UNPKG

@oko-wallet/oko-sdk-cosmos

Version:

1,358 lines (1,343 loc) • 382 kB

JavaScript

import require$$0, { bech32 as bech32$1 } from 'bech32'; import { Buffer as Buffer$1 } from 'buffer'; import { serializeSignDoc, encodeSecp256k1Signature } from '@cosmjs/amino'; import '@cosmjs/proto-signing'; import { EventEmitter3, OkoWallet } from '@oko-wallet/oko-sdk-core'; /** * Dummy function for Keplr interface compatibility. * This function is provided to match the Keplr API and does nothing. * It can be safely called and awaited, but has no effect. * * @param _chainId - The chain ID (unused) */ async function enable(_chainId) { return; } async function sendGetCosmosChainInfo(okoWallet, chainId) { const msg = { target: "oko_attached", msg_type: "get_cosmos_chain_info", payload: { chain_id: null, }, }; const res = await okoWallet.sendMsgToIframe(msg); if (res.msg_type !== "get_cosmos_chain_info_ack") { return { success: false, err: { type: "wrong_ack_message_type" } }; } if (!res.payload.success) { return { success: false, err: { type: "payload_contains_err", err: res.payload.err }, }; } return { success: true, data: res.payload.data }; } async function getCosmosChainInfo() { const chainInfoRes = await sendGetCosmosChainInfo(this.okoWallet); if (!chainInfoRes.success) { throw new Error(`Failed to get chain registry response: ${chainInfoRes.err.toString()}`); } return chainInfoRes.data; } const crypto$1 = typeof globalThis === 'object' && 'crypto' in globalThis ? globalThis.crypto : undefined; /** * Utilities for hex, bytes, CSPRNG. * @module */ /*! noble-hashes - MIT License (c) 2022 Paul Miller (paulmillr.com) */ // We use WebCrypto aka globalThis.crypto, which exists in browsers and node.js 16+. // node.js versions earlier than v19 don't declare it in global scope. // For node.js, package.json#exports field mapping rewrites import // from `crypto` to `cryptoNode`, which imports native module. // Makes the utils un-importable in browsers without a bundler. // Once node.js 18 is deprecated (2025-04-30), we can just drop the import. /** Checks if something is Uint8Array. Be careful: nodejs Buffer will return true. */ function isBytes(a) { return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array'); } /** Asserts something is positive integer. */ function anumber(n) { if (!Number.isSafeInteger(n) || n < 0) throw new Error('positive integer expected, got ' + n); } /** Asserts something is Uint8Array. */ function abytes(b, ...lengths) { if (!isBytes(b)) throw new Error('Uint8Array expected'); if (lengths.length > 0 && !lengths.includes(b.length)) throw new Error('Uint8Array expected of length ' + lengths + ', got length=' + b.length); } /** Asserts something is hash */ function ahash(h) { if (typeof h !== 'function' || typeof h.create !== 'function') throw new Error('Hash should be wrapped by utils.createHasher'); anumber(h.outputLen); anumber(h.blockLen); } /** Asserts a hash instance has not been destroyed / finished */ function aexists(instance, checkFinished = true) { if (instance.destroyed) throw new Error('Hash instance has been destroyed'); if (checkFinished && instance.finished) throw new Error('Hash#digest() has already been called'); } /** Asserts output is properly-sized byte array */ function aoutput(out, instance) { abytes(out); const min = instance.outputLen; if (out.length < min) { throw new Error('digestInto() expects output buffer of length at least ' + min); } } /** Cast u8 / u16 / u32 to u32. */ function u32(arr) { return new Uint32Array(arr.buffer, arr.byteOffset, Math.floor(arr.byteLength / 4)); } /** Zeroize a byte array. Warning: JS provides no guarantees. */ function clean(...arrays) { for (let i = 0; i < arrays.length; i++) { arrays[i].fill(0); } } /** Create DataView of an array for easy byte-level manipulation. */ function createView(arr) { return new DataView(arr.buffer, arr.byteOffset, arr.byteLength); } /** The rotate right (circular right shift) operation for uint32 */ function rotr(word, shift) { return (word << (32 - shift)) | (word >>> shift); } /** The rotate left (circular left shift) operation for uint32 */ function rotl(word, shift) { return (word << shift) | ((word >>> (32 - shift)) >>> 0); } /** Is current platform little-endian? Most are. Big-Endian platform: IBM */ const isLE = /* @__PURE__ */ (() => new Uint8Array(new Uint32Array([0x11223344]).buffer)[0] === 0x44)(); /** The byte swap operation for uint32 */ function byteSwap(word) { return (((word << 24) & 0xff000000) | ((word << 8) & 0xff0000) | ((word >>> 8) & 0xff00) | ((word >>> 24) & 0xff)); } /** In place byte swap for Uint32Array */ function byteSwap32(arr) { for (let i = 0; i < arr.length; i++) { arr[i] = byteSwap(arr[i]); } return arr; } const swap32IfBE = isLE ? (u) => u : byteSwap32; // Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex const hasHexBuiltin = /* @__PURE__ */ (() => // @ts-ignore typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function')(); // Array where index 0xf0 (240) is mapped to string 'f0' const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0')); /** * Convert byte array to hex string. Uses built-in function, when available. * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123' */ function bytesToHex(bytes) { abytes(bytes); // @ts-ignore if (hasHexBuiltin) return bytes.toHex(); // pre-caching improves the speed 6x let hex = ''; for (let i = 0; i < bytes.length; i++) { hex += hexes[bytes[i]]; } return hex; } // We use optimized technique to convert hex string to byte array const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 }; function asciiToBase16(ch) { if (ch >= asciis._0 && ch <= asciis._9) return ch - asciis._0; // '2' => 50-48 if (ch >= asciis.A && ch <= asciis.F) return ch - (asciis.A - 10); // 'B' => 66-(65-10) if (ch >= asciis.a && ch <= asciis.f) return ch - (asciis.a - 10); // 'b' => 98-(97-10) return; } /** * Convert hex string to byte array. Uses built-in function, when available. * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23]) */ function hexToBytes(hex) { if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex); // @ts-ignore if (hasHexBuiltin) return Uint8Array.fromHex(hex); const hl = hex.length; const al = hl / 2; if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl); const array = new Uint8Array(al); for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) { const n1 = asciiToBase16(hex.charCodeAt(hi)); const n2 = asciiToBase16(hex.charCodeAt(hi + 1)); if (n1 === undefined || n2 === undefined) { const char = hex[hi] + hex[hi + 1]; throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi); } array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163 } return array; } /** * Converts string to bytes using UTF8 encoding. * @example utf8ToBytes('abc') // Uint8Array.from([97, 98, 99]) */ function utf8ToBytes(str) { if (typeof str !== 'string') throw new Error('string expected'); return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809 } /** * Normalizes (non-hex) string or Uint8Array to Uint8Array. * Warning: when Uint8Array is passed, it would NOT get copied. * Keep in mind for future mutable operations. */ function toBytes(data) { if (typeof data === 'string') data = utf8ToBytes(data); abytes(data); return data; } /** Copies several Uint8Arrays into one. */ function concatBytes(...arrays) { let sum = 0; for (let i = 0; i < arrays.length; i++) { const a = arrays[i]; abytes(a); sum += a.length; } const res = new Uint8Array(sum); for (let i = 0, pad = 0; i < arrays.length; i++) { const a = arrays[i]; res.set(a, pad); pad += a.length; } return res; } /** For runtime check if class implements interface */ class Hash { } /** Wraps hash function, creating an interface on top of it */ function createHasher(hashCons) { const hashC = (msg) => hashCons().update(toBytes(msg)).digest(); const tmp = hashCons(); hashC.outputLen = tmp.outputLen; hashC.blockLen = tmp.blockLen; hashC.create = () => hashCons(); return hashC; } /** Cryptographically secure PRNG. Uses internal OS-level `crypto.getRandomValues`. */ function randomBytes(bytesLength = 32) { if (crypto$1 && typeof crypto$1.getRandomValues === 'function') { return crypto$1.getRandomValues(new Uint8Array(bytesLength)); } // Legacy Node.js compatibility if (crypto$1 && typeof crypto$1.randomBytes === 'function') { return Uint8Array.from(crypto$1.randomBytes(bytesLength)); } throw new Error('crypto.getRandomValues must be defined'); } /** * Internal Merkle-Damgard hash utils. * @module */ /** Polyfill for Safari 14. https://caniuse.com/mdn-javascript_builtins_dataview_setbiguint64 */ function setBigUint64(view, byteOffset, value, isLE) { if (typeof view.setBigUint64 === 'function') return view.setBigUint64(byteOffset, value, isLE); const _32n = BigInt(32); const _u32_max = BigInt(0xffffffff); const wh = Number((value >> _32n) & _u32_max); const wl = Number(value & _u32_max); const h = isLE ? 4 : 0; const l = isLE ? 0 : 4; view.setUint32(byteOffset + h, wh, isLE); view.setUint32(byteOffset + l, wl, isLE); } /** Choice: a ? b : c */ function Chi(a, b, c) { return (a & b) ^ (~a & c); } /** Majority function, true if any two inputs is true. */ function Maj(a, b, c) { return (a & b) ^ (a & c) ^ (b & c); } /** * Merkle-Damgard hash construction base class. * Could be used to create MD5, RIPEMD, SHA1, SHA2. */ class HashMD extends Hash { constructor(blockLen, outputLen, padOffset, isLE) { super(); this.finished = false; this.length = 0; this.pos = 0; this.destroyed = false; this.blockLen = blockLen; this.outputLen = outputLen; this.padOffset = padOffset; this.isLE = isLE; this.buffer = new Uint8Array(blockLen); this.view = createView(this.buffer); } update(data) { aexists(this); data = toBytes(data); abytes(data); const { view, buffer, blockLen } = this; const len = data.length; for (let pos = 0; pos < len;) { const take = Math.min(blockLen - this.pos, len - pos); // Fast path: we have at least one block in input, cast it to view and process if (take === blockLen) { const dataView = createView(data); for (; blockLen <= len - pos; pos += blockLen) this.process(dataView, pos); continue; } buffer.set(data.subarray(pos, pos + take), this.pos); this.pos += take; pos += take; if (this.pos === blockLen) { this.process(view, 0); this.pos = 0; } } this.length += data.length; this.roundClean(); return this; } digestInto(out) { aexists(this); aoutput(out, this); this.finished = true; // Padding // We can avoid allocation of buffer for padding completely if it // was previously not allocated here. But it won't change performance. const { buffer, view, blockLen, isLE } = this; let { pos } = this; // append the bit '1' to the message buffer[pos++] = 0b10000000; clean(this.buffer.subarray(pos)); // we have less than padOffset left in buffer, so we cannot put length in // current block, need process it and pad again if (this.padOffset > blockLen - pos) { this.process(view, 0); pos = 0; } // Pad until full block byte with zeros for (let i = pos; i < blockLen; i++) buffer[i] = 0; // Note: sha512 requires length to be 128bit integer, but length in JS will overflow before that // You need to write around 2 exabytes (u64_max / 8 / (1024**6)) for this to happen. // So we just write lowest 64 bits of that value. setBigUint64(view, blockLen - 8, BigInt(this.length * 8), isLE); this.process(view, 0); const oview = createView(out); const len = this.outputLen; // NOTE: we do division by 4 later, which should be fused in single op with modulo by JIT if (len % 4) throw new Error('_sha2: outputLen should be aligned to 32bit'); const outLen = len / 4; const state = this.get(); if (outLen > state.length) throw new Error('_sha2: outputLen bigger than state'); for (let i = 0; i < outLen; i++) oview.setUint32(4 * i, state[i], isLE); } digest() { const { buffer, outputLen } = this; this.digestInto(buffer); const res = buffer.slice(0, outputLen); this.destroy(); return res; } _cloneInto(to) { to || (to = new this.constructor()); to.set(...this.get()); const { blockLen, buffer, length, finished, destroyed, pos } = this; to.destroyed = destroyed; to.finished = finished; to.length = length; to.pos = pos; if (length % blockLen) to.buffer.set(buffer); return to; } clone() { return this._cloneInto(); } } /** * Initial SHA-2 state: fractional parts of square roots of first 16 primes 2..53. * Check out `test/misc/sha2-gen-iv.js` for recomputation guide. */ /** Initial SHA256 state. Bits 0..32 of frac part of sqrt of primes 2..19 */ const SHA256_IV = /* @__PURE__ */ Uint32Array.from([ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19, ]); /** * Internal helpers for u64. BigUint64Array is too slow as per 2025, so we implement it using Uint32Array. * @todo re-check https://issues.chromium.org/issues/42212588 * @module */ const U32_MASK64 = /* @__PURE__ */ BigInt(2 ** 32 - 1); const _32n = /* @__PURE__ */ BigInt(32); function fromBig(n, le = false) { if (le) return { h: Number(n & U32_MASK64), l: Number((n >> _32n) & U32_MASK64) }; return { h: Number((n >> _32n) & U32_MASK64) | 0, l: Number(n & U32_MASK64) | 0 }; } function split(lst, le = false) { const len = lst.length; let Ah = new Uint32Array(len); let Al = new Uint32Array(len); for (let i = 0; i < len; i++) { const { h, l } = fromBig(lst[i], le); [Ah[i], Al[i]] = [h, l]; } return [Ah, Al]; } // Left rotate for Shift in [1, 32) const rotlSH = (h, l, s) => (h << s) | (l >>> (32 - s)); const rotlSL = (h, l, s) => (l << s) | (h >>> (32 - s)); // Left rotate for Shift in (32, 64), NOTE: 32 is special case. const rotlBH = (h, l, s) => (l << (s - 32)) | (h >>> (64 - s)); const rotlBL = (h, l, s) => (h << (s - 32)) | (l >>> (64 - s)); /** * SHA2 hash function. A.k.a. sha256, sha384, sha512, sha512_224, sha512_256. * SHA256 is the fastest hash implementable in JS, even faster than Blake3. * Check out [RFC 4634](https://datatracker.ietf.org/doc/html/rfc4634) and * [FIPS 180-4](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf). * @module */ /** * Round constants: * First 32 bits of fractional parts of the cube roots of the first 64 primes 2..311) */ // prettier-ignore const SHA256_K = /* @__PURE__ */ Uint32Array.from([ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ]); /** Reusable temporary buffer. "W" comes straight from spec. */ const SHA256_W = /* @__PURE__ */ new Uint32Array(64); class SHA256 extends HashMD { constructor(outputLen = 32) { super(64, outputLen, 8, false); // We cannot use array here since array allows indexing by variable // which means optimizer/compiler cannot use registers. this.A = SHA256_IV[0] | 0; this.B = SHA256_IV[1] | 0; this.C = SHA256_IV[2] | 0; this.D = SHA256_IV[3] | 0; this.E = SHA256_IV[4] | 0; this.F = SHA256_IV[5] | 0; this.G = SHA256_IV[6] | 0; this.H = SHA256_IV[7] | 0; } get() { const { A, B, C, D, E, F, G, H } = this; return [A, B, C, D, E, F, G, H]; } // prettier-ignore set(A, B, C, D, E, F, G, H) { this.A = A | 0; this.B = B | 0; this.C = C | 0; this.D = D | 0; this.E = E | 0; this.F = F | 0; this.G = G | 0; this.H = H | 0; } process(view, offset) { // Extend the first 16 words into the remaining 48 words w[16..63] of the message schedule array for (let i = 0; i < 16; i++, offset += 4) SHA256_W[i] = view.getUint32(offset, false); for (let i = 16; i < 64; i++) { const W15 = SHA256_W[i - 15]; const W2 = SHA256_W[i - 2]; const s0 = rotr(W15, 7) ^ rotr(W15, 18) ^ (W15 >>> 3); const s1 = rotr(W2, 17) ^ rotr(W2, 19) ^ (W2 >>> 10); SHA256_W[i] = (s1 + SHA256_W[i - 7] + s0 + SHA256_W[i - 16]) | 0; } // Compression function main loop, 64 rounds let { A, B, C, D, E, F, G, H } = this; for (let i = 0; i < 64; i++) { const