jsnbuchanan/crowd-funder-for-time-pwa
1
0
Fork 1
forked from trent_larson/crowd-funder-for-time-pwa
Code Issues Pull Requests Projects Releases Wiki Activity
Files
d265a9f78c5f415e37b5a89ad8add52d43e94200
crowd-funder-for-time-pwa/sw_scripts/noble-curves.js
Matthew Aaron Raymer d93299c352 Update worker dependencies
2023-12-01 17:04:14 +08:00

5249 lines
177 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
"use strict";
var nobleCurves = (() => {
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __export = (target, all) => {
for (var name in all)
__defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
if ((from && typeof from === "object") || typeof from === "function") {
for (let key of __getOwnPropNames(from))
if (!__hasOwnProp.call(to, key) && key !== except)
__defProp(to, key, {
get: () => from[key],
enumerable:
!(desc = __getOwnPropDesc(from, key)) || desc.enumerable,
});
}
return to;
};
var __toCommonJS = (mod2) =>
__copyProps(__defProp({}, "__esModule", { value: true }), mod2);
// input.js
var input_exports = {};
__export(input_exports, {
bls12_381: () => bls12_381,
ed25519: () => ed25519,
ed25519_edwardsToMontgomeryPriv: () => edwardsToMontgomeryPriv,
ed25519_edwardsToMontgomeryPub: () => edwardsToMontgomeryPub,
ed448: () => ed448,
ed448_edwardsToMontgomeryPub: () => edwardsToMontgomeryPub2,
p256: () => p256,
p384: () => p384,
p521: () => p521,
secp256k1: () => secp256k1,
secp256k1_schnorr: () => schnorr,
utils: () => utils,
x25519: () => x25519,
x448: () => x448,
});
// ../esm/abstract/utils.js
var utils_exports = {};
__export(utils_exports, {
bitGet: () => bitGet,
bitLen: () => bitLen,
bitMask: () => bitMask,
bitSet: () => bitSet,
bytesToHex: () => bytesToHex,
bytesToNumberBE: () => bytesToNumberBE,
bytesToNumberLE: () => bytesToNumberLE,
concatBytes: () => concatBytes,
createHmacDrbg: () => createHmacDrbg,
ensureBytes: () => ensureBytes,
equalBytes: () => equalBytes,
hexToBytes: () => hexToBytes,
hexToNumber: () => hexToNumber,
numberToBytesBE: () => numberToBytesBE,
numberToBytesLE: () => numberToBytesLE,
numberToHexUnpadded: () => numberToHexUnpadded,
numberToVarBytesBE: () => numberToVarBytesBE,
utf8ToBytes: () => utf8ToBytes,
validateObject: () => validateObject,
});
var _0n = BigInt(0);
var _1n = BigInt(1);
var _2n = BigInt(2);
var u8a = (a) => a instanceof Uint8Array;
var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
i.toString(16).padStart(2, "0"),
);
function bytesToHex(bytes2) {
if (!u8a(bytes2)) throw new Error("Uint8Array expected");
let hex = "";
for (let i = 0; i < bytes2.length; i++) {
hex += hexes[bytes2[i]];
}
return hex;
}
function numberToHexUnpadded(num) {
const hex = num.toString(16);
return hex.length & 1 ? `0${hex}` : hex;
}
function hexToNumber(hex) {
if (typeof hex !== "string")
throw new Error("hex string expected, got " + typeof hex);
return BigInt(hex === "" ? "0" : `0x${hex}`);
}
function hexToBytes(hex) {
if (typeof hex !== "string")
throw new Error("hex string expected, got " + typeof hex);
const len = hex.length;
if (len % 2)
throw new Error(
"padded hex string expected, got unpadded hex of length " + len,
);
const array = new Uint8Array(len / 2);
for (let i = 0; i < array.length; i++) {
const j = i * 2;
const hexByte = hex.slice(j, j + 2);
const byte = Number.parseInt(hexByte, 16);
if (Number.isNaN(byte) || byte < 0)
throw new Error("Invalid byte sequence");
array[i] = byte;
}
return array;
}
function bytesToNumberBE(bytes2) {
return hexToNumber(bytesToHex(bytes2));
}
function bytesToNumberLE(bytes2) {
if (!u8a(bytes2)) throw new Error("Uint8Array expected");
return hexToNumber(bytesToHex(Uint8Array.from(bytes2).reverse()));
}
function numberToBytesBE(n, len) {
return hexToBytes(n.toString(16).padStart(len * 2, "0"));
}
function numberToBytesLE(n, len) {
return numberToBytesBE(n, len).reverse();
}
function numberToVarBytesBE(n) {
return hexToBytes(numberToHexUnpadded(n));
}
function ensureBytes(title, hex, expectedLength) {
let res;
if (typeof hex === "string") {
try {
res = hexToBytes(hex);
} catch (e) {
throw new Error(
`${title} must be valid hex string, got "${hex}". Cause: ${e}`,
);
}
} else if (u8a(hex)) {
res = Uint8Array.from(hex);
} else {
throw new Error(`${title} must be hex string or Uint8Array`);
}
const len = res.length;
if (typeof expectedLength === "number" && len !== expectedLength)
throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
return res;
}
function concatBytes(...arrays) {
const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
let pad = 0;
arrays.forEach((a) => {
if (!u8a(a)) throw new Error("Uint8Array expected");
r.set(a, pad);
pad += a.length;
});
return r;
}
function equalBytes(b1, b2) {
if (b1.length !== b2.length) return false;
for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
return true;
}
function utf8ToBytes(str) {
if (typeof str !== "string")
throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
return new Uint8Array(new TextEncoder().encode(str));
}
function bitLen(n) {
let len;
for (len = 0; n > _0n; n >>= _1n, len += 1);
return len;
}
function bitGet(n, pos) {
return (n >> BigInt(pos)) & _1n;
}
var bitSet = (n, pos, value) => {
return n | ((value ? _1n : _0n) << BigInt(pos));
};
var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
var u8n = (data) => new Uint8Array(data);
var u8fr = (arr) => Uint8Array.from(arr);
function createHmacDrbg(hashLen, qByteLen, hmacFn) {
if (typeof hashLen !== "number" || hashLen < 2)
throw new Error("hashLen must be a number");
if (typeof qByteLen !== "number" || qByteLen < 2)
throw new Error("qByteLen must be a number");
if (typeof hmacFn !== "function")
throw new Error("hmacFn must be a function");
let v = u8n(hashLen);
let k = u8n(hashLen);
let i = 0;
const reset = () => {
v.fill(1);
k.fill(0);
i = 0;
};
const h = (...b) => hmacFn(k, v, ...b);
const reseed = (seed = u8n()) => {
k = h(u8fr([0]), seed);
v = h();
if (seed.length === 0) return;
k = h(u8fr([1]), seed);
v = h();
};
const gen2 = () => {
if (i++ >= 1e3) throw new Error("drbg: tried 1000 values");
let len = 0;
const out = [];
while (len < qByteLen) {
v = h();
const sl = v.slice();
out.push(sl);
len += v.length;
}
return concatBytes(...out);
};
const genUntil = (seed, pred) => {
reset();
reseed(seed);
let res = void 0;
while (!(res = pred(gen2()))) reseed();
reset();
return res;
};
return genUntil;
}
var validatorFns = {
bigint: (val) => typeof val === "bigint",
function: (val) => typeof val === "function",
boolean: (val) => typeof val === "boolean",
string: (val) => typeof val === "string",
stringOrUint8Array: (val) =>
typeof val === "string" || val instanceof Uint8Array,
isSafeInteger: (val) => Number.isSafeInteger(val),
array: (val) => Array.isArray(val),
field: (val, object) => object.Fp.isValid(val),
hash: (val) =>
typeof val === "function" && Number.isSafeInteger(val.outputLen),
};
function validateObject(object, validators, optValidators = {}) {
const checkField = (fieldName, type, isOptional) => {
const checkVal = validatorFns[type];
if (typeof checkVal !== "function")
throw new Error(`Invalid validator "${type}", expected function`);
const val = object[fieldName];
if (isOptional && val === void 0) return;
if (!checkVal(val, object)) {
throw new Error(
`Invalid param ${String(
fieldName,
)}=${val} (${typeof val}), expected ${type}`,
);
}
};
for (const [fieldName, type] of Object.entries(validators))
checkField(fieldName, type, false);
for (const [fieldName, type] of Object.entries(optValidators))
checkField(fieldName, type, true);
return object;
}
// ../node_modules/@noble/hashes/esm/_assert.js
function number(n) {
if (!Number.isSafeInteger(n) || n < 0)
throw new Error(`Wrong positive integer: ${n}`);
}
function bytes(b, ...lengths) {
if (!(b instanceof Uint8Array)) throw new Error("Expected Uint8Array");
if (lengths.length > 0 && !lengths.includes(b.length))
throw new Error(
`Expected Uint8Array of length ${lengths}, not of length=${b.length}`,
);
}
function hash(hash2) {
if (typeof hash2 !== "function" || typeof hash2.create !== "function")
throw new Error("Hash should be wrapped by utils.wrapConstructor");
number(hash2.outputLen);
number(hash2.blockLen);
}
function exists(instance, checkFinished = true) {
if (instance.destroyed) throw new Error("Hash instance has been destroyed");
if (checkFinished && instance.finished)
throw new Error("Hash#digest() has already been called");
}
function output(out, instance) {
bytes(out);
const min = instance.outputLen;
if (out.length < min) {
throw new Error(
`digestInto() expects output buffer of length at least ${min}`,
);
}
}
// ../node_modules/@noble/hashes/esm/crypto.js
var crypto =
typeof globalThis === "object" && "crypto" in globalThis
? globalThis.crypto
: void 0;
// ../node_modules/@noble/hashes/esm/utils.js
var u8a2 = (a) => a instanceof Uint8Array;
var u32 = (arr) =>
new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
var createView = (arr) =>
new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
var rotr = (word, shift) => (word << (32 - shift)) | (word >>> shift);
var isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
if (!isLE) throw new Error("Non little-endian hardware is not supported");
function utf8ToBytes2(str) {
if (typeof str !== "string")
throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
return new Uint8Array(new TextEncoder().encode(str));
}
function toBytes(data) {
if (typeof data === "string") data = utf8ToBytes2(data);
if (!u8a2(data)) throw new Error(`expected Uint8Array, got ${typeof data}`);
return data;
}
function concatBytes2(...arrays) {
const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
let pad = 0;
arrays.forEach((a) => {
if (!u8a2(a)) throw new Error("Uint8Array expected");
r.set(a, pad);
pad += a.length;
});
return r;
}
var Hash = class {
// Safe version that clones internal state
clone() {
return this._cloneInto();
}
};
var toStr = {}.toString;
function wrapConstructor(hashCons) {
const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
const tmp = hashCons();
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = () => hashCons();
return hashC;
}
function wrapXOFConstructorWithOpts(hashCons) {
const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
const tmp = hashCons({});
hashC.outputLen = tmp.outputLen;
hashC.blockLen = tmp.blockLen;
hashC.create = (opts) => hashCons(opts);
return hashC;
}
function randomBytes(bytesLength = 32) {
if (crypto && typeof crypto.getRandomValues === "function") {
return crypto.getRandomValues(new Uint8Array(bytesLength));
}
throw new Error("crypto.getRandomValues must be defined");
}
// ../node_modules/@noble/hashes/esm/_sha2.js
function setBigUint64(view, byteOffset, value, isLE2) {
if (typeof view.setBigUint64 === "function")
return view.setBigUint64(byteOffset, value, isLE2);
const _32n2 = BigInt(32);
const _u32_max = BigInt(4294967295);
const wh = Number((value >> _32n2) & _u32_max);
const wl = Number(value & _u32_max);
const h = isLE2 ? 4 : 0;
const l = isLE2 ? 0 : 4;
view.setUint32(byteOffset + h, wh, isLE2);
view.setUint32(byteOffset + l, wl, isLE2);
}
var SHA2 = class extends Hash {
constructor(blockLen, outputLen, padOffset, isLE2) {
super();
this.blockLen = blockLen;
this.outputLen = outputLen;
this.padOffset = padOffset;
this.isLE = isLE2;
this.finished = false;
this.length = 0;
this.pos = 0;
this.destroyed = false;
this.buffer = new Uint8Array(blockLen);
this.view = createView(this.buffer);
}
update(data) {
exists(this);
const { view, buffer, blockLen } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
if (take === blockLen) {
const dataView = createView(data);
for (; blockLen <= len - pos; pos += blockLen)
this.process(dataView, pos);
continue;
}
buffer.set(data.subarray(pos, pos + take), this.pos);
this.pos += take;
pos += take;
if (this.pos === blockLen) {
this.process(view, 0);
this.pos = 0;
}
}
this.length += data.length;
this.roundClean();
return this;
}
digestInto(out) {
exists(this);
output(out, this);
this.finished = true;
const { buffer, view, blockLen, isLE: isLE2 } = this;
let { pos } = this;
buffer[pos++] = 128;
this.buffer.subarray(pos).fill(0);
if (this.padOffset > blockLen - pos) {
this.process(view, 0);
pos = 0;
}
for (let i = pos; i < blockLen; i++) buffer[i] = 0;
setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE2);
this.process(view, 0);
const oview = createView(out);
const len = this.outputLen;
if (len % 4)
throw new Error("_sha2: outputLen should be aligned to 32bit");
const outLen = len / 4;
const state = this.get();
if (outLen > state.length)
throw new Error("_sha2: outputLen bigger than state");
for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE2);
}
digest() {
const { buffer, outputLen } = this;
this.digestInto(buffer);
const res = buffer.slice(0, outputLen);
this.destroy();
return res;
}
_cloneInto(to) {
to || (to = new this.constructor());
to.set(...this.get());
const { blockLen, buffer, length, finished, destroyed, pos } = this;
to.length = length;
to.pos = pos;
to.finished = finished;
to.destroyed = destroyed;
if (length % blockLen) to.buffer.set(buffer);
return to;
}
};
// ../node_modules/@noble/hashes/esm/sha256.js
var Chi = (a, b, c) => (a & b) ^ (~a & c);
var Maj = (a, b, c) => (a & b) ^ (a & c) ^ (b & c);
var SHA256_K = /* @__PURE__ */ new Uint32Array([
1116352408, 1899447441, 3049323471, 3921009573, 961987163, 1508970993,
2453635748, 2870763221, 3624381080, 310598401, 607225278, 1426881987,
1925078388, 2162078206, 2614888103, 3248222580, 3835390401, 4022224774,
264347078, 604807628, 770255983, 1249150122, 1555081692, 1996064986,
2554220882, 2821834349, 2952996808, 3210313671, 3336571891, 3584528711,
113926993, 338241895, 666307205, 773529912, 1294757372, 1396182291,
1695183700, 1986661051, 2177026350, 2456956037, 2730485921, 2820302411,
3259730800, 3345764771, 3516065817, 3600352804, 4094571909, 275423344,
430227734, 506948616, 659060556, 883997877, 958139571, 1322822218,
1537002063, 1747873779, 1955562222, 2024104815, 2227730452, 2361852424,
2428436474, 2756734187, 3204031479, 3329325298,
]);
var IV = /* @__PURE__ */ new Uint32Array([
1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924,
528734635, 1541459225,
]);
var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
var SHA256 = class extends SHA2 {
constructor() {
super(64, 32, 8, false);
this.A = IV[0] | 0;
this.B = IV[1] | 0;
this.C = IV[2] | 0;
this.D = IV[3] | 0;
this.E = IV[4] | 0;
this.F = IV[5] | 0;
this.G = IV[6] | 0;
this.H = IV[7] | 0;
}
get() {
const { A, B, C, D, E, F, G, H } = this;
return [A, B, C, D, E, F, G, H];
}
// prettier-ignore
set(A, B, C, D, E, F, G, H) {
this.A = A | 0;
this.B = B | 0;
this.C = C | 0;
this.D = D | 0;
this.E = E | 0;
this.F = F | 0;
this.G = G | 0;
this.H = H | 0;
}
process(view, offset) {
for (let i = 0; i < 16; i++, offset += 4)
SHA256_W[i] = view.getUint32(offset, false);
for (let i = 16; i < 64; i++) {
const W15 = SHA256_W[i - 15];
const W2 = SHA256_W[i - 2];
const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);
const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);
SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;
}
let { A, B, C, D, E, F, G, H } = this;
for (let i = 0; i < 64; i++) {
const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
const T2 = (sigma0 + Maj(A, B, C)) | 0;
H = G;
G = F;
F = E;
E = (D + T1) | 0;
D = C;
C = B;
B = A;
A = (T1 + T2) | 0;
}
A = (A + this.A) | 0;
B = (B + this.B) | 0;
C = (C + this.C) | 0;
D = (D + this.D) | 0;
E = (E + this.E) | 0;
F = (F + this.F) | 0;
G = (G + this.G) | 0;
H = (H + this.H) | 0;
this.set(A, B, C, D, E, F, G, H);
}
roundClean() {
SHA256_W.fill(0);
}
destroy() {
this.set(0, 0, 0, 0, 0, 0, 0, 0);
this.buffer.fill(0);
}
};
var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
// ../esm/abstract/modular.js
var _0n2 = BigInt(0);
var _1n2 = BigInt(1);
var _2n2 = BigInt(2);
var _3n = BigInt(3);
var _4n = BigInt(4);
var _5n = BigInt(5);
var _8n = BigInt(8);
var _9n = BigInt(9);
var _16n = BigInt(16);
function mod(a, b) {
const result = a % b;
return result >= _0n2 ? result : b + result;
}
function pow(num, power, modulo) {
if (modulo <= _0n2 || power < _0n2)
throw new Error("Expected power/modulo > 0");
if (modulo === _1n2) return _0n2;
let res = _1n2;
while (power > _0n2) {
if (power & _1n2) res = (res * num) % modulo;
num = (num * num) % modulo;
power >>= _1n2;
}
return res;
}
function pow2(x, power, modulo) {
let res = x;
while (power-- > _0n2) {
res *= res;
res %= modulo;
}
return res;
}
function invert(number2, modulo) {
if (number2 === _0n2 || modulo <= _0n2) {
throw new Error(
`invert: expected positive integers, got n=${number2} mod=${modulo}`,
);
}
let a = mod(number2, modulo);
let b = modulo;
let x = _0n2,
y = _1n2,
u = _1n2,
v = _0n2;
while (a !== _0n2) {
const q = b / a;
const r = b % a;
const m = x - u * q;
const n = y - v * q;
(b = a), (a = r), (x = u), (y = v), (u = m), (v = n);
}
const gcd = b;
if (gcd !== _1n2) throw new Error("invert: does not exist");
return mod(x, modulo);
}
function tonelliShanks(P3) {
const legendreC = (P3 - _1n2) / _2n2;
let Q, S, Z;
for (Q = P3 - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++);
for (Z = _2n2; Z < P3 && pow(Z, legendreC, P3) !== P3 - _1n2; Z++);
if (S === 1) {
const p1div4 = (P3 + _1n2) / _4n;
return function tonelliFast(Fp8, n) {
const root = Fp8.pow(n, p1div4);
if (!Fp8.eql(Fp8.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
const Q1div2 = (Q + _1n2) / _2n2;
return function tonelliSlow(Fp8, n) {
if (Fp8.pow(n, legendreC) === Fp8.neg(Fp8.ONE))
throw new Error("Cannot find square root");
let r = S;
let g = Fp8.pow(Fp8.mul(Fp8.ONE, Z), Q);
let x = Fp8.pow(n, Q1div2);
let b = Fp8.pow(n, Q);
while (!Fp8.eql(b, Fp8.ONE)) {
if (Fp8.eql(b, Fp8.ZERO)) return Fp8.ZERO;
let m = 1;
for (let t2 = Fp8.sqr(b); m < r; m++) {
if (Fp8.eql(t2, Fp8.ONE)) break;
t2 = Fp8.sqr(t2);
}
const ge2 = Fp8.pow(g, _1n2 << BigInt(r - m - 1));
g = Fp8.sqr(ge2);
x = Fp8.mul(x, ge2);
b = Fp8.mul(b, g);
r = m;
}
return x;
};
}
function FpSqrt(P3) {
if (P3 % _4n === _3n) {
const p1div4 = (P3 + _1n2) / _4n;
return function sqrt3mod4(Fp8, n) {
const root = Fp8.pow(n, p1div4);
if (!Fp8.eql(Fp8.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
if (P3 % _8n === _5n) {
const c1 = (P3 - _5n) / _8n;
return function sqrt5mod8(Fp8, n) {
const n2 = Fp8.mul(n, _2n2);
const v = Fp8.pow(n2, c1);
const nv = Fp8.mul(n, v);
const i = Fp8.mul(Fp8.mul(nv, _2n2), v);
const root = Fp8.mul(nv, Fp8.sub(i, Fp8.ONE));
if (!Fp8.eql(Fp8.sqr(root), n))
throw new Error("Cannot find square root");
return root;
};
}
if (P3 % _16n === _9n) {
}
return tonelliShanks(P3);
}
var isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n2) === _1n2;
var FIELD_FIELDS = [
"create",
"isValid",
"is0",
"neg",
"inv",
"sqrt",
"sqr",
"eql",
"add",
"sub",
"mul",
"pow",
"div",
"addN",
"subN",
"mulN",
"sqrN",
];
function validateField(field) {
const initial = {
ORDER: "bigint",
MASK: "bigint",
BYTES: "isSafeInteger",
BITS: "isSafeInteger",
};
const opts = FIELD_FIELDS.reduce((map, val) => {
map[val] = "function";
return map;
}, initial);
return validateObject(field, opts);
}
function FpPow(f, num, power) {
if (power < _0n2) throw new Error("Expected power > 0");
if (power === _0n2) return f.ONE;
if (power === _1n2) return num;
let p = f.ONE;
let d = num;
while (power > _0n2) {
if (power & _1n2) p = f.mul(p, d);
d = f.sqr(d);
power >>= _1n2;
}
return p;
}
function FpInvertBatch(f, nums) {
const tmp = new Array(nums.length);
const lastMultiplied = nums.reduce((acc, num, i) => {
if (f.is0(num)) return acc;
tmp[i] = acc;
return f.mul(acc, num);
}, f.ONE);
const inverted = f.inv(lastMultiplied);
nums.reduceRight((acc, num, i) => {
if (f.is0(num)) return acc;
tmp[i] = f.mul(acc, tmp[i]);
return f.mul(acc, num);
}, inverted);
return tmp;
}
function nLength(n, nBitLength) {
const _nBitLength =
nBitLength !== void 0 ? nBitLength : n.toString(2).length;
const nByteLength = Math.ceil(_nBitLength / 8);
return { nBitLength: _nBitLength, nByteLength };
}
function Field(ORDER, bitLen2, isLE2 = false, redef = {}) {
if (ORDER <= _0n2)
throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
if (BYTES > 2048)
throw new Error("Field lengths over 2048 bytes are not supported");
const sqrtP = FpSqrt(ORDER);
const f = Object.freeze({
ORDER,
BITS,
BYTES,
MASK: bitMask(BITS),
ZERO: _0n2,
ONE: _1n2,
create: (num) => mod(num, ORDER),
isValid: (num) => {
if (typeof num !== "bigint")
throw new Error(
`Invalid field element: expected bigint, got ${typeof num}`,
);
return _0n2 <= num && num < ORDER;
},
is0: (num) => num === _0n2,
isOdd: (num) => (num & _1n2) === _1n2,
neg: (num) => mod(-num, ORDER),
eql: (lhs, rhs) => lhs === rhs,
sqr: (num) => mod(num * num, ORDER),
add: (lhs, rhs) => mod(lhs + rhs, ORDER),
sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
pow: (num, power) => FpPow(f, num, power),
div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
// Same as above, but doesn't normalize
sqrN: (num) => num * num,
addN: (lhs, rhs) => lhs + rhs,
subN: (lhs, rhs) => lhs - rhs,
mulN: (lhs, rhs) => lhs * rhs,
inv: (num) => invert(num, ORDER),
sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
invertBatch: (lst) => FpInvertBatch(f, lst),
// TODO: do we really need constant cmov?
