UNPKG

@noble/curves

Version:

Audited & minimal JS implementation of elliptic curve cryptography

paulmillr.com/noble/

paulmillr/noble-curves

231 lines 9.23 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
import { type IField } from './modular.ts'; export type AffinePoint<T> = { x: T; y: T; } & { Z?: never; }; export interface Group<T extends Group<T>> { double(): T; negate(): T; add(other: T): T; subtract(other: T): T; equals(other: T): boolean; multiply(scalar: bigint): T; toAffine?(invertedZ?: any): AffinePoint<any>; } /** Base interface for all elliptic curve Points. */ export interface CurvePoint<F, P extends CurvePoint<F, P>> extends Group<P> { /** Affine x coordinate. Different from projective / extended X coordinate. */ x: F; /** Affine y coordinate. Different from projective / extended Y coordinate. */ y: F; Z?: F; double(): P; negate(): P; add(other: P): P; subtract(other: P): P; equals(other: P): boolean; multiply(scalar: bigint): P; assertValidity(): void; clearCofactor(): P; is0(): boolean; isTorsionFree(): boolean; isSmallOrder(): boolean; multiplyUnsafe(scalar: bigint): P; /** * Massively speeds up `p.multiply(n)` by using precompute tables (caching). See {@link wNAF}. * @param isLazy calculate cache now. Default (true) ensures it's deferred to first `multiply()` */ precompute(windowSize?: number, isLazy?: boolean): P; /** Converts point to 2D xy affine coordinates */ toAffine(invertedZ?: F): AffinePoint<F>; toBytes(): Uint8Array; toHex(): string; } /** Base interface for all elliptic curve Point constructors. */ export interface CurvePointCons<P extends CurvePoint<any, P>> { [Symbol.hasInstance]: (item: unknown) => boolean; BASE: P; ZERO: P; /** Field for basic curve math */ Fp: IField<P_F<P>>; /** Scalar field, for scalars in multiply and others */ Fn: IField<bigint>; /** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */ fromAffine(p: AffinePoint<P_F<P>>): P; fromBytes(bytes: Uint8Array): P; fromHex(hex: Uint8Array | string): P; } /** Returns Fp type from Point (P_F<P> == P.F) */ export type P_F<P extends CurvePoint<any, P>> = P extends CurvePoint<infer F, P> ? F : never; /** Returns Fp type from PointCons (PC_F<PC> == PC.P.F) */ export type PC_F<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['Fp']['ZERO']; /** Returns Point type from PointCons (PC_P<PC> == PC.P) */ export type PC_P<PC extends CurvePointCons<CurvePoint<any, any>>> = PC['ZERO']; export type PC_ANY = CurvePointCons<CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, CurvePoint<any, any>>>>>>>>>>>; export interface CurveLengths { secretKey?: number; publicKey?: number; publicKeyUncompressed?: number; publicKeyHasPrefix?: boolean; signature?: number; seed?: number; } export type GroupConstructor<T> = { BASE: T; ZERO: T; }; /** @deprecated */ export type ExtendedGroupConstructor<T> = GroupConstructor<T> & { Fp: IField<any>; Fn: IField<bigint>; fromAffine(ap: AffinePoint<any>): T; }; export type Mapper<T> = (i: T[]) => T[]; export declare function negateCt<T extends { negate: () => T; }>(condition: boolean, item: T): T; /** * Takes a bunch of Projective Points but executes only one * inversion on all of them. Inversion is very slow operation, * so this improves performance massively. * Optimization: converts a list of projective points to a list of identical points with Z=1. */ export declare function normalizeZ<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, points: P[]): P[]; /** Internal wNAF opts for specific W and scalarBits */ export type WOpts = { windows: number; windowSize: number; mask: bigint; maxNumber: number; shiftBy: bigint; }; /** * Elliptic curve multiplication of Point by scalar. Fragile. * Table generation takes **30MB of ram and 10ms on high-end CPU**, * but may take much longer on slow devices. Actual generation will happen on * first call of `multiply()`. By default, `BASE` point is precomputed. * * Scalars should always be less than curve order: this should be checked inside of a curve itself. * Creates precomputation tables for fast multiplication: * - private scalar is split by fixed size windows of W bits * - every window point is collected