
- G1: y² = x³ + 4
- G2: y² = x³ + 4(u + 1) where u = √1; r-order subgroup of E'(Fp²), M-type twist
### Towers
Pairing G1 + G2 produces element in Fp₁₂, 12-degree polynomial.
Fp₁₂ is usually implemented using tower of lower-degree polynomials for speed.
- Fp₁₂ = Fp₆² => Fp₂³
- Fp(u) / (u² - β) where β = -1
- Fp₂(v) / (v³ - ξ) where ξ = u + 1
- Fp₆(w) / (w² - γ) where γ = v
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-1-u
- Fp¹²[w] = Fp⁶/w²-v
### Params
* Embedding degree (k): 12
* Seed is sometimes named x or t
* t = -15132376222941642752
* p = (t-1)² * (t⁴-t²+1)/3 + t
* r = t⁴-t²+1
* Ate loop size: X
To verify curve parameters, see
[pairing-friendly-curves spec](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11).
Basic math is done over finite fields over p.
More complicated math is done over polynominal extension fields.
### Compatibility and notes
1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC.
Filecoin uses little endian byte arrays for secret keys - make sure to reverse byte order.
2. Make sure to correctly select mode: "long signature" or "short signature".
3. Compatible with specs:
RFC 9380,
[cfrg-pairing-friendly-curves-11](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11),
[cfrg-bls-signature-05](https://datatracker.ietf.org/doc/draft-irtf-cfrg-bls-signature/).
*
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { bls } from "./abstract/bls.js";
import { Field } from "./abstract/modular.js";
import { abytes, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, ensureBytes, numberToBytesBE, } from "./utils.js";
// Types
import { isogenyMap } from "./abstract/hash-to-curve.js";
import { psiFrobenius, tower12 } from "./abstract/tower.js";
import { mapToCurveSimpleSWU, } from "./abstract/weierstrass.js";
// Be friendly to bad ECMAScript parsers by not using bigint literals
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
// To verify math:
// https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11
// The BLS parameter x (seed) for BLS12-381. NOTE: it is negative!
// x = -2^63 - 2^62 - 2^60 - 2^57 - 2^48 - 2^16
const BLS_X = BigInt('0xd201000000010000');
// t = x (called differently in different places)
// const t = -BLS_X;
const BLS_X_LEN = bitLen(BLS_X);
// a=0, b=4
// P is characteristic of field Fp, in which curve calculations are done.
// p = (t-1)² * (t⁴-t²+1)/3 + t
// bls12_381_Fp = (t-1n)**2n * (t**4n - t**2n + 1n) / 3n + t
// r*h is curve order, amount of points on curve,
// where r is order of prime subgroup and h is cofactor.
// r = t⁴-t²+1
// r = (t**4n - t**2n + 1n)
// cofactor h of G1: (t - 1)²/3
// cofactorG1 = (t-1n)**2n/3n
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
const bls12_381_CURVE_G1 = {
p: BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'),
n: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
h: BigInt('0x396c8c005555e1568c00aaab0000aaab'),
a: _0n,
b: _4n,
Gx: BigInt('0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb'),
Gy: BigInt('0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'),
};
// CURVE FIELDS
export const bls12_381_Fr = Field(bls12_381_CURVE_G1.n, {
modFromBytes: true,
isLE: true,
});
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bls12_381_CURVE_G1.p,
X_LEN: BLS_X_LEN,
// Finite extension field over irreducible polynominal.
// Fp(u) / (u² - β) where β = -1
FP2_NONRESIDUE: [_1n, _1n],
Fp2mulByB: ({ c0, c1 }) => {
const t0 = Fp.mul(c0, _4n); // 4 * c0
const t1 = Fp.mul(c1, _4n); // 4 * c1
// (T0-T1) + (T0+T1)*i
return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
},
Fp12finalExponentiate: (num) => {
const x = BLS_X;
// this^(q⁶) / this
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
// t0^(q²) * t0
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
const t6 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicExp(t5, x)), Fp12._cyclotomicSquare(t2));
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
const t6_t1c_pow_q1 = Fp12.frobeniusMap(Fp12.mul(t6, Fp12.conjugate(t1)), 1);
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
// (t2 * t5)^(q²) * (t4 * t1)^(q³) * (t6 * t1.conj)^(q^1) * t7 * t3.conj * t1
return Fp12.mul(Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1), t7_t3c_t1);
},
});
// GLV endomorphism Ψ(P), for fast cofactor clearing
const { G2psi, G2psi2 } = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)); // 1/(u+1)
/**
* Default hash_to_field / hash-to-curve for BLS.
* m: 1 for G1, 2 for G2
* k: target security level in bits
* hash: any function, e.g. BBS+ uses BLAKE2: see [github](https://github.com/hyperledger/aries-framework-go/issues/2247).
* Parameter values come from [section 8.8.2 of RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2).
*/
const htfDefaults = Object.freeze({
DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
// a=0, b=4
// cofactor h of G2
// (t^8 - 4t^7 + 5t^6 - 4t^4 + 6t^3 - 4t^2 - 4t + 13)/9
// cofactorG2 = (t**8n - 4n*t**7n + 5n*t**6n - 4n*t**4n + 6n*t**3n - 4n*t**2n - 4n*t+13n)/9n
// x = 3059144344244213709971259814753781636986470325476647558659373206291635324768958432433509563104347017837885763365758*u + 352701069587466618187139116011060144890029952792775240219908644239793785735715026873347600343865175952761926303160
// y = 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582*u + 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
const bls12_381_CURVE_G2 = {
p: Fp2.ORDER,
n: bls12_381_CURVE_G1.n,
h: BigInt('0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5'),
a: Fp2.ZERO,
b: Fp2.fromBigTuple([_4n, _4n]),
Gx: Fp2.fromBigTuple([
BigInt('0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8'),
BigInt('0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e'),
]),
Gy: Fp2.fromBigTuple([
BigInt('0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801'),
BigInt('0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be'),
]),
};
// Encoding utils
// Compressed point of infinity
// Set compressed & point-at-infinity bits
const COMPZERO = setMask(Fp.toBytes(_0n), { infinity: true, compressed: true });
function parseMask(bytes) {
// Copy, so we can remove mask data. It will be removed also later, when Fp.create will call modulo.
bytes = bytes.slice();
const mask = bytes[0] & 224;
const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
bytes[0] &= 31; // clear mask (zero first 3 bits)
return { compressed, infinity, sort, value: bytes };
}
function setMask(bytes, mask) {
if (bytes[0] & 224)
throw new Error('setMask: non-empty mask');
if (mask.compressed)
bytes[0] |= 128;
if (mask.infinity)
bytes[0] |= 64;
if (mask.sort)
bytes[0] |= 32;
return bytes;
}
function pointG1ToBytes(_c, point, isComp) {
const { BYTES: L, ORDER: P } = Fp;
const is0 = point.is0();
const { x, y } = point.toAffine();
if (isComp) {
if (is0)
return COMPZERO.slice();
const sort = Boolean((y * _2n) / P);
return setMask(numberToBytesBE(x, L), { compressed: true, sort });
}
else {
if (is0) {
return concatBytes(Uint8Array.of(0x40), new Uint8Array(2 * L - 1));
}
else {
return concatBytes(numberToBytesBE(x, L), numberToBytesBE(y, L));
}
}
}
function signatureG1ToBytes(point) {
point.assertValidity();
const { BYTES: L, ORDER: P } = Fp;
const { x, y } = point.toAffine();
if (point.is0())
return COMPZERO.slice();
const sort = Boolean((y * _2n) / P);
return setMask(numberToBytesBE(x, L), { compressed: true, sort });
}
function pointG1FromBytes(bytes) {
const { compressed, infinity, sort, value } = parseMask(bytes);
const { BYTES: L, ORDER: P } = Fp;
if (value.length === 48 && compressed) {
const compressedValue = bytesToNumberBE(value);
// Zero
const x = Fp.create(compressedValue & bitMask(Fp.BITS));
if (infinity) {
if (x !== _0n)
throw new Error('invalid G1 point: non-empty, at infinity, with compression');
return { x: _0n, y: _0n };
}
const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381_CURVE_G1.b)); // y² = x³ + b
let y = Fp.sqrt(right);
if (!y)
throw new Error('invalid G1 point: compressed point');
if ((y * _2n) / P !== BigInt(sort))
y = Fp.neg(y);
return { x: Fp.create(x), y: Fp.create(y) };
}
else if (value.length === 96 && !compressed) {
// Check if the infinity flag is set
const x = bytesToNumberBE(value.subarray(0, L));
const y = bytesToNumberBE(value.subarray(L));
if (infinity) {
if (x !== _0n || y !== _0n)
throw new Error('G1: non-empty point at infinity');
return bls12_381.G1.Point.ZERO.toAffine();
}
return { x: Fp.create(x), y: Fp.create(y) };
}
else {
throw new Error('invalid G1 point: expected 48/96 bytes');
}
}
function signatureG1FromBytes(hex) {
const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex, 48));
const P = Fp.ORDER;
const Point = bls12_381.G1.Point;
const compressedValue = bytesToNumberBE(value);
// Zero
if (infinity)
return Point.ZERO;
const x = Fp.create(compressedValue & bitMask(Fp.BITS));
const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381_CURVE_G1.b)); // y² = x³ + b
let y = Fp.sqrt(right);
if (!y)
throw new Error('invalid G1 point: compressed');
const aflag = BigInt(sort);
if ((y * _2n) / P !== aflag)
y = Fp.neg(y);
const point = Point.fromAffine({ x, y });
point.assertValidity();
return point;
}
function pointG2ToBytes(_c, point, isComp) {
const { BYTES: L, ORDER: P } = Fp;
const is0 = point.is0();
const { x, y } = point.toAffine();
if (isComp) {
if (is0)
return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
return concatBytes(setMask(numberToBytesBE(x.c1, L), { compressed: true, sort: flag }), numberToBytesBE(x.c0, L));
}
else {
if (is0)
return concatBytes(Uint8Array.of(0x40), new Uint8Array(4 * L - 1));
const { re: x0, im: x1 } = Fp2.reim(x);
const { re: y0, im: y1 } = Fp2.reim(y);
return concatBytes(numberToBytesBE(x1, L), numberToBytesBE(x0, L), numberToBytesBE(y1, L), numberToBytesBE(y0, L));
}
}
function signatureG2ToBytes(point) {
point.assertValidity();
const { BYTES: L } = Fp;
if (point.is0())
return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
const { x, y } = point.toAffine();
const { re: x0, im: x1 } = Fp2.reim(x);
const { re: y0, im: y1 } = Fp2.reim(y);
const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
const sort = Boolean((tmp / Fp.ORDER) & _1n);
const z2 = x0;
return concatBytes(setMask(numberToBytesBE(x1, L), { sort, compressed: true }), numberToBytesBE(z2, L));
}
function pointG2FromBytes(bytes) {
const { BYTES: L, ORDER: P } = Fp;
const { compressed, infinity, sort, value } = parseMask(bytes);
if ((!compressed && !infinity && sort) || // 00100000
(!compressed && infinity && sort) || // 01100000
(sort && infinity && compressed) // 11100000
) {
throw new Error('invalid encoding flag: ' + (bytes[0] & 224));
}
const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
if (value.length === 96 && compressed) {
if (infinity) {
// check that all bytes are 0
if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
throw new Error('invalid G2 point: compressed');
}
return { x: Fp2.ZERO, y: Fp2.ZERO };
}
const x_1 = slc(value, 0, L);
const x_0 = slc(value, L, 2 * L);
const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
const right = Fp2.add(Fp2.pow(x, _3n), bls12_381_CURVE_G2.b); // y² = x³ + 4 * (u+1) = x³ + b
let y = Fp2.sqrt(right);
const Y_bit = y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P ? _1n : _0n;
y = sort && Y_bit > 0 ? y : Fp2.neg(y);
return { x, y };
}
else if (value.length === 192 && !compressed) {
if (infinity) {
if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
throw new Error('invalid G2 point: uncompressed');
}
return { x: Fp2.ZERO, y: Fp2.ZERO };
}
const x1 = slc(value, 0 * L, 1 * L);
const x0 = slc(value, 1 * L, 2 * L);
const y1 = slc(value, 2 * L, 3 * L);
const y0 = slc(value, 3 * L, 4 * L);
return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
}
else {
throw new Error('invalid G2 point: expected 96/192 bytes');
}
}
function signatureG2FromBytes(hex) {
const { ORDER: P } = Fp;
// TODO: Optimize, it's very slow because of sqrt.
const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex));
const Point = bls12_381.G2.Point;
const half = value.length / 2;
if (half !== 48 && half !== 96)
throw new Error('invalid compressed signature length, expected 96/192 bytes');
const z1 = bytesToNumberBE(value.slice(0, half));
const z2 = bytesToNumberBE(value.slice(half));
// Indicates the infinity point
if (infinity)
return Point.ZERO;
const x1 = Fp.create(z1 & bitMask(Fp.BITS));
const x2 = Fp.create(z2);
const x = Fp2.create({ c0: x2, c1: x1 });
const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381_CURVE_G2.b); // y² = x³ + 4
// The slow part
let y = Fp2.sqrt(y2);
if (!y)
throw new Error('Failed to find a square root');
// Choose the y whose leftmost bit of the imaginary part is equal to the a_flag1
// If y1 happens to be zero, then use the bit of y0
const { re: y0, im: y1 } = Fp2.reim(y);
const aflag1 = BigInt(sort);
const isGreater = y1 > _0n && (y1 * _2n) / P !== aflag1;
const is0 = y1 === _0n && (y0 * _2n) / P !== aflag1;
if (isGreater || is0)
y = Fp2.neg(y);
const point = Point.fromAffine({ x, y });
point.assertValidity();
return point;
}
/**
* bls12-381 pairing-friendly curve.
* @example
* import { bls12_381 as bls } from '@noble/curves/bls12-381';
* // G1 keys, G2 signatures
* const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
* const message = '64726e3da8';
* const publicKey = bls.getPublicKey(privateKey);
* const signature = bls.sign(message, privateKey);
* const isValid = bls.verify(signature, message, publicKey);
*/
export const bls12_381 = bls({
// Fields
fields: {
Fp,
Fp2,
Fp6,
Fp12,
Fr: bls12_381_Fr,
},
// G1: y² = x³ + 4
G1: {
...bls12_381_CURVE_G1,
Fp,
htfDefaults: { ...htfDefaults, m: 1, DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_' },
wrapPrivateKey: true,
allowInfinityPoint: true,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, point) => {
// GLV endomorphism ψ(P)
const beta = BigInt('0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe');
const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
// TODO: unroll
const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
return u2P.equals(phi);
},
// Clear cofactor of G1
// https://eprint.iacr.org/2019/403
clearCofactor: (_c, point) => {
// return this.multiplyUnsafe(CURVE.h);
return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
},
mapToCurve: mapToG1,
fromBytes: pointG1FromBytes,
toBytes: pointG1ToBytes,
ShortSignature: {
fromBytes(bytes) {
abytes(bytes);
return signatureG1FromBytes(bytes);
},
fromHex(hex) {
return signatureG1FromBytes(hex);
},
toBytes(point) {
return signatureG1ToBytes(point);
},
toRawBytes(point) {
return signatureG1ToBytes(point);
},
toHex(point) {
return bytesToHex(signatureG1ToBytes(point));
},
},
},
G2: {
...bls12_381_CURVE_G2,
Fp: Fp2,
// https://datatracker.ietf.org/doc/html/rfc9380#name-clearing-the-cofactor
// https://datatracker.ietf.org/doc/html/rfc9380#name-cofactor-clearing-for-bls12
hEff: BigInt('0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'),
htfDefaults: { ...htfDefaults },
wrapPrivateKey: true,
allowInfinityPoint: true,
mapToCurve: mapToG2,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
// Older version: https://eprint.iacr.org/2019/814.pdf
isTorsionFree: (c, P) => {
return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
},
// Maps the point into the prime-order subgroup G2.
// clear_cofactor_bls12381_g2 from RFC 9380.
// https://eprint.iacr.org/2017/419.pdf
// prettier-ignore
clearCofactor: (c, P) => {
const x = BLS_X;
let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
let t2 = G2psi(c, P); // Ψ(P)
let t3 = P.double(); // 2P
t3 = G2psi2(c, t3); // Ψ²(2P)
t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
t2 = t1.add(t2); // [-x]P + Ψ(P)
t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
},
fromBytes: pointG2FromBytes,
toBytes: pointG2ToBytes,
Signature: {
fromBytes(bytes) {
abytes(bytes);
return signatureG2FromBytes(bytes);
},
fromHex(hex) {
return signatureG2FromBytes(hex);
},
toBytes(point) {
return signatureG2ToBytes(point);
},
toRawBytes(point) {
return signatureG2ToBytes(point);
},
toHex(point) {
return bytesToHex(signatureG2ToBytes(point));
},
},
},
params: {
ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
r: bls12_381_CURVE_G1.n, // order; z⁴ z² + 1; CURVE.n from other curves
xNegative: true,
twistType: 'multiplicative',
},
htfDefaults,
hash: sha256,
});
// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
const isogenyMapG2 = isogenyMap(Fp2, [
// xNum
[
[
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6',
],
[
'0x0',
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d',
],
[
'0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1',
'0x0',
],
],
// xDen
[
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63',
],
[
'0xc',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f',
],
['0x1', '0x0'], // LAST 1
],
// yNum
[
[
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
'0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706',
],
[
'0x0',
'0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be',
],
[
'0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c',
'0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f',
],
[
'0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10',
'0x0',
],
],
// yDen
[
[
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb',
],
[
'0x0',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3',
],
[
'0x12',
'0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99',
],
['0x1', '0x0'], // LAST 1
],
].map((i) => i.map((pair) => Fp2.fromBigTuple(pair.map(BigInt)))));
// 11-isogeny map from E' to E
const isogenyMapG1 = isogenyMap(Fp, [
// xNum
[
'0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7',
'0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb',
'0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0',
'0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861',
'0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9',
'0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983',
'0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84',
'0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e',
'0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317',
'0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e',
'0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b',
'0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229',
],
// xDen
[
'0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c',
'0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff',
'0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19',
'0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8',
'0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e',
'0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5',
'0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a',
'0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e',
'0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641',
'0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33',
'0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696',
'0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6',
'0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb',
'0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb',
'0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0',
'0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2',
'0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29',
'0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587',
'0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30',
'0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132',
'0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e',
'0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8',
'0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133',
'0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b',
'0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604',
],
// yDen
[
'0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1',
'0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d',
'0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2',
'0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416',
'0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d',
'0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac',
'0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c',
'0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9',
'0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a',
'0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55',
'0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8',
'0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092',
'0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc',
'0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7',
'0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f',
'0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j))));
// Optimized SWU Map - Fp to G1
const G1_SWU = mapToCurveSimpleSWU(Fp, {
A: Fp.create(BigInt('0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d')),
B: Fp.create(BigInt('0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0')),
Z: Fp.create(BigInt(11)),
});
// SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i
const G2_SWU = mapToCurveSimpleSWU(Fp2, {
A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
});
function mapToG1(scalars) {
const { x, y } = G1_SWU(Fp.create(scalars[0]));
return isogenyMapG1(x, y);
}
function mapToG2(scalars) {
const { x, y } = G2_SWU(Fp2.fromBigTuple(scalars));
return isogenyMapG2(x, y);
}
//# sourceMappingURL=bls12-381.js.map

