|
|
|
"use strict";
|
|
|
|
var nobleCurves = (() => {
|
|
|
|
var __defProp = Object.defineProperty;
|
|
|
|
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
|
|
|
|
var __getOwnPropNames = Object.getOwnPropertyNames;
|
|
|
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
|
|
var __export = (target, all) => {
|
|
|
|
for (var name in all)
|
|
|
|
__defProp(target, name, { get: all[name], enumerable: true });
|
|
|
|
};
|
|
|
|
var __copyProps = (to, from, except, desc) => {
|
|
|
|
if ((from && typeof from === "object") || typeof from === "function") {
|
|
|
|
for (let key of __getOwnPropNames(from))
|
|
|
|
if (!__hasOwnProp.call(to, key) && key !== except)
|
|
|
|
__defProp(to, key, {
|
|
|
|
get: () => from[key],
|
|
|
|
enumerable:
|
|
|
|
!(desc = __getOwnPropDesc(from, key)) || desc.enumerable,
|
|
|
|
});
|
|
|
|
}
|
|
|
|
return to;
|
|
|
|
};
|
|
|
|
var __toCommonJS = (mod2) =>
|
|
|
|
__copyProps(__defProp({}, "__esModule", { value: true }), mod2);
|
|
|
|
|
|
|
|
// input.js
|
|
|
|
var input_exports = {};
|
|
|
|
__export(input_exports, {
|
|
|
|
bls12_381: () => bls12_381,
|
|
|
|
ed25519: () => ed25519,
|
|
|
|
ed25519_edwardsToMontgomeryPriv: () => edwardsToMontgomeryPriv,
|
|
|
|
ed25519_edwardsToMontgomeryPub: () => edwardsToMontgomeryPub,
|
|
|
|
ed448: () => ed448,
|
|
|
|
ed448_edwardsToMontgomeryPub: () => edwardsToMontgomeryPub2,
|
|
|
|
p256: () => p256,
|
|
|
|
p384: () => p384,
|
|
|
|
p521: () => p521,
|
|
|
|
secp256k1: () => secp256k1,
|
|
|
|
secp256k1_schnorr: () => schnorr,
|
|
|
|
utils: () => utils,
|
|
|
|
x25519: () => x25519,
|
|
|
|
x448: () => x448,
|
|
|
|
});
|
|
|
|
|
|
|
|
// ../esm/abstract/utils.js
|
|
|
|
var utils_exports = {};
|
|
|
|
__export(utils_exports, {
|
|
|
|
bitGet: () => bitGet,
|
|
|
|
bitLen: () => bitLen,
|
|
|
|
bitMask: () => bitMask,
|
|
|
|
bitSet: () => bitSet,
|
|
|
|
bytesToHex: () => bytesToHex,
|
|
|
|
bytesToNumberBE: () => bytesToNumberBE,
|
|
|
|
bytesToNumberLE: () => bytesToNumberLE,
|
|
|
|
concatBytes: () => concatBytes,
|
|
|
|
createHmacDrbg: () => createHmacDrbg,
|
|
|
|
ensureBytes: () => ensureBytes,
|
|
|
|
equalBytes: () => equalBytes,
|
|
|
|
hexToBytes: () => hexToBytes,
|
|
|
|
hexToNumber: () => hexToNumber,
|
|
|
|
numberToBytesBE: () => numberToBytesBE,
|
|
|
|
numberToBytesLE: () => numberToBytesLE,
|
|
|
|
numberToHexUnpadded: () => numberToHexUnpadded,
|
|
|
|
numberToVarBytesBE: () => numberToVarBytesBE,
|
|
|
|
utf8ToBytes: () => utf8ToBytes,
|
|
|
|
validateObject: () => validateObject,
|
|
|
|
});
|
|
|
|
var _0n = BigInt(0);
|
|
|
|
var _1n = BigInt(1);
|
|
|
|
var _2n = BigInt(2);
|
|
|
|
var u8a = (a) => a instanceof Uint8Array;
|
|
|
|
var hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
|
|
|
|
i.toString(16).padStart(2, "0"),
|
|
|
|
);
|
|
|
|
function bytesToHex(bytes2) {
|
|
|
|
if (!u8a(bytes2)) throw new Error("Uint8Array expected");
|
|
|
|
let hex = "";
|
|
|
|
for (let i = 0; i < bytes2.length; i++) {
|
|
|
|
hex += hexes[bytes2[i]];
|
|
|
|
}
|
|
|
|
return hex;
|
|
|
|
}
|
|
|
|
function numberToHexUnpadded(num) {
|
|
|
|
const hex = num.toString(16);
|
|
|
|
return hex.length & 1 ? `0${hex}` : hex;
|
|
|
|
}
|
|
|
|
function hexToNumber(hex) {
|
|
|
|
if (typeof hex !== "string")
|
|
|
|
throw new Error("hex string expected, got " + typeof hex);
|
|
|
|
return BigInt(hex === "" ? "0" : `0x${hex}`);
|
|
|
|
}
|
|
|
|
function hexToBytes(hex) {
|
|
|
|
if (typeof hex !== "string")
|
|
|
|
throw new Error("hex string expected, got " + typeof hex);
|
|
|
|
const len = hex.length;
|
|
|
|
if (len % 2)
|
|
|
|
throw new Error(
|
|
|
|
"padded hex string expected, got unpadded hex of length " + len,
|
|
|
|
);
|
|
|
|
const array = new Uint8Array(len / 2);
|
|
|
|
for (let i = 0; i < array.length; i++) {
|
|
|
|
const j = i * 2;
|
|
|
|
const hexByte = hex.slice(j, j + 2);
|
|
|
|
const byte = Number.parseInt(hexByte, 16);
|
|
|
|
if (Number.isNaN(byte) || byte < 0)
|
|
|
|
throw new Error("Invalid byte sequence");
|
|
|
|
array[i] = byte;
|
|
|
|
}
|
|
|
|
return array;
|
|
|
|
}
|
|
|
|
function bytesToNumberBE(bytes2) {
|
|
|
|
return hexToNumber(bytesToHex(bytes2));
|
|
|
|
}
|
|
|
|
function bytesToNumberLE(bytes2) {
|
|
|
|
if (!u8a(bytes2)) throw new Error("Uint8Array expected");
|
|
|
|
return hexToNumber(bytesToHex(Uint8Array.from(bytes2).reverse()));
|
|
|
|
}
|
|
|
|
function numberToBytesBE(n, len) {
|
|
|
|
return hexToBytes(n.toString(16).padStart(len * 2, "0"));
|
|
|
|
}
|
|
|
|
function numberToBytesLE(n, len) {
|
|
|
|
return numberToBytesBE(n, len).reverse();
|
|
|
|
}
|
|
|
|
function numberToVarBytesBE(n) {
|
|
|
|
return hexToBytes(numberToHexUnpadded(n));
|
|
|
|
}
|
|
|
|
function ensureBytes(title, hex, expectedLength) {
|
|
|
|
let res;
|
|
|
|
if (typeof hex === "string") {
|
|
|
|
try {
|
|
|
|
res = hexToBytes(hex);
|
|
|
|
} catch (e) {
|
|
|
|
throw new Error(
|
|
|
|
`${title} must be valid hex string, got "${hex}". Cause: ${e}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
} else if (u8a(hex)) {
|
|
|
|
res = Uint8Array.from(hex);
|
|
|
|
} else {
|
|
|
|
throw new Error(`${title} must be hex string or Uint8Array`);
|
|
|
|
}
|
|
|
|
const len = res.length;
|
|
|
|
if (typeof expectedLength === "number" && len !== expectedLength)
|
|
|
|
throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
function concatBytes(...arrays) {
|
|
|
|
const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
|
|
|
|
let pad = 0;
|
|
|
|
arrays.forEach((a) => {
|
|
|
|
if (!u8a(a)) throw new Error("Uint8Array expected");
|
|
|
|
r.set(a, pad);
|
|
|
|
pad += a.length;
|
|
|
|
});
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
function equalBytes(b1, b2) {
|
|
|
|
if (b1.length !== b2.length) return false;
|
|
|
|
for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
function utf8ToBytes(str) {
|
|
|
|
if (typeof str !== "string")
|
|
|
|
throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
|
|
|
|
return new Uint8Array(new TextEncoder().encode(str));
|
|
|
|
}
|
|
|
|
function bitLen(n) {
|
|
|
|
let len;
|
|
|
|
for (len = 0; n > _0n; n >>= _1n, len += 1);
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
function bitGet(n, pos) {
|
|
|
|
return (n >> BigInt(pos)) & _1n;
|
|
|
|
}
|
|
|
|
var bitSet = (n, pos, value) => {
|
|
|
|
return n | ((value ? _1n : _0n) << BigInt(pos));
|
|
|
|
};
|
|
|
|
var bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
|
|
|
|
var u8n = (data) => new Uint8Array(data);
|
|
|
|
var u8fr = (arr) => Uint8Array.from(arr);
|
|
|
|
function createHmacDrbg(hashLen, qByteLen, hmacFn) {
|
|
|
|
if (typeof hashLen !== "number" || hashLen < 2)
|
|
|
|
throw new Error("hashLen must be a number");
|
|
|
|
if (typeof qByteLen !== "number" || qByteLen < 2)
|
|
|
|
throw new Error("qByteLen must be a number");
|
|
|
|
if (typeof hmacFn !== "function")
|
|
|
|
throw new Error("hmacFn must be a function");
|
|
|
|
let v = u8n(hashLen);
|
|
|
|
let k = u8n(hashLen);
|
|
|
|
let i = 0;
|
|
|
|
const reset = () => {
|
|
|
|
v.fill(1);
|
|
|
|
k.fill(0);
|
|
|
|
i = 0;
|
|
|
|
};
|
|
|
|
const h = (...b) => hmacFn(k, v, ...b);
|
|
|
|
const reseed = (seed = u8n()) => {
|
|
|
|
k = h(u8fr([0]), seed);
|
|
|
|
v = h();
|
|
|
|
if (seed.length === 0) return;
|
|
|
|
k = h(u8fr([1]), seed);
|
|
|
|
v = h();
|
|
|
|
};
|
|
|
|
const gen2 = () => {
|
|
|
|
if (i++ >= 1e3) throw new Error("drbg: tried 1000 values");
|
|
|
|
let len = 0;
|
|
|
|
const out = [];
|
|
|
|
while (len < qByteLen) {
|
|
|
|
v = h();
|
|
|
|
const sl = v.slice();
|
|
|
|
out.push(sl);
|
|
|
|
len += v.length;
|
|
|
|
}
|
|
|
|
return concatBytes(...out);
|
|
|
|
};
|
|
|
|
const genUntil = (seed, pred) => {
|
|
|
|
reset();
|
|
|
|
reseed(seed);
|
|
|
|
let res = void 0;
|
|
|
|
while (!(res = pred(gen2()))) reseed();
|
|
|
|
reset();
|
|
|
|
return res;
|
|
|
|
};
|
|
|
|
return genUntil;
|
|
|
|
}
|
|
|
|
var validatorFns = {
|
|
|
|
bigint: (val) => typeof val === "bigint",
|
|
|
|
function: (val) => typeof val === "function",
|
|
|
|
boolean: (val) => typeof val === "boolean",
|
|
|
|
string: (val) => typeof val === "string",
|
|
|
|
stringOrUint8Array: (val) =>
|
|
|
|
typeof val === "string" || val instanceof Uint8Array,
|
|
|
|
isSafeInteger: (val) => Number.isSafeInteger(val),
|
|
|
|
array: (val) => Array.isArray(val),
|
|
|
|
field: (val, object) => object.Fp.isValid(val),
|
|
|
|
hash: (val) =>
|
|
|
|
typeof val === "function" && Number.isSafeInteger(val.outputLen),
|
|
|
|
};
|
|
|
|
function validateObject(object, validators, optValidators = {}) {
|
|
|
|
const checkField = (fieldName, type, isOptional) => {
|
|
|
|
const checkVal = validatorFns[type];
|
|
|
|
if (typeof checkVal !== "function")
|
|
|
|
throw new Error(`Invalid validator "${type}", expected function`);
|
|
|
|
const val = object[fieldName];
|
|
|
|
if (isOptional && val === void 0) return;
|
|
|
|
if (!checkVal(val, object)) {
|
|
|
|
throw new Error(
|
|
|
|
`Invalid param ${String(
|
|
|
|
fieldName,
|
|
|
|
)}=${val} (${typeof val}), expected ${type}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
for (const [fieldName, type] of Object.entries(validators))
|
|
|
|
checkField(fieldName, type, false);
|
|
|
|
for (const [fieldName, type] of Object.entries(optValidators))
|
|
|
|
checkField(fieldName, type, true);
|
|
|
|
return object;
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/_assert.js
|
|
|
|
function number(n) {
|
|
|
|
if (!Number.isSafeInteger(n) || n < 0)
|
|
|
|
throw new Error(`Wrong positive integer: ${n}`);
|
|
|
|
}
|
|
|
|
function bytes(b, ...lengths) {
|
|
|
|
if (!(b instanceof Uint8Array)) throw new Error("Expected Uint8Array");
|
|
|
|
if (lengths.length > 0 && !lengths.includes(b.length))
|
|
|
|
throw new Error(
|
|
|
|
`Expected Uint8Array of length ${lengths}, not of length=${b.length}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
function hash(hash2) {
|
|
|
|
if (typeof hash2 !== "function" || typeof hash2.create !== "function")
|
|
|
|
throw new Error("Hash should be wrapped by utils.wrapConstructor");
|
|
|
|
number(hash2.outputLen);
|
|
|
|
number(hash2.blockLen);
|
|
|
|
}
|
|
|
|
function exists(instance, checkFinished = true) {
|
|
|
|
if (instance.destroyed) throw new Error("Hash instance has been destroyed");
|
|
|
|
if (checkFinished && instance.finished)
|
|
|
|
throw new Error("Hash#digest() has already been called");
|
|
|
|
}
|
|
|
|
function output(out, instance) {
|
|
|
|
bytes(out);
|
|
|
|
const min = instance.outputLen;
|
|
|
|
if (out.length < min) {
|
|
|
|
throw new Error(
|
|
|
|
`digestInto() expects output buffer of length at least ${min}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/crypto.js
|
|
|
|
var crypto =
|
|
|
|
typeof globalThis === "object" && "crypto" in globalThis
|
|
|
|
? globalThis.crypto
|
|
|
|
: void 0;
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/utils.js
|
|
|
|
var u8a2 = (a) => a instanceof Uint8Array;
|
|
|
|
var u32 = (arr) =>
|
|
|
|
new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4));
|
|
|
|
var createView = (arr) =>
|
|
|
|
new DataView(arr.buffer, arr.byteOffset, arr.byteLength);
|
|
|
|
var rotr = (word, shift) => (word << (32 - shift)) | (word >>> shift);
|
|
|
|
var isLE = new Uint8Array(new Uint32Array([287454020]).buffer)[0] === 68;
|
|
|
|
if (!isLE) throw new Error("Non little-endian hardware is not supported");
|
|
|
|
function utf8ToBytes2(str) {
|
|
|
|
if (typeof str !== "string")
|
|
|
|
throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
|
|
|
|
return new Uint8Array(new TextEncoder().encode(str));
|
|
|
|
}
|
|
|
|
function toBytes(data) {
|
|
|
|
if (typeof data === "string") data = utf8ToBytes2(data);
|
|
|
|
if (!u8a2(data)) throw new Error(`expected Uint8Array, got ${typeof data}`);
|
|
|
|
return data;
|
|
|
|
}
|
|
|
|
function concatBytes2(...arrays) {
|
|
|
|
const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
|
|
|
|
let pad = 0;
|
|
|
|
arrays.forEach((a) => {
|
|
|
|
if (!u8a2(a)) throw new Error("Uint8Array expected");
|
|
|
|
r.set(a, pad);
|
|
|
|
pad += a.length;
|
|
|
|
});
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
var Hash = class {
|
|
|
|
// Safe version that clones internal state
|
|
|
|
clone() {
|
|
|
|
return this._cloneInto();
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var toStr = {}.toString;
|
|
|
|
function wrapConstructor(hashCons) {
|
|
|
|
const hashC = (msg) => hashCons().update(toBytes(msg)).digest();
|
|
|
|
const tmp = hashCons();
|
|
|
|
hashC.outputLen = tmp.outputLen;
|
|
|
|
hashC.blockLen = tmp.blockLen;
|
|
|
|
hashC.create = () => hashCons();
|
|
|
|
return hashC;
|
|
|
|
}
|
|
|
|
function wrapXOFConstructorWithOpts(hashCons) {
|
|
|
|
const hashC = (msg, opts) => hashCons(opts).update(toBytes(msg)).digest();
|
|
|
|
const tmp = hashCons({});
|
|
|
|
hashC.outputLen = tmp.outputLen;
|
|
|
|
hashC.blockLen = tmp.blockLen;
|
|
|
|
hashC.create = (opts) => hashCons(opts);
|
|
|
|
return hashC;
|
|
|
|
}
|
|
|
|
function randomBytes(bytesLength = 32) {
|
|
|
|
if (crypto && typeof crypto.getRandomValues === "function") {
|
|
|
|
return crypto.getRandomValues(new Uint8Array(bytesLength));
|
|
|
|
}
|
|
|
|
throw new Error("crypto.getRandomValues must be defined");
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/_sha2.js
|
|
|
|
function setBigUint64(view, byteOffset, value, isLE2) {
|
|
|
|
if (typeof view.setBigUint64 === "function")
|
|
|
|
return view.setBigUint64(byteOffset, value, isLE2);
|
|
|
|
const _32n2 = BigInt(32);
|
|
|
|
const _u32_max = BigInt(4294967295);
|
|
|
|
const wh = Number((value >> _32n2) & _u32_max);
|
|
|
|
const wl = Number(value & _u32_max);
|
|
|
|
const h = isLE2 ? 4 : 0;
|
|
|
|
const l = isLE2 ? 0 : 4;
|
|
|
|
view.setUint32(byteOffset + h, wh, isLE2);
|
|
|
|
view.setUint32(byteOffset + l, wl, isLE2);
|
|
|
|
}
|
|
|
|
var SHA2 = class extends Hash {
|
|
|
|
constructor(blockLen, outputLen, padOffset, isLE2) {
|
|
|
|
super();
|
|
|
|
this.blockLen = blockLen;
|
|
|
|
this.outputLen = outputLen;
|
|
|
|
this.padOffset = padOffset;
|
|
|
|
this.isLE = isLE2;
|
|
|
|
this.finished = false;
|
|
|
|
this.length = 0;
|
|
|
|
this.pos = 0;
|
|
|
|
this.destroyed = false;
|
|
|
|
this.buffer = new Uint8Array(blockLen);
|
|
|
|
this.view = createView(this.buffer);
|
|
|
|
}
|
|
|
|
update(data) {
|
|
|
|
exists(this);
|
|
|
|
const { view, buffer, blockLen } = this;
|
|
|
|
data = toBytes(data);
|
|
|
|
const len = data.length;
|
|
|
|
for (let pos = 0; pos < len; ) {
|
|
|
|
const take = Math.min(blockLen - this.pos, len - pos);
|
|
|
|
if (take === blockLen) {
|
|
|
|
const dataView = createView(data);
|
|
|
|
for (; blockLen <= len - pos; pos += blockLen)
|
|
|
|
this.process(dataView, pos);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
buffer.set(data.subarray(pos, pos + take), this.pos);
|
|
|
|
this.pos += take;
|
|
|
|
pos += take;
|
|
|
|
if (this.pos === blockLen) {
|
|
|
|
this.process(view, 0);
|
|
|
|
this.pos = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
this.length += data.length;
|
|
|
|
this.roundClean();
|
|
|
|
return this;
|
|
|
|
}
|
|
|
|
digestInto(out) {
|
|
|
|
exists(this);
|
|
|
|
output(out, this);
|
|
|
|
this.finished = true;
|
|
|
|
const { buffer, view, blockLen, isLE: isLE2 } = this;
|
|
|
|
let { pos } = this;
|
|
|
|
buffer[pos++] = 128;
|
|
|
|
this.buffer.subarray(pos).fill(0);
|
|
|
|
if (this.padOffset > blockLen - pos) {
|
|
|
|
this.process(view, 0);
|
|
|
|
pos = 0;
|
|
|
|
}
|
|
|
|
for (let i = pos; i < blockLen; i++) buffer[i] = 0;
|
|
|
|
setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE2);
|
|
|
|
this.process(view, 0);
|
|
|
|
const oview = createView(out);
|
|
|
|
const len = this.outputLen;
|
|
|
|
if (len % 4)
|
|
|
|
throw new Error("_sha2: outputLen should be aligned to 32bit");
|
|
|
|
const outLen = len / 4;
|
|
|
|
const state = this.get();
|
|
|
|
if (outLen > state.length)
|
|
|
|
throw new Error("_sha2: outputLen bigger than state");
|
|
|
|
for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE2);
|
|
|
|
}
|
|
|
|
digest() {
|
|
|
|
const { buffer, outputLen } = this;
|
|
|
|
this.digestInto(buffer);
|
|
|
|
const res = buffer.slice(0, outputLen);
|
|
|
|
this.destroy();
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
_cloneInto(to) {
|
|
|
|
to || (to = new this.constructor());
|
|
|
|
to.set(...this.get());
|
|
|
|
const { blockLen, buffer, length, finished, destroyed, pos } = this;
|
|
|
|
to.length = length;
|
|
|
|
to.pos = pos;
|
|
|
|
to.finished = finished;
|
|
|
|
to.destroyed = destroyed;
|
|
|
|
if (length % blockLen) to.buffer.set(buffer);
|
|
|
|
return to;
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/sha256.js
|
|
|
|
var Chi = (a, b, c) => (a & b) ^ (~a & c);
|
|
|
|
var Maj = (a, b, c) => (a & b) ^ (a & c) ^ (b & c);
|
|
|
|
var SHA256_K = /* @__PURE__ */ new Uint32Array([
|
|
|
|
1116352408, 1899447441, 3049323471, 3921009573, 961987163, 1508970993,
|
|
|
|
2453635748, 2870763221, 3624381080, 310598401, 607225278, 1426881987,
|
|
|
|
1925078388, 2162078206, 2614888103, 3248222580, 3835390401, 4022224774,
|
|
|
|
264347078, 604807628, 770255983, 1249150122, 1555081692, 1996064986,
|
|
|
|
2554220882, 2821834349, 2952996808, 3210313671, 3336571891, 3584528711,
|
|
|
|
113926993, 338241895, 666307205, 773529912, 1294757372, 1396182291,
|
|
|
|
1695183700, 1986661051, 2177026350, 2456956037, 2730485921, 2820302411,
|
|
|
|
3259730800, 3345764771, 3516065817, 3600352804, 4094571909, 275423344,
|
|
|
|
430227734, 506948616, 659060556, 883997877, 958139571, 1322822218,
|
|
|
|
1537002063, 1747873779, 1955562222, 2024104815, 2227730452, 2361852424,
|
|
|
|
2428436474, 2756734187, 3204031479, 3329325298,
|
|
|
|
]);
|
|
|
|
var IV = /* @__PURE__ */ new Uint32Array([
|
|
|
|
1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924,
|
|
|
|
528734635, 1541459225,
|
|
|
|
]);
|
|
|
|
var SHA256_W = /* @__PURE__ */ new Uint32Array(64);
|
|
|
|
var SHA256 = class extends SHA2 {
|
|
|
|
constructor() {
|
|
|
|
super(64, 32, 8, false);
|
|
|
|
this.A = IV[0] | 0;
|
|
|
|
this.B = IV[1] | 0;
|
|
|
|
this.C = IV[2] | 0;
|
|
|
|
this.D = IV[3] | 0;
|
|
|
|
this.E = IV[4] | 0;
|
|
|
|
this.F = IV[5] | 0;
|
|
|
|
this.G = IV[6] | 0;
|
|
|
|
this.H = IV[7] | 0;
|
|
|
|
}
|
|
|
|
get() {
|
|
|
|
const { A, B, C, D, E, F, G, H } = this;
|
|
|
|
return [A, B, C, D, E, F, G, H];
|
|
|
|
}
|
|
|
|
// prettier-ignore
|
|
|
|
set(A, B, C, D, E, F, G, H) {
|
|
|
|
this.A = A | 0;
|
|
|
|
this.B = B | 0;
|
|
|
|
this.C = C | 0;
|
|
|
|
this.D = D | 0;
|
|
|
|
this.E = E | 0;
|
|
|
|
this.F = F | 0;
|
|
|
|
this.G = G | 0;
|
|
|
|
this.H = H | 0;
|
|
|
|
}
|
|
|
|
process(view, offset) {
|
|
|
|
for (let i = 0; i < 16; i++, offset += 4)
|
|
|
|
SHA256_W[i] = view.getUint32(offset, false);
|
|
|
|
for (let i = 16; i < 64; i++) {
|
|
|
|
const W15 = SHA256_W[i - 15];
|
|
|
|
const W2 = SHA256_W[i - 2];
|
|
|
|
const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3);
|
|
|
|
const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10);
|
|
|
|
SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0;
|
|
|
|
}
|
|
|
|
let { A, B, C, D, E, F, G, H } = this;
|
|
|
|
for (let i = 0; i < 64; i++) {
|
|
|
|
const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25);
|
|
|
|
const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0;
|
|
|
|
const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22);
|
|
|
|
const T2 = (sigma0 + Maj(A, B, C)) | 0;
|
|
|
|
H = G;
|
|
|
|
G = F;
|
|
|
|
F = E;
|
|
|
|
E = (D + T1) | 0;
|
|
|
|
D = C;
|
|
|
|
C = B;
|
|
|
|
B = A;
|
|
|
|
A = (T1 + T2) | 0;
|
|
|
|
}
|
|
|
|
A = (A + this.A) | 0;
|
|
|
|
B = (B + this.B) | 0;
|
|
|
|
C = (C + this.C) | 0;
|
|
|
|
D = (D + this.D) | 0;
|
|
|
|
E = (E + this.E) | 0;
|
|
|
|
F = (F + this.F) | 0;
|
|
|
|
G = (G + this.G) | 0;
|
|
|
|
H = (H + this.H) | 0;
|
|
|
|
this.set(A, B, C, D, E, F, G, H);
|
|
|
|
}
|
|
|
|
roundClean() {
|
|
|
|
SHA256_W.fill(0);
|
|
|
|
}
|
|
|
|
destroy() {
|
|
|
|
this.set(0, 0, 0, 0, 0, 0, 0, 0);
|
|
|
|
this.buffer.fill(0);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var sha256 = /* @__PURE__ */ wrapConstructor(() => new SHA256());
|
|
|
|
|
|
|
|
// ../esm/abstract/modular.js
|
|
|
|
var _0n2 = BigInt(0);
|
|
|
|
var _1n2 = BigInt(1);
|
|
|
|
var _2n2 = BigInt(2);
|
|
|
|
var _3n = BigInt(3);
|
|
|
|
var _4n = BigInt(4);
|
|
|
|
var _5n = BigInt(5);
|
|
|
|
var _8n = BigInt(8);
|
|
|
|
var _9n = BigInt(9);
|
|
|
|
var _16n = BigInt(16);
|
|
|
|
function mod(a, b) {
|
|
|
|
const result = a % b;
|
|
|
|
return result >= _0n2 ? result : b + result;
|
|
|
|
}
|
|
|
|
function pow(num, power, modulo) {
|
|
|
|
if (modulo <= _0n2 || power < _0n2)
|
|
|
|
throw new Error("Expected power/modulo > 0");
|
|
|
|
if (modulo === _1n2) return _0n2;
|
|
|
|
let res = _1n2;
|
|
|
|
while (power > _0n2) {
|
|
|
|
if (power & _1n2) res = (res * num) % modulo;
|
|
|
|
num = (num * num) % modulo;
|
|
|
|
power >>= _1n2;
|
|
|
|
}
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
function pow2(x, power, modulo) {
|
|
|
|
let res = x;
|
|
|
|
while (power-- > _0n2) {
|
|
|
|
res *= res;
|
|
|
|
res %= modulo;
|
|
|
|
}
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
function invert(number2, modulo) {
|
|
|
|
if (number2 === _0n2 || modulo <= _0n2) {
|
|
|
|
throw new Error(
|
|
|
|
`invert: expected positive integers, got n=${number2} mod=${modulo}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
let a = mod(number2, modulo);
|
|
|
|
let b = modulo;
|
|
|
|
let x = _0n2,
|
|
|
|
y = _1n2,
|
|
|
|
u = _1n2,
|
|
|
|
v = _0n2;
|
|
|
|
while (a !== _0n2) {
|
|
|
|
const q = b / a;
|
|
|
|
const r = b % a;
|
|
|
|
const m = x - u * q;
|
|
|
|
const n = y - v * q;
|
|
|
|
(b = a), (a = r), (x = u), (y = v), (u = m), (v = n);
|
|
|
|
}
|
|
|
|
const gcd = b;
|
|
|
|
if (gcd !== _1n2) throw new Error("invert: does not exist");
|
|
|
|
return mod(x, modulo);
|
|
|
|
}
|
|
|
|
function tonelliShanks(P3) {
|
|
|
|
const legendreC = (P3 - _1n2) / _2n2;
|
|
|
|
let Q, S, Z;
|
|
|
|
for (Q = P3 - _1n2, S = 0; Q % _2n2 === _0n2; Q /= _2n2, S++);
|
|
|
|
for (Z = _2n2; Z < P3 && pow(Z, legendreC, P3) !== P3 - _1n2; Z++);
|
|
|
|
if (S === 1) {
|
|
|
|
const p1div4 = (P3 + _1n2) / _4n;
|
|
|
|
return function tonelliFast(Fp8, n) {
|
|
|
|
const root = Fp8.pow(n, p1div4);
|
|
|
|
if (!Fp8.eql(Fp8.sqr(root), n))
|
|
|
|
throw new Error("Cannot find square root");
|
|
|
|
return root;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
const Q1div2 = (Q + _1n2) / _2n2;
|
|
|
|
return function tonelliSlow(Fp8, n) {
|
|
|
|
if (Fp8.pow(n, legendreC) === Fp8.neg(Fp8.ONE))
|
|
|
|
throw new Error("Cannot find square root");
|
|
|
|
let r = S;
|
|
|
|
let g = Fp8.pow(Fp8.mul(Fp8.ONE, Z), Q);
|
|
|
|
let x = Fp8.pow(n, Q1div2);
|
|
|
|
let b = Fp8.pow(n, Q);
|
|
|
|
while (!Fp8.eql(b, Fp8.ONE)) {
|
|
|
|
if (Fp8.eql(b, Fp8.ZERO)) return Fp8.ZERO;
|
|
|
|
let m = 1;
|
|
|
|
for (let t2 = Fp8.sqr(b); m < r; m++) {
|
|
|
|
if (Fp8.eql(t2, Fp8.ONE)) break;
|
|
|
|
t2 = Fp8.sqr(t2);
|
|
|
|
}
|
|
|
|
const ge2 = Fp8.pow(g, _1n2 << BigInt(r - m - 1));
|
|
|
|
g = Fp8.sqr(ge2);
|
|
|
|
x = Fp8.mul(x, ge2);
|
|
|
|
b = Fp8.mul(b, g);
|
|
|
|
r = m;
|
|
|
|
}
|
|
|
|
return x;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function FpSqrt(P3) {
|
|
|
|
if (P3 % _4n === _3n) {
|
|
|
|
const p1div4 = (P3 + _1n2) / _4n;
|
|
|
|
return function sqrt3mod4(Fp8, n) {
|
|
|
|
const root = Fp8.pow(n, p1div4);
|
|
|
|
if (!Fp8.eql(Fp8.sqr(root), n))
|
|
|
|
throw new Error("Cannot find square root");
|
|
|
|
return root;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
if (P3 % _8n === _5n) {
|
|
|
|
const c1 = (P3 - _5n) / _8n;
|
|
|
|
return function sqrt5mod8(Fp8, n) {
|
|
|
|
const n2 = Fp8.mul(n, _2n2);
|
|
|
|
const v = Fp8.pow(n2, c1);
|
|
|
|
const nv = Fp8.mul(n, v);
|
|
|
|
const i = Fp8.mul(Fp8.mul(nv, _2n2), v);
|
|
|
|
const root = Fp8.mul(nv, Fp8.sub(i, Fp8.ONE));
|
|
|
|
if (!Fp8.eql(Fp8.sqr(root), n))
|
|
|
|
throw new Error("Cannot find square root");
|
|
|
|
return root;
|
|
|
|
};
|
|
|
|
}
|
|
|
|
if (P3 % _16n === _9n) {
|
|
|
|
}
|
|
|
|
return tonelliShanks(P3);
|
|
|
|
}
|
|
|
|
var isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n2) === _1n2;
|
|
|
|
var FIELD_FIELDS = [
|
|
|
|
"create",
|
|
|
|
"isValid",
|
|
|
|
"is0",
|
|
|
|
"neg",
|
|
|
|
"inv",
|
|
|
|
"sqrt",
|
|
|
|
"sqr",
|
|
|
|
"eql",
|
|
|
|
"add",
|
|
|
|
"sub",
|
|
|
|
"mul",
|
|
|
|
"pow",
|
|
|
|
"div",
|
|
|
|
"addN",
|
|
|
|
"subN",
|
|
|
|
"mulN",
|
|
|
|
"sqrN",
|
|
|
|
];
|
|
|
|
function validateField(field) {
|
|
|
|
const initial = {
|
|
|
|
ORDER: "bigint",
|
|
|
|
MASK: "bigint",
|
|
|
|
BYTES: "isSafeInteger",
|
|
|
|
BITS: "isSafeInteger",
|
|
|
|
};
|
|
|
|
const opts = FIELD_FIELDS.reduce((map, val) => {
|
|
|
|
map[val] = "function";
|
|
|
|
return map;
|
|
|
|
}, initial);
|
|
|
|
return validateObject(field, opts);
|
|
|
|
}
|
|
|
|
function FpPow(f, num, power) {
|
|
|
|
if (power < _0n2) throw new Error("Expected power > 0");
|
|
|
|
if (power === _0n2) return f.ONE;
|
|
|
|
if (power === _1n2) return num;
|
|
|
|
let p = f.ONE;
|
|
|
|
let d = num;
|
|
|
|
while (power > _0n2) {
|
|
|
|
if (power & _1n2) p = f.mul(p, d);
|
|
|
|
d = f.sqr(d);
|
|
|
|
power >>= _1n2;
|
|
|
|
}
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
function FpInvertBatch(f, nums) {
|
|
|
|
const tmp = new Array(nums.length);
|
|
|
|
const lastMultiplied = nums.reduce((acc, num, i) => {
|
|
|
|
if (f.is0(num)) return acc;
|
|
|
|
tmp[i] = acc;
|
|
|
|
return f.mul(acc, num);
|
|
|
|
}, f.ONE);
|
|
|
|
const inverted = f.inv(lastMultiplied);
|
|
|
|
nums.reduceRight((acc, num, i) => {
|
|
|
|
if (f.is0(num)) return acc;
|
|
|
|
tmp[i] = f.mul(acc, tmp[i]);
|
|
|
|
return f.mul(acc, num);
|
|
|
|
}, inverted);
|
|
|
|
return tmp;
|
|
|
|
}
|
|
|
|
function nLength(n, nBitLength) {
|
|
|
|
const _nBitLength =
|
|
|
|
nBitLength !== void 0 ? nBitLength : n.toString(2).length;
|
|
|
|
const nByteLength = Math.ceil(_nBitLength / 8);
|
|
|
|
return { nBitLength: _nBitLength, nByteLength };
|
|
|
|
}
|
|
|
|
function Field(ORDER, bitLen2, isLE2 = false, redef = {}) {
|
|
|
|
if (ORDER <= _0n2)
|
|
|
|
throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
|
|
|
|
const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen2);
|
|
|
|
if (BYTES > 2048)
|
|
|
|
throw new Error("Field lengths over 2048 bytes are not supported");
|
|
|
|
const sqrtP = FpSqrt(ORDER);
|
|
|
|
const f = Object.freeze({
|
|
|
|
ORDER,
|
|
|
|
BITS,
|
|
|
|
BYTES,
|
|
|
|
MASK: bitMask(BITS),
|
|
|
|
ZERO: _0n2,
|
|
|
|
ONE: _1n2,
|
|
|
|
create: (num) => mod(num, ORDER),
|
|
|
|
isValid: (num) => {
|
|
|
|
if (typeof num !== "bigint")
|
|
|
|
throw new Error(
|
|
|
|
`Invalid field element: expected bigint, got ${typeof num}`,
|
|
|
|
);
|
|
|
|
return _0n2 <= num && num < ORDER;
|
|
|
|
},
|
|
|
|
is0: (num) => num === _0n2,
|
|
|
|
isOdd: (num) => (num & _1n2) === _1n2,
|
|
|
|
neg: (num) => mod(-num, ORDER),
|
|
|
|
eql: (lhs, rhs) => lhs === rhs,
|
|
|
|
sqr: (num) => mod(num * num, ORDER),
|
|
|
|
add: (lhs, rhs) => mod(lhs + rhs, ORDER),
|
|
|
|
sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
|
|
|
|
mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
|
|
|
|
pow: (num, power) => FpPow(f, num, power),
|
|
|
|
div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
|
|
|
|
// Same as above, but doesn't normalize
|
|
|
|
sqrN: (num) => num * num,
|
|
|
|
addN: (lhs, rhs) => lhs + rhs,
|
|
|
|
subN: (lhs, rhs) => lhs - rhs,
|
|
|
|
mulN: (lhs, rhs) => lhs * rhs,
|
|
|
|
inv: (num) => invert(num, ORDER),
|
|
|
|
sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
|
|
|
|
invertBatch: (lst) => FpInvertBatch(f, lst),
|
|
|
|
// TODO: do we really need constant cmov?