// We don't have const-time bigints anyway, so probably will be not very useful
cmov: (a, b, c) => (c ? b : a),
toBytes: (num) =>
isLE2 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
fromBytes: (bytes2) => {
if (bytes2.length !== BYTES)
throw new Error(
`Fp.fromBytes: expected ${BYTES}, got ${bytes2.length}`,
);
return isLE2 ? bytesToNumberLE(bytes2) : bytesToNumberBE(bytes2);
},
});
return Object.freeze(f);
}
function FpSqrtEven(Fp8, elm) {
if (!Fp8.isOdd) throw new Error(`Field doesn't have isOdd`);
const root = Fp8.sqrt(elm);
return Fp8.isOdd(root) ? Fp8.neg(root) : root;
}
function getFieldBytesLength(fieldOrder) {
if (typeof fieldOrder !== "bigint")
throw new Error("field order must be bigint");
const bitLength = fieldOrder.toString(2).length;
return Math.ceil(bitLength / 8);
}
function getMinHashLength(fieldOrder) {
const length = getFieldBytesLength(fieldOrder);
return length + Math.ceil(length / 2);
}
function mapHashToField(key, fieldOrder, isLE2 = false) {
const len = key.length;
const fieldLen = getFieldBytesLength(fieldOrder);
const minLen = getMinHashLength(fieldOrder);
if (len < 16 || len < minLen || len > 1024)
throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
const num = isLE2 ? bytesToNumberBE(key) : bytesToNumberLE(key);
const reduced = mod(num, fieldOrder - _1n2) + _1n2;
return isLE2
? numberToBytesLE(reduced, fieldLen)
: numberToBytesBE(reduced, fieldLen);
}
// ../esm/abstract/curve.js
var _0n3 = BigInt(0);
var _1n3 = BigInt(1);
function wNAF(c, bits) {
const constTimeNegate = (condition, item) => {
const neg = item.negate();
return condition ? neg : item;
};
const opts = (W) => {
const windows = Math.ceil(bits / W) + 1;
const windowSize = 2 ** (W - 1);
return { windows, windowSize };
};
return {
constTimeNegate,
// non-const time multiplication ladder
unsafeLadder(elm, n) {
let p = c.ZERO;
let d = elm;
while (n > _0n3) {
if (n & _1n3) p = p.add(d);
d = d.double();
n >>= _1n3;
}
return p;
},
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Number of precomputed points depends on the curve size:
* 2^(𝑊1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
* - 𝑊 is the window size
* - 𝑛 is the bitlength of the curve order.
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
* @returns precomputed point tables flattened to a single array
*/
precomputeWindow(elm, W) {
const { windows, windowSize } = opts(W);
const points = [];
let p = elm;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
for (let i = 1; i < windowSize; i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
},
/**
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
* @param W window size
* @param precomputes precomputed tables
* @param n scalar (we don't check here, but should be less than curve order)
* @returns real and fake (for const-time) points
*/
wNAF(W, precomputes, n) {
const { windows, windowSize } = opts(W);
let p = c.ZERO;
let f = c.BASE;
const mask = BigInt(2 ** W - 1);
const maxNumber = 2 ** W;
const shiftBy = BigInt(W);
for (let window = 0; window < windows; window++) {
const offset = window * windowSize;
let wbits = Number(n & mask);
n >>= shiftBy;
if (wbits > windowSize) {
wbits -= maxNumber;
n += _1n3;
}
const offset1 = offset;
const offset2 = offset + Math.abs(wbits) - 1;
const cond1 = window % 2 !== 0;
const cond2 = wbits < 0;
if (wbits === 0) {
f = f.add(constTimeNegate(cond1, precomputes[offset1]));
} else {
p = p.add(constTimeNegate(cond2, precomputes[offset2]));
}
}
return { p, f };
},
wNAFCached(P3, precomputesMap, n, transform) {
const W = P3._WINDOW_SIZE || 1;
let comp = precomputesMap.get(P3);
if (!comp) {
comp = this.precomputeWindow(P3, W);
if (W !== 1) {
precomputesMap.set(P3, transform(comp));
}
}
return this.wNAF(W, comp, n);
},
};
}
function validateBasic(curve) {
validateField(curve.Fp);
validateObject(
curve,
{
n: "bigint",
h: "bigint",
Gx: "field",
Gy: "field",
},
{
nBitLength: "isSafeInteger",
nByteLength: "isSafeInteger",
},
);
return Object.freeze({
...nLength(curve.n, curve.nBitLength),
...curve,
...{ p: curve.Fp.ORDER },
});
}
// ../esm/abstract/weierstrass.js
function validatePointOpts(curve) {
const opts = validateBasic(curve);
validateObject(
opts,
{
a: "field",
b: "field",
},
{
allowedPrivateKeyLengths: "array",
wrapPrivateKey: "boolean",
isTorsionFree: "function",
clearCofactor: "function",
allowInfinityPoint: "boolean",
fromBytes: "function",
toBytes: "function",
},
);
const { endo, Fp: Fp8, a } = opts;
if (endo) {
if (!Fp8.eql(a, Fp8.ZERO)) {
throw new Error(
"Endomorphism can only be defined for Koblitz curves that have a=0",
);
}
if (
typeof endo !== "object" ||
typeof endo.beta !== "bigint" ||
typeof endo.splitScalar !== "function"
) {
throw new Error(
"Expected endomorphism with beta: bigint and splitScalar: function",
);
}
}
return Object.freeze({ ...opts });
}
var { bytesToNumberBE: b2n, hexToBytes: h2b } = utils_exports;
var DER = {
// asn.1 DER encoding utils
Err: class DERErr extends Error {
constructor(m = "") {
super(m);
}
},
_parseInt(data) {
const { Err: E } = DER;
if (data.length < 2 || data[0] !== 2)
throw new E("Invalid signature integer tag");
const len = data[1];
const res = data.subarray(2, len + 2);
if (!len || res.length !== len)
throw new E("Invalid signature integer: wrong length");
if (res[0] & 128) throw new E("Invalid signature integer: negative");
if (res[0] === 0 && !(res[1] & 128))
throw new E("Invalid signature integer: unnecessary leading zero");
return { d: b2n(res), l: data.subarray(len + 2) };
},
toSig(hex) {
const { Err: E } = DER;
const data = typeof hex === "string" ? h2b(hex) : hex;
if (!(data instanceof Uint8Array)) throw new Error("ui8a expected");
let l = data.length;
if (l < 2 || data[0] != 48) throw new E("Invalid signature tag");
if (data[1] !== l - 2) throw new E("Invalid signature: incorrect length");
const { d: r, l: sBytes } = DER._parseInt(data.subarray(2));
const { d: s, l: rBytesLeft } = DER._parseInt(sBytes);
if (rBytesLeft.length)
throw new E("Invalid signature: left bytes after parsing");
return { r, s };
},
hexFromSig(sig) {
const slice = (s2) => (Number.parseInt(s2[0], 16) & 8 ? "00" + s2 : s2);
const h = (num) => {
const hex = num.toString(16);
return hex.length & 1 ? `0${hex}` : hex;
};
const s = slice(h(sig.s));
const r = slice(h(sig.r));
const shl = s.length / 2;
const rhl = r.length / 2;
const sl = h(shl);
const rl = h(rhl);
return `30${h(rhl + shl + 4)}02${rl}${r}02${sl}${s}`;
},
};
var _0n4 = BigInt(0);
var _1n4 = BigInt(1);
var _2n3 = BigInt(2);
var _3n2 = BigInt(3);
var _4n2 = BigInt(4);
function weierstrassPoints(opts) {
const CURVE2 = validatePointOpts(opts);
const { Fp: Fp8 } = CURVE2;
const toBytes2 =
CURVE2.toBytes ||
((_c, point, _isCompressed) => {
const a = point.toAffine();
return concatBytes(
Uint8Array.from([4]),
Fp8.toBytes(a.x),
Fp8.toBytes(a.y),
);
});
const fromBytes =
CURVE2.fromBytes ||
((bytes2) => {
const tail = bytes2.subarray(1);
const x = Fp8.fromBytes(tail.subarray(0, Fp8.BYTES));
const y = Fp8.fromBytes(tail.subarray(Fp8.BYTES, 2 * Fp8.BYTES));
return { x, y };
});
function weierstrassEquation(x) {
const { a, b } = CURVE2;
const x2 = Fp8.sqr(x);
const x3 = Fp8.mul(x2, x);
return Fp8.add(Fp8.add(x3, Fp8.mul(x, a)), b);
}
if (!Fp8.eql(Fp8.sqr(CURVE2.Gy), weierstrassEquation(CURVE2.Gx)))
throw new Error("bad generator point: equation left != right");
function isWithinCurveOrder(num) {
return typeof num === "bigint" && _0n4 < num && num < CURVE2.n;
}
function assertGE(num) {
if (!isWithinCurveOrder(num))
throw new Error("Expected valid bigint: 0 < bigint < curve.n");
}
function normPrivateKeyToScalar(key) {
const {
allowedPrivateKeyLengths: lengths,
nByteLength,
wrapPrivateKey,
n,
} = CURVE2;
if (lengths && typeof key !== "bigint") {
if (key instanceof Uint8Array) key = bytesToHex(key);
if (typeof key !== "string" || !lengths.includes(key.length))
throw new Error("Invalid key");
key = key.padStart(nByteLength * 2, "0");
}
let num;
try {
num =
typeof key === "bigint"
? key
: bytesToNumberBE(ensureBytes("private key", key, nByteLength));
} catch (error) {
throw new Error(
`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`,
);
}
if (wrapPrivateKey) num = mod(num, n);
assertGE(num);
return num;
}
const pointPrecomputes = /* @__PURE__ */ new Map();
function assertPrjPoint(other) {
if (!(other instanceof Point2))
throw new Error("ProjectivePoint expected");
}
class Point2 {
constructor(px, py, pz) {
this.px = px;
this.py = py;
this.pz = pz;
if (px == null || !Fp8.isValid(px)) throw new Error("x required");
if (py == null || !Fp8.isValid(py)) throw new Error("y required");
if (pz == null || !Fp8.isValid(pz)) throw new Error("z required");
}
// Does not validate if the point is on-curve.
// Use fromHex instead, or call assertValidity() later.
static fromAffine(p) {
const { x, y } = p || {};
if (!p || !Fp8.isValid(x) || !Fp8.isValid(y))
throw new Error("invalid affine point");
if (p instanceof Point2)
throw new Error("projective point not allowed");
const is0 = (i) => Fp8.eql(i, Fp8.ZERO);
if (is0(x) && is0(y)) return Point2.ZERO;
return new Point2(x, y, Fp8.ONE);
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
/**
* Takes a bunch of Projective Points but executes only one
* inversion on all of them. Inversion is very slow operation,
* so this improves performance massively.
* Optimization: converts a list of projective points to a list of identical points with Z=1.
*/
static normalizeZ(points) {
const toInv = Fp8.invertBatch(points.map((p) => p.pz));
return points
.map((p, i) => p.toAffine(toInv[i]))
.map(Point2.fromAffine);
}
/**
* Converts hash string or Uint8Array to Point.
* @param hex short/long ECDSA hex
*/
static fromHex(hex) {
const P3 = Point2.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
P3.assertValidity();
return P3;
}
// Multiplies generator point by privateKey.
static fromPrivateKey(privateKey) {
return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
}
// "Private method", don't use it directly
_setWindowSize(windowSize) {
this._WINDOW_SIZE = windowSize;
pointPrecomputes.delete(this);
}
// A point on curve is valid if it conforms to equation.
assertValidity() {
if (this.is0()) {
if (CURVE2.allowInfinityPoint && !Fp8.is0(this.py)) return;
throw new Error("bad point: ZERO");
}
const { x, y } = this.toAffine();
if (!Fp8.isValid(x) || !Fp8.isValid(y))
throw new Error("bad point: x or y not FE");
const left = Fp8.sqr(y);
const right = weierstrassEquation(x);
if (!Fp8.eql(left, right))
throw new Error("bad point: equation left != right");
if (!this.isTorsionFree())
throw new Error("bad point: not in prime-order subgroup");
}
hasEvenY() {
const { y } = this.toAffine();
if (Fp8.isOdd) return !Fp8.isOdd(y);
throw new Error("Field doesn't support isOdd");
}
/**
* Compare one point to another.
*/
equals(other) {
assertPrjPoint(other);
const { px: X1, py: Y1, pz: Z1 } = this;
const { px: X2, py: Y2, pz: Z2 } = other;
const U1 = Fp8.eql(Fp8.mul(X1, Z2), Fp8.mul(X2, Z1));
const U2 = Fp8.eql(Fp8.mul(Y1, Z2), Fp8.mul(Y2, Z1));
return U1 && U2;
}
/**
* Flips point to one corresponding to (x, -y) in Affine coordinates.
*/
negate() {
return new Point2(this.px, Fp8.neg(this.py), this.pz);
}
// Renes-Costello-Batina exception-free doubling formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 3
// Cost: 8M + 3S + 3*a + 2*b3 + 15add.
double() {
const { a, b } = CURVE2;
const b3 = Fp8.mul(b, _3n2);
const { px: X1, py: Y1, pz: Z1 } = this;
let X3 = Fp8.ZERO,
Y3 = Fp8.ZERO,
Z3 = Fp8.ZERO;
let t0 = Fp8.mul(X1, X1);
let t1 = Fp8.mul(Y1, Y1);
let t2 = Fp8.mul(Z1, Z1);
let t3 = Fp8.mul(X1, Y1);
t3 = Fp8.add(t3, t3);
Z3 = Fp8.mul(X1, Z1);
Z3 = Fp8.add(Z3, Z3);
X3 = Fp8.mul(a, Z3);
Y3 = Fp8.mul(b3, t2);
Y3 = Fp8.add(X3, Y3);
X3 = Fp8.sub(t1, Y3);
Y3 = Fp8.add(t1, Y3);
Y3 = Fp8.mul(X3, Y3);
X3 = Fp8.mul(t3, X3);
Z3 = Fp8.mul(b3, Z3);
t2 = Fp8.mul(a, t2);
t3 = Fp8.sub(t0, t2);
t3 = Fp8.mul(a, t3);
t3 = Fp8.add(t3, Z3);
Z3 = Fp8.add(t0, t0);
t0 = Fp8.add(Z3, t0);
t0 = Fp8.add(t0, t2);
t0 = Fp8.mul(t0, t3);
Y3 = Fp8.add(Y3, t0);
t2 = Fp8.mul(Y1, Z1);
t2 = Fp8.add(t2, t2);
t0 = Fp8.mul(t2, t3);
X3 = Fp8.sub(X3, t0);
Z3 = Fp8.mul(t2, t1);
Z3 = Fp8.add(Z3, Z3);
Z3 = Fp8.add(Z3, Z3);
return new Point2(X3, Y3, Z3);
}
// Renes-Costello-Batina exception-free addition formula.
// There is 30% faster Jacobian formula, but it is not complete.
// https://eprint.iacr.org/2015/1060, algorithm 1
// Cost: 12M + 0S + 3*a + 3*b3 + 23add.
add(other) {
assertPrjPoint(other);
const { px: X1, py: Y1, pz: Z1 } = this;
const { px: X2, py: Y2, pz: Z2 } = other;
let X3 = Fp8.ZERO,
Y3 = Fp8.ZERO,
Z3 = Fp8.ZERO;
const a = CURVE2.a;
const b3 = Fp8.mul(CURVE2.b, _3n2);
let t0 = Fp8.mul(X1, X2);
let t1 = Fp8.mul(Y1, Y2);
let t2 = Fp8.mul(Z1, Z2);
let t3 = Fp8.add(X1, Y1);
let t4 = Fp8.add(X2, Y2);
t3 = Fp8.mul(t3, t4);
t4 = Fp8.add(t0, t1);
t3 = Fp8.sub(t3, t4);
t4 = Fp8.add(X1, Z1);
let t5 = Fp8.add(X2, Z2);
t4 = Fp8.mul(t4, t5);
t5 = Fp8.add(t0, t2);
t4 = Fp8.sub(t4, t5);
t5 = Fp8.add(Y1, Z1);
X3 = Fp8.add(Y2, Z2);
t5 = Fp8.mul(t5, X3);
X3 = Fp8.add(t1, t2);
t5 = Fp8.sub(t5, X3);
Z3 = Fp8.mul(a, t4);
X3 = Fp8.mul(b3, t2);
Z3 = Fp8.add(X3, Z3);
X3 = Fp8.sub(t1, Z3);
Z3 = Fp8.add(t1, Z3);
Y3 = Fp8.mul(X3, Z3);
t1 = Fp8.add(t0, t0);
t1 = Fp8.add(t1, t0);
t2 = Fp8.mul(a, t2);
t4 = Fp8.mul(b3, t4);
t1 = Fp8.add(t1, t2);
t2 = Fp8.sub(t0, t2);
t2 = Fp8.mul(a, t2);
t4 = Fp8.add(t4, t2);
t0 = Fp8.mul(t1, t4);
Y3 = Fp8.add(Y3, t0);
t0 = Fp8.mul(t5, t4);
X3 = Fp8.mul(t3, X3);
X3 = Fp8.sub(X3, t0);
t0 = Fp8.mul(t3, t1);
Z3 = Fp8.mul(t5, Z3);
Z3 = Fp8.add(Z3, t0);
return new Point2(X3, Y3, Z3);
}
subtract(other) {
return this.add(other.negate());
}
is0() {
return this.equals(Point2.ZERO);
}
wNAF(n) {
return wnaf.wNAFCached(this, pointPrecomputes, n, (comp) => {
const toInv = Fp8.invertBatch(comp.map((p) => p.pz));
return comp
.map((p, i) => p.toAffine(toInv[i]))
.map(Point2.fromAffine);
});
}
/**
* Non-constant-time multiplication. Uses double-and-add algorithm.
* It's faster, but should only be used when you don't care about
* an exposed private key e.g. sig verification, which works over *public* keys.
*/
multiplyUnsafe(n) {
const I = Point2.ZERO;
if (n === _0n4) return I;
assertGE(n);
if (n === _1n4) return this;
const { endo } = CURVE2;
if (!endo) return wnaf.unsafeLadder(this, n);
let { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
let k1p = I;
let k2p = I;
let d = this;
while (k1 > _0n4 || k2 > _0n4) {
if (k1 & _1n4) k1p = k1p.add(d);
if (k2 & _1n4) k2p = k2p.add(d);
d = d.double();
k1 >>= _1n4;
k2 >>= _1n4;
}
if (k1neg) k1p = k1p.negate();
if (k2neg) k2p = k2p.negate();
k2p = new Point2(Fp8.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
return k1p.add(k2p);
}
/**
* Constant time multiplication.