1
node_modules/@noble/curves/esm/bls12-381.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

18
node_modules/@noble/curves/esm/bn254.d.ts generated vendored Normal file
View File

@@ -0,0 +1,18 @@
import { type CurveFn as BLSCurveFn, type PostPrecomputeFn } from './abstract/bls.ts';
import { type IField } from './abstract/modular.ts';
import { type CurveFn } from './abstract/weierstrass.ts';
export declare const bn254_Fr: IField<bigint>;
export declare const _postPrecompute: PostPrecomputeFn;
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings.
*/
export declare const bn254: BLSCurveFn;
/**
* bn254 weierstrass curve with ECDSA.
* This is very rare and probably not used anywhere.
* Instead, you should use G1 / G2, defined above.
* @deprecated
*/
export declare const bn254_weierstrass: CurveFn;
//# sourceMappingURL=bn254.d.ts.map

1
node_modules/@noble/curves/esm/bn254.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"bn254.d.ts","sourceRoot":"","sources":["../src/bn254.ts"],"names":[],"mappings":"AAyDA,OAAO,EAEL,KAAK,OAAO,IAAI,UAAU,EAC1B,KAAK,gBAAgB,EAEtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAG3D,OAAO,EAAE,KAAK,OAAO,EAAqC,MAAM,2BAA2B,CAAC;AAsB5F,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,MAAM,CAA2B,CAAC;AAsDhE,eAAO,MAAM,eAAe,EAAE,gBAY7B,CAAC;AAmBF;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,UAgDlB,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,EAAE,OAS9B,CAAC"}

214
node_modules/@noble/curves/esm/bn254.js generated vendored Normal file
View File

@@ -0,0 +1,214 @@
/**
* bn254, previously known as alt_bn_128, when it had 128-bit security.
Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
so the naming has been adjusted to its prime bit count:
https://hal.science/hal-01534101/file/main.pdf.
Compatible with EIP-196 and EIP-197.
There are huge compatibility issues in the ecosystem:
1. Different libraries call it in different ways: "bn254", "bn256", "alt_bn128", "bn128".
2. libff has bn128, but it's a different curve with different G2:
https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
3. halo2curves bn256 is also incompatible and returns different outputs
We don't implement Point methods toHex / toBytes.
To work around this limitation, has to initialize points on their own from BigInts.
Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
Points of divergence:
- Endianness: LE vs BE (byte-swapped)
- Flags as first hex bits (similar to BLS) vs no-flags
- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
The goal of our implementation is to support "Ethereum" variant of the curve,
because it at least has specs:
- EIP196 (https://eips.ethereum.org/EIPS/eip-196) describes bn254 ECADD and ECMUL opcodes for EVM
- EIP197 (https://eips.ethereum.org/EIPS/eip-197) describes bn254 pairings
- It's hard: EIPs don't have proper tests. EIP-197 returns boolean output instead of Fp12
- The existing implementations are bad. Some are deprecated:
- https://github.com/paritytech/bn (old version)
- https://github.com/ewasm/ethereum-bn128.rs (uses paritytech/bn)
- https://github.com/zcash-hackworks/bn
- https://github.com/arkworks-rs/curves/blob/master/bn254/src/lib.rs
- Python implementations use different towers and produce different Fp12 outputs:
- https://github.com/ethereum/py_pairing
- https://github.com/ethereum/execution-specs/blob/master/src/ethereum/crypto/alt_bn128.py
- Points are encoded differently in different implementations
### Params
Seed (X): 4965661367192848881
Fr: (36x⁴+36x³+18x²+6x+1)
Fp: (36x⁴+36x³+24x²+6x+1)
(E / Fp ): Y² = X³+3
(Et / Fp²): Y² = X³+3/(u+9) (D-type twist)
Ate loop size: 6x+2
### Towers
- Fp²[u] = Fp/u²+1
- Fp⁶[v] = Fp²/v³-9-u
- Fp¹²[w] = Fp⁶/w²-v
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { bls, } from "./abstract/bls.js";
import { Field } from "./abstract/modular.js";
import { psiFrobenius, tower12 } from "./abstract/tower.js";
import { weierstrass } from "./abstract/weierstrass.js";
import { bitLen, notImplemented } from "./utils.js";
// prettier-ignore
const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
const _6n = BigInt(6);
const BN_X = BigInt('4965661367192848881');
const BN_X_LEN = bitLen(BN_X);
const SIX_X_SQUARED = _6n * BN_X ** _2n;
const bn254_G1_CURVE = {
p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
h: _1n,
a: _0n,
b: _3n,
Gx: _1n,
Gy: BigInt(2),
};
// r == n
// Finite field over r. It's for convenience and is not used in the code below.
export const bn254_Fr = Field(bn254_G1_CURVE.n);
// Fp2.div(Fp2.mul(Fp2.ONE, _3n), Fp2.NONRESIDUE)
const Fp2B = {
c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
};
const { Fp, Fp2, Fp6, Fp12 } = tower12({
ORDER: bn254_G1_CURVE.p,
X_LEN: BN_X_LEN,
FP2_NONRESIDUE: [BigInt(9), _1n],
Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
Fp12finalExponentiate: (num) => {
const powMinusX = (num) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
const y1 = Fp12._cyclotomicSquare(powMinusX(r));
const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
const y4 = powMinusX(y2);
const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
const y9 = Fp12.mul(y8, y1);
return Fp12.mul(Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3), Fp12.mul(Fp12.frobeniusMap(y8, 2), Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))));
},
});
// END OF CURVE FIELDS
const { G2psi, psi } = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE);
/*
No hashToCurve for now (and signatures):
- RFC 9380 doesn't mention bn254 and doesn't provide test vectors
- Overall seems like nobody is using BLS signatures on top of bn254
- Seems like it can utilize SVDW, which is not implemented yet
*/
const htfDefaults = Object.freeze({
// DST: a domain separation tag defined in section 2.2.5
DST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
encodeDST: 'BN254G2_XMD:SHA-256_SVDW_RO_',
p: Fp.ORDER,
m: 2,
k: 128,
expand: 'xmd',
hash: sha256,
});
export const _postPrecompute = (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
const q = psi(Qx, Qy);
({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
const q2 = psi(q[0], q[1]);
pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
};
// cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
const bn254_G2_CURVE = {
p: Fp2.ORDER,
n: bn254_G1_CURVE.n,
h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
a: Fp2.ZERO,
b: Fp2B,
Gx: Fp2.fromBigTuple([
BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
]),
Gy: Fp2.fromBigTuple([
BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
]),
};
/**
* bn254 (a.k.a. alt_bn128) pairing-friendly curve.
* Contains G1 / G2 operations and pairings.
*/
export const bn254 = bls({
// Fields
fields: { Fp, Fp2, Fp6, Fp12, Fr: bn254_Fr },
G1: {
...bn254_G1_CURVE,
Fp,
htfDefaults: { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
wrapPrivateKey: true,
allowInfinityPoint: true,
mapToCurve: notImplemented,
fromBytes: notImplemented,
toBytes: notImplemented,
ShortSignature: {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toRawBytes: notImplemented,
toHex: notImplemented,
},
},
G2: {
...bn254_G2_CURVE,
Fp: Fp2,
hEff: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
htfDefaults: { ...htfDefaults },
wrapPrivateKey: true,
allowInfinityPoint: true,
isTorsionFree: (c, P) => P.multiplyUnsafe(SIX_X_SQUARED).equals(G2psi(c, P)), // [p]P = [6X^2]P
mapToCurve: notImplemented,
fromBytes: notImplemented,
toBytes: notImplemented,
Signature: {
fromBytes: notImplemented,
fromHex: notImplemented,
toBytes: notImplemented,
toRawBytes: notImplemented,
toHex: notImplemented,
},
},
params: {
ateLoopSize: BN_X * _6n + _2n,
r: bn254_Fr.ORDER,
xNegative: false,
twistType: 'divisive',
},
htfDefaults,
hash: sha256,
postPrecompute: _postPrecompute,
});
/**
* bn254 weierstrass curve with ECDSA.
* This is very rare and probably not used anywhere.
* Instead, you should use G1 / G2, defined above.
* @deprecated
*/
export const bn254_weierstrass = weierstrass({
a: BigInt(0),
b: BigInt(3),
Fp,
n: BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617'),
Gx: BigInt(1),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});
//# sourceMappingURL=bn254.js.map

1
node_modules/@noble/curves/esm/bn254.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

106
node_modules/@noble/curves/esm/ed25519.d.ts generated vendored Normal file
View File