|
|
|
|
// We don't have const-time bigints anyway, so probably will be not very useful
|
|
|
|
cmov: (a, b, c) => (c ? b : a),
|
|
|
|
toBytes: (num) =>
|
|
|
|
isLE2 ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES),
|
|
|
|
fromBytes: (bytes2) => {
|
|
|
|
if (bytes2.length !== BYTES)
|
|
|
|
throw new Error(
|
|
|
|
`Fp.fromBytes: expected ${BYTES}, got ${bytes2.length}`,
|
|
|
|
);
|
|
|
|
return isLE2 ? bytesToNumberLE(bytes2) : bytesToNumberBE(bytes2);
|
|
|
|
},
|
|
|
|
});
|
|
|
|
return Object.freeze(f);
|
|
|
|
}
|
|
|
|
function FpSqrtEven(Fp8, elm) {
|
|
|
|
if (!Fp8.isOdd) throw new Error(`Field doesn't have isOdd`);
|
|
|
|
const root = Fp8.sqrt(elm);
|
|
|
|
return Fp8.isOdd(root) ? Fp8.neg(root) : root;
|
|
|
|
}
|
|
|
|
function getFieldBytesLength(fieldOrder) {
|
|
|
|
if (typeof fieldOrder !== "bigint")
|
|
|
|
throw new Error("field order must be bigint");
|
|
|
|
const bitLength = fieldOrder.toString(2).length;
|
|
|
|
return Math.ceil(bitLength / 8);
|
|
|
|
}
|
|
|
|
function getMinHashLength(fieldOrder) {
|
|
|
|
const length = getFieldBytesLength(fieldOrder);
|
|
|
|
return length + Math.ceil(length / 2);
|
|
|
|
}
|
|
|
|
function mapHashToField(key, fieldOrder, isLE2 = false) {
|
|
|
|
const len = key.length;
|
|
|
|
const fieldLen = getFieldBytesLength(fieldOrder);
|
|
|
|
const minLen = getMinHashLength(fieldOrder);
|
|
|
|
if (len < 16 || len < minLen || len > 1024)
|
|
|
|
throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
|
|
|
|
const num = isLE2 ? bytesToNumberBE(key) : bytesToNumberLE(key);
|
|
|
|
const reduced = mod(num, fieldOrder - _1n2) + _1n2;
|
|
|
|
return isLE2
|
|
|
|
? numberToBytesLE(reduced, fieldLen)
|
|
|
|
: numberToBytesBE(reduced, fieldLen);
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/abstract/curve.js
|
|
|
|
var _0n3 = BigInt(0);
|
|
|
|
var _1n3 = BigInt(1);
|
|
|
|
function wNAF(c, bits) {
|
|
|
|
const constTimeNegate = (condition, item) => {
|
|
|
|
const neg = item.negate();
|
|
|
|
return condition ? neg : item;
|
|
|
|
};
|
|
|
|
const opts = (W) => {
|
|
|
|
const windows = Math.ceil(bits / W) + 1;
|
|
|
|
const windowSize = 2 ** (W - 1);
|
|
|
|
return { windows, windowSize };
|
|
|
|
};
|
|
|
|
return {
|
|
|
|
constTimeNegate,
|
|
|
|
// non-const time multiplication ladder
|
|
|
|
unsafeLadder(elm, n) {
|
|
|
|
let p = c.ZERO;
|
|
|
|
let d = elm;
|
|
|
|
while (n > _0n3) {
|
|
|
|
if (n & _1n3) p = p.add(d);
|
|
|
|
d = d.double();
|
|
|
|
n >>= _1n3;
|
|
|
|
}
|
|
|
|
return p;
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Creates a wNAF precomputation window. Used for caching.
|
|
|
|
* Default window size is set by `utils.precompute()` and is equal to 8.
|
|
|
|
* Number of precomputed points depends on the curve size:
|
|
|
|
* 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
|
|
|
|
* - 𝑊 is the window size
|
|
|
|
* - 𝑛 is the bitlength of the curve order.
|
|
|
|
* For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
|
|
|
|
* @returns precomputed point tables flattened to a single array
|
|
|
|
*/
|
|
|
|
precomputeWindow(elm, W) {
|
|
|
|
const { windows, windowSize } = opts(W);
|
|
|
|
const points = [];
|
|
|
|
let p = elm;
|
|
|
|
let base = p;
|
|
|
|
for (let window = 0; window < windows; window++) {
|
|
|
|
base = p;
|
|
|
|
points.push(base);
|
|
|
|
for (let i = 1; i < windowSize; i++) {
|
|
|
|
base = base.add(p);
|
|
|
|
points.push(base);
|
|
|
|
}
|
|
|
|
p = base.double();
|
|
|
|
}
|
|
|
|
return points;
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
|
|
|
|
* @param W window size
|
|
|
|
* @param precomputes precomputed tables
|
|
|
|
* @param n scalar (we don't check here, but should be less than curve order)
|
|
|
|
* @returns real and fake (for const-time) points
|
|
|
|
*/
|
|
|
|
wNAF(W, precomputes, n) {
|
|
|
|
const { windows, windowSize } = opts(W);
|
|
|
|
let p = c.ZERO;
|
|
|
|
let f = c.BASE;
|
|
|
|
const mask = BigInt(2 ** W - 1);
|
|
|
|
const maxNumber = 2 ** W;
|
|
|
|
const shiftBy = BigInt(W);
|
|
|
|
for (let window = 0; window < windows; window++) {
|
|
|
|
const offset = window * windowSize;
|
|
|
|
let wbits = Number(n & mask);
|
|
|
|
n >>= shiftBy;
|
|
|
|
if (wbits > windowSize) {
|
|
|
|
wbits -= maxNumber;
|
|
|
|
n += _1n3;
|
|
|
|
}
|
|
|
|
const offset1 = offset;
|
|
|
|
const offset2 = offset + Math.abs(wbits) - 1;
|
|
|
|
const cond1 = window % 2 !== 0;
|
|
|
|
const cond2 = wbits < 0;
|
|
|
|
if (wbits === 0) {
|
|
|
|
f = f.add(constTimeNegate(cond1, precomputes[offset1]));
|
|
|
|
} else {
|
|
|
|
p = p.add(constTimeNegate(cond2, precomputes[offset2]));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return { p, f };
|
|
|
|
},
|
|
|
|
wNAFCached(P3, precomputesMap, n, transform) {
|
|
|
|
const W = P3._WINDOW_SIZE || 1;
|
|
|
|
let comp = precomputesMap.get(P3);
|
|
|
|
if (!comp) {
|
|
|
|
comp = this.precomputeWindow(P3, W);
|
|
|
|
if (W !== 1) {
|
|
|
|
precomputesMap.set(P3, transform(comp));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return this.wNAF(W, comp, n);
|
|
|
|
},
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function validateBasic(curve) {
|
|
|
|
validateField(curve.Fp);
|
|
|
|
validateObject(
|
|
|
|
curve,
|
|
|
|
{
|
|
|
|
n: "bigint",
|
|
|
|
h: "bigint",
|
|
|
|
Gx: "field",
|
|
|
|
Gy: "field",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
nBitLength: "isSafeInteger",
|
|
|
|
nByteLength: "isSafeInteger",
|
|
|
|
},
|
|
|
|
);
|
|
|
|
return Object.freeze({
|
|
|
|
...nLength(curve.n, curve.nBitLength),
|
|
|
|
...curve,
|
|
|
|
...{ p: curve.Fp.ORDER },
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/abstract/weierstrass.js
|
|
|
|
function validatePointOpts(curve) {
|
|
|
|
const opts = validateBasic(curve);
|
|
|
|
validateObject(
|
|
|
|
opts,
|
|
|
|
{
|
|
|
|
a: "field",
|
|
|
|
b: "field",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
allowedPrivateKeyLengths: "array",
|
|
|
|
wrapPrivateKey: "boolean",
|
|
|
|
isTorsionFree: "function",
|
|
|
|
clearCofactor: "function",
|
|
|
|
allowInfinityPoint: "boolean",
|
|
|
|
fromBytes: "function",
|
|
|
|
toBytes: "function",
|
|
|
|
},
|
|
|
|
);
|
|
|
|
const { endo, Fp: Fp8, a } = opts;
|
|
|
|
if (endo) {
|
|
|
|
if (!Fp8.eql(a, Fp8.ZERO)) {
|
|
|
|
throw new Error(
|
|
|
|
"Endomorphism can only be defined for Koblitz curves that have a=0",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
if (
|
|
|
|
typeof endo !== "object" ||
|
|
|
|
typeof endo.beta !== "bigint" ||
|
|
|
|
typeof endo.splitScalar !== "function"
|
|
|
|
) {
|
|
|
|
throw new Error(
|
|
|
|
"Expected endomorphism with beta: bigint and splitScalar: function",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return Object.freeze({ ...opts });
|
|
|
|
}
|
|
|
|
var { bytesToNumberBE: b2n, hexToBytes: h2b } = utils_exports;
|
|
|
|
var DER = {
|
|
|
|
// asn.1 DER encoding utils
|
|
|
|
Err: class DERErr extends Error {
|
|
|
|
constructor(m = "") {
|
|
|
|
super(m);
|
|
|
|
}
|
|
|
|
},
|
|
|
|
_parseInt(data) {
|
|
|
|
const { Err: E } = DER;
|
|
|
|
if (data.length < 2 || data[0] !== 2)
|
|
|
|
throw new E("Invalid signature integer tag");
|
|
|
|
const len = data[1];
|
|
|
|
const res = data.subarray(2, len + 2);
|
|
|
|
if (!len || res.length !== len)
|
|
|
|
throw new E("Invalid signature integer: wrong length");
|
|
|
|
if (res[0] & 128) throw new E("Invalid signature integer: negative");
|
|
|
|
if (res[0] === 0 && !(res[1] & 128))
|
|
|
|
throw new E("Invalid signature integer: unnecessary leading zero");
|
|
|
|
return { d: b2n(res), l: data.subarray(len + 2) };
|
|
|
|
},
|
|
|
|
toSig(hex) {
|
|
|
|
const { Err: E } = DER;
|
|
|
|
const data = typeof hex === "string" ? h2b(hex) : hex;
|
|
|
|
if (!(data instanceof Uint8Array)) throw new Error("ui8a expected");
|
|
|
|
let l = data.length;
|
|
|
|
if (l < 2 || data[0] != 48) throw new E("Invalid signature tag");
|
|
|
|
if (data[1] !== l - 2) throw new E("Invalid signature: incorrect length");
|
|
|
|
const { d: r, l: sBytes } = DER._parseInt(data.subarray(2));
|
|
|
|
const { d: s, l: rBytesLeft } = DER._parseInt(sBytes);
|
|
|
|
if (rBytesLeft.length)
|
|
|
|
throw new E("Invalid signature: left bytes after parsing");
|
|
|
|
return { r, s };
|
|
|
|
},
|
|
|
|
hexFromSig(sig) {
|
|
|
|
const slice = (s2) => (Number.parseInt(s2[0], 16) & 8 ? "00" + s2 : s2);
|
|
|
|
const h = (num) => {
|
|
|
|
const hex = num.toString(16);
|
|
|
|
return hex.length & 1 ? `0${hex}` : hex;
|
|
|
|
};
|
|
|
|
const s = slice(h(sig.s));
|
|
|
|
const r = slice(h(sig.r));
|
|
|
|
const shl = s.length / 2;
|
|
|
|
const rhl = r.length / 2;
|
|
|
|
const sl = h(shl);
|
|
|
|
const rl = h(rhl);
|
|
|
|
return `30${h(rhl + shl + 4)}02${rl}${r}02${sl}${s}`;
|
|
|
|
},
|
|
|
|
};
|
|
|
|
var _0n4 = BigInt(0);
|
|
|
|
var _1n4 = BigInt(1);
|
|
|
|
var _2n3 = BigInt(2);
|
|
|
|
var _3n2 = BigInt(3);
|
|
|
|
var _4n2 = BigInt(4);
|
|
|
|
function weierstrassPoints(opts) {
|
|
|
|
const CURVE2 = validatePointOpts(opts);
|
|
|
|
const { Fp: Fp8 } = CURVE2;
|
|
|
|
const toBytes2 =
|
|
|
|
CURVE2.toBytes ||
|
|
|
|
((_c, point, _isCompressed) => {
|
|
|
|
const a = point.toAffine();
|
|
|
|
return concatBytes(
|
|
|
|
Uint8Array.from([4]),
|
|
|
|
Fp8.toBytes(a.x),
|
|
|
|
Fp8.toBytes(a.y),
|
|
|
|
);
|
|
|
|
});
|
|
|
|
const fromBytes =
|
|
|
|
CURVE2.fromBytes ||
|
|
|
|
((bytes2) => {
|
|
|
|
const tail = bytes2.subarray(1);
|
|
|
|
const x = Fp8.fromBytes(tail.subarray(0, Fp8.BYTES));
|
|
|
|
const y = Fp8.fromBytes(tail.subarray(Fp8.BYTES, 2 * Fp8.BYTES));
|
|
|
|
return { x, y };
|
|
|
|
});
|
|
|
|
function weierstrassEquation(x) {
|
|
|
|
const { a, b } = CURVE2;
|
|
|
|
const x2 = Fp8.sqr(x);
|
|
|
|
const x3 = Fp8.mul(x2, x);
|
|
|
|
return Fp8.add(Fp8.add(x3, Fp8.mul(x, a)), b);
|
|
|
|
}
|
|
|
|
if (!Fp8.eql(Fp8.sqr(CURVE2.Gy), weierstrassEquation(CURVE2.Gx)))
|
|
|
|
throw new Error("bad generator point: equation left != right");
|
|
|
|
function isWithinCurveOrder(num) {
|
|
|
|
return typeof num === "bigint" && _0n4 < num && num < CURVE2.n;
|
|
|
|
}
|
|
|
|
function assertGE(num) {
|
|
|
|
if (!isWithinCurveOrder(num))
|
|
|
|
throw new Error("Expected valid bigint: 0 < bigint < curve.n");
|
|
|
|
}
|
|
|
|
function normPrivateKeyToScalar(key) {
|
|
|
|
const {
|
|
|
|
allowedPrivateKeyLengths: lengths,
|
|
|
|
nByteLength,
|
|
|
|
wrapPrivateKey,
|
|
|
|
n,
|
|
|
|
} = CURVE2;
|
|
|
|
if (lengths && typeof key !== "bigint") {
|
|
|
|
if (key instanceof Uint8Array) key = bytesToHex(key);
|
|
|
|
if (typeof key !== "string" || !lengths.includes(key.length))
|
|
|
|
throw new Error("Invalid key");
|
|
|
|
key = key.padStart(nByteLength * 2, "0");
|
|
|
|
}
|
|
|
|
let num;
|
|
|
|
try {
|
|
|
|
num =
|
|
|
|
typeof key === "bigint"
|
|
|
|
? key
|
|
|
|
: bytesToNumberBE(ensureBytes("private key", key, nByteLength));
|
|
|
|
} catch (error) {
|
|
|
|
throw new Error(
|
|
|
|
`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
if (wrapPrivateKey) num = mod(num, n);
|
|
|
|
assertGE(num);
|
|
|
|
return num;
|
|
|
|
}
|
|
|
|
const pointPrecomputes = /* @__PURE__ */ new Map();
|
|
|
|
function assertPrjPoint(other) {
|
|
|
|
if (!(other instanceof Point2))
|
|
|
|
throw new Error("ProjectivePoint expected");
|
|
|
|
}
|
|
|
|
class Point2 {
|
|
|
|
constructor(px, py, pz) {
|
|
|
|
this.px = px;
|
|
|
|
this.py = py;
|
|
|
|
this.pz = pz;
|
|
|
|
if (px == null || !Fp8.isValid(px)) throw new Error("x required");
|
|
|
|
if (py == null || !Fp8.isValid(py)) throw new Error("y required");
|
|
|
|
if (pz == null || !Fp8.isValid(pz)) throw new Error("z required");
|
|
|
|
}
|
|
|
|
// Does not validate if the point is on-curve.
|
|
|
|
// Use fromHex instead, or call assertValidity() later.
|
|
|
|
static fromAffine(p) {
|
|
|
|
const { x, y } = p || {};
|
|
|
|
if (!p || !Fp8.isValid(x) || !Fp8.isValid(y))
|
|
|
|
throw new Error("invalid affine point");
|
|
|
|
if (p instanceof Point2)
|
|
|
|
throw new Error("projective point not allowed");
|
|
|
|
const is0 = (i) => Fp8.eql(i, Fp8.ZERO);
|
|
|
|
if (is0(x) && is0(y)) return Point2.ZERO;
|
|
|
|
return new Point2(x, y, Fp8.ONE);
|
|
|
|
}
|
|
|
|
get x() {
|
|
|
|
return this.toAffine().x;
|
|
|
|
}
|
|
|
|
get y() {
|
|
|
|
return this.toAffine().y;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Takes a bunch of Projective Points but executes only one
|
|
|
|
* inversion on all of them. Inversion is very slow operation,
|
|
|
|
* so this improves performance massively.
|
|
|
|
* Optimization: converts a list of projective points to a list of identical points with Z=1.
|
|
|
|
*/
|
|
|
|
static normalizeZ(points) {
|
|
|
|
const toInv = Fp8.invertBatch(points.map((p) => p.pz));
|
|
|
|
return points
|
|
|
|
.map((p, i) => p.toAffine(toInv[i]))
|
|
|
|
.map(Point2.fromAffine);
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Converts hash string or Uint8Array to Point.
|
|
|
|
* @param hex short/long ECDSA hex
|
|
|
|
*/
|
|
|
|
static fromHex(hex) {
|
|
|
|
const P3 = Point2.fromAffine(fromBytes(ensureBytes("pointHex", hex)));
|
|
|
|
P3.assertValidity();
|
|
|
|
return P3;
|
|
|
|
}
|
|
|
|
// Multiplies generator point by privateKey.
|
|
|
|
static fromPrivateKey(privateKey) {
|
|
|
|
return Point2.BASE.multiply(normPrivateKeyToScalar(privateKey));
|
|
|
|
}
|
|
|
|
// "Private method", don't use it directly
|
|
|
|
_setWindowSize(windowSize) {
|
|
|
|
this._WINDOW_SIZE = windowSize;
|
|
|
|
pointPrecomputes.delete(this);
|
|
|
|
}
|
|
|
|
// A point on curve is valid if it conforms to equation.
|
|
|
|
assertValidity() {
|
|
|
|
if (this.is0()) {
|
|
|
|
if (CURVE2.allowInfinityPoint && !Fp8.is0(this.py)) return;
|
|
|
|
throw new Error("bad point: ZERO");
|
|
|
|
}
|
|
|
|
const { x, y } = this.toAffine();
|
|
|
|
if (!Fp8.isValid(x) || !Fp8.isValid(y))
|
|
|
|
throw new Error("bad point: x or y not FE");
|
|
|
|
const left = Fp8.sqr(y);
|
|
|
|
const right = weierstrassEquation(x);
|
|
|
|
if (!Fp8.eql(left, right))
|
|
|
|
throw new Error("bad point: equation left != right");
|
|
|
|
if (!this.isTorsionFree())
|
|
|
|
throw new Error("bad point: not in prime-order subgroup");
|
|
|
|
}
|
|
|
|
hasEvenY() {
|
|
|
|
const { y } = this.toAffine();
|
|
|
|
if (Fp8.isOdd) return !Fp8.isOdd(y);
|
|
|
|
throw new Error("Field doesn't support isOdd");
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Compare one point to another.
|
|
|
|
*/
|
|
|
|
equals(other) {
|
|
|
|
assertPrjPoint(other);
|
|
|
|
const { px: X1, py: Y1, pz: Z1 } = this;
|
|
|
|
const { px: X2, py: Y2, pz: Z2 } = other;
|
|
|
|
const U1 = Fp8.eql(Fp8.mul(X1, Z2), Fp8.mul(X2, Z1));
|
|
|
|
const U2 = Fp8.eql(Fp8.mul(Y1, Z2), Fp8.mul(Y2, Z1));
|
|
|
|
return U1 && U2;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Flips point to one corresponding to (x, -y) in Affine coordinates.
|
|
|
|
*/
|
|
|
|
negate() {
|
|
|
|
return new Point2(this.px, Fp8.neg(this.py), this.pz);
|
|
|
|
}
|
|
|
|
// Renes-Costello-Batina exception-free doubling formula.
|
|
|
|
// There is 30% faster Jacobian formula, but it is not complete.
|
|
|
|
// https://eprint.iacr.org/2015/1060, algorithm 3
|
|
|
|
// Cost: 8M + 3S + 3*a + 2*b3 + 15add.
|
|
|
|
double() {
|
|
|
|
const { a, b } = CURVE2;
|
|
|
|
const b3 = Fp8.mul(b, _3n2);
|
|
|
|
const { px: X1, py: Y1, pz: Z1 } = this;
|
|
|
|
let X3 = Fp8.ZERO,
|
|
|
|
Y3 = Fp8.ZERO,
|
|
|
|
Z3 = Fp8.ZERO;
|
|
|
|
let t0 = Fp8.mul(X1, X1);
|
|
|
|
let t1 = Fp8.mul(Y1, Y1);
|
|
|
|
let t2 = Fp8.mul(Z1, Z1);
|
|
|
|
let t3 = Fp8.mul(X1, Y1);
|
|
|
|
t3 = Fp8.add(t3, t3);
|
|
|
|
Z3 = Fp8.mul(X1, Z1);
|
|
|
|
Z3 = Fp8.add(Z3, Z3);
|
|
|
|
X3 = Fp8.mul(a, Z3);
|
|
|
|
Y3 = Fp8.mul(b3, t2);
|
|
|
|
Y3 = Fp8.add(X3, Y3);
|
|
|
|
X3 = Fp8.sub(t1, Y3);
|
|
|
|
Y3 = Fp8.add(t1, Y3);
|
|
|
|
Y3 = Fp8.mul(X3, Y3);
|
|
|
|
X3 = Fp8.mul(t3, X3);
|
|
|
|
Z3 = Fp8.mul(b3, Z3);
|
|
|
|
t2 = Fp8.mul(a, t2);
|
|
|
|
t3 = Fp8.sub(t0, t2);
|
|
|
|
t3 = Fp8.mul(a, t3);
|
|
|
|
t3 = Fp8.add(t3, Z3);
|
|
|
|
Z3 = Fp8.add(t0, t0);
|
|
|
|
t0 = Fp8.add(Z3, t0);
|
|
|
|
t0 = Fp8.add(t0, t2);
|
|
|
|
t0 = Fp8.mul(t0, t3);
|
|
|
|
Y3 = Fp8.add(Y3, t0);
|
|
|
|
t2 = Fp8.mul(Y1, Z1);
|
|
|
|
t2 = Fp8.add(t2, t2);
|
|
|
|
t0 = Fp8.mul(t2, t3);
|
|
|
|
X3 = Fp8.sub(X3, t0);
|
|
|
|
Z3 = Fp8.mul(t2, t1);
|
|
|
|
Z3 = Fp8.add(Z3, Z3);
|
|
|
|
Z3 = Fp8.add(Z3, Z3);
|
|
|
|
return new Point2(X3, Y3, Z3);
|
|
|
|
}
|
|
|
|
// Renes-Costello-Batina exception-free addition formula.
|
|
|
|
// There is 30% faster Jacobian formula, but it is not complete.
|
|
|
|
// https://eprint.iacr.org/2015/1060, algorithm 1
|
|
|
|
// Cost: 12M + 0S + 3*a + 3*b3 + 23add.
|
|
|
|
add(other) {
|
|
|
|
assertPrjPoint(other);
|
|
|
|
const { px: X1, py: Y1, pz: Z1 } = this;
|
|
|
|
const { px: X2, py: Y2, pz: Z2 } = other;
|
|
|
|
let X3 = Fp8.ZERO,
|
|
|
|
Y3 = Fp8.ZERO,
|
|
|
|
Z3 = Fp8.ZERO;
|
|
|
|
const a = CURVE2.a;
|
|
|
|
const b3 = Fp8.mul(CURVE2.b, _3n2);
|
|
|
|
let t0 = Fp8.mul(X1, X2);
|
|
|
|
let t1 = Fp8.mul(Y1, Y2);
|
|
|
|
let t2 = Fp8.mul(Z1, Z2);
|
|
|
|
let t3 = Fp8.add(X1, Y1);
|
|
|
|
let t4 = Fp8.add(X2, Y2);
|
|
|
|
t3 = Fp8.mul(t3, t4);
|
|
|
|
t4 = Fp8.add(t0, t1);
|
|
|
|
t3 = Fp8.sub(t3, t4);
|
|
|
|
t4 = Fp8.add(X1, Z1);
|
|
|
|
let t5 = Fp8.add(X2, Z2);
|
|
|
|
t4 = Fp8.mul(t4, t5);
|
|
|
|
t5 = Fp8.add(t0, t2);
|
|
|
|
t4 = Fp8.sub(t4, t5);
|
|
|
|
t5 = Fp8.add(Y1, Z1);
|
|
|
|
X3 = Fp8.add(Y2, Z2);
|
|
|
|
t5 = Fp8.mul(t5, X3);
|
|
|
|
X3 = Fp8.add(t1, t2);
|
|
|
|
t5 = Fp8.sub(t5, X3);
|
|
|
|
Z3 = Fp8.mul(a, t4);
|
|
|
|
X3 = Fp8.mul(b3, t2);
|
|
|
|
Z3 = Fp8.add(X3, Z3);
|
|
|
|
X3 = Fp8.sub(t1, Z3);
|
|
|
|
Z3 = Fp8.add(t1, Z3);
|
|
|
|
Y3 = Fp8.mul(X3, Z3);
|
|
|
|
t1 = Fp8.add(t0, t0);
|
|
|
|
t1 = Fp8.add(t1, t0);
|
|
|
|
t2 = Fp8.mul(a, t2);
|
|
|
|
t4 = Fp8.mul(b3, t4);
|
|
|
|
t1 = Fp8.add(t1, t2);
|
|
|
|
t2 = Fp8.sub(t0, t2);
|
|
|
|
t2 = Fp8.mul(a, t2);
|
|
|
|
t4 = Fp8.add(t4, t2);
|
|
|
|
t0 = Fp8.mul(t1, t4);
|
|
|
|
Y3 = Fp8.add(Y3, t0);
|
|
|
|
t0 = Fp8.mul(t5, t4);
|
|
|
|
X3 = Fp8.mul(t3, X3);
|
|
|
|
X3 = Fp8.sub(X3, t0);
|
|
|
|
t0 = Fp8.mul(t3, t1);
|
|
|
|
Z3 = Fp8.mul(t5, Z3);
|
|
|
|
Z3 = Fp8.add(Z3, t0);
|
|
|
|
return new Point2(X3, Y3, Z3);
|
|
|
|
}
|
|
|
|
subtract(other) {
|
|
|
|
return this.add(other.negate());
|
|
|
|
}
|
|
|
|
is0() {
|
|
|
|
return this.equals(Point2.ZERO);
|
|
|
|
}
|
|
|
|
wNAF(n) {
|
|
|
|
return wnaf.wNAFCached(this, pointPrecomputes, n, (comp) => {
|
|
|
|
const toInv = Fp8.invertBatch(comp.map((p) => p.pz));
|
|
|
|
return comp
|
|
|
|
.map((p, i) => p.toAffine(toInv[i]))
|
|
|
|
.map(Point2.fromAffine);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Non-constant-time multiplication. Uses double-and-add algorithm.
|
|
|
|
* It's faster, but should only be used when you don't care about
|
|
|
|
* an exposed private key e.g. sig verification, which works over *public* keys.
|
|
|
|
*/
|
|
|
|
multiplyUnsafe(n) {
|
|
|
|
const I = Point2.ZERO;
|
|
|
|
if (n === _0n4) return I;
|
|
|
|
assertGE(n);
|
|
|
|
if (n === _1n4) return this;
|
|
|
|
const { endo } = CURVE2;
|
|
|
|
if (!endo) return wnaf.unsafeLadder(this, n);
|
|
|
|
let { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
|
|
|
|
let k1p = I;
|
|
|
|
let k2p = I;
|
|
|
|
let d = this;
|
|
|
|
while (k1 > _0n4 || k2 > _0n4) {
|
|
|
|
if (k1 & _1n4) k1p = k1p.add(d);
|
|
|
|
if (k2 & _1n4) k2p = k2p.add(d);
|
|
|
|
d = d.double();
|
|
|
|
k1 >>= _1n4;
|
|
|
|
k2 >>= _1n4;
|
|
|
|
}
|
|
|
|
if (k1neg) k1p = k1p.negate();
|
|
|
|
if (k2neg) k2p = k2p.negate();
|
|
|
|
k2p = new Point2(Fp8.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
|
|
|
|
return k1p.add(k2p);
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Constant time multiplication.
|
|
|
|
* Uses wNAF method. Windowed method may be 10% faster,
|
|
|
|
* but takes 2x longer to generate and consumes 2x memory.
|
|
|
|
* Uses precomputes when available.
|
|
|
|
* Uses endomorphism for Koblitz curves.
|
|
|
|
* @param scalar by which the point would be multiplied
|
|
|
|
* @returns New point
|
|
|
|
*/
|
|
|
|
multiply(scalar) {
|
|
|
|
assertGE(scalar);
|
|
|
|
let n = scalar;
|
|
|
|
let point, fake;
|
|
|
|
const { endo } = CURVE2;
|
|
|
|
if (endo) {
|
|
|
|
const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
|
|
|
|
let { p: k1p, f: f1p } = this.wNAF(k1);
|
|
|
|
let { p: k2p, f: f2p } = this.wNAF(k2);
|
|
|
|
k1p = wnaf.constTimeNegate(k1neg, k1p);
|
|
|
|
k2p = wnaf.constTimeNegate(k2neg, k2p);
|
|
|
|
k2p = new Point2(Fp8.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
|
|
|
|
point = k1p.add(k2p);
|
|
|
|
fake = f1p.add(f2p);
|
|
|
|
} else {
|
|
|
|
const { p, f } = this.wNAF(n);
|
|
|
|
point = p;
|
|
|
|
fake = f;
|
|
|
|
}
|
|
|
|
return Point2.normalizeZ([point, fake])[0];
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
|
|
|
|
* Not using Strauss-Shamir trick: precomputation tables are faster.
|
|
|
|
* The trick could be useful if both P and Q are not G (not in our case).
|
|
|
|
* @returns non-zero affine point
|
|
|
|
*/
|
|
|
|
multiplyAndAddUnsafe(Q, a, b) {
|
|
|
|
const G = Point2.BASE;
|
|
|
|
const mul = (P3, a2) =>
|
|
|
|
a2 === _0n4 || a2 === _1n4 || !P3.equals(G)
|
|
|
|
? P3.multiplyUnsafe(a2)
|
|
|
|
: P3.multiply(a2);
|
|
|
|
const sum = mul(this, a).add(mul(Q, b));
|
|
|
|
return sum.is0() ? void 0 : sum;
|
|
|
|
}
|
|
|
|
// Converts Projective point to affine (x, y) coordinates.
