33995e9ba6394b6f4f86af834c52cdc661dbb53423ce7a36df15fbaf8ce4046e.json raw

   1  {"ast":null,"code":"import { mod } from './modular.js';\nimport { bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.js';\nfunction validateDST(dst) {\n  if (dst instanceof Uint8Array) return dst;\n  if (typeof dst === 'string') return utf8ToBytes(dst);\n  throw new Error('DST must be Uint8Array or string');\n}\n// Octet Stream to Integer. \"spec\" implementation of os2ip is 2.5x slower vs bytesToNumberBE.\nconst os2ip = bytesToNumberBE;\n// Integer to Octet Stream (numberToBytesBE)\nfunction i2osp(value, length) {\n  if (value < 0 || value >= 1 << 8 * length) {\n    throw new Error(`bad I2OSP call: value=${value} length=${length}`);\n  }\n  const res = Array.from({\n    length\n  }).fill(0);\n  for (let i = length - 1; i >= 0; i--) {\n    res[i] = value & 0xff;\n    value >>>= 8;\n  }\n  return new Uint8Array(res);\n}\nfunction strxor(a, b) {\n  const arr = new Uint8Array(a.length);\n  for (let i = 0; i < a.length; i++) {\n    arr[i] = a[i] ^ b[i];\n  }\n  return arr;\n}\nfunction isBytes(item) {\n  if (!(item instanceof Uint8Array)) throw new Error('Uint8Array expected');\n}\nfunction isNum(item) {\n  if (!Number.isSafeInteger(item)) throw new Error('number expected');\n}\n// Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits\n// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1\nexport function expand_message_xmd(msg, DST, lenInBytes, H) {\n  isBytes(msg);\n  isBytes(DST);\n  isNum(lenInBytes);\n  // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3\n  if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));\n  const {\n    outputLen: b_in_bytes,\n    blockLen: r_in_bytes\n  } = H;\n  const ell = Math.ceil(lenInBytes / b_in_bytes);\n  if (ell > 255) throw new Error('Invalid xmd length');\n  const DST_prime = concatBytes(DST, i2osp(DST.length, 1));\n  const Z_pad = i2osp(0, r_in_bytes);\n  const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str\n  const b = new Array(ell);\n  const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));\n  b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));\n  for (let i = 1; i <= ell; i++) {\n    const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];\n    b[i] = H(concatBytes(...args));\n  }\n  const pseudo_random_bytes = concatBytes(...b);\n  return pseudo_random_bytes.slice(0, lenInBytes);\n}\n// Produces a uniformly random byte string using an extendable-output function (XOF) H.\n// 1. The collision resistance of H MUST be at least k bits.\n// 2. H MUST be an XOF that has been proved indifferentiable from\n//    a random oracle under a reasonable cryptographic assumption.\n// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2\nexport function expand_message_xof(msg, DST, lenInBytes, k, H) {\n  isBytes(msg);\n  isBytes(DST);\n  isNum(lenInBytes);\n  // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3\n  // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));\n  if (DST.length > 255) {\n    const dkLen = Math.ceil(2 * k / 8);\n    DST = H.create({\n      dkLen\n    }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();\n  }\n  if (lenInBytes > 65535 || DST.length > 255) throw new Error('expand_message_xof: invalid lenInBytes');\n  return H.create({\n    dkLen: lenInBytes\n  }).update(msg).update(i2osp(lenInBytes, 2))\n  // 2. DST_prime = DST || I2OSP(len(DST), 1)\n  .update(DST).update(i2osp(DST.length, 1)).digest();\n}\n/**\n * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F\n * https://www.rfc-editor.org/rfc/rfc9380#section-5.2\n * @param msg a byte string containing the message to hash\n * @param count the number of elements of F to output\n * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above\n * @returns [u_0, ..., u_(count - 1)], a list of field elements.\n */\nexport function hash_to_field(msg, count, options) {\n  validateObject(options, {\n    DST: 'stringOrUint8Array',\n    p: 'bigint',\n    m: 'isSafeInteger',\n    k: 'isSafeInteger',\n    hash: 'hash'\n  });\n  const {\n    p,\n    k,\n    m,\n    hash,\n    expand,\n    DST: _DST\n  } = options;\n  isBytes(msg);\n  isNum(count);\n  const DST = validateDST(_DST);\n  const log2p = p.toString(2).length;\n  const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above\n  const len_in_bytes = count * m * L;\n  let prb; // pseudo_random_bytes\n  if (expand === 'xmd') {\n    prb = expand_message_xmd(msg, DST, len_in_bytes, hash);\n  } else if (expand === 'xof') {\n    prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);\n  } else if (expand === '_internal_pass') {\n    // for internal tests only\n    prb = msg;\n  } else {\n    throw new Error('expand must be \"xmd\" or \"xof\"');\n  }\n  const u = new Array(count);\n  for (let i = 0; i < count; i++) {\n    const e = new Array(m);\n    for (let j = 0; j < m; j++) {\n      const elm_offset = L * (j + i * m);\n      const tv = prb.subarray(elm_offset, elm_offset + L);\n      e[j] = mod(os2ip(tv), p);\n    }\n    u[i] = e;\n  }\n  return u;\n}\nexport function isogenyMap(field, map) {\n  // Make same order as in spec\n  const COEFF = map.map(i => Array.from(i).reverse());\n  return (x, y) => {\n    const [xNum, xDen, yNum, yDen] = COEFF.map(val => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));\n    x = field.div(xNum, xDen); // xNum / xDen\n    y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)\n    return {\n      x,\n      y\n    };\n  };\n}\nexport function createHasher(Point, mapToCurve, def) {\n  if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');\n  return {\n    // Encodes byte string to elliptic curve.\n    // hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3\n    hashToCurve(msg, options) {\n      const u = hash_to_field(msg, 2, {\n        ...def,\n        DST: def.DST,\n        ...options\n      });\n      const u0 = Point.fromAffine(mapToCurve(u[0]));\n      const u1 = Point.fromAffine(mapToCurve(u[1]));\n      const P = u0.add(u1).clearCofactor();\n      P.assertValidity();\n      return P;\n    },\n    // Encodes byte string to elliptic curve.\n    // encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3\n    encodeToCurve(msg, options) {\n      const u = hash_to_field(msg, 1, {\n        ...def,\n        DST: def.encodeDST,\n        ...options\n      });\n      const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();\n      P.assertValidity();\n      return P;\n    }\n  };\n}\n//# sourceMappingURL=hash-to-curve.js.map","map":null,"metadata":{},"sourceType":"module","externalDependencies":[]}