
   1  {"ast":null,"code":"\"use strict\";\n\nObject.defineProperty(exports, \"__esModule\", {\n  value: true\n});\nexports.encodeToCurve = exports.hashToCurve = exports.secp256k1_hasher = exports.schnorr = exports.secp256k1 = void 0;\n/**\n * SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).\n *\n * Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,\n * check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).\n * @module\n */\n/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nconst sha2_js_1 = require(\"@noble/hashes/sha2.js\");\nconst utils_js_1 = require(\"@noble/hashes/utils.js\");\nconst _shortw_utils_ts_1 = require(\"./_shortw_utils.js\");\nconst hash_to_curve_ts_1 = require(\"./abstract/hash-to-curve.js\");\nconst modular_ts_1 = require(\"./abstract/modular.js\");\nconst weierstrass_ts_1 = require(\"./abstract/weierstrass.js\");\nconst utils_ts_1 = require(\"./utils.js\");\n// Seems like generator was produced from some seed:\n// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`\n// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n\nconst secp256k1_CURVE = {\n  p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),\n  n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),\n  h: BigInt(1),\n  a: BigInt(0),\n  b: BigInt(7),\n  Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),\n  Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8')\n};\nconst secp256k1_ENDO = {\n  beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),\n  basises: [[BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')], [BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')]]\n};\nconst _0n = /* @__PURE__ */BigInt(0);\nconst _1n = /* @__PURE__ */BigInt(1);\nconst _2n = /* @__PURE__ 
*/BigInt(2);\n/**\n * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.\n * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]\n */\nfunction sqrtMod(y) {\n  const P = secp256k1_CURVE.p;\n  // prettier-ignore\n  const _3n = BigInt(3),\n    _6n = BigInt(6),\n    _11n = BigInt(11),\n    _22n = BigInt(22);\n  // prettier-ignore\n  const _23n = BigInt(23),\n    _44n = BigInt(44),\n    _88n = BigInt(88);\n  const b2 = y * y * y % P; // x^3, 11\n  const b3 = b2 * b2 * y % P; // x^7\n  const b6 = (0, modular_ts_1.pow2)(b3, _3n, P) * b3 % P;\n  const b9 = (0, modular_ts_1.pow2)(b6, _3n, P) * b3 % P;\n  const b11 = (0, modular_ts_1.pow2)(b9, _2n, P) * b2 % P;\n  const b22 = (0, modular_ts_1.pow2)(b11, _11n, P) * b11 % P;\n  const b44 = (0, modular_ts_1.pow2)(b22, _22n, P) * b22 % P;\n  const b88 = (0, modular_ts_1.pow2)(b44, _44n, P) * b44 % P;\n  const b176 = (0, modular_ts_1.pow2)(b88, _88n, P) * b88 % P;\n  const b220 = (0, modular_ts_1.pow2)(b176, _44n, P) * b44 % P;\n  const b223 = (0, modular_ts_1.pow2)(b220, _3n, P) * b3 % P;\n  const t1 = (0, modular_ts_1.pow2)(b223, _23n, P) * b22 % P;\n  const t2 = (0, modular_ts_1.pow2)(t1, _6n, P) * b2 % P;\n  const root = (0, modular_ts_1.pow2)(t2, _2n, P);\n  if (!Fpk1.eql(Fpk1.sqr(root), y)) throw new Error('Cannot find square root');\n  return root;\n}\nconst Fpk1 = (0, modular_ts_1.Field)(secp256k1_CURVE.p, {\n  sqrt: sqrtMod\n});\n/**\n * secp256k1 curve, ECDSA and ECDH methods.\n *\n * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`\n *\n * @example\n * ```js\n * import { secp256k1 } from '@noble/curves/secp256k1';\n * const { secretKey, publicKey } = secp256k1.keygen();\n * const msg = new TextEncoder().encode('hello');\n * const sig = secp256k1.sign(msg, secretKey);\n * const isValid = secp256k1.verify(sig, msg, publicKey) === true;\n * ```\n */\nexports.secp256k1 = (0, _shortw_utils_ts_1.createCurve)({\n  ...secp256k1_CURVE,\n  Fp: 