@@ -0,0 +1,106 @@
import { type AffinePoint } from './abstract/curve.ts';
import { PrimeEdwardsPoint, type CurveFn, type EdwardsPoint } from './abstract/edwards.ts';
import { type H2CHasher, type H2CHasherBase, type H2CMethod, type htfBasicOpts } from './abstract/hash-to-curve.ts';
import { type IField } from './abstract/modular.ts';
import { type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
import { type Hex } from './utils.ts';
/**
* ed25519 curve with EdDSA signatures.
* @example
* import { ed25519 } from '@noble/curves/ed25519';
* const { secretKey, publicKey } = ed25519.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed25519.sign(msg, priv);
* ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
* ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
*/
export declare const ed25519: CurveFn;
/** Context of ed25519. Uses context for domain separation. */
export declare const ed25519ctx: CurveFn;
/** Prehashed version of ed25519. Accepts already-hashed messages in sign() and verify(). */
export declare const ed25519ph: CurveFn;
/**
* ECDH using curve25519 aka x25519.
* @example
* import { x25519 } from '@noble/curves/ed25519';
* const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
* const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
* x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
* x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
* x25519.getPublicKey(x25519.utils.randomSecretKey());
*/
export declare const x25519: XCurveFn;
/** Hashing to ed25519 points / field. RFC 9380 methods. */
export declare const ed25519_hasher: H2CHasher<bigint>;
type ExtendedPoint = EdwardsPoint;
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
declare class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
static BASE: _RistrettoPoint;
static ZERO: _RistrettoPoint;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
constructor(ep: ExtendedPoint);
static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint;
protected assertSame(other: _RistrettoPoint): void;
protected init(ep: EdwardsPoint): _RistrettoPoint;
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
static hashToCurve(hex: Hex): _RistrettoPoint;
static fromBytes(bytes: Uint8Array): _RistrettoPoint;
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex: Hex): _RistrettoPoint;
static msm(points: _RistrettoPoint[], scalars: bigint[]): _RistrettoPoint;
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes(): Uint8Array;
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other: _RistrettoPoint): boolean;
is0(): boolean;
}
export declare const ristretto255: {
Point: typeof _RistrettoPoint;
};
/** Hashing to ristretto255 points / field. RFC 9380 methods. */
export declare const ristretto255_hasher: H2CHasherBase<bigint>;
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
*/
export declare const ED25519_TORSION_SUBGROUP: string[];
/** @deprecated use `ed25519.utils.toMontgomery` */
export declare function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array;
/** @deprecated use `ed25519.utils.toMontgomery` */
export declare const edwardsToMontgomery: typeof edwardsToMontgomeryPub;
/** @deprecated use `ed25519.utils.toMontgomerySecret` */
export declare function edwardsToMontgomeryPriv(edwardsPriv: Uint8Array): Uint8Array;
/** @deprecated use `ristretto255.Point` */
export declare const RistrettoPoint: typeof _RistrettoPoint;
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
type RistHasher = (msg: Uint8Array, options: htfBasicOpts) => _RistrettoPoint;
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export declare const hashToRistretto255: RistHasher;
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export declare const hash_to_ristretto255: RistHasher;
export {};
//# sourceMappingURL=ed25519.d.ts.map

1
node_modules/@noble/curves/esm/ed25519.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../src/ed25519.ts"],"names":[],"mappings":"AAUA,OAAO,EAAa,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClE,OAAO,EACL,iBAAiB,EAEjB,KAAK,OAAO,EAEZ,KAAK,YAAY,EAClB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAIL,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAOL,KAAK,MAAM,EACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAc,KAAK,cAAc,IAAI,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAA4C,KAAK,GAAG,EAAE,MAAM,YAAY,CAAC;AA+FhF;;;;;;;;;GASG;AACH,eAAO,MAAM,OAAO,EAAE,OAAmE,CAAC;AAY1F,8DAA8D;AAC9D,eAAO,MAAM,UAAU,EAAE,OAIlB,CAAC;AAER,4FAA4F;AAC5F,eAAO,MAAM,SAAS,EAAE,OAMlB,CAAC;AAEP;;;;;;;;;GASG;AACH,eAAO,MAAM,MAAM,EAAE,QAYjB,CAAC;AA0EL,2DAA2D;AAC3D,eAAO,MAAM,cAAc,EAAE,SAAS,CAAC,MAAM,CAavC,CAAC;AA6BP,KAAK,aAAa,GAAG,YAAY,CAAC;AAsClC;;;;;;;;GAQG;AACH,cAAM,eAAgB,SAAQ,iBAAiB,CAAC,eAAe,CAAC;IAI9D,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;IAE/B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;gBAEnB,EAAE,EAAE,aAAa;IAI7B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,eAAe;IAI3D,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAIlD,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,eAAe;IAIjD,wFAAwF;IACxF,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG,eAAe;IAI7C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,eAAe;IA4BpD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,eAAe;IAIzC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,eAAe;IAIzE;;;OAGG;IACH,OAAO,IAAI,UAAU;IA4BrB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAWvC,GAAG,IAAI,OAAO;CAGf;AAED,eAAO,MAAM,YAAY,EAAE;IACzB,KAAK,EAAE,OAAO,eAAe,CAAC;CACF,CAAC;AAE/B,gEAAgE;AAChE,eAAO,MAAM,mBAAmB,EAAE,aAAa,CAAC,MAAM,CAUrD,CAAC;AAUF;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,EAS5C,CAAC;AAEF,mDAAmD;AACnD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,GAAG,GAAG,UAAU,CAElE;AACD,mDAAmD;AACnD,eAAO,MAAM,mBAAmB,EAAE,OAAO,sBAA+C,CAAC;AAEzF,yDAAyD;AACzD,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,UAAU,GAAG,UAAU,CAE3E;AAED,2CAA2C;AAC3C,eAAO,MAAM,cAAc,EAAE,OAAO,eAAiC,CAAC;AACtE,mFAAmF;AACnF,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAwD,CAAC;AACnG,mFAAmF;AACnF,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACX,CAAC;AAClC,KAAK,UAAU,GAAG,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,KAAK,eAAe,CAAC;AAC9E,wFAAwF;AACxF,eAAO,MAAM,kBAAkB,EAAE,UACiB,CAAC;AACnD,wFAAwF;AACxF,eAAO,MAAM,oBAAoB,EAAE,UACe,CAAC"}

467
node_modules/@noble/curves/esm/ed25519.js generated vendored Normal file
View File

@@ -0,0 +1,467 @@
/**
* ed25519 Twisted Edwards curve with following addons:
* - X25519 ECDH
* - Ristretto cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha512 } from '@noble/hashes/sha2.js';
import { abytes, concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
import { pippenger } from "./abstract/curve.js";
import { PrimeEdwardsPoint, twistedEdwards, } from "./abstract/edwards.js";
import { _DST_scalar, createHasher, expand_message_xmd, } from "./abstract/hash-to-curve.js";
import { Field, FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2, } from "./abstract/modular.js";
import { montgomery } from "./abstract/montgomery.js";
import { bytesToNumberLE, ensureBytes, equalBytes } from "./utils.js";
// prettier-ignore
const _0n = /* @__PURE__ */ BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
// prettier-ignore
const _5n = BigInt(5), _8n = BigInt(8);
// P = 2n**255n-19n
const ed25519_CURVE_p = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed');
// N = 2n**252n + 27742317777372353535851937790883648493n
// a = Fp.create(BigInt(-1))
// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
const ed25519_CURVE = /* @__PURE__ */ (() => ({
p: ed25519_CURVE_p,
n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
h: _8n,
a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
}))();
function ed25519_pow_2_252_3(x) {
// prettier-ignore
const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
const P = ed25519_CURVE_p;
const x2 = (x * x) % P;
const b2 = (x2 * x) % P; // x^3, 11
const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
const b10 = (pow2(b5, _5n, P) * b5) % P;
const b20 = (pow2(b10, _10n, P) * b10) % P;
const b40 = (pow2(b20, _20n, P) * b20) % P;
const b80 = (pow2(b40, _40n, P) * b40) % P;
const b160 = (pow2(b80, _80n, P) * b80) % P;
const b240 = (pow2(b160, _80n, P) * b80) % P;
const b250 = (pow2(b240, _10n, P) * b10) % P;
const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
// ^ To pow to (p+3)/8, multiply it by x.
return { pow_p_5_8, b2 };
}
function adjustScalarBytes(bytes) {
// Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
// set the three least significant bits of the first byte
bytes[0] &= 248; // 0b1111_1000
// and the most significant bit of the last to zero,
bytes[31] &= 127; // 0b0111_1111
// set the second most significant bit of the last byte to 1
bytes[31] |= 64; // 0b0100_0000
return bytes;
}
// √(-1) aka √(a) aka 2^((p-1)/4)
// Fp.sqrt(Fp.neg(1))
const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
// sqrt(u/v)
function uvRatio(u, v) {
const P = ed25519_CURVE_p;
const v3 = mod(v * v * v, P); // v³
const v7 = mod(v3 * v3 * v, P); // v⁷
// (p+3)/8 and (p-5)/8
const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
const vx2 = mod(v * x * x, P); // vx²
const root1 = x; // First root candidate
const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
if (useRoot1)
x = root1;
if (useRoot2 || noRoot)
x = root2; // We return root2 anyway, for const-time
if (isNegativeLE(x, P))
x = mod(-x, P);
return { isValid: useRoot1 || useRoot2, value: x };
}
const Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, { isLE: true }))();
const Fn = /* @__PURE__ */ (() => Field(ed25519_CURVE.n, { isLE: true }))();
const ed25519Defaults = /* @__PURE__ */ (() => ({
...ed25519_CURVE,
Fp,
hash: sha512,
adjustScalarBytes,
// dom2
// Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
// Constant-time, u/√v
uvRatio,
}))();
/**
* ed25519 curve with EdDSA signatures.
* @example
* import { ed25519 } from '@noble/curves/ed25519';
* const { secretKey, publicKey } = ed25519.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed25519.sign(msg, priv);
* ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
* ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
*/
export const ed25519 = /* @__PURE__ */ (() => twistedEdwards(ed25519Defaults))();
function ed25519_domain(data, ctx, phflag) {
if (ctx.length > 255)
throw new Error('Context is too big');
return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
}
/** Context of ed25519. Uses context for domain separation. */
export const ed25519ctx = /* @__PURE__ */ (() => twistedEdwards({
...ed25519Defaults,
domain: ed25519_domain,
}))();
/** Prehashed version of ed25519. Accepts already-hashed messages in sign() and verify(). */
export const ed25519ph = /* @__PURE__ */ (() => twistedEdwards(Object.assign({}, ed25519Defaults, {
domain: ed25519_domain,
prehash: sha512,
})))();
/**
* ECDH using curve25519 aka x25519.
* @example
* import { x25519 } from '@noble/curves/ed25519';
* const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
* const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
* x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
* x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
* x25519.getPublicKey(x25519.utils.randomSecretKey());
*/
export const x25519 = /* @__PURE__ */ (() => {
const P = Fp.ORDER;
return montgomery({
P,
type: 'x25519',
powPminus2: (x) => {
// x^(p-2) aka x^(2^255-21)
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
// SageMath returns different root first and everything falls apart
const ELL2_C1 = /* @__PURE__ */ (() => (ed25519_CURVE_p + _3n) / _8n)(); // 1. c1 = (q + 3) / 8 # Integer arithmetic
const ELL2_C2 = /* @__PURE__ */ (() => Fp.pow(_2n, ELL2_C1))(); // 2. c2 = 2^c1
const ELL2_C3 = /* @__PURE__ */ (() => Fp.sqrt(Fp.neg(Fp.ONE)))(); // 3. c3 = sqrt(-1)
// prettier-ignore
function map_to_curve_elligator2_curve25519(u) {
const ELL2_C4 = (ed25519_CURVE_p - _5n) / _8n; // 4. c4 = (q - 5) / 8 # Integer arithmetic
const ELL2_J = BigInt(486662);
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
tv1 = Fp.mul(tv1, _2n); // 2. tv1 = 2 * tv1
let xd = Fp.add(tv1, Fp.ONE); // 3. xd = tv1 + 1 # Nonzero: -1 is square (mod p), tv1 is not
let x1n = Fp.neg(ELL2_J); // 4. x1n = -J # x1 = x1n / xd = -J / (1 + 2 * u^2)
let tv2 = Fp.sqr(xd); // 5. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 6. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, ELL2_J); // 7. gx1 = J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 8. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 9. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 10. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 11. tv3 = gxd^2
tv2 = Fp.sqr(tv3); // 12. tv2 = tv3^2 # gxd^4
tv3 = Fp.mul(tv3, gxd); // 13. tv3 = tv3 * gxd # gxd^3
tv3 = Fp.mul(tv3, gx1); // 14. tv3 = tv3 * gx1 # gx1 * gxd^3
tv2 = Fp.mul(tv2, tv3); // 15. tv2 = tv2 * tv3 # gx1 * gxd^7
let y11 = Fp.pow(tv2, ELL2_C4); // 16. y11 = tv2^c4 # (gx1 * gxd^7)^((p - 5) / 8)
y11 = Fp.mul(y11, tv3); // 17. y11 = y11 * tv3 # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
let y12 = Fp.mul(y11, ELL2_C3); // 18. y12 = y11 * c3
tv2 = Fp.sqr(y11); // 19. tv2 = y11^2
tv2 = Fp.mul(tv2, gxd); // 20. tv2 = tv2 * gxd
let e1 = Fp.eql(tv2, gx1); // 21. e1 = tv2 == gx1
let y1 = Fp.cmov(y12, y11, e1); // 22. y1 = CMOV(y12, y11, e1) # If g(x1) is square, this is its sqrt
let x2n = Fp.mul(x1n, tv1); // 23. x2n = x1n * tv1 # x2 = x2n / xd = 2 * u^2 * x1n / xd
let y21 = Fp.mul(y11, u); // 24. y21 = y11 * u
y21 = Fp.mul(y21, ELL2_C2); // 25. y21 = y21 * c2
let y22 = Fp.mul(y21, ELL2_C3); // 26. y22 = y21 * c3
let gx2 = Fp.mul(gx1, tv1); // 27. gx2 = gx1 * tv1 # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
tv2 = Fp.sqr(y21); // 28. tv2 = y21^2
tv2 = Fp.mul(tv2, gxd); // 29. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx2); // 30. e2 = tv2 == gx2
let y2 = Fp.cmov(y22, y21, e2); // 31. y2 = CMOV(y22, y21, e2) # If g(x2) is square, this is its sqrt
tv2 = Fp.sqr(y1); // 32. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 33. tv2 = tv2 * gxd
let e3 = Fp.eql(tv2, gx1); // 34. e3 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e3); // 35. xn = CMOV(x2n, x1n, e3) # If e3, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e3); // 36. y = CMOV(y2, y1, e3) # If e3, y = y1, else y = y2
let e4 = Fp.isOdd(y); // 37. e4 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e3 !== e4); // 38. y = CMOV(y, -y, e3 XOR e4)
return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; // 39. return (xn, xd, y, 1)
}
const ELL2_C1_EDWARDS = /* @__PURE__ */ (() => FpSqrtEven(Fp, Fp.neg(BigInt(486664))))(); // sgn0(c1) MUST equal 0
function map_to_curve_elligator2_edwards25519(u) {
const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); // 1. (xMn, xMd, yMn, yMd) =
// map_to_curve_elligator2_curve25519(u)
let xn = Fp.mul(xMn, yMd); // 2. xn = xMn * yMd
xn = Fp.mul(xn, ELL2_C1_EDWARDS); // 3. xn = xn * c1
let xd = Fp.mul(xMd, yMn); // 4. xd = xMd * yMn # xn / xd = c1 * xM / yM
let yn = Fp.sub(xMn, xMd); // 5. yn = xMn - xMd
let yd = Fp.add(xMn, xMd); // 6. yd = xMn + xMd # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
let tv1 = Fp.mul(xd, yd); // 7. tv1 = xd * yd
let e = Fp.eql(tv1, Fp.ZERO); // 8. e = tv1 == 0
xn = Fp.cmov(xn, Fp.ZERO, e); // 9. xn = CMOV(xn, 0, e)
xd = Fp.cmov(xd, Fp.ONE, e); // 10. xd = CMOV(xd, 1, e)
yn = Fp.cmov(yn, Fp.ONE, e); // 11. yn = CMOV(yn, 1, e)
yd = Fp.cmov(yd, Fp.ONE, e); // 12. yd = CMOV(yd, 1, e)
const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; // 13. return (xn, xd, yn, yd)
}
/** Hashing to ed25519 points / field. RFC 9380 methods. */
export const ed25519_hasher = /* @__PURE__ */ (() => createHasher(ed25519.Point, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
p: ed25519_CURVE_p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha512,
}))();
// √(-1) aka √(a) aka 2^((p-1)/4)
const SQRT_M1 = ED25519_SQRT_M1;
// √(ad - 1)
const SQRT_AD_MINUS_ONE = /* @__PURE__ */ BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
// 1 / √(a-d)
const INVSQRT_A_MINUS_D = /* @__PURE__ */ BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
// 1-d²
const ONE_MINUS_D_SQ = /* @__PURE__ */ BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
// (d-1)²
const D_MINUS_ONE_SQ = /* @__PURE__ */ BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
// Calculates 1/√(number)
const invertSqrt = (number) => uvRatio(_1n, number);
const MAX_255B = /* @__PURE__ */ BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
const bytes255ToNumberLE = (bytes) => ed25519.Point.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
/**
* Computes Elligator map for Ristretto255.
* Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
* the [website](https://ristretto.group/formulas/elligator.html).
*/
function calcElligatorRistrettoMap(r0) {
const { d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const r = mod(SQRT_M1 * r0 * r0); // 1
const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
let c = BigInt(-1); // 3
const D = mod((c - d * r) * mod(r + d)); // 4
let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
let s_ = mod(s * r0); // 6
if (!isNegativeLE(s_, P))
s_ = mod(-s_);
if (!Ns_D_is_sq)
s = s_; // 7
if (!Ns_D_is_sq)
c = r; // 8
const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
const s2 = s * s;
const W0 = mod((s + s) * D); // 10
const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
const W2 = mod(_1n - s2); // 12
const W3 = mod(_1n + s2); // 13
return new ed25519.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
function ristretto255_map(bytes) {
abytes(bytes, 64);
const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
const R1 = calcElligatorRistrettoMap(r1);
const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
const R2 = calcElligatorRistrettoMap(r2);
return new _RistrettoPoint(R1.add(R2));
}
/**
* Wrapper over Edwards Point for ristretto255.
*
* Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
* Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _RistrettoPoint extends PrimeEdwardsPoint {
constructor(ep) {
super(ep);
}
static fromAffine(ap) {
return new _RistrettoPoint(ed25519.Point.fromAffine(ap));
}
assertSame(other) {
if (!(other instanceof _RistrettoPoint))
throw new Error('RistrettoPoint expected');
}
init(ep) {
return new _RistrettoPoint(ep);
}
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
static hashToCurve(hex) {
return ristretto255_map(ensureBytes('ristrettoHash', hex, 64));
}
static fromBytes(bytes) {
abytes(bytes, 32);
const { a, d } = ed25519_CURVE;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const s = bytes255ToNumberLE(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 3. Check that s is non-negative, or else abort
if (!equalBytes(Fp.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid ristretto255 encoding 1');
const s2 = mod(s * s);
const u1 = mod(_1n + a * s2); // 4 (a is -1)
const u2 = mod(_1n - a * s2); // 5
const u1_2 = mod(u1 * u1);
const u2_2 = mod(u2 * u2);
const v = mod(a * d * u1_2 - u2_2); // 6
const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
const Dx = mod(I * u2); // 8
const Dy = mod(I * Dx * v); // 9
let x = mod((s + s) * Dx); // 10
if (isNegativeLE(x, P))
x = mod(-x); // 10
const y = mod(u1 * Dy); // 11
const t = mod(x * y); // 12
if (!isValid || isNegativeLE(t, P) || y === _0n)
throw new Error('invalid ristretto255 encoding 2');
return new _RistrettoPoint(new ed25519.Point(x, y, _1n, t));
}
/**
* Converts ristretto-encoded string to ristretto point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
* @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
*/
static fromHex(hex) {
return _RistrettoPoint.fromBytes(ensureBytes('ristrettoHex', hex, 32));
}
static msm(points, scalars) {
return pippenger(_RistrettoPoint, ed25519.Point.Fn, points, scalars);
}
/**
* Encodes ristretto point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
*/
toBytes() {
let { X, Y, Z, T } = this.ep;
const P = ed25519_CURVE_p;
const mod = (n) => Fp.create(n);
const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
const u2 = mod(X * Y); // 2
// Square root always exists
const u2sq = mod(u2 * u2);
const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
const D1 = mod(invsqrt * u1); // 4
const D2 = mod(invsqrt * u2); // 5
const zInv = mod(D1 * D2 * T); // 6
let D; // 7
if (isNegativeLE(T * zInv, P)) {
let _x = mod(Y * SQRT_M1);
let _y = mod(X * SQRT_M1);
X = _x;
Y = _y;
D = mod(D1 * INVSQRT_A_MINUS_D);
}
else {
D = D2; // 8
}
if (isNegativeLE(X * zInv, P))
Y = mod(-Y); // 9
let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
if (isNegativeLE(s, P))
s = mod(-s);
return Fp.toBytes(s); // 11
}
/**
* Compares two Ristretto points.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
*/
equals(other) {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
const mod = (n) => Fp.create(n);
// (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
const one = mod(X1 * Y2) === mod(Y1 * X2);
const two = mod(Y1 * Y2) === mod(X1 * X2);
return one || two;
}
is0() {
return this.equals(_RistrettoPoint.ZERO);
}
}
// Do NOT change syntax: the following gymnastics is done,
// because typescript strips comments, which makes bundlers disable tree-shaking.
// prettier-ignore
_RistrettoPoint.BASE =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.BASE))();
// prettier-ignore
_RistrettoPoint.ZERO =
/* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.ZERO))();
// prettier-ignore
_RistrettoPoint.Fp =
/* @__PURE__ */ (() => Fp)();
// prettier-ignore
_RistrettoPoint.Fn =
/* @__PURE__ */ (() => Fn)();
export const ristretto255 = { Point: _RistrettoPoint };
/** Hashing to ristretto255 points / field. RFC 9380 methods. */
export const ristretto255_hasher = {
hashToCurve(msg, options) {
const DST = options?.DST || 'ristretto255_XMD:SHA-512_R255MAP_RO_';
const xmd = expand_message_xmd(msg, DST, 64, sha512);
return ristretto255_map(xmd);
},
hashToScalar(msg, options = { DST: _DST_scalar }) {
const xmd = expand_message_xmd(msg, options.DST, 64, sha512);
return Fn.create(bytesToNumberLE(xmd));
},
};
// export const ristretto255_oprf: OPRF = createORPF({
// name: 'ristretto255-SHA512',
// Point: RistrettoPoint,
// hash: sha512,
// hashToGroup: ristretto255_hasher.hashToCurve,
// hashToScalar: ristretto255_hasher.hashToScalar,
// });
/**
* Weird / bogus points, useful for debugging.
* All 8 ed25519 points of 8-torsion subgroup can be generated from the point
* T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
* ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
*/
export const ED25519_TORSION_SUBGROUP = [
'0100000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
'0000000000000000000000000000000000000000000000000000000000000080',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
'26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
'0000000000000000000000000000000000000000000000000000000000000000',
'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
];
/** @deprecated use `ed25519.utils.toMontgomery` */
export function edwardsToMontgomeryPub(edwardsPub) {
return ed25519.utils.toMontgomery(ensureBytes('pub', edwardsPub));
}
/** @deprecated use `ed25519.utils.toMontgomery` */
export const edwardsToMontgomery = edwardsToMontgomeryPub;
/** @deprecated use `ed25519.utils.toMontgomerySecret` */
export function edwardsToMontgomeryPriv(edwardsPriv) {
return ed25519.utils.toMontgomerySecret(ensureBytes('pub', edwardsPriv));
}
/** @deprecated use `ristretto255.Point` */
export const RistrettoPoint = _RistrettoPoint;
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export const hashToCurve = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => ed25519_hasher.encodeToCurve)();
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export const hashToRistretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
export const hash_to_ristretto255 = /* @__PURE__ */ (() => ristretto255_hasher.hashToCurve)();
//# sourceMappingURL=ed25519.js.map

