92e62532b6cdf5950aed29e7f64bbda6f554a8adf40710a68f48c91701e3bdad.json raw

   1  {"ast":null,"code":"/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */\nimport { sha256 } from '@noble/hashes/sha256';\nimport { randomBytes } from '@noble/hashes/utils';\nimport { Field, mod, pow2 } from './abstract/modular.js';\nimport { mapToCurveSimpleSWU } from './abstract/weierstrass.js';\nimport { bytesToNumberBE, concatBytes, ensureBytes, numberToBytesBE } from './abstract/utils.js';\nimport { createHasher, isogenyMap } from './abstract/hash-to-curve.js';\nimport { createCurve } from './_shortw_utils.js';\nconst secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');\nconst secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');\nconst _1n = BigInt(1);\nconst _2n = BigInt(2);\nconst divNearest = (a, b) => (a + b / _2n) / b;\n/**\n * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.\n * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]\n */\nfunction sqrtMod(y) {\n  const P = secp256k1P;\n  // prettier-ignore\n  const _3n = BigInt(3),\n    _6n = BigInt(6),\n    _11n = BigInt(11),\n    _22n = BigInt(22);\n  // prettier-ignore\n  const _23n = BigInt(23),\n    _44n = BigInt(44),\n    _88n = BigInt(88);\n  const b2 = y * y * y % P; // x^3, 11\n  const b3 = b2 * b2 * y % P; // x^7\n  const b6 = pow2(b3, _3n, P) * b3 % P;\n  const b9 = pow2(b6, _3n, P) * b3 % P;\n  const b11 = pow2(b9, _2n, P) * b2 % P;\n  const b22 = pow2(b11, _11n, P) * b11 % P;\n  const b44 = pow2(b22, _22n, P) * b22 % P;\n  const b88 = pow2(b44, _44n, P) * b44 % P;\n  const b176 = pow2(b88, _88n, P) * b88 % P;\n  const b220 = pow2(b176, _44n, P) * b44 % P;\n  const b223 = pow2(b220, _3n, P) * b3 % P;\n  const t1 = pow2(b223, _23n, P) * b22 % P;\n  const t2 = pow2(t1, _6n, P) * b2 % P;\n  const root = pow2(t2, _2n, P);\n  if (!Fp.eql(Fp.sqr(root), y)) throw new Error('Cannot find square root');\n  return root;\n}\nconst Fp = Field(secp256k1P, undefined, undefined, {\n  sqrt: sqrtMod\n});\nexport const secp256k1 = createCurve({\n  a: BigInt(0),\n  b: BigInt(7),\n  Fp,\n  n: secp256k1N,\n  // Base point (x, y) aka generator point\n  Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),\n  Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),\n  h: BigInt(1),\n  lowS: true,\n  /**\n   * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.\n   * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.\n   * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.\n   * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066\n   */\n  endo: {\n    beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),\n    splitScalar: k => {\n      const n = secp256k1N;\n      const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');\n      const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');\n      const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');\n      const b2 = a1;\n      const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)\n      const c1 = divNearest(b2 * k, n);\n      const c2 = divNearest(-b1 * k, n);\n      let k1 = mod(k - c1 * a1 - c2 * a2, n);\n      let k2 = mod(-c1 * b1 - c2 * b2, n);\n      const k1neg = k1 > POW_2_128;\n      const k2neg = k2 > POW_2_128;\n      if (k1neg) k1 = n - k1;\n      if (k2neg) k2 = n - k2;\n      if (k1 > POW_2_128 || k2 > POW_2_128) {\n        throw new Error('splitScalar: Endomorphism failed, k=' + k);\n      }\n      return {\n        k1neg,\n        k1,\n        k2neg,\n        k2\n      };\n    }\n  }\n}, sha256);\n// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.\n// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki\nconst _0n = BigInt(0);\nconst fe = x => typeof x === 'bigint' && _0n < x && x < secp256k1P;\nconst ge = x => typeof x === 'bigint' && _0n < x && x < secp256k1N;\n/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */\nconst TAGGED_HASH_PREFIXES = {};\nfunction taggedHash(tag, ...messages) {\n  let tagP = TAGGED_HASH_PREFIXES[tag];\n  if (tagP === undefined) {\n    const tagH = sha256(Uint8Array.from(tag, c => c.charCodeAt(0)));\n    tagP = concatBytes(tagH, tagH);\n    TAGGED_HASH_PREFIXES[tag] = tagP;\n  }\n  return sha256(concatBytes(tagP, ...messages));\n}\n// ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03\nconst pointToBytes = point => point.toRawBytes(true).slice(1);\nconst numTo32b = n => numberToBytesBE(n, 32);\nconst modP = x => mod(x, secp256k1P);\nconst modN = x => mod(x, secp256k1N);\nconst Point = secp256k1.ProjectivePoint;\nconst GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);\n// Calculate point, scalar and bytes\nfunction schnorrGetExtPubKey(priv) {\n  let d_ = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey\n  let p = Point.fromPrivateKey(d_); // P = d'⋅G; 0 < d' < n check is done inside\n  const scalar = p.hasEvenY() ? d_ : modN(-d_);\n  return {\n    scalar: scalar,\n    bytes: pointToBytes(p)\n  };\n}\n/**\n * lift_x from BIP340. Convert 32-byte x coordinate to elliptic curve point.\n * @returns valid point checked for being on-curve\n */\nfunction lift_x(x) {\n  if (!fe(x)) throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.\n  const xx = modP(x * x);\n  const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.\n  let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.\n  if (y % _2n !== _0n) y = modP(-y); // Return the unique point P such that x(P) = x and\n  const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.\n  p.assertValidity();\n  return p;\n}\n/**\n * Create tagged hash, convert it to bigint, reduce modulo-n.\n */\nfunction challenge(...args) {\n  return modN(bytesToNumberBE(taggedHash('BIP0340/challenge', ...args)));\n}\n/**\n * Schnorr public key is just `x` coordinate of Point as per BIP340.\n */\nfunction schnorrGetPublicKey(privateKey) {\n  return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)\n}\n/**\n * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.\n * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.\n */\nfunction schnorrSign(message, privateKey, auxRand = randomBytes(32)) {\n  const m = ensureBytes('message', message);\n  const {\n    bytes: px,\n    scalar: d\n  } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder\n  const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array\n  const t = numTo32b(d ^ bytesToNumberBE(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)\n  const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)\n  const k_ = modN(bytesToNumberBE(rand)); // Let k' = int(rand) mod n\n  if (k_ === _0n) throw new Error('sign failed: k is zero'); // Fail if k' = 0.\n  const {\n    bytes: rx,\n    scalar: k\n  } = schnorrGetExtPubKey(k_); // Let R = k'⋅G.\n  const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.\n  const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).\n  sig.set(rx, 0);\n  sig.set(numTo32b(modN(k + e * d)), 32);\n  // If Verify(bytes(P), m, sig) (see below) returns failure, abort\n  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');\n  return sig;\n}\n/**\n * Verifies Schnorr signature.\n * Will swallow errors & return false except for initial type validation of arguments.\n */\nfunction schnorrVerify(signature, message, publicKey) {\n  const sig = ensureBytes('signature', signature, 64);\n  const m = ensureBytes('message', message);\n  const pub = ensureBytes('publicKey', publicKey, 32);\n  try {\n    const P = lift_x(bytesToNumberBE(pub)); // P = lift_x(int