sigma1 = rotr(E, 6) ^ rotr(E, 11) ^ rotr(E, 25); const T1 = (H + sigma1 + Chi(E, F, G) + SHA256_K[i] + SHA256_W[i]) | 0; const sigma0 = rotr(A, 2) ^ rotr(A, 13) ^ rotr(A, 22); const T2 = (sigma0 + Maj(A, B, C)) | 0; H = G; G = F; F = E; E = (D + T1) | 0; D = C; C = B; B = A; A = (T1 + T2) | 0; } // Add the compressed chunk to the current hash value A = (A + this.A) | 0; B = (B + this.B) | 0; C = (C + this.C) | 0; D = (D + this.D) | 0; E = (E + this.E) | 0; F = (F + this.F) | 0; G = (G + this.G) | 0; H = (H + this.H) | 0; this.set(A, B, C, D, E, F, G, H); } roundClean() { clean(SHA256_W); } destroy() { this.set(0, 0, 0, 0, 0, 0, 0, 0); clean(this.buffer); } } /** * SHA2-256 hash function from RFC 4634. * * It is the fastest JS hash, even faster than Blake3. * To break sha256 using birthday attack, attackers need to try 2^128 hashes. * BTC network is doing 2^70 hashes/sec (2^95 hashes/year) as per 2025. */ const sha256 = /* @__PURE__ */ createHasher(() => new SHA256()); /** SHA1 (RFC 3174), MD5 (RFC 1321) and RIPEMD160 (RFC 2286) legacy, weak hash functions. Don't use them in a new protocol. What "weak" means: - Collisions can be made with 2^18 effort in MD5, 2^60 in SHA1, 2^80 in RIPEMD160. - No practical pre-image attacks (only theoretical, 2^123.4) - HMAC seems kinda ok: https://datatracker.ietf.org/doc/html/rfc6151 * @module */ // RIPEMD-160 const Rho160 = /* @__PURE__ */ Uint8Array.from([ 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8, ]); const Id160 = /* @__PURE__ */ (() => Uint8Array.from(new Array(16).fill(0).map((_, i) => i)))(); const Pi160 = /* @__PURE__ */ (() => Id160.map((i) => (9 * i + 5) % 16))(); const idxLR = /* @__PURE__ */ (() => { const L = [Id160]; const R = [Pi160]; const res = [L, R]; for (let i = 0; i < 4; i++) for (let j of res) j.push(j[i].map((k) => Rho160[k])); return res; })(); const idxL = /* @__PURE__ */ (() => idxLR[0])(); const idxR = /* @__PURE__ */ (() => idxLR[1])(); // const [idxL, idxR] = idxLR; const shifts160 = /* @__PURE__ */ [ [11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8], [12, 13, 11, 15, 6, 9, 9, 7, 12, 15, 11, 13, 7, 8, 7, 7], [13, 15, 14, 11, 7, 7, 6, 8, 13, 14, 13, 12, 5, 5, 6, 9], [14, 11, 12, 14, 8, 6, 5, 5, 15, 12, 15, 14, 9, 9, 8, 6], [15, 12, 13, 13, 9, 5, 8, 6, 14, 11, 12, 11, 8, 6, 5, 5], ].map((i) => Uint8Array.from(i)); const shiftsL160 = /* @__PURE__ */ idxL.map((idx, i) => idx.map((j) => shifts160[i][j])); const shiftsR160 = /* @__PURE__ */ idxR.map((idx, i) => idx.map((j) => shifts160[i][j])); const Kl160 = /* @__PURE__ */ Uint32Array.from([ 0x00000000, 0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xa953fd4e, ]); const Kr160 = /* @__PURE__ */ Uint32Array.from([ 0x50a28be6, 0x5c4dd124, 0x6d703ef3, 0x7a6d76e9, 0x00000000, ]); // It's called f() in spec. function ripemd_f(group, x, y, z) { if (group === 0) return x ^ y ^ z; if (group === 1) return (x & y) | (~x & z); if (group === 2) return (x | ~y) ^ z; if (group === 3) return (x & z) | (y & ~z); return x ^ (y | ~z); } // Reusable temporary buffer const BUF_160 = /* @__PURE__ */ new Uint32Array(16); class RIPEMD160 extends HashMD { constructor() { super(64, 20, 8, true); this.h0 = 0x67452301 | 0; this.h1 = 0xefcdab89 | 0; this.h2 = 0x98badcfe | 0; this.h3 = 0x10325476 | 0; this.h4 = 0xc3d2e1f0 | 0; } get() { const { h0, h1, h2, h3, h4 } = this; return [h0, h1, h2, h3, h4]; } set(h0, h1, h2, h3, h4) { this.h0 = h0 | 0; this.h1 = h1 | 0; this.h2 = h2 | 0; this.h3 = h3 | 0; this.h4 = h4 | 0; } process(view, offset) { for (let i = 0; i < 16; i++, offset += 4) BUF_160[i] = view.getUint32(offset, true); // prettier-ignore let al = this.h0 | 0, ar = al, bl = this.h1 | 0, br = bl, cl = this.h2 | 0, cr = cl, dl = this.h3 | 0, dr = dl, el = this.h4 | 0, er = el; // Instead of iterating 0 to 80, we split it into 5 groups // And use the groups in constants, functions, etc. Much simpler for (let group = 0; group < 5; group++) { const rGroup = 4 - group; const hbl = Kl160[group], hbr = Kr160[group]; // prettier-ignore const rl = idxL[group], rr = idxR[group]; // prettier-ignore const sl = shiftsL160[group], sr = shiftsR160[group]; // prettier-ignore for (let i = 0; i < 16; i++) { const tl = (rotl(al + ripemd_f(group, bl, cl, dl) + BUF_160[rl[i]] + hbl, sl[i]) + el) | 0; al = el, el = dl, dl = rotl(cl, 10) | 0, cl = bl, bl = tl; // prettier-ignore } // 2 loops are 10% faster for (let i = 0; i < 16; i++) { const tr = (rotl(ar + ripemd_f(rGroup, br, cr, dr) + BUF_160[rr[i]] + hbr, sr[i]) + er) | 0; ar = er, er = dr, dr = rotl(cr, 10) | 0, cr = br, br = tr; // prettier-ignore } } // Add the compressed chunk to the current hash value this.set((this.h1 + cl + dr) | 0, (this.h2 + dl + er) | 0, (this.h3 + el + ar) | 0, (this.h4 + al + br) | 0, (this.h0 + bl + cr) | 0); } roundClean() { clean(BUF_160); } destroy() { this.destroyed = true; clean(this.buffer); this.set(0, 0, 0, 0, 0); } } /** * RIPEMD-160 - a legacy hash function from 1990s. * * https://homes.esat.kuleuven.be/~bosselae/ripemd160.html * * https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf */ const ripemd160 = /* @__PURE__ */ createHasher(() => new RIPEMD160()); /** * SHA3 (keccak) hash function, based on a new "Sponge