1
node_modules/@noble/curves/esm/ed25519.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

100
node_modules/@noble/curves/esm/ed448.d.ts generated vendored Normal file
View File

@@ -0,0 +1,100 @@
import type { AffinePoint } from './abstract/curve.ts';
import { PrimeEdwardsPoint, type CurveFn, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
import { type H2CHasher, type H2CHasherBase, type H2CMethod, type htfBasicOpts } from './abstract/hash-to-curve.ts';
import { type IField } from './abstract/modular.ts';
import { type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
import { type Hex } from './utils.ts';
/**
* ed448 EdDSA curve and methods.
* @example
* import { ed448 } from '@noble/curves/ed448';
* const { secretKey, publicKey } = ed448.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
*/
export declare const ed448: CurveFn;
/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
export declare const ed448ph: CurveFn;
/**
* E448 curve, defined by NIST.
* E448 != edwards448 used in ed448.
* E448 is birationally equivalent to edwards448.
*/
export declare const E448: EdwardsPointCons;
/**
* ECDH using curve448 aka x448.
* x448 has 56-byte keys as per RFC 7748, while
* ed448 has 57-byte keys as per RFC 8032.
*/
export declare const x448: XCurveFn;
/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
export declare const ed448_hasher: H2CHasher<bigint>;
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
declare class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
static BASE: _DecafPoint;
static ZERO: _DecafPoint;
static Fp: IField<bigint>;
static Fn: IField<bigint>;
constructor(ep: EdwardsPoint);
static fromAffine(ap: AffinePoint<bigint>): _DecafPoint;
protected assertSame(other: _DecafPoint): void;
protected init(ep: EdwardsPoint): _DecafPoint;
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
static hashToCurve(hex: Hex): _DecafPoint;
static fromBytes(bytes: Uint8Array): _DecafPoint;
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex: Hex): _DecafPoint;
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint;
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes(): Uint8Array;
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other: _DecafPoint): boolean;
is0(): boolean;
}
export declare const decaf448: {
Point: typeof _DecafPoint;
};
/** Hashing to decaf448 points / field. RFC 9380 methods. */
export declare const decaf448_hasher: H2CHasherBase<bigint>;
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
* (0, 1), (0, -1), (-1, 0), (1, 0).
*/
export declare const ED448_TORSION_SUBGROUP: string[];
type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
/** @deprecated use `decaf448.Point` */
export declare const DecafPoint: typeof _DecafPoint;
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export declare const hashToDecaf448: DcfHasher;
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export declare const hash_to_decaf448: DcfHasher;
/** @deprecated use `ed448.utils.toMontgomery` */
export declare function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array;
/** @deprecated use `ed448.utils.toMontgomery` */
export declare const edwardsToMontgomery: typeof edwardsToMontgomeryPub;
export {};
//# sourceMappingURL=ed448.d.ts.map

1
node_modules/@noble/curves/esm/ed448.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["../src/ed448.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,EAEL,iBAAiB,EAEjB,KAAK,OAAO,EAEZ,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAIL,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAiD,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAc,KAAK,cAAc,IAAI,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAA0D,KAAK,GAAG,EAAE,MAAM,YAAY,CAAC;AAyI9F;;;;;;;;GAQG;AACH,eAAO,MAAM,KAAK,EAAE,OAAmC,CAAC;AAGxD,0FAA0F;AAC1F,eAAO,MAAM,OAAO,EAAE,OAIf,CAAC;AAER;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,gBAAsC,CAAC;AAE1D;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,QAYf,CAAC;AA+EL,oEAAoE;AACpE,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,MAAM,CASpC,CAAC;AAgER;;;;;;GAMG;AACH,cAAM,WAAY,SAAQ,iBAAiB,CAAC,WAAW,CAAC;IAGtD,MAAM,CAAC,IAAI,EAAE,WAAW,CAC0D;IAElF,MAAM,CAAC,IAAI,EAAE,WAAW,CACsC;IAE9D,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;IAElC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;gBAEtB,EAAE,EAAE,YAAY;IAI5B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,WAAW;IAIvD,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI9C,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,WAAW;IAI7C,kFAAkF;IAClF,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIzC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW;IA+BhD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIrC,qFAAqF;IACrF,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,WAAW;IAIjE;;;OAGG;IACH,OAAO,IAAI,UAAU;IAerB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO;IAQnC,GAAG,IAAI,OAAO;CAGf;AAED,eAAO,MAAM,QAAQ,EAAE;IACrB,KAAK,EAAE,OAAO,WAAW,CAAC;CACF,CAAC;AAE3B,4DAA4D;AAC5D,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAajD,CAAC;AAUF;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,EAK1C,CAAC;AAEF,KAAK,SAAS,GAAG,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,KAAK,WAAW,CAAC;AAEzE,uCAAuC;AACvC,eAAO,MAAM,UAAU,EAAE,OAAO,WAAyB,CAAC;AAC1D,+EAA+E;AAC/E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAsD,CAAC;AACjG,+EAA+E;AAC/E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACb,CAAC;AAChC,kFAAkF;AAClF,eAAO,MAAM,cAAc,EAAE,SACgB,CAAC;AAC9C,kFAAkF;AAClF,eAAO,MAAM,gBAAgB,EAAE,SACc,CAAC;AAC9C,iDAAiD;AACjD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAElF;AACD,iDAAiD;AACjD,eAAO,MAAM,mBAAmB,EAAE,OAAO,sBAA+C,CAAC"}

459
node_modules/@noble/curves/esm/ed448.js generated vendored Normal file
View File