|
|
|
|
// Can accept precomputed Z^-1 - for example, from invertBatch.
|
|
|
|
// (x, y, z) ∋ (x=x/z, y=y/z)
|
|
|
|
toAffine(iz) {
|
|
|
|
const { px: x, py: y, pz: z } = this;
|
|
|
|
const is0 = this.is0();
|
|
|
|
if (iz == null) iz = is0 ? Fp8.ONE : Fp8.inv(z);
|
|
|
|
const ax = Fp8.mul(x, iz);
|
|
|
|
const ay = Fp8.mul(y, iz);
|
|
|
|
const zz = Fp8.mul(z, iz);
|
|
|
|
if (is0) return { x: Fp8.ZERO, y: Fp8.ZERO };
|
|
|
|
if (!Fp8.eql(zz, Fp8.ONE)) throw new Error("invZ was invalid");
|
|
|
|
return { x: ax, y: ay };
|
|
|
|
}
|
|
|
|
isTorsionFree() {
|
|
|
|
const { h: cofactor, isTorsionFree } = CURVE2;
|
|
|
|
if (cofactor === _1n4) return true;
|
|
|
|
if (isTorsionFree) return isTorsionFree(Point2, this);
|
|
|
|
throw new Error(
|
|
|
|
"isTorsionFree() has not been declared for the elliptic curve",
|
|
|
|
);
|
|
|
|
}
|
|
|
|
clearCofactor() {
|
|
|
|
const { h: cofactor, clearCofactor } = CURVE2;
|
|
|
|
if (cofactor === _1n4) return this;
|
|
|
|
if (clearCofactor) return clearCofactor(Point2, this);
|
|
|
|
return this.multiplyUnsafe(CURVE2.h);
|
|
|
|
}
|
|
|
|
toRawBytes(isCompressed = true) {
|
|
|
|
this.assertValidity();
|
|
|
|
return toBytes2(Point2, this, isCompressed);
|
|
|
|
}
|
|
|
|
toHex(isCompressed = true) {
|
|
|
|
return bytesToHex(this.toRawBytes(isCompressed));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Point2.BASE = new Point2(CURVE2.Gx, CURVE2.Gy, Fp8.ONE);
|
|
|
|
Point2.ZERO = new Point2(Fp8.ZERO, Fp8.ONE, Fp8.ZERO);
|
|
|
|
const _bits = CURVE2.nBitLength;
|
|
|
|
const wnaf = wNAF(Point2, CURVE2.endo ? Math.ceil(_bits / 2) : _bits);
|
|
|
|
return {
|
|
|
|
CURVE: CURVE2,
|
|
|
|
ProjectivePoint: Point2,
|
|
|
|
normPrivateKeyToScalar,
|
|
|
|
weierstrassEquation,
|
|
|
|
isWithinCurveOrder,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function validateOpts(curve) {
|
|
|
|
const opts = validateBasic(curve);
|
|
|
|
validateObject(
|
|
|
|
opts,
|
|
|
|
{
|
|
|
|
hash: "hash",
|
|
|
|
hmac: "function",
|
|
|
|
randomBytes: "function",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
bits2int: "function",
|
|
|
|
bits2int_modN: "function",
|
|
|
|
lowS: "boolean",
|
|
|
|
},
|
|
|
|
);
|
|
|
|
return Object.freeze({ lowS: true, ...opts });
|
|
|
|
}
|
|
|
|
function weierstrass(curveDef) {
|
|
|
|
const CURVE2 = validateOpts(curveDef);
|
|
|
|
const { Fp: Fp8, n: CURVE_ORDER } = CURVE2;
|
|
|
|
const compressedLen = Fp8.BYTES + 1;
|
|
|
|
const uncompressedLen = 2 * Fp8.BYTES + 1;
|
|
|
|
function isValidFieldElement(num) {
|
|
|
|
return _0n4 < num && num < Fp8.ORDER;
|
|
|
|
}
|
|
|
|
function modN2(a) {
|
|
|
|
return mod(a, CURVE_ORDER);
|
|
|
|
}
|
|
|
|
function invN(a) {
|
|
|
|
return invert(a, CURVE_ORDER);
|
|
|
|
}
|
|
|
|
const {
|
|
|
|
ProjectivePoint: Point2,
|
|
|
|
normPrivateKeyToScalar,
|
|
|
|
weierstrassEquation,
|
|
|
|
isWithinCurveOrder,
|
|
|
|
} = weierstrassPoints({
|
|
|
|
...CURVE2,
|
|
|
|
toBytes(_c, point, isCompressed) {
|
|
|
|
const a = point.toAffine();
|
|
|
|
const x = Fp8.toBytes(a.x);
|
|
|
|
const cat = concatBytes;
|
|
|
|
if (isCompressed) {
|
|
|
|
return cat(Uint8Array.from([point.hasEvenY() ? 2 : 3]), x);
|
|
|
|
} else {
|
|
|
|
return cat(Uint8Array.from([4]), x, Fp8.toBytes(a.y));
|
|
|
|
}
|
|
|
|
},
|
|
|
|
fromBytes(bytes2) {
|
|
|
|
const len = bytes2.length;
|
|
|
|
const head = bytes2[0];
|
|
|
|
const tail = bytes2.subarray(1);
|
|
|
|
if (len === compressedLen && (head === 2 || head === 3)) {
|
|
|
|
const x = bytesToNumberBE(tail);
|
|
|
|
if (!isValidFieldElement(x)) throw new Error("Point is not on curve");
|
|
|
|
const y2 = weierstrassEquation(x);
|
|
|
|
let y = Fp8.sqrt(y2);
|
|
|
|
const isYOdd = (y & _1n4) === _1n4;
|
|
|
|
const isHeadOdd = (head & 1) === 1;
|
|
|
|
if (isHeadOdd !== isYOdd) y = Fp8.neg(y);
|
|
|
|
return { x, y };
|
|
|
|
} else if (len === uncompressedLen && head === 4) {
|
|
|
|
const x = Fp8.fromBytes(tail.subarray(0, Fp8.BYTES));
|
|
|
|
const y = Fp8.fromBytes(tail.subarray(Fp8.BYTES, 2 * Fp8.BYTES));
|
|
|
|
return { x, y };
|
|
|
|
} else {
|
|
|
|
throw new Error(
|
|
|
|
`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
},
|
|
|
|
});
|
|
|
|
const numToNByteStr = (num) =>
|
|
|
|
bytesToHex(numberToBytesBE(num, CURVE2.nByteLength));
|
|
|
|
function isBiggerThanHalfOrder(number2) {
|
|
|
|
const HALF = CURVE_ORDER >> _1n4;
|
|
|
|
return number2 > HALF;
|
|
|
|
}
|
|
|
|
function normalizeS(s) {
|
|
|
|
return isBiggerThanHalfOrder(s) ? modN2(-s) : s;
|
|
|
|
}
|
|
|
|
const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
|
|
|
|
class Signature {
|
|
|
|
constructor(r, s, recovery) {
|
|
|
|
this.r = r;
|
|
|
|
this.s = s;
|
|
|
|
this.recovery = recovery;
|
|
|
|
this.assertValidity();
|
|
|
|
}
|
|
|
|
// pair (bytes of r, bytes of s)
|
|
|
|
static fromCompact(hex) {
|
|
|
|
const l = CURVE2.nByteLength;
|
|
|
|
hex = ensureBytes("compactSignature", hex, l * 2);
|
|
|
|
return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
|
|
|
|
}
|
|
|
|
// DER encoded ECDSA signature
|
|
|
|
// https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
|
|
|
|
static fromDER(hex) {
|
|
|
|
const { r, s } = DER.toSig(ensureBytes("DER", hex));
|
|
|
|
return new Signature(r, s);
|
|
|
|
}
|
|
|
|
assertValidity() {
|
|
|
|
if (!isWithinCurveOrder(this.r))
|
|
|
|
throw new Error("r must be 0 < r < CURVE.n");
|
|
|
|
if (!isWithinCurveOrder(this.s))
|
|
|
|
throw new Error("s must be 0 < s < CURVE.n");
|
|
|
|
}
|
|
|
|
addRecoveryBit(recovery) {
|
|
|
|
return new Signature(this.r, this.s, recovery);
|
|
|
|
}
|
|
|
|
recoverPublicKey(msgHash) {
|
|
|
|
const { r, s, recovery: rec } = this;
|
|
|
|
const h = bits2int_modN(ensureBytes("msgHash", msgHash));
|
|
|
|
if (rec == null || ![0, 1, 2, 3].includes(rec))
|
|
|
|
throw new Error("recovery id invalid");
|
|
|
|
const radj = rec === 2 || rec === 3 ? r + CURVE2.n : r;
|
|
|
|
if (radj >= Fp8.ORDER) throw new Error("recovery id 2 or 3 invalid");
|
|
|
|
const prefix = (rec & 1) === 0 ? "02" : "03";
|
|
|
|
const R = Point2.fromHex(prefix + numToNByteStr(radj));
|
|
|
|
const ir = invN(radj);
|
|
|
|
const u1 = modN2(-h * ir);
|
|
|
|
const u2 = modN2(s * ir);
|
|
|
|
const Q = Point2.BASE.multiplyAndAddUnsafe(R, u1, u2);
|
|
|
|
if (!Q) throw new Error("point at infinify");
|
|
|
|
Q.assertValidity();
|
|
|
|
return Q;
|
|
|
|
}
|
|
|
|
// Signatures should be low-s, to prevent malleability.
|
|
|
|
hasHighS() {
|
|
|
|
return isBiggerThanHalfOrder(this.s);
|
|
|
|
}
|
|
|
|
normalizeS() {
|
|
|
|
return this.hasHighS()
|
|
|
|
? new Signature(this.r, modN2(-this.s), this.recovery)
|
|
|
|
: this;
|
|
|
|
}
|
|
|
|
// DER-encoded
|
|
|
|
toDERRawBytes() {
|
|
|
|
return hexToBytes(this.toDERHex());
|
|
|
|
}
|
|
|
|
toDERHex() {
|
|
|
|
return DER.hexFromSig({ r: this.r, s: this.s });
|
|
|
|
}
|
|
|
|
// padded bytes of r, then padded bytes of s
|
|
|
|
toCompactRawBytes() {
|
|
|
|
return hexToBytes(this.toCompactHex());
|
|
|
|
}
|
|
|
|
toCompactHex() {
|
|
|
|
return numToNByteStr(this.r) + numToNByteStr(this.s);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
const utils2 = {
|
|
|
|
isValidPrivateKey(privateKey) {
|
|
|
|
try {
|
|
|
|
normPrivateKeyToScalar(privateKey);
|
|
|
|
return true;
|
|
|
|
} catch (error) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
},
|
|
|
|
normPrivateKeyToScalar,
|
|
|
|
/**
|
|
|
|
* Produces cryptographically secure private key from random of size
|
|
|
|
* (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
|
|
|
|
*/
|
|
|
|
randomPrivateKey: () => {
|
|
|
|
const length = getMinHashLength(CURVE2.n);
|
|
|
|
return mapHashToField(CURVE2.randomBytes(length), CURVE2.n);
|
|
|
|
},
|
|
|
|
/**
|
|
|
|
* Creates precompute table for an arbitrary EC point. Makes point "cached".
|
|
|
|
* Allows to massively speed-up `point.multiply(scalar)`.
|
|
|
|
* @returns cached point
|
|
|
|
* @example
|
|
|
|
* const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
|
|
|
|
* fast.multiply(privKey); // much faster ECDH now
|
|
|
|
*/
|
|
|
|
precompute(windowSize = 8, point = Point2.BASE) {
|
|
|
|
point._setWindowSize(windowSize);
|
|
|
|
point.multiply(BigInt(3));
|
|
|
|
return point;
|
|
|
|
},
|
|
|
|
};
|
|
|
|
function getPublicKey(privateKey, isCompressed = true) {
|
|
|
|
return Point2.fromPrivateKey(privateKey).toRawBytes(isCompressed);
|
|
|
|
}
|
|
|
|
function isProbPub(item) {
|
|
|
|
const arr = item instanceof Uint8Array;
|
|
|
|
const str = typeof item === "string";
|
|
|
|
const len = (arr || str) && item.length;
|
|
|
|
if (arr) return len === compressedLen || len === uncompressedLen;
|
|
|
|
if (str) return len === 2 * compressedLen || len === 2 * uncompressedLen;
|
|
|
|
if (item instanceof Point2) return true;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
function getSharedSecret(privateA, publicB, isCompressed = true) {
|
|
|
|
if (isProbPub(privateA)) throw new Error("first arg must be private key");
|
|
|
|
if (!isProbPub(publicB)) throw new Error("second arg must be public key");
|
|
|
|
const b = Point2.fromHex(publicB);
|
|
|
|
return b
|
|
|
|
.multiply(normPrivateKeyToScalar(privateA))
|
|
|
|
.toRawBytes(isCompressed);
|
|
|
|
}
|
|
|
|
const bits2int =
|
|
|
|
CURVE2.bits2int ||
|
|
|
|
function (bytes2) {
|
|
|
|
const num = bytesToNumberBE(bytes2);
|
|
|
|
const delta = bytes2.length * 8 - CURVE2.nBitLength;
|
|
|
|
return delta > 0 ? num >> BigInt(delta) : num;
|
|
|
|
};
|
|
|
|
const bits2int_modN =
|
|
|
|
CURVE2.bits2int_modN ||
|
|
|
|
function (bytes2) {
|
|
|
|
return modN2(bits2int(bytes2));
|
|
|
|
};
|
|
|
|
const ORDER_MASK = bitMask(CURVE2.nBitLength);
|
|
|
|
function int2octets(num) {
|
|
|
|
if (typeof num !== "bigint") throw new Error("bigint expected");
|
|
|
|
if (!(_0n4 <= num && num < ORDER_MASK))
|
|
|
|
throw new Error(`bigint expected < 2^${CURVE2.nBitLength}`);
|
|
|
|
return numberToBytesBE(num, CURVE2.nByteLength);
|
|
|
|
}
|
|
|
|
function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
|
|
|
|
if (["recovered", "canonical"].some((k) => k in opts))
|
|
|
|
throw new Error("sign() legacy options not supported");
|
|
|
|
const { hash: hash2, randomBytes: randomBytes2 } = CURVE2;
|
|
|
|
let { lowS, prehash, extraEntropy: ent } = opts;
|
|
|
|
if (lowS == null) lowS = true;
|
|
|
|
msgHash = ensureBytes("msgHash", msgHash);
|
|
|
|
if (prehash) msgHash = ensureBytes("prehashed msgHash", hash2(msgHash));
|
|
|
|
const h1int = bits2int_modN(msgHash);
|
|
|
|
const d = normPrivateKeyToScalar(privateKey);
|
|
|
|
const seedArgs = [int2octets(d), int2octets(h1int)];
|
|
|
|
if (ent != null) {
|
|
|
|
const e = ent === true ? randomBytes2(Fp8.BYTES) : ent;
|
|
|
|
seedArgs.push(ensureBytes("extraEntropy", e));
|
|
|
|
}
|
|
|
|
const seed = concatBytes(...seedArgs);
|
|
|
|
const m = h1int;
|
|
|
|
function k2sig(kBytes) {
|
|
|
|
const k = bits2int(kBytes);
|
|
|
|
if (!isWithinCurveOrder(k)) return;
|
|
|
|
const ik = invN(k);
|
|
|
|
const q = Point2.BASE.multiply(k).toAffine();
|
|
|
|
const r = modN2(q.x);
|
|
|
|
if (r === _0n4) return;
|
|
|
|
const s = modN2(ik * modN2(m + r * d));
|
|
|
|
if (s === _0n4) return;
|
|
|
|
let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n4);
|
|
|
|
let normS = s;
|
|
|
|
if (lowS && isBiggerThanHalfOrder(s)) {
|
|
|
|
normS = normalizeS(s);
|
|
|
|
recovery ^= 1;
|
|
|
|
}
|
|
|
|
return new Signature(r, normS, recovery);
|
|
|
|
}
|
|
|
|
return { seed, k2sig };
|
|
|
|
}
|
|
|
|
const defaultSigOpts = { lowS: CURVE2.lowS, prehash: false };
|
|
|
|
const defaultVerOpts = { lowS: CURVE2.lowS, prehash: false };
|
|
|
|
function sign(msgHash, privKey, opts = defaultSigOpts) {
|
|
|
|
const { seed, k2sig } = prepSig(msgHash, privKey, opts);
|
|
|
|
const C = CURVE2;
|
|
|
|
const drbg = createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
|
|
|
|
return drbg(seed, k2sig);
|
|
|
|
}
|
|
|
|
Point2.BASE._setWindowSize(8);
|
|
|
|
function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
|
|
|
|
const sg = signature;
|
|
|
|
msgHash = ensureBytes("msgHash", msgHash);
|
|
|
|
publicKey = ensureBytes("publicKey", publicKey);
|
|
|
|
if ("strict" in opts)
|
|
|
|
throw new Error("options.strict was renamed to lowS");
|
|
|
|
const { lowS, prehash } = opts;
|
|
|
|
let _sig = void 0;
|
|
|
|
let P3;
|
|
|
|
try {
|
|
|
|
if (typeof sg === "string" || sg instanceof Uint8Array) {
|
|
|
|
try {
|
|
|
|
_sig = Signature.fromDER(sg);
|
|
|
|
} catch (derError) {
|
|
|
|
if (!(derError instanceof DER.Err)) throw derError;
|
|
|
|
_sig = Signature.fromCompact(sg);
|
|
|
|
}
|
|
|
|
} else if (
|
|
|
|
typeof sg === "object" &&
|
|
|
|
typeof sg.r === "bigint" &&
|
|
|
|
typeof sg.s === "bigint"
|
|
|
|
) {
|
|
|
|
const { r: r2, s: s2 } = sg;
|
|
|
|
_sig = new Signature(r2, s2);
|
|
|
|
} else {
|
|
|
|
throw new Error("PARSE");
|
|
|
|
}
|
|
|
|
P3 = Point2.fromHex(publicKey);
|
|
|
|
} catch (error) {
|
|
|
|
if (error.message === "PARSE")
|
|
|
|
throw new Error(
|
|
|
|
`signature must be Signature instance, Uint8Array or hex string`,
|
|
|
|
);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (lowS && _sig.hasHighS()) return false;
|
|
|
|
if (prehash) msgHash = CURVE2.hash(msgHash);
|
|
|
|
const { r, s } = _sig;
|
|
|
|
const h = bits2int_modN(msgHash);
|
|
|
|
const is = invN(s);
|
|
|
|
const u1 = modN2(h * is);
|
|
|
|
const u2 = modN2(r * is);
|
|
|
|
const R = Point2.BASE.multiplyAndAddUnsafe(P3, u1, u2)?.toAffine();
|
|
|
|
if (!R) return false;
|
|
|
|
const v = modN2(R.x);
|
|
|
|
return v === r;
|
|
|
|
}
|
|
|
|
return {
|
|
|
|
CURVE: CURVE2,
|
|
|
|
getPublicKey,
|
|
|
|
getSharedSecret,
|
|
|
|
sign,
|
|
|
|
verify,
|
|
|
|
ProjectivePoint: Point2,
|
|
|
|
Signature,
|
|
|
|
utils: utils2,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function SWUFpSqrtRatio(Fp8, Z) {
|
|
|
|
const q = Fp8.ORDER;
|
|
|
|
let l = _0n4;
|
|
|
|
for (let o = q - _1n4; o % _2n3 === _0n4; o /= _2n3) l += _1n4;
|
|
|
|
const c1 = l;
|
|
|
|
const _2n_pow_c1_1 = _2n3 << (c1 - _1n4 - _1n4);
|
|
|
|
const _2n_pow_c1 = _2n_pow_c1_1 * _2n3;
|
|
|
|
const c2 = (q - _1n4) / _2n_pow_c1;
|
|
|
|
const c3 = (c2 - _1n4) / _2n3;
|
|
|
|
const c4 = _2n_pow_c1 - _1n4;
|
|
|
|
const c5 = _2n_pow_c1_1;
|
|
|
|
const c6 = Fp8.pow(Z, c2);
|
|
|
|
const c7 = Fp8.pow(Z, (c2 + _1n4) / _2n3);
|
|
|
|
let sqrtRatio = (u, v) => {
|
|
|
|
let tv1 = c6;
|
|
|
|
let tv2 = Fp8.pow(v, c4);
|
|
|
|
let tv3 = Fp8.sqr(tv2);
|
|
|
|
tv3 = Fp8.mul(tv3, v);
|
|
|
|
let tv5 = Fp8.mul(u, tv3);
|
|
|
|
tv5 = Fp8.pow(tv5, c3);
|
|
|
|
tv5 = Fp8.mul(tv5, tv2);
|
|
|
|
tv2 = Fp8.mul(tv5, v);
|
|
|
|
tv3 = Fp8.mul(tv5, u);
|
|
|
|
let tv4 = Fp8.mul(tv3, tv2);
|
|
|
|
tv5 = Fp8.pow(tv4, c5);
|
|
|
|
let isQR = Fp8.eql(tv5, Fp8.ONE);
|
|
|
|
tv2 = Fp8.mul(tv3, c7);
|
|
|
|
tv5 = Fp8.mul(tv4, tv1);
|
|
|
|
tv3 = Fp8.cmov(tv2, tv3, isQR);
|
|
|
|
tv4 = Fp8.cmov(tv5, tv4, isQR);
|
|
|
|
for (let i = c1; i > _1n4; i--) {
|
|
|
|
let tv52 = i - _2n3;
|
|
|
|
tv52 = _2n3 << (tv52 - _1n4);
|
|
|
|
let tvv5 = Fp8.pow(tv4, tv52);
|
|
|
|
const e1 = Fp8.eql(tvv5, Fp8.ONE);
|
|
|
|
tv2 = Fp8.mul(tv3, tv1);
|
|
|
|
tv1 = Fp8.mul(tv1, tv1);
|
|
|
|
tvv5 = Fp8.mul(tv4, tv1);
|
|
|
|
tv3 = Fp8.cmov(tv2, tv3, e1);
|
|
|
|
tv4 = Fp8.cmov(tvv5, tv4, e1);
|
|
|
|
}
|
|
|
|
return { isValid: isQR, value: tv3 };
|
|
|
|
};
|
|
|
|
if (Fp8.ORDER % _4n2 === _3n2) {
|
|
|
|
const c12 = (Fp8.ORDER - _3n2) / _4n2;
|
|
|
|
const c22 = Fp8.sqrt(Fp8.neg(Z));
|
|
|
|
sqrtRatio = (u, v) => {
|
|
|
|
let tv1 = Fp8.sqr(v);
|
|
|
|
const tv2 = Fp8.mul(u, v);
|
|
|
|
tv1 = Fp8.mul(tv1, tv2);
|
|
|
|
let y1 = Fp8.pow(tv1, c12);
|
|
|
|
y1 = Fp8.mul(y1, tv2);
|
|
|
|
const y2 = Fp8.mul(y1, c22);
|
|
|
|
const tv3 = Fp8.mul(Fp8.sqr(y1), v);
|
|
|
|
const isQR = Fp8.eql(tv3, u);
|
|
|
|
let y = Fp8.cmov(y2, y1, isQR);
|
|
|
|
return { isValid: isQR, value: y };
|
|
|
|
};
|
|
|
|
}
|
|
|
|
return sqrtRatio;
|
|
|
|
}
|
|
|
|
function mapToCurveSimpleSWU(Fp8, opts) {
|
|
|
|
validateField(Fp8);
|
|
|
|
if (!Fp8.isValid(opts.A) || !Fp8.isValid(opts.B) || !Fp8.isValid(opts.Z))
|
|
|
|
throw new Error("mapToCurveSimpleSWU: invalid opts");
|
|
|
|
const sqrtRatio = SWUFpSqrtRatio(Fp8, opts.Z);
|
|
|
|
if (!Fp8.isOdd) throw new Error("Fp.isOdd is not implemented!");
|
|
|
|
return (u) => {
|
|
|
|
let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
|
|
|
|
tv1 = Fp8.sqr(u);
|
|
|
|
tv1 = Fp8.mul(tv1, opts.Z);
|
|
|
|
tv2 = Fp8.sqr(tv1);
|
|
|
|
tv2 = Fp8.add(tv2, tv1);
|
|
|
|
tv3 = Fp8.add(tv2, Fp8.ONE);
|
|
|
|
tv3 = Fp8.mul(tv3, opts.B);
|
|
|
|
tv4 = Fp8.cmov(opts.Z, Fp8.neg(tv2), !Fp8.eql(tv2, Fp8.ZERO));
|
|
|
|
tv4 = Fp8.mul(tv4, opts.A);
|
|
|
|
tv2 = Fp8.sqr(tv3);
|
|
|
|
tv6 = Fp8.sqr(tv4);
|
|
|
|
tv5 = Fp8.mul(tv6, opts.A);
|
|
|
|
tv2 = Fp8.add(tv2, tv5);
|
|
|
|
tv2 = Fp8.mul(tv2, tv3);
|
|
|
|
tv6 = Fp8.mul(tv6, tv4);
|
|
|
|
tv5 = Fp8.mul(tv6, opts.B);
|
|
|
|
tv2 = Fp8.add(tv2, tv5);
|
|
|
|
x = Fp8.mul(tv1, tv3);
|
|
|
|
const { isValid, value } = sqrtRatio(tv2, tv6);
|
|
|
|
y = Fp8.mul(tv1, u);
|
|
|
|
y = Fp8.mul(y, value);
|
|
|
|
x = Fp8.cmov(x, tv3, isValid);
|
|
|
|
y = Fp8.cmov(y, value, isValid);
|
|
|
|
const e1 = Fp8.isOdd(u) === Fp8.isOdd(y);
|
|
|
|
y = Fp8.cmov(Fp8.neg(y), y, e1);
|
|
|
|
x = Fp8.div(x, tv4);
|
|
|
|
return { x, y };
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/abstract/hash-to-curve.js
|
|
|
|
function validateDST(dst) {
|
|
|
|
if (dst instanceof Uint8Array) return dst;
|
|
|
|
if (typeof dst === "string") return utf8ToBytes(dst);
|
|
|
|
throw new Error("DST must be Uint8Array or string");
|
|
|
|
}
|
|
|
|
var os2ip = bytesToNumberBE;
|
|
|
|
function i2osp(value, length) {
|
|
|
|
if (value < 0 || value >= 1 << (8 * length)) {
|
|
|
|
throw new Error(`bad I2OSP call: value=${value} length=${length}`);
|
|
|
|
}
|
|
|
|
const res = Array.from({ length }).fill(0);
|
|
|
|
for (let i = length - 1; i >= 0; i--) {
|
|
|
|
res[i] = value & 255;
|
|
|
|
value >>>= 8;
|
|
|
|
}
|
|
|
|
return new Uint8Array(res);
|
|
|
|
}
|
|
|
|
function strxor(a, b) {
|
|
|
|
const arr = new Uint8Array(a.length);
|
|
|
|
for (let i = 0; i < a.length; i++) {
|
|
|
|
arr[i] = a[i] ^ b[i];
|
|
|
|
}
|
|
|
|
return arr;
|
|
|
|
}
|
|
|
|
function isBytes(item) {
|
|
|
|
if (!(item instanceof Uint8Array)) throw new Error("Uint8Array expected");
|
|
|
|
}
|
|
|
|
function isNum(item) {
|
|
|
|
if (!Number.isSafeInteger(item)) throw new Error("number expected");
|
|
|
|
}
|
|
|
|
function expand_message_xmd(msg, DST, lenInBytes, H) {
|
|
|
|
isBytes(msg);
|
|
|
|
isBytes(DST);
|
|
|
|
isNum(lenInBytes);
|
|
|
|
if (DST.length > 255)
|
|
|
|
DST = H(concatBytes(utf8ToBytes("H2C-OVERSIZE-DST-"), DST));
|
|
|
|
const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
|
|
|
|
const ell = Math.ceil(lenInBytes / b_in_bytes);
|
|
|
|
if (ell > 255) throw new Error("Invalid xmd length");
|
|
|
|
const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
|
|
|
|
const Z_pad = i2osp(0, r_in_bytes);
|
|
|
|
const l_i_b_str = i2osp(lenInBytes, 2);
|
|
|
|
const b = new Array(ell);
|
|
|
|
const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
|
|
|
|
b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
|
|
|
|
for (let i = 1; i <= ell; i++) {
|
|
|
|
const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
|
|
|
|
b[i] = H(concatBytes(...args));
|
|
|
|
}
|
|
|
|
const pseudo_random_bytes = concatBytes(...b);
|
|
|
|
return pseudo_random_bytes.slice(0, lenInBytes);
|
|
|
|
}
|
|
|
|
function expand_message_xof(msg, DST, lenInBytes, k, H) {
|
|
|
|
isBytes(msg);
|
|
|
|
isBytes(DST);
|
|
|
|
isNum(lenInBytes);
|
|
|
|
if (DST.length > 255) {
|
|
|
|
const dkLen = Math.ceil((2 * k) / 8);
|
|
|
|
DST = H.create({ dkLen })
|
|
|
|
.update(utf8ToBytes("H2C-OVERSIZE-DST-"))
|
|
|
|
.update(DST)
|
|
|
|
.digest();
|
|
|
|
}
|
|
|
|
if (lenInBytes > 65535 || DST.length > 255)
|
|
|
|
throw new Error("expand_message_xof: invalid lenInBytes");
|
|
|
|
return H.create({ dkLen: lenInBytes })
|
|
|
|
.update(msg)
|
|
|
|
.update(i2osp(lenInBytes, 2))
|
|
|
|
.update(DST)
|
|
|
|
.update(i2osp(DST.length, 1))
|
|
|
|
.digest();
|
|
|
|
}
|
|
|
|
function hash_to_field(msg, count, options) {
|
|
|
|
validateObject(options, {
|
|
|
|
DST: "stringOrUint8Array",
|
|
|
|
p: "bigint",
|
|
|
|
m: "isSafeInteger",
|
|
|
|
k: "isSafeInteger",
|
|
|
|
hash: "hash",
|
|
|
|
});
|
|
|
|
const { p, k, m, hash: hash2, expand, DST: _DST } = options;
|
|
|
|
isBytes(msg);
|
|
|
|
isNum(count);
|
|
|
|
const DST = validateDST(_DST);
|
|
|
|
const log2p = p.toString(2).length;
|
|
|
|
const L = Math.ceil((log2p + k) / 8);
|
|
|
|
const len_in_bytes = count * m * L;
|
|
|
|
let prb;
|
|
|
|
if (expand === "xmd") {
|
|
|
|
prb = expand_message_xmd(msg, DST, len_in_bytes, hash2);
|
|
|
|
} else if (expand === "xof") {
|
|
|
|
prb = expand_message_xof(msg, DST, len_in_bytes, k, hash2);
|
|
|
|
} else if (expand === "_internal_pass") {
|
|
|
|
prb = msg;
|
|
|
|
} else {
|
|
|
|
throw new Error('expand must be "xmd" or "xof"');
|
|
|
|
}
|
|
|
|
const u = new Array(count);
|
|
|
|
for (let i = 0; i < count; i++) {
|
|
|
|
const e = new Array(m);
|
|
|
|
for (let j = 0; j < m; j++) {
|
|
|
|
const elm_offset = L * (j + i * m);
|
|
|
|
const tv = prb.subarray(elm_offset, elm_offset + L);
|
|
|
|
e[j] = mod(os2ip(tv), p);
|
|
|
|
}
|
|
|
|
u[i] = e;
|
|
|
|
}
|
|
|
|
return u;
|
|
|
|
}
|
|
|
|
function isogenyMap(field, map) {
|
|
|
|
const COEFF = map.map((i) => Array.from(i).reverse());
|
|
|
|
return (x, y) => {
|
|
|
|
const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
|
|
|
|
val.reduce((acc, i) => field.add(field.mul(acc, x), i)),
|
|
|
|
);
|
|
|
|
x = field.div(xNum, xDen);
|
|
|
|
y = field.mul(y, field.div(yNum, yDen));
|
|
|
|
return { x, y };
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function createHasher(Point2, mapToCurve, def) {
|
|
|
|
if (typeof mapToCurve !== "function")
|
|
|
|
throw new Error("mapToCurve() must be defined");
|
|
|
|
return {
|
|
|
|
// Encodes byte string to elliptic curve.
|
|
|
|
// hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
|
|
|
|
hashToCurve(msg, options) {
|
|
|
|
const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
|
|
|
|
const u0 = Point2.fromAffine(mapToCurve(u[0]));
|
|
|
|
const u1 = Point2.fromAffine(mapToCurve(u[1]));
|
|
|
|
const P3 = u0.add(u1).clearCofactor();
|
|
|
|
P3.assertValidity();
|
|
|
|
return P3;
|
|
|
|
},
|
|
|
|
// Encodes byte string to elliptic curve.