from window's table & added to accumulator * - since windows are different, same point inside tables won't be accessed more than once per calc * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar) * - +1 window is neccessary for wNAF * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication * * @todo Research returning 2d JS array of windows, instead of a single window. * This would allow windows to be in different memory locations */ export declare class wNAF<PC extends PC_ANY> { private readonly BASE; private readonly ZERO; private readonly Fn; readonly bits: number; constructor(Point: PC, bits: number); _unsafeLadder(elm: PC_P<PC>, n: bigint, p?: PC_P<PC>): PC_P<PC>; /** * Creates a wNAF precomputation window. Used for caching. * Default window size is set by `utils.precompute()` and is equal to 8. * Number of precomputed points depends on the curve size: * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where: * - 𝑊 is the window size * - 𝑛 is the bitlength of the curve order. * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224. * @param point Point instance * @param W window size * @returns precomputed point tables flattened to a single array */ private precomputeWindow; /** * Implements ec multiplication using precomputed tables and w-ary non-adjacent form. * More compact implementation: * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541 * @returns real and fake (for const-time) points */ private wNAF; /** * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form. * @param acc accumulator point to add result of multiplication * @returns point */ private wNAFUnsafe; private getPrecomputes; cached(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>): { p: PC_P<PC>; f: PC_P<PC>; }; unsafe(point: PC_P<PC>, scalar: bigint, transform?: Mapper<PC_P<PC>>, prev?: PC_P<PC>): PC_P<PC>; createCache(P: PC_P<PC>, W: number): void; hasCache(elm: PC_P<PC>): boolean; } /** * Endomorphism-specific multiplication for Koblitz curves. * Cost: 128 dbl, 0-256 adds. */ export declare function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(Point: PC, point: P, k1: bigint, k2: bigint): { p1: P; p2: P; }; /** * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...). * 30x faster vs naive addition on L=4096, 10x faster than precomputes. * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL. * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0. * @param c Curve Point constructor * @param fieldN field over CURVE.N - important that it's not over CURVE.P * @param points array of L curve points * @param scalars array of L scalars (aka secret keys / bigints) */ export declare function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, fieldN: IField<bigint>, points: P[], scalars: bigint[]): P; /** * Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...). * @param c Curve Point constructor * @param fieldN field over CURVE.N - important that it's not over CURVE.P * @param points array of L curve points * @returns function which multiplies points with scaars */ export declare function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(c: PC, fieldN: IField<bigint>, points: P[], windowSize: number): (scalars: bigint[]) => P; /** * Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok. * Though generator can be different (Fp2 / Fp6 for BLS). */ export type BasicCurve<T> = { Fp: IField<T>; n: bigint; nBitLength?: number; nByteLength?: number; h: bigint; hEff?: bigint; Gx: T; Gy: T; allowInfinityPoint?: boolean; }; /** @deprecated */ export declare function validateBasic<FP, T>(curve: BasicCurve<FP> & T): Readonly<{ readonly nBitLength: number; readonly nByteLength: number; } & BasicCurve<FP> & T & { p: bigint; }>; export type ValidCurveParams<T> = { p: bigint; n: bigint; h: bigint; a: T; b?: T; d?: T; Gx: T; Gy: T; }; export type FpFn<T> = { Fp: IField<T>; Fn: IField<bigint>; }; /** Validates CURVE opts and creates fields */ export declare function _createCurveFields<T>(type: 'weierstrass' | 'edwards', CURVE: ValidCurveParams<T>, curveOpts?: Partial<FpFn<T>>, FpFnLE?: boolean): FpFn<T> & { CURVE: ValidCurveParams<T>; }; //# sourceMappingURL=curve.d.ts.map