@@ -0,0 +1,459 @@
/**
* Edwards448 (not Ed448-Goldilocks) curve with following addons:
* - X448 ECDH
* - Decaf cofactor elimination
* - Elligator hash-to-group / point indistinguishability
* Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { shake256 } from '@noble/hashes/sha3.js';
import { abytes, concatBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
import { pippenger } from "./abstract/curve.js";
import { edwards, PrimeEdwardsPoint, twistedEdwards, } from "./abstract/edwards.js";
import { _DST_scalar, createHasher, expand_message_xof, } from "./abstract/hash-to-curve.js";
import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from "./abstract/modular.js";
import { montgomery } from "./abstract/montgomery.js";
import { asciiToBytes, bytesToNumberLE, ensureBytes, equalBytes } from "./utils.js";
// edwards448 curve
// a = 1n
// d = Fp.neg(39081n)
// Finite field 2n**448n - 2n**224n - 1n
// Subgroup order
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
const ed448_CURVE = {
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
n: BigInt('0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'),
h: BigInt(4),
a: BigInt(1),
d: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'),
Gx: BigInt('0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'),
Gy: BigInt('0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'),
};
// E448 NIST curve is identical to edwards448, except for:
// d = 39082/39081
// Gx = 3/2
const E448_CURVE = Object.assign({}, ed448_CURVE, {
d: BigInt('0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'),
Gx: BigInt('0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'),
Gy: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'),
});
const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
// prettier-ignore
const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
// prettier-ignore
const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
// Used for efficient square root calculation.
// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
function ed448_pow_Pminus3div4(x) {
const P = ed448_CURVE.p;
const b2 = (x * x * x) % P;
const b3 = (b2 * b2 * x) % P;
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b222 = (pow2(b220, _2n, P) * b2) % P;
const b223 = (pow2(b222, _1n, P) * x) % P;
return (pow2(b223, _223n, P) * b222) % P;
}
function adjustScalarBytes(bytes) {
// Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
bytes[0] &= 252; // 0b11111100
// and the most significant bit of the last byte to 1.
bytes[55] |= 128; // 0b10000000
// NOTE: is NOOP for 56 bytes scalars (X25519/X448)
bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
return bytes;
}
// Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
// Uses algo from RFC8032 5.1.3.
function uvRatio(u, v) {
const P = ed448_CURVE.p;
// https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
// To compute the square root of (u/v), the first step is to compute the
// candidate root x = (u/v)^((p+1)/4). This can be done using the
// following trick, to use a single modular powering for both the
// inversion of v and the square root:
// x = (u/v)^((p+1)/4) = u³v(u⁵v³)^((p-3)/4) (mod p)
const u2v = mod(u * u * v, P); // u²v
const u3v = mod(u2v * u, P); // u³v
const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P);
// Verify that root is exists
const x2 = mod(x * x, P); // x²
// If vx² = u, the recovered x-coordinate is x. Otherwise, no
// square root exists, and the decoding fails.
return { isValid: mod(x2 * v, P) === u, value: x };
}
// Finite field 2n**448n - 2n**224n - 1n
// The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
// - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
// - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
// decaf448 uses 448-bit (56-byte) keys
const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 448, isLE: true }))();
const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
// SHAKE256(dom4(phflag,context)||x, 114)
function dom4(data, ctx, phflag) {
if (ctx.length > 255)
throw new Error('context must be smaller than 255, got: ' + ctx.length);
return concatBytes(asciiToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
}
// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
const ED448_DEF = /* @__PURE__ */ (() => ({
...ed448_CURVE,
Fp,
Fn,
nBitLength: Fn.BITS,
hash: shake256_114,
adjustScalarBytes,
domain: dom4,
uvRatio,
}))();
/**
* ed448 EdDSA curve and methods.
* @example
* import { ed448 } from '@noble/curves/ed448';
* const { secretKey, publicKey } = ed448.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = ed448.sign(msg, secretKey);
* const isValid = ed448.verify(sig, msg, publicKey);
*/
export const ed448 = twistedEdwards(ED448_DEF);
// There is no ed448ctx, since ed448 supports ctx by default
/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
export const ed448ph = /* @__PURE__ */ (() => twistedEdwards({
...ED448_DEF,
prehash: shake256_64,
}))();
/**
* E448 curve, defined by NIST.
* E448 != edwards448 used in ed448.
* E448 is birationally equivalent to edwards448.
*/
export const E448 = edwards(E448_CURVE);
/**
* ECDH using curve448 aka x448.
* x448 has 56-byte keys as per RFC 7748, while
* ed448 has 57-byte keys as per RFC 8032.
*/
export const x448 = /* @__PURE__ */ (() => {
const P = ed448_CURVE.p;
return montgomery({
P,
type: 'x448',
powPminus2: (x) => {
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, _2n, P);
return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
},
adjustScalarBytes,
});
})();
// Hash To Curve Elligator2 Map
const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4 # Integer arithmetic
const ELL2_J = /* @__PURE__ */ BigInt(156326);
function map_to_curve_elligator2_curve448(u) {
let tv1 = Fp.sqr(u); // 1. tv1 = u^2
let e1 = Fp.eql(tv1, Fp.ONE); // 2. e1 = tv1 == 1
tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3. tv1 = CMOV(tv1, 0, e1) # If Z * u^2 == -1, set tv1 = 0
let xd = Fp.sub(Fp.ONE, tv1); // 4. xd = 1 - tv1
let x1n = Fp.neg(ELL2_J); // 5. x1n = -J
let tv2 = Fp.sqr(xd); // 6. tv2 = xd^2
let gxd = Fp.mul(tv2, xd); // 7. gxd = tv2 * xd # gxd = xd^3
let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8. gx1 = -J * tv1 # x1n + J * xd
gx1 = Fp.mul(gx1, x1n); // 9. gx1 = gx1 * x1n # x1n^2 + J * x1n * xd
gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2 # x1n^2 + J * x1n * xd + xd^2
gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n # x1n^3 + J * x1n^2 * xd + x1n * xd^2
let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd # gx1 * gxd
tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2 # gx1 * gxd^3
let y1 = Fp.pow(tv3, ELL2_C1); // 15. y1 = tv3^c1 # (gx1 * gxd^3)^((p - 3) / 4)
y1 = Fp.mul(y1, tv2); // 16. y1 = y1 * tv2 # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n # x2 = x2n / xd = -1 * u^2 * x1n / xd
let y2 = Fp.mul(y1, u); // 18. y2 = y1 * u
y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19. y2 = CMOV(y2, 0, e1)
tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
let e2 = Fp.eql(tv2, gx1); // 22. e2 = tv2 == gx1
let xn = Fp.cmov(x2n, x1n, e2); // 23. xn = CMOV(x2n, x1n, e2) # If e2, x = x1, else x = x2
let y = Fp.cmov(y2, y1, e2); // 24. y = CMOV(y2, y1, e2) # If e2, y = y1, else y = y2
let e3 = Fp.isOdd(y); // 25. e3 = sgn0(y) == 1 # Fix sign of y
y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26. y = CMOV(y, -y, e2 XOR e3)
return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
}
function map_to_curve_elligator2_edwards448(u) {
let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
let xn2 = Fp.sqr(xn); // 2. xn2 = xn^2
let xd2 = Fp.sqr(xd); // 3. xd2 = xd^2
let xd4 = Fp.sqr(xd2); // 4. xd4 = xd2^2
let yn2 = Fp.sqr(yn); // 5. yn2 = yn^2
let yd2 = Fp.sqr(yd); // 6. yd2 = yd^2
let xEn = Fp.sub(xn2, xd2); // 7. xEn = xn2 - xd2
let tv2 = Fp.sub(xEn, xd2); // 8. tv2 = xEn - xd2
xEn = Fp.mul(xEn, xd2); // 9. xEn = xEn * xd2
xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
let e = Fp.eql(tv1, Fp.ZERO); // 33. e = tv1 == 0
xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
}
/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
export const ed448_hasher = /* @__PURE__ */ (() => createHasher(ed448.Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
p: Fp.ORDER,
m: 1,
k: 224,
expand: 'xof',
hash: shake256,
}))();
// 1-d
const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
// 1-2d
const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
// √(-d)
const SQRT_MINUS_D = /* @__PURE__ */ BigInt('98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214');
// 1 / √(-d)
const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt('315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716');
// Calculates 1/√(number)
const invertSqrt = (number) => uvRatio(_1n, number);
/**
* Elligator map for hash-to-curve of decaf448.
* Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
* and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
*/
function calcElligatorDecafMap(r0) {
const { d } = ed448_CURVE;
const P = Fp.ORDER;
const mod = (n) => Fp.create(n);
const r = mod(-(r0 * r0)); // 1
const u0 = mod(d * (r - _1n)); // 2
const u1 = mod((u0 + _1n) * (u0 - r)); // 3
const { isValid: was_square, value: v } = uvRatio(ONE_MINUS_TWO_D, mod((r + _1n) * u1)); // 4
let v_prime = v; // 5
if (!was_square)
v_prime = mod(r0 * v);
let sgn = _1n; // 6
if (!was_square)
sgn = mod(-_1n);
const s = mod(v_prime * (r + _1n)); // 7
let s_abs = s;
if (isNegativeLE(s, P))
s_abs = mod(-s);
const s2 = s * s;
const W0 = mod(s_abs * _2n); // 8
const W1 = mod(s2 + _1n); // 9
const W2 = mod(s2 - _1n); // 10
const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
}
function decaf448_map(bytes) {
abytes(bytes, 112);
const skipValidation = true;
// Note: Similar to the field element decoding described in
// [RFC7748], and unlike the field element decoding described in
// Section 5.3.1, non-canonical values are accepted.
const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
const R1 = calcElligatorDecafMap(r1);
const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
const R2 = calcElligatorDecafMap(r2);
return new _DecafPoint(R1.add(R2));
}
/**
* Each ed448/EdwardsPoint has 4 different equivalent points. This can be
* a source of bugs for protocols like ring signatures. Decaf was created to solve this.
* Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
* but it should work in its own namespace: do not combine those two.
* See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
*/
class _DecafPoint extends PrimeEdwardsPoint {
constructor(ep) {
super(ep);
}
static fromAffine(ap) {
return new _DecafPoint(ed448.Point.fromAffine(ap));
}
assertSame(other) {
if (!(other instanceof _DecafPoint))
throw new Error('DecafPoint expected');
}
init(ep) {
return new _DecafPoint(ep);
}
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
static hashToCurve(hex) {
return decaf448_map(ensureBytes('decafHash', hex, 112));
}
static fromBytes(bytes) {
abytes(bytes, 56);
const { d } = ed448_CURVE;
const P = Fp.ORDER;
const mod = (n) => Fp448.create(n);
const s = Fp448.fromBytes(bytes);
// 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
// 2. Check that s is non-negative, or else abort
if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
throw new Error('invalid decaf448 encoding 1');
const s2 = mod(s * s); // 1
const u1 = mod(_1n + s2); // 2
const u1sq = mod(u1 * u1);
const u2 = mod(u1sq - _4n * d * s2); // 3
const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
if (isNegativeLE(u3, P))
u3 = mod(-u3);
const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
const y = mod((_1n - s2) * invsqrt * u1); // 7
const t = mod(x * y); // 8
if (!isValid)
throw new Error('invalid decaf448 encoding 2');
return new _DecafPoint(new ed448.Point(x, y, _1n, t));
}
/**
* Converts decaf-encoded string to decaf point.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
* @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
*/
static fromHex(hex) {
return _DecafPoint.fromBytes(ensureBytes('decafHex', hex, 56));
}
/** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
static msm(points, scalars) {
return pippenger(_DecafPoint, Fn, points, scalars);
}
/**
* Encodes decaf point to Uint8Array.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
*/
toBytes() {
const { X, Z, T } = this.ep;
const P = Fp.ORDER;
const mod = (n) => Fp.create(n);
const u1 = mod(mod(X + T) * mod(X - T)); // 1
const x2 = mod(X * X);
const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
if (isNegativeLE(ratio, P))
ratio = mod(-ratio);
const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
if (isNegativeLE(s, P))
s = mod(-s);
return Fn448.toBytes(s);
}
/**
* Compare one point to another.
* Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
*/
equals(other) {
this.assertSame(other);
const { X: X1, Y: Y1 } = this.ep;
const { X: X2, Y: Y2 } = other.ep;
// (x1 * y2 == y1 * x2)
return Fp.create(X1 * Y2) === Fp.create(Y1 * X2);
}
is0() {
return this.equals(_DecafPoint.ZERO);
}
}
// The following gymnastics is done because typescript strips comments otherwise
// prettier-ignore
_DecafPoint.BASE =
/* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n))();
// prettier-ignore
_DecafPoint.ZERO =
/* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
// prettier-ignore
_DecafPoint.Fp =
/* @__PURE__ */ (() => Fp448)();
// prettier-ignore
_DecafPoint.Fn =
/* @__PURE__ */ (() => Fn448)();
export const decaf448 = { Point: _DecafPoint };
/** Hashing to decaf448 points / field. RFC 9380 methods. */
export const decaf448_hasher = {
hashToCurve(msg, options) {
const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake256));
},
// Warning: has big modulo bias of 2^-64.
// RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
// it must use 84-byte xof (56+56/2), not 64.
hashToScalar(msg, options = { DST: _DST_scalar }) {
// Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
return Fn448.create(bytesToNumberLE(xof));
},
};
// export const decaf448_oprf: OPRF = createORPF({
// name: 'decaf448-SHAKE256',
// Point: DecafPoint,
// hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
// hashToGroup: decaf448_hasher.hashToCurve,
// hashToScalar: decaf448_hasher.hashToScalar,
// });
/**
* Weird / bogus points, useful for debugging.
* Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
* Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
* (0, 1), (0, -1), (-1, 0), (1, 0).
*/
export const ED448_TORSION_SUBGROUP = [
'010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
'000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
];
/** @deprecated use `decaf448.Point` */
export const DecafPoint = _DecafPoint;
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export const hashToCurve = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => ed448_hasher.encodeToCurve)();
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export const hashToDecaf448 = /* @__PURE__ */ (() => decaf448_hasher.hashToCurve)();
/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
export const hash_to_decaf448 = /* @__PURE__ */ (() => decaf448_hasher.hashToCurve)();
/** @deprecated use `ed448.utils.toMontgomery` */
export function edwardsToMontgomeryPub(edwardsPub) {
return ed448.utils.toMontgomery(ensureBytes('pub', edwardsPub));
}
/** @deprecated use `ed448.utils.toMontgomery` */
export const edwardsToMontgomery = edwardsToMontgomeryPub;
//# sourceMappingURL=ed448.js.map