|
|
|
|
// encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
|
|
|
|
encodeToCurve(msg, options) {
|
|
|
|
const u = hash_to_field(msg, 1, {
|
|
|
|
...def,
|
|
|
|
DST: def.encodeDST,
|
|
|
|
...options,
|
|
|
|
});
|
|
|
|
const P3 = Point2.fromAffine(mapToCurve(u[0])).clearCofactor();
|
|
|
|
P3.assertValidity();
|
|
|
|
return P3;
|
|
|
|
},
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/hmac.js
|
|
|
|
var HMAC = class extends Hash {
|
|
|
|
constructor(hash2, _key) {
|
|
|
|
super();
|
|
|
|
this.finished = false;
|
|
|
|
this.destroyed = false;
|
|
|
|
hash(hash2);
|
|
|
|
const key = toBytes(_key);
|
|
|
|
this.iHash = hash2.create();
|
|
|
|
if (typeof this.iHash.update !== "function")
|
|
|
|
throw new Error("Expected instance of class which extends utils.Hash");
|
|
|
|
this.blockLen = this.iHash.blockLen;
|
|
|
|
this.outputLen = this.iHash.outputLen;
|
|
|
|
const blockLen = this.blockLen;
|
|
|
|
const pad = new Uint8Array(blockLen);
|
|
|
|
pad.set(
|
|
|
|
key.length > blockLen ? hash2.create().update(key).digest() : key,
|
|
|
|
);
|
|
|
|
for (let i = 0; i < pad.length; i++) pad[i] ^= 54;
|
|
|
|
this.iHash.update(pad);
|
|
|
|
this.oHash = hash2.create();
|
|
|
|
for (let i = 0; i < pad.length; i++) pad[i] ^= 54 ^ 92;
|
|
|
|
this.oHash.update(pad);
|
|
|
|
pad.fill(0);
|
|
|
|
}
|
|
|
|
update(buf) {
|
|
|
|
exists(this);
|
|
|
|
this.iHash.update(buf);
|
|
|
|
return this;
|
|
|
|
}
|
|
|
|
digestInto(out) {
|
|
|
|
exists(this);
|
|
|
|
bytes(out, this.outputLen);
|
|
|
|
this.finished = true;
|
|
|
|
this.iHash.digestInto(out);
|
|
|
|
this.oHash.update(out);
|
|
|
|
this.oHash.digestInto(out);
|
|
|
|
this.destroy();
|
|
|
|
}
|
|
|
|
digest() {
|
|
|
|
const out = new Uint8Array(this.oHash.outputLen);
|
|
|
|
this.digestInto(out);
|
|
|
|
return out;
|
|
|
|
}
|
|
|
|
_cloneInto(to) {
|
|
|
|
to || (to = Object.create(Object.getPrototypeOf(this), {}));
|
|
|
|
const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
|
|
|
|
to = to;
|
|
|
|
to.finished = finished;
|
|
|
|
to.destroyed = destroyed;
|
|
|
|
to.blockLen = blockLen;
|
|
|
|
to.outputLen = outputLen;
|
|
|
|
to.oHash = oHash._cloneInto(to.oHash);
|
|
|
|
to.iHash = iHash._cloneInto(to.iHash);
|
|
|
|
return to;
|
|
|
|
}
|
|
|
|
destroy() {
|
|
|
|
this.destroyed = true;
|
|
|
|
this.oHash.destroy();
|
|
|
|
this.iHash.destroy();
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var hmac = (hash2, key, message) =>
|
|
|
|
new HMAC(hash2, key).update(message).digest();
|
|
|
|
hmac.create = (hash2, key) => new HMAC(hash2, key);
|
|
|
|
|
|
|
|
// ../esm/_shortw_utils.js
|
|
|
|
function getHash(hash2) {
|
|
|
|
return {
|
|
|
|
hash: hash2,
|
|
|
|
hmac: (key, ...msgs) => hmac(hash2, key, concatBytes2(...msgs)),
|
|
|
|
randomBytes,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function createCurve(curveDef, defHash) {
|
|
|
|
const create = (hash2) => weierstrass({ ...curveDef, ...getHash(hash2) });
|
|
|
|
return Object.freeze({ ...create(defHash), create });
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/secp256k1.js
|
|
|
|
var secp256k1P = BigInt(
|
|
|
|
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f",
|
|
|
|
);
|
|
|
|
var secp256k1N = BigInt(
|
|
|
|
"0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
|
|
|
|
);
|
|
|
|
var _1n5 = BigInt(1);
|
|
|
|
var _2n4 = BigInt(2);
|
|
|
|
var divNearest = (a, b) => (a + b / _2n4) / b;
|
|
|
|
function sqrtMod(y) {
|
|
|
|
const P3 = secp256k1P;
|
|
|
|
const _3n6 = BigInt(3),
|
|
|
|
_6n = BigInt(6),
|
|
|
|
_11n2 = BigInt(11),
|
|
|
|
_22n2 = BigInt(22);
|
|
|
|
const _23n = BigInt(23),
|
|
|
|
_44n2 = BigInt(44),
|
|
|
|
_88n2 = BigInt(88);
|
|
|
|
const b2 = (y * y * y) % P3;
|
|
|
|
const b3 = (b2 * b2 * y) % P3;
|
|
|
|
const b6 = (pow2(b3, _3n6, P3) * b3) % P3;
|
|
|
|
const b9 = (pow2(b6, _3n6, P3) * b3) % P3;
|
|
|
|
const b11 = (pow2(b9, _2n4, P3) * b2) % P3;
|
|
|
|
const b22 = (pow2(b11, _11n2, P3) * b11) % P3;
|
|
|
|
const b44 = (pow2(b22, _22n2, P3) * b22) % P3;
|
|
|
|
const b88 = (pow2(b44, _44n2, P3) * b44) % P3;
|
|
|
|
const b176 = (pow2(b88, _88n2, P3) * b88) % P3;
|
|
|
|
const b220 = (pow2(b176, _44n2, P3) * b44) % P3;
|
|
|
|
const b223 = (pow2(b220, _3n6, P3) * b3) % P3;
|
|
|
|
const t1 = (pow2(b223, _23n, P3) * b22) % P3;
|
|
|
|
const t2 = (pow2(t1, _6n, P3) * b2) % P3;
|
|
|
|
const root = pow2(t2, _2n4, P3);
|
|
|
|
if (!Fp.eql(Fp.sqr(root), y)) throw new Error("Cannot find square root");
|
|
|
|
return root;
|
|
|
|
}
|
|
|
|
var Fp = Field(secp256k1P, void 0, void 0, { sqrt: sqrtMod });
|
|
|
|
var secp256k1 = createCurve(
|
|
|
|
{
|
|
|
|
a: BigInt(0),
|
|
|
|
b: BigInt(7),
|
|
|
|
Fp,
|
|
|
|
n: secp256k1N,
|
|
|
|
// Base point (x, y) aka generator point
|
|
|
|
Gx: BigInt(
|
|
|
|
"55066263022277343669578718895168534326250603453777594175500187360389116729240",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"32670510020758816978083085130507043184471273380659243275938904335757337482424",
|
|
|
|
),
|
|
|
|
h: BigInt(1),
|
|
|
|
lowS: true,
|
|
|
|
/**
|
|
|
|
* secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
|
|
|
|
* Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
|
|
|
|
* For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
|
|
|
|
* Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
|
|
|
|
*/
|
|
|
|
endo: {
|
|
|
|
beta: BigInt(
|
|
|
|
"0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee",
|
|
|
|
),
|
|
|
|
splitScalar: (k) => {
|
|
|
|
const n = secp256k1N;
|
|
|
|
const a1 = BigInt("0x3086d221a7d46bcde86c90e49284eb15");
|
|
|
|
const b1 = -_1n5 * BigInt("0xe4437ed6010e88286f547fa90abfe4c3");
|
|
|
|
const a2 = BigInt("0x114ca50f7a8e2f3f657c1108d9d44cfd8");
|
|
|
|
const b2 = a1;
|
|
|
|
const POW_2_128 = BigInt("0x100000000000000000000000000000000");
|
|
|
|
const c1 = divNearest(b2 * k, n);
|
|
|
|
const c2 = divNearest(-b1 * k, n);
|
|
|
|
let k1 = mod(k - c1 * a1 - c2 * a2, n);
|
|
|
|
let k2 = mod(-c1 * b1 - c2 * b2, n);
|
|
|
|
const k1neg = k1 > POW_2_128;
|
|
|
|
const k2neg = k2 > POW_2_128;
|
|
|
|
if (k1neg) k1 = n - k1;
|
|
|
|
if (k2neg) k2 = n - k2;
|
|
|
|
if (k1 > POW_2_128 || k2 > POW_2_128) {
|
|
|
|
throw new Error("splitScalar: Endomorphism failed, k=" + k);
|
|
|
|
}
|
|
|
|
return { k1neg, k1, k2neg, k2 };
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
sha256,
|
|
|
|
);
|
|
|
|
var _0n5 = BigInt(0);
|
|
|
|
var fe = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1P;
|
|
|
|
var ge = (x) => typeof x === "bigint" && _0n5 < x && x < secp256k1N;
|
|
|
|
var TAGGED_HASH_PREFIXES = {};
|
|
|
|
function taggedHash(tag, ...messages) {
|
|
|
|
let tagP = TAGGED_HASH_PREFIXES[tag];
|
|
|
|
if (tagP === void 0) {
|
|
|
|
const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
|
|
|
|
tagP = concatBytes(tagH, tagH);
|
|
|
|
TAGGED_HASH_PREFIXES[tag] = tagP;
|
|
|
|
}
|
|
|
|
return sha256(concatBytes(tagP, ...messages));
|
|
|
|
}
|
|
|
|
var pointToBytes = (point) => point.toRawBytes(true).slice(1);
|
|
|
|
var numTo32b = (n) => numberToBytesBE(n, 32);
|
|
|
|
var modP = (x) => mod(x, secp256k1P);
|
|
|
|
var modN = (x) => mod(x, secp256k1N);
|
|
|
|
var Point = secp256k1.ProjectivePoint;
|
|
|
|
var GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
|
|
|
|
function schnorrGetExtPubKey(priv) {
|
|
|
|
let d_ = secp256k1.utils.normPrivateKeyToScalar(priv);
|
|
|
|
let p = Point.fromPrivateKey(d_);
|
|
|
|
const scalar = p.hasEvenY() ? d_ : modN(-d_);
|
|
|
|
return { scalar, bytes: pointToBytes(p) };
|
|
|
|
}
|
|
|
|
function lift_x(x) {
|
|
|
|
if (!fe(x)) throw new Error("bad x: need 0 < x < p");
|
|
|
|
const xx = modP(x * x);
|
|
|
|
const c = modP(xx * x + BigInt(7));
|
|
|
|
let y = sqrtMod(c);
|
|
|
|
if (y % _2n4 !== _0n5) y = modP(-y);
|
|
|
|
const p = new Point(x, y, _1n5);
|
|
|
|
p.assertValidity();
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
function challenge(...args) {
|
|
|
|
return modN(bytesToNumberBE(taggedHash("BIP0340/challenge", ...args)));
|
|
|
|
}
|
|
|
|
function schnorrGetPublicKey(privateKey) {
|
|
|
|
return schnorrGetExtPubKey(privateKey).bytes;
|
|
|
|
}
|
|
|
|
function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
|
|
|
|
const m = ensureBytes("message", message);
|
|
|
|
const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
|
|
|
|
const a = ensureBytes("auxRand", auxRand, 32);
|
|
|
|
const t = numTo32b(d ^ bytesToNumberBE(taggedHash("BIP0340/aux", a)));
|
|
|
|
const rand = taggedHash("BIP0340/nonce", t, px, m);
|
|
|
|
const k_ = modN(bytesToNumberBE(rand));
|
|
|
|
if (k_ === _0n5) throw new Error("sign failed: k is zero");
|
|
|
|
const { bytes: rx, scalar: k } = schnorrGetExtPubKey(k_);
|
|
|
|
const e = challenge(rx, px, m);
|
|
|
|
const sig = new Uint8Array(64);
|
|
|
|
sig.set(rx, 0);
|
|
|
|
sig.set(numTo32b(modN(k + e * d)), 32);
|
|
|
|
if (!schnorrVerify(sig, m, px))
|
|
|
|
throw new Error("sign: Invalid signature produced");
|
|
|
|
return sig;
|
|
|
|
}
|
|
|
|
function schnorrVerify(signature, message, publicKey) {
|
|
|
|
const sig = ensureBytes("signature", signature, 64);
|
|
|
|
const m = ensureBytes("message", message);
|
|
|
|
const pub = ensureBytes("publicKey", publicKey, 32);
|
|
|
|
try {
|
|
|
|
const P3 = lift_x(bytesToNumberBE(pub));
|
|
|
|
const r = bytesToNumberBE(sig.subarray(0, 32));
|
|
|
|
if (!fe(r)) return false;
|
|
|
|
const s = bytesToNumberBE(sig.subarray(32, 64));
|
|
|
|
if (!ge(s)) return false;
|
|
|
|
const e = challenge(numTo32b(r), pointToBytes(P3), m);
|
|
|
|
const R = GmulAdd(P3, s, modN(-e));
|
|
|
|
if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false;
|
|
|
|
return true;
|
|
|
|
} catch (error) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
var schnorr = /* @__PURE__ */ (() => ({
|
|
|
|
getPublicKey: schnorrGetPublicKey,
|
|
|
|
sign: schnorrSign,
|
|
|
|
verify: schnorrVerify,
|
|
|
|
utils: {
|
|
|
|
randomPrivateKey: secp256k1.utils.randomPrivateKey,
|
|
|
|
lift_x,
|
|
|
|
pointToBytes,
|
|
|
|
numberToBytesBE,
|
|
|
|
bytesToNumberBE,
|
|
|
|
taggedHash,
|
|
|
|
mod,
|
|
|
|
},
|
|
|
|
}))();
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/_u64.js
|
|
|
|
var U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1);
|
|
|
|
var _32n = /* @__PURE__ */ BigInt(32);
|
|
|
|
function fromBig(n, le = false) {
|
|
|
|
if (le)
|
|
|
|
return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) };
|
|
|
|
return {
|
|
|
|
h: Number((n >> _32n) & U32_MASK64) | 0,
|
|
|
|
l: Number(n & U32_MASK64) | 0,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
function split(lst, le = false) {
|
|
|
|
let Ah = new Uint32Array(lst.length);
|
|
|
|
let Al = new Uint32Array(lst.length);
|
|
|
|
for (let i = 0; i < lst.length; i++) {
|
|
|
|
const { h, l } = fromBig(lst[i], le);
|
|
|
|
[Ah[i], Al[i]] = [h, l];
|
|
|
|
}
|
|
|
|
return [Ah, Al];
|
|
|
|
}
|
|
|
|
var toBig = (h, l) => (BigInt(h >>> 0) << _32n) | BigInt(l >>> 0);
|
|
|
|
var shrSH = (h, _l, s) => h >>> s;
|
|
|
|
var shrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
|
|
|
|
var rotrSH = (h, l, s) => (h >>> s) | (l << (32 - s));
|
|
|
|
var rotrSL = (h, l, s) => (h << (32 - s)) | (l >>> s);
|
|
|
|
var rotrBH = (h, l, s) => (h << (64 - s)) | (l >>> (s - 32));
|
|
|
|
var rotrBL = (h, l, s) => (h >>> (s - 32)) | (l << (64 - s));
|
|
|
|
var rotr32H = (_h, l) => l;
|
|
|
|
var rotr32L = (h, _l) => h;
|
|
|
|
var rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s));
|
|
|
|
var rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s));
|
|
|
|
var rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s));
|
|
|
|
var rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s));
|
|
|
|
function add(Ah, Al, Bh, Bl) {
|
|
|
|
const l = (Al >>> 0) + (Bl >>> 0);
|
|
|
|
return { h: (Ah + Bh + ((l / 2 ** 32) | 0)) | 0, l: l | 0 };
|
|
|
|
}
|
|
|
|
var add3L = (Al, Bl, Cl) => (Al >>> 0) + (Bl >>> 0) + (Cl >>> 0);
|
|
|
|
var add3H = (low, Ah, Bh, Ch) => (Ah + Bh + Ch + ((low / 2 ** 32) | 0)) | 0;
|
|
|
|
var add4L = (Al, Bl, Cl, Dl) =>
|
|
|
|
(Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0);
|
|
|
|
var add4H = (low, Ah, Bh, Ch, Dh) =>
|
|
|
|
(Ah + Bh + Ch + Dh + ((low / 2 ** 32) | 0)) | 0;
|
|
|
|
var add5L = (Al, Bl, Cl, Dl, El) =>
|
|
|
|
(Al >>> 0) + (Bl >>> 0) + (Cl >>> 0) + (Dl >>> 0) + (El >>> 0);
|
|
|
|
var add5H = (low, Ah, Bh, Ch, Dh, Eh) =>
|
|
|
|
(Ah + Bh + Ch + Dh + Eh + ((low / 2 ** 32) | 0)) | 0;
|
|
|
|
var u64 = {
|
|
|
|
fromBig,
|
|
|
|
split,
|
|
|
|
toBig,
|
|
|
|
shrSH,
|
|
|
|
shrSL,
|
|
|
|
rotrSH,
|
|
|
|
rotrSL,
|
|
|
|
rotrBH,
|
|
|
|
rotrBL,
|
|
|
|
rotr32H,
|
|
|
|
rotr32L,
|
|
|
|
rotlSH,
|
|
|
|
rotlSL,
|
|
|
|
rotlBH,
|
|
|
|
rotlBL,
|
|
|
|
add,
|
|
|
|
add3L,
|
|
|
|
add3H,
|
|
|
|
add4L,
|
|
|
|
add4H,
|
|
|
|
add5H,
|
|
|
|
add5L,
|
|
|
|
};
|
|
|
|
var u64_default = u64;
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/sha512.js
|
|
|
|
var [SHA512_Kh, SHA512_Kl] = /* @__PURE__ */ (() =>
|
|
|
|
u64_default.split(
|
|
|
|
[
|
|
|
|
"0x428a2f98d728ae22",
|
|
|
|
"0x7137449123ef65cd",
|
|
|
|
"0xb5c0fbcfec4d3b2f",
|
|
|
|
"0xe9b5dba58189dbbc",
|
|
|
|
"0x3956c25bf348b538",
|
|
|
|
"0x59f111f1b605d019",
|
|
|
|
"0x923f82a4af194f9b",
|
|
|
|
"0xab1c5ed5da6d8118",
|
|
|
|
"0xd807aa98a3030242",
|
|
|
|
"0x12835b0145706fbe",
|
|
|
|
"0x243185be4ee4b28c",
|
|
|
|
"0x550c7dc3d5ffb4e2",
|
|
|
|
"0x72be5d74f27b896f",
|
|
|
|
"0x80deb1fe3b1696b1",
|
|
|
|
"0x9bdc06a725c71235",
|
|
|
|
"0xc19bf174cf692694",
|
|
|
|
"0xe49b69c19ef14ad2",
|
|
|
|
"0xefbe4786384f25e3",
|
|
|
|
"0x0fc19dc68b8cd5b5",
|
|
|
|
"0x240ca1cc77ac9c65",
|
|
|
|
"0x2de92c6f592b0275",
|
|
|
|
"0x4a7484aa6ea6e483",
|
|
|
|
"0x5cb0a9dcbd41fbd4",
|
|
|
|
"0x76f988da831153b5",
|
|
|
|
"0x983e5152ee66dfab",
|
|
|
|
"0xa831c66d2db43210",
|
|
|
|
"0xb00327c898fb213f",
|
|
|
|
"0xbf597fc7beef0ee4",
|
|
|
|
"0xc6e00bf33da88fc2",
|
|
|
|
"0xd5a79147930aa725",
|
|
|
|
"0x06ca6351e003826f",
|
|
|
|
"0x142929670a0e6e70",
|
|
|
|
"0x27b70a8546d22ffc",
|
|
|
|
"0x2e1b21385c26c926",
|
|
|
|
"0x4d2c6dfc5ac42aed",
|
|
|
|
"0x53380d139d95b3df",
|
|
|
|
"0x650a73548baf63de",
|
|
|
|
"0x766a0abb3c77b2a8",
|
|
|
|
"0x81c2c92e47edaee6",
|
|
|
|
"0x92722c851482353b",
|
|
|
|
"0xa2bfe8a14cf10364",
|
|
|
|
"0xa81a664bbc423001",
|
|
|
|
"0xc24b8b70d0f89791",
|
|
|
|
"0xc76c51a30654be30",
|
|
|
|
"0xd192e819d6ef5218",
|
|
|
|
"0xd69906245565a910",
|
|
|
|
"0xf40e35855771202a",
|
|
|
|
"0x106aa07032bbd1b8",
|
|
|
|
"0x19a4c116b8d2d0c8",
|
|
|
|
"0x1e376c085141ab53",
|
|
|
|
"0x2748774cdf8eeb99",
|
|
|
|
"0x34b0bcb5e19b48a8",
|
|
|
|
"0x391c0cb3c5c95a63",
|
|
|
|
"0x4ed8aa4ae3418acb",
|
|
|
|
"0x5b9cca4f7763e373",
|
|
|
|
"0x682e6ff3d6b2b8a3",
|
|
|
|
"0x748f82ee5defb2fc",
|
|
|
|
"0x78a5636f43172f60",
|
|
|
|
"0x84c87814a1f0ab72",
|
|
|
|
"0x8cc702081a6439ec",
|
|
|
|
"0x90befffa23631e28",
|
|
|
|
"0xa4506cebde82bde9",
|
|
|
|
"0xbef9a3f7b2c67915",
|
|
|
|
"0xc67178f2e372532b",
|
|
|
|
"0xca273eceea26619c",
|
|
|
|
"0xd186b8c721c0c207",
|
|
|
|
"0xeada7dd6cde0eb1e",
|
|
|
|
"0xf57d4f7fee6ed178",
|
|
|
|
"0x06f067aa72176fba",
|
|
|
|
"0x0a637dc5a2c898a6",
|
|
|
|
"0x113f9804bef90dae",
|
|
|
|
"0x1b710b35131c471b",
|
|
|
|
"0x28db77f523047d84",
|
|
|
|
"0x32caab7b40c72493",
|
|
|
|
"0x3c9ebe0a15c9bebc",
|
|
|
|
"0x431d67c49c100d4c",
|
|
|
|
"0x4cc5d4becb3e42b6",
|
|
|
|
"0x597f299cfc657e2a",
|
|
|
|
"0x5fcb6fab3ad6faec",
|
|
|
|
"0x6c44198c4a475817",
|
|
|
|
].map((n) => BigInt(n)),
|
|
|
|
))();
|
|
|
|
var SHA512_W_H = /* @__PURE__ */ new Uint32Array(80);
|
|
|
|
var SHA512_W_L = /* @__PURE__ */ new Uint32Array(80);
|
|
|
|
var SHA512 = class extends SHA2 {
|
|
|
|
constructor() {
|
|
|
|
super(128, 64, 16, false);
|
|
|
|
this.Ah = 1779033703 | 0;
|
|
|
|
this.Al = 4089235720 | 0;
|
|
|
|
this.Bh = 3144134277 | 0;
|
|
|
|
this.Bl = 2227873595 | 0;
|
|
|
|
this.Ch = 1013904242 | 0;
|
|
|
|
this.Cl = 4271175723 | 0;
|
|
|
|
this.Dh = 2773480762 | 0;
|
|
|
|
this.Dl = 1595750129 | 0;
|
|
|
|
this.Eh = 1359893119 | 0;
|
|
|
|
this.El = 2917565137 | 0;
|
|
|
|
this.Fh = 2600822924 | 0;
|
|
|
|
this.Fl = 725511199 | 0;
|
|
|
|
this.Gh = 528734635 | 0;
|
|
|
|
this.Gl = 4215389547 | 0;
|
|
|
|
this.Hh = 1541459225 | 0;
|
|
|
|
this.Hl = 327033209 | 0;
|
|
|
|
}
|
|
|
|
// prettier-ignore
|
|
|
|
get() {
|
|
|
|
const { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } = this;
|
|
|
|
return [Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl];
|
|
|
|
}
|
|
|
|
// prettier-ignore
|
|
|
|
set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl) {
|
|
|
|
this.Ah = Ah | 0;
|
|
|
|
this.Al = Al | 0;
|
|
|
|
this.Bh = Bh | 0;
|
|
|
|
this.Bl = Bl | 0;
|
|
|
|
this.Ch = Ch | 0;
|
|
|
|
this.Cl = Cl | 0;
|
|
|
|
this.Dh = Dh | 0;
|
|
|
|
this.Dl = Dl | 0;
|
|
|
|
this.Eh = Eh | 0;
|
|
|
|
this.El = El | 0;
|
|
|
|
this.Fh = Fh | 0;
|
|
|
|
this.Fl = Fl | 0;
|
|
|
|
this.Gh = Gh | 0;
|
|
|
|
this.Gl = Gl | 0;
|
|
|
|
this.Hh = Hh | 0;
|
|
|
|
this.Hl = Hl | 0;
|
|
|
|
}
|
|
|
|
process(view, offset) {
|
|
|
|
for (let i = 0; i < 16; i++, offset += 4) {
|
|
|
|
SHA512_W_H[i] = view.getUint32(offset);
|
|
|
|
SHA512_W_L[i] = view.getUint32((offset += 4));
|
|
|
|
}
|
|
|
|
for (let i = 16; i < 80; i++) {
|
|
|
|
const W15h = SHA512_W_H[i - 15] | 0;
|
|
|
|
const W15l = SHA512_W_L[i - 15] | 0;
|
|
|
|
const s0h =
|
|
|
|
u64_default.rotrSH(W15h, W15l, 1) ^
|
|
|
|
u64_default.rotrSH(W15h, W15l, 8) ^
|
|
|
|
u64_default.shrSH(W15h, W15l, 7);
|
|
|
|
const s0l =
|
|
|
|
u64_default.rotrSL(W15h, W15l, 1) ^
|
|
|
|
u64_default.rotrSL(W15h, W15l, 8) ^
|
|
|
|
u64_default.shrSL(W15h, W15l, 7);
|
|
|
|
const W2h = SHA512_W_H[i - 2] | 0;
|
|
|
|
const W2l = SHA512_W_L[i - 2] | 0;
|
|
|
|
const s1h =
|
|
|
|
u64_default.rotrSH(W2h, W2l, 19) ^
|
|
|
|
u64_default.rotrBH(W2h, W2l, 61) ^
|
|
|
|
u64_default.shrSH(W2h, W2l, 6);
|
|
|
|
const s1l =
|
|
|
|
u64_default.rotrSL(W2h, W2l, 19) ^
|
|
|
|
u64_default.rotrBL(W2h, W2l, 61) ^
|
|
|
|
u64_default.shrSL(W2h, W2l, 6);
|
|
|
|
const SUMl = u64_default.add4L(
|
|
|
|
s0l,
|
|
|
|
s1l,
|
|
|
|
SHA512_W_L[i - 7],
|
|
|
|
SHA512_W_L[i - 16],
|
|
|
|
);
|
|
|
|
const SUMh = u64_default.add4H(
|
|
|
|
SUMl,
|
|
|
|
s0h,
|
|
|
|
s1h,
|
|
|
|
SHA512_W_H[i - 7],
|
|
|
|
SHA512_W_H[i - 16],
|
|
|
|
);
|
|
|
|
SHA512_W_H[i] = SUMh | 0;
|
|
|
|
SHA512_W_L[i] = SUMl | 0;
|
|
|
|
}
|
|
|
|
let { Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl } =
|
|
|
|
this;
|
|
|
|
for (let i = 0; i < 80; i++) {
|
|
|
|
const sigma1h =
|
|
|
|
u64_default.rotrSH(Eh, El, 14) ^
|
|
|
|
u64_default.rotrSH(Eh, El, 18) ^
|
|
|
|
u64_default.rotrBH(Eh, El, 41);
|
|
|
|
const sigma1l =
|
|
|
|
u64_default.rotrSL(Eh, El, 14) ^
|
|
|
|
u64_default.rotrSL(Eh, El, 18) ^
|
|
|
|
u64_default.rotrBL(Eh, El, 41);
|
|
|
|
const CHIh = (Eh & Fh) ^ (~Eh & Gh);
|
|
|
|
const CHIl = (El & Fl) ^ (~El & Gl);
|
|
|
|
const T1ll = u64_default.add5L(
|
|
|
|
Hl,
|
|
|
|
sigma1l,
|
|
|
|
CHIl,
|
|
|
|
SHA512_Kl[i],
|
|
|
|
SHA512_W_L[i],
|
|
|
|
);
|
|
|
|
const T1h = u64_default.add5H(
|
|
|
|
T1ll,
|
|
|
|
Hh,
|
|
|
|
sigma1h,
|
|
|
|
CHIh,
|
|
|
|
SHA512_Kh[i],
|
|
|
|
SHA512_W_H[i],
|
|
|
|
);
|
|
|
|
const T1l = T1ll | 0;
|
|
|
|
const sigma0h =
|
|
|
|
u64_default.rotrSH(Ah, Al, 28) ^
|
|
|
|
u64_default.rotrBH(Ah, Al, 34) ^
|
|
|
|
u64_default.rotrBH(Ah, Al, 39);
|
|
|
|
const sigma0l =
|
|
|
|
u64_default.rotrSL(Ah, Al, 28) ^
|
|
|
|
u64_default.rotrBL(Ah, Al, 34) ^
|
|
|
|
u64_default.rotrBL(Ah, Al, 39);
|
|
|
|
const MAJh = (Ah & Bh) ^ (Ah & Ch) ^ (Bh & Ch);
|
|
|
|
const MAJl = (Al & Bl) ^ (Al & Cl) ^ (Bl & Cl);
|
|
|
|
Hh = Gh | 0;
|
|
|
|
Hl = Gl | 0;
|
|
|
|
Gh = Fh | 0;
|
|
|
|
Gl = Fl | 0;
|
|
|
|
Fh = Eh | 0;
|
|
|
|
Fl = El | 0;
|
|
|
|
({ h: Eh, l: El } = u64_default.add(Dh | 0, Dl | 0, T1h | 0, T1l | 0));
|
|
|
|
Dh = Ch | 0;
|
|
|
|
Dl = Cl | 0;
|
|
|
|
Ch = Bh | 0;
|
|
|
|
Cl = Bl | 0;
|
|
|
|
Bh = Ah | 0;
|
|
|
|
Bl = Al | 0;
|
|
|
|
const All = u64_default.add3L(T1l, sigma0l, MAJl);
|
|
|
|
Ah = u64_default.add3H(All, T1h, sigma0h, MAJh);
|
|
|
|
Al = All | 0;
|
|
|
|
}
|
|
|
|
({ h: Ah, l: Al } = u64_default.add(
|
|
|
|
this.Ah | 0,
|
|
|
|
this.Al | 0,
|
|
|
|
Ah | 0,
|
|
|
|
Al | 0,
|
|
|
|
));
|
|
|
|
({ h: Bh, l: Bl } = u64_default.add(
|
|
|
|
this.Bh | 0,
|
|
|
|
this.Bl | 0,
|
|
|
|
Bh | 0,
|
|
|
|
Bl | 0,
|
|
|
|
));
|
|
|
|
({ h: Ch, l: Cl } = u64_default.add(
|
|
|
|
this.Ch | 0,
|
|
|
|
this.Cl | 0,
|
|
|
|
Ch | 0,
|
|
|
|
Cl | 0,
|
|
|
|
));
|
|
|
|
({ h: Dh, l: Dl } = u64_default.add(
|
|
|
|
this.Dh | 0,
|
|
|
|
this.Dl | 0,
|
|
|
|
Dh | 0,
|
|
|
|
Dl | 0,
|
|
|
|
));
|
|
|
|
({ h: Eh, l: El } = u64_default.add(
|
|
|
|
this.Eh | 0,
|
|
|
|
this.El | 0,
|
|
|
|
Eh | 0,
|
|
|
|
El | 0,
|
|
|
|
));
|
|
|
|
({ h: Fh, l: Fl } = u64_default.add(
|
|
|
|
this.Fh | 0,
|
|
|
|
this.Fl | 0,
|
|
|
|
Fh | 0,
|
|
|
|
Fl | 0,
|
|
|
|
));
|
|
|
|
({ h: Gh, l: Gl } = u64_default.add(
|
|
|
|
this.Gh | 0,
|
|
|
|
this.Gl | 0,
|
|
|
|
Gh | 0,
|
|
|
|
Gl | 0,
|
|
|
|
));
|
|
|
|
({ h: Hh, l: Hl } = u64_default.add(
|
|
|
|
this.Hh | 0,
|
|
|
|
this.Hl | 0,
|
|
|
|
Hh | 0,
|
|
|
|
Hl | 0,
|
|
|
|
));
|
|
|
|
this.set(Ah, Al, Bh, Bl, Ch, Cl, Dh, Dl, Eh, El, Fh, Fl, Gh, Gl, Hh, Hl);
|
|
|
|
}
|
|
|
|
roundClean() {
|
|
|
|
SHA512_W_H.fill(0);
|
|
|
|
SHA512_W_L.fill(0);
|
|
|
|
}
|
|
|
|
destroy() {
|
|
|
|
this.buffer.fill(0);
|
|
|
|
this.set(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var SHA384 = class extends SHA512 {
|
|
|
|
constructor() {
|
|
|
|
super();
|
|
|
|
this.Ah = 3418070365 | 0;
|
|
|
|
this.Al = 3238371032 | 0;
|
|
|
|
this.Bh = 1654270250 | 0;
|
|
|
|
this.Bl = 914150663 | 0;
|
|
|
|
this.Ch = 2438529370 | 0;
|
|
|
|
this.Cl = 812702999 | 0;
|
|
|
|
this.Dh = 355462360 | 0;
|
|
|
|
this.Dl = 4144912697 | 0;
|
|
|
|
this.Eh = 1731405415 | 0;
|
|
|
|
this.El = 4290775857 | 0;
|
|
|
|
this.Fh = 2394180231 | 0;
|
|
|
|
this.Fl = 1750603025 | 0;
|
|
|
|
this.Gh = 3675008525 | 0;
|
|
|
|
this.Gl = 1694076839 | 0;
|
|
|
|
this.Hh = 1203062813 | 0;
|
|
|
|
this.Hl = 3204075428 | 0;
|
|
|
|
this.outputLen = 48;
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var sha512 = /* @__PURE__ */ wrapConstructor(() => new SHA512());
|
|
|
|
var sha384 = /* @__PURE__ */ wrapConstructor(() => new SHA384());
|
|
|
|
|
|
|
|
// ../esm/abstract/edwards.js
|
|
|
|
var _0n6 = BigInt(0);
|
|
|
|
var _1n6 = BigInt(1);
|
|
|
|
var _2n5 = BigInt(2);
|
|
|
|
var _8n2 = BigInt(8);
|
|
|
|
var VERIFY_DEFAULT = { zip215: true };
|
|
|
|
function validateOpts2(curve) {
|
|
|
|
const opts = validateBasic(curve);
|
|
|
|
validateObject(
|
|
|
|
curve,
|
|
|
|
{
|
|
|
|
hash: "function",
|
|
|
|
a: "bigint",
|
|
|
|
d: "bigint",
|
|
|
|
randomBytes: "function",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
adjustScalarBytes: "function",
|
|
|
|
domain: "function",
|
|
|
|
uvRatio: "function",
|
|
|
|
mapToCurve: "function",
|
|
|
|
},
|
|
|
|
);
|
|
|
|
return Object.freeze({ ...opts });
|
|
|
|
}
|
|
|
|
function twistedEdwards(curveDef) {
|
|
|
|
const CURVE2 = validateOpts2(curveDef);
|
|
|
|
const {
|
|
|
|
Fp: Fp8,
|
|
|
|
n: CURVE_ORDER,
|
|
|
|
prehash,
|
|
|
|
hash: cHash,
|
|
|
|
randomBytes: randomBytes2,
|
|
|
|
nByteLength,
|
|
|
|
h: cofactor,
|
|
|
|
} = CURVE2;
|
|
|
|
const MASK = _2n5 << (BigInt(nByteLength * 8) - _1n6);
|
|
|
|
const modP2 = Fp8.create;
|
|
|
|
const uvRatio3 =
|
|
|
|
CURVE2.uvRatio ||
|
|
|
|
((u, v) => {
|
|
|
|
try {
|
|
|
|
return { isValid: true, value: Fp8.sqrt(u * Fp8.inv(v)) };
|
|
|
|
} catch (e) {
|
|
|
|
return { isValid: false, value: _0n6 };
|
|
|
|
}
|
|
|
|
});
|
|
|
|
const adjustScalarBytes3 = CURVE2.adjustScalarBytes || ((bytes2) => bytes2);
|
|
|
|
const domain =
|
|
|
|
CURVE2.domain ||
|
|
|
|
((data, ctx, phflag) => {
|
|
|
|
if (ctx.length || phflag)
|
|
|
|
throw new Error("Contexts/pre-hash are not supported");
|
|
|
|
return data;
|
|
|
|
});
|
|
|
|
const inBig = (n) => typeof n === "bigint" && _0n6 < n;
|
|
|
|
const inRange = (n, max) => inBig(n) && inBig(max) && n < max;
|
|
|
|
const in0MaskRange = (n) => n === _0n6 || inRange(n, MASK);
|
|
|
|
function assertInRange(n, max) {
|
|
|
|
if (inRange(n, max)) return n;
|
|
|
|
throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
|
|
|
|
}
|
|
|
|
function assertGE0(n) {
|
|
|
|
return n === _0n6 ? n : assertInRange(n, CURVE_ORDER);
|
|
|
|
}
|
|
|
|
const pointPrecomputes = /* @__PURE__ */ new Map();
|
|
|
|
function isPoint(other) {
|
|
|
|
if (!(other instanceof Point2)) throw new Error("ExtendedPoint expected");
|
|
|
|
}
|
|
|
|
class Point2 {
|
|
|
|
constructor(ex, ey, ez, et) {
|
|
|
|
this.ex = ex;
|
|
|
|
this.ey = ey;
|
|
|
|
this.ez = ez;
|
|
|
|
this.et = et;
|
|
|
|
if (!in0MaskRange(ex)) throw new Error("x required");
|
|
|
|
if (!in0MaskRange(ey)) throw new Error("y required");
|
|
|
|
if (!in0MaskRange(ez)) throw new Error("z required");
|
|
|
|
if (!in0MaskRange(et)) throw new Error("t required");
|
|
|
|
}
|
|
|
|
get x() {
|
|
|
|
return this.toAffine().x;
|
|
|
|
}
|
|
|
|
get y() {
|
|
|
|
return this.toAffine().y;
|
|
|
|
}
|
|
|
|
static fromAffine(p) {
|
|
|
|
if (p instanceof Point2) throw new Error("extended point not allowed");
|
|
|
|
const { x, y } = p || {};
|
|
|
|
if (!in0MaskRange(x) || !in0MaskRange(y))
|
|
|
|
throw new Error("invalid affine point");
|
|
|
|
return new Point2(x, y, _1n6, modP2(x * y));
|
|
|
|
}
|
|
|
|
static normalizeZ(points) {
|
|
|
|
const toInv = Fp8.invertBatch(points.map((p) => p.ez));
|
|
|
|
return points
|
|
|
|
.map((p, i) => p.toAffine(toInv[i]))
|
|
|
|
.map(Point2.fromAffine);
|
|
|
|
}
|
|
|
|
// "Private method", don't use it directly
|
|
|
|
_setWindowSize(windowSize) {
|
|
|
|
this._WINDOW_SIZE = windowSize;
|
|
|
|
pointPrecomputes.delete(this);
|
|
|
|
}
|
|
|
|
// Not required for fromHex(), which always creates valid points.