* Uses wNAF method. Windowed method may be 10% faster,
* but takes 2x longer to generate and consumes 2x memory.
* Uses precomputes when available.
* Uses endomorphism for Koblitz curves.
* @param scalar by which the point would be multiplied
* @returns New point
*/
multiply(scalar) {
assertGE(scalar);
let n = scalar;
let point, fake;
const { endo } = CURVE2;
if (endo) {
const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
let { p: k1p, f: f1p } = this.wNAF(k1);
let { p: k2p, f: f2p } = this.wNAF(k2);
k1p = wnaf.constTimeNegate(k1neg, k1p);
k2p = wnaf.constTimeNegate(k2neg, k2p);
k2p = new Point2(Fp8.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
point = k1p.add(k2p);
fake = f1p.add(f2p);
} else {
const { p, f } = this.wNAF(n);
point = p;
fake = f;
}
return Point2.normalizeZ([point, fake])[0];
}
/**
* Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
* Not using Strauss-Shamir trick: precomputation tables are faster.
* The trick could be useful if both P and Q are not G (not in our case).
* @returns non-zero affine point
*/
multiplyAndAddUnsafe(Q, a, b) {
const G = Point2.BASE;
const mul = (P3, a2) =>
a2 === _0n4 || a2 === _1n4 || !P3.equals(G)
? P3.multiplyUnsafe(a2)
: P3.multiply(a2);
const sum = mul(this, a).add(mul(Q, b));
return sum.is0() ? void 0 : sum;
}
// Converts Projective point to affine (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
// (x, y, z) ∋ (x=x/z, y=y/z)
toAffine(iz) {
const { px: x, py: y, pz: z } = this;
const is0 = this.is0();
if (iz == null) iz = is0 ? Fp8.ONE : Fp8.inv(z);
const ax = Fp8.mul(x, iz);
const ay = Fp8.mul(y, iz);
const zz = Fp8.mul(z, iz);
if (is0) return { x: Fp8.ZERO, y: Fp8.ZERO };
if (!Fp8.eql(zz, Fp8.ONE)) throw new Error("invZ was invalid");
return { x: ax, y: ay };
}
isTorsionFree() {
const { h: cofactor, isTorsionFree } = CURVE2;
if (cofactor === _1n4) return true;
if (isTorsionFree) return isTorsionFree(Point2, this);
throw new Error(
"isTorsionFree() has not been declared for the elliptic curve",
);
}
clearCofactor() {
const { h: cofactor, clearCofactor } = CURVE2;
if (cofactor === _1n4) return this;
if (clearCofactor) return clearCofactor(Point2, this);
return this.multiplyUnsafe(CURVE2.h);
}
toRawBytes(isCompressed = true) {
this.assertValidity();
return toBytes2(Point2, this, isCompressed);
}
toHex(isCompressed = true) {
return bytesToHex(this.toRawBytes(isCompressed));
}
}
Point2.BASE = new Point2(CURVE2.Gx, CURVE2.Gy, Fp8.ONE);
Point2.ZERO = new Point2(Fp8.ZERO, Fp8.ONE, Fp8.ZERO);
const _bits = CURVE2.nBitLength;
const wnaf = wNAF(Point2, CURVE2.endo ? Math.ceil(_bits / 2) : _bits);
return {
CURVE: CURVE2,
ProjectivePoint: Point2,
normPrivateKeyToScalar,
weierstrassEquation,
isWithinCurveOrder,
};
}
function validateOpts(curve) {
const opts = validateBasic(curve);
validateObject(
opts,
{
hash: "hash",
hmac: "function",
randomBytes: "function",
},
{
bits2int: "function",
bits2int_modN: "function",
lowS: "boolean",
},
);
return Object.freeze({ lowS: true, ...opts });
}
function weierstrass(curveDef) {
const CURVE2 = validateOpts(curveDef);
const { Fp: Fp8, n: CURVE_ORDER } = CURVE2;
const compressedLen = Fp8.BYTES + 1;
const uncompressedLen = 2 * Fp8.BYTES + 1;
function isValidFieldElement(num) {
return _0n4 < num && num < Fp8.ORDER;
}
function modN2(a) {
return mod(a, CURVE_ORDER);
}
function invN(a) {
return invert(a, CURVE_ORDER);
}
const {
ProjectivePoint: Point2,
normPrivateKeyToScalar,
weierstrassEquation,
isWithinCurveOrder,
} = weierstrassPoints({
...CURVE2,
toBytes(_c, point, isCompressed) {
const a = point.toAffine();
const x = Fp8.toBytes(a.x);
const cat = concatBytes;
if (isCompressed) {
return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
} else {
return cat(Uint8Array.from([4]), x, Fp8.toBytes(a.y));
}
},
fromBytes(bytes2) {
const len = bytes2.length;
const head = bytes2[0];
const tail = bytes2.subarray(1);
if (len === compressedLen && (head === 2 || head === 3)) {
const x = bytesToNumberBE(tail);
if (!isValidFieldElement(x)) throw new Error("Point is not on curve");
const y2 = weierstrassEquation(x);
let y = Fp8.sqrt(y2);
const isYOdd = (y & _1n4) === _1n4;
const isHeadOdd = (head & 1) === 1;
if (isHeadOdd !== isYOdd) y = Fp8.neg(y);
return { x, y };
} else if (len === uncompressedLen && head === 4) {
const x = Fp8.fromBytes(tail.subarray(0, Fp8.BYTES));
const y = Fp8.fromBytes(tail.subarray(Fp8.BYTES, 2 * Fp8.BYTES));
return { x, y };
} else {
throw new Error(
`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`,
);
}
},
});
const numToNByteStr = (num) =>
bytesToHex(numberToBytesBE(num, CURVE2.nByteLength));
function isBiggerThanHalfOrder(number2) {
const HALF = CURVE_ORDER >> _1n4;
return number2 > HALF;
}
function normalizeS(s) {
return isBiggerThanHalfOrder(s) ? modN2(-s) : s;
}
const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
class Signature {
constructor(r, s, recovery) {
this.r = r;
this.s = s;
this.recovery = recovery;
this.assertValidity();
}
// pair (bytes of r, bytes of s)
static fromCompact(hex) {
const l = CURVE2.nByteLength;
hex = ensureBytes("compactSignature", hex, l * 2);
return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
}
// DER encoded ECDSA signature
// https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
static fromDER(hex) {
const { r, s } = DER.toSig(ensureBytes("DER", hex));
return new Signature(r, s);
}
assertValidity() {
if (!isWithinCurveOrder(this.r))
throw new Error("r must be 0 < r < CURVE.n");
if (!isWithinCurveOrder(this.s))
throw new Error("s must be 0 < s < CURVE.n");
}
addRecoveryBit(recovery) {
return new Signature(this.r, this.s, recovery);
}
recoverPublicKey(msgHash) {
const { r, s, recovery: rec } = this;
const h = bits2int_modN(ensureBytes("msgHash", msgHash));
if (rec == null || ![0, 1, 2, 3].includes(rec))
throw new Error("recovery id invalid");
const radj = rec === 2 || rec === 3 ? r + CURVE2.n : r;
if (radj >= Fp8.ORDER) throw new Error("recovery id 2 or 3 invalid");
const prefix = (rec & 1) === 0 ? "02" : "03";
const R = Point2.fromHex(prefix + numToNByteStr(radj));
const ir = invN(radj);
const u1 = modN2(-h * ir);
const u2 = modN2(s * ir);
const Q = Point2.BASE.multiplyAndAddUnsafe(R, u1, u2);
if (!Q) throw new Error("point at infinify");
Q.assertValidity();
return Q;
}
// Signatures should be low-s, to prevent malleability.
hasHighS() {
return isBiggerThanHalfOrder(this.s);
}
normalizeS() {
return this.hasHighS()
? new Signature(this.r, modN2(-this.s), this.recovery)
: this;
}
// DER-encoded
toDERRawBytes() {
return hexToBytes(this.toDERHex());
}
toDERHex() {
return DER.hexFromSig({ r: this.r, s: this.s });
}
// padded bytes of r, then padded bytes of s
toCompactRawBytes() {
return hexToBytes(this.toCompactHex());
}
toCompactHex() {
return numToNByteStr(this.r) + numToNByteStr(this.s);
}
}
const utils2 = {
isValidPrivateKey(privateKey) {
try {
normPrivateKeyToScalar(privateKey);
return true;
} catch (error) {
return false;
}
},
normPrivateKeyToScalar,
/**
* Produces cryptographically secure private key from random of size
* (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
*/
randomPrivateKey: () => {
const length = getMinHashLength(CURVE2.n);
return mapHashToField(CURVE2.randomBytes(length), CURVE2.n);
},
/**
* Creates precompute table for an arbitrary EC point. Makes point "cached".
* Allows to massively speed-up `point.multiply(scalar)`.
* @returns cached point
* @example
* const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
* fast.multiply(privKey); // much faster ECDH now
*/
precompute(windowSize = 8, point = Point2.BASE) {
point._setWindowSize(windowSize);
point.multiply(BigInt(3));
return point;
},
};
function getPublicKey(privateKey, isCompressed = true) {
return Point2.fromPrivateKey(privateKey).toRawBytes(isCompressed);
}
function isProbPub(item) {
const arr = item instanceof Uint8Array;
const str = typeof item === "string";
const len = (arr || str) && item.length;
if (arr) return len === compressedLen || len === uncompressedLen;
if (str) return len === 2 * compressedLen || len === 2 * uncompressedLen;
if (item instanceof Point2) return true;
return false;
}
function getSharedSecret(privateA, publicB, isCompressed = true) {
if (isProbPub(privateA)) throw new Error("first arg must be private key");
if (!isProbPub(publicB)) throw new Error("second arg must be public key");
const b = Point2.fromHex(publicB);
return b
.multiply(normPrivateKeyToScalar(privateA))
.toRawBytes(isCompressed);
}
const bits2int =
CURVE2.bits2int ||
function (bytes2) {
const num = bytesToNumberBE(bytes2);
const delta = bytes2.length * 8 - CURVE2.nBitLength;
return delta > 0 ? num >> BigInt(delta) : num;
};
const bits2int_modN =
CURVE2.bits2int_modN ||
function (bytes2) {
return modN2(bits2int(bytes2));
};
const ORDER_MASK = bitMask(CURVE2.nBitLength);
function int2octets(num) {
if (typeof num !== "bigint") throw new Error("bigint expected");
if (!(_0n4 <= num && num < ORDER_MASK))
throw new Error(`bigint expected < 2^${CURVE2.nBitLength}`);
return numberToBytesBE(num, CURVE2.nByteLength);
}
function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
if (["recovered", "canonical"].some((k) => k in opts))
throw new Error("sign() legacy options not supported");
const { hash: hash2, randomBytes: randomBytes2 } = CURVE2;
let { lowS, prehash, extraEntropy: ent } = opts;
if (lowS == null) lowS = true;
msgHash = ensureBytes("msgHash", msgHash);
if (prehash) msgHash = ensureBytes("prehashed msgHash", hash2(msgHash));
const h1int = bits2int_modN(msgHash);
const d = normPrivateKeyToScalar(privateKey);
const seedArgs = [int2octets(d), int2octets(h1int)];
if (ent != null) {
const e = ent === true ? randomBytes2(Fp8.BYTES) : ent;
seedArgs.push(ensureBytes("extraEntropy", e));
}
const seed = concatBytes(...seedArgs);
const m = h1int;
function k2sig(kBytes) {
const k = bits2int(kBytes);
if (!isWithinCurveOrder(k)) return;
const ik = invN(k);
const q = Point2.BASE.multiply(k).toAffine();
const r = modN2(q.x);
if (r === _0n4) return;
const s = modN2(ik * modN2(m + r * d));
if (s === _0n4) return;
let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
let normS = s;
if (lowS && isBiggerThanHalfOrder(s)) {
normS = normalizeS(s);
recovery ^= 1;
}
return new Signature(r, normS, recovery);
}
return { seed, k2sig };
}
const defaultSigOpts = { lowS: CURVE2.lowS, prehash: false };
const defaultVerOpts = { lowS: CURVE2.lowS, prehash: false };
function sign(msgHash, privKey, opts = defaultSigOpts) {
const { seed, k2sig } = prepSig(msgHash, privKey, opts);
const C = CURVE2;
const drbg = createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
return drbg(seed, k2sig);
}
Point2.BASE._setWindowSize(8);
function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
const sg = signature;
msgHash = ensureBytes("msgHash", msgHash);
publicKey = ensureBytes("publicKey", publicKey);
if ("strict" in opts)
throw new Error("options.strict was renamed to lowS");
const { lowS, prehash } = opts;
let _sig = void 0;
let P3;
try {
if (typeof sg === "string" || sg instanceof Uint8Array) {
try {
_sig = Signature.fromDER(sg);
} catch (derError) {
if (!(derError instanceof DER.Err)) throw derError;
_sig = Signature.fromCompact(sg);
}
} else if (
typeof sg === "object" &&
typeof sg.r === "bigint" &&
typeof sg.s === "bigint"
) {
const { r: r2, s: s2 } = sg;
_sig = new Signature(r2, s2);
} else {
throw new Error("PARSE");
}
P3 = Point2.fromHex(publicKey);
} catch (error) {
if (error.message === "PARSE")
throw new Error(
`signature must be Signature instance, Uint8Array or hex string`,
);
return false;
}
if (lowS && _sig.hasHighS()) return false;
if (prehash) msgHash = CURVE2.hash(msgHash);
const { r, s } = _sig;
const h = bits2int_modN(msgHash);
const is = invN(s);
const u1 = modN2(h * is);
const u2 = modN2(r * is);
const R = Point2.BASE.multiplyAndAddUnsafe(P3, u1, u2)?.toAffine();
if (!R) return false;
const v = modN2(R.x);
return v === r;
}
return {
CURVE: CURVE2,
getPublicKey,
getSharedSecret,
sign,
verify,
ProjectivePoint: Point2,
Signature,
utils: utils2,
};
}
function SWUFpSqrtRatio(Fp8, Z) {
const q = Fp8.ORDER;
let l = _0n4;
for (let o = q - _1n4; o % _2n3 === _0n4; o /= _2n3) l += _1n4;
const c1 = l;
const _2n_pow_c1_1 = _2n3 << (c1 - _1n4 - _1n4);
const _2n_pow_c1 = _2n_pow_c1_1 * _2n3;
const c2 = (q - _1n4) / _2n_pow_c1;
const c3 = (c2 - _1n4) / _2n3;
const c4 = _2n_pow_c1 - _1n4;
const c5 = _2n_pow_c1_1;
const c6 = Fp8.pow(Z, c2);
const c7 = Fp8.pow(Z, (c2 + _1n4) / _2n3);
let sqrtRatio = (u, v) => {
let tv1 = c6;
let tv2 = Fp8.pow(v, c4);
let tv3 = Fp8.sqr(tv2);
tv3 = Fp8.mul(tv3, v);
let tv5 = Fp8.mul(u, tv3);
tv5 = Fp8.pow(tv5, c3);
tv5 = Fp8.mul(tv5, tv2);
tv2 = Fp8.mul(tv5, v);
tv3 = Fp8.mul(tv5, u);
let tv4 = Fp8.mul(tv3, tv2);
tv5 = Fp8.pow(tv4, c5);
let isQR = Fp8.eql(tv5, Fp8.ONE);
tv2 = Fp8.mul(tv3, c7);
tv5 = Fp8.mul(tv4, tv1);
tv3 = Fp8.cmov(tv2, tv3, isQR);
tv4 = Fp8.cmov(tv5, tv4, isQR);
for (let i = c1; i > _1n4; i--) {
let tv52 = i - _2n3;
tv52 = _2n3 << (tv52 - _1n4);
let tvv5 = Fp8.pow(tv4, tv52);
const e1 = Fp8.eql(tvv5, Fp8.ONE);
tv2 = Fp8.mul(tv3, tv1);
tv1 = Fp8.mul(tv1, tv1);
tvv5 = Fp8.mul(tv4, tv1);
tv3 = Fp8.cmov(tv2, tv3, e1);
tv4 = Fp8.cmov(tvv5, tv4, e1);
}
return { isValid: isQR, value: tv3 };
};
if (Fp8.ORDER % _4n2 === _3n2) {
const c12 = (Fp8.ORDER - _3n2) / _4n2;
const c22 = Fp8.sqrt(Fp8.neg(Z));
sqrtRatio = (u, v) => {
let tv1 = Fp8.sqr(v);
const tv2 = Fp8.mul(u, v);
tv1 = Fp8.mul(tv1, tv2);
let y1 = Fp8.pow(tv1, c12);
y1 = Fp8.mul(y1, tv2);
const y2 = Fp8.mul(y1, c22);
const tv3 = Fp8.mul(Fp8.sqr(y1), v);
const isQR = Fp8.eql(tv3, u);
let y = Fp8.cmov(y2, y1, isQR);
return { isValid: isQR, value: y };
};
}
return sqrtRatio;
}
function mapToCurveSimpleSWU(Fp8, opts) {
validateField(Fp8);
if (!Fp8.isValid(opts.A) || !Fp8.isValid(opts.B) || !Fp8.isValid(opts.Z))
throw new Error("mapToCurveSimpleSWU: invalid opts");
const sqrtRatio = SWUFpSqrtRatio(Fp8, opts.Z);
if (!Fp8.isOdd) throw new Error("Fp.isOdd is not implemented!");
return (u) => {
let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
tv1 = Fp8.sqr(u);
tv1 = Fp8.mul(tv1, opts.Z);
tv2 = Fp8.sqr(tv1);
tv2 = Fp8.add(tv2, tv1);
tv3 = Fp8.add(tv2, Fp8.ONE);
tv3 = Fp8.mul(tv3, opts.B);
tv4 = Fp8.cmov(opts.Z, Fp8.neg(tv2), !Fp8.eql(tv2, Fp8.ZERO));
tv4 = Fp8.mul(tv4, opts.A);
tv2 = Fp8.sqr(tv3);
tv6 = Fp8.sqr(tv4);
tv5 = Fp8.mul(tv6, opts.A);
tv2 = Fp8.add(tv2, tv5);
tv2 = Fp8.mul(tv2, tv3);
tv6 = Fp8.mul(tv6, tv4);
tv5 = Fp8.mul(tv6, opts.B);
tv2 = Fp8.add(tv2, tv5);
x = Fp8.mul(tv1, tv3);
const { isValid, value } = sqrtRatio(tv2, tv6);
y = Fp8.mul(tv1, u);
y = Fp8.mul(y, value);
x = Fp8.cmov(x, tv3, isValid);
y = Fp8.cmov(y, value, isValid);
const e1 = Fp8.isOdd(u) === Fp8.isOdd(y);
y = Fp8.cmov(Fp8.neg(y), y, e1);
x = Fp8.div(x, tv4);
return { x, y };
};
}
// ../esm/abstract/hash-to-curve.js
function validateDST(dst) {
if (dst instanceof Uint8Array) return dst;
if (typeof dst === "string") return utf8ToBytes(dst);
throw new Error("DST must be Uint8Array or string");
}
var os2ip = bytesToNumberBE;
function i2osp(value, length) {
if (value < 0 || value >= 1 << (8 * length)) {
throw new Error(`bad I2OSP call: value=${value} length=${length}`);
}
const res = Array.from({ length }).fill(0);
for (let i = length - 1; i >= 0; i--) {
res[i] = value & 255;
value >>>= 8;
}
return new Uint8Array(res);
}
function strxor(a, b) {
const arr = new Uint8Array(a.length);
for (let i = 0; i < a.length; i++) {
arr[i] = a[i] ^ b[i];
}
return arr;
}
function isBytes(item) {
if (!(item instanceof Uint8Array)) throw new Error("Uint8Array expected");
}
function isNum(item) {
if (!Number.isSafeInteger(item)) throw new Error("number expected");
}
function expand_message_xmd(msg, DST, lenInBytes, H) {
isBytes(msg);
isBytes(DST);
isNum(lenInBytes);
if (DST.length > 255)
DST = H(concatBytes(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
const ell = Math.ceil(lenInBytes / b_in_bytes);
if (ell > 255) throw new Error("Invalid xmd length");
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
const Z_pad = i2osp(0, r_in_bytes);
const l_i_b_str = i2osp(lenInBytes, 2);
const b = new Array(ell);
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
for (let i = 1; i <= ell; i++) {
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
b[i] = H(concatBytes(...args));
}
const pseudo_random_bytes = concatBytes(...b);
return pseudo_random_bytes.slice(0, lenInBytes);
}
function expand_message_xof(msg, DST, lenInBytes, k, H) {
isBytes(msg);
isBytes(DST);
isNum(lenInBytes);
if (DST.length > 255) {
const dkLen = Math.ceil((2 * k) / 8);
DST = H.create({ dkLen })
.update(utf8ToBytes("H2C-OVERSIZE-DST-"))
.update(DST)
.digest();
}
if (lenInBytes > 65535 || DST.length > 255)
throw new Error("expand_message_xof: invalid lenInBytes");
return H.create({ dkLen: lenInBytes })
.update(msg)
.update(i2osp(lenInBytes, 2))
.update(DST)
.update(i2osp(DST.length, 1))
.digest();
}
function hash_to_field(msg, count, options) {
validateObject(options, {
DST: "stringOrUint8Array",
p: "bigint",
m: "isSafeInteger",
k: "isSafeInteger",
hash: "hash",
});
const { p, k, m, hash: hash2, expand, DST: _DST } = options;
isBytes(msg);
isNum(count);
const DST = validateDST(_DST);
const log2p = p.toString(2).length;
const L = Math.ceil((log2p + k) / 8);
const len_in_bytes = count * m * L;
let prb;
if (expand === "xmd") {
prb = expand_message_xmd(msg, DST, len_in_bytes, hash2);
} else if (expand === "xof") {
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash2);
} else if (expand === "_internal_pass") {
prb = msg;
} else {
throw new Error('expand must be "xmd" or "xof"');
}
const u = new Array(count);
for (let i = 0; i < count; i++) {
const e = new Array(m);
for (let j = 0; j < m; j++) {
const elm_offset = L * (j + i * m);
const tv = prb.subarray(elm_offset, elm_offset + L);
e[j] = mod(os2ip(tv), p);
}
u[i] = e;
}
return u;
}
function isogenyMap(field, map) {
const COEFF = map.map((i) => Array.from(i).reverse());
return (x, y) => {
const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
val.reduce((acc, i) => field.add(field.mul(acc, x), i)),
);
x = field.div(xNum, xDen);
y = field.mul(y, field.div(yNum, yDen));
return { x, y };
};
}
function createHasher(Point2, mapToCurve, def) {
if (typeof mapToCurve !== "function")
throw new Error("mapToCurve() must be defined");
return {
// Encodes byte string to elliptic curve.
// hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
hashToCurve(msg, options) {
const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
const u0 = Point2.fromAffine(mapToCurve(u[0]));
const u1 = Point2.fromAffine(mapToCurve(u[1]));
const P3 = u0.add(u1).clearCofactor();
P3.assertValidity();
return P3;
},
// Encodes byte string to elliptic curve.
// encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
encodeToCurve(msg, options) {
const u = hash_to_field(msg, 1, {
...def,
DST: def.encodeDST,
...options,
});
const P3 = Point2.fromAffine(mapToCurve(u[0])).clearCofactor();
P3.assertValidity();
return P3;
},
};
}
// ../node_modules/@noble/hashes/esm/hmac.js
var HMAC = class extends Hash {
constructor(hash2, _key) {
super();
this.finished = false;
this.destroyed = false;
hash(hash2);
const key = toBytes(_key);
this.iHash = hash2.create();
if (typeof this.iHash.update !== "function")
throw new Error("Expected instance of class which extends utils.Hash");
this.blockLen = this.iHash.blockLen;
this.outputLen = this.iHash.outputLen;
const blockLen = this.blockLen;
const pad = new Uint8Array(blockLen);
pad.set(
key.length > blockLen ? hash2.create().update(key).digest() : key,
);
for (let i = 0; i < pad.length; i++) pad[i] ^= 54;
this.iHash.update(pad);
this.oHash = hash2.create();
for (let i = 0; i < pad.length; i++) pad[i] ^= 54 ^ 92;
this.oHash.update(pad);
pad.fill(0);
}
update(buf) {
exists(this);
this.iHash.update(buf);
return this;
}
digestInto(out) {
exists(this);
bytes(out, this.outputLen);
this.finished = true;
this.iHash.digestInto(out);
this.oHash.update(out);
this.oHash.digestInto(out);
this.destroy();
}
digest() {
const out = new Uint8Array(this.oHash.outputLen);
this.digestInto(out);
return out;
}
_cloneInto(to) {
to || (to = Object.create(Object.getPrototypeOf(this), {}));
const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
to = to;
to.finished = finished;
to.destroyed = destroyed;
to.blockLen = blockLen;
to.outputLen = outputLen;
to.oHash = oHash._cloneInto(to.oHash);
to.iHash = iHash._cloneInto(to.iHash);
return to;
}
destroy() {
this.destroyed = true;
this.oHash.destroy();
this.iHash.destroy();
}
};
var hmac = (hash2, key, message) =>
new HMAC(hash2, key).update(message).digest();
hmac.create = (hash2, key) => new HMAC(hash2, key);
// ../esm/_shortw_utils.js
function getHash(hash2) {
return {
hash: hash2,
hmac: (key, ...msgs) => hmac(hash2, key, concatBytes2(...msgs)),
randomBytes,
};
}
function createCurve(curveDef, defHash) {
const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
return Object.freeze({ ...create(defHash), create });
}
// ../esm/secp256k1.js
var secp256k1P = BigInt(
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f",
);
var secp256k1N = BigInt(
"0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
);
var _1n5 = BigInt(1);
var _2n4 = BigInt(2);
var divNearest = (a, b) => (a + b / _2n4) / b;
function sqrtMod(y) {
const P3 = secp256k1P;
const _3n6 = BigInt(3),
_6n = BigInt(6),
_11n2 = BigInt(11),
_22n2 = BigInt(22);
const _23n = BigInt(23),
_44n2 = BigInt(44),
_88n2 = BigInt(88);
const b2 = (y * y * y) % P3;
const b3 = (b2 * b2 * y) % P3;
const b6 = (pow2(b3, _3n6, P3) * b3) % P3;
const b9 = (pow2(b6, _3n6, P3) * b3) % P3;
const b11 = (pow2(b9, _2n4, P3) * b2) % P3;
const b22 = (pow2(b11, _11n2, P3) * b11) % P3;
const b44 = (pow2(b22, _22n2, P3) * b22) % P3;
const b88 = (pow2(b44, _44n2, P3) * b44) % P3;
const b176 = (pow2(b88, _88n2, P3) * b88) % P3;
const b220 = (pow2(b176, _44n2, P3) * b44) % P3;
const b223 = (pow2(b220, _3n6, P3) * b3) % P3;
const t1 = (pow2(b223, _23n, P3) * b22) % P3;
const t2 = (pow2(t1, _6n, P3) * b2) % P3;
const root = pow2(t2, _2n4, P3);
if (!Fp.eql(Fp.sqr(root), y)) throw new Error("Cannot find square root");
return root;
}
var Fp = Field(secp256k1P, void 0, void 0, { sqrt: sqrtMod });
var secp256k1 = createCurve(
{
a: BigInt(0),
b: BigInt(7),
Fp,
n: secp256k1N,
// Base point (x, y) aka generator point
Gx: BigInt(
"55066263022277343669578718895168534326250603453777594175500187360389116729240",
),
Gy: BigInt(
"32670510020758816978083085130507043184471273380659243275938904335757337482424",
),
h: BigInt(1),
lowS: true,
/**
* secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
* Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
* For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
* Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
*/
endo: {
beta: BigInt(
"0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee",
),
splitScalar: (k) => {
const n = secp256k1N;
const a1 = BigInt("0x3086d221a7d46bcde86c90e49284eb15");
const b1 = -_1n5 * BigInt("0xe4437ed6010e88286f547fa90abfe4c3");
const a2 = BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8");
const b2 = a1;
const POW_2_128 = BigInt("0x100000000000000000000000000000000");
const c1 = divNearest(b2 * k, n);
const c2 = divNearest(-b1 * k, n);
let k1 = mod(k - c1 * a1 - c2 * a2, n);
let k2 = mod(-c1 * b1 - c2 * b2, n);
const k1neg = k1 > POW_2_128;
const k2neg = k2 > POW_2_128;
if (k1neg) k1 = n - k1;
if (k2neg) k2 = n - k2;
if (k1 > POW_2_128 || k2 > POW_2_128) {
throw new Error("splitScalar: Endomorphism failed, k=" + k);
}
return { k1neg, k1, k2neg, k2 };
},
},
},
sha256,
);
var _0n5 = BigInt(0);
var fe = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1P;
var ge = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1N;
var TAGGED_HASH_PREFIXES = {};
function taggedHash(tag, ...messages) {
let tagP = TAGGED_HASH_PREFIXES[tag];
if (tagP === void 0) {
const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
tagP = concatBytes(tagH, tagH);
TAGGED_HASH_PREFIXES[tag] = tagP;
}
return sha256(concatBytes(tagP, ...messages));
}
var pointToBytes = (point) => point.toRawBytes(true).slice(1);
var numTo32b = (n) => numberToBytesBE(n, 32);
var modP = (x) => mod(x, secp256k1P);
var modN = (x) => mod(x, secp256k1N);
var Point = secp256k1.ProjectivePoint;
var GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
function schnorrGetExtPubKey(priv) {
let d_ = secp256k1.utils.normPrivateKeyToScalar(priv);
let p = Point.fromPrivateKey(d_);
const scalar = p.hasEvenY() ? d_ : modN(-d_);
return { scalar, bytes: pointToBytes(p) };
}
function lift_x(x) {
if (!fe(x)) throw new Error("bad x: need 0 < x < p");
const xx = modP(x * x);
const c = modP(xx * x + BigInt(7));
let y = sqrtMod(c);
if (y % _2n4 !== _0n5) y = modP(-y);
const p = new Point(x, y, _1n5);
p.assertValidity();
return p;
}
function challenge(...args) {
return modN(bytesToNumberBE(taggedHash("BIP0340/challenge", ...args)));
}
function schnorrGetPublicKey(privateKey) {
return schnorrGetExtPubKey(privateKey).bytes;
}
function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
const m = ensureBytes("message", message);
const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
const a = ensureBytes("auxRand", auxRand, 32);
const t = numTo32b(d ^ bytesToNumberBE(taggedHash("BIP0340/aux", a)));
const rand = taggedHash("BIP0340/nonce", t, px, m);
const k_ = modN(bytesToNumberBE(rand));
if (k_ === _0n5) throw new Error("sign failed: k is zero");
const { bytes: rx, scalar: k } = schnorrGetExtPubKey(k_);
const e = challenge(rx, px, m);
const sig = new Uint8Array(64);
sig.set(rx, 0);
sig.set(numTo32b(modN(k + e * d)), 32);
if (!schnorrVerify(sig, m, px))
throw new Error("sign: Invalid signature produced");
return sig;
}
function schnorrVerify(signature, message, publicKey) {
const sig = ensureBytes("signature", signature, 64);
const m = ensureBytes("message", message);
const pub = ensureBytes("publicKey", publicKey, 32);
try {
const P3 = lift_x(bytesToNumberBE(pub));
const r = bytesToNumberBE(sig.subarray(0, 32));
if (!fe(r)) return false;
const s = bytesToNumberBE(sig.subarray(32, 64));
if (!ge(s)) return false;
const e = challenge(numTo32b(r), pointToBytes(P3), m);
const R = GmulAdd(P3, s, modN(-e));
if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false;
return true;
} catch (error) {
return false;
}
}
var schnorr = /* @__PURE__ */ (() => ({
getPublicKey: schnorrGetPublicKey,
sign: schnorrSign,
verify: schnorrVerify,
utils: {
randomPrivateKey: secp256k1.utils.randomPrivateKey,
lift_x,
pointToBytes,
numberToBytesBE,
bytesToNumberBE,
taggedHash,
mod,
},
}))();
// ../node_modules/@noble/hashes/esm/_u64.js
var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
var _32n = /* @__PURE__ */ BigInt(32);
function fromBig(n, le = false) {
if (le)
return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
return {
h: Number((n >> _32n) & U32_MASK64) | 0,
l: Number(n & U32_MASK64) | 0,
};
}
function split(lst, le = false) {
let Ah = new Uint32Array(lst.length);
let Al = new Uint32Array(lst.length);
for (let i = 0; i < lst.length; i++) {
const { h, l } = fromBig(lst[i], le);
[Ah[i], Al[i]] = [h, l];
}
return [Ah, Al];
}
var toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);
var shrSH = (h, _l, s) => h >>> s;
var shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
var rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
var rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
var rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
var rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
var rotr32H = (_h, l) => l;
var rotr32L = (h, _l) => h;
var rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
var rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
var rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
var rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
function add(Ah, Al, Bh, Bl) {
const l = (Al >>> 0) + (Bl >>> 0);
return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
}
var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
var add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
var add4L = (Al, Bl, Cl, Dl) =>
(Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
var add4H = (low, Ah, Bh, Ch, Dh) =>
(Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
var add5L = (Al, Bl, Cl, Dl, El) =>
(Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
var add5H = (low, Ah, Bh, Ch, Dh, Eh) =>
(Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
var u64 = {
fromBig,
split,
toBig,
shrSH,
shrSL,
rotrSH,
rotrSL,
rotrBH,
rotrBL,
rotr32H,
rotr32L,
rotlSH,
rotlSL,
rotlBH,
rotlBL,
add,
add3L,
add3H,
add4L,
add4H,
add5H,
add5L,
};
var u64_default = u64;
// ../node_modules/@noble/hashes/esm/sha512.js
var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() =>
u64_default.split(
[
"0x428a2f98d728ae22",
"0x7137449123ef65cd",
"0xb5c0fbcfec4d3b2f",
"0xe9b5dba58189dbbc",
"0x3956c25bf348b538",
"0x59f111f1b605d019",
"0x923f82a4af194f9b",
"0xab1c5ed5da6d8118",
"0xd807aa98a3030242",
"0x12835b0145706fbe",
"0x243185be4ee4b28c",
"0x550c7dc3d5ffb4e2",
"0x72be5d74f27b896f",
"0x80deb1fe3b1696b1",
"0x9bdc06a725c71235",
"0xc19bf174cf692694",
"0xe49b69c19ef14ad2",
"0xefbe4786384f25e3",
"0x0fc19dc68b8cd5b5",
"0x240ca1cc77ac9c65",
"0x2de92c6f592b0275",
"0x4a7484aa6ea6e483",
"0x5cb0a9dcbd41fbd4",
"0x76f988da831153b5",
"0x983e5152ee66dfab",
"0xa831c66d2db43210",
"0xb00327c898fb213f",
"0xbf597fc7beef0ee4",
"0xc6e00bf33da88fc2",
"0xd5a79147930aa725",
"0x06ca6351e003826f",
"0x142929670a0e6e70",
"0x27b70a8546d22ffc",
"0x2e1b21385c26c926",
"0x4d2c6dfc5ac42aed",
"0x53380d139d95b3df",
"0x650a73548baf63de",
"0x766a0abb3c77b2a8",
"0x81c2c92e47edaee6",
"0x92722c851482353b",
"0xa2bfe8a14cf10364",
"0xa81a664bbc423001",
"0xc24b8b70d0f89791",
"0xc76c51a30654be30",
"0xd192e819d6ef5218",
"0xd69906245565a910",
"0xf40e35855771202a",
"0x106aa07032bbd1b8",
"0x19a4c116b8d2d0c8",
"0x1e376c085141ab53",
"0x2748774cdf8eeb99",
"0x34b0bcb5e19b48a8",
"0x391c0cb3c5c95a63",
"0x4ed8aa4ae3418acb",
"0x5b9cca4f7763e373",
"0x682e6ff3d6b2b8a3",
"0x748f82ee5defb2fc",
"0x78a5636f43172f60",
"0x84c87814a1f0ab72",
"0x8cc702081a6439ec",
"0x90befffa23631e28",
"0xa4506cebde82bde9",
"0xbef9a3f7b2c67915",
"0xc67178f2e372532b",
"0xca273eceea26619c",
"0xd186b8c721c0c207",
"0xeada7dd6cde0eb1e",
"0xf57d4f7fee6ed178",
"0x06f067aa72176fba",
"0x0a637dc5a2c898a6",
"0x113f9804bef90dae",
"0x1b710b35131c471b",
"0x28db77f523047d84",
"0x32caab7b40c72493",
"0x3c9ebe0a15c9bebc",
"0x431d67c49c100d4c",
"0x4cc5d4becb3e42b6",
"0x597f299cfc657e2a",
"0x5fcb6fab3ad6faec",
"0x6c44198c4a475817",
].map((n) => BigInt(n)),
))();
var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
var SHA512 = class extends SHA2 {
constructor() {
super(128, 64, 16, false);
this.Ah = 1779033703 | 0;
this.Al = 4089235720 | 0;
this.Bh = 3144134277 | 0;
this.Bl = 2227873595 | 0;
this.Ch = 1013904242 | 0;
this.Cl = 4271175723 | 0;
this.Dh = 2773480762 | 0;
this.Dl = 1595750129 | 0;
this.Eh = 1359893119 | 0;
this.El = 2917565137 | 0;
this.Fh = 2600822924 | 0;
this.Fl = 725511199 | 0;
this.Gh = 528734635 | 0;
this.Gl = 4215389547 | 0;
this.Hh = 1541459225 | 0;
this.Hl = 327033209 | 0;
}
// prettier-ignore
get() {
const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
}
// prettier-ignore
set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
this.Ah = Ah | 0;
this.Al = Al | 0;
this.Bh = Bh | 0;
this.Bl = Bl | 0;
this.Ch = Ch | 0;
this.Cl = Cl | 0;
this.Dh = Dh | 0;
this.Dl = Dl | 0;
this.Eh = Eh | 0;
this.El = El | 0;
this.Fh = Fh | 0;
this.Fl = Fl | 0;
this.Gh = Gh | 0;
this.Gl = Gl | 0;
this.Hh = Hh | 0;
this.Hl = Hl | 0;
}
process(view, offset) {
for (let i = 0; i < 16; i++, offset += 4) {
SHA512_W_H[i] = view.getUint32(offset);
SHA512_W_L[i] = view.getUint32((offset += 4));
}
for (let i = 16; i < 80; i++) {
const W15h = SHA512_W_H[i - 15] | 0;
const W15l = SHA512_W_L[i - 15] | 0;
const s0h =
u64_default.rotrSH(W15h, W15l, 1) ^
u64_default.rotrSH(W15h, W15l, 8) ^
u64_default.shrSH(W15h, W15l, 7);
const s0l =
u64_default.rotrSL(W15h, W15l, 1) ^
u64_default.rotrSL(W15h, W15l, 8) ^
u64_default.shrSL(W15h, W15l, 7);
const W2h = SHA512_W_H[i - 2] | 0;
const W2l = SHA512_W_L[i - 2] | 0;
const s1h =
u64_default.rotrSH(W2h, W2l, 19) ^
u64_default.rotrBH(W2h, W2l, 61) ^
u64_default.shrSH(W2h, W2l, 6);
const s1l =
u64_default.rotrSL(W2h, W2l, 19) ^
u64_default.rotrBL(W2h, W2l, 61) ^
u64_default.shrSL(W2h, W2l, 6);
const SUMl = u64_default.add4L(
s0l,
s1l,
SHA512_W_L[i - 7],
SHA512_W_L[i - 16],
);
const SUMh = u64_default.add4H(
SUMl,
s0h,
s1h,
SHA512_W_H[i - 7],
SHA512_W_H[i - 16],
);
SHA512_W_H[i] = SUMh | 0;
SHA512_W_L[i] = SUMl | 0;
}
let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } =
this;
for (let i = 0; i < 80; i++) {
const sigma1h =
u64_default.rotrSH(Eh, El, 14) ^
u64_default.rotrSH(Eh, El, 18) ^
u64_default.rotrBH(Eh, El, 41);
const sigma1l =
u64_default.rotrSL(Eh, El, 14) ^
u64_default.rotrSL(Eh, El, 18) ^
u64_default.rotrBL(Eh, El, 41);
const CHIh = (Eh & Fh) ^ (~Eh & Gh);
const CHIl = (El & Fl) ^ (~El & Gl);
const T1ll = u64_default.add5L(
Hl,
sigma1l,
CHIl,
SHA512_Kl[i],
SHA512_W_L[i],
);
const T1h = u64_default.add5H(
T1ll,
Hh,
sigma1h,
CHIh,
SHA512_Kh[i],
SHA512_W_H[i],
);
const T1l = T1ll | 0;
const sigma0h =
u64_default.rotrSH(Ah, Al, 28) ^
u64_default.rotrBH(Ah, Al, 34) ^
u64_default.rotrBH(Ah, Al, 39);
const sigma0l =
u64_default.rotrSL(Ah, Al, 28) ^
u64_default.rotrBL(Ah, Al, 34) ^
u64_default.rotrBL(Ah, Al, 39);
const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
Hh = Gh | 0;
Hl = Gl | 0;
Gh = Fh | 0;
Gl = Fl | 0;
Fh = Eh | 0;
Fl = El | 0;
({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
Dh = Ch | 0;
Dl = Cl | 0;
Ch = Bh | 0;
Cl = Bl | 0;
Bh = Ah | 0;
Bl = Al | 0;
const All = u64_default.add3L(T1l, sigma0l, MAJl);
Ah = u64_default.add3H(All, T1h, sigma0h, MAJh);
Al = All | 0;
}
({ h: Ah, l: Al } = u64_default.add(
this.Ah | 0,
this.Al | 0,
Ah | 0,
Al | 0,
));
({ h: Bh, l: Bl } = u64_default.add(
this.Bh | 0,
this.Bl | 0,
Bh | 0,
Bl | 0,
));
({ h: Ch, l: Cl } = u64_default.add(
this.Ch | 0,
this.Cl | 0,
Ch | 0,
Cl | 0,
));
({ h: Dh, l: Dl } = u64_default.add(
this.Dh | 0,
this.Dl | 0,
Dh | 0,
Dl | 0,
));
({ h: Eh, l: El } = u64_default.add(
this.Eh | 0,
this.El | 0,
Eh | 0,
El | 0,
));
({ h: Fh, l: Fl } = u64_default.add(
this.Fh | 0,
this.Fl | 0,
Fh | 0,
Fl | 0,
));
({ h: Gh, l: Gl } = u64_default.add(
this.Gh | 0,
this.Gl | 0,
Gh | 0,
Gl | 0,
));
({ h: Hh, l: Hl } = u64_default.add(
this.Hh | 0,
this.Hl | 0,
Hh | 0,
Hl | 0,
));
this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
}
roundClean() {
SHA512_W_H.fill(0);
SHA512_W_L.fill(0);
}
destroy() {
this.buffer.fill(0);
this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
}
};
var SHA384 = class extends SHA512 {
constructor() {
super();
this.Ah = 3418070365 | 0;
this.Al = 3238371032 | 0;
this.Bh = 1654270250 | 0;
this.Bl = 914150663 | 0;
this.Ch = 2438529370 | 0;
this.Cl = 812702999 | 0;
this.Dh = 355462360 | 0;
this.Dl = 4144912697 | 0;
this.Eh = 1731405415 | 0;
this.El = 4290775857 | 0;
this.Fh = 2394180231 | 0;
this.Fl = 1750603025 | 0;
this.Gh = 3675008525 | 0;
this.Gl = 1694076839 | 0;
this.Hh = 1203062813 | 0;
this.Hl = 3204075428 | 0;
this.outputLen = 48;
}
};
var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
var sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384());
// ../esm/abstract/edwards.js
var _0n6 = BigInt(0);
var _1n6 = BigInt(1);
var _2n5 = BigInt(2);
var _8n2 = BigInt(8);
var VERIFY_DEFAULT = { zip215: true };
function validateOpts2(curve) {
const opts = validateBasic(curve);
validateObject(
curve,
{
hash: "function",
a: "bigint",
d: "bigint",
randomBytes: "function",
},
{
adjustScalarBytes: "function",
domain: "function",
uvRatio: "function",
mapToCurve: "function",
},
);
return Object.freeze({ ...opts });
}
function twistedEdwards(curveDef) {
const CURVE2 = validateOpts2(curveDef);
const {
Fp: Fp8,
n: CURVE_ORDER,
prehash,
hash: cHash,
randomBytes: randomBytes2,
nByteLength,
h: cofactor,
} = CURVE2;
const MASK = _2n5 << (BigInt(nByteLength * 8) - _1n6);
const modP2 = Fp8.create;
const uvRatio3 =
CURVE2.uvRatio ||
((u, v) => {
try {
return { isValid: true, value: Fp8.sqrt(u * Fp8.inv(v)) };
} catch (e) {
return { isValid: false, value: _0n6 };
}
});
const adjustScalarBytes3 = CURVE2.adjustScalarBytes || ((bytes2) => bytes2);
const domain =
CURVE2.domain ||
((data, ctx, phflag) => {
if (ctx.length || phflag)
throw new Error("Contexts/pre-hash are not supported");
return data;
});
const inBig = (n) => typeof n === "bigint" && _0n6 < n;
const inRange = (n, max) => inBig(n) && inBig(max) && n < max;
const in0MaskRange = (n) => n === _0n6 || inRange(n, MASK);
function assertInRange(n, max) {
if (inRange(n, max)) return n;
throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
}
function assertGE0(n) {
return n === _0n6 ? n : assertInRange(n, CURVE_ORDER);
}
const pointPrecomputes = /* @__PURE__ */ new Map();
function isPoint(other) {
if (!(other instanceof Point2)) throw new Error("ExtendedPoint expected");
}
class Point2 {
constructor(ex, ey, ez, et) {
this.ex = ex;
this.ey = ey;
this.ez = ez;
this.et = et;
if (!in0MaskRange(ex)) throw new Error("x required");
if (!in0MaskRange(ey)) throw new Error("y required");
if (!in0MaskRange(ez)) throw new Error("z required");
if (!in0MaskRange(et)) throw new Error("t required");
}
get x() {
return this.toAffine().x;
}
get y() {
return this.toAffine().y;
}
static fromAffine(p) {
if (p instanceof Point2) throw new Error("extended point not allowed");
const { x, y } = p || {};
if (!in0MaskRange(x) || !in0MaskRange(y))
throw new Error("invalid affine point");
return new Point2(x, y, _1n6, modP2(x * y));
}
static normalizeZ(points) {
const toInv = Fp8.invertBatch(points.map((p) => p.ez));
return points
.map((p, i) => p.toAffine(toInv[i]))
.map(Point2.fromAffine);
}
// "Private method", don't use it directly
_setWindowSize(windowSize) {
this._WINDOW_SIZE = windowSize;
pointPrecomputes.delete(this);
}
// Not required for fromHex(), which always creates valid points.