function" design. * Different from older hashes, the internal state is bigger than output size. * * Check out [FIPS-202](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf), * [Website](https://keccak.team/keccak.html), * [the differences between SHA-3 and Keccak](https://crypto.stackexchange.com/questions/15727/what-are-the-key-differences-between-the-draft-sha-3-standard-and-the-keccak-sub). * * Check out `sha3-addons` module for cSHAKE, k12, and others. * @module */ // No __PURE__ annotations in sha3 header: // EVERYTHING is in fact used on every export. // Various per round constants calculations const _0n$4 = BigInt(0); const _1n$4 = BigInt(1); const _2n$3 = BigInt(2); const _7n$1 = BigInt(7); const _256n = BigInt(256); const _0x71n = BigInt(0x71); const SHA3_PI = []; const SHA3_ROTL = []; const _SHA3_IOTA = []; for (let round = 0, R = _1n$4, x = 1, y = 0; round < 24; round++) { // Pi [x, y] = [y, (2 * x + 3 * y) % 5]; SHA3_PI.push(2 * (5 * y + x)); // Rotational SHA3_ROTL.push((((round + 1) * (round + 2)) / 2) % 64); // Iota let t = _0n$4; for (let j = 0; j < 7; j++) { R = ((R << _1n$4) ^ ((R >> _7n$1) * _0x71n)) % _256n; if (R & _2n$3) t ^= _1n$4 << ((_1n$4 << /* @__PURE__ */ BigInt(j)) - _1n$4); } _SHA3_IOTA.push(t); } const IOTAS = split(_SHA3_IOTA, true); const SHA3_IOTA_H = IOTAS[0]; const SHA3_IOTA_L = IOTAS[1]; // Left rotation (without 0, 32, 64) const rotlH = (h, l, s) => (s > 32 ? rotlBH(h, l, s) : rotlSH(h, l, s)); const rotlL = (h, l, s) => (s > 32 ? rotlBL(h, l, s) : rotlSL(h, l, s)); /** `keccakf1600` internal function, additionally allows to adjust round count. */ function keccakP(s, rounds = 24) { const B = new Uint32Array(5 * 2); // NOTE: all indices are x2 since we store state as u32 instead of u64 (bigints to slow in js) for (let round = 24 - rounds; round < 24; round++) { // Theta θ for (let x = 0; x < 10; x++) B[x] = s[x] ^ s[x + 10] ^ s[x + 20] ^ s[x + 30] ^ s[x + 40]; for (let x = 0; x < 10; x += 2) { const idx1 = (x + 8) % 10; const idx0 = (x + 2) % 10; const B0 = B[idx0]; const B1 = B[idx0 + 1]; const Th = rotlH(B0, B1, 1) ^ B[idx1]; const Tl = rotlL(B0, B1, 1) ^ B[idx1 + 1]; for (let y = 0; y < 50; y += 10) { s[x + y] ^= Th; s[x + y + 1] ^= Tl; } } // Rho (ρ) and Pi (π) let curH = s[2]; let curL = s[3]; for (let t = 0; t < 24; t++) { const shift = SHA3_ROTL[t]; const Th = rotlH(curH, curL, shift); const Tl = rotlL(curH, curL, shift); const PI = SHA3_PI[t]; curH = s[PI]; curL = s[PI + 1]; s[PI] = Th; s[PI + 1] = Tl; } // Chi (χ) for (let y = 0; y < 50; y += 10) { for (let x = 0; x < 10; x++) B[x] = s[y + x]; for (let x = 0; x < 10; x++) s[y + x] ^= ~B[(x + 2) % 10] & B[(x + 4) % 10]; } // Iota (ι) s[0] ^= SHA3_IOTA_H[round]; s[1] ^= SHA3_IOTA_L[round]; } clean(B); } /** Keccak sponge function. */ class Keccak extends Hash { // NOTE: we accept arguments in bytes instead of bits here. constructor(blockLen, suffix, outputLen, enableXOF = false, rounds = 24) { super(); this.pos = 0; this.posOut = 0; this.finished = false; this.destroyed = false; this.enableXOF = false; this.blockLen = blockLen; this.suffix = suffix; this.outputLen = outputLen; this.enableXOF = enableXOF; this.rounds = rounds; // Can be passed from user as dkLen anumber(outputLen); // 1600 = 5x5 matrix of 64bit. 1600 bits === 200 bytes // 0 < blockLen < 200 if (!(0 < blockLen && blockLen < 200)) throw new Error('only keccak-f1600 function is supported'); this.state = new Uint8Array(200); this.state32 = u32(this.state); } clone() { return this._cloneInto(); } keccak() { swap32IfBE(this.state32); keccakP(this.state32, this.rounds); swap32IfBE(this.state32); this.posOut = 0; this.pos = 0; } update(data) { aexists(this); data = toBytes(data); abytes(data); const { blockLen, state } = this; const len = data.length; for (let pos = 0; pos < len;) { const take = Math.min(blockLen - this.pos, len - pos); for (let i = 0; i < take; i++) state[this.pos++] ^= data[pos++]; if (this.pos === blockLen) this.keccak(); } return this; } finish() { if (this.finished) return; this.finished = true; const { state, suffix, pos, blockLen } = this; // Do the padding state[pos] ^= suffix; if ((suffix & 0x80) !== 0 && pos === blockLen - 1) this.keccak(); state[blockLen - 1] ^= 0x80; this.keccak(); } writeInto(out) { aexists(this, false); abytes(out); this.finish(); const bufferOut = this.state; const { blockLen } = this; for (let pos = 0, len = out.length; pos < len;) { if (this.posOut >= blockLen) this.keccak(); const take = Math.min(blockLen - this.posOut, len - pos); out.set(bufferOut.subarray(this.posOut, this.posOut + take), pos); this.posOut += take; pos += take; } return out; } xofInto(out) { // Sha3/Keccak usage with XOF is probably mistake, only SHAKE instances can do XOF if (!this.enableXOF) throw new Error('XOF is not possible for this instance'); return this.writeInto(out); } xof(bytes) { anumber(bytes); return this.xofInto(new Uint8Array(bytes)); } digestInto(out) { aoutput(out, this); if (this.finished) throw new Error('digest() was already called'); this.writeInto(out); this.destroy(); return out; } digest() { return this.digestInto(new Uint8Array(this.outputLen)); } destroy() { this.destroyed = true; clean(this.state); } _cloneInto(to) { const { blockLen, suffix, outputLen, rounds, enableXOF } = this; to || (to = new Keccak(blockLen, suffix, outputLen, enableXOF, rounds)); to.state32.set(this.state32); to.pos = this.pos; to.posOut = this.posOut; to.finished = this.finished; to.rounds = rounds; // Suffix can change in cSHAKE to.suffix = suffix; to.outputLen = outputLen; to.enableXOF = enableXOF; to.destroyed = this.destroyed; return to; } } const gen = (suffix, blockLen, outputLen) => createHasher(() => new Keccak(blockLen, suffix, outputLen)); /** keccak-256 hash function. Different from SHA3-256. */ const keccak_256 = /* @__PURE__ */ (() => gen(0x01, 136, 256 / 8))(); /** * HMAC: RFC2104 message authentication code. * @module */ class HMAC extends Hash { constructor(hash, _key) { super(); this.finished = false; this.destroyed = false; ahash(hash); const key = toBytes(_key); this.iHash = hash.create(); if (typeof this.iHash.update !== 'function') throw new Error('Expected instance of class which extends utils.Hash'); this.blockLen = this.iHash.blockLen; this.outputLen = this.iHash.outputLen; const blockLen = this.blockLen; const pad = new Uint8Array(blockLen); // blockLen can be bigger than outputLen pad.set(key.length > blockLen ? hash.create().update(key).digest() : key); for (let i = 0; i < pad.length; i++) pad[i] ^= 0x36; this.iHash.update(pad); // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone this.oHash = hash.create(); // Undo internal XOR && apply outer XOR for (let i = 0; i < pad.length; i++) pad[i] ^= 0x36 ^ 0x5c; this.oHash.update(pad); clean(pad); } update(buf) { aexists(this); this.iHash.update(buf); return this; } digestInto(out) { aexists(this); abytes(out, this.outputLen); this.finished = true; this.iHash.digestInto(out); this.oHash.update(out); this.oHash.digestInto(out); this.destroy(); } digest() { const out = new Uint8Array(this.oHash.outputLen); this.digestInto(out); return out; } _cloneInto(to) { // Create new instance without calling constructor since key already in state and we don't know it. to || (to = Object.create(Object.getPrototypeOf(this), {})); const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this; to = to; to.finished = finished; to.destroyed = destroyed; to.blockLen = blockLen; to.outputLen = outputLen; to.oHash = oHash._cloneInto(to.oHash); to.iHash = iHash._cloneInto(to.iHash); return to; } clone() { return this._cloneInto(); } destroy() { this.destroyed = true; this.oHash.destroy(); this.iHash.destroy(); } } /** * HMAC: RFC2104 message authentication code. * @param hash - function that would be used e.g. sha256 * @param key - message key * @param message - message data * @example * import { hmac } from '@noble/hashes/hmac'; * import { sha256 } from '@noble/hashes/sha2'; * const mac1 = hmac(sha256, 'key', 'message'); */ const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest(); hmac.create = (hash, key) => new HMAC(hash, key); /** * Hex, bytes and number utilities. * @module */ /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ const _0n$3 = /* @__PURE__ */ BigInt(0); const _1n$3 = /* @__PURE__ */ BigInt(1); // tmp name until v2 function _abool2(value, title = '') { if (typeof value !== 'boolean') { const prefix = title && `"${title}"`; throw new Error(prefix + 'expected boolean, got type=' + typeof value); } return value; } // tmp name until v2 /** Asserts something is Uint8Array. */ function _abytes2(value, length, title = '') { const bytes = isBytes(value); const len = value?.length; const needsLen = length !== undefined; if (!bytes || (needsLen && len !== length)) { const prefix = title && `"${title}" `; const ofLen = needsLen ? ` of length ${length}` : ''; const got = bytes ? `length=${len}` : `type=${typeof value}`; throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got); } return value; } // Used in weierstrass, der function numberToHexUnpadded(num) { const hex = num.toString(16); return hex.length & 1 ? '0' + hex : hex; } function hexToNumber(hex) { if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex); return hex === '' ? _0n$3 : BigInt('0x' + hex); // Big Endian } // BE: Big Endian, LE: Little Endian function bytesToNumberBE(bytes) { return hexToNumber(bytesToHex(bytes)); } function bytesToNumberLE(bytes) { abytes(bytes); return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse())); } function numberToBytesBE(n, len) { return hexToBytes(n.toString(16).padStart(len * 2, '0')); } function numberToBytesLE(n, len) { return numberToBytesBE(n, len).reverse(); } /** * Takes hex string or Uint8Array, converts to Uint8Array. * Validates output length. * Will throw error for other types. * @param title descriptive title for an error e.g. 