|
|
|
|
// Could be useful for fromAffine().
|
|
|
|
assertValidity() {
|
|
|
|
const { a, d } = CURVE2;
|
|
|
|
if (this.is0()) throw new Error("bad point: ZERO");
|
|
|
|
const { ex: X, ey: Y, ez: Z, et: T } = this;
|
|
|
|
const X2 = modP2(X * X);
|
|
|
|
const Y2 = modP2(Y * Y);
|
|
|
|
const Z2 = modP2(Z * Z);
|
|
|
|
const Z4 = modP2(Z2 * Z2);
|
|
|
|
const aX2 = modP2(X2 * a);
|
|
|
|
const left = modP2(Z2 * modP2(aX2 + Y2));
|
|
|
|
const right = modP2(Z4 + modP2(d * modP2(X2 * Y2)));
|
|
|
|
if (left !== right)
|
|
|
|
throw new Error("bad point: equation left != right (1)");
|
|
|
|
const XY = modP2(X * Y);
|
|
|
|
const ZT = modP2(Z * T);
|
|
|
|
if (XY !== ZT) throw new Error("bad point: equation left != right (2)");
|
|
|
|
}
|
|
|
|
// Compare one point to another.
|
|
|
|
equals(other) {
|
|
|
|
isPoint(other);
|
|
|
|
const { ex: X1, ey: Y1, ez: Z1 } = this;
|
|
|
|
const { ex: X2, ey: Y2, ez: Z2 } = other;
|
|
|
|
const X1Z2 = modP2(X1 * Z2);
|
|
|
|
const X2Z1 = modP2(X2 * Z1);
|
|
|
|
const Y1Z2 = modP2(Y1 * Z2);
|
|
|
|
const Y2Z1 = modP2(Y2 * Z1);
|
|
|
|
return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
|
|
|
|
}
|
|
|
|
is0() {
|
|
|
|
return this.equals(Point2.ZERO);
|
|
|
|
}
|
|
|
|
negate() {
|
|
|
|
return new Point2(modP2(-this.ex), this.ey, this.ez, modP2(-this.et));
|
|
|
|
}
|
|
|
|
// Fast algo for doubling Extended Point.
|
|
|
|
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
|
|
|
|
// Cost: 4M + 4S + 1*a + 6add + 1*2.
|
|
|
|
double() {
|
|
|
|
const { a } = CURVE2;
|
|
|
|
const { ex: X1, ey: Y1, ez: Z1 } = this;
|
|
|
|
const A = modP2(X1 * X1);
|
|
|
|
const B = modP2(Y1 * Y1);
|
|
|
|
const C = modP2(_2n5 * modP2(Z1 * Z1));
|
|
|
|
const D = modP2(a * A);
|
|
|
|
const x1y1 = X1 + Y1;
|
|
|
|
const E = modP2(modP2(x1y1 * x1y1) - A - B);
|
|
|
|
const G2 = D + B;
|
|
|
|
const F = G2 - C;
|
|
|
|
const H = D - B;
|
|
|
|
const X3 = modP2(E * F);
|
|
|
|
const Y3 = modP2(G2 * H);
|
|
|
|
const T3 = modP2(E * H);
|
|
|
|
const Z3 = modP2(F * G2);
|
|
|
|
return new Point2(X3, Y3, Z3, T3);
|
|
|
|
}
|
|
|
|
// Fast algo for adding 2 Extended Points.
|
|
|
|
// https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
|
|
|
|
// Cost: 9M + 1*a + 1*d + 7add.
|
|
|
|
add(other) {
|
|
|
|
isPoint(other);
|
|
|
|
const { a, d } = CURVE2;
|
|
|
|
const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
|
|
|
|
const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
|
|
|
|
if (a === BigInt(-1)) {
|
|
|
|
const A2 = modP2((Y1 - X1) * (Y2 + X2));
|
|
|
|
const B2 = modP2((Y1 + X1) * (Y2 - X2));
|
|
|
|
const F2 = modP2(B2 - A2);
|
|
|
|
if (F2 === _0n6) return this.double();
|
|
|
|
const C2 = modP2(Z1 * _2n5 * T2);
|
|
|
|
const D2 = modP2(T1 * _2n5 * Z2);
|
|
|
|
const E2 = D2 + C2;
|
|
|
|
const G3 = B2 + A2;
|
|
|
|
const H2 = D2 - C2;
|
|
|
|
const X32 = modP2(E2 * F2);
|
|
|
|
const Y32 = modP2(G3 * H2);
|
|
|
|
const T32 = modP2(E2 * H2);
|
|
|
|
const Z32 = modP2(F2 * G3);
|
|
|
|
return new Point2(X32, Y32, Z32, T32);
|
|
|
|
}
|
|
|
|
const A = modP2(X1 * X2);
|
|
|
|
const B = modP2(Y1 * Y2);
|
|
|
|
const C = modP2(T1 * d * T2);
|
|
|
|
const D = modP2(Z1 * Z2);
|
|
|
|
const E = modP2((X1 + Y1) * (X2 + Y2) - A - B);
|
|
|
|
const F = D - C;
|
|
|
|
const G2 = D + C;
|
|
|
|
const H = modP2(B - a * A);
|
|
|
|
const X3 = modP2(E * F);
|
|
|
|
const Y3 = modP2(G2 * H);
|
|
|
|
const T3 = modP2(E * H);
|
|
|
|
const Z3 = modP2(F * G2);
|
|
|
|
return new Point2(X3, Y3, Z3, T3);
|
|
|
|
}
|
|
|
|
subtract(other) {
|
|
|
|
return this.add(other.negate());
|
|
|
|
}
|
|
|
|
wNAF(n) {
|
|
|
|
return wnaf.wNAFCached(this, pointPrecomputes, n, Point2.normalizeZ);
|
|
|
|
}
|
|
|
|
// Constant-time multiplication.
|
|
|
|
multiply(scalar) {
|
|
|
|
const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
|
|
|
|
return Point2.normalizeZ([p, f])[0];
|
|
|
|
}
|
|
|
|
// Non-constant-time multiplication. Uses double-and-add algorithm.
|
|
|
|
// It's faster, but should only be used when you don't care about
|
|
|
|
// an exposed private key e.g. sig verification.
|
|
|
|
// Does NOT allow scalars higher than CURVE.n.
|
|
|
|
multiplyUnsafe(scalar) {
|
|
|
|
let n = assertGE0(scalar);
|
|
|
|
if (n === _0n6) return I;
|
|
|
|
if (this.equals(I) || n === _1n6) return this;
|
|
|
|
if (this.equals(G)) return this.wNAF(n).p;
|
|
|
|
return wnaf.unsafeLadder(this, n);
|
|
|
|
}
|
|
|
|
// Checks if point is of small order.
|
|
|
|
// If you add something to small order point, you will have "dirty"
|
|
|
|
// point with torsion component.
|
|
|
|
// Multiplies point by cofactor and checks if the result is 0.
|
|
|
|
isSmallOrder() {
|
|
|
|
return this.multiplyUnsafe(cofactor).is0();
|
|
|
|
}
|
|
|
|
// Multiplies point by curve order and checks if the result is 0.
|
|
|
|
// Returns `false` is the point is dirty.
|
|
|
|
isTorsionFree() {
|
|
|
|
return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
|
|
|
|
}
|
|
|
|
// Converts Extended point to default (x, y) coordinates.
|
|
|
|
// Can accept precomputed Z^-1 - for example, from invertBatch.
|
|
|
|
toAffine(iz) {
|
|
|
|
const { ex: x, ey: y, ez: z } = this;
|
|
|
|
const is0 = this.is0();
|
|
|
|
if (iz == null) iz = is0 ? _8n2 : Fp8.inv(z);
|
|
|
|
const ax = modP2(x * iz);
|
|
|
|
const ay = modP2(y * iz);
|
|
|
|
const zz = modP2(z * iz);
|
|
|
|
if (is0) return { x: _0n6, y: _1n6 };
|
|
|
|
if (zz !== _1n6) throw new Error("invZ was invalid");
|
|
|
|
return { x: ax, y: ay };
|
|
|
|
}
|
|
|
|
clearCofactor() {
|
|
|
|
const { h: cofactor2 } = CURVE2;
|
|
|
|
if (cofactor2 === _1n6) return this;
|
|
|
|
return this.multiplyUnsafe(cofactor2);
|
|
|
|
}
|
|
|
|
// Converts hash string or Uint8Array to Point.
|
|
|
|
// Uses algo from RFC8032 5.1.3.
|
|
|
|
static fromHex(hex, zip215 = false) {
|
|
|
|
const { d, a } = CURVE2;
|
|
|
|
const len = Fp8.BYTES;
|
|
|
|
hex = ensureBytes("pointHex", hex, len);
|
|
|
|
const normed = hex.slice();
|
|
|
|
const lastByte = hex[len - 1];
|
|
|
|
normed[len - 1] = lastByte & ~128;
|
|
|
|
const y = bytesToNumberLE(normed);
|
|
|
|
if (y === _0n6) {
|
|
|
|
} else {
|
|
|
|
if (zip215) assertInRange(y, MASK);
|
|
|
|
else assertInRange(y, Fp8.ORDER);
|
|
|
|
}
|
|
|
|
const y2 = modP2(y * y);
|
|
|
|
const u = modP2(y2 - _1n6);
|
|
|
|
const v = modP2(d * y2 - a);
|
|
|
|
let { isValid, value: x } = uvRatio3(u, v);
|
|
|
|
if (!isValid) throw new Error("Point.fromHex: invalid y coordinate");
|
|
|
|
const isXOdd = (x & _1n6) === _1n6;
|
|
|
|
const isLastByteOdd = (lastByte & 128) !== 0;
|
|
|
|
if (!zip215 && x === _0n6 && isLastByteOdd)
|
|
|
|
throw new Error("Point.fromHex: x=0 and x_0=1");
|
|
|
|
if (isLastByteOdd !== isXOdd) x = modP2(-x);
|
|
|
|
return Point2.fromAffine({ x, y });
|
|
|
|
}
|
|
|
|
static fromPrivateKey(privKey) {
|
|
|
|
return getExtendedPublicKey(privKey).point;
|
|
|
|
}
|
|
|
|
toRawBytes() {
|
|
|
|
const { x, y } = this.toAffine();
|
|
|
|
const bytes2 = numberToBytesLE(y, Fp8.BYTES);
|
|
|
|
bytes2[bytes2.length - 1] |= x & _1n6 ? 128 : 0;
|
|
|
|
return bytes2;
|
|
|
|
}
|
|
|
|
toHex() {
|
|
|
|
return bytesToHex(this.toRawBytes());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
Point2.BASE = new Point2(
|
|
|
|
CURVE2.Gx,
|
|
|
|
CURVE2.Gy,
|
|
|
|
_1n6,
|
|
|
|
modP2(CURVE2.Gx * CURVE2.Gy),
|
|
|
|
);
|
|
|
|
Point2.ZERO = new Point2(_0n6, _1n6, _1n6, _0n6);
|
|
|
|
const { BASE: G, ZERO: I } = Point2;
|
|
|
|
const wnaf = wNAF(Point2, nByteLength * 8);
|
|
|
|
function modN2(a) {
|
|
|
|
return mod(a, CURVE_ORDER);
|
|
|
|
}
|
|
|
|
function modN_LE(hash2) {
|
|
|
|
return modN2(bytesToNumberLE(hash2));
|
|
|
|
}
|
|
|
|
function getExtendedPublicKey(key) {
|
|
|
|
const len = nByteLength;
|
|
|
|
key = ensureBytes("private key", key, len);
|
|
|
|
const hashed = ensureBytes("hashed private key", cHash(key), 2 * len);
|
|
|
|
const head = adjustScalarBytes3(hashed.slice(0, len));
|
|
|
|
const prefix = hashed.slice(len, 2 * len);
|
|
|
|
const scalar = modN_LE(head);
|
|
|
|
const point = G.multiply(scalar);
|
|
|
|
const pointBytes = point.toRawBytes();
|
|
|
|
return { head, prefix, scalar, point, pointBytes };
|
|
|
|
}
|
|
|
|
function getPublicKey(privKey) {
|
|
|
|
return getExtendedPublicKey(privKey).pointBytes;
|
|
|
|
}
|
|
|
|
function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
|
|
|
|
const msg = concatBytes(...msgs);
|
|
|
|
return modN_LE(
|
|
|
|
cHash(domain(msg, ensureBytes("context", context), !!prehash)),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
function sign(msg, privKey, options = {}) {
|
|
|
|
msg = ensureBytes("message", msg);
|
|
|
|
if (prehash) msg = prehash(msg);
|
|
|
|
const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
|
|
|
|
const r = hashDomainToScalar(options.context, prefix, msg);
|
|
|
|
const R = G.multiply(r).toRawBytes();
|
|
|
|
const k = hashDomainToScalar(options.context, R, pointBytes, msg);
|
|
|
|
const s = modN2(r + k * scalar);
|
|
|
|
assertGE0(s);
|
|
|
|
const res = concatBytes(R, numberToBytesLE(s, Fp8.BYTES));
|
|
|
|
return ensureBytes("result", res, nByteLength * 2);
|
|
|
|
}
|
|
|
|
const verifyOpts = VERIFY_DEFAULT;
|
|
|
|
function verify(sig, msg, publicKey, options = verifyOpts) {
|
|
|
|
const { context, zip215 } = options;
|
|
|
|
const len = Fp8.BYTES;
|
|
|
|
sig = ensureBytes("signature", sig, 2 * len);
|
|
|
|
msg = ensureBytes("message", msg);
|
|
|
|
if (prehash) msg = prehash(msg);
|
|
|
|
const s = bytesToNumberLE(sig.slice(len, 2 * len));
|
|
|
|
let A, R, SB;
|
|
|
|
try {
|
|
|
|
A = Point2.fromHex(publicKey, zip215);
|
|
|
|
R = Point2.fromHex(sig.slice(0, len), zip215);
|
|
|
|
SB = G.multiplyUnsafe(s);
|
|
|
|
} catch (error) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (!zip215 && A.isSmallOrder()) return false;
|
|
|
|
const k = hashDomainToScalar(
|
|
|
|
context,
|
|
|
|
R.toRawBytes(),
|
|
|
|
A.toRawBytes(),
|
|
|
|
msg,
|
|
|
|
);
|
|
|
|
const RkA = R.add(A.multiplyUnsafe(k));
|
|
|
|
return RkA.subtract(SB).clearCofactor().equals(Point2.ZERO);
|
|
|
|
}
|
|
|
|
G._setWindowSize(8);
|
|
|
|
const utils2 = {
|
|
|
|
getExtendedPublicKey,
|
|
|
|
// ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
|
|
|
|
randomPrivateKey: () => randomBytes2(Fp8.BYTES),
|
|
|
|
/**
|
|
|
|
* We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
|
|
|
|
* values. This slows down first getPublicKey() by milliseconds (see Speed section),
|
|
|
|
* but allows to speed-up subsequent getPublicKey() calls up to 20x.
|
|
|
|
* @param windowSize 2, 4, 8, 16
|
|
|
|
*/
|
|
|
|
precompute(windowSize = 8, point = Point2.BASE) {
|
|
|
|
point._setWindowSize(windowSize);
|
|
|
|
point.multiply(BigInt(3));
|
|
|
|
return point;
|
|
|
|
},
|
|
|
|
};
|
|
|
|
return {
|
|
|
|
CURVE: CURVE2,
|
|
|
|
getPublicKey,
|
|
|
|
sign,
|
|
|
|
verify,
|
|
|
|
ExtendedPoint: Point2,
|
|
|
|
utils: utils2,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/abstract/montgomery.js
|
|
|
|
var _0n7 = BigInt(0);
|
|
|
|
var _1n7 = BigInt(1);
|
|
|
|
function validateOpts3(curve) {
|
|
|
|
validateObject(
|
|
|
|
curve,
|
|
|
|
{
|
|
|
|
a: "bigint",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
montgomeryBits: "isSafeInteger",
|
|
|
|
nByteLength: "isSafeInteger",
|
|
|
|
adjustScalarBytes: "function",
|
|
|
|
domain: "function",
|
|
|
|
powPminus2: "function",
|
|
|
|
Gu: "bigint",
|
|
|
|
},
|
|
|
|
);
|
|
|
|
return Object.freeze({ ...curve });
|
|
|
|
}
|
|
|
|
function montgomery(curveDef) {
|
|
|
|
const CURVE2 = validateOpts3(curveDef);
|
|
|
|
const { P: P3 } = CURVE2;
|
|
|
|
const modP2 = (n) => mod(n, P3);
|
|
|
|
const montgomeryBits = CURVE2.montgomeryBits;
|
|
|
|
const montgomeryBytes = Math.ceil(montgomeryBits / 8);
|
|
|
|
const fieldLen = CURVE2.nByteLength;
|
|
|
|
const adjustScalarBytes3 = CURVE2.adjustScalarBytes || ((bytes2) => bytes2);
|
|
|
|
const powPminus2 = CURVE2.powPminus2 || ((x) => pow(x, P3 - BigInt(2), P3));
|
|
|
|
function cswap(swap, x_2, x_3) {
|
|
|
|
const dummy = modP2(swap * (x_2 - x_3));
|
|
|
|
x_2 = modP2(x_2 - dummy);
|
|
|
|
x_3 = modP2(x_3 + dummy);
|
|
|
|
return [x_2, x_3];
|
|
|
|
}
|
|
|
|
function assertFieldElement(n) {
|
|
|
|
if (typeof n === "bigint" && _0n7 <= n && n < P3) return n;
|
|
|
|
throw new Error("Expected valid scalar 0 < scalar < CURVE.P");
|
|
|
|
}
|
|
|
|
const a24 = (CURVE2.a - BigInt(2)) / BigInt(4);
|
|
|
|
function montgomeryLadder(pointU, scalar) {
|
|
|
|
const u = assertFieldElement(pointU);
|
|
|
|
const k = assertFieldElement(scalar);
|
|
|
|
const x_1 = u;
|
|
|
|
let x_2 = _1n7;
|
|
|
|
let z_2 = _0n7;
|
|
|
|
let x_3 = u;
|
|
|
|
let z_3 = _1n7;
|
|
|
|
let swap = _0n7;
|
|
|
|
let sw;
|
|
|
|
for (let t = BigInt(montgomeryBits - 1); t >= _0n7; t--) {
|
|
|
|
const k_t = (k >> t) & _1n7;
|
|
|
|
swap ^= k_t;
|
|
|
|
sw = cswap(swap, x_2, x_3);
|
|
|
|
x_2 = sw[0];
|
|
|
|
x_3 = sw[1];
|
|
|
|
sw = cswap(swap, z_2, z_3);
|
|
|
|
z_2 = sw[0];
|
|
|
|
z_3 = sw[1];
|
|
|
|
swap = k_t;
|
|
|
|
const A = x_2 + z_2;
|
|
|
|
const AA = modP2(A * A);
|
|
|
|
const B = x_2 - z_2;
|
|
|
|
const BB = modP2(B * B);
|
|
|
|
const E = AA - BB;
|
|
|
|
const C = x_3 + z_3;
|
|
|
|
const D = x_3 - z_3;
|
|
|
|
const DA = modP2(D * A);
|
|
|
|
const CB = modP2(C * B);
|
|
|
|
const dacb = DA + CB;
|
|
|
|
const da_cb = DA - CB;
|
|
|
|
x_3 = modP2(dacb * dacb);
|
|
|
|
z_3 = modP2(x_1 * modP2(da_cb * da_cb));
|
|
|
|
x_2 = modP2(AA * BB);
|
|
|
|
z_2 = modP2(E * (AA + modP2(a24 * E)));
|
|
|
|
}
|
|
|
|
sw = cswap(swap, x_2, x_3);
|
|
|
|
x_2 = sw[0];
|
|
|
|
x_3 = sw[1];
|
|
|
|
sw = cswap(swap, z_2, z_3);
|
|
|
|
z_2 = sw[0];
|
|
|
|
z_3 = sw[1];
|
|
|
|
const z2 = powPminus2(z_2);
|
|
|
|
return modP2(x_2 * z2);
|
|
|
|
}
|
|
|
|
function encodeUCoordinate(u) {
|
|
|
|
return numberToBytesLE(modP2(u), montgomeryBytes);
|
|
|
|
}
|
|
|
|
function decodeUCoordinate(uEnc) {
|
|
|
|
const u = ensureBytes("u coordinate", uEnc, montgomeryBytes);
|
|
|
|
if (fieldLen === montgomeryBytes) u[fieldLen - 1] &= 127;
|
|
|
|
return bytesToNumberLE(u);
|
|
|
|
}
|
|
|
|
function decodeScalar(n) {
|
|
|
|
const bytes2 = ensureBytes("scalar", n);
|
|
|
|
if (bytes2.length !== montgomeryBytes && bytes2.length !== fieldLen)
|
|
|
|
throw new Error(
|
|
|
|
`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes2.length}`,
|
|
|
|
);
|
|
|
|
return bytesToNumberLE(adjustScalarBytes3(bytes2));
|
|
|
|
}
|
|
|
|
function scalarMult(scalar, u) {
|
|
|
|
const pointU = decodeUCoordinate(u);
|
|
|
|
const _scalar = decodeScalar(scalar);
|
|
|
|
const pu = montgomeryLadder(pointU, _scalar);
|
|
|
|
if (pu === _0n7)
|
|
|
|
throw new Error("Invalid private or public key received");
|
|
|
|
return encodeUCoordinate(pu);
|
|
|
|
}
|
|
|
|
const GuBytes = encodeUCoordinate(CURVE2.Gu);
|
|
|
|
function scalarMultBase(scalar) {
|
|
|
|
return scalarMult(scalar, GuBytes);
|
|
|
|
}
|
|
|
|
return {
|
|
|
|
scalarMult,
|
|
|
|
scalarMultBase,
|
|
|
|
getSharedSecret: (privateKey, publicKey) =>
|
|
|
|
scalarMult(privateKey, publicKey),
|
|
|
|
getPublicKey: (privateKey) => scalarMultBase(privateKey),
|
|
|
|
utils: { randomPrivateKey: () => CURVE2.randomBytes(CURVE2.nByteLength) },
|
|
|
|
GuBytes,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/ed25519.js
|
|
|
|
var ED25519_P = BigInt(
|
|
|
|
"57896044618658097711785492504343953926634992332820282019728792003956564819949",
|
|
|
|
);
|
|
|
|
var ED25519_SQRT_M1 = BigInt(
|
|
|
|
"19681161376707505956807079304988542015446066515923890162744021073123829784752",
|
|
|
|
);
|
|
|
|
var _0n8 = BigInt(0);
|
|
|
|
var _1n8 = BigInt(1);
|
|
|
|
var _2n6 = BigInt(2);
|
|
|
|
var _5n2 = BigInt(5);
|
|
|
|
var _10n = BigInt(10);
|
|
|
|
var _20n = BigInt(20);
|
|
|
|
var _40n = BigInt(40);
|
|
|
|
var _80n = BigInt(80);
|
|
|
|
function ed25519_pow_2_252_3(x) {
|
|
|
|
const P3 = ED25519_P;
|
|
|
|
const x2 = (x * x) % P3;
|
|
|
|
const b2 = (x2 * x) % P3;
|
|
|
|
const b4 = (pow2(b2, _2n6, P3) * b2) % P3;
|
|
|
|
const b5 = (pow2(b4, _1n8, P3) * x) % P3;
|
|
|
|
const b10 = (pow2(b5, _5n2, P3) * b5) % P3;
|
|
|
|
const b20 = (pow2(b10, _10n, P3) * b10) % P3;
|
|
|
|
const b40 = (pow2(b20, _20n, P3) * b20) % P3;
|
|
|
|
const b80 = (pow2(b40, _40n, P3) * b40) % P3;
|
|
|
|
const b160 = (pow2(b80, _80n, P3) * b80) % P3;
|
|
|
|
const b240 = (pow2(b160, _80n, P3) * b80) % P3;
|
|
|
|
const b250 = (pow2(b240, _10n, P3) * b10) % P3;
|
|
|
|
const pow_p_5_8 = (pow2(b250, _2n6, P3) * x) % P3;
|
|
|
|
return { pow_p_5_8, b2 };
|
|
|
|
}
|
|
|
|
function adjustScalarBytes(bytes2) {
|
|
|
|
bytes2[0] &= 248;
|
|
|
|
bytes2[31] &= 127;
|
|
|
|
bytes2[31] |= 64;
|
|
|
|
return bytes2;
|
|
|
|
}
|
|
|
|
function uvRatio(u, v) {
|
|
|
|
const P3 = ED25519_P;
|
|
|
|
const v3 = mod(v * v * v, P3);
|
|
|
|
const v7 = mod(v3 * v3 * v, P3);
|
|
|
|
const pow3 = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
|
|
|
|
let x = mod(u * v3 * pow3, P3);
|
|
|
|
const vx2 = mod(v * x * x, P3);
|
|
|
|
const root1 = x;
|
|
|
|
const root2 = mod(x * ED25519_SQRT_M1, P3);
|
|
|
|
const useRoot1 = vx2 === u;
|
|
|
|
const useRoot2 = vx2 === mod(-u, P3);
|
|
|
|
const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P3);
|
|
|
|
if (useRoot1) x = root1;
|
|
|
|
if (useRoot2 || noRoot) x = root2;
|
|
|
|
if (isNegativeLE(x, P3)) x = mod(-x, P3);
|
|
|
|
return { isValid: useRoot1 || useRoot2, value: x };
|
|
|
|
}
|
|
|
|
var Fp2 = Field(ED25519_P, void 0, true);
|
|
|
|
var ed25519Defaults = {
|
|
|
|
// Param: a
|
|
|
|
a: BigInt(-1),
|
|
|
|
// d is equal to -121665/121666 over finite field.
|
|
|
|
// Negative number is P - number, and division is invert(number, P)
|
|
|
|
d: BigInt(
|
|
|
|
"37095705934669439343138083508754565189542113879843219016388785533085940283555",
|
|
|
|
),
|
|
|
|
// Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
|
|
|
|
Fp: Fp2,
|
|
|
|
// Subgroup order: how many points curve has
|
|
|
|
// 2n**252n + 27742317777372353535851937790883648493n;
|
|
|
|
n: BigInt(
|
|
|
|
"7237005577332262213973186563042994240857116359379907606001950938285454250989",
|
|
|
|
),
|
|
|
|
// Cofactor
|
|
|
|
h: BigInt(8),
|
|
|
|
// Base point (x, y) aka generator point
|
|
|
|
Gx: BigInt(
|
|
|
|
"15112221349535400772501151409588531511454012693041857206046113283949847762202",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"46316835694926478169428394003475163141307993866256225615783033603165251855960",
|
|
|
|
),
|
|
|
|
hash: sha512,
|
|
|
|
randomBytes,
|
|
|
|
adjustScalarBytes,
|
|
|
|
// dom2
|
|
|
|
// Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
|
|
|
|
// Constant-time, u/√v
|
|
|
|
uvRatio,
|
|
|
|
};
|
|
|
|
var ed25519 = /* @__PURE__ */ twistedEdwards(ed25519Defaults);
|
|
|
|
function ed25519_domain(data, ctx, phflag) {
|
|
|
|
if (ctx.length > 255) throw new Error("Context is too big");
|
|
|
|
return concatBytes2(
|
|
|
|
utf8ToBytes2("SigEd25519 no Ed25519 collisions"),
|
|
|
|
new Uint8Array([phflag ? 1 : 0, ctx.length]),
|
|
|
|
ctx,
|
|
|
|
data,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
var ed25519ctx = /* @__PURE__ */ twistedEdwards({
|
|
|
|
...ed25519Defaults,
|
|
|
|
domain: ed25519_domain,
|
|
|
|
});
|
|
|
|
var ed25519ph = /* @__PURE__ */ twistedEdwards({
|
|
|
|
...ed25519Defaults,
|
|
|
|
domain: ed25519_domain,
|
|
|
|
prehash: sha512,
|
|
|
|
});
|
|
|
|
var x25519 = /* @__PURE__ */ (() =>
|
|
|
|
montgomery({
|
|
|
|
P: ED25519_P,
|
|
|
|
a: BigInt(486662),
|
|
|
|
montgomeryBits: 255,
|
|
|
|
nByteLength: 32,
|
|
|
|
Gu: BigInt(9),
|
|
|
|
powPminus2: (x) => {
|
|
|
|
const P3 = ED25519_P;
|
|
|
|
const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
|
|
|
|
return mod(pow2(pow_p_5_8, BigInt(3), P3) * b2, P3);
|
|
|
|
},
|
|
|
|
adjustScalarBytes,
|
|
|
|
randomBytes,
|
|
|
|
}))();
|
|
|
|
function edwardsToMontgomeryPub(edwardsPub) {
|
|
|
|
const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
|
|
|
|
const _1n12 = BigInt(1);
|
|
|
|
return Fp2.toBytes(Fp2.create((_1n12 + y) * Fp2.inv(_1n12 - y)));
|
|
|
|
}
|
|
|
|
function edwardsToMontgomeryPriv(edwardsPriv) {
|
|
|
|
const hashed = ed25519Defaults.hash(edwardsPriv.subarray(0, 32));
|
|
|
|
return ed25519Defaults.adjustScalarBytes(hashed).subarray(0, 32);
|
|
|
|
}
|
|
|
|
var ELL2_C1 = (Fp2.ORDER + BigInt(3)) / BigInt(8);
|
|
|
|
var ELL2_C2 = Fp2.pow(_2n6, ELL2_C1);
|
|
|
|
var ELL2_C3 = Fp2.sqrt(Fp2.neg(Fp2.ONE));
|
|
|
|
var ELL2_C4 = (Fp2.ORDER - BigInt(5)) / BigInt(8);
|
|
|
|
var ELL2_J = BigInt(486662);
|
|
|
|
var ELL2_C1_EDWARDS = FpSqrtEven(Fp2, Fp2.neg(BigInt(486664)));
|
|
|
|
var SQRT_AD_MINUS_ONE = BigInt(
|
|
|
|
"25063068953384623474111414158702152701244531502492656460079210482610430750235",
|
|
|
|
);
|
|
|
|
var INVSQRT_A_MINUS_D = BigInt(
|
|
|
|
"54469307008909316920995813868745141605393597292927456921205312896311721017578",
|
|
|
|
);
|
|
|
|
var ONE_MINUS_D_SQ = BigInt(
|
|
|
|
"1159843021668779879193775521855586647937357759715417654439879720876111806838",
|
|
|
|
);
|
|
|
|
var D_MINUS_ONE_SQ = BigInt(
|
|
|
|
"40440834346308536858101042469323190826248399146238708352240133220865137265952",
|
|
|
|
);
|
|
|
|
var MAX_255B = BigInt(
|
|
|
|
"0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
|
|
|
|
);
|
|
|
|
|
|
|
|
// ../node_modules/@noble/hashes/esm/sha3.js
|
|
|
|
var [SHA3_PI, SHA3_ROTL, _SHA3_IOTA] = [[], [], []];
|
|
|
|
var _0n9 = /* @__PURE__ */ BigInt(0);
|
|
|
|
var _1n9 = /* @__PURE__ */ BigInt(1);
|
|
|
|
var _2n7 = /* @__PURE__ */ BigInt(2);
|
|
|
|
var _7n = /* @__PURE__ */ BigInt(7);
|
|
|
|
var _256n = /* @__PURE__ */ BigInt(256);
|
|
|
|
var _0x71n = /* @__PURE__ */ BigInt(113);
|
|
|
|
for (let round = 0, R = _1n9, x = 1, y = 0; round < 24; round++) {
|
|
|
|
[x, y] = [y, (2 * x + 3 * y) % 5];
|
|
|
|
SHA3_PI.push(2 * (5 * y + x));
|
|
|
|
SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64);
|
|
|
|
let t = _0n9;
|
|
|
|
for (let j = 0; j < 7; j++) {
|
|
|
|
R = ((R << _1n9) ^ ((R >> _7n) * _0x71n)) % _256n;
|
|
|
|
if (R & _2n7) t ^= _1n9 << ((_1n9 << /* @__PURE__ */ BigInt(j)) - _1n9);
|
|
|
|
}
|
|
|
|
_SHA3_IOTA.push(t);
|
|
|
|
}
|
|
|
|
var [SHA3_IOTA_H, SHA3_IOTA_L] = /* @__PURE__ */ split(_SHA3_IOTA, true);
|
|
|
|
var rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s));
|
|
|
|
var rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s));
|
|
|
|
function keccakP(s, rounds = 24) {
|
|
|
|
const B = new Uint32Array(5 * 2);
|
|
|
|
for (let round = 24 - rounds; round < 24; round++) {
|
|
|
|
for (let x = 0; x < 10; x++)
|
|
|
|
B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40];
|
|
|
|
for (let x = 0; x < 10; x += 2) {
|
|
|
|
const idx1 = (x + 8) % 10;
|
|
|
|
const idx0 = (x + 2) % 10;
|
|
|
|
const B0 = B[idx0];
|
|
|
|
const B1 = B[idx0 + 1];
|
|
|
|
const Th = rotlH(B0, B1, 1) ^ B[idx1];
|
|
|
|
const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1];
|
|
|
|
for (let y = 0; y < 50; y += 10) {
|
|
|
|
s[x + y] ^= Th;
|
|
|
|
s[x + y + 1] ^= Tl;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
let curH = s[2];
|
|
|
|
let curL = s[3];
|
|
|
|
for (let t = 0; t < 24; t++) {
|
|
|
|
const shift = SHA3_ROTL[t];
|
|
|
|
const Th = rotlH(curH, curL, shift);
|
|
|
|
const Tl = rotlL(curH, curL, shift);
|
|
|
|
const PI = SHA3_PI[t];
|
|
|
|
curH = s[PI];
|
|
|
|
curL = s[PI + 1];
|
|
|
|
s[PI] = Th;
|
|
|
|
s[PI + 1] = Tl;
|
|
|
|
}
|
|
|
|
for (let y = 0; y < 50; y += 10) {
|
|
|
|
for (let x = 0; x < 10; x++) B[x] = s[y + x];
|
|
|
|
for (let x = 0; x < 10; x++)
|
|
|
|
s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10];
|
|
|
|
}
|
|
|
|
s[0] ^= SHA3_IOTA_H[round];
|
|
|
|
s[1] ^= SHA3_IOTA_L[round];
|
|
|
|
}
|
|
|
|
B.fill(0);
|
|
|
|
}
|
|
|
|
var Keccak = class _Keccak extends Hash {
|
|
|
|
// NOTE: we accept arguments in bytes instead of bits here.