// Could be useful for fromAffine().
assertValidity() {
const { a, d } = CURVE2;
if (this.is0()) throw new Error("bad point: ZERO");
const { ex: X, ey: Y, ez: Z, et: T } = this;
const X2 = modP2(X * X);
const Y2 = modP2(Y * Y);
const Z2 = modP2(Z * Z);
const Z4 = modP2(Z2 * Z2);
const aX2 = modP2(X2 * a);
const left = modP2(Z2 * modP2(aX2 + Y2));
const right = modP2(Z4 + modP2(d * modP2(X2 * Y2)));
if (left !== right)
throw new Error("bad point: equation left != right (1)");
const XY = modP2(X * Y);
const ZT = modP2(Z * T);
if (XY !== ZT) throw new Error("bad point: equation left != right (2)");
}
// Compare one point to another.
equals(other) {
isPoint(other);
const { ex: X1, ey: Y1, ez: Z1 } = this;
const { ex: X2, ey: Y2, ez: Z2 } = other;
const X1Z2 = modP2(X1 * Z2);
const X2Z1 = modP2(X2 * Z1);
const Y1Z2 = modP2(Y1 * Z2);
const Y2Z1 = modP2(Y2 * Z1);
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
}
is0() {
return this.equals(Point2.ZERO);
}
negate() {
return new Point2(modP2(-this.ex), this.ey, this.ez, modP2(-this.et));
}
// Fast algo for doubling Extended Point.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
// Cost: 4M + 4S + 1*a + 6add + 1*2.
double() {
const { a } = CURVE2;
const { ex: X1, ey: Y1, ez: Z1 } = this;
const A = modP2(X1 * X1);
const B = modP2(Y1 * Y1);
const C = modP2(_2n5 * modP2(Z1 * Z1));
const D = modP2(a * A);
const x1y1 = X1 + Y1;
const E = modP2(modP2(x1y1 * x1y1) - A - B);
const G2 = D + B;
const F = G2 - C;
const H = D - B;
const X3 = modP2(E * F);
const Y3 = modP2(G2 * H);
const T3 = modP2(E * H);
const Z3 = modP2(F * G2);
return new Point2(X3, Y3, Z3, T3);
}
// Fast algo for adding 2 Extended Points.
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
// Cost: 9M + 1*a + 1*d + 7add.
add(other) {
isPoint(other);
const { a, d } = CURVE2;
const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
if (a === BigInt(-1)) {
const A2 = modP2((Y1 - X1) * (Y2 + X2));
const B2 = modP2((Y1 + X1) * (Y2 - X2));
const F2 = modP2(B2 - A2);
if (F2 === _0n6) return this.double();
const C2 = modP2(Z1 * _2n5 * T2);
const D2 = modP2(T1 * _2n5 * Z2);
const E2 = D2 + C2;
const G3 = B2 + A2;
const H2 = D2 - C2;
const X32 = modP2(E2 * F2);
const Y32 = modP2(G3 * H2);
const T32 = modP2(E2 * H2);
const Z32 = modP2(F2 * G3);
return new Point2(X32, Y32, Z32, T32);
}
const A = modP2(X1 * X2);
const B = modP2(Y1 * Y2);
const C = modP2(T1 * d * T2);
const D = modP2(Z1 * Z2);
const E = modP2((X1 + Y1) * (X2 + Y2) - A - B);
const F = D - C;
const G2 = D + C;
const H = modP2(B - a * A);
const X3 = modP2(E * F);
const Y3 = modP2(G2 * H);
const T3 = modP2(E * H);
const Z3 = modP2(F * G2);
return new Point2(X3, Y3, Z3, T3);
}
subtract(other) {
return this.add(other.negate());
}
wNAF(n) {
return wnaf.wNAFCached(this, pointPrecomputes, n, Point2.normalizeZ);
}
// Constant-time multiplication.
multiply(scalar) {
const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
return Point2.normalizeZ([p, f])[0];
}
// Non-constant-time multiplication. Uses double-and-add algorithm.
// It's faster, but should only be used when you don't care about
// an exposed private key e.g. sig verification.
// Does NOT allow scalars higher than CURVE.n.
multiplyUnsafe(scalar) {
let n = assertGE0(scalar);
if (n === _0n6) return I;
if (this.equals(I) || n === _1n6) return this;
if (this.equals(G)) return this.wNAF(n).p;
return wnaf.unsafeLadder(this, n);
}
// Checks if point is of small order.
// If you add something to small order point, you will have "dirty"
// point with torsion component.
// Multiplies point by cofactor and checks if the result is 0.
isSmallOrder() {
return this.multiplyUnsafe(cofactor).is0();
}
// Multiplies point by curve order and checks if the result is 0.
// Returns `false` is the point is dirty.
isTorsionFree() {
return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
}
// Converts Extended point to default (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
toAffine(iz) {
const { ex: x, ey: y, ez: z } = this;
const is0 = this.is0();
if (iz == null) iz = is0 ? _8n2 : Fp8.inv(z);
const ax = modP2(x * iz);
const ay = modP2(y * iz);
const zz = modP2(z * iz);
if (is0) return { x: _0n6, y: _1n6 };
if (zz !== _1n6) throw new Error("invZ was invalid");
return { x: ax, y: ay };
}
clearCofactor() {
const { h: cofactor2 } = CURVE2;
if (cofactor2 === _1n6) return this;
return this.multiplyUnsafe(cofactor2);
}
// Converts hash string or Uint8Array to Point.
// Uses algo from RFC8032 5.1.3.
static fromHex(hex, zip215 = false) {
const { d, a } = CURVE2;
const len = Fp8.BYTES;
hex = ensureBytes("pointHex", hex, len);
const normed = hex.slice();
const lastByte = hex[len - 1];
normed[len - 1] = lastByte & ~128;
const y = bytesToNumberLE(normed);
if (y === _0n6) {
} else {
if (zip215) assertInRange(y, MASK);
else assertInRange(y, Fp8.ORDER);
}
const y2 = modP2(y * y);
const u = modP2(y2 - _1n6);
const v = modP2(d * y2 - a);
let { isValid, value: x } = uvRatio3(u, v);
if (!isValid) throw new Error("Point.fromHex: invalid y coordinate");
const isXOdd = (x & _1n6) === _1n6;
const isLastByteOdd = (lastByte & 128) !== 0;
if (!zip215 && x === _0n6 && isLastByteOdd)
throw new Error("Point.fromHex: x=0 and x_0=1");
if (isLastByteOdd !== isXOdd) x = modP2(-x);
return Point2.fromAffine({ x, y });
}
static fromPrivateKey(privKey) {
return getExtendedPublicKey(privKey).point;
}
toRawBytes() {
const { x, y } = this.toAffine();
const bytes2 = numberToBytesLE(y, Fp8.BYTES);
bytes2[bytes2.length - 1] |= x & _1n6 ? 128 : 0;
return bytes2;
}
toHex() {
return bytesToHex(this.toRawBytes());
}
}
Point2.BASE = new Point2(
CURVE2.Gx,
CURVE2.Gy,
_1n6,
modP2(CURVE2.Gx * CURVE2.Gy),
);
Point2.ZERO = new Point2(_0n6, _1n6, _1n6, _0n6);
const { BASE: G, ZERO: I } = Point2;
const wnaf = wNAF(Point2, nByteLength * 8);
function modN2(a) {
return mod(a, CURVE_ORDER);
}
function modN_LE(hash2) {
return modN2(bytesToNumberLE(hash2));
}
function getExtendedPublicKey(key) {
const len = nByteLength;
key = ensureBytes("private key", key, len);
const hashed = ensureBytes("hashed private key", cHash(key), 2 * len);
const head = adjustScalarBytes3(hashed.slice(0, len));
const prefix = hashed.slice(len, 2 * len);
const scalar = modN_LE(head);
const point = G.multiply(scalar);
const pointBytes = point.toRawBytes();
return { head, prefix, scalar, point, pointBytes };
}
function getPublicKey(privKey) {
return getExtendedPublicKey(privKey).pointBytes;
}
function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
const msg = concatBytes(...msgs);
return modN_LE(
cHash(domain(msg, ensureBytes("context", context), !!prehash)),
);
}
function sign(msg, privKey, options = {}) {
msg = ensureBytes("message", msg);
if (prehash) msg = prehash(msg);
const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
const r = hashDomainToScalar(options.context, prefix, msg);
const R = G.multiply(r).toRawBytes();
const k = hashDomainToScalar(options.context, R, pointBytes, msg);
const s = modN2(r + k * scalar);
assertGE0(s);
const res = concatBytes(R, numberToBytesLE(s, Fp8.BYTES));
return ensureBytes("result", res, nByteLength * 2);
}
const verifyOpts = VERIFY_DEFAULT;
function verify(sig, msg, publicKey, options = verifyOpts) {
const { context, zip215 } = options;
const len = Fp8.BYTES;
sig = ensureBytes("signature", sig, 2 * len);
msg = ensureBytes("message", msg);
if (prehash) msg = prehash(msg);
const s = bytesToNumberLE(sig.slice(len, 2 * len));
let A, R, SB;
try {
A = Point2.fromHex(publicKey, zip215);
R = Point2.fromHex(sig.slice(0, len), zip215);
SB = G.multiplyUnsafe(s);
} catch (error) {
return false;
}
if (!zip215 && A.isSmallOrder()) return false;
const k = hashDomainToScalar(
context,
R.toRawBytes(),
A.toRawBytes(),
msg,
);
const RkA = R.add(A.multiplyUnsafe(k));
return RkA.subtract(SB).clearCofactor().equals(Point2.ZERO);
}
G._setWindowSize(8);
const utils2 = {
getExtendedPublicKey,
// ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
randomPrivateKey: () => randomBytes2(Fp8.BYTES),
/**
* We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
* values. This slows down first getPublicKey() by milliseconds (see Speed section),
* but allows to speed-up subsequent getPublicKey() calls up to 20x.
* @param windowSize 2, 4, 8, 16
*/
precompute(windowSize = 8, point = Point2.BASE) {
point._setWindowSize(windowSize);
point.multiply(BigInt(3));
return point;
},
};
return {
CURVE: CURVE2,
getPublicKey,
sign,
verify,
ExtendedPoint: Point2,
utils: utils2,
};
}
// ../esm/abstract/montgomery.js
var _0n7 = BigInt(0);
var _1n7 = BigInt(1);
function validateOpts3(curve) {
validateObject(
curve,
{
a: "bigint",
},
{
montgomeryBits: "isSafeInteger",
nByteLength: "isSafeInteger",
adjustScalarBytes: "function",
domain: "function",
powPminus2: "function",
Gu: "bigint",
},
);
return Object.freeze({ ...curve });
}
function montgomery(curveDef) {
const CURVE2 = validateOpts3(curveDef);
const { P: P3 } = CURVE2;
const modP2 = (n) => mod(n, P3);
const montgomeryBits = CURVE2.montgomeryBits;
const montgomeryBytes = Math.ceil(montgomeryBits / 8);
const fieldLen = CURVE2.nByteLength;
const adjustScalarBytes3 = CURVE2.adjustScalarBytes || ((bytes2) => bytes2);
const powPminus2 = CURVE2.powPminus2 || ((x) => pow(x, P3 - BigInt(2), P3));
function cswap(swap, x_2, x_3) {
const dummy = modP2(swap * (x_2 - x_3));
x_2 = modP2(x_2 - dummy);
x_3 = modP2(x_3 + dummy);
return [x_2, x_3];
}
function assertFieldElement(n) {
if (typeof n === "bigint" && _0n7 <= n && n < P3) return n;
throw new Error("Expected valid scalar 0 < scalar < CURVE.P");
}
const a24 = (CURVE2.a - BigInt(2)) / BigInt(4);
function montgomeryLadder(pointU, scalar) {
const u = assertFieldElement(pointU);
const k = assertFieldElement(scalar);
const x_1 = u;
let x_2 = _1n7;
let z_2 = _0n7;
let x_3 = u;
let z_3 = _1n7;
let swap = _0n7;
let sw;
for (let t = BigInt(montgomeryBits - 1); t >= _0n7; t--) {
const k_t = (k >> t) & _1n7;
swap ^= k_t;
sw = cswap(swap, x_2, x_3);
x_2 = sw[0];
x_3 = sw[1];
sw = cswap(swap, z_2, z_3);
z_2 = sw[0];
z_3 = sw[1];
swap = k_t;
const A = x_2 + z_2;
const AA = modP2(A * A);
const B = x_2 - z_2;
const BB = modP2(B * B);
const E = AA - BB;
const C = x_3 + z_3;
const D = x_3 - z_3;
const DA = modP2(D * A);
const CB = modP2(C * B);
const dacb = DA + CB;
const da_cb = DA - CB;
x_3 = modP2(dacb * dacb);
z_3 = modP2(x_1 * modP2(da_cb * da_cb));
x_2 = modP2(AA * BB);
z_2 = modP2(E * (AA + modP2(a24 * E)));
}
sw = cswap(swap, x_2, x_3);
x_2 = sw[0];
x_3 = sw[1];
sw = cswap(swap, z_2, z_3);
z_2 = sw[0];
z_3 = sw[1];
const z2 = powPminus2(z_2);
return modP2(x_2 * z2);
}
function encodeUCoordinate(u) {
return numberToBytesLE(modP2(u), montgomeryBytes);
}
function decodeUCoordinate(uEnc) {
const u = ensureBytes("u coordinate", uEnc, montgomeryBytes);
if (fieldLen === montgomeryBytes) u[fieldLen - 1] &= 127;
return bytesToNumberLE(u);
}
function decodeScalar(n) {
const bytes2 = ensureBytes("scalar", n);
if (bytes2.length !== montgomeryBytes && bytes2.length !== fieldLen)
throw new Error(
`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes2.length}`,
);
return bytesToNumberLE(adjustScalarBytes3(bytes2));
}
function scalarMult(scalar, u) {
const pointU = decodeUCoordinate(u);
const _scalar = decodeScalar(scalar);
const pu = montgomeryLadder(pointU, _scalar);
if (pu === _0n7)
throw new Error("Invalid private or public key received");
return encodeUCoordinate(pu);
}
const GuBytes = encodeUCoordinate(CURVE2.Gu);
function scalarMultBase(scalar) {
return scalarMult(scalar, GuBytes);
}
return {
scalarMult,
scalarMultBase,
getSharedSecret: (privateKey, publicKey) =>
scalarMult(privateKey, publicKey),
getPublicKey: (privateKey) => scalarMultBase(privateKey),
utils: { randomPrivateKey: () => CURVE2.randomBytes(CURVE2.nByteLength) },
GuBytes,
};
}
// ../esm/ed25519.js
var ED25519_P = BigInt(
"57896044618658097711785492504343953926634992332820282019728792003956564819949",
);
var ED25519_SQRT_M1 = BigInt(
"19681161376707505956807079304988542015446066515923890162744021073123829784752",
);
var _0n8 = BigInt(0);
var _1n8 = BigInt(1);
var _2n6 = BigInt(2);
var _5n2 = BigInt(5);
var _10n = BigInt(10);
var _20n = BigInt(20);
var _40n = BigInt(40);
var _80n = BigInt(80);
function ed25519_pow_2_252_3(x) {
const P3 = ED25519_P;
const x2 = (x * x) % P3;
const b2 = (x2 * x) % P3;
const b4 = (pow2(b2, _2n6, P3) * b2) % P3;
const b5 = (pow2(b4, _1n8, P3) * x) % P3;
const b10 = (pow2(b5, _5n2, P3) * b5) % P3;
const b20 = (pow2(b10, _10n, P3) * b10) % P3;
const b40 = (pow2(b20, _20n, P3) * b20) % P3;
const b80 = (pow2(b40, _40n, P3) * b40) % P3;
const b160 = (pow2(b80, _80n, P3) * b80) % P3;
const b240 = (pow2(b160, _80n, P3) * b80) % P3;
const b250 = (pow2(b240, _10n, P3) * b10) % P3;
const pow_p_5_8 = (pow2(b250, _2n6, P3) * x) % P3;
return { pow_p_5_8, b2 };
}
function adjustScalarBytes(bytes2) {
bytes2[0] &= 248;
bytes2[31] &= 127;
bytes2[31] |= 64;
return bytes2;
}
function uvRatio(u, v) {
const P3 = ED25519_P;
const v3 = mod(v * v * v, P3);
const v7 = mod(v3 * v3 * v, P3);
const pow3 = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
let x = mod(u * v3 * pow3, P3);
const vx2 = mod(v * x * x, P3);
const root1 = x;
const root2 = mod(x * ED25519_SQRT_M1, P3);
const useRoot1 = vx2 === u;
const useRoot2 = vx2 === mod(-u, P3);
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P3);
if (useRoot1) x = root1;
if (useRoot2 || noRoot) x = root2;
if (isNegativeLE(x, P3)) x = mod(-x, P3);
return { isValid: useRoot1 || useRoot2, value: x };
}
var Fp2 = Field(ED25519_P, void 0, true);
var ed25519Defaults = {
// Param: a
a: BigInt(-1),
// d is equal to -121665/121666 over finite field.