'secret key' * @param hex hex string or Uint8Array * @param expectedLength optional, will compare to result array's length * @returns */ function ensureBytes(title, hex, expectedLength) { let res; if (typeof hex === 'string') { try { res = hexToBytes(hex); } catch (e) { throw new Error(title + ' must be hex string or Uint8Array, cause: ' + e); } } else if (isBytes(hex)) { // Uint8Array.from() instead of hash.slice() because node.js Buffer // is instance of Uint8Array, and its slice() creates **mutable** copy res = Uint8Array.from(hex); } else { throw new Error(title + ' must be hex string or Uint8Array'); } res.length; return res; } /** * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99]) */ // export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_; /** * Converts bytes to string using UTF8 encoding. * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc' */ // export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_; // Is positive bigint const isPosBig = (n) => typeof n === 'bigint' && _0n$3 <= n; function inRange(n, min, max) { return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max; } /** * Asserts min <= n < max. NOTE: It's < max and not <= max. * @example * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n) */ function aInRange(title, n, min, max) { // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)? // consider P=256n, min=0n, max=P // - a for min=0 would require -1: `inRange('x', x, -1n, P)` // - b would commonly require subtraction: `inRange('x', x, 0n, P - 1n)` // - our way is the cleanest: `inRange('x', x, 0n, P) if (!inRange(n, min, max)) throw new Error('expected valid ' + title + ': ' + min + ' <= n < ' + max + ', got ' + n); } // Bit operations /** * Calculates amount of bits in a bigint. * Same as `n.toString(2).length` * TODO: merge with nLength in modular */ function bitLen(n) { let len; for (len = 0; n > _0n$3; n >>= _1n$3, len += 1) ; return len; } /** * Calculate mask for N bits. Not using ** operator with bigints because of old engines. * Same as BigInt(`0b${Array(i).fill('1').join('')}`) */ const bitMask = (n) => (_1n$3 << BigInt(n)) - _1n$3; /** * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs. * @returns function that will call DRBG until 2nd arg returns something meaningful * @example * const drbg = createHmacDRBG<Key>(32, 32, hmac); * drbg(seed, bytesToKey); // bytesToKey must return Key or undefined */ function createHmacDrbg(hashLen, qByteLen, hmacFn) { if (typeof hashLen !== 'number' || hashLen < 2) throw new Error('hashLen must be a number'); if (typeof qByteLen !== 'number' || qByteLen < 2) throw new Error('qByteLen must be a number'); if (typeof hmacFn !== 'function') throw new Error('hmacFn must be a function'); // Step B, Step C: set hashLen to 8*ceil(hlen/8) const u8n = (len) => new Uint8Array(len); // creates Uint8Array const u8of = (byte) => Uint8Array.of(byte); // another shortcut let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs. let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same let i = 0; // Iterations counter, will throw when over 1000 const reset = () => { v.fill(1); k.fill(0); i = 0; }; const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values) const reseed = (seed = u8n(0)) => { // HMAC-DRBG reseed() function. Steps D-G k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed) v = h(); // v = hmac(k || v) if (seed.length === 0) return; k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed) v = h(); // v = hmac(k || v) }; const gen = () => { // HMAC-DRBG generate() function if (i++ >= 1000) throw new Error('drbg: tried 1000 values'); let len = 0; const out = []; while (len < qByteLen) { v = h(); const sl = v.slice(); out.push(sl); len += v.length; } return concatBytes(...out); }; const genUntil = (seed, pred) => { reset(); reseed(seed); // Steps D-G let res = undefined; // Step H: grind until k is in [1..n-1] while (!(res = pred(gen()))) reseed(); reset(); return res; }; return genUntil; } function _validateObject(object, fields, optFields = {}) { if (!object || typeof object !== 'object') throw new Error('expected valid options object'); function checkField(fieldName, expectedType, isOpt) { const val = object[fieldName]; if (isOpt && val === undefined) return; const current = typeof val; if (current !== expectedType || val === null) throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`); } Object.entries(fields).forEach(([k, v]) => checkField(k, v, false)); Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true)); } /** * Memoizes (caches) computation result. * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed. */ function memoized(fn) { const map = new WeakMap(); return (arg, ...args) => { const val = map.get(arg); if (val !== undefined) return val; const computed = fn(arg, ...args); map.set(arg, computed); return computed; }; } /** * Utils for modular division and fields. * Field over 11 is a finite (Galois) field is integer number operations `mod 11`. * There is no division: it is replaced by modular multiplicative inverse. * @module */ /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */ // prettier-ignore const _0n$2 = BigInt(0), _1n$2 = BigInt(1), _2n$2 = /* @__PURE__ */ BigInt(2), _3n$1 = /* @__PURE__ */ BigInt(3); // prettier-ignore const _4n$1 = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7); // prettier-ignore const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16); // Calculates a modulo b function mod(a, b) { const result = a % b; return result >= _0n$2 ? result : b + result; } /** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */ function pow2(x, power, modulo) { let res = x; while (power-- > _0n$2) { res *= res; res %= modulo; } return res; } /** * Inverses number over modulo. * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/). */ function invert(number, modulo) { if (number === _0n$2) throw new Error('invert: expected non-zero number'); if (modulo <= _0n$2) throw new Error('invert: expected positive modulus, got ' + modulo); // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower. let a = mod(number, modulo); let b = modulo; // prettier-ignore let x = _0n$2, u = _1n$2; while (a !