Fpk1,\n  lowS: true,\n  endo: secp256k1_ENDO\n}, sha2_js_1.sha256);\n// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.\n// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki\n/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */\nconst TAGGED_HASH_PREFIXES = {};\nfunction taggedHash(tag, ...messages) {\n  let tagP = TAGGED_HASH_PREFIXES[tag];\n  if (tagP === undefined) {\n    const tagH = (0, sha2_js_1.sha256)((0, utils_ts_1.utf8ToBytes)(tag));\n    tagP = (0, utils_ts_1.concatBytes)(tagH, tagH);\n    TAGGED_HASH_PREFIXES[tag] = tagP;\n  }\n  return (0, sha2_js_1.sha256)((0, utils_ts_1.concatBytes)(tagP, ...messages));\n}\n// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03\nconst pointToBytes = point => point.toBytes(true).slice(1);\nconst Pointk1 = /* @__PURE__ */(() => exports.secp256k1.Point)();\nconst hasEven = y => y % _2n === _0n;\n// Calculate point, scalar and bytes\nfunction schnorrGetExtPubKey(priv) {\n  const {\n    Fn,\n    BASE\n  } = Pointk1;\n  const d_ = (0, weierstrass_ts_1._normFnElement)(Fn, priv);\n  const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside\n  const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);\n  return {\n    scalar,\n    bytes: pointToBytes(p)\n  };\n}\n/**\n * lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.\n * @returns valid point checked for being on-curve\n */\nfunction lift_x(x) {\n  const Fp = Fpk1;\n  if (!Fp.isValidNot0(x)) throw new Error('invalid x: Fail if x ≥ p');\n  const xx = Fp.create(x * x);\n  const c = Fp.create(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.\n  let y = Fp.sqrt(c); // Let y = c^(p+1)/4 mod p. 
Same as sqrt().\n  // Return the unique point P such that x(P) = x and\n  // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.\n  if (!hasEven(y)) y = Fp.neg(y);\n  const p = Pointk1.fromAffine({\n    x,\n    y\n  });\n  p.assertValidity();\n  return p;\n}\nconst num = utils_ts_1.bytesToNumberBE;\n/**\n * Create tagged hash, convert it to bigint, reduce modulo-n.\n */\nfunction challenge(...args) {\n  return Pointk1.Fn.create(num(taggedHash('BIP0340/challenge', ...args)));\n}\n/**\n * Schnorr public key is just `x` coordinate of Point as per BIP340.\n */\nfunction schnorrGetPublicKey(secretKey) {\n  return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)\n}\n/**\n * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.\n * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.\n */\nfunction schnorrSign(message, secretKey, auxRand = (0, utils_js_1.randomBytes)(32)) {\n  const {\n    Fn\n  } = Pointk1;\n  const m = (0, utils_ts_1.ensureBytes)('message', message);\n  const {\n    bytes: px,\n    scalar: d\n  } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder\n  const a = (0, utils_ts_1.ensureBytes)('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array\n  const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)\n  const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)\n  // Let k' = int(rand) mod n. Fail if k' = 0. 