// Negative number is P - number, and division is invert(number, P)
d: BigInt(
"37095705934669439343138083508754565189542113879843219016388785533085940283555",
),
// Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
Fp: Fp2,
// Subgroup order: how many points curve has
// 2n**252n + 27742317777372353535851937790883648493n;
n: BigInt(
"7237005577332262213973186563042994240857116359379907606001950938285454250989",
),
// Cofactor
h: BigInt(8),
// Base point (x, y) aka generator point
Gx: BigInt(
"15112221349535400772501151409588531511454012693041857206046113283949847762202",
),
Gy: BigInt(
"46316835694926478169428394003475163141307993866256225615783033603165251855960",
),
hash: sha512,
randomBytes,
adjustScalarBytes,
// dom2
// Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
// Constant-time, u/√v
uvRatio,
};
var ed25519 = /* @__PURE__ */ twistedEdwards(ed25519Defaults);
function ed25519_domain(data, ctx, phflag) {
if (ctx.length > 255) throw new Error("Context is too big");
return concatBytes2(
utf8ToBytes2("SigEd25519 no Ed25519 collisions"),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data,
);
}
var ed25519ctx = /* @__PURE__ */ twistedEdwards({
...ed25519Defaults,
domain: ed25519_domain,
});
var ed25519ph = /* @__PURE__ */ twistedEdwards({
...ed25519Defaults,
domain: ed25519_domain,
prehash: sha512,
});
var x25519 = /* @__PURE__ */ (() =>
montgomery({
P: ED25519_P,
a: BigInt(486662),
montgomeryBits: 255,
nByteLength: 32,
Gu: BigInt(9),
powPminus2: (x) => {
const P3 = ED25519_P;
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
return mod(pow2(pow_p_5_8, BigInt(3), P3) * b2, P3);
},
adjustScalarBytes,
randomBytes,
}))();
function edwardsToMontgomeryPub(edwardsPub) {
const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
const _1n12 = BigInt(1);
return Fp2.toBytes(Fp2.create((_1n12 + y) * Fp2.inv(_1n12 - y)));
}
function edwardsToMontgomeryPriv(edwardsPriv) {
const hashed = ed25519Defaults.hash(edwardsPriv.subarray(0, 32));
return ed25519Defaults.adjustScalarBytes(hashed).subarray(0, 32);
}
var ELL2_C1 = (Fp2.ORDER + BigInt(3)) / BigInt(8);
var ELL2_C2 = Fp2.pow(_2n6, ELL2_C1);
var ELL2_C3 = Fp2.sqrt(Fp2.neg(Fp2.ONE));
var ELL2_C4 = (Fp2.ORDER - BigInt(5)) / BigInt(8);
var ELL2_J = BigInt(486662);
var ELL2_C1_EDWARDS = FpSqrtEven(Fp2, Fp2.neg(BigInt(486664)));
var SQRT_AD_MINUS_ONE = BigInt(
"25063068953384623474111414158702152701244531502492656460079210482610430750235",
);
var INVSQRT_A_MINUS_D = BigInt(
"54469307008909316920995813868745141605393597292927456921205312896311721017578",
);
var ONE_MINUS_D_SQ = BigInt(
"1159843021668779879193775521855586647937357759715417654439879720876111806838",
);
var D_MINUS_ONE_SQ = BigInt(
"40440834346308536858101042469323190826248399146238708352240133220865137265952",
);
var MAX_255B = BigInt(
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
);
// ../node_modules/@noble/hashes/esm/sha3.js
var [SHA3_PI, SHA3_ROTL, _SHA3_IOTA] = [[], [], []];
var _0n9 = /* @__PURE__ */ BigInt(0);
var _1n9 = /* @__PURE__ */ BigInt(1);
var _2n7 = /* @__PURE__ */ BigInt(2);
var _7n = /* @__PURE__ */ BigInt(7);
var _256n = /* @__PURE__ */ BigInt(256);
var _0x71n = /* @__PURE__ */ BigInt(113);
for (let round = 0, R = _1n9, x = 1, y = 0; round < 24; round++) {
[x, y] = [y, (2 * x + 3 * y) % 5];
SHA3_PI.push(2 * (5 * y + x));
SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);
let t = _0n9;
for (let j = 0; j < 7; j++) {
R = ((R << _1n9) ^ ((R >> _7n) * _0x71n)) % _256n;
if (R & _2n7) t ^= _1n9 << ((_1n9 << /* @__PURE__ */ BigInt(j)) - _1n9);
}
_SHA3_IOTA.push(t);
}
var [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true);
var rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));
var rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));
function keccakP(s, rounds = 24) {
const B = new Uint32Array(5 * 2);
for (let round = 24 - rounds; round < 24; round++) {
for (let x = 0; x < 10; x++)
B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
for (let x = 0; x < 10; x += 2) {
const idx1 = (x + 8) % 10;
const idx0 = (x + 2) % 10;
const B0 = B[idx0];
const B1 = B[idx0 + 1];
const Th = rotlH(B0, B1, 1) ^ B[idx1];
const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
for (let y = 0; y < 50; y += 10) {
s[x + y] ^= Th;
s[x + y + 1] ^= Tl;
}
}
let curH = s[2];
let curL = s[3];
for (let t = 0; t < 24; t++) {
const shift = SHA3_ROTL[t];
const Th = rotlH(curH, curL, shift);
const Tl = rotlL(curH, curL, shift);
const PI = SHA3_PI[t];
curH = s[PI];
curL = s[PI + 1];
s[PI] = Th;
s[PI + 1] = Tl;
}
for (let y = 0; y < 50; y += 10) {
for (let x = 0; x < 10; x++) B[x] = s[y + x];
for (let x = 0; x < 10; x++)
s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
}
s[0] ^= SHA3_IOTA_H[round];
s[1] ^= SHA3_IOTA_L[round];
}
B.fill(0);
}
var Keccak = class _Keccak extends Hash {
// NOTE: we accept arguments in bytes instead of bits here.
constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
super();
this.blockLen = blockLen;
this.suffix = suffix;
this.outputLen = outputLen;
this.enableXOF = enableXOF;
this.rounds = rounds;
this.pos = 0;
this.posOut = 0;
this.finished = false;
this.destroyed = false;
number(outputLen);
if (0 >= this.blockLen || this.blockLen >= 200)
throw new Error("Sha3 supports only keccak-f1600 function");
this.state = new Uint8Array(200);
this.state32 = u32(this.state);
}
keccak() {
keccakP(this.state32, this.rounds);
this.posOut = 0;
this.pos = 0;
}
update(data) {
exists(this);
const { blockLen, state } = this;
data = toBytes(data);
const len = data.length;
for (let pos = 0; pos < len; ) {
const take = Math.min(blockLen - this.pos, len - pos);
for (let i = 0; i < take; i++) state[this.pos++] ^= data[pos++];
if (this.pos === blockLen) this.keccak();
}
return this;
}
finish() {
if (this.finished) return;
this.finished = true;
const { state, suffix, pos, blockLen } = this;
state[pos] ^= suffix;
if ((suffix & 128) !== 0 && pos === blockLen - 1) this.keccak();
state[blockLen - 1] ^= 128;
this.keccak();
}
writeInto(out) {
exists(this, false);
bytes(out);
this.finish();
const bufferOut = this.state;
const { blockLen } = this;
for (let pos = 0, len = out.length; pos < len; ) {
if (this.posOut >= blockLen) this.keccak();
const take = Math.min(blockLen - this.posOut, len - pos);
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
this.posOut += take;
pos += take;
}
return out;
}
xofInto(out) {
if (!this.enableXOF)
throw new Error("XOF is not possible for this instance");
return this.writeInto(out);
}
xof(bytes2) {
number(bytes2);
return this.xofInto(new Uint8Array(bytes2));
}
digestInto(out) {
output(out, this);
if (this.finished) throw new Error("digest() was already called");
this.writeInto(out);
this.destroy();
return out;
}
digest() {
return this.digestInto(new Uint8Array(this.outputLen));
}
destroy() {
this.destroyed = true;
this.state.fill(0);
}
_cloneInto(to) {
const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
to.state32.set(this.state32);
to.pos = this.pos;
to.posOut = this.posOut;
to.finished = this.finished;
to.rounds = rounds;
to.suffix = suffix;
to.outputLen = outputLen;
to.enableXOF = enableXOF;
to.destroyed = this.destroyed;
return to;
}
};
var gen = (suffix, blockLen, outputLen) =>
wrapConstructor(() => new Keccak(blockLen, suffix, outputLen));
var sha3_224 = /* @__PURE__ */ gen(6, 144, 224 / 8);
var sha3_256 = /* @__PURE__ */ gen(6, 136, 256 / 8);
var sha3_384 = /* @__PURE__ */ gen(6, 104, 384 / 8);
var sha3_512 = /* @__PURE__ */ gen(6, 72, 512 / 8);
var keccak_224 = /* @__PURE__ */ gen(1, 144, 224 / 8);
var keccak_256 = /* @__PURE__ */ gen(1, 136, 256 / 8);
var keccak_384 = /* @__PURE__ */ gen(1, 104, 384 / 8);
var keccak_512 = /* @__PURE__ */ gen(1, 72, 512 / 8);
var genShake = (suffix, blockLen, outputLen) =>
wrapXOFConstructorWithOpts(
(opts = {}) =>
new Keccak(
blockLen,
suffix,
opts.dkLen === void 0 ? outputLen : opts.dkLen,
true,
),
);
var shake128 = /* @__PURE__ */ genShake(31, 168, 128 / 8);
var shake256 = /* @__PURE__ */ genShake(31, 136, 256 / 8);
// ../esm/ed448.js
var shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
var shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
var ed448P = BigInt(
"726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439",
);
var _1n10 = BigInt(1);
var _2n8 = BigInt(2);
var _3n3 = BigInt(3);
var _4n3 = BigInt(4);
var _11n = BigInt(11);
var _22n = BigInt(22);
var _44n = BigInt(44);
var _88n = BigInt(88);
var _223n = BigInt(223);
function ed448_pow_Pminus3div4(x) {
const P3 = ed448P;
const b2 = (x * x * x) % P3;
const b3 = (b2 * b2 * x) % P3;
const b6 = (pow2(b3, _3n3, P3) * b3) % P3;
const b9 = (pow2(b6, _3n3, P3) * b3) % P3;
const b11 = (pow2(b9, _2n8, P3) * b2) % P3;
const b22 = (pow2(b11, _11n, P3) * b11) % P3;
const b44 = (pow2(b22, _22n, P3) * b22) % P3;
const b88 = (pow2(b44, _44n, P3) * b44) % P3;
const b176 = (pow2(b88, _88n, P3) * b88) % P3;
const b220 = (pow2(b176, _44n, P3) * b44) % P3;
const b222 = (pow2(b220, _2n8, P3) * b2) % P3;
const b223 = (pow2(b222, _1n10, P3) * x) % P3;
return (pow2(b223, _223n, P3) * b222) % P3;
}
function adjustScalarBytes2(bytes2) {
bytes2[0] &= 252;
bytes2[55] |= 128;
bytes2[56] = 0;
return bytes2;
}
function uvRatio2(u, v) {
const P3 = ed448P;
const u2v = mod(u * u * v, P3);
const u3v = mod(u2v * u, P3);
const u5v3 = mod(u3v * u2v * v, P3);
const root = ed448_pow_Pminus3div4(u5v3);
const x = mod(u3v * root, P3);
const x2 = mod(x * x, P3);
return { isValid: mod(x2 * v, P3) === u, value: x };
}
var Fp3 = Field(ed448P, 456, true);
var ED448_DEF = {
// Param: a
a: BigInt(1),
// -39081. Negative number is P - number
d: BigInt(
"726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358",
),
// Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
Fp: Fp3,
// Subgroup order: how many points curve has;
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
n: BigInt(
"181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779",
),
nBitLength: 456,
// Cofactor
h: BigInt(4),
// Base point (x, y) aka generator point
Gx: BigInt(
"224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710",
),
Gy: BigInt(
"298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660",
),
// SHAKE256(dom4(phflag,context)||x, 114)
hash: shake256_114,
randomBytes,
adjustScalarBytes: adjustScalarBytes2,
// dom4
domain: (data, ctx, phflag) => {
if (ctx.length > 255)
throw new Error(`Context is too big: ${ctx.length}`);
return concatBytes2(
utf8ToBytes2("SigEd448"),
new Uint8Array([phflag ? 1 : 0, ctx.length]),
ctx,
data,
);
},
uvRatio: uvRatio2,
};
var ed448 = /* @__PURE__ */ twistedEdwards(ED448_DEF);
var ed448ph = /* @__PURE__ */ twistedEdwards({
...ED448_DEF,
prehash: shake256_64,
});
var x448 = /* @__PURE__ */ (() =>
montgomery({
a: BigInt(156326),
montgomeryBits: 448,
nByteLength: 57,
P: ed448P,
Gu: BigInt(5),
powPminus2: (x) => {
const P3 = ed448P;
const Pminus3div4 = ed448_pow_Pminus3div4(x);
const Pminus3 = pow2(Pminus3div4, BigInt(2), P3);
return mod(Pminus3 * x, P3);
},
adjustScalarBytes: adjustScalarBytes2,
randomBytes,
}))();
function edwardsToMontgomeryPub2(edwardsPub) {
const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
const _1n12 = BigInt(1);
return Fp3.toBytes(Fp3.create((y - _1n12) * Fp3.inv(y + _1n12)));
}
var ELL2_C12 = (Fp3.ORDER - BigInt(3)) / BigInt(4);
var ELL2_J2 = BigInt(156326);
var ONE_MINUS_D = BigInt("39082");
var ONE_MINUS_TWO_D = BigInt("78163");
var SQRT_MINUS_D = BigInt(
"98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214",
);
var INVSQRT_MINUS_D = BigInt(
"315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716",
);
var MAX_448B = BigInt(
"0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
);
// ../esm/p256.js
var Fp4 = Field(
BigInt(
"0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
),
);
var CURVE_A = Fp4.create(BigInt("-3"));
var CURVE_B = BigInt(
"0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
);
var p256 = createCurve(
{
a: CURVE_A,
b: CURVE_B,
Fp: Fp4,
// Curve order, total count of valid points in the field
n: BigInt(
"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
),
// Base (generator) point (x, y)
Gx: BigInt(
"0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
),
Gy: BigInt(
"0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
),
h: BigInt(1),
lowS: false,
},
sha256,
);
// ../esm/p384.js
var P = BigInt(
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff",
);
var Fp5 = Field(P);
var CURVE_A2 = Fp5.create(BigInt("-3"));
var CURVE_B2 = BigInt(
"0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef",
);
var p384 = createCurve(
{
a: CURVE_A2,
b: CURVE_B2,
Fp: Fp5,
// Curve order, total count of valid points in the field.