1
node_modules/@noble/curves/esm/ed448.js.map generated vendored Normal file
View File

File diff suppressed because one or more lines are too long

2
node_modules/@noble/curves/esm/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export {};
//# sourceMappingURL=index.d.ts.map

1
node_modules/@noble/curves/esm/index.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

17
node_modules/@noble/curves/esm/index.js generated vendored Normal file
View File

@@ -0,0 +1,17 @@
/**
* Audited & minimal JS implementation of elliptic curve cryptography.
* @module
* @example
```js
import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519.js';
import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
import { p256, p384, p521 } from '@noble/curves/nist.js';
import { bls12_381 } from '@noble/curves/bls12-381.js';
import { bn254 } from '@noble/curves/bn254.js';
import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
```
*/
throw new Error('root module cannot be imported: import submodules instead. Check out README');
export {};
//# sourceMappingURL=index.js.map

1
node_modules/@noble/curves/esm/index.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,MAAM,IAAI,KAAK,CAAC,6EAA6E,CAAC,CAAC"}

12
node_modules/@noble/curves/esm/jubjub.d.ts generated vendored Normal file
View File

@@ -0,0 +1,12 @@
/**
* @deprecated
* @module
*/
import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
/** @deprecated use `import { jubjub } from '@noble/curves/misc.js';` */
export declare const jubjub: typeof jubjubn;
/** @deprecated use `import { jubjub_findGroupHash } from '@noble/curves/misc.js';` */
export declare const findGroupHash: typeof jubjub_findGroupHash;
/** @deprecated use `import { jubjub_groupHash } from '@noble/curves/misc.js';` */
export declare const groupHash: typeof jubjub_groupHash;
//# sourceMappingURL=jubjub.d.ts.map

1
node_modules/@noble/curves/esm/jubjub.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"jubjub.d.ts","sourceRoot":"","sources":["../src/jubjub.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,WAAW,CAAC;AAEtF,wEAAwE;AACxE,eAAO,MAAM,MAAM,EAAE,OAAO,OAAiB,CAAC;AAC9C,sFAAsF;AACtF,eAAO,MAAM,aAAa,EAAE,OAAO,oBAA2C,CAAC;AAC/E,kFAAkF;AAClF,eAAO,MAAM,SAAS,EAAE,OAAO,gBAAmC,CAAC"}

12
node_modules/@noble/curves/esm/jubjub.js generated vendored Normal file
View File

@@ -0,0 +1,12 @@
/**
* @deprecated
* @module
*/
import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from "./misc.js";
/** @deprecated use `import { jubjub } from '@noble/curves/misc.js';` */
export const jubjub = jubjubn;
/** @deprecated use `import { jubjub_findGroupHash } from '@noble/curves/misc.js';` */
export const findGroupHash = jubjub_findGroupHash;
/** @deprecated use `import { jubjub_groupHash } from '@noble/curves/misc.js';` */
export const groupHash = jubjub_groupHash;
//# sourceMappingURL=jubjub.js.map

1
node_modules/@noble/curves/esm/jubjub.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"jubjub.js","sourceRoot":"","sources":["../src/jubjub.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,IAAI,OAAO,EAAE,MAAM,WAAW,CAAC;AAEtF,wEAAwE;AACxE,MAAM,CAAC,MAAM,MAAM,GAAmB,OAAO,CAAC;AAC9C,sFAAsF;AACtF,MAAM,CAAC,MAAM,aAAa,GAAgC,oBAAoB,CAAC;AAC/E,kFAAkF;AAClF,MAAM,CAAC,MAAM,SAAS,GAA4B,gBAAgB,CAAC"}

19
node_modules/@noble/curves/esm/misc.d.ts generated vendored Normal file
View File

@@ -0,0 +1,19 @@
import { type CurveFn, type EdwardsPoint } from './abstract/edwards.ts';
import { type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
export declare const jubjub: CurveFn;
/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
export declare const babyjubjub: CurveFn;
export declare function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): EdwardsPoint;
export declare function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): EdwardsPoint;
export declare const pasta_p: bigint;
export declare const pasta_q: bigint;
/**
* @deprecated
*/
export declare const pallas: WCurveFn;
/**
* @deprecated
*/
export declare const vesta: WCurveFn;
//# sourceMappingURL=misc.d.ts.map

1
node_modules/@noble/curves/esm/misc.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"misc.d.ts","sourceRoot":"","sources":["../src/misc.ts"],"names":[],"mappings":"AAUA,OAAO,EAEL,KAAK,OAAO,EAEZ,KAAK,YAAY,EAClB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAe,KAAK,OAAO,IAAI,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAgBlF,8DAA8D;AAC9D,eAAO,MAAM,MAAM,EAAE,OAInB,CAAC;AAWH,gEAAgE;AAChE,eAAO,MAAM,UAAU,EAAE,OAIvB,CAAC;AAOH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,eAAe,EAAE,UAAU,GAAG,YAAY,CAU3F;AAKD,wBAAgB,oBAAoB,CAAC,CAAC,EAAE,UAAU,EAAE,eAAe,EAAE,UAAU,GAAG,YAAY,CAW7F;AAID,eAAO,MAAM,OAAO,EAAE,MAErB,CAAC;AACF,eAAO,MAAM,OAAO,EAAE,MAErB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,MAAM,EAAE,QASnB,CAAC;AACH;;GAEG;AACH,eAAO,MAAM,KAAK,EAAE,QASlB,CAAC"}

109
node_modules/@noble/curves/esm/misc.js generated vendored Normal file
View File

@@ -0,0 +1,109 @@
/**
* Miscellaneous, rarely used curves.
* jubjub, babyjubjub, pallas, vesta.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { blake256 } from '@noble/hashes/blake1.js';
import { blake2s } from '@noble/hashes/blake2.js';
import { sha256, sha512 } from '@noble/hashes/sha2.js';
import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
import { twistedEdwards, } from "./abstract/edwards.js";
import { Field, mod } from "./abstract/modular.js";
import { weierstrass } from "./abstract/weierstrass.js";
import { bls12_381_Fr } from "./bls12-381.js";
import { bn254_Fr } from "./bn254.js";
// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
// jubjub Fp = bls n. babyjubjub Fp = bn254 n.
// verify manually, check bls12-381.ts and bn254.ts.
const jubjub_CURVE = {
p: bls12_381_Fr.ORDER,
n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
h: BigInt(8),
a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
};
/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
export const jubjub = /* @__PURE__ */ twistedEdwards({
...jubjub_CURVE,
Fp: bls12_381_Fr,
hash: sha512,
});
const babyjubjub_CURVE = {
p: bn254_Fr.ORDER,
n: BigInt('0x30644e72e131a029b85045b68181585d59f76dc1c90770533b94bee1c9093788'),
h: BigInt(8),
a: BigInt('168700'),
d: BigInt('168696'),
Gx: BigInt('0x23343e3445b673d38bcba38f25645adb494b1255b1162bb40f41a59f4d4b45e'),
Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
};
/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
export const babyjubjub = /* @__PURE__ */ twistedEdwards({
...babyjubjub_CURVE,
Fp: bn254_Fr,
hash: blake256,
});
const jubjub_gh_first_block = utf8ToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
// Returns point at JubJub curve which is prime order and not zero
export function jubjub_groupHash(tag, personalization) {
const h = blake2s.create({ personalization, dkLen: 32 });
h.update(jubjub_gh_first_block);
h.update(tag);
// NOTE: returns ExtendedPoint, in case it will be multiplied later
let p = jubjub.Point.fromBytes(h.digest());
// NOTE: cannot replace with isSmallOrder, returns Point*8
p = p.multiply(jubjub_CURVE.h);
if (p.equals(jubjub.Point.ZERO))
throw new Error('Point has small order');
return p;
}
// No secret data is leaked here at all.
// It operates over public data:
// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
export function jubjub_findGroupHash(m, personalization) {
const tag = concatBytes(m, Uint8Array.of(0));
const hashes = [];
for (let i = 0; i < 256; i++) {
tag[tag.length - 1] = i;
try {
hashes.push(jubjub_groupHash(tag, personalization));
}
catch (e) { }
}
if (!hashes.length)
throw new Error('findGroupHash tag overflow');
return hashes[0];
}
// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
export const pasta_p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
export const pasta_q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
/**
* @deprecated
*/
export const pallas = weierstrass({
a: BigInt(0),
b: BigInt(5),
Fp: Field(pasta_p),
n: pasta_q,
Gx: mod(BigInt(-1), pasta_p),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});
/**
* @deprecated
*/
export const vesta = weierstrass({
a: BigInt(0),
b: BigInt(5),
Fp: Field(pasta_q),
n: pasta_p,
Gx: mod(BigInt(-1), pasta_q),
Gy: BigInt(2),
h: BigInt(1),
hash: sha256,
});
//# sourceMappingURL=misc.js.map

1
node_modules/@noble/curves/esm/misc.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"misc.js","sourceRoot":"","sources":["../src/misc.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EACL,cAAc,GAIf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,WAAW,EAA4B,MAAM,2BAA2B,CAAC;AAClF,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,6FAA6F;AAC7F,8CAA8C;AAC9C,oDAAoD;AACpD,MAAM,YAAY,GAAgB;IAChC,CAAC,EAAE,YAAY,CAAC,KAAK;IACrB,CAAC,EAAE,MAAM,CAAC,mEAAmE,CAAC;IAC9E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;CACjF,CAAC;AACF,8DAA8D;AAC9D,MAAM,CAAC,MAAM,MAAM,GAAY,eAAe,CAAC,cAAc,CAAC;IAC5D,GAAG,YAAY;IACf,EAAE,EAAE,YAAY;IAChB,IAAI,EAAE,MAAM;CACb,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAgB;IACpC,CAAC,EAAE,QAAQ,CAAC,KAAK;IACjB,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC,mEAAmE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,mEAAmE,CAAC;CAChF,CAAC;AACF,gEAAgE;AAChE,MAAM,CAAC,MAAM,UAAU,GAAY,eAAe,CAAC,cAAc,CAAC;IAChE,GAAG,gBAAgB;IACnB,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,QAAQ;CACf,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,WAAW,CACvC,kEAAkE,CACnE,CAAC;AAEF,kEAAkE;AAClE,MAAM,UAAU,gBAAgB,CAAC,GAAe,EAAE,eAA2B;IAC3E,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAChC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,mEAAmE;IACnE,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3C,0DAA0D;IAC1D,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC1E,OAAO,CAAC,CAAC;AACX,CAAC;AAED,wCAAwC;AACxC,gCAAgC;AAChC,iFAAiF;AACjF,MAAM,UAAU,oBAAoB,CAAC,CAAa,EAAE,eAA2B;IAC7E,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,EAAE,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IAChB,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAClE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,sFAAsF;AAEtF,MAAM,CAAC,MAAM,OAAO,GAAW,MAAM,CACnC,oEAAoE,CACrE,CAAC;AACF,MAAM,CAAC,MAAM,OAAO,GAAW,MAAM,CACnC,oEAAoE,CACrE,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAa,WAAW,CAAC;IAC1C,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC;IAClB,CAAC,EAAE,OAAO;IACV,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC;IAC5B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,MAAM;CACb,CAAC,CAAC;AACH;;GAEG;AACH,MAAM,CAAC,MAAM,KAAK,GAAa,WAAW,CAAC;IACzC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,KAAK,CAAC,OAAO,CAAC;IAClB,CAAC,EAAE,OAAO;IACV,EAAE,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC;IAC5B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,MAAM;CACb,CAAC,CAAC"}

21
node_modules/@noble/curves/esm/nist.d.ts generated vendored Normal file
View File

@@ -0,0 +1,21 @@
import { type CurveFnWithCreate } from './_shortw_utils.ts';
import { type H2CHasher } from './abstract/hash-to-curve.ts';
/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
export declare const p256: CurveFnWithCreate;
/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
export declare const p256_hasher: H2CHasher<bigint>;
/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
export declare const p384: CurveFnWithCreate;
/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
export declare const p384_hasher: H2CHasher<bigint>;
/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
export declare const p521: CurveFnWithCreate;
/** @deprecated use `p256` for consistency with `p256_hasher` */
export declare const secp256r1: typeof p256;
/** @deprecated use `p384` for consistency with `p384_hasher` */
export declare const secp384r1: typeof p384;
/** @deprecated use `p521` for consistency with `p521_hasher` */
export declare const secp521r1: typeof p521;
/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
export declare const p521_hasher: H2CHasher<bigint>;
//# sourceMappingURL=nist.d.ts.map

1
node_modules/@noble/curves/esm/nist.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"nist.d.ts","sourceRoot":"","sources":["../src/nist.ts"],"names":[],"mappings":"AAOA,OAAO,EAAe,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAgB,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AA+E3E,2EAA2E;AAC3E,eAAO,MAAM,IAAI,EAAE,iBAGlB,CAAC;AACF,mEAAmE;AACnE,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAkBtC,CAAC;AAUL,+DAA+D;AAC/D,eAAO,MAAM,IAAI,EAAE,iBAGlB,CAAC;AACF,mEAAmE;AACnE,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAkBtC,CAAC;AAWL,+DAA+D;AAC/D,eAAO,MAAM,IAAI,EAAE,iBAGlB,CAAC;AAEF,gEAAgE;AAChE,eAAO,MAAM,SAAS,EAAE,OAAO,IAAW,CAAC;AAC3C,gEAAgE;AAChE,eAAO,MAAM,SAAS,EAAE,OAAO,IAAW,CAAC;AAC3C,gEAAgE;AAChE,eAAO,MAAM,SAAS,EAAE,OAAO,IAAW,CAAC;AAE3C,mEAAmE;AACnE,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAkBtC,CAAC"}

132
node_modules/@noble/curves/esm/nist.js generated vendored Normal file
View File