|
|
|
|
constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) {
|
|
|
|
super();
|
|
|
|
this.blockLen = blockLen;
|
|
|
|
this.suffix = suffix;
|
|
|
|
this.outputLen = outputLen;
|
|
|
|
this.enableXOF = enableXOF;
|
|
|
|
this.rounds = rounds;
|
|
|
|
this.pos = 0;
|
|
|
|
this.posOut = 0;
|
|
|
|
this.finished = false;
|
|
|
|
this.destroyed = false;
|
|
|
|
number(outputLen);
|
|
|
|
if (0 >= this.blockLen || this.blockLen >= 200)
|
|
|
|
throw new Error("Sha3 supports only keccak-f1600 function");
|
|
|
|
this.state = new Uint8Array(200);
|
|
|
|
this.state32 = u32(this.state);
|
|
|
|
}
|
|
|
|
keccak() {
|
|
|
|
keccakP(this.state32, this.rounds);
|
|
|
|
this.posOut = 0;
|
|
|
|
this.pos = 0;
|
|
|
|
}
|
|
|
|
update(data) {
|
|
|
|
exists(this);
|
|
|
|
const { blockLen, state } = this;
|
|
|
|
data = toBytes(data);
|
|
|
|
const len = data.length;
|
|
|
|
for (let pos = 0; pos < len; ) {
|
|
|
|
const take = Math.min(blockLen - this.pos, len - pos);
|
|
|
|
for (let i = 0; i < take; i++) state[this.pos++] ^= data[pos++];
|
|
|
|
if (this.pos === blockLen) this.keccak();
|
|
|
|
}
|
|
|
|
return this;
|
|
|
|
}
|
|
|
|
finish() {
|
|
|
|
if (this.finished) return;
|
|
|
|
this.finished = true;
|
|
|
|
const { state, suffix, pos, blockLen } = this;
|
|
|
|
state[pos] ^= suffix;
|
|
|
|
if ((suffix & 128) !== 0 && pos === blockLen - 1) this.keccak();
|
|
|
|
state[blockLen - 1] ^= 128;
|
|
|
|
this.keccak();
|
|
|
|
}
|
|
|
|
writeInto(out) {
|
|
|
|
exists(this, false);
|
|
|
|
bytes(out);
|
|
|
|
this.finish();
|
|
|
|
const bufferOut = this.state;
|
|
|
|
const { blockLen } = this;
|
|
|
|
for (let pos = 0, len = out.length; pos < len; ) {
|
|
|
|
if (this.posOut >= blockLen) this.keccak();
|
|
|
|
const take = Math.min(blockLen - this.posOut, len - pos);
|
|
|
|
out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos);
|
|
|
|
this.posOut += take;
|
|
|
|
pos += take;
|
|
|
|
}
|
|
|
|
return out;
|
|
|
|
}
|
|
|
|
xofInto(out) {
|
|
|
|
if (!this.enableXOF)
|
|
|
|
throw new Error("XOF is not possible for this instance");
|
|
|
|
return this.writeInto(out);
|
|
|
|
}
|
|
|
|
xof(bytes2) {
|
|
|
|
number(bytes2);
|
|
|
|
return this.xofInto(new Uint8Array(bytes2));
|
|
|
|
}
|
|
|
|
digestInto(out) {
|
|
|
|
output(out, this);
|
|
|
|
if (this.finished) throw new Error("digest() was already called");
|
|
|
|
this.writeInto(out);
|
|
|
|
this.destroy();
|
|
|
|
return out;
|
|
|
|
}
|
|
|
|
digest() {
|
|
|
|
return this.digestInto(new Uint8Array(this.outputLen));
|
|
|
|
}
|
|
|
|
destroy() {
|
|
|
|
this.destroyed = true;
|
|
|
|
this.state.fill(0);
|
|
|
|
}
|
|
|
|
_cloneInto(to) {
|
|
|
|
const { blockLen, suffix, outputLen, rounds, enableXOF } = this;
|
|
|
|
to || (to = new _Keccak(blockLen, suffix, outputLen, enableXOF, rounds));
|
|
|
|
to.state32.set(this.state32);
|
|
|
|
to.pos = this.pos;
|
|
|
|
to.posOut = this.posOut;
|
|
|
|
to.finished = this.finished;
|
|
|
|
to.rounds = rounds;
|
|
|
|
to.suffix = suffix;
|
|
|
|
to.outputLen = outputLen;
|
|
|
|
to.enableXOF = enableXOF;
|
|
|
|
to.destroyed = this.destroyed;
|
|
|
|
return to;
|
|
|
|
}
|
|
|
|
};
|
|
|
|
var gen = (suffix, blockLen, outputLen) =>
|
|
|
|
wrapConstructor(() => new Keccak(blockLen, suffix, outputLen));
|
|
|
|
var sha3_224 = /* @__PURE__ */ gen(6, 144, 224 / 8);
|
|
|
|
var sha3_256 = /* @__PURE__ */ gen(6, 136, 256 / 8);
|
|
|
|
var sha3_384 = /* @__PURE__ */ gen(6, 104, 384 / 8);
|
|
|
|
var sha3_512 = /* @__PURE__ */ gen(6, 72, 512 / 8);
|
|
|
|
var keccak_224 = /* @__PURE__ */ gen(1, 144, 224 / 8);
|
|
|
|
var keccak_256 = /* @__PURE__ */ gen(1, 136, 256 / 8);
|
|
|
|
var keccak_384 = /* @__PURE__ */ gen(1, 104, 384 / 8);
|
|
|
|
var keccak_512 = /* @__PURE__ */ gen(1, 72, 512 / 8);
|
|
|
|
var genShake = (suffix, blockLen, outputLen) =>
|
|
|
|
wrapXOFConstructorWithOpts(
|
|
|
|
(opts = {}) =>
|
|
|
|
new Keccak(
|
|
|
|
blockLen,
|
|
|
|
suffix,
|
|
|
|
opts.dkLen === void 0 ? outputLen : opts.dkLen,
|
|
|
|
true,
|
|
|
|
),
|
|
|
|
);
|
|
|
|
var shake128 = /* @__PURE__ */ genShake(31, 168, 128 / 8);
|
|
|
|
var shake256 = /* @__PURE__ */ genShake(31, 136, 256 / 8);
|
|
|
|
|
|
|
|
// ../esm/ed448.js
|
|
|
|
var shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
|
|
|
|
var shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
|
|
|
|
var ed448P = BigInt(
|
|
|
|
"726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439",
|
|
|
|
);
|
|
|
|
var _1n10 = BigInt(1);
|
|
|
|
var _2n8 = BigInt(2);
|
|
|
|
var _3n3 = BigInt(3);
|
|
|
|
var _4n3 = BigInt(4);
|
|
|
|
var _11n = BigInt(11);
|
|
|
|
var _22n = BigInt(22);
|
|
|
|
var _44n = BigInt(44);
|
|
|
|
var _88n = BigInt(88);
|
|
|
|
var _223n = BigInt(223);
|
|
|
|
function ed448_pow_Pminus3div4(x) {
|
|
|
|
const P3 = ed448P;
|
|
|
|
const b2 = (x * x * x) % P3;
|
|
|
|
const b3 = (b2 * b2 * x) % P3;
|
|
|
|
const b6 = (pow2(b3, _3n3, P3) * b3) % P3;
|
|
|
|
const b9 = (pow2(b6, _3n3, P3) * b3) % P3;
|
|
|
|
const b11 = (pow2(b9, _2n8, P3) * b2) % P3;
|
|
|
|
const b22 = (pow2(b11, _11n, P3) * b11) % P3;
|
|
|
|
const b44 = (pow2(b22, _22n, P3) * b22) % P3;
|
|
|
|
const b88 = (pow2(b44, _44n, P3) * b44) % P3;
|
|
|
|
const b176 = (pow2(b88, _88n, P3) * b88) % P3;
|
|
|
|
const b220 = (pow2(b176, _44n, P3) * b44) % P3;
|
|
|
|
const b222 = (pow2(b220, _2n8, P3) * b2) % P3;
|
|
|
|
const b223 = (pow2(b222, _1n10, P3) * x) % P3;
|
|
|
|
return (pow2(b223, _223n, P3) * b222) % P3;
|
|
|
|
}
|
|
|
|
function adjustScalarBytes2(bytes2) {
|
|
|
|
bytes2[0] &= 252;
|
|
|
|
bytes2[55] |= 128;
|
|
|
|
bytes2[56] = 0;
|
|
|
|
return bytes2;
|
|
|
|
}
|
|
|
|
function uvRatio2(u, v) {
|
|
|
|
const P3 = ed448P;
|
|
|
|
const u2v = mod(u * u * v, P3);
|
|
|
|
const u3v = mod(u2v * u, P3);
|
|
|
|
const u5v3 = mod(u3v * u2v * v, P3);
|
|
|
|
const root = ed448_pow_Pminus3div4(u5v3);
|
|
|
|
const x = mod(u3v * root, P3);
|
|
|
|
const x2 = mod(x * x, P3);
|
|
|
|
return { isValid: mod(x2 * v, P3) === u, value: x };
|
|
|
|
}
|
|
|
|
var Fp3 = Field(ed448P, 456, true);
|
|
|
|
var ED448_DEF = {
|
|
|
|
// Param: a
|
|
|
|
a: BigInt(1),
|
|
|
|
// -39081. Negative number is P - number
|
|
|
|
d: BigInt(
|
|
|
|
"726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358",
|
|
|
|
),
|
|
|
|
// Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
|
|
|
|
Fp: Fp3,
|
|
|
|
// Subgroup order: how many points curve has;
|
|
|
|
// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
|
|
|
|
n: BigInt(
|
|
|
|
"181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779",
|
|
|
|
),
|
|
|
|
nBitLength: 456,
|
|
|
|
// Cofactor
|
|
|
|
h: BigInt(4),
|
|
|
|
// Base point (x, y) aka generator point
|
|
|
|
Gx: BigInt(
|
|
|
|
"224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660",
|
|
|
|
),
|
|
|
|
// SHAKE256(dom4(phflag,context)||x, 114)
|
|
|
|
hash: shake256_114,
|
|
|
|
randomBytes,
|
|
|
|
adjustScalarBytes: adjustScalarBytes2,
|
|
|
|
// dom4
|
|
|
|
domain: (data, ctx, phflag) => {
|
|
|
|
if (ctx.length > 255)
|
|
|
|
throw new Error(`Context is too big: ${ctx.length}`);
|
|
|
|
return concatBytes2(
|
|
|
|
utf8ToBytes2("SigEd448"),
|
|
|
|
new Uint8Array([phflag ? 1 : 0, ctx.length]),
|
|
|
|
ctx,
|
|
|
|
data,
|
|
|
|
);
|
|
|
|
},
|
|
|
|
uvRatio: uvRatio2,
|
|
|
|
};
|
|
|
|
var ed448 = /* @__PURE__ */ twistedEdwards(ED448_DEF);
|
|
|
|
var ed448ph = /* @__PURE__ */ twistedEdwards({
|
|
|
|
...ED448_DEF,
|
|
|
|
prehash: shake256_64,
|
|
|
|
});
|
|
|
|
var x448 = /* @__PURE__ */ (() =>
|
|
|
|
montgomery({
|
|
|
|
a: BigInt(156326),
|
|
|
|
montgomeryBits: 448,
|
|
|
|
nByteLength: 57,
|
|
|
|
P: ed448P,
|
|
|
|
Gu: BigInt(5),
|
|
|
|
powPminus2: (x) => {
|
|
|
|
const P3 = ed448P;
|
|
|
|
const Pminus3div4 = ed448_pow_Pminus3div4(x);
|
|
|
|
const Pminus3 = pow2(Pminus3div4, BigInt(2), P3);
|
|
|
|
return mod(Pminus3 * x, P3);
|
|
|
|
},
|
|
|
|
adjustScalarBytes: adjustScalarBytes2,
|
|
|
|
randomBytes,
|
|
|
|
}))();
|
|
|
|
function edwardsToMontgomeryPub2(edwardsPub) {
|
|
|
|
const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
|
|
|
|
const _1n12 = BigInt(1);
|
|
|
|
return Fp3.toBytes(Fp3.create((y - _1n12) * Fp3.inv(y + _1n12)));
|
|
|
|
}
|
|
|
|
var ELL2_C12 = (Fp3.ORDER - BigInt(3)) / BigInt(4);
|
|
|
|
var ELL2_J2 = BigInt(156326);
|
|
|
|
var ONE_MINUS_D = BigInt("39082");
|
|
|
|
var ONE_MINUS_TWO_D = BigInt("78163");
|
|
|
|
var SQRT_MINUS_D = BigInt(
|
|
|
|
"98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214",
|
|
|
|
);
|
|
|
|
var INVSQRT_MINUS_D = BigInt(
|
|
|
|
"315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716",
|
|
|
|
);
|
|
|
|
var MAX_448B = BigInt(
|
|
|
|
"0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
|
|
|
|
);
|
|
|
|
|
|
|
|
// ../esm/p256.js
|
|
|
|
var Fp4 = Field(
|
|
|
|
BigInt(
|
|
|
|
"0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
|
|
|
|
),
|
|
|
|
);
|
|
|
|
var CURVE_A = Fp4.create(BigInt("-3"));
|
|
|
|
var CURVE_B = BigInt(
|
|
|
|
"0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
|
|
|
|
);
|
|
|
|
var p256 = createCurve(
|
|
|
|
{
|
|
|
|
a: CURVE_A,
|
|
|
|
b: CURVE_B,
|
|
|
|
Fp: Fp4,
|
|
|
|
// Curve order, total count of valid points in the field
|
|
|
|
n: BigInt(
|
|
|
|
"0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
|
|
|
|
),
|
|
|
|
// Base (generator) point (x, y)
|
|
|
|
Gx: BigInt(
|
|
|
|
"0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5",
|
|
|
|
),
|
|
|
|
h: BigInt(1),
|
|
|
|
lowS: false,
|
|
|
|
},
|
|
|
|
sha256,
|
|
|
|
);
|
|
|
|
|
|
|
|
// ../esm/p384.js
|
|
|
|
var P = BigInt(
|
|
|
|
"0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff",
|
|
|
|
);
|
|
|
|
var Fp5 = Field(P);
|
|
|
|
var CURVE_A2 = Fp5.create(BigInt("-3"));
|
|
|
|
var CURVE_B2 = BigInt(
|
|
|
|
"0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef",
|
|
|
|
);
|
|
|
|
var p384 = createCurve(
|
|
|
|
{
|
|
|
|
a: CURVE_A2,
|
|
|
|
b: CURVE_B2,
|
|
|
|
Fp: Fp5,
|
|
|
|
// Curve order, total count of valid points in the field.
|
|
|
|
n: BigInt(
|
|
|
|
"0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973",
|
|
|
|
),
|
|
|
|
// Base (generator) point (x, y)
|
|
|
|
Gx: BigInt(
|
|
|
|
"0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f",
|
|
|
|
),
|
|
|
|
h: BigInt(1),
|
|
|
|
lowS: false,
|
|
|
|
},
|
|
|
|
sha384,
|
|
|
|
);
|
|
|
|
|
|
|
|
// ../esm/p521.js
|
|
|
|
var P2 = BigInt(
|
|
|
|
"0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
|
|
|
|
);
|
|
|
|
var Fp6 = Field(P2);
|
|
|
|
var CURVE = {
|
|
|
|
a: Fp6.create(BigInt("-3")),
|
|
|
|
b: BigInt(
|
|
|
|
"0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00",
|
|
|
|
),
|
|
|
|
Fp: Fp6,
|
|
|
|
n: BigInt(
|
|
|
|
"0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
|
|
|
|
),
|
|
|
|
Gx: BigInt(
|
|
|
|
"0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650",
|
|
|
|
),
|
|
|
|
h: BigInt(1),
|
|
|
|
};
|
|
|
|
var p521 = createCurve(
|
|
|
|
{
|
|
|
|
a: CURVE.a,
|
|
|
|
b: CURVE.b,
|
|
|
|
Fp: Fp6,
|
|
|
|
// Curve order, total count of valid points in the field
|
|
|
|
n: CURVE.n,
|
|
|
|
Gx: CURVE.Gx,
|
|
|
|
Gy: CURVE.Gy,
|
|
|
|
h: CURVE.h,
|
|
|
|
lowS: false,
|
|
|
|
allowedPrivateKeyLengths: [130, 131, 132],
|
|
|
|
// P521 keys are variable-length. Normalize to 132b
|
|
|
|
},
|
|
|
|
sha512,
|
|
|
|
);
|
|
|
|
|
|
|
|
// ../esm/abstract/bls.js
|
|
|
|
var _2n9 = BigInt(2);
|
|
|
|
var _3n4 = BigInt(3);
|
|
|
|
function bls(CURVE2) {
|
|
|
|
const {
|
|
|
|
Fp: Fp8,
|
|
|
|
Fr: Fr2,
|
|
|
|
Fp2: Fp23,
|
|
|
|
Fp6: Fp63,
|
|
|
|
Fp12: Fp122,
|
|
|
|
} = CURVE2.fields;
|
|
|
|
const BLS_X_LEN2 = bitLen(CURVE2.params.x);
|
|
|
|
function calcPairingPrecomputes(p) {
|
|
|
|
const { x, y } = p;
|
|
|
|
const Qx = x,
|
|
|
|
Qy = y,
|
|
|
|
Qz = Fp23.ONE;
|
|
|
|
let Rx = Qx,
|
|
|
|
Ry = Qy,
|
|
|
|
Rz = Qz;
|
|
|
|
let ell_coeff = [];
|
|
|
|
for (let i = BLS_X_LEN2 - 2; i >= 0; i--) {
|
|
|
|
let t0 = Fp23.sqr(Ry);
|
|
|
|
let t1 = Fp23.sqr(Rz);
|
|
|
|
let t2 = Fp23.multiplyByB(Fp23.mul(t1, _3n4));
|
|
|
|
let t3 = Fp23.mul(t2, _3n4);
|
|
|
|
let t4 = Fp23.sub(Fp23.sub(Fp23.sqr(Fp23.add(Ry, Rz)), t1), t0);
|
|
|
|
ell_coeff.push([
|
|
|
|
Fp23.sub(t2, t0),
|
|
|
|
Fp23.mul(Fp23.sqr(Rx), _3n4),
|
|
|
|
Fp23.neg(t4),
|
|
|
|
// -T4
|
|
|
|
]);
|
|
|
|
Rx = Fp23.div(Fp23.mul(Fp23.mul(Fp23.sub(t0, t3), Rx), Ry), _2n9);
|
|
|
|
Ry = Fp23.sub(
|
|
|
|
Fp23.sqr(Fp23.div(Fp23.add(t0, t3), _2n9)),
|
|
|
|
Fp23.mul(Fp23.sqr(t2), _3n4),
|
|
|
|
);
|
|
|
|
Rz = Fp23.mul(t0, t4);
|
|
|
|
if (bitGet(CURVE2.params.x, i)) {
|
|
|
|
let t02 = Fp23.sub(Ry, Fp23.mul(Qy, Rz));
|
|
|
|
let t12 = Fp23.sub(Rx, Fp23.mul(Qx, Rz));
|
|
|
|
ell_coeff.push([
|
|
|
|
Fp23.sub(Fp23.mul(t02, Qx), Fp23.mul(t12, Qy)),
|
|
|
|
Fp23.neg(t02),
|
|
|
|
t12,
|
|
|
|
// T1
|
|
|
|
]);
|
|
|
|
let t22 = Fp23.sqr(t12);
|
|
|
|
let t32 = Fp23.mul(t22, t12);
|
|
|
|
let t42 = Fp23.mul(t22, Rx);
|
|
|
|
let t5 = Fp23.add(
|
|
|
|
Fp23.sub(t32, Fp23.mul(t42, _2n9)),
|
|
|
|
Fp23.mul(Fp23.sqr(t02), Rz),
|
|
|
|
);
|
|
|
|
Rx = Fp23.mul(t12, t5);
|
|
|
|
Ry = Fp23.sub(Fp23.mul(Fp23.sub(t42, t5), t02), Fp23.mul(t32, Ry));
|
|
|
|
Rz = Fp23.mul(Rz, t32);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ell_coeff;
|
|
|
|
}
|
|
|
|
function millerLoop(ell, g1) {
|
|
|
|
const { x } = CURVE2.params;
|
|
|
|
const Px = g1[0];
|
|
|
|
const Py = g1[1];
|
|
|
|
let f12 = Fp122.ONE;
|
|
|
|
for (let j = 0, i = BLS_X_LEN2 - 2; i >= 0; i--, j++) {
|
|
|
|
const E = ell[j];
|
|
|
|
f12 = Fp122.multiplyBy014(
|
|
|
|
f12,
|
|
|
|
E[0],
|
|
|
|
Fp23.mul(E[1], Px),
|
|
|
|
Fp23.mul(E[2], Py),
|
|
|
|
);
|
|
|
|
if (bitGet(x, i)) {
|
|
|
|
j += 1;
|
|
|
|
const F = ell[j];
|
|
|
|
f12 = Fp122.multiplyBy014(
|
|
|
|
f12,
|
|
|
|
F[0],
|
|
|
|
Fp23.mul(F[1], Px),
|
|
|
|
Fp23.mul(F[2], Py),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
if (i !== 0) f12 = Fp122.sqr(f12);
|
|
|
|
}
|
|
|
|
return Fp122.conjugate(f12);
|
|
|
|
}
|
|
|
|
const utils2 = {
|
|
|
|
randomPrivateKey: () => {
|
|
|
|
const length = getMinHashLength(Fr2.ORDER);
|
|
|
|
return mapHashToField(CURVE2.randomBytes(length), Fr2.ORDER);
|
|
|
|
},
|
|
|
|
calcPairingPrecomputes,
|
|
|
|
};
|
|
|
|
const G1_ = weierstrassPoints({ n: Fr2.ORDER, ...CURVE2.G1 });
|
|
|
|
const G1 = Object.assign(
|
|
|
|
G1_,
|
|
|
|
createHasher(G1_.ProjectivePoint, CURVE2.G1.mapToCurve, {
|
|
|
|
...CURVE2.htfDefaults,
|
|
|
|
...CURVE2.G1.htfDefaults,
|
|
|
|
}),
|
|
|
|
);
|
|
|
|
function pairingPrecomputes(point) {
|
|
|
|
const p = point;
|
|
|
|
if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
|
|
|
|
p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
|
|
|
|
return p._PPRECOMPUTES;
|
|
|
|
}
|
|
|
|
const G2_ = weierstrassPoints({ n: Fr2.ORDER, ...CURVE2.G2 });
|
|
|
|
const G2 = Object.assign(
|
|
|
|
G2_,
|
|
|
|
createHasher(G2_.ProjectivePoint, CURVE2.G2.mapToCurve, {
|
|
|
|
...CURVE2.htfDefaults,
|
|
|
|
...CURVE2.G2.htfDefaults,
|
|
|
|
}),
|
|
|
|
);
|
|
|
|
const { Signature } = CURVE2.G2;
|
|
|
|
function pairing(Q, P3, withFinalExponent = true) {
|
|
|
|
if (
|
|
|
|
Q.equals(G1.ProjectivePoint.ZERO) ||
|
|
|
|
P3.equals(G2.ProjectivePoint.ZERO)
|
|
|
|
)
|
|
|
|
throw new Error("pairing is not available for ZERO point");
|
|
|
|
Q.assertValidity();
|
|
|
|
P3.assertValidity();
|
|
|
|
const Qa = Q.toAffine();
|
|
|
|
const looped = millerLoop(pairingPrecomputes(P3), [Qa.x, Qa.y]);
|
|
|
|
return withFinalExponent ? Fp122.finalExponentiate(looped) : looped;
|
|
|
|
}
|
|
|
|
function normP1(point) {
|
|
|
|
return point instanceof G1.ProjectivePoint
|
|
|
|
? point
|
|
|
|
: G1.ProjectivePoint.fromHex(point);
|
|
|
|
}
|
|
|
|
function normP2(point) {
|
|
|
|
return point instanceof G2.ProjectivePoint
|
|
|
|
? point
|
|
|
|
: Signature.fromHex(point);
|
|
|
|
}
|
|
|
|
function normP2Hash(point, htfOpts) {
|
|
|
|
return point instanceof G2.ProjectivePoint
|
|
|
|
? point
|
|
|
|
: G2.hashToCurve(ensureBytes("point", point), htfOpts);
|
|
|
|
}
|
|
|
|
function getPublicKey(privateKey) {
|
|
|
|
return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
|
|
|
|
}
|
|
|
|
function sign(message, privateKey, htfOpts) {
|
|
|
|
const msgPoint = normP2Hash(message, htfOpts);
|
|
|
|
msgPoint.assertValidity();
|
|
|
|
const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
|
|
|
|
if (message instanceof G2.ProjectivePoint) return sigPoint;
|
|
|
|
return Signature.toRawBytes(sigPoint);
|
|
|
|
}
|
|
|
|
function verify(signature, message, publicKey, htfOpts) {
|
|
|
|
const P3 = normP1(publicKey);
|
|
|
|
const Hm = normP2Hash(message, htfOpts);
|
|
|
|
const G = G1.ProjectivePoint.BASE;
|
|
|
|
const S = normP2(signature);
|
|
|
|
const ePHm = pairing(P3.negate(), Hm, false);
|
|
|
|
const eGS = pairing(G, S, false);
|
|
|
|
const exp = Fp122.finalExponentiate(Fp122.mul(eGS, ePHm));
|
|
|
|
return Fp122.eql(exp, Fp122.ONE);
|
|
|
|
}
|
|
|
|
function aggregatePublicKeys(publicKeys) {
|
|
|
|
if (!publicKeys.length) throw new Error("Expected non-empty array");
|
|
|
|
const agg = publicKeys
|
|
|
|
.map(normP1)
|
|
|
|
.reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
|
|
|
|
const aggAffine = agg;
|
|
|
|
if (publicKeys[0] instanceof G1.ProjectivePoint) {
|
|
|
|
aggAffine.assertValidity();
|
|
|
|
return aggAffine;
|
|
|
|
}
|
|
|
|
return aggAffine.toRawBytes(true);
|
|
|
|
}
|
|
|
|
function aggregateSignatures(signatures) {
|
|
|
|
if (!signatures.length) throw new Error("Expected non-empty array");
|
|
|
|
const agg = signatures
|
|
|
|
.map(normP2)
|
|
|
|
.reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
|
|
|
|
const aggAffine = agg;
|
|
|
|
if (signatures[0] instanceof G2.ProjectivePoint) {
|
|
|
|
aggAffine.assertValidity();
|
|
|
|
return aggAffine;
|
|
|
|
}
|
|
|
|
return Signature.toRawBytes(aggAffine);
|
|
|
|
}
|
|
|
|
function verifyBatch(signature, messages, publicKeys, htfOpts) {
|
|
|
|
if (!messages.length)
|
|
|
|
throw new Error("Expected non-empty messages array");
|
|
|
|
if (publicKeys.length !== messages.length)
|
|
|
|
throw new Error("Pubkey count should equal msg count");
|
|
|
|
const sig = normP2(signature);
|
|
|
|
const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
|
|
|
|
const nPublicKeys = publicKeys.map(normP1);
|
|
|
|
try {
|
|
|
|
const paired = [];
|
|
|
|
for (const message of new Set(nMessages)) {
|
|
|
|
const groupPublicKey = nMessages.reduce(
|
|
|
|
(groupPublicKey2, subMessage, i) =>
|
|
|
|
subMessage === message
|
|
|
|
? groupPublicKey2.add(nPublicKeys[i])
|
|
|
|
: groupPublicKey2,
|
|
|
|
G1.ProjectivePoint.ZERO,
|
|
|
|
);
|
|
|
|
paired.push(pairing(groupPublicKey, message, false));
|
|
|
|
}
|
|
|
|
paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
|
|
|
|
const product = paired.reduce((a, b) => Fp122.mul(a, b), Fp122.ONE);
|
|
|
|
const exp = Fp122.finalExponentiate(product);
|
|
|
|
return Fp122.eql(exp, Fp122.ONE);
|
|
|
|
} catch {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
G1.ProjectivePoint.BASE._setWindowSize(4);
|
|
|
|
return {
|
|
|
|
getPublicKey,
|
|
|
|
sign,
|
|
|
|
verify,
|
|
|
|
verifyBatch,
|
|
|
|
aggregatePublicKeys,
|
|
|
|
aggregateSignatures,
|
|
|
|
millerLoop,
|
|
|
|
pairing,
|
|
|
|
G1,
|
|
|
|
G2,
|
|
|
|
Signature,
|
|
|
|
fields: {
|
|
|
|
Fr: Fr2,
|
|
|
|
Fp: Fp8,
|
|
|
|
Fp2: Fp23,
|
|
|
|
Fp6: Fp63,
|
|
|
|
Fp12: Fp122,
|
|
|
|
},
|
|
|
|
params: {
|
|
|
|
x: CURVE2.params.x,
|
|
|
|
r: CURVE2.params.r,
|
|
|
|
G1b: CURVE2.G1.b,
|
|
|
|
G2b: CURVE2.G2.b,
|
|
|
|
},
|
|
|
|
utils: utils2,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
// ../esm/bls12-381.js
|
|
|
|
var _0n10 = BigInt(0);
|
|
|
|
var _1n11 = BigInt(1);
|
|
|
|
var _2n10 = BigInt(2);
|
|
|
|
var _3n5 = BigInt(3);
|
|
|
|
var _4n4 = BigInt(4);
|
|
|
|
var _8n3 = BigInt(8);
|
|
|
|
var _16n2 = BigInt(16);
|
|
|
|
var Fp_raw = BigInt(
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab",
|
|
|
|
);
|
|
|
|
var Fp7 = Field(Fp_raw);
|
|
|
|
var Fr = Field(
|
|
|
|
BigInt(
|
|
|
|
"0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001",
|
|
|
|
),
|
|
|
|
);
|
|
|
|
var Fp2Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
|
|
c0: Fp7.add(c0, r0),
|
|
|
|
c1: Fp7.add(c1, r1),
|
|
|
|
});
|
|
|
|
var Fp2Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
|
|
c0: Fp7.sub(c0, r0),
|
|
|
|
c1: Fp7.sub(c1, r1),
|
|
|
|
});
|
|
|
|
var Fp2Multiply = ({ c0, c1 }, rhs) => {
|
|
|
|
if (typeof rhs === "bigint")
|
|
|
|
return { c0: Fp7.mul(c0, rhs), c1: Fp7.mul(c1, rhs) };
|
|
|
|
const { c0: r0, c1: r1 } = rhs;
|
|
|
|
let t1 = Fp7.mul(c0, r0);
|
|
|
|
let t2 = Fp7.mul(c1, r1);
|
|
|
|
const o0 = Fp7.sub(t1, t2);
|
|
|
|
const o1 = Fp7.sub(
|
|
|
|
Fp7.mul(Fp7.add(c0, c1), Fp7.add(r0, r1)),
|
|
|
|
Fp7.add(t1, t2),
|
|
|
|
);
|
|
|
|
return { c0: o0, c1: o1 };
|
|
|
|
};
|
|
|
|
var Fp2Square = ({ c0, c1 }) => {
|
|
|
|
const a = Fp7.add(c0, c1);
|
|
|
|
const b = Fp7.sub(c0, c1);
|
|
|
|
const c = Fp7.add(c0, c0);
|
|
|
|
return { c0: Fp7.mul(a, b), c1: Fp7.mul(c, c1) };
|
|
|
|
};
|
|
|
|
var FP2_ORDER = Fp_raw * Fp_raw;
|
|
|
|
var Fp22 = {
|
|
|
|
ORDER: FP2_ORDER,
|
|
|
|
BITS: bitLen(FP2_ORDER),
|
|
|
|
BYTES: Math.ceil(bitLen(FP2_ORDER) / 8),
|
|
|
|
MASK: bitMask(bitLen(FP2_ORDER)),
|
|
|
|
ZERO: { c0: Fp7.ZERO, c1: Fp7.ZERO },
|
|
|
|
ONE: { c0: Fp7.ONE, c1: Fp7.ZERO },
|
|
|
|
create: (num) => num,
|
|
|
|
isValid: ({ c0, c1 }) => typeof c0 === "bigint" && typeof c1 === "bigint",