n: BigInt(
"0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973",
),
// Base (generator) point (x, y)
Gx: BigInt(
"0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7",
),
Gy: BigInt(
"0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f",
),
h: BigInt(1),
lowS: false,
},
sha384,
);
// ../esm/p521.js
var P2 = BigInt(
"0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
);
var Fp6 = Field(P2);
var CURVE = {
a: Fp6.create(BigInt("-3")),
b: BigInt(
"0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
),
Fp: Fp6,
n: BigInt(
"0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
),
Gx: BigInt(
"0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
),
Gy: BigInt(
"0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
),
h: BigInt(1),
};
var p521 = createCurve(
{
a: CURVE.a,
b: CURVE.b,
Fp: Fp6,
// Curve order, total count of valid points in the field
n: CURVE.n,
Gx: CURVE.Gx,
Gy: CURVE.Gy,
h: CURVE.h,
lowS: false,
allowedPrivateKeyLengths: [130, 131, 132],
// P521 keys are variable-length. Normalize to 132b
},
sha512,
);
// ../esm/abstract/bls.js
var _2n9 = BigInt(2);
var _3n4 = BigInt(3);
function bls(CURVE2) {
const {
Fp: Fp8,
Fr: Fr2,
Fp2: Fp23,
Fp6: Fp63,
Fp12: Fp122,
} = CURVE2.fields;
const BLS_X_LEN2 = bitLen(CURVE2.params.x);
function calcPairingPrecomputes(p) {
const { x, y } = p;
const Qx = x,
Qy = y,
Qz = Fp23.ONE;
let Rx = Qx,
Ry = Qy,
Rz = Qz;
let ell_coeff = [];
for (let i = BLS_X_LEN2 - 2; i >= 0; i--) {
let t0 = Fp23.sqr(Ry);
let t1 = Fp23.sqr(Rz);
let t2 = Fp23.multiplyByB(Fp23.mul(t1, _3n4));
let t3 = Fp23.mul(t2, _3n4);
let t4 = Fp23.sub(Fp23.sub(Fp23.sqr(Fp23.add(Ry, Rz)), t1), t0);
ell_coeff.push([
Fp23.sub(t2, t0),
Fp23.mul(Fp23.sqr(Rx), _3n4),
Fp23.neg(t4),
// -T4
]);
Rx = Fp23.div(Fp23.mul(Fp23.mul(Fp23.sub(t0, t3), Rx), Ry), _2n9);
Ry = Fp23.sub(
Fp23.sqr(Fp23.div(Fp23.add(t0, t3), _2n9)),
Fp23.mul(Fp23.sqr(t2), _3n4),
);
Rz = Fp23.mul(t0, t4);
if (bitGet(CURVE2.params.x, i)) {
let t02 = Fp23.sub(Ry, Fp23.mul(Qy, Rz));
let t12 = Fp23.sub(Rx, Fp23.mul(Qx, Rz));
ell_coeff.push([
Fp23.sub(Fp23.mul(t02, Qx), Fp23.mul(t12, Qy)),
Fp23.neg(t02),
t12,
// T1
]);
let t22 = Fp23.sqr(t12);
let t32 = Fp23.mul(t22, t12);
let t42 = Fp23.mul(t22, Rx);
let t5 = Fp23.add(
Fp23.sub(t32, Fp23.mul(t42, _2n9)),
Fp23.mul(Fp23.sqr(t02), Rz),
);
Rx = Fp23.mul(t12, t5);
Ry = Fp23.sub(Fp23.mul(Fp23.sub(t42, t5), t02), Fp23.mul(t32, Ry));
Rz = Fp23.mul(Rz, t32);
}
}
return ell_coeff;
}
function millerLoop(ell, g1) {
const { x } = CURVE2.params;
const Px = g1[0];
const Py = g1[1];
let f12 = Fp122.ONE;
for (let j = 0, i = BLS_X_LEN2 - 2; i >= 0; i--, j++) {
const E = ell[j];
f12 = Fp122.multiplyBy014(
f12,
E[0],
Fp23.mul(E[1], Px),
Fp23.mul(E[2], Py),
);
if (bitGet(x, i)) {
j += 1;
const F = ell[j];
f12 = Fp122.multiplyBy014(
f12,
F[0],
Fp23.mul(F[1], Px),
Fp23.mul(F[2], Py),
);
}
if (i !== 0) f12 = Fp122.sqr(f12);
}
return Fp122.conjugate(f12);
}
const utils2 = {
randomPrivateKey: () => {
const length = getMinHashLength(Fr2.ORDER);
return mapHashToField(CURVE2.randomBytes(length), Fr2.ORDER);
},
calcPairingPrecomputes,
};
const G1_ = weierstrassPoints({ n: Fr2.ORDER, ...CURVE2.G1 });
const G1 = Object.assign(
G1_,
createHasher(G1_.ProjectivePoint, CURVE2.G1.mapToCurve, {
...CURVE2.htfDefaults,
...CURVE2.G1.htfDefaults,
}),
);
function pairingPrecomputes(point) {
const p = point;
if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
return p._PPRECOMPUTES;
}
const G2_ = weierstrassPoints({ n: Fr2.ORDER, ...CURVE2.G2 });
const G2 = Object.assign(
G2_,
createHasher(G2_.ProjectivePoint, CURVE2.G2.mapToCurve, {
...CURVE2.htfDefaults,
...CURVE2.G2.htfDefaults,
}),
);
const { Signature } = CURVE2.G2;
function pairing(Q, P3, withFinalExponent = true) {
if (
Q.equals(G1.ProjectivePoint.ZERO) ||
P3.equals(G2.ProjectivePoint.ZERO)
)
throw new Error("pairing is not available for ZERO point");
Q.assertValidity();
P3.assertValidity();
const Qa = Q.toAffine();
const looped = millerLoop(pairingPrecomputes(P3), [Qa.x, Qa.y]);
return withFinalExponent ? Fp122.finalExponentiate(looped) : looped;
}
function normP1(point) {
return point instanceof G1.ProjectivePoint
? point
: G1.ProjectivePoint.fromHex(point);
}
function normP2(point) {
return point instanceof G2.ProjectivePoint
? point
: Signature.fromHex(point);
}
function normP2Hash(point, htfOpts) {
return point instanceof G2.ProjectivePoint
? point
: G2.hashToCurve(ensureBytes("point", point), htfOpts);
}
function getPublicKey(privateKey) {
return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
}
function sign(message, privateKey, htfOpts) {
const msgPoint = normP2Hash(message, htfOpts);
msgPoint.assertValidity();
const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
if (message instanceof G2.ProjectivePoint) return sigPoint;
return Signature.toRawBytes(sigPoint);
}
function verify(signature, message, publicKey, htfOpts) {
const P3 = normP1(publicKey);
const Hm = normP2Hash(message, htfOpts);
const G = G1.ProjectivePoint.BASE;
const S = normP2(signature);
const ePHm = pairing(P3.negate(), Hm, false);
const eGS = pairing(G, S, false);
const exp = Fp122.finalExponentiate(Fp122.mul(eGS, ePHm));
return Fp122.eql(exp, Fp122.ONE);
}
function aggregatePublicKeys(publicKeys) {
if (!publicKeys.length) throw new Error("Expected non-empty array");
const agg = publicKeys
.map(normP1)
.reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
const aggAffine = agg;
if (publicKeys[0] instanceof G1.ProjectivePoint) {
aggAffine.assertValidity();
return aggAffine;
}
return aggAffine.toRawBytes(true);
}
function aggregateSignatures(signatures) {
if (!signatures.length) throw new Error("Expected non-empty array");
const agg = signatures
.map(normP2)
.reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
const aggAffine = agg;
if (signatures[0] instanceof G2.ProjectivePoint) {
aggAffine.assertValidity();
return aggAffine;
}
return Signature.toRawBytes(aggAffine);
}
function verifyBatch(signature, messages, publicKeys, htfOpts) {
if (!messages.length)
throw new Error("Expected non-empty messages array");
if (publicKeys.length !== messages.length)
throw new Error("Pubkey count should equal msg count");
const sig = normP2(signature);
const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
const nPublicKeys = publicKeys.map(normP1);
try {
const paired = [];
for (const message of new Set(nMessages)) {
const groupPublicKey = nMessages.reduce(
(groupPublicKey2, subMessage, i) =>
subMessage === message
? groupPublicKey2.add(nPublicKeys[i])
: groupPublicKey2,
G1.ProjectivePoint.ZERO,
);
paired.push(pairing(groupPublicKey, message, false));
}
paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
const product = paired.reduce((a, b) => Fp122.mul(a, b), Fp122.ONE);
const exp = Fp122.finalExponentiate(product);
return Fp122.eql(exp, Fp122.ONE);
} catch {
return false;
}
}
G1.ProjectivePoint.BASE._setWindowSize(4);
return {
getPublicKey,
sign,
verify,
verifyBatch,
aggregatePublicKeys,
aggregateSignatures,
millerLoop,
pairing,
G1,
G2,
Signature,
fields: {
Fr: Fr2,
Fp: Fp8,
Fp2: Fp23,
Fp6: Fp63,
Fp12: Fp122,
},
params: {
x: CURVE2.params.x,
r: CURVE2.params.r,
G1b: CURVE2.G1.b,
G2b: CURVE2.G2.b,
},
utils: utils2,
};
}
// ../esm/bls12-381.js
var _0n10 = BigInt(0);
var _1n11 = BigInt(1);
var _2n10 = BigInt(2);
var _3n5 = BigInt(3);
var _4n4 = BigInt(4);
var _8n3 = BigInt(8);
var _16n2 = BigInt(16);
var Fp_raw = BigInt(
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab",
);
var Fp7 = Field(Fp_raw);
var Fr = Field(
BigInt(
"0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001",
),
);
var Fp2Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
c0: Fp7.add(c0, r0),
c1: Fp7.add(c1, r1),
});
var Fp2Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
c0: Fp7.sub(c0, r0),
c1: Fp7.sub(c1, r1),
});
var Fp2Multiply = ({ c0, c1 }, rhs) => {
if (typeof rhs === "bigint")
return { c0: Fp7.mul(c0, rhs), c1: Fp7.mul(c1, rhs) };
const { c0: r0, c1: r1 } = rhs;
let t1 = Fp7.mul(c0, r0);
let t2 = Fp7.mul(c1, r1);
const o0 = Fp7.sub(t1, t2);
const o1 = Fp7.sub(
Fp7.mul(Fp7.add(c0, c1), Fp7.add(r0, r1)),
Fp7.add(t1, t2),
);
return { c0: o0, c1: o1 };
};
var Fp2Square = ({ c0, c1 }) => {
const a = Fp7.add(c0, c1);
const b = Fp7.sub(c0, c1);
const c = Fp7.add(c0, c0);
return { c0: Fp7.mul(a, b), c1: Fp7.mul(c, c1) };
};
var FP2_ORDER = Fp_raw * Fp_raw;
var Fp22 = {
ORDER: FP2_ORDER,
BITS: bitLen(FP2_ORDER),
BYTES: Math.ceil(bitLen(FP2_ORDER) / 8),
MASK: bitMask(bitLen(FP2_ORDER)),
ZERO: { c0: Fp7.ZERO, c1: Fp7.ZERO },
ONE: { c0: Fp7.ONE, c1: Fp7.ZERO },
create: (num) => num,
isValid: ({ c0, c1 }) => typeof c0 === "bigint" && typeof c1 === "bigint",
is0: ({ c0, c1 }) => Fp7.is0(c0) && Fp7.is0(c1),
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp7.eql(c0, r0) && Fp7.eql(c1, r1),
neg: ({ c0, c1 }) => ({ c0: Fp7.neg(c0), c1: Fp7.neg(c1) }),
pow: (num, power) => FpPow(Fp22, num, power),
invertBatch: (nums) => FpInvertBatch(Fp22, nums),
// Normalized
add: Fp2Add,
sub: Fp2Subtract,
mul: Fp2Multiply,
sqr: Fp2Square,
// NonNormalized stuff
addN: Fp2Add,
subN: Fp2Subtract,
mulN: Fp2Multiply,
sqrN: Fp2Square,
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
div: (lhs, rhs) =>
Fp22.mul(
lhs,
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp22.inv(rhs),
),
inv: ({ c0: a, c1: b }) => {
const factor = Fp7.inv(Fp7.create(a * a + b * b));
return {
c0: Fp7.mul(factor, Fp7.create(a)),
c1: Fp7.mul(factor, Fp7.create(-b)),
};
},
sqrt: (num) => {
if (Fp22.eql(num, Fp22.ZERO)) return Fp22.ZERO;
const candidateSqrt = Fp22.pow(num, (Fp22.ORDER + _8n3) / _16n2);
const check = Fp22.div(Fp22.sqr(candidateSqrt), num);
const R = FP2_ROOTS_OF_UNITY;
const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp22.eql(r, check));
if (!divisor) throw new Error("No root");
const index = R.indexOf(divisor);
const root = R[index / 2];
if (!root) throw new Error("Invalid root");
const x1 = Fp22.div(candidateSqrt, root);
const x2 = Fp22.neg(x1);
const { re: re1, im: im1 } = Fp22.reim(x1);
const { re: re2, im: im2 } = Fp22.reim(x2);
if (im1 > im2 || (im1 === im2 && re1 > re2)) return x1;
return x2;
},
// Same as sgn0_m_eq_2 in RFC 9380
isOdd: (x) => {
const { re: x0, im: x1 } = Fp22.reim(x);
const sign_0 = x0 % _2n10;
const zero_0 = x0 === _0n10;
const sign_1 = x1 % _2n10;
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n11;
},
// Bytes util
fromBytes(b) {
if (b.length !== Fp22.BYTES)
throw new Error(`fromBytes wrong length=${b.length}`);
return {
c0: Fp7.fromBytes(b.subarray(0, Fp7.BYTES)),
c1: Fp7.fromBytes(b.subarray(Fp7.BYTES)),
};
},
toBytes: ({ c0, c1 }) => concatBytes(Fp7.toBytes(c0), Fp7.toBytes(c1)),
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
c0: Fp7.cmov(c0, r0, c),
c1: Fp7.cmov(c1, r1, c),
}),
// Specific utils
// toString() {
// return `Fp2(${this.c0} + ${this.c1}×i)`;
// }
reim: ({ c0, c1 }) => ({ re: c0, im: c1 }),
// multiply by u + 1
mulByNonresidue: ({ c0, c1 }) => ({
c0: Fp7.sub(c0, c1),
c1: Fp7.add(c0, c1),
}),
multiplyByB: ({ c0, c1 }) => {
let t0 = Fp7.mul(c0, _4n4);
let t1 = Fp7.mul(c1, _4n4);
return { c0: Fp7.sub(t0, t1), c1: Fp7.add(t0, t1) };
},
fromBigTuple: (tuple) => {
if (tuple.length !== 2) throw new Error("Invalid tuple");
const fps = tuple.map((n) => Fp7.create(n));
return { c0: fps[0], c1: fps[1] };
},
frobeniusMap: ({ c0, c1 }, power) => ({
c0,
c1: Fp7.mul(c1, FP2_FROBENIUS_COEFFICIENTS[power % 2]),
}),
};
var FP2_FROBENIUS_COEFFICIENTS = [
BigInt("0x1"),
BigInt(
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
),
].map((item) => Fp7.create(item));
var rv1 = BigInt(
"0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
);
var FP2_ROOTS_OF_UNITY = [
[_1n11, _0n10],
[rv1, -rv1],
[_0n10, _1n11],
[rv1, rv1],
[-_1n11, _0n10],
[-rv1, rv1],
[_0n10, -_1n11],
[-rv1, -rv1],
].map((pair) => Fp22.fromBigTuple(pair));
var Fp6Add = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
c0: Fp22.add(c0, r0),
c1: Fp22.add(c1, r1),
c2: Fp22.add(c2, r2),
});
var Fp6Subtract = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
c0: Fp22.sub(c0, r0),
c1: Fp22.sub(c1, r1),
c2: Fp22.sub(c2, r2),
});
var Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
if (typeof rhs === "bigint") {
return {
c0: Fp22.mul(c0, rhs),
c1: Fp22.mul(c1, rhs),
c2: Fp22.mul(c2, rhs),
};
}
const { c0: r0, c1: r1, c2: r2 } = rhs;
const t0 = Fp22.mul(c0, r0);
const t1 = Fp22.mul(c1, r1);
const t2 = Fp22.mul(c2, r2);
return {
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
c0: Fp22.add(
t0,
Fp22.mulByNonresidue(
Fp22.sub(
Fp22.mul(Fp22.add(c1, c2), Fp22.add(r1, r2)),
Fp22.add(t1, t2),
),
),
),
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
c1: Fp22.add(
Fp22.sub(
Fp22.mul(Fp22.add(c0, c1), Fp22.add(r0, r1)),
Fp22.add(t0, t1),
),
Fp22.mulByNonresidue(t2),
),
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
c2: Fp22.sub(
Fp22.add(t1, Fp22.mul(Fp22.add(c0, c2), Fp22.add(r0, r2))),
Fp22.add(t0, t2),
),
};
};
var Fp6Square = ({ c0, c1, c2 }) => {
let t0 = Fp22.sqr(c0);
let t1 = Fp22.mul(Fp22.mul(c0, c1), _2n10);
let t3 = Fp22.mul(Fp22.mul(c1, c2), _2n10);
let t4 = Fp22.sqr(c2);
return {
c0: Fp22.add(Fp22.mulByNonresidue(t3), t0),
c1: Fp22.add(Fp22.mulByNonresidue(t4), t1),
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
c2: Fp22.sub(
Fp22.sub(
Fp22.add(Fp22.add(t1, Fp22.sqr(Fp22.add(Fp22.sub(c0, c1), c2))), t3),
t0,
),
t4,
),
};
};
var Fp62 = {
ORDER: Fp22.ORDER,
BITS: 3 * Fp22.BITS,
BYTES: 3 * Fp22.BYTES,
MASK: bitMask(3 * Fp22.BITS),
ZERO: { c0: Fp22.ZERO, c1: Fp22.ZERO, c2: Fp22.ZERO },
ONE: { c0: Fp22.ONE, c1: Fp22.ZERO, c2: Fp22.ZERO },
create: (num) => num,
isValid: ({ c0, c1, c2 }) =>
Fp22.isValid(c0) && Fp22.isValid(c1) && Fp22.isValid(c2),
is0: ({ c0, c1, c2 }) => Fp22.is0(c0) && Fp22.is0(c1) && Fp22.is0(c2),
neg: ({ c0, c1, c2 }) => ({
c0: Fp22.neg(c0),
c1: Fp22.neg(c1),
c2: Fp22.neg(c2),
}),
eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) =>
Fp22.eql(c0, r0) && Fp22.eql(c1, r1) && Fp22.eql(c2, r2),
sqrt: () => {
throw new Error("Not implemented");
},
// Do we need division by bigint at all? Should be done via order:
div: (lhs, rhs) =>
Fp62.mul(
lhs,
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp62.inv(rhs),
),
pow: (num, power) => FpPow(Fp62, num, power),
invertBatch: (nums) => FpInvertBatch(Fp62, nums),
// Normalized
add: Fp6Add,
sub: Fp6Subtract,
mul: Fp6Multiply,
sqr: Fp6Square,
// NonNormalized stuff
addN: Fp6Add,
subN: Fp6Subtract,
mulN: Fp6Multiply,
sqrN: Fp6Square,
inv: ({ c0, c1, c2 }) => {
let t0 = Fp22.sub(Fp22.sqr(c0), Fp22.mulByNonresidue(Fp22.mul(c2, c1)));
let t1 = Fp22.sub(Fp22.mulByNonresidue(Fp22.sqr(c2)), Fp22.mul(c0, c1));
let t2 = Fp22.sub(Fp22.sqr(c1), Fp22.mul(c0, c2));
let t4 = Fp22.inv(
Fp22.add(
Fp22.mulByNonresidue(Fp22.add(Fp22.mul(c2, t1), Fp22.mul(c1, t2))),
Fp22.mul(c0, t0),
),
);
return {
c0: Fp22.mul(t4, t0),
c1: Fp22.mul(t4, t1),
c2: Fp22.mul(t4, t2),
};
},
// Bytes utils
fromBytes: (b) => {
if (b.length !== Fp62.BYTES)
throw new Error(`fromBytes wrong length=${b.length}`);
return {
c0: Fp22.fromBytes(b.subarray(0, Fp22.BYTES)),
c1: Fp22.fromBytes(b.subarray(Fp22.BYTES, 2 * Fp22.BYTES)),
c2: Fp22.fromBytes(b.subarray(2 * Fp22.BYTES)),
};
},
toBytes: ({ c0, c1, c2 }) =>
concatBytes(Fp22.toBytes(c0), Fp22.toBytes(c1), Fp22.toBytes(c2)),
cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({
c0: Fp22.cmov(c0, r0, c),
c1: Fp22.cmov(c1, r1, c),
c2: Fp22.cmov(c2, r2, c),
}),
// Utils
// fromTriple(triple: [Fp2, Fp2, Fp2]) {
// return new Fp6(...triple);
// }
// toString() {
// return `Fp6(${this.c0} + ${this.c1} * v, ${this.c2} * v^2)`;
// }
fromBigSix: (t) => {
if (!Array.isArray(t) || t.length !== 6)
throw new Error("Invalid Fp6 usage");
return {
c0: Fp22.fromBigTuple(t.slice(0, 2)),
c1: Fp22.fromBigTuple(t.slice(2, 4)),
c2: Fp22.fromBigTuple(t.slice(4, 6)),
};
},
frobeniusMap: ({ c0, c1, c2 }, power) => ({
c0: Fp22.frobeniusMap(c0, power),
c1: Fp22.mul(
Fp22.frobeniusMap(c1, power),
FP6_FROBENIUS_COEFFICIENTS_1[power % 6],
),
c2: Fp22.mul(
Fp22.frobeniusMap(c2, power),
FP6_FROBENIUS_COEFFICIENTS_2[power % 6],
),
}),
mulByNonresidue: ({ c0, c1, c2 }) => ({
c0: Fp22.mulByNonresidue(c2),
c1: c0,
c2: c1,
}),
// Sparse multiplication
multiplyBy1: ({ c0, c1, c2 }, b1) => ({
c0: Fp22.mulByNonresidue(Fp22.mul(c2, b1)),
c1: Fp22.mul(c0, b1),
c2: Fp22.mul(c1, b1),
}),
// Sparse multiplication
multiplyBy01({ c0, c1, c2 }, b0, b1) {
let t0 = Fp22.mul(c0, b0);
let t1 = Fp22.mul(c1, b1);
return {
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
c0: Fp22.add(
Fp22.mulByNonresidue(Fp22.sub(Fp22.mul(Fp22.add(c1, c2), b1), t1)),
t0,
),
// (b0 + b1) * (c0 + c1) - T0 - T1
c1: Fp22.sub(
Fp22.sub(Fp22.mul(Fp22.add(b0, b1), Fp22.add(c0, c1)), t0),
t1,
),
// (c0 + c2) * b0 - T0 + T1
c2: Fp22.add(Fp22.sub(Fp22.mul(Fp22.add(c0, c2), b0), t0), t1),
};
},
multiplyByFp2: ({ c0, c1, c2 }, rhs) => ({
c0: Fp22.mul(c0, rhs),
c1: Fp22.mul(c1, rhs),
c2: Fp22.mul(c2, rhs),
}),
};
var FP6_FROBENIUS_COEFFICIENTS_1 = [
[BigInt("0x1"), BigInt("0x0")],
[
BigInt("0x0"),
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
),
],
[
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
),
BigInt("0x0"),
],
[BigInt("0x0"), BigInt("0x1")],
[
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
),
BigInt("0x0"),
],
[
BigInt("0x0"),
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
),
],
].map((pair) => Fp22.fromBigTuple(pair));
var FP6_FROBENIUS_COEFFICIENTS_2 = [
[BigInt("0x1"), BigInt("0x0")],
[
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad",
),
BigInt("0x0"),
],
[
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
),
BigInt("0x0"),
],
[
BigInt(
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
),
BigInt("0x0"),
],
[
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
),
BigInt("0x0"),
],
[
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff",
),
BigInt("0x0"),
],
].map((pair) => Fp22.fromBigTuple(pair));
var BLS_X = BigInt("0xd201000000010000");
var BLS_X_LEN = bitLen(BLS_X);
var Fp12Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
c0: Fp62.add(c0, r0),
c1: Fp62.add(c1, r1),
});
var Fp12Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
c0: Fp62.sub(c0, r0),
c1: Fp62.sub(c1, r1),
});
var Fp12Multiply = ({ c0, c1 }, rhs) => {
if (typeof rhs === "bigint")
return { c0: Fp62.mul(c0, rhs), c1: Fp62.mul(c1, rhs) };
let { c0: r0, c1: r1 } = rhs;
let t1 = Fp62.mul(c0, r0);
let t2 = Fp62.mul(c1, r1);
return {
c0: Fp62.add(t1, Fp62.mulByNonresidue(t2)),
// (c0 + c1) * (r0 + r1) - (T1 + T2)
c1: Fp62.sub(
Fp62.mul(Fp62.add(c0, c1), Fp62.add(r0, r1)),
Fp62.add(t1, t2),
),
};
};
var Fp12Square = ({ c0, c1 }) => {
let ab = Fp62.mul(c0, c1);
return {
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
c0: Fp62.sub(
Fp62.sub(
Fp62.mul(Fp62.add(Fp62.mulByNonresidue(c1), c0), Fp62.add(c0, c1)),
ab,
),
Fp62.mulByNonresidue(ab),
),
c1: Fp62.add(ab, ab),
};
};
function Fp4Square(a, b) {
const a2 = Fp22.sqr(a);
const b2 = Fp22.sqr(b);
return {
first: Fp22.add(Fp22.mulByNonresidue(b2), a2),
second: Fp22.sub(Fp22.sub(Fp22.sqr(Fp22.add(a, b)), a2), b2),
// (a + b)² - a² - b²
};
}
var Fp12 = {
ORDER: Fp22.ORDER,
BITS: 2 * Fp22.BITS,
BYTES: 2 * Fp22.BYTES,
MASK: bitMask(2 * Fp22.BITS),
ZERO: { c0: Fp62.ZERO, c1: Fp62.ZERO },
ONE: { c0: Fp62.ONE, c1: Fp62.ZERO },
create: (num) => num,
isValid: ({ c0, c1 }) => Fp62.isValid(c0) && Fp62.isValid(c1),
is0: ({ c0, c1 }) => Fp62.is0(c0) && Fp62.is0(c1),
neg: ({ c0, c1 }) => ({ c0: Fp62.neg(c0), c1: Fp62.neg(c1) }),
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) =>
Fp62.eql(c0, r0) && Fp62.eql(c1, r1),
sqrt: () => {
throw new Error("Not implemented");
},
inv: ({ c0, c1 }) => {
let t = Fp62.inv(
Fp62.sub(Fp62.sqr(c0), Fp62.mulByNonresidue(Fp62.sqr(c1))),
);
return { c0: Fp62.mul(c0, t), c1: Fp62.neg(Fp62.mul(c1, t)) };
},
div: (lhs, rhs) =>
Fp12.mul(
lhs,
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp12.inv(rhs),
),
pow: (num, power) => FpPow(Fp12, num, power),
invertBatch: (nums) => FpInvertBatch(Fp12, nums),
// Normalized
add: Fp12Add,
sub: Fp12Subtract,
mul: Fp12Multiply,
sqr: Fp12Square,
// NonNormalized stuff
addN: Fp12Add,
subN: Fp12Subtract,
mulN: Fp12Multiply,
sqrN: Fp12Square,
// Bytes utils
fromBytes: (b) => {
if (b.length !== Fp12.BYTES)
throw new Error(`fromBytes wrong length=${b.length}`);
return {
c0: Fp62.fromBytes(b.subarray(0, Fp62.BYTES)),
c1: Fp62.fromBytes(b.subarray(Fp62.BYTES)),
};
},
toBytes: ({ c0, c1 }) => concatBytes(Fp62.toBytes(c0), Fp62.toBytes(c1)),
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