== _0n$2) { // JIT applies optimization if those two lines follow each other const q = b / a; const r = b % a; const m = x - u * q; // prettier-ignore b = a, a = r, x = u, u = m; } const gcd = b; if (gcd !== _1n$2) throw new Error('invert: does not exist'); return mod(x, modulo); } function assertIsSquare(Fp, root, n) { if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root'); } // Not all roots are possible! Example which will throw: // const NUM = // n = 72057594037927816n; // Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab')); function sqrt3mod4(Fp, n) { const p1div4 = (Fp.ORDER + _1n$2) / _4n$1; const root = Fp.pow(n, p1div4); assertIsSquare(Fp, root, n); return root; } function sqrt5mod8(Fp, n) { const p5div8 = (Fp.ORDER - _5n) / _8n; const n2 = Fp.mul(n, _2n$2); const v = Fp.pow(n2, p5div8); const nv = Fp.mul(n, v); const i = Fp.mul(Fp.mul(nv, _2n$2), v); const root = Fp.mul(nv, Fp.sub(i, Fp.ONE)); assertIsSquare(Fp, root, n); return root; } // Based on RFC9380, Kong algorithm // prettier-ignore function sqrt9mod16(P) { const Fp_ = Field(P); const tn = tonelliShanks(P); const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); // 1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F const c2 = tn(Fp_, c1); // 2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F const c3 = tn(Fp_, Fp_.neg(c1)); // 3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F const c4 = (P + _7n) / _16n; // 4. c4 = (q + 7) / 16 # Integer arithmetic return (Fp, n) => { let tv1 = Fp.pow(n, c4); // 1. tv1 = x^c4 let tv2 = Fp.mul(tv1, c1); // 2. tv2 = c1 * tv1 const tv3 = Fp.mul(tv1, c2); // 3. tv3 = c2 * tv1 const tv4 = Fp.mul(tv1, c3); // 4. tv4 = c3 * tv1 const e1 = Fp.eql(Fp.sqr(tv2), n); // 5. e1 = (tv2^2) == x const e2 = Fp.eql(Fp.sqr(tv3), n); // 6. e2 = (tv3^2) == x tv1 = Fp.cmov(tv1, tv2, e1); // 7. tv1 = CMOV(tv1, tv2, e1) # Select tv2 if (tv2^2) == x tv2 = Fp.cmov(tv4, tv3, e2); // 8. tv2 = CMOV(tv4, tv3, e2) # Select tv3 if (tv3^2) == x const e3 = Fp.eql(Fp.sqr(tv2), n); // 9. e3 = (tv2^2) == x const root = Fp.cmov(tv1, tv2, e3); // 10. z = CMOV(tv1, tv2, e3) # Select sqrt from tv1 & tv2 assertIsSquare(Fp, root, n); return root; }; } /** * Tonelli-Shanks square root search algorithm. * 1. https://eprint.iacr.org/2012/685.pdf (page 12) * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks * @param P field order * @returns function that takes field Fp (created from P) and number n */ function tonelliShanks(P) { // Initialization (precomputation). // Caching initialization could boost perf by 7%. if (P < _3n$1) throw new Error('sqrt is not defined for small field'); // Factor P - 1 = Q * 2^S, where Q is odd let Q = P - _1n$2; let S = 0; while (Q % _2n$2 === _0n$2) { Q /= _2n$2; S++; } // Find the first quadratic non-residue Z >= 2 let Z = _2n$2; const _Fp = Field(P); while (FpLegendre(_Fp, Z) === 1) { // Basic primality test for P. After x iterations, chance of // not finding quadratic non-residue is 2^x, so 2^1000. if (Z++ > 1000) throw new Error('Cannot find square root: probably non-prime P'); } // Fast-path; usually done before Z, but we do "primality test". if (S === 1) return sqrt3mod4; // Slow-path // TODO: test on Fp2 and others let cc = _Fp.pow(Z, Q); // c = z^Q const Q1div2 = (Q + _1n$2) / _2n$2; return function tonelliSlow(Fp, n) { if (Fp.is0(n)) return n; // Check if n is a quadratic residue using Legendre symbol if (FpLegendre(Fp, n) !== 1) throw new Error('Cannot find square root'); // Initialize variables for the main loop let M = S; let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root // Main loop // while t != 1 while (!Fp.eql(t, Fp.ONE)) { if (Fp.is0(t)) return Fp.ZERO; // if t=0 return R=0 let i = 1; // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P) let t_tmp = Fp.sqr(t); // t^(2^1) while (!Fp.eql(t_tmp, Fp.ONE)) { i++; t_tmp = Fp.sqr(t_tmp); // t^(2^2)... if (i === M) throw new Error('Cannot find square root'); } // Calculate the exponent for b: 2^(M - i - 1) const exponent = _1n$2 << BigInt(M - i - 1); // bigint is important const b = Fp.pow(c, exponent); // b = 2^(M - i - 1) // Update variables M = i; c = Fp.sqr(b); // c = b^2 t = Fp.mul(t, c); // t = (t * b^2) R = Fp.mul(R, b); // R = R*b } return R; }; } /** * Square root for a finite field. Will try optimized versions first: * * 1. P ≡ 3 (mod 4) * 2. P ≡ 5 (mod 8) * 3. P ≡ 9 (mod 16) * 4. Tonelli-Shanks algorithm * * Different algorithms can give different roots, it is up to user to decide which one they want. * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve). */ function FpSqrt(P) { // P ≡ 3 (mod 4) => √n = n^((P+1)/4) if (P % _4n$1 === _3n$1) return sqrt3mod4; // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf if (P % _8n === _5n)