Let R = k'⋅G\n  const {\n    bytes: rx,\n    scalar: k\n  } = schnorrGetExtPubKey(rand);\n  const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.\n  const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).\n  sig.set(rx, 0);\n  sig.set(Fn.toBytes(Fn.create(k + e * d)), 32);\n  // If Verify(bytes(P), m, sig) (see below) returns failure, abort\n  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');\n  return sig;\n}\n/**\n * Verifies Schnorr signature.\n * Will swallow errors & return false except for initial type validation of arguments.\n */\nfunction schnorrVerify(signature, message, publicKey) {\n  const {\n    Fn,\n    BASE\n  } = Pointk1;\n  const sig = (0, utils_ts_1.ensureBytes)('signature', signature, 64);\n  const m = (0, utils_ts_1.ensureBytes)('message', message);\n  const pub = (0, utils_ts_1.ensureBytes)('publicKey', publicKey, 32);\n  try {\n    const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails\n    const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.\n    if (!(0, utils_ts_1.inRange)(r, _1n, secp256k1_CURVE.p)) return false;\n    const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.\n    if (!(0, utils_ts_1.inRange)(s, _1n, secp256k1_CURVE.n)) return false;\n    // int(challenge(bytes(r)||bytes(P)||m))%n\n    const e = challenge(Fn.toBytes(r), pointToBytes(P), m);\n    // R = s⋅G - e⋅P, where -eP == (n-e)P\n    const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));\n    const {\n      x,\n      y\n    } = R.toAffine();\n    // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.\n    if (R.is0() || !hasEven(y) || x !== r) return false;\n    return true;\n  } catch (error) {\n    return false;\n  }\n}\n/**\n * Schnorr signatures over secp256k1.\n * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki\n * @example\n * ```js\n * import { schnorr } from 
'@noble/curves/secp256k1';\n * const { secretKey, publicKey } = schnorr.keygen();\n * // const publicKey = schnorr.getPublicKey(secretKey);\n * const msg = new TextEncoder().encode('hello');\n * const sig = schnorr.sign(msg, secretKey);\n * const isValid = schnorr.verify(sig, msg, publicKey);\n * ```\n */\nexports.schnorr = (() => {\n  const size = 32;\n  const seedLength = 48;\n  const randomSecretKey = (seed = (0, utils_js_1.randomBytes)(seedLength)) => {\n    return (0, modular_ts_1.mapHashToField)(seed, secp256k1_CURVE.n);\n  };\n  // TODO: remove\n  exports.secp256k1.utils.randomSecretKey;\n  function keygen(seed) {\n    const secretKey = randomSecretKey(seed);\n    return {\n      secretKey,\n      publicKey: schnorrGetPublicKey(secretKey)\n    };\n  }\n  return {\n    keygen,\n    getPublicKey: schnorrGetPublicKey,\n    sign: schnorrSign,\n    verify: schnorrVerify,\n    Point: Pointk1,\n    utils: {\n      randomSecretKey: randomSecretKey,\n      randomPrivateKey: randomSecretKey,\n      taggedHash,\n      // TODO: remove\n      lift_x,\n      pointToBytes,\n      numberToBytesBE: utils_ts_1.numberToBytesBE,\n      bytesToNumberBE: utils_ts_1.bytesToNumberBE,\n      mod: modular_ts_1.mod\n    },\n    lengths: {\n      secretKey: size,\n      publicKey: size,\n      publicKeyHasPrefix: false,\n      signature: size * 2,\n      seed: seedLength\n    }\n  };\n})();\nconst isoMap = /* @__PURE__ */(() => (0, hash_to_curve_ts_1.isogenyMap)(Fpk1, [\n// xNum\n['0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7', '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581', '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262', '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c'],\n// xDen\n['0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b', '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14', '0x0000000000000000000000000000000000000000000000000000000000000001' // LAST 
1\n],\n// yNum\n['0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c', '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3', '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931', '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84'],\n// yDen\n['0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b', '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573', '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f', '0x0000000000000000000000000000000000000000000000000000000000000001' // LAST 1\n]].map(i => i.map(j => BigInt(j)))))();\nconst mapSWU = /* @__PURE__ */(() => (0, weierstrass_ts_1.mapToCurveSimpleSWU)(Fpk1, {\n  A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),\n  B: BigInt('1771'),\n  Z: Fpk1.create(BigInt('-11'))\n}))();\n/** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */\nexports.secp256k1_hasher = (() => (0, hash_to_curve_ts_1.createHasher)(exports.secp256k1.Point, scalars => {\n  const {\n    x,\n    y\n  } = mapSWU(Fpk1.create(scalars[0]));\n  return isoMap(x, y);\n}, {\n  DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',\n  encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',\n  p: Fpk1.ORDER,\n  m: 1,\n  k: 128,\n  expand: 'xmd',\n  hash: sha2_js_1.sha256\n}))();\n/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */\nexports.hashToCurve = (() => exports.secp256k1_hasher.hashToCurve)();\n/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */\nexports.encodeToCurve = (() => exports.secp256k1_hasher.encodeToCurve)();\n//# sourceMappingURL=secp256k1.js.map","map":null,"metadata":{},"sourceType":"script","externalDependencies":[]}