c0: Fp62.cmov(c0, r0, c),
c1: Fp62.cmov(c1, r1, c),
}),
// Utils
// toString() {
// return `Fp12(${this.c0} + ${this.c1} * w)`;
// },
// fromTuple(c: [Fp6, Fp6]) {
// return new Fp12(...c);
// }
fromBigTwelve: (t) => ({
c0: Fp62.fromBigSix(t.slice(0, 6)),
c1: Fp62.fromBigSix(t.slice(6, 12)),
}),
// Raises to q**i -th power
frobeniusMap(lhs, power) {
const r0 = Fp62.frobeniusMap(lhs.c0, power);
const { c0, c1, c2 } = Fp62.frobeniusMap(lhs.c1, power);
const coeff = FP12_FROBENIUS_COEFFICIENTS[power % 12];
return {
c0: r0,
c1: Fp62.create({
c0: Fp22.mul(c0, coeff),
c1: Fp22.mul(c1, coeff),
c2: Fp22.mul(c2, coeff),
}),
};
},
// Sparse multiplication
multiplyBy014: ({ c0, c1 }, o0, o1, o4) => {
let t0 = Fp62.multiplyBy01(c0, o0, o1);
let t1 = Fp62.multiplyBy1(c1, o4);
return {
c0: Fp62.add(Fp62.mulByNonresidue(t1), t0),
// (c1 + c0) * [o0, o1+o4] - T0 - T1
c1: Fp62.sub(
Fp62.sub(
Fp62.multiplyBy01(Fp62.add(c1, c0), o0, Fp22.add(o1, o4)),
t0,
),
t1,
),
};
},
multiplyByFp2: ({ c0, c1 }, rhs) => ({
c0: Fp62.multiplyByFp2(c0, rhs),
c1: Fp62.multiplyByFp2(c1, rhs),
}),
conjugate: ({ c0, c1 }) => ({ c0, c1: Fp62.neg(c1) }),
// A cyclotomic group is a subgroup of Fp^n defined by
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
// The result of any pairing is in a cyclotomic subgroup
// https://eprint.iacr.org/2009/565.pdf
_cyclotomicSquare: ({ c0, c1 }) => {
const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
const { first: t3, second: t4 } = Fp4Square(c0c0, c1c1);
const { first: t5, second: t6 } = Fp4Square(c1c0, c0c2);
const { first: t7, second: t8 } = Fp4Square(c0c1, c1c2);
let t9 = Fp22.mulByNonresidue(t8);
return {
c0: Fp62.create({
c0: Fp22.add(Fp22.mul(Fp22.sub(t3, c0c0), _2n10), t3),
c1: Fp22.add(Fp22.mul(Fp22.sub(t5, c0c1), _2n10), t5),
c2: Fp22.add(Fp22.mul(Fp22.sub(t7, c0c2), _2n10), t7),
}),
c1: Fp62.create({
c0: Fp22.add(Fp22.mul(Fp22.add(t9, c1c0), _2n10), t9),
c1: Fp22.add(Fp22.mul(Fp22.add(t4, c1c1), _2n10), t4),
c2: Fp22.add(Fp22.mul(Fp22.add(t6, c1c2), _2n10), t6),
}),
};
},
_cyclotomicExp(num, n) {
let z = Fp12.ONE;
for (let i = BLS_X_LEN - 1; i >= 0; i--) {
z = Fp12._cyclotomicSquare(z);
if (bitGet(n, i)) z = Fp12.mul(z, num);
}
return z;
},
// https://eprint.iacr.org/2010/354.pdf
// https://eprint.iacr.org/2009/565.pdf
finalExponentiate: (num) => {
const x = BLS_X;
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
const t6 = Fp12.mul(
Fp12.conjugate(Fp12._cyclotomicExp(t5, x)),
Fp12._cyclotomicSquare(t2),
);
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
const t6_t1c_pow_q1 = Fp12.frobeniusMap(
Fp12.mul(t6, Fp12.conjugate(t1)),
1,
);
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
return Fp12.mul(
Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1),
t7_t3c_t1,
);
},
};
var FP12_FROBENIUS_COEFFICIENTS = [
[BigInt("0x1"), BigInt("0x0")],
[
BigInt(
"0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8",
),
BigInt(
"0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3",
),
],
[
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff",
),
BigInt("0x0"),
],
[
BigInt(
"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
),
BigInt(
"0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
),
],
[
BigInt(
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
),
BigInt("0x0"),
],
[
BigInt(
"0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995",
),
BigInt(
"0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116",
),
],
[
BigInt(
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
),
BigInt("0x0"),
],
[
BigInt(
"0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3",
),
BigInt(
"0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8",
),
],
[
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
),
BigInt("0x0"),
],
[
BigInt(
"0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
),
BigInt(
"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
),
],
[
BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad",
),
BigInt("0x0"),
],
[
BigInt(
"0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116",
),
BigInt(
"0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995",
),
],
].map((n) => Fp22.fromBigTuple(n));
var isogenyMapG2 = isogenyMap(
Fp22,
[
// xNum
[
[
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
],
[
"0x0",
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a",
],
[
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e",
"0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d",
],
[
"0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1",
"0x0",
],
],
// xDen
[
[
"0x0",
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63",
],
[
"0xc",
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f",
],
["0x1", "0x0"],
// LAST 1
],
// yNum
[
[
"0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706",
"0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706",
],
[
"0x0",
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be",
],
[
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c",
"0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f",
],
[
"0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10",
"0x0",
],
],
// yDen
[
[
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb",
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb",
],
[
"0x0",
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3",
],
[
"0x12",
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99",
],
["0x1", "0x0"],
// LAST 1
],
].map((i) => i.map((pair) => Fp22.fromBigTuple(pair.map(BigInt)))),
);
var isogenyMapG1 = isogenyMap(
Fp7,
[
// xNum
[
"0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7",
"0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb",
"0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0",
"0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861",
"0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9",
"0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983",
"0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84",
"0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e",
"0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317",
"0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e",
"0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b",
"0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229",
],
// xDen
[
"0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c",
"0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff",
"0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19",
"0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8",
"0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e",
"0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5",
"0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a",
"0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e",
"0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641",
"0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a",
"0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
// LAST 1
],
// yNum
[
"0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33",
"0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696",
"0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6",
"0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb",
"0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb",
"0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0",
"0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2",
"0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29",
"0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587",
"0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30",
"0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132",
"0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e",
"0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8",
"0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133",
"0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b",
"0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604",
],
// yDen
[
"0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1",
"0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d",
"0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2",
"0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416",
"0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d",
"0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac",
"0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c",
"0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9",
"0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a",
"0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55",
"0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8",
"0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092",
"0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc",
"0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7",
"0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f",
"0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
// LAST 1
],
].map((i) => i.map((j) => BigInt(j))),
);
var G2_SWU = mapToCurveSimpleSWU(Fp22, {
A: Fp22.create({ c0: Fp7.create(_0n10), c1: Fp7.create(BigInt(240)) }),
B: Fp22.create({
c0: Fp7.create(BigInt(1012)),
c1: Fp7.create(BigInt(1012)),
}),
Z: Fp22.create({ c0: Fp7.create(BigInt(-2)), c1: Fp7.create(BigInt(-1)) }),
// Z: -(2 + I)
});
var G1_SWU = mapToCurveSimpleSWU(Fp7, {
A: Fp7.create(
BigInt(
"0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d",
),
),
B: Fp7.create(
BigInt(
"0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0",
),
),
Z: Fp7.create(BigInt(11)),
});
var ut_root = Fp62.create({ c0: Fp22.ZERO, c1: Fp22.ONE, c2: Fp22.ZERO });
var wsq = Fp12.create({ c0: ut_root, c1: Fp62.ZERO });
var wcu = Fp12.create({ c0: Fp62.ZERO, c1: ut_root });
var [wsq_inv, wcu_inv] = Fp12.invertBatch([wsq, wcu]);
function psi(x, y) {
const x2 = Fp12.mul(
Fp12.frobeniusMap(Fp12.multiplyByFp2(wsq_inv, x), 1),
wsq,
).c0.c0;
const y2 = Fp12.mul(
Fp12.frobeniusMap(Fp12.multiplyByFp2(wcu_inv, y), 1),
wcu,
).c0.c0;
return [x2, y2];
}
function G2psi(c, P3) {
const affine = P3.toAffine();
const p = psi(affine.x, affine.y);
return new c(p[0], p[1], Fp22.ONE);
}
var PSI2_C1 = BigInt(
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
);
function psi2(x, y) {
return [Fp22.mul(x, PSI2_C1), Fp22.neg(y)];
}
function G2psi2(c, P3) {
const affine = P3.toAffine();
const p = psi2(affine.x, affine.y);
return new c(p[0], p[1], Fp22.ONE);
}
var htfDefaults = Object.freeze({
// DST: a domain separation tag
// defined in section 2.2.5
// Use utils.getDSTLabel(), utils.setDSTLabel(value)
DST: "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_",
encodeDST: "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_",
// p: the characteristic of F
// where F is a finite field of characteristic p and order q = p^m
p: Fp7.ORDER,
// m: the extension degree of F, m >= 1
// where F is a finite field of characteristic p and order q = p^m
m: 2,
// k: the target security level for the suite in bits
// defined in section 5.1
k: 128,
// option to use a message that has already been processed by
// expand_message_xmd
expand: "xmd",
// Hash functions for: expand_message_xmd is appropriate for use with a
// wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
// BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
hash: sha256,
});
var C_BIT_POS = Fp7.BITS;
var I_BIT_POS = Fp7.BITS + 1;
var S_BIT_POS = Fp7.BITS + 2;
var COMPRESSED_ZERO = Fp7.toBytes(
bitSet(bitSet(_0n10, I_BIT_POS, true), S_BIT_POS, true),
);
function signatureG2ToRawBytes(point) {
point.assertValidity();
const len = Fp7.BYTES;
if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
return concatBytes(COMPRESSED_ZERO, numberToBytesBE(_0n10, len));
const { x, y } = point.toAffine();
const { re: x0, im: x1 } = Fp22.reim(x);
const { re: y0, im: y1 } = Fp22.reim(y);
const tmp = y1 > _0n10 ? y1 * _2n10 : y0 * _2n10;
const aflag1 = Boolean((tmp / Fp7.ORDER) & _1n11);
const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
const z2 = x0;
return concatBytes(numberToBytesBE(z1, len), numberToBytesBE(z2, len));
}
var bls12_381 = bls({
// Fields
fields: {
Fp: Fp7,
Fp2: Fp22,
Fp6: Fp62,
Fp12,
Fr,
},
// G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
// characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
G1: {
Fp: Fp7,
// cofactor; (z - 1)²/3
h: BigInt("0x396c8c005555e1568c00aaab0000aaab"),
// generator's coordinates
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
Gx: BigInt(
"0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb",
),
Gy: BigInt(
"0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1",
),
a: Fp7.ZERO,
b: _4n4,
htfDefaults: { ...htfDefaults, m: 1 },
wrapPrivateKey: true,
allowInfinityPoint: true,
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, point) => {
const cubicRootOfUnityModP = BigInt(
"0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
);
const phi = new c(
Fp7.mul(point.px, cubicRootOfUnityModP),
point.py,
point.pz,
);
const xP = point.multiplyUnsafe(bls12_381.params.x).negate();
const u2P = xP.multiplyUnsafe(bls12_381.params.x);
return u2P.equals(phi);
},
// Clear cofactor of G1
// https://eprint.iacr.org/2019/403
clearCofactor: (_c, point) => {
return point.multiplyUnsafe(bls12_381.params.x).add(point);
},
mapToCurve: (scalars) => {
const { x, y } = G1_SWU(Fp7.create(scalars[0]));
return isogenyMapG1(x, y);
},
fromBytes: (bytes2) => {
bytes2 = bytes2.slice();
if (bytes2.length === 48) {
const P3 = Fp7.ORDER;
const compressedValue = bytesToNumberBE(bytes2);
const bflag = bitGet(compressedValue, I_BIT_POS);
if (bflag === _1n11) return { x: _0n10, y: _0n10 };
const x = Fp7.create(compressedValue & Fp7.MASK);
const right = Fp7.add(
Fp7.pow(x, _3n5),
Fp7.create(bls12_381.params.G1b),
);
let y = Fp7.sqrt(right);
if (!y) throw new Error("Invalid compressed G1 point");
const aflag = bitGet(compressedValue, C_BIT_POS);
if ((y * _2n10) / P3 !== aflag) y = Fp7.neg(y);
return { x: Fp7.create(x), y: Fp7.create(y) };
} else if (bytes2.length === 96) {
if ((bytes2[0] & (1 << 6)) !== 0)
return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
const x = bytesToNumberBE(bytes2.subarray(0, Fp7.BYTES));
const y = bytesToNumberBE(bytes2.subarray(Fp7.BYTES));
return { x: Fp7.create(x), y: Fp7.create(y) };
} else {
throw new Error("Invalid point G1, expected 48/96 bytes");
}
},
toBytes: (c, point, isCompressed) => {
const isZero = point.equals(c.ZERO);
const { x, y } = point.toAffine();
if (isCompressed) {
if (isZero) return COMPRESSED_ZERO.slice();
const P3 = Fp7.ORDER;
let num;
num = bitSet(x, C_BIT_POS, Boolean((y * _2n10) / P3));
num = bitSet(num, S_BIT_POS, true);
return numberToBytesBE(num, Fp7.BYTES);
} else {
if (isZero) {
const x2 = concatBytes(
new Uint8Array([64]),
new Uint8Array(2 * Fp7.BYTES - 1),
);
return x2;
} else {
return concatBytes(
numberToBytesBE(x, Fp7.BYTES),
numberToBytesBE(y, Fp7.BYTES),
);
}
}
},
},
// G2 is the order-q subgroup of E2(Fp²) : y² = x³+4(1+√1),
// where Fp2 is Fp[√1]/(x2+1). #E2(Fp2 ) = h2q, where
// G² - 1
// h2q
G2: {
Fp: Fp22,
// cofactor
h: BigInt(
"0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5",
),
Gx: Fp22.fromBigTuple([
BigInt(
"0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8",
),
BigInt(
"0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e",
),
]),
// y =
// 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582,
// 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
Gy: Fp22.fromBigTuple([
BigInt(
"0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801",
),
BigInt(
"0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be",
),
]),
a: Fp22.ZERO,
b: Fp22.fromBigTuple([_4n4, _4n4]),
hEff: BigInt(
"0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551",
),
htfDefaults: { ...htfDefaults },
wrapPrivateKey: true,
allowInfinityPoint: true,
mapToCurve: (scalars) => {
const { x, y } = G2_SWU(Fp22.fromBigTuple(scalars));
return isogenyMapG2(x, y);
},
// Checks is the point resides in prime-order subgroup.
// point.isTorsionFree() should return true for valid points
// It returns false for shitty points.
// https://eprint.iacr.org/2021/1130.pdf
isTorsionFree: (c, P3) => {
return P3.multiplyUnsafe(bls12_381.params.x)
.negate()
.equals(G2psi(c, P3));
},
// Maps the point into the prime-order subgroup G2.
// clear_cofactor_bls12381_g2 from cfrg-hash-to-curve-11
// https://eprint.iacr.org/2017/419.pdf
// prettier-ignore
clearCofactor: (c, P3) => {
const x = bls12_381.params.x;
let t1 = P3.multiplyUnsafe(x).negate();
let t2 = G2psi(c, P3);
let t3 = P3.double();
t3 = G2psi2(c, t3);
t3 = t3.subtract(t2);
t2 = t1.add(t2);
t2 = t2.multiplyUnsafe(x).negate();
t3 = t3.add(t2);
t3 = t3.subtract(t1);
const Q = t3.subtract(P3);
return Q;
},
fromBytes: (bytes2) => {
bytes2 = bytes2.slice();
const m_byte = bytes2[0] & 224;
if (m_byte === 32 || m_byte === 96 || m_byte === 224) {
throw new Error("Invalid encoding flag: " + m_byte);
}
const bitC = m_byte & 128;
const bitI = m_byte & 64;
const bitS = m_byte & 32;
const L = Fp7.BYTES;
const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
if (bytes2.length === 96 && bitC) {
const b = bls12_381.params.G2b;
const P3 = Fp7.ORDER;
bytes2[0] = bytes2[0] & 31;
if (bitI) {
if (bytes2.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
throw new Error("Invalid compressed G2 point");
}
return { x: Fp22.ZERO, y: Fp22.ZERO };
}
const x_1 = slc(bytes2, 0, L);
const x_0 = slc(bytes2, L, 2 * L);
const x = Fp22.create({ c0: Fp7.create(x_0), c1: Fp7.create(x_1) });
const right = Fp22.add(Fp22.pow(x, _3n5), b);
let y = Fp22.sqrt(right);
const Y_bit =
y.c1 === _0n10
? (y.c0 * _2n10) / P3
: (y.c1 * _2n10) / P3
? _1n11
: _0n10;
y = bitS > 0 && Y_bit > 0 ? y : Fp22.neg(y);
return { x, y };
} else if (bytes2.length === 192 && !bitC) {
if ((bytes2[0] & (1 << 6)) !== 0) {
return { x: Fp22.ZERO, y: Fp22.ZERO };
}
const x1 = slc(bytes2, 0, L);
const x0 = slc(bytes2, L, 2 * L);
const y1 = slc(bytes2, 2 * L, 3 * L);
const y0 = slc(bytes2, 3 * L, 4 * L);
return {
x: Fp22.fromBigTuple([x0, x1]),
y: Fp22.fromBigTuple([y0, y1]),
};
} else {
throw new Error("Invalid point G2, expected 96/192 bytes");
}
},
toBytes: (c, point, isCompressed) => {
const { BYTES: len, ORDER: P3 } = Fp7;
const isZero = point.equals(c.ZERO);
const { x, y } = point.toAffine();
if (isCompressed) {
if (isZero)
return concatBytes(COMPRESSED_ZERO, numberToBytesBE(_0n10, len));
const flag = Boolean(
y.c1 === _0n10 ? (y.c0 * _2n10) / P3 : (y.c1 * _2n10) / P3,
);
let x_1 = bitSet(x.c1, C_BIT_POS, flag);
x_1 = bitSet(x_1, S_BIT_POS, true);
return concatBytes(
numberToBytesBE(x_1, len),
numberToBytesBE(x.c0, len),
);
} else {
if (isZero)
return concatBytes(
new Uint8Array([64]),
new Uint8Array(4 * len - 1),
);
const { re: x0, im: x1 } = Fp22.reim(x);
const { re: y0, im: y1 } = Fp22.reim(y);
return concatBytes(
numberToBytesBE(x1, len),
numberToBytesBE(x0, len),
numberToBytesBE(y1, len),
numberToBytesBE(y0, len),
);
}
},
Signature: {
// TODO: Optimize, it's very slow because of sqrt.
fromHex(hex) {
hex = ensureBytes("signatureHex", hex);
const P3 = Fp7.ORDER;
const half = hex.length / 2;
if (half !== 48 && half !== 96)
throw new Error(
"Invalid compressed signature length, must be 96 or 192",
);
const z1 = bytesToNumberBE(hex.slice(0, half));
const z2 = bytesToNumberBE(hex.slice(half));
const bflag1 = bitGet(z1, I_BIT_POS);
if (bflag1 === _1n11) return bls12_381.G2.ProjectivePoint.ZERO;
const x1 = Fp7.create(z1 & Fp7.MASK);
const x2 = Fp7.create(z2);
const x = Fp22.create({ c0: x2, c1: x1 });
const y2 = Fp22.add(Fp22.pow(x, _3n5), bls12_381.params.G2b);
let y = Fp22.sqrt(y2);
if (!y) throw new Error("Failed to find a square root");
const { re: y0, im: y1 } = Fp22.reim(y);
const aflag1 = bitGet(z1, 381);
const isGreater = y1 > _0n10 && (y1 * _2n10) / P3 !== aflag1;
const isZero = y1 === _0n10 && (y0 * _2n10) / P3 !== aflag1;
if (isGreater || isZero) y = Fp22.neg(y);
const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
point.assertValidity();
return point;
},
toRawBytes(point) {
return signatureG2ToRawBytes(point);
},
toHex(point) {
return bytesToHex(signatureG2ToRawBytes(point));
},
},
},
params: {
x: BLS_X,
r: Fr.ORDER,
// order; z⁴ z² + 1; CURVE.n from other curves
},
htfDefaults,
hash: sha256,
randomBytes,
});
// input.js
var utils = { bytesToHex, concatBytes, hexToBytes };
return __toCommonJS(input_exports);
})();
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
/*! Bundled license information:
@noble/hashes/esm/utils.js:
(*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
*/
Reference in New Issue View Git Blame Copy Permalink