@@ -0,0 +1,132 @@
/**
* Internal module for NIST P256, P384, P521 curves.
* Do not use for now.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
import { createCurve } from "./_shortw_utils.js";
import { createHasher } from "./abstract/hash-to-curve.js";
import { Field } from "./abstract/modular.js";
import { mapToCurveSimpleSWU, } from "./abstract/weierstrass.js";
// p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
// a = Fp256.create(BigInt('-3'));
const p256_CURVE = {
p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
h: BigInt(1),
a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
};
// p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
const p384_CURVE = {
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
h: BigInt(1),
a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
};
// p = 2n**521n - 1n
const p521_CURVE = {
p: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
h: BigInt(1),
a: BigInt('0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
};
const Fp256 = Field(p256_CURVE.p);
const Fp384 = Field(p384_CURVE.p);
const Fp521 = Field(p521_CURVE.p);
function createSWU(Point, opts) {
const map = mapToCurveSimpleSWU(Point.Fp, opts);
return (scalars) => map(scalars[0]);
}
/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
export const p256 = createCurve({ ...p256_CURVE, Fp: Fp256, lowS: false }, sha256);
/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
export const p256_hasher = /* @__PURE__ */ (() => {
return createHasher(p256.Point, createSWU(p256.Point, {
A: p256_CURVE.a,
B: p256_CURVE.b,
Z: p256.Point.Fp.create(BigInt('-10')),
}), {
DST: 'P256_XMD:SHA-256_SSWU_RO_',
encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
p: p256_CURVE.p,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
});
})();
// export const p256_oprf: OPRF = createORPF({
// name: 'P256-SHA256',
// Point: p256.Point,
// hash: sha256,
// hashToGroup: p256_hasher.hashToCurve,
// hashToScalar: p256_hasher.hashToScalar,
// });
/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
export const p384 = createCurve({ ...p384_CURVE, Fp: Fp384, lowS: false }, sha384);
/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
export const p384_hasher = /* @__PURE__ */ (() => {
return createHasher(p384.Point, createSWU(p384.Point, {
A: p384_CURVE.a,
B: p384_CURVE.b,
Z: p384.Point.Fp.create(BigInt('-12')),
}), {
DST: 'P384_XMD:SHA-384_SSWU_RO_',
encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
p: p384_CURVE.p,
m: 1,
k: 192,
expand: 'xmd',
hash: sha384,
});
})();
// export const p384_oprf: OPRF = createORPF({
// name: 'P384-SHA384',
// Point: p384.Point,
// hash: sha384,
// hashToGroup: p384_hasher.hashToCurve,
// hashToScalar: p384_hasher.hashToScalar,
// });
// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
export const p521 = createCurve({ ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] }, sha512);
/** @deprecated use `p256` for consistency with `p256_hasher` */
export const secp256r1 = p256;
/** @deprecated use `p384` for consistency with `p384_hasher` */
export const secp384r1 = p384;
/** @deprecated use `p521` for consistency with `p521_hasher` */
export const secp521r1 = p521;
/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
export const p521_hasher = /* @__PURE__ */ (() => {
return createHasher(p521.Point, createSWU(p521.Point, {
A: p521_CURVE.a,
B: p521_CURVE.b,
Z: p521.Point.Fp.create(BigInt('-4')),
}), {
DST: 'P521_XMD:SHA-512_SSWU_RO_',
encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
p: p521_CURVE.p,
m: 1,
k: 256,
expand: 'xmd',
hash: sha512,
});
})();
// export const p521_oprf: OPRF = createORPF({
// name: 'P521-SHA512',
// Point: p521.Point,
// hash: sha512,
// hashToGroup: p521_hasher.hashToCurve,
// hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
// });
//# sourceMappingURL=nist.js.map

1
node_modules/@noble/curves/esm/nist.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"nist.js","sourceRoot":"","sources":["../src/nist.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,sEAAsE;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAA0B,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,YAAY,EAAkB,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EACL,mBAAmB,GAGpB,MAAM,2BAA2B,CAAC;AAEnC,wDAAwD;AACxD,kCAAkC;AAClC,MAAM,UAAU,GAA4B;IAC1C,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;CACjF,CAAC;AAEF,mDAAmD;AACnD,MAAM,UAAU,GAA4B;IAC1C,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,CAAC,EAAE,MAAM,CACP,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;IACD,EAAE,EAAE,MAAM,CACR,oGAAoG,CACrG;CACF,CAAC;AAEF,oBAAoB;AACpB,MAAM,UAAU,GAA4B;IAC1C,CAAC,EAAE,MAAM,CACP,uIAAuI,CACxI;IACD,CAAC,EAAE,MAAM,CACP,wIAAwI,CACzI;IACD,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CACP,uIAAuI,CACxI;IACD,CAAC,EAAE,MAAM,CACP,wIAAwI,CACzI;IACD,EAAE,EAAE,MAAM,CACR,wIAAwI,CACzI;IACD,EAAE,EAAE,MAAM,CACR,wIAAwI,CACzI;CACF,CAAC;AAEF,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAClC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAClC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;AAMlC,SAAS,SAAS,CAAC,KAAmC,EAAE,IAAa;IACnE,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAChD,OAAO,CAAC,OAAiB,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,2EAA2E;AAC3E,MAAM,CAAC,MAAM,IAAI,GAAsB,WAAW,CAChD,EAAE,GAAG,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EACzC,MAAM,CACP,CAAC;AACF,mEAAmE;AACnE,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE;IAClE,OAAO,YAAY,CACjB,IAAI,CAAC,KAAK,EACV,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AAEL,8CAA8C;AAC9C,yBAAyB;AACzB,uBAAuB;AACvB,kBAAkB;AAClB,0CAA0C;AAC1C,4CAA4C;AAC5C,MAAM;AAEN,+DAA+D;AAC/D,MAAM,CAAC,MAAM,IAAI,GAAsB,WAAW,CAChD,EAAE,GAAG,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,EACzC,MAAM,CACP,CAAC;AACF,mEAAmE;AACnE,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE;IAClE,OAAO,YAAY,CACjB,IAAI,CAAC,KAAK,EACV,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACvC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AAEL,8CAA8C;AAC9C,yBAAyB;AACzB,uBAAuB;AACvB,kBAAkB;AAClB,0CAA0C;AAC1C,4CAA4C;AAC5C,MAAM;AAEN,yEAAyE;AACzE,+DAA+D;AAC/D,MAAM,CAAC,MAAM,IAAI,GAAsB,WAAW,CAChD,EAAE,GAAG,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EACpF,MAAM,CACP,CAAC;AAEF,gEAAgE;AAChE,MAAM,CAAC,MAAM,SAAS,GAAgB,IAAI,CAAC;AAC3C,gEAAgE;AAChE,MAAM,CAAC,MAAM,SAAS,GAAgB,IAAI,CAAC;AAC3C,gEAAgE;AAChE,MAAM,CAAC,MAAM,SAAS,GAAgB,IAAI,CAAC;AAE3C,mEAAmE;AACnE,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE;IAClE,OAAO,YAAY,CACjB,IAAI,CAAC,KAAK,EACV,SAAS,CAAC,IAAI,CAAC,KAAK,EAAE;QACpB,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;KACtC,CAAC,EACF;QACE,GAAG,EAAE,2BAA2B;QAChC,SAAS,EAAE,2BAA2B;QACtC,CAAC,EAAE,UAAU,CAAC,CAAC;QACf,CAAC,EAAE,CAAC;QACJ,CAAC,EAAE,GAAG;QACN,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CACF,CAAC;AACJ,CAAC,CAAC,EAAE,CAAC;AAEL,8CAA8C;AAC9C,yBAAyB;AACzB,uBAAuB;AACvB,kBAAkB;AAClB,0CAA0C;AAC1C,8EAA8E;AAC9E,MAAM"}

16
node_modules/@noble/curves/esm/p256.d.ts generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp256r1 aka p256.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p256 as p256n } from './nist.ts';
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export declare const p256: typeof p256n;
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export declare const secp256r1: typeof p256n;
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
//# sourceMappingURL=p256.d.ts.map

1
node_modules/@noble/curves/esm/p256.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p256.d.ts","sourceRoot":"","sources":["../src/p256.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAe,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,eAAO,MAAM,IAAI,EAAE,OAAO,KAAa,CAAC;AACxC,sEAAsE;AACtE,eAAO,MAAM,SAAS,EAAE,OAAO,KAAa,CAAC;AAC7C,6EAA6E;AAC7E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAqD,CAAC;AAChG,6EAA6E;AAC7E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CAAuD,CAAC"}

16
node_modules/@noble/curves/esm/p256.js generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp256r1 aka p256.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {} from "./abstract/hash-to-curve.js";
import { p256_hasher, p256 as p256n } from "./nist.js";
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export const p256 = p256n;
/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
export const secp256r1 = p256n;
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
/** @deprecated use `import { p256_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();
//# sourceMappingURL=p256.js.map

1
node_modules/@noble/curves/esm/p256.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p256.js","sourceRoot":"","sources":["../src/p256.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAkB,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,MAAM,CAAC,MAAM,IAAI,GAAiB,KAAK,CAAC;AACxC,sEAAsE;AACtE,MAAM,CAAC,MAAM,SAAS,GAAiB,KAAK,CAAC;AAC7C,6EAA6E;AAC7E,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;AAChG,6EAA6E;AAC7E,MAAM,CAAC,MAAM,aAAa,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC"}

16
node_modules/@noble/curves/esm/p384.d.ts generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp384r1 aka p384.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p384 as p384n } from './nist.ts';
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export declare const p384: typeof p384n;
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export declare const secp384r1: typeof p384n;
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
//# sourceMappingURL=p384.d.ts.map

1
node_modules/@noble/curves/esm/p384.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p384.d.ts","sourceRoot":"","sources":["../src/p384.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAe,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,eAAO,MAAM,IAAI,EAAE,OAAO,KAAa,CAAC;AACxC,sEAAsE;AACtE,eAAO,MAAM,SAAS,EAAE,OAAO,KAAa,CAAC;AAC7C,6EAA6E;AAC7E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAqD,CAAC;AAChG,6EAA6E;AAC7E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CAAuD,CAAC"}

16
node_modules/@noble/curves/esm/p384.js generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp384r1 aka p384.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {} from "./abstract/hash-to-curve.js";
import { p384_hasher, p384 as p384n } from "./nist.js";
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export const p384 = p384n;
/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
export const secp384r1 = p384n;
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
/** @deprecated use `import { p384_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
//# sourceMappingURL=p384.js.map

1
node_modules/@noble/curves/esm/p384.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p384.js","sourceRoot":"","sources":["../src/p384.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAkB,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,MAAM,CAAC,MAAM,IAAI,GAAiB,KAAK,CAAC;AACxC,sEAAsE;AACtE,MAAM,CAAC,MAAM,SAAS,GAAiB,KAAK,CAAC;AAC7C,6EAA6E;AAC7E,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;AAChG,6EAA6E;AAC7E,MAAM,CAAC,MAAM,aAAa,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC"}

16
node_modules/@noble/curves/esm/p521.d.ts generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp521r1 aka p521.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { type H2CMethod } from './abstract/hash-to-curve.ts';
import { p521 as p521n } from './nist.ts';
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export declare const p521: typeof p521n;
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export declare const secp521r1: typeof p521n;
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
//# sourceMappingURL=p521.d.ts.map

1
node_modules/@noble/curves/esm/p521.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p521.d.ts","sourceRoot":"","sources":["../src/p521.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAE,KAAK,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAe,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,eAAO,MAAM,IAAI,EAAE,OAAO,KAAa,CAAC;AACxC,sEAAsE;AACtE,eAAO,MAAM,SAAS,EAAE,OAAO,KAAa,CAAC;AAC7C,6EAA6E;AAC7E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAqD,CAAC;AAChG,6EAA6E;AAC7E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CAAuD,CAAC"}

16
node_modules/@noble/curves/esm/p521.js generated vendored Normal file
View File

@@ -0,0 +1,16 @@
/**
* NIST secp521r1 aka p521.
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import {} from "./abstract/hash-to-curve.js";
import { p521_hasher, p521 as p521n } from "./nist.js";
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export const p521 = p521n;
/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
export const secp521r1 = p521n;
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export const hashToCurve = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
/** @deprecated use `import { p521_hasher } from '@noble/curves/nist.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();
//# sourceMappingURL=p521.js.map

1
node_modules/@noble/curves/esm/p521.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"p521.js","sourceRoot":"","sources":["../src/p521.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,sEAAsE;AACtE,OAAO,EAAkB,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,IAAI,IAAI,KAAK,EAAE,MAAM,WAAW,CAAC;AACvD,sEAAsE;AACtE,MAAM,CAAC,MAAM,IAAI,GAAiB,KAAK,CAAC;AACxC,sEAAsE;AACtE,MAAM,CAAC,MAAM,SAAS,GAAiB,KAAK,CAAC;AAC7C,6EAA6E;AAC7E,MAAM,CAAC,MAAM,WAAW,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC;AAChG,6EAA6E;AAC7E,MAAM,CAAC,MAAM,aAAa,GAAsB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC"}

4
node_modules/@noble/curves/esm/package.json generated vendored Normal file
View File

@@ -0,0 +1,4 @@
{
"type": "module",
"sideEffects": false
}

10
node_modules/@noble/curves/esm/pasta.d.ts generated vendored Normal file
View File

@@ -0,0 +1,10 @@
/**
* @deprecated
* @module
*/
import { pallas as pn, vesta as vn } from './misc.ts';
/** @deprecated */
export declare const pallas: typeof pn;
/** @deprecated */
export declare const vesta: typeof vn;
//# sourceMappingURL=pasta.d.ts.map

1
node_modules/@noble/curves/esm/pasta.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"pasta.d.ts","sourceRoot":"","sources":["../src/pasta.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,MAAM,IAAI,EAAE,EAAE,KAAK,IAAI,EAAE,EAAE,MAAM,WAAW,CAAC;AACtD,kBAAkB;AAClB,eAAO,MAAM,MAAM,EAAE,OAAO,EAAO,CAAC;AACpC,kBAAkB;AAClB,eAAO,MAAM,KAAK,EAAE,OAAO,EAAO,CAAC"}

10
node_modules/@noble/curves/esm/pasta.js generated vendored Normal file
View File

@@ -0,0 +1,10 @@
/**
* @deprecated
* @module
*/
import { pallas as pn, vesta as vn } from "./misc.js";
/** @deprecated */
export const pallas = pn;
/** @deprecated */
export const vesta = vn;
//# sourceMappingURL=pasta.js.map

1
node_modules/@noble/curves/esm/pasta.js.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"pasta.js","sourceRoot":"","sources":["../src/pasta.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,MAAM,IAAI,EAAE,EAAE,KAAK,IAAI,EAAE,EAAE,MAAM,WAAW,CAAC;AACtD,kBAAkB;AAClB,MAAM,CAAC,MAAM,MAAM,GAAc,EAAE,CAAC;AACpC,kBAAkB;AAClB,MAAM,CAAC,MAAM,KAAK,GAAc,EAAE,CAAC"}

89
node_modules/@noble/curves/esm/secp256k1.d.ts generated vendored Normal file
View File