|
|
|
|
is0: ({ c0, c1 }) => Fp7.is0(c0) && Fp7.is0(c1),
|
|
|
|
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp7.eql(c0, r0) && Fp7.eql(c1, r1),
|
|
|
|
neg: ({ c0, c1 }) => ({ c0: Fp7.neg(c0), c1: Fp7.neg(c1) }),
|
|
|
|
pow: (num, power) => FpPow(Fp22, num, power),
|
|
|
|
invertBatch: (nums) => FpInvertBatch(Fp22, nums),
|
|
|
|
// Normalized
|
|
|
|
add: Fp2Add,
|
|
|
|
sub: Fp2Subtract,
|
|
|
|
mul: Fp2Multiply,
|
|
|
|
sqr: Fp2Square,
|
|
|
|
// NonNormalized stuff
|
|
|
|
addN: Fp2Add,
|
|
|
|
subN: Fp2Subtract,
|
|
|
|
mulN: Fp2Multiply,
|
|
|
|
sqrN: Fp2Square,
|
|
|
|
// Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
|
|
|
|
div: (lhs, rhs) =>
|
|
|
|
Fp22.mul(
|
|
|
|
lhs,
|
|
|
|
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp22.inv(rhs),
|
|
|
|
),
|
|
|
|
inv: ({ c0: a, c1: b }) => {
|
|
|
|
const factor = Fp7.inv(Fp7.create(a * a + b * b));
|
|
|
|
return {
|
|
|
|
c0: Fp7.mul(factor, Fp7.create(a)),
|
|
|
|
c1: Fp7.mul(factor, Fp7.create(-b)),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
sqrt: (num) => {
|
|
|
|
if (Fp22.eql(num, Fp22.ZERO)) return Fp22.ZERO;
|
|
|
|
const candidateSqrt = Fp22.pow(num, (Fp22.ORDER + _8n3) / _16n2);
|
|
|
|
const check = Fp22.div(Fp22.sqr(candidateSqrt), num);
|
|
|
|
const R = FP2_ROOTS_OF_UNITY;
|
|
|
|
const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp22.eql(r, check));
|
|
|
|
if (!divisor) throw new Error("No root");
|
|
|
|
const index = R.indexOf(divisor);
|
|
|
|
const root = R[index / 2];
|
|
|
|
if (!root) throw new Error("Invalid root");
|
|
|
|
const x1 = Fp22.div(candidateSqrt, root);
|
|
|
|
const x2 = Fp22.neg(x1);
|
|
|
|
const { re: re1, im: im1 } = Fp22.reim(x1);
|
|
|
|
const { re: re2, im: im2 } = Fp22.reim(x2);
|
|
|
|
if (im1 > im2 || (im1 === im2 && re1 > re2)) return x1;
|
|
|
|
return x2;
|
|
|
|
},
|
|
|
|
// Same as sgn0_m_eq_2 in RFC 9380
|
|
|
|
isOdd: (x) => {
|
|
|
|
const { re: x0, im: x1 } = Fp22.reim(x);
|
|
|
|
const sign_0 = x0 % _2n10;
|
|
|
|
const zero_0 = x0 === _0n10;
|
|
|
|
const sign_1 = x1 % _2n10;
|
|
|
|
return BigInt(sign_0 || (zero_0 && sign_1)) == _1n11;
|
|
|
|
},
|
|
|
|
// Bytes util
|
|
|
|
fromBytes(b) {
|
|
|
|
if (b.length !== Fp22.BYTES)
|
|
|
|
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
|
|
return {
|
|
|
|
c0: Fp7.fromBytes(b.subarray(0, Fp7.BYTES)),
|
|
|
|
c1: Fp7.fromBytes(b.subarray(Fp7.BYTES)),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
toBytes: ({ c0, c1 }) => concatBytes(Fp7.toBytes(c0), Fp7.toBytes(c1)),
|
|
|
|
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
|
|
|
|
c0: Fp7.cmov(c0, r0, c),
|
|
|
|
c1: Fp7.cmov(c1, r1, c),
|
|
|
|
}),
|
|
|
|
// Specific utils
|
|
|
|
// toString() {
|
|
|
|
// return `Fp2(${this.c0} + ${this.c1}×i)`;
|
|
|
|
// }
|
|
|
|
reim: ({ c0, c1 }) => ({ re: c0, im: c1 }),
|
|
|
|
// multiply by u + 1
|
|
|
|
mulByNonresidue: ({ c0, c1 }) => ({
|
|
|
|
c0: Fp7.sub(c0, c1),
|
|
|
|
c1: Fp7.add(c0, c1),
|
|
|
|
}),
|
|
|
|
multiplyByB: ({ c0, c1 }) => {
|
|
|
|
let t0 = Fp7.mul(c0, _4n4);
|
|
|
|
let t1 = Fp7.mul(c1, _4n4);
|
|
|
|
return { c0: Fp7.sub(t0, t1), c1: Fp7.add(t0, t1) };
|
|
|
|
},
|
|
|
|
fromBigTuple: (tuple) => {
|
|
|
|
if (tuple.length !== 2) throw new Error("Invalid tuple");
|
|
|
|
const fps = tuple.map((n) => Fp7.create(n));
|
|
|
|
return { c0: fps[0], c1: fps[1] };
|
|
|
|
},
|
|
|
|
frobeniusMap: ({ c0, c1 }, power) => ({
|
|
|
|
c0,
|
|
|
|
c1: Fp7.mul(c1, FP2_FROBENIUS_COEFFICIENTS[power % 2]),
|
|
|
|
}),
|
|
|
|
};
|
|
|
|
var FP2_FROBENIUS_COEFFICIENTS = [
|
|
|
|
BigInt("0x1"),
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
|
|
|
|
),
|
|
|
|
].map((item) => Fp7.create(item));
|
|
|
|
var rv1 = BigInt(
|
|
|
|
"0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
|
|
|
|
);
|
|
|
|
var FP2_ROOTS_OF_UNITY = [
|
|
|
|
[_1n11, _0n10],
|
|
|
|
[rv1, -rv1],
|
|
|
|
[_0n10, _1n11],
|
|
|
|
[rv1, rv1],
|
|
|
|
[-_1n11, _0n10],
|
|
|
|
[-rv1, rv1],
|
|
|
|
[_0n10, -_1n11],
|
|
|
|
[-rv1, -rv1],
|
|
|
|
].map((pair) => Fp22.fromBigTuple(pair));
|
|
|
|
var Fp6Add = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
|
|
|
|
c0: Fp22.add(c0, r0),
|
|
|
|
c1: Fp22.add(c1, r1),
|
|
|
|
c2: Fp22.add(c2, r2),
|
|
|
|
});
|
|
|
|
var Fp6Subtract = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
|
|
|
|
c0: Fp22.sub(c0, r0),
|
|
|
|
c1: Fp22.sub(c1, r1),
|
|
|
|
c2: Fp22.sub(c2, r2),
|
|
|
|
});
|
|
|
|
var Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
|
|
|
|
if (typeof rhs === "bigint") {
|
|
|
|
return {
|
|
|
|
c0: Fp22.mul(c0, rhs),
|
|
|
|
c1: Fp22.mul(c1, rhs),
|
|
|
|
c2: Fp22.mul(c2, rhs),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
const { c0: r0, c1: r1, c2: r2 } = rhs;
|
|
|
|
const t0 = Fp22.mul(c0, r0);
|
|
|
|
const t1 = Fp22.mul(c1, r1);
|
|
|
|
const t2 = Fp22.mul(c2, r2);
|
|
|
|
return {
|
|
|
|
// t0 + (c1 + c2) * (r1 * r2) - (T1 + T2) * (u + 1)
|
|
|
|
c0: Fp22.add(
|
|
|
|
t0,
|
|
|
|
Fp22.mulByNonresidue(
|
|
|
|
Fp22.sub(
|
|
|
|
Fp22.mul(Fp22.add(c1, c2), Fp22.add(r1, r2)),
|
|
|
|
Fp22.add(t1, t2),
|
|
|
|
),
|
|
|
|
),
|
|
|
|
),
|
|
|
|
// (c0 + c1) * (r0 + r1) - (T0 + T1) + T2 * (u + 1)
|
|
|
|
c1: Fp22.add(
|
|
|
|
Fp22.sub(
|
|
|
|
Fp22.mul(Fp22.add(c0, c1), Fp22.add(r0, r1)),
|
|
|
|
Fp22.add(t0, t1),
|
|
|
|
),
|
|
|
|
Fp22.mulByNonresidue(t2),
|
|
|
|
),
|
|
|
|
// T1 + (c0 + c2) * (r0 + r2) - T0 + T2
|
|
|
|
c2: Fp22.sub(
|
|
|
|
Fp22.add(t1, Fp22.mul(Fp22.add(c0, c2), Fp22.add(r0, r2))),
|
|
|
|
Fp22.add(t0, t2),
|
|
|
|
),
|
|
|
|
};
|
|
|
|
};
|
|
|
|
var Fp6Square = ({ c0, c1, c2 }) => {
|
|
|
|
let t0 = Fp22.sqr(c0);
|
|
|
|
let t1 = Fp22.mul(Fp22.mul(c0, c1), _2n10);
|
|
|
|
let t3 = Fp22.mul(Fp22.mul(c1, c2), _2n10);
|
|
|
|
let t4 = Fp22.sqr(c2);
|
|
|
|
return {
|
|
|
|
c0: Fp22.add(Fp22.mulByNonresidue(t3), t0),
|
|
|
|
c1: Fp22.add(Fp22.mulByNonresidue(t4), t1),
|
|
|
|
// T1 + (c0 - c1 + c2)² + T3 - T0 - T4
|
|
|
|
c2: Fp22.sub(
|
|
|
|
Fp22.sub(
|
|
|
|
Fp22.add(Fp22.add(t1, Fp22.sqr(Fp22.add(Fp22.sub(c0, c1), c2))), t3),
|
|
|
|
t0,
|
|
|
|
),
|
|
|
|
t4,
|
|
|
|
),
|
|
|
|
};
|
|
|
|
};
|
|
|
|
var Fp62 = {
|
|
|
|
ORDER: Fp22.ORDER,
|
|
|
|
BITS: 3 * Fp22.BITS,
|
|
|
|
BYTES: 3 * Fp22.BYTES,
|
|
|
|
MASK: bitMask(3 * Fp22.BITS),
|
|
|
|
ZERO: { c0: Fp22.ZERO, c1: Fp22.ZERO, c2: Fp22.ZERO },
|
|
|
|
ONE: { c0: Fp22.ONE, c1: Fp22.ZERO, c2: Fp22.ZERO },
|
|
|
|
create: (num) => num,
|
|
|
|
isValid: ({ c0, c1, c2 }) =>
|
|
|
|
Fp22.isValid(c0) && Fp22.isValid(c1) && Fp22.isValid(c2),
|
|
|
|
is0: ({ c0, c1, c2 }) => Fp22.is0(c0) && Fp22.is0(c1) && Fp22.is0(c2),
|
|
|
|
neg: ({ c0, c1, c2 }) => ({
|
|
|
|
c0: Fp22.neg(c0),
|
|
|
|
c1: Fp22.neg(c1),
|
|
|
|
c2: Fp22.neg(c2),
|
|
|
|
}),
|
|
|
|
eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) =>
|
|
|
|
Fp22.eql(c0, r0) && Fp22.eql(c1, r1) && Fp22.eql(c2, r2),
|
|
|
|
sqrt: () => {
|
|
|
|
throw new Error("Not implemented");
|
|
|
|
},
|
|
|
|
// Do we need division by bigint at all? Should be done via order:
|
|
|
|
div: (lhs, rhs) =>
|
|
|
|
Fp62.mul(
|
|
|
|
lhs,
|
|
|
|
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp62.inv(rhs),
|
|
|
|
),
|
|
|
|
pow: (num, power) => FpPow(Fp62, num, power),
|
|
|
|
invertBatch: (nums) => FpInvertBatch(Fp62, nums),
|
|
|
|
// Normalized
|
|
|
|
add: Fp6Add,
|
|
|
|
sub: Fp6Subtract,
|
|
|
|
mul: Fp6Multiply,
|
|
|
|
sqr: Fp6Square,
|
|
|
|
// NonNormalized stuff
|
|
|
|
addN: Fp6Add,
|
|
|
|
subN: Fp6Subtract,
|
|
|
|
mulN: Fp6Multiply,
|
|
|
|
sqrN: Fp6Square,
|
|
|
|
inv: ({ c0, c1, c2 }) => {
|
|
|
|
let t0 = Fp22.sub(Fp22.sqr(c0), Fp22.mulByNonresidue(Fp22.mul(c2, c1)));
|
|
|
|
let t1 = Fp22.sub(Fp22.mulByNonresidue(Fp22.sqr(c2)), Fp22.mul(c0, c1));
|
|
|
|
let t2 = Fp22.sub(Fp22.sqr(c1), Fp22.mul(c0, c2));
|
|
|
|
let t4 = Fp22.inv(
|
|
|
|
Fp22.add(
|
|
|
|
Fp22.mulByNonresidue(Fp22.add(Fp22.mul(c2, t1), Fp22.mul(c1, t2))),
|
|
|
|
Fp22.mul(c0, t0),
|
|
|
|
),
|
|
|
|
);
|
|
|
|
return {
|
|
|
|
c0: Fp22.mul(t4, t0),
|
|
|
|
c1: Fp22.mul(t4, t1),
|
|
|
|
c2: Fp22.mul(t4, t2),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
// Bytes utils
|
|
|
|
fromBytes: (b) => {
|
|
|
|
if (b.length !== Fp62.BYTES)
|
|
|
|
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
|
|
return {
|
|
|
|
c0: Fp22.fromBytes(b.subarray(0, Fp22.BYTES)),
|
|
|
|
c1: Fp22.fromBytes(b.subarray(Fp22.BYTES, 2 * Fp22.BYTES)),
|
|
|
|
c2: Fp22.fromBytes(b.subarray(2 * Fp22.BYTES)),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
toBytes: ({ c0, c1, c2 }) =>
|
|
|
|
concatBytes(Fp22.toBytes(c0), Fp22.toBytes(c1), Fp22.toBytes(c2)),
|
|
|
|
cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({
|
|
|
|
c0: Fp22.cmov(c0, r0, c),
|
|
|
|
c1: Fp22.cmov(c1, r1, c),
|
|
|
|
c2: Fp22.cmov(c2, r2, c),
|
|
|
|
}),
|
|
|
|
// Utils
|
|
|
|
// fromTriple(triple: [Fp2, Fp2, Fp2]) {
|
|
|
|
// return new Fp6(...triple);
|
|
|
|
// }
|
|
|
|
// toString() {
|
|
|
|
// return `Fp6(${this.c0} + ${this.c1} * v, ${this.c2} * v^2)`;
|
|
|
|
// }
|
|
|
|
fromBigSix: (t) => {
|
|
|
|
if (!Array.isArray(t) || t.length !== 6)
|
|
|
|
throw new Error("Invalid Fp6 usage");
|
|
|
|
return {
|
|
|
|
c0: Fp22.fromBigTuple(t.slice(0, 2)),
|
|
|
|
c1: Fp22.fromBigTuple(t.slice(2, 4)),
|
|
|
|
c2: Fp22.fromBigTuple(t.slice(4, 6)),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
frobeniusMap: ({ c0, c1, c2 }, power) => ({
|
|
|
|
c0: Fp22.frobeniusMap(c0, power),
|
|
|
|
c1: Fp22.mul(
|
|
|
|
Fp22.frobeniusMap(c1, power),
|
|
|
|
FP6_FROBENIUS_COEFFICIENTS_1[power % 6],
|
|
|
|
),
|
|
|
|
c2: Fp22.mul(
|
|
|
|
Fp22.frobeniusMap(c2, power),
|
|
|
|
FP6_FROBENIUS_COEFFICIENTS_2[power % 6],
|
|
|
|
),
|
|
|
|
}),
|
|
|
|
mulByNonresidue: ({ c0, c1, c2 }) => ({
|
|
|
|
c0: Fp22.mulByNonresidue(c2),
|
|
|
|
c1: c0,
|
|
|
|
c2: c1,
|
|
|
|
}),
|
|
|
|
// Sparse multiplication
|
|
|
|
multiplyBy1: ({ c0, c1, c2 }, b1) => ({
|
|
|
|
c0: Fp22.mulByNonresidue(Fp22.mul(c2, b1)),
|
|
|
|
c1: Fp22.mul(c0, b1),
|
|
|
|
c2: Fp22.mul(c1, b1),
|
|
|
|
}),
|
|
|
|
// Sparse multiplication
|
|
|
|
multiplyBy01({ c0, c1, c2 }, b0, b1) {
|
|
|
|
let t0 = Fp22.mul(c0, b0);
|
|
|
|
let t1 = Fp22.mul(c1, b1);
|
|
|
|
return {
|
|
|
|
// ((c1 + c2) * b1 - T1) * (u + 1) + T0
|
|
|
|
c0: Fp22.add(
|
|
|
|
Fp22.mulByNonresidue(Fp22.sub(Fp22.mul(Fp22.add(c1, c2), b1), t1)),
|
|
|
|
t0,
|
|
|
|
),
|
|
|
|
// (b0 + b1) * (c0 + c1) - T0 - T1
|
|
|
|
c1: Fp22.sub(
|
|
|
|
Fp22.sub(Fp22.mul(Fp22.add(b0, b1), Fp22.add(c0, c1)), t0),
|
|
|
|
t1,
|
|
|
|
),
|
|
|
|
// (c0 + c2) * b0 - T0 + T1
|
|
|
|
c2: Fp22.add(Fp22.sub(Fp22.mul(Fp22.add(c0, c2), b0), t0), t1),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
multiplyByFp2: ({ c0, c1, c2 }, rhs) => ({
|
|
|
|
c0: Fp22.mul(c0, rhs),
|
|
|
|
c1: Fp22.mul(c1, rhs),
|
|
|
|
c2: Fp22.mul(c2, rhs),
|
|
|
|
}),
|
|
|
|
};
|
|
|
|
var FP6_FROBENIUS_COEFFICIENTS_1 = [
|
|
|
|
[BigInt("0x1"), BigInt("0x0")],
|
|
|
|
[
|
|
|
|
BigInt("0x0"),
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[BigInt("0x0"), BigInt("0x1")],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt("0x0"),
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
].map((pair) => Fp22.fromBigTuple(pair));
|
|
|
|
var FP6_FROBENIUS_COEFFICIENTS_2 = [
|
|
|
|
[BigInt("0x1"), BigInt("0x0")],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
].map((pair) => Fp22.fromBigTuple(pair));
|
|
|
|
var BLS_X = BigInt("0xd201000000010000");
|
|
|
|
var BLS_X_LEN = bitLen(BLS_X);
|
|
|
|
var Fp12Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
|
|
c0: Fp62.add(c0, r0),
|
|
|
|
c1: Fp62.add(c1, r1),
|
|
|
|
});
|
|
|
|
var Fp12Subtract = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
|
|
|
|
c0: Fp62.sub(c0, r0),
|
|
|
|
c1: Fp62.sub(c1, r1),
|
|
|
|
});
|
|
|
|
var Fp12Multiply = ({ c0, c1 }, rhs) => {
|
|
|
|
if (typeof rhs === "bigint")
|
|
|
|
return { c0: Fp62.mul(c0, rhs), c1: Fp62.mul(c1, rhs) };
|
|
|
|
let { c0: r0, c1: r1 } = rhs;
|
|
|
|
let t1 = Fp62.mul(c0, r0);
|
|
|
|
let t2 = Fp62.mul(c1, r1);
|
|
|
|
return {
|
|
|
|
c0: Fp62.add(t1, Fp62.mulByNonresidue(t2)),
|
|
|
|
// (c0 + c1) * (r0 + r1) - (T1 + T2)
|
|
|
|
c1: Fp62.sub(
|
|
|
|
Fp62.mul(Fp62.add(c0, c1), Fp62.add(r0, r1)),
|
|
|
|
Fp62.add(t1, t2),
|
|
|
|
),
|
|
|
|
};
|
|
|
|
};
|
|
|
|
var Fp12Square = ({ c0, c1 }) => {
|
|
|
|
let ab = Fp62.mul(c0, c1);
|
|
|
|
return {
|
|
|
|
// (c1 * v + c0) * (c0 + c1) - AB - AB * v
|
|
|
|
c0: Fp62.sub(
|
|
|
|
Fp62.sub(
|
|
|
|
Fp62.mul(Fp62.add(Fp62.mulByNonresidue(c1), c0), Fp62.add(c0, c1)),
|
|
|
|
ab,
|
|
|
|
),
|
|
|
|
Fp62.mulByNonresidue(ab),
|
|
|
|
),
|
|
|
|
c1: Fp62.add(ab, ab),
|
|
|
|
};
|
|
|
|
};
|
|
|
|
function Fp4Square(a, b) {
|
|
|
|
const a2 = Fp22.sqr(a);
|
|
|
|
const b2 = Fp22.sqr(b);
|
|
|
|
return {
|
|
|
|
first: Fp22.add(Fp22.mulByNonresidue(b2), a2),
|
|
|
|
second: Fp22.sub(Fp22.sub(Fp22.sqr(Fp22.add(a, b)), a2), b2),
|
|
|
|
// (a + b)² - a² - b²
|
|
|
|
};
|
|
|
|
}
|
|
|
|
var Fp12 = {
|
|
|
|
ORDER: Fp22.ORDER,
|
|
|
|
BITS: 2 * Fp22.BITS,
|
|
|
|
BYTES: 2 * Fp22.BYTES,
|
|
|
|
MASK: bitMask(2 * Fp22.BITS),
|
|
|
|
ZERO: { c0: Fp62.ZERO, c1: Fp62.ZERO },
|
|
|
|
ONE: { c0: Fp62.ONE, c1: Fp62.ZERO },
|
|
|
|
create: (num) => num,
|
|
|
|
isValid: ({ c0, c1 }) => Fp62.isValid(c0) && Fp62.isValid(c1),
|
|
|
|
is0: ({ c0, c1 }) => Fp62.is0(c0) && Fp62.is0(c1),
|
|
|
|
neg: ({ c0, c1 }) => ({ c0: Fp62.neg(c0), c1: Fp62.neg(c1) }),
|
|
|
|
eql: ({ c0, c1 }, { c0: r0, c1: r1 }) =>
|
|
|
|
Fp62.eql(c0, r0) && Fp62.eql(c1, r1),
|
|
|
|
sqrt: () => {
|
|
|
|
throw new Error("Not implemented");
|
|
|
|
},
|
|
|
|
inv: ({ c0, c1 }) => {
|
|
|
|
let t = Fp62.inv(
|
|
|
|
Fp62.sub(Fp62.sqr(c0), Fp62.mulByNonresidue(Fp62.sqr(c1))),
|
|
|
|
);
|
|
|
|
return { c0: Fp62.mul(c0, t), c1: Fp62.neg(Fp62.mul(c1, t)) };
|
|
|
|
},
|
|
|
|
div: (lhs, rhs) =>
|
|
|
|
Fp12.mul(
|
|
|
|
lhs,
|
|
|
|
typeof rhs === "bigint" ? Fp7.inv(Fp7.create(rhs)) : Fp12.inv(rhs),
|
|
|
|
),
|
|
|
|
pow: (num, power) => FpPow(Fp12, num, power),
|
|
|
|
invertBatch: (nums) => FpInvertBatch(Fp12, nums),
|
|
|
|
// Normalized
|
|
|
|
add: Fp12Add,
|
|
|
|
sub: Fp12Subtract,
|
|
|
|
mul: Fp12Multiply,
|
|
|
|
sqr: Fp12Square,
|
|
|
|
// NonNormalized stuff
|
|
|
|
addN: Fp12Add,
|
|
|
|
subN: Fp12Subtract,
|
|
|
|
mulN: Fp12Multiply,
|
|
|
|
sqrN: Fp12Square,
|
|
|
|
// Bytes utils
|
|
|
|
fromBytes: (b) => {
|
|
|
|
if (b.length !== Fp12.BYTES)
|
|
|
|
throw new Error(`fromBytes wrong length=${b.length}`);
|
|
|
|
return {
|
|
|
|
c0: Fp62.fromBytes(b.subarray(0, Fp62.BYTES)),
|
|
|
|
c1: Fp62.fromBytes(b.subarray(Fp62.BYTES)),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
toBytes: ({ c0, c1 }) => concatBytes(Fp62.toBytes(c0), Fp62.toBytes(c1)),
|
|
|
|
cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
|
|
|
|
c0: Fp62.cmov(c0, r0, c),
|
|
|
|
c1: Fp62.cmov(c1, r1, c),
|
|
|
|
}),
|
|
|
|
// Utils
|
|
|
|
// toString() {
|
|
|
|
// return `Fp12(${this.c0} + ${this.c1} * w)`;
|
|
|
|
// },
|
|
|
|
// fromTuple(c: [Fp6, Fp6]) {
|
|
|
|
// return new Fp12(...c);
|
|
|
|
// }
|
|
|
|
fromBigTwelve: (t) => ({
|
|
|
|
c0: Fp62.fromBigSix(t.slice(0, 6)),
|
|
|
|
c1: Fp62.fromBigSix(t.slice(6, 12)),
|
|
|
|
}),
|
|
|
|
// Raises to q**i -th power
|
|
|
|
frobeniusMap(lhs, power) {
|
|
|
|
const r0 = Fp62.frobeniusMap(lhs.c0, power);
|
|
|
|
const { c0, c1, c2 } = Fp62.frobeniusMap(lhs.c1, power);
|
|
|
|
const coeff = FP12_FROBENIUS_COEFFICIENTS[power % 12];
|
|
|
|
return {
|
|
|
|
c0: r0,
|
|
|
|
c1: Fp62.create({
|
|
|
|
c0: Fp22.mul(c0, coeff),
|
|
|
|
c1: Fp22.mul(c1, coeff),
|
|
|
|
c2: Fp22.mul(c2, coeff),
|
|
|
|
}),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
// Sparse multiplication
|
|
|
|
multiplyBy014: ({ c0, c1 }, o0, o1, o4) => {
|
|
|
|
let t0 = Fp62.multiplyBy01(c0, o0, o1);
|
|
|
|
let t1 = Fp62.multiplyBy1(c1, o4);
|
|
|
|
return {
|
|
|
|
c0: Fp62.add(Fp62.mulByNonresidue(t1), t0),
|
|
|
|
// (c1 + c0) * [o0, o1+o4] - T0 - T1
|
|
|
|
c1: Fp62.sub(
|
|
|
|
Fp62.sub(
|
|
|
|
Fp62.multiplyBy01(Fp62.add(c1, c0), o0, Fp22.add(o1, o4)),
|
|
|
|
t0,
|
|
|
|
),
|
|
|
|
t1,
|
|
|
|
),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
multiplyByFp2: ({ c0, c1 }, rhs) => ({
|
|
|
|
c0: Fp62.multiplyByFp2(c0, rhs),
|
|
|
|
c1: Fp62.multiplyByFp2(c1, rhs),
|
|
|
|
}),
|
|
|
|
conjugate: ({ c0, c1 }) => ({ c0, c1: Fp62.neg(c1) }),
|
|
|
|
// A cyclotomic group is a subgroup of Fp^n defined by
|
|
|
|
// GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
|
|
|
|
// The result of any pairing is in a cyclotomic subgroup
|
|
|
|
// https://eprint.iacr.org/2009/565.pdf
|
|
|
|
_cyclotomicSquare: ({ c0, c1 }) => {
|
|
|
|
const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
|
|
|
|
const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
|
|
|
|
const { first: t3, second: t4 } = Fp4Square(c0c0, c1c1);
|
|
|
|
const { first: t5, second: t6 } = Fp4Square(c1c0, c0c2);
|
|
|
|
const { first: t7, second: t8 } = Fp4Square(c0c1, c1c2);
|
|
|
|
let t9 = Fp22.mulByNonresidue(t8);
|
|
|
|
return {
|
|
|
|
c0: Fp62.create({
|
|
|
|
c0: Fp22.add(Fp22.mul(Fp22.sub(t3, c0c0), _2n10), t3),
|
|
|
|
c1: Fp22.add(Fp22.mul(Fp22.sub(t5, c0c1), _2n10), t5),
|
|
|
|
c2: Fp22.add(Fp22.mul(Fp22.sub(t7, c0c2), _2n10), t7),
|
|
|
|
}),
|
|
|
|
c1: Fp62.create({
|
|
|
|
c0: Fp22.add(Fp22.mul(Fp22.add(t9, c1c0), _2n10), t9),
|
|
|
|
c1: Fp22.add(Fp22.mul(Fp22.add(t4, c1c1), _2n10), t4),
|
|
|
|
c2: Fp22.add(Fp22.mul(Fp22.add(t6, c1c2), _2n10), t6),
|
|
|
|
}),
|
|
|
|
};
|
|
|
|
},
|
|
|
|
_cyclotomicExp(num, n) {
|
|
|
|
let z = Fp12.ONE;
|
|
|
|
for (let i = BLS_X_LEN - 1; i >= 0; i--) {
|
|
|
|
z = Fp12._cyclotomicSquare(z);
|
|
|
|
if (bitGet(n, i)) z = Fp12.mul(z, num);
|
|
|
|
}
|
|
|
|
return z;
|
|
|
|
},
|
|
|
|
// https://eprint.iacr.org/2010/354.pdf
|
|
|
|
// https://eprint.iacr.org/2009/565.pdf
|
|
|
|
finalExponentiate: (num) => {
|
|
|
|
const x = BLS_X;
|
|
|
|
const t0 = Fp12.div(Fp12.frobeniusMap(num, 6), num);
|
|
|
|
const t1 = Fp12.mul(Fp12.frobeniusMap(t0, 2), t0);
|
|
|
|
const t2 = Fp12.conjugate(Fp12._cyclotomicExp(t1, x));
|
|
|
|
const t3 = Fp12.mul(Fp12.conjugate(Fp12._cyclotomicSquare(t1)), t2);
|
|
|
|
const t4 = Fp12.conjugate(Fp12._cyclotomicExp(t3, x));
|
|
|
|
const t5 = Fp12.conjugate(Fp12._cyclotomicExp(t4, x));
|
|
|
|
const t6 = Fp12.mul(
|
|
|
|
Fp12.conjugate(Fp12._cyclotomicExp(t5, x)),
|
|
|
|
Fp12._cyclotomicSquare(t2),
|
|
|
|
);
|
|
|
|
const t7 = Fp12.conjugate(Fp12._cyclotomicExp(t6, x));
|
|
|
|
const t2_t5_pow_q2 = Fp12.frobeniusMap(Fp12.mul(t2, t5), 2);
|
|
|
|
const t4_t1_pow_q3 = Fp12.frobeniusMap(Fp12.mul(t4, t1), 3);
|
|
|
|
const t6_t1c_pow_q1 = Fp12.frobeniusMap(
|
|
|
|
Fp12.mul(t6, Fp12.conjugate(t1)),
|
|
|
|
1,
|
|
|
|
);
|
|
|
|
const t7_t3c_t1 = Fp12.mul(Fp12.mul(t7, Fp12.conjugate(t3)), t1);
|
|
|
|
return Fp12.mul(
|
|
|
|
Fp12.mul(Fp12.mul(t2_t5_pow_q2, t4_t1_pow_q3), t6_t1c_pow_q1),
|
|
|
|
t7_t3c_t1,
|
|
|
|
);
|
|
|
|
},
|
|
|
|
};
|
|
|
|
var FP12_FROBENIUS_COEFFICIENTS = [
|
|
|
|
[BigInt("0x1"), BigInt("0x0")],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad",
|
|
|
|
),
|
|
|
|
BigInt("0x0"),
|
|
|
|
],
|
|
|
|
[
|
|
|
|
BigInt(
|
|
|
|
"0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995",
|
|
|
|
),
|
|
|
|
],
|
|
|
|
].map((n) => Fp22.fromBigTuple(n));
|
|
|
|
var isogenyMapG2 = isogenyMap(
|
|
|
|
Fp22,
|
|
|
|
[
|
|
|
|
// xNum
|
|
|
|
[
|
|
|
|
[
|
|
|
|
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
|
|
|
|
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97d6",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x0",
|
|
|
|
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71a",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71e",
|
|
|
|
"0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38d",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x171d6541fa38ccfaed6dea691f5fb614cb14b4e7f4e810aa22d6108f142b85757098e38d0f671c7188e2aaaaaaaa5ed1",
|
|
|
|
"0x0",
|
|
|
|
],
|
|
|
|
],
|
|
|
|
// xDen
|
|
|
|
[
|
|
|
|
[
|
|
|
|
"0x0",
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa63",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0xc",
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa9f",
|
|
|
|
],
|
|
|
|
["0x1", "0x0"],
|
|
|
|
// LAST 1
|
|
|
|
],
|
|
|
|
// yNum
|
|
|
|
[
|
|
|
|
[
|
|
|
|
"0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706",
|
|
|
|
"0x1530477c7ab4113b59a4c18b076d11930f7da5d4a07f649bf54439d87d27e500fc8c25ebf8c92f6812cfc71c71c6d706",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x0",
|
|
|
|
"0x5c759507e8e333ebb5b7a9a47d7ed8532c52d39fd3a042a88b58423c50ae15d5c2638e343d9c71c6238aaaaaaaa97be",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x11560bf17baa99bc32126fced787c88f984f87adf7ae0c7f9a208c6b4f20a4181472aaa9cb8d555526a9ffffffffc71c",
|
|
|
|
"0x8ab05f8bdd54cde190937e76bc3e447cc27c3d6fbd7063fcd104635a790520c0a395554e5c6aaaa9354ffffffffe38f",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x124c9ad43b6cf79bfbf7043de3811ad0761b0f37a1e26286b0e977c69aa274524e79097a56dc4bd9e1b371c71c718b10",
|
|
|
|
"0x0",
|
|
|
|
],
|
|
|
|
],
|
|
|
|
// yDen
|
|
|
|
[
|
|
|
|
[
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb",
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa8fb",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x0",
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffa9d3",
|
|
|
|
],
|
|
|
|
[
|
|
|
|
"0x12",
|
|
|
|
"0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaa99",
|
|
|
|
],
|
|
|
|
["0x1", "0x0"],
|
|
|
|
// LAST 1
|
|
|
|
],
|
|
|
|
].map((i) => i.map((pair) => Fp22.fromBigTuple(pair.map(BigInt)))),
|
|
|
|
);
|
|
|
|
var isogenyMapG1 = isogenyMap(
|
|
|
|
Fp7,
|
|
|
|
[
|
|
|
|
// xNum
|
|
|
|
[
|
|
|
|
"0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7",
|
|
|
|
"0x17294ed3e943ab2f0588bab22147a81c7c17e75b2f6a8417f565e33c70d1e86b4838f2a6f318c356e834eef1b3cb83bb",
|
|
|
|
"0xd54005db97678ec1d1048c5d10a9a1bce032473295983e56878e501ec68e25c958c3e3d2a09729fe0179f9dac9edcb0",
|
|
|
|
"0x1778e7166fcc6db74e0609d307e55412d7f5e4656a8dbf25f1b33289f1b330835336e25ce3107193c5b388641d9b6861",
|
|
|
|
"0xe99726a3199f4436642b4b3e4118e5499db995a1257fb3f086eeb65982fac18985a286f301e77c451154ce9ac8895d9",
|
|
|
|
"0x1630c3250d7313ff01d1201bf7a74ab5db3cb17dd952799b9ed3ab9097e68f90a0870d2dcae73d19cd13c1c66f652983",
|
|
|
|
"0xd6ed6553fe44d296a3726c38ae652bfb11586264f0f8ce19008e218f9c86b2a8da25128c1052ecaddd7f225a139ed84",
|
|
|
|
"0x17b81e7701abdbe2e8743884d1117e53356de5ab275b4db1a682c62ef0f2753339b7c8f8c8f475af9ccb5618e3f0c88e",
|
|
|
|
"0x80d3cf1f9a78fc47b90b33563be990dc43b756ce79f5574a2c596c928c5d1de4fa295f296b74e956d71986a8497e317",
|
|
|
|
"0x169b1f8e1bcfa7c42e0c37515d138f22dd2ecb803a0c5c99676314baf4bb1b7fa3190b2edc0327797f241067be390c9e",
|
|
|
|
"0x10321da079ce07e272d8ec09d2565b0dfa7dccdde6787f96d50af36003b14866f69b771f8c285decca67df3f1605fb7b",
|
|
|
|
"0x6e08c248e260e70bd1e962381edee3d31d79d7e22c837bc23c0bf1bc24c6b68c24b1b80b64d391fa9c8ba2e8ba2d229",
|
|
|
|
],
|
|
|
|
// xDen
|
|
|
|
[
|
|
|
|
"0x8ca8d548cff19ae18b2e62f4bd3fa6f01d5ef4ba35b48ba9c9588617fc8ac62b558d681be343df8993cf9fa40d21b1c",
|
|
|
|
"0x12561a5deb559c4348b4711298e536367041e8ca0cf0800c0126c2588c48bf5713daa8846cb026e9e5c8276ec82b3bff",
|
|
|
|
"0xb2962fe57a3225e8137e629bff2991f6f89416f5a718cd1fca64e00b11aceacd6a3d0967c94fedcfcc239ba5cb83e19",
|
|
|
|
"0x3425581a58ae2fec83aafef7c40eb545b08243f16b1655154cca8abc28d6fd04976d5243eecf5c4130de8938dc62cd8",
|
|
|
|
"0x13a8e162022914a80a6f1d5f43e7a07dffdfc759a12062bb8d6b44e833b306da9bd29ba81f35781d539d395b3532a21e",
|
|
|
|
"0xe7355f8e4e667b955390f7f0506c6e9395735e9ce9cad4d0a43bcef24b8982f7400d24bc4228f11c02df9a29f6304a5",
|
|
|
|
"0x772caacf16936190f3e0c63e0596721570f5799af53a1894e2e073062aede9cea73b3538f0de06cec2574496ee84a3a",
|
|
|
|
"0x14a7ac2a9d64a8b230b3f5b074cf01996e7f63c21bca68a81996e1cdf9822c580fa5b9489d11e2d311f7d99bbdcc5a5e",
|
|
|
|
"0xa10ecf6ada54f825e920b3dafc7a3cce07f8d1d7161366b74100da67f39883503826692abba43704776ec3a79a1d641",
|
|
|
|
"0x95fc13ab9e92ad4476d6e3eb3a56680f682b4ee96f7d03776df533978f31c1593174e4b4b7865002d6384d168ecdd0a",
|
|
|
|
"0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
|
|
|
|
// LAST 1
|
|
|
|
],
|
|
|
|
// yNum
|
|
|
|
[
|
|
|
|
"0x90d97c81ba24ee0259d1f094980dcfa11ad138e48a869522b52af6c956543d3cd0c7aee9b3ba3c2be9845719707bb33",
|
|
|
|
"0x134996a104ee5811d51036d776fb46831223e96c254f383d0f906343eb67ad34d6c56711962fa8bfe097e75a2e41c696",
|
|
|
|
"0xcc786baa966e66f4a384c86a3b49942552e2d658a31ce2c344be4b91400da7d26d521628b00523b8dfe240c72de1f6",
|
|
|
|
"0x1f86376e8981c217898751ad8746757d42aa7b90eeb791c09e4a3ec03251cf9de405aba9ec61deca6355c77b0e5f4cb",
|
|
|
|
"0x8cc03fdefe0ff135caf4fe2a21529c4195536fbe3ce50b879833fd221351adc2ee7f8dc099040a841b6daecf2e8fedb",
|
|
|
|
"0x16603fca40634b6a2211e11db8f0a6a074a7d0d4afadb7bd76505c3d3ad5544e203f6326c95a807299b23ab13633a5f0",
|
|
|
|
"0x4ab0b9bcfac1bbcb2c977d027796b3ce75bb8ca2be184cb5231413c4d634f3747a87ac2460f415ec961f8855fe9d6f2",
|
|
|
|
"0x987c8d5333ab86fde9926bd2ca6c674170a05bfe3bdd81ffd038da6c26c842642f64550fedfe935a15e4ca31870fb29",
|
|
|
|
"0x9fc4018bd96684be88c9e221e4da1bb8f3abd16679dc26c1e8b6e6a1f20cabe69d65201c78607a360370e577bdba587",
|
|
|
|
"0xe1bba7a1186bdb5223abde7ada14a23c42a0ca7915af6fe06985e7ed1e4d43b9b3f7055dd4eba6f2bafaaebca731c30",
|
|
|
|
"0x19713e47937cd1be0dfd0b8f1d43fb93cd2fcbcb6caf493fd1183e416389e61031bf3a5cce3fbafce813711ad011c132",
|
|
|
|
"0x18b46a908f36f6deb918c143fed2edcc523559b8aaf0c2462e6bfe7f911f643249d9cdf41b44d606ce07c8a4d0074d8e",
|
|
|
|
"0xb182cac101b9399d155096004f53f447aa7b12a3426b08ec02710e807b4633f06c851c1919211f20d4c04f00b971ef8",
|
|
|
|
"0x245a394ad1eca9b72fc00ae7be315dc757b3b080d4c158013e6632d3c40659cc6cf90ad1c232a6442d9d3f5db980133",
|
|
|
|
"0x5c129645e44cf1102a159f748c4a3fc5e673d81d7e86568d9ab0f5d396a7ce46ba1049b6579afb7866b1e715475224b",
|
|
|
|
"0x15e6be4e990f03ce4ea50b3b42df2eb5cb181d8f84965a3957add4fa95af01b2b665027efec01c7704b456be69c8b604",
|
|
|
|
],
|
|
|
|
// yDen
|
|
|
|
[
|
|
|
|
"0x16112c4c3a9c98b252181140fad0eae9601a6de578980be6eec3232b5be72e7a07f3688ef60c206d01479253b03663c1",
|
|
|
|
"0x1962d75c2381201e1a0cbd6c43c348b885c84ff731c4d59ca4a10356f453e01f78a4260763529e3532f6102c2e49a03d",
|
|
|
|
"0x58df3306640da276faaae7d6e8eb15778c4855551ae7f310c35a5dd279cd2eca6757cd636f96f891e2538b53dbf67f2",
|
|
|
|
"0x16b7d288798e5395f20d23bf89edb4d1d115c5dbddbcd30e123da489e726af41727364f2c28297ada8d26d98445f5416",
|
|
|
|
"0xbe0e079545f43e4b00cc912f8228ddcc6d19c9f0f69bbb0542eda0fc9dec916a20b15dc0fd2ededda39142311a5001d",
|
|
|
|
"0x8d9e5297186db2d9fb266eaac783182b70152c65550d881c5ecd87b6f0f5a6449f38db9dfa9cce202c6477faaf9b7ac",
|
|
|
|
"0x166007c08a99db2fc3ba8734ace9824b5eecfdfa8d0cf8ef5dd365bc400a0051d5fa9c01a58b1fb93d1a1399126a775c",
|
|
|
|
"0x16a3ef08be3ea7ea03bcddfabba6ff6ee5a4375efa1f4fd7feb34fd206357132b920f5b00801dee460ee415a15812ed9",
|
|
|
|
"0x1866c8ed336c61231a1be54fd1d74cc4f9fb0ce4c6af5920abc5750c4bf39b4852cfe2f7bb9248836b233d9d55535d4a",
|
|
|
|
"0x167a55cda70a6e1cea820597d94a84903216f763e13d87bb5308592e7ea7d4fbc7385ea3d529b35e346ef48bb8913f55",
|
|
|
|
"0x4d2f259eea405bd48f010a01ad2911d9c6dd039bb61a6290e591b36e636a5c871a5c29f4f83060400f8b49cba8f6aa8",
|
|
|
|
"0xaccbb67481d033ff5852c1e48c50c477f94ff8aefce42d28c0f9a88cea7913516f968986f7ebbea9684b529e2561092",
|
|
|
|
"0xad6b9514c767fe3c3613144b45f1496543346d98adf02267d5ceef9a00d9b8693000763e3b90ac11e99b138573345cc",
|
|
|
|
"0x2660400eb2e4f3b628bdd0d53cd76f2bf565b94e72927c1cb748df27942480e420517bd8714cc80d1fadc1326ed06f7",
|
|
|
|
"0xe0fa1d816ddc03e6b24255e0d7819c171c40f65e273b853324efcd6356caa205ca2f570f13497804415473a1d634b8f",
|
|
|
|
"0x000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
|
|
|
|
// LAST 1
|
|
|
|
],
|
|
|
|
].map((i) => i.map((j) => BigInt(j))),
|
|
|
|
);
|
|
|
|
var G2_SWU = mapToCurveSimpleSWU(Fp22, {
|
|
|
|
A: Fp22.create({ c0: Fp7.create(_0n10), c1: Fp7.create(BigInt(240)) }),
|
|
|
|
B: Fp22.create({
|
|
|
|
c0: Fp7.create(BigInt(1012)),
|
|
|
|
c1: Fp7.create(BigInt(1012)),
|
|
|
|
}),
|
|
|
|
Z: Fp22.create({ c0: Fp7.create(BigInt(-2)), c1: Fp7.create(BigInt(-1)) }),
|
|
|
|
// Z: -(2 + I)
|
|
|
|
});
|
|
|
|
var G1_SWU = mapToCurveSimpleSWU(Fp7, {
|
|
|
|
A: Fp7.create(
|
|
|
|
BigInt(
|
|
|
|
"0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d",
|
|
|
|
),
|
|
|
|
),
|
|
|
|
B: Fp7.create(
|
|
|
|
BigInt(
|
|
|
|
"0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0",
|
|
|
|
),
|
|
|
|
),
|
|
|
|
Z: Fp7.create(BigInt(11)),
|
|
|
|
});
|
|
|
|
var ut_root = Fp62.create({ c0: Fp22.ZERO, c1: Fp22.ONE, c2: Fp22.ZERO });
|
|
|
|
var wsq = Fp12.create({ c0: ut_root, c1: Fp62.ZERO });
|
|
|
|
var wcu = Fp12.create({ c0: Fp62.ZERO, c1: ut_root });
|
|
|
|
var [wsq_inv, wcu_inv] = Fp12.invertBatch([wsq, wcu]);
|
|
|
|
function psi(x, y) {
|
|
|
|
const x2 = Fp12.mul(
|
|
|
|
Fp12.frobeniusMap(Fp12.multiplyByFp2(wsq_inv, x), 1),
|
|
|
|
wsq,
|
|
|
|
).c0.c0;
|
|
|
|
const y2 = Fp12.mul(
|
|
|
|
Fp12.frobeniusMap(Fp12.multiplyByFp2(wcu_inv, y), 1),
|
|
|
|
wcu,
|
|
|
|
).c0.c0;
|
|
|
|
return [x2, y2];
|
|
|
|
}
|
|
|
|
function G2psi(c, P3) {
|
|
|
|
const affine = P3.toAffine();
|
|
|
|
const p = psi(affine.x, affine.y);
|
|
|
|
return new c(p[0], p[1], Fp22.ONE);
|
|
|
|
}
|
|
|
|
var PSI2_C1 = BigInt(
|
|
|
|
"0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac",
|
|
|
|
);
|
|
|
|
function psi2(x, y) {
|
|
|
|
return [Fp22.mul(x, PSI2_C1), Fp22.neg(y)];
|
|
|
|
}
|
|
|
|
function G2psi2(c, P3) {
|
|
|
|
const affine = P3.toAffine();
|
|
|
|
const p = psi2(affine.x, affine.y);
|
|
|
|
return new c(p[0], p[1], Fp22.ONE);
|
|
|
|
}
|
|
|
|
var htfDefaults = Object.freeze({
|
|
|
|
// DST: a domain separation tag
|
|
|
|
// defined in section 2.2.5
|
|
|
|
// Use utils.getDSTLabel(), utils.setDSTLabel(value)
|
|
|
|
DST: "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_",
|
|
|
|
encodeDST: "BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_",
|
|
|
|
// p: the characteristic of F
|
|
|
|
// where F is a finite field of characteristic p and order q = p^m
|
|
|
|
p: Fp7.ORDER,
|
|
|
|
// m: the extension degree of F, m >= 1
|
|
|
|
// where F is a finite field of characteristic p and order q = p^m
|
|
|
|
m: 2,
|
|
|
|
// k: the target security level for the suite in bits
|
|
|
|
// defined in section 5.1
|
|
|
|
k: 128,
|
|
|
|
// option to use a message that has already been processed by
|
|
|
|
// expand_message_xmd
|
|
|
|
expand: "xmd",
|
|
|
|
// Hash functions for: expand_message_xmd is appropriate for use with a
|
|
|
|
// wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
|
|
|
|
// BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
|
|
|
|
hash: sha256,
|
|
|
|
});
|
|
|
|
var C_BIT_POS = Fp7.BITS;
|
|
|
|
var I_BIT_POS = Fp7.BITS + 1;
|
|
|
|
var S_BIT_POS = Fp7.BITS + 2;
|
|
|
|
var COMPRESSED_ZERO = Fp7.toBytes(
|
|
|
|
bitSet(bitSet(_0n10, I_BIT_POS, true), S_BIT_POS, true),
|
|
|
|
);
|
|
|
|
function signatureG2ToRawBytes(point) {
|
|
|
|
point.assertValidity();
|
|
|
|
const len = Fp7.BYTES;
|
|
|
|
if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
|
|
|
|
return concatBytes(COMPRESSED_ZERO, numberToBytesBE(_0n10, len));
|
|
|
|
const { x, y } = point.toAffine();
|
|
|
|
const { re: x0, im: x1 } = Fp22.reim(x);
|
|
|
|
const { re: y0, im: y1 } = Fp22.reim(y);
|
|
|
|
const tmp = y1 > _0n10 ? y1 * _2n10 : y0 * _2n10;
|
|
|
|
const aflag1 = Boolean((tmp / Fp7.ORDER) & _1n11);
|
|
|
|
const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
|
|
|
|
const z2 = x0;
|
|
|
|
return concatBytes(numberToBytesBE(z1, len), numberToBytesBE(z2, len));
|
|
|
|
}
|
|
|
|
var bls12_381 = bls({
|
|
|
|
// Fields
|
|
|
|
fields: {
|
|
|
|
Fp: Fp7,
|
|
|
|
Fp2: Fp22,
|
|
|
|
Fp6: Fp62,
|
|
|
|
Fp12,
|
|
|
|
Fr,
|
|
|
|
},
|
|
|
|
// G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
|
|
|
|
// characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
|
|
|
|
G1: {
|
|
|
|
Fp: Fp7,
|
|
|
|
// cofactor; (z - 1)²/3
|
|
|
|
h: BigInt("0x396c8c005555e1568c00aaab0000aaab"),
|
|
|
|
// generator's coordinates
|
|
|
|
// x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
|
|
|
|
// y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
|
|
|
|
Gx: BigInt(
|
|
|
|
"0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb",
|
|
|
|
),
|
|
|
|
Gy: BigInt(
|
|
|
|
"0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1",
|
|
|
|
),
|
|
|
|
a: Fp7.ZERO,
|
|
|
|
b: _4n4,
|
|
|
|
htfDefaults: { ...htfDefaults, m: 1 },
|
|
|
|
wrapPrivateKey: true,
|
|
|
|
allowInfinityPoint: true,
|
|
|
|
// Checks is the point resides in prime-order subgroup.
|
|
|
|
// point.isTorsionFree() should return true for valid points
|
|
|
|
// It returns false for shitty points.
|
|
|
|
// https://eprint.iacr.org/2021/1130.pdf
|
|
|
|
isTorsionFree: (c, point) => {
|
|
|
|
const cubicRootOfUnityModP = BigInt(
|
|
|
|
"0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe",
|
|
|
|
);
|
|
|
|
const phi = new c(
|
|
|
|
Fp7.mul(point.px, cubicRootOfUnityModP),
|
|
|
|
point.py,
|
|
|
|
point.pz,
|
|
|
|
);
|
|
|
|
const xP = point.multiplyUnsafe(bls12_381.params.x).negate();
|
|
|
|
const u2P = xP.multiplyUnsafe(bls12_381.params.x);
|
|
|
|
return u2P.equals(phi);
|
|
|
|
},
|
|
|
|
// Clear cofactor of G1
|
|
|
|
// https://eprint.iacr.org/2019/403
|
|
|
|
clearCofactor: (_c, point) => {
|
|
|
|
return point.multiplyUnsafe(bls12_381.params.x).add(point);
|
|
|
|
},
|
|
|
|
mapToCurve: (scalars) => {
|
|
|
|
const { x, y } = G1_SWU(Fp7.create(scalars[0]));
|
|
|
|
return isogenyMapG1(x, y);
|
|
|
|
},
|
|
|
|
fromBytes: (bytes2) => {
|
|
|
|
bytes2 = bytes2.slice();
|
|
|
|
if (bytes2.length === 48) {
|
|
|
|
const P3 = Fp7.ORDER;
|
|
|
|
const compressedValue = bytesToNumberBE(bytes2);
|
|
|
|
const bflag = bitGet(compressedValue, I_BIT_POS);
|
|
|
|
if (bflag === _1n11) return { x: _0n10, y: _0n10 };
|
|
|
|
const x = Fp7.create(compressedValue & Fp7.MASK);
|
|
|
|
const right = Fp7.add(
|
|
|
|
Fp7.pow(x, _3n5),
|
|
|
|
Fp7.create(bls12_381.params.G1b),
|
|
|
|
);
|
|
|
|
let y = Fp7.sqrt(right);
|
|
|
|
if (!y) throw new Error("Invalid compressed G1 point");
|
|
|
|
const aflag = bitGet(compressedValue, C_BIT_POS);
|
|
|
|
if ((y * _2n10) / P3 !== aflag) y = Fp7.neg(y);
|
|
|
|
return { x: Fp7.create(x), y: Fp7.create(y) };
|
|
|
|
} else if (bytes2.length === 96) {
|
|
|
|
if ((bytes2[0] & (1 << 6)) !== 0)
|
|
|
|
return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
|
|
|
|
const x = bytesToNumberBE(bytes2.subarray(0, Fp7.BYTES));
|
|
|
|
const y = bytesToNumberBE(bytes2.subarray(Fp7.BYTES));
|
|
|
|
return { x: Fp7.create(x), y: Fp7.create(y) };
|
|
|
|
} else {
|
|
|
|
throw new Error("Invalid point G1, expected 48/96 bytes");
|
|
|
|
}
|
|
|
|
},
|
|
|
|
toBytes: (c, point, isCompressed) => {
|
|
|
|
const isZero = point.equals(c.ZERO);
|
|
|
|
const { x, y } = point.toAffine();
|
|
|
|
if (isCompressed) {
|
|
|
|
if (isZero) return COMPRESSED_ZERO.slice();
|
|
|
|
const P3 = Fp7.ORDER;
|
|
|
|
let num;
|
|
|
|
num = bitSet(x, C_BIT_POS, Boolean((y * _2n10) / P3));
|
|
|
|
num = bitSet(num, S_BIT_POS, true);
|
|
|
|
return numberToBytesBE(num, Fp7.BYTES);
|
|
|
|
} else {
|
|
|
|
if (isZero) {
|
|
|
|
const x2 = concatBytes(
|
|
|
|
new Uint8Array([64]),
|
|
|
|
new Uint8Array(2 * Fp7.BYTES - 1),
|
|
|
|
);
|
|
|
|
return x2;
|
|
|
|
} else {
|
|
|
|
return concatBytes(
|
|
|
|
numberToBytesBE(x, Fp7.BYTES),
|
|
|
|
numberToBytesBE(y, Fp7.BYTES),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
},
|
|
|
|
},
|
|
|
|
// G2 is the order-q subgroup of E2(Fp²) : y² = x³+4(1+√−1),
|
|
|
|
// where Fp2 is Fp[√−1]/(x2+1). #E2(Fp2 ) = h2q, where
|
|
|
|
// G² - 1
|
|
|
|
// h2q
|
|
|
|
G2: {
|
|
|
|
Fp: Fp22,
|
|
|
|
// cofactor
|
|
|
|
h: BigInt(
|
|
|
|
"0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5",
|
|
|
|
),
|
|
|
|
Gx: Fp22.fromBigTuple([
|
|
|
|
BigInt(
|
|
|
|
"0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e",
|
|
|
|
),
|
|
|
|
]),
|
|
|
|
// y =
|
|
|
|
// 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582,
|
|
|
|
// 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
|
|
|
|
Gy: Fp22.fromBigTuple([
|
|
|
|
BigInt(
|
|
|
|
"0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801",
|
|
|
|
),
|
|
|
|
BigInt(
|
|
|
|
"0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be",
|
|
|
|
),
|
|
|
|
]),
|
|
|
|
a: Fp22.ZERO,
|
|
|
|
b: Fp22.fromBigTuple([_4n4, _4n4]),
|
|
|
|
hEff: BigInt(
|
|
|
|
"0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551",
|
|
|
|
),
|
|
|
|
htfDefaults: { ...htfDefaults },
|
|
|
|
wrapPrivateKey: true,
|
|
|
|
allowInfinityPoint: true,
|
|
|
|
mapToCurve: (scalars) => {
|
|
|
|
const { x, y } = G2_SWU(Fp22.fromBigTuple(scalars));
|
|
|
|
return isogenyMapG2(x, y);
|
|
|
|
},
|
|
|
|
// Checks is the point resides in prime-order subgroup.
|
|
|
|
// point.isTorsionFree() should return true for valid points
|
|
|
|
// It returns false for shitty points.
|
|
|
|
// https://eprint.iacr.org/2021/1130.pdf
|
|
|
|
isTorsionFree: (c, P3) => {
|
|
|
|
return P3.multiplyUnsafe(bls12_381.params.x)
|
|
|
|
.negate()
|
|
|
|
.equals(G2psi(c, P3));
|
|
|
|
},
|
|
|
|
// Maps the point into the prime-order subgroup G2.
|
|
|
|
// clear_cofactor_bls12381_g2 from cfrg-hash-to-curve-11
|
|
|
|
// https://eprint.iacr.org/2017/419.pdf
|
|
|
|
// prettier-ignore
|
|
|
|
clearCofactor: (c, P3) => {
|
|
|
|
const x = bls12_381.params.x;
|
|
|
|
let t1 = P3.multiplyUnsafe(x).negate();
|
|
|
|
let t2 = G2psi(c, P3);
|
|
|
|
let t3 = P3.double();
|
|
|
|
t3 = G2psi2(c, t3);
|
|
|
|
t3 = t3.subtract(t2);
|
|
|
|
t2 = t1.add(t2);
|
|
|
|
t2 = t2.multiplyUnsafe(x).negate();
|
|
|
|
t3 = t3.add(t2);
|
|
|
|
t3 = t3.subtract(t1);
|
|
|
|
const Q = t3.subtract(P3);
|
|
|
|
return Q;
|
|
|
|
},
|
|
|
|
fromBytes: (bytes2) => {
|
|
|
|
bytes2 = bytes2.slice();
|
|
|
|
const m_byte = bytes2[0] & 224;
|
|
|
|
if (m_byte === 32 || m_byte === 96 || m_byte === 224) {
|
|
|
|
throw new Error("Invalid encoding flag: " + m_byte);
|
|
|
|
}
|
|
|
|
const bitC = m_byte & 128;
|
|
|
|
const bitI = m_byte & 64;
|
|
|
|
const bitS = m_byte & 32;
|
|
|
|
const L = Fp7.BYTES;
|
|
|
|
const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
|
|
|
|
if (bytes2.length === 96 && bitC) {
|
|
|
|
const b = bls12_381.params.G2b;
|
|
|
|
const P3 = Fp7.ORDER;
|
|
|
|
bytes2[0] = bytes2[0] & 31;
|
|
|
|
if (bitI) {
|
|
|
|
if (bytes2.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
|
|
|
|
throw new Error("Invalid compressed G2 point");
|
|
|
|
}
|
|
|
|
return { x: Fp22.ZERO, y: Fp22.ZERO };
|
|
|
|
}
|
|
|
|
const x_1 = slc(bytes2, 0, L);
|
|
|
|
const x_0 = slc(bytes2, L, 2 * L);
|
|
|
|
const x = Fp22.create({ c0: Fp7.create(x_0), c1: Fp7.create(x_1) });
|
|
|
|
const right = Fp22.add(Fp22.pow(x, _3n5), b);
|
|
|
|
let y = Fp22.sqrt(right);
|
|
|
|
const Y_bit =
|
|
|
|
y.c1 === _0n10
|
|
|
|
? (y.c0 * _2n10) / P3
|
|
|
|
: (y.c1 * _2n10) / P3
|
|
|
|
? _1n11
|
|
|
|
: _0n10;
|
|
|
|
y = bitS > 0 && Y_bit > 0 ? y : Fp22.neg(y);
|
|
|
|
return { x, y };
|
|
|
|
} else if (bytes2.length === 192 && !bitC) {
|
|
|
|
if ((bytes2[0] & (1 << 6)) !== 0) {
|
|
|
|
return { x: Fp22.ZERO, y: Fp22.ZERO };
|
|
|
|
}
|
|
|
|
const x1 = slc(bytes2, 0, L);
|
|
|
|
const x0 = slc(bytes2, L, 2 * L);
|
|
|
|
const y1 = slc(bytes2, 2 * L, 3 * L);
|
|
|
|
const y0 = slc(bytes2, 3 * L, 4 * L);
|
|
|
|
return {
|
|
|
|
x: Fp22.fromBigTuple([x0, x1]),
|
|
|
|
y: Fp22.fromBigTuple([y0, y1]),
|
|
|
|
};
|
|
|
|
} else {
|
|
|
|
throw new Error("Invalid point G2, expected 96/192 bytes");
|
|
|
|
}
|
|
|
|
},
|
|
|
|
toBytes: (c, point, isCompressed) => {
|
|
|
|
const { BYTES: len, ORDER: P3 } = Fp7;
|
|
|
|
const isZero = point.equals(c.ZERO);
|
|
|
|
const { x, y } = point.toAffine();
|
|
|
|
if (isCompressed) {
|
|
|
|
if (isZero)
|
|
|
|
return concatBytes(COMPRESSED_ZERO, numberToBytesBE(_0n10, len));
|
|
|
|
const flag = Boolean(
|
|
|
|
y.c1 === _0n10 ? (y.c0 * _2n10) / P3 : (y.c1 * _2n10) / P3,
|
|
|
|
);
|
|
|
|
let x_1 = bitSet(x.c1, C_BIT_POS, flag);
|
|
|
|
x_1 = bitSet(x_1, S_BIT_POS, true);
|
|
|
|
return concatBytes(
|
|
|
|
numberToBytesBE(x_1, len),
|
|
|
|
numberToBytesBE(x.c0, len),
|
|
|
|
);
|
|
|
|
} else {
|
|
|
|
if (isZero)
|
|
|
|
return concatBytes(
|
|
|
|
new Uint8Array([64]),
|
|
|
|
new Uint8Array(4 * len - 1),
|
|
|
|
);
|
|
|
|
const { re: x0, im: x1 } = Fp22.reim(x);
|
|
|
|
const { re: y0, im: y1 } = Fp22.reim(y);
|
|
|
|
return concatBytes(
|
|
|
|
numberToBytesBE(x1, len),
|
|
|
|
numberToBytesBE(x0, len),
|
|
|
|
numberToBytesBE(y1, len),
|
|
|
|
numberToBytesBE(y0, len),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
},
|
|
|
|
Signature: {
|
|
|
|
// TODO: Optimize, it's very slow because of sqrt.
|
|
|
|
fromHex(hex) {
|
|
|
|
hex = ensureBytes("signatureHex", hex);
|
|
|
|
const P3 = Fp7.ORDER;
|
|
|
|
const half = hex.length / 2;
|
|
|
|
if (half !== 48 && half !== 96)
|
|
|
|
throw new Error(
|
|
|
|
"Invalid compressed signature length, must be 96 or 192",
|
|
|
|
);
|
|
|
|
const z1 = bytesToNumberBE(hex.slice(0, half));
|
|
|
|
const z2 = bytesToNumberBE(hex.slice(half));
|
|
|
|
const bflag1 = bitGet(z1, I_BIT_POS);
|
|
|
|
if (bflag1 === _1n11) return bls12_381.G2.ProjectivePoint.ZERO;
|
|
|
|
const x1 = Fp7.create(z1 & Fp7.MASK);
|
|
|
|
const x2 = Fp7.create(z2);
|
|
|
|
const x = Fp22.create({ c0: x2, c1: x1 });
|
|
|
|
const y2 = Fp22.add(Fp22.pow(x, _3n5), bls12_381.params.G2b);
|
|
|
|
let y = Fp22.sqrt(y2);
|
|
|
|
if (!y) throw new Error("Failed to find a square root");
|
|
|
|
const { re: y0, im: y1 } = Fp22.reim(y);
|
|
|
|
const aflag1 = bitGet(z1, 381);
|
|
|
|
const isGreater = y1 > _0n10 && (y1 * _2n10) / P3 !== aflag1;
|
|
|
|
const isZero = y1 === _0n10 && (y0 * _2n10) / P3 !== aflag1;
|
|
|
|
if (isGreater || isZero) y = Fp22.neg(y);
|
|
|
|
const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
|
|
|
|
point.assertValidity();
|
|
|
|
return point;
|
|
|
|
},
|
|
|
|
toRawBytes(point) {
|
|
|
|
return signatureG2ToRawBytes(point);
|
|
|
|
},
|
|
|
|
toHex(point) {
|
|
|
|
return bytesToHex(signatureG2ToRawBytes(point));
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
params: {
|
|
|
|
x: BLS_X,
|
|
|
|
r: Fr.ORDER,
|
|
|
|
// order; z⁴ − z² + 1; CURVE.n from other curves
|
|
|
|
},
|
|
|
|
htfDefaults,
|
|
|
|
hash: sha256,
|
|
|
|
randomBytes,
|
|
|
|
});
|
|
|
|
|
|
|
|
// input.js
|
|
|
|
var utils = { bytesToHex, concatBytes, hexToBytes };
|
|
|
|
return __toCommonJS(input_exports);
|
|
|
|
})();
|
|
|
|
/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
|
|
|
|
/*! Bundled license information:
|
|
|
|
|
|
|
|
@noble/hashes/esm/utils.js:
|
|
|
|
(*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) *)
|
|
|
|
*/
|