@@ -0,0 +1,89 @@
import { type CurveFnWithCreate } from './_shortw_utils.ts';
import type { CurveLengths } from './abstract/curve.ts';
import { type H2CHasher, type H2CMethod } from './abstract/hash-to-curve.ts';
import { mod } from './abstract/modular.ts';
import { type WeierstrassPoint as PointType, type WeierstrassPointCons } from './abstract/weierstrass.ts';
import type { Hex, PrivKey } from './utils.ts';
import { bytesToNumberBE, numberToBytesBE } from './utils.ts';
/**
* secp256k1 curve, ECDSA and ECDH methods.
*
* Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
*
* @example
* ```js
* import { secp256k1 } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = secp256k1.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = secp256k1.sign(msg, secretKey);
* const isValid = secp256k1.verify(sig, msg, publicKey) === true;
* ```
*/
export declare const secp256k1: CurveFnWithCreate;
declare function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array;
/**
* lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
* @returns valid point checked for being on-curve
*/
declare function lift_x(x: bigint): PointType<bigint>;
/**
* Schnorr public key is just `x` coordinate of Point as per BIP340.
*/
declare function schnorrGetPublicKey(secretKey: Hex): Uint8Array;
/**
* Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
* auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
*/
declare function schnorrSign(message: Hex, secretKey: PrivKey, auxRand?: Hex): Uint8Array;
/**
* Verifies Schnorr signature.
* Will swallow errors & return false except for initial type validation of arguments.
*/
declare function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean;
export type SecpSchnorr = {
keygen: (seed?: Uint8Array) => {
secretKey: Uint8Array;
publicKey: Uint8Array;
};
getPublicKey: typeof schnorrGetPublicKey;
sign: typeof schnorrSign;
verify: typeof schnorrVerify;
Point: WeierstrassPointCons<bigint>;
utils: {
randomSecretKey: (seed?: Uint8Array) => Uint8Array;
pointToBytes: (point: PointType<bigint>) => Uint8Array;
lift_x: typeof lift_x;
taggedHash: typeof taggedHash;
/** @deprecated use `randomSecretKey` */
randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
/** @deprecated use `utils` */
numberToBytesBE: typeof numberToBytesBE;
/** @deprecated use `utils` */
bytesToNumberBE: typeof bytesToNumberBE;
/** @deprecated use `modular` */
mod: typeof mod;
};
lengths: CurveLengths;
};
/**
* Schnorr signatures over secp256k1.
* https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
* @example
* ```js
* import { schnorr } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = schnorr.keygen();
* // const publicKey = schnorr.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello');
* const sig = schnorr.sign(msg, secretKey);
* const isValid = schnorr.verify(sig, msg, publicKey);
* ```
*/
export declare const schnorr: SecpSchnorr;
/** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
export declare const secp256k1_hasher: H2CHasher<bigint>;
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export declare const hashToCurve: H2CMethod<bigint>;
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export declare const encodeToCurve: H2CMethod<bigint>;
export {};
//# sourceMappingURL=secp256k1.d.ts.map

1
node_modules/@noble/curves/esm/secp256k1.d.ts.map generated vendored Normal file
View File

@@ -0,0 +1 @@
{"version":3,"file":"secp256k1.d.ts","sourceRoot":"","sources":["../src/secp256k1.ts"],"names":[],"mappings":"AAUA,OAAO,EAAe,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACzE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAEL,KAAK,SAAS,EACd,KAAK,SAAS,EAEf,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAyB,GAAG,EAAQ,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAIL,KAAK,gBAAgB,IAAI,SAAS,EAElC,KAAK,oBAAoB,EAC1B,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EACL,eAAe,EAIf,eAAe,EAEhB,MAAM,YAAY,CAAC;AAyDpB;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,SAAS,EAAE,iBAGvB,CAAC;AAMF,iBAAS,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,UAAU,EAAE,GAAG,UAAU,CAQtE;AAeD;;;GAGG;AACH,iBAAS,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC,CAY5C;AASD;;GAEG;AACH,iBAAS,mBAAmB,CAAC,SAAS,EAAE,GAAG,GAAG,UAAU,CAEvD;AAED;;;GAGG;AACH,iBAAS,WAAW,CAAC,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,GAAE,GAAqB,GAAG,UAAU,CAgBjG;AAED;;;GAGG;AACH,iBAAS,aAAa,CAAC,SAAS,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,GAAG,OAAO,CAsB5E;AAED,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,UAAU,KAAK;QAAE,SAAS,EAAE,UAAU,CAAC;QAAC,SAAS,EAAE,UAAU,CAAA;KAAE,CAAC;IAChF,YAAY,EAAE,OAAO,mBAAmB,CAAC;IACzC,IAAI,EAAE,OAAO,WAAW,CAAC;IACzB,MAAM,EAAE,OAAO,aAAa,CAAC;IAC7B,KAAK,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACpC,KAAK,EAAE;QACL,eAAe,EAAE,CAAC,IAAI,CAAC,EAAE,UAAU,KAAK,UAAU,CAAC;QACnD,YAAY,EAAE,CAAC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,UAAU,CAAC;QACvD,MAAM,EAAE,OAAO,MAAM,CAAC;QACtB,UAAU,EAAE,OAAO,UAAU,CAAC;QAE9B,wCAAwC;QACxC,gBAAgB,EAAE,CAAC,IAAI,CAAC,EAAE,UAAU,KAAK,UAAU,CAAC;QACpD,8BAA8B;QAC9B,eAAe,EAAE,OAAO,eAAe,CAAC;QACxC,8BAA8B;QAC9B,eAAe,EAAE,OAAO,eAAe,CAAC;QACxC,gCAAgC;QAChC,GAAG,EAAE,OAAO,GAAG,CAAC;KACjB,CAAC;IACF,OAAO,EAAE,YAAY,CAAC;CACvB,CAAC;AACF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,OAAO,EAAE,WAsClB,CAAC;AA0CL,wEAAwE;AACxE,eAAO,MAAM,gBAAgB,EAAE,SAAS,CAAC,MAAM,CAgBzC,CAAC;AAEP,uFAAuF;AACvF,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CACT,CAAC;AAElC,uFAAuF;AACvF,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACT,CAAC"}

294
node_modules/@noble/curves/esm/secp256k1.js generated vendored Normal file
View File

@@ -0,0 +1,294 @@
/**
* SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
*
* Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,
* check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).
* @module
*/
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { sha256 } from '@noble/hashes/sha2.js';
import { randomBytes } from '@noble/hashes/utils.js';
import { createCurve } from "./_shortw_utils.js";
import { createHasher, isogenyMap, } from "./abstract/hash-to-curve.js";
import { Field, mapHashToField, mod, pow2 } from "./abstract/modular.js";
import { _normFnElement, mapToCurveSimpleSWU, } from "./abstract/weierstrass.js";
import { bytesToNumberBE, concatBytes, ensureBytes, inRange, numberToBytesBE, utf8ToBytes, } from "./utils.js";
// Seems like generator was produced from some seed:
// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
const secp256k1_CURVE = {
p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
h: BigInt(1),
a: BigInt(0),
b: BigInt(7),
Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
};
const secp256k1_ENDO = {
beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
basises: [
[BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')],
[BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')],
],
};
const _0n = /* @__PURE__ */ BigInt(0);
const _1n = /* @__PURE__ */ BigInt(1);
const _2n = /* @__PURE__ */ BigInt(2);
/**
* √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
* (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
*/
function sqrtMod(y) {
const P = secp256k1_CURVE.p;
// prettier-ignore
const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
// prettier-ignore
const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
const b2 = (y * y * y) % P; // x^3, 11
const b3 = (b2 * b2 * y) % P; // x^7
const b6 = (pow2(b3, _3n, P) * b3) % P;
const b9 = (pow2(b6, _3n, P) * b3) % P;
const b11 = (pow2(b9, _2n, P) * b2) % P;
const b22 = (pow2(b11, _11n, P) * b11) % P;
const b44 = (pow2(b22, _22n, P) * b22) % P;
const b88 = (pow2(b44, _44n, P) * b44) % P;
const b176 = (pow2(b88, _88n, P) * b88) % P;
const b220 = (pow2(b176, _44n, P) * b44) % P;
const b223 = (pow2(b220, _3n, P) * b3) % P;
const t1 = (pow2(b223, _23n, P) * b22) % P;
const t2 = (pow2(t1, _6n, P) * b2) % P;
const root = pow2(t2, _2n, P);
if (!Fpk1.eql(Fpk1.sqr(root), y))
throw new Error('Cannot find square root');
return root;
}
const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
/**
* secp256k1 curve, ECDSA and ECDH methods.
*
* Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
*
* @example
* ```js
* import { secp256k1 } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = secp256k1.keygen();
* const msg = new TextEncoder().encode('hello');
* const sig = secp256k1.sign(msg, secretKey);
* const isValid = secp256k1.verify(sig, msg, publicKey) === true;
* ```
*/
export const secp256k1 = createCurve({ ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO }, sha256);
// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
const TAGGED_HASH_PREFIXES = {};
function taggedHash(tag, ...messages) {
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === undefined) {
const tagH = sha256(utf8ToBytes(tag));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return sha256(concatBytes(tagP, ...messages));
}
// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
const pointToBytes = (point) => point.toBytes(true).slice(1);
const Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
const hasEven = (y) => y % _2n === _0n;
// Calculate point, scalar and bytes
function schnorrGetExtPubKey(priv) {
const { Fn, BASE } = Pointk1;
const d_ = _normFnElement(Fn, priv);
const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
return { scalar, bytes: pointToBytes(p) };
}
/**
* lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.
* @returns valid point checked for being on-curve
*/
function lift_x(x) {
const Fp = Fpk1;
if (!Fp.isValidNot0(x))
throw new Error('invalid x: Fail if x ≥ p');
const xx = Fp.create(x * x);
const c = Fp.create(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
let y = Fp.sqrt(c); // Let y = c^(p+1)/4 mod p. Same as sqrt().
// Return the unique point P such that x(P) = x and
// y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
if (!hasEven(y))
y = Fp.neg(y);
const p = Pointk1.fromAffine({ x, y });
p.assertValidity();
return p;
}
const num = bytesToNumberBE;
/**
* Create tagged hash, convert it to bigint, reduce modulo-n.
*/
function challenge(...args) {
return Pointk1.Fn.create(num(taggedHash('BIP0340/challenge', ...args)));
}
/**
* Schnorr public key is just `x` coordinate of Point as per BIP340.
*/
function schnorrGetPublicKey(secretKey) {
return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
}
/**
* Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
* auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
*/
function schnorrSign(message, secretKey, auxRand = randomBytes(32)) {
const { Fn } = Pointk1;
const m = ensureBytes('message', message);
const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
// Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G
const { bytes: rx, scalar: k } = schnorrGetExtPubKey(rand);
const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
sig.set(rx, 0);
sig.set(Fn.toBytes(Fn.create(k + e * d)), 32);
// If Verify(bytes(P), m, sig) (see below) returns failure, abort
if (!schnorrVerify(sig, m, px))
throw new Error('sign: Invalid signature produced');
return sig;
}
/**
* Verifies Schnorr signature.
* Will swallow errors & return false except for initial type validation of arguments.
*/
function schnorrVerify(signature, message, publicKey) {
const { Fn, BASE } = Pointk1;
const sig = ensureBytes('signature', signature, 64);
const m = ensureBytes('message', message);
const pub = ensureBytes('publicKey', publicKey, 32);
try {
const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
if (!inRange(r, _1n, secp256k1_CURVE.p))
return false;
const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
if (!inRange(s, _1n, secp256k1_CURVE.n))
return false;
// int(challenge(bytes(r)||bytes(P)||m))%n
const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
// R = s⋅G - e⋅P, where -eP == (n-e)P
const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
const { x, y } = R.toAffine();
// Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
if (R.is0() || !hasEven(y) || x !== r)
return false;
return true;
}
catch (error) {
return false;
}
}
/**
* Schnorr signatures over secp256k1.
* https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
* @example
* ```js
* import { schnorr } from '@noble/curves/secp256k1';
* const { secretKey, publicKey } = schnorr.keygen();
* // const publicKey = schnorr.getPublicKey(secretKey);
* const msg = new TextEncoder().encode('hello');
* const sig = schnorr.sign(msg, secretKey);
* const isValid = schnorr.verify(sig, msg, publicKey);
* ```
*/
export const schnorr = /* @__PURE__ */ (() => {
const size = 32;
const seedLength = 48;
const randomSecretKey = (seed = randomBytes(seedLength)) => {
return mapHashToField(seed, secp256k1_CURVE.n);
};
// TODO: remove
secp256k1.utils.randomSecretKey;
function keygen(seed) {
const secretKey = randomSecretKey(seed);
return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
}
return {
keygen,
getPublicKey: schnorrGetPublicKey,
sign: schnorrSign,
verify: schnorrVerify,
Point: Pointk1,
utils: {
randomSecretKey: randomSecretKey,
randomPrivateKey: randomSecretKey,
taggedHash,
// TODO: remove
lift_x,
pointToBytes,
numberToBytesBE,
bytesToNumberBE,
mod,
},
lengths: {
secretKey: size,
publicKey: size,
publicKeyHasPrefix: false,
signature: size * 2,
seed: seedLength,
},
};
})();
const isoMap = /* @__PURE__ */ (() => isogenyMap(Fpk1, [
// xNum
[
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
'0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
'0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
'0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
],
// xDen
[
'0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
'0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
// yNum
[
'0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
'0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
'0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
'0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
],
// yDen
[
'0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
'0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
'0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
'0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
],
].map((i) => i.map((j) => BigInt(j)))))();
const mapSWU = /* @__PURE__ */ (() => mapToCurveSimpleSWU(Fpk1, {
A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
B: BigInt('1771'),
Z: Fpk1.create(BigInt('-11')),
}))();
/** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
export const secp256k1_hasher = /* @__PURE__ */ (() => createHasher(secp256k1.Point, (scalars) => {
const { x, y } = mapSWU(Fpk1.create(scalars[0]));
return isoMap(x, y);
}, {
DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
p: Fpk1.ORDER,
m: 1,
k: 128,
expand: 'xmd',
hash: sha256,
}))();
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export const hashToCurve = /* @__PURE__ */ (() => secp256k1_hasher.hashToCurve)();
/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
export const encodeToCurve = /* @__PURE__ */ (() => secp256k1_hasher.encodeToCurve)();
//# sourceMappingURL=secp256k1.js.map

Some files were not shown because too many files have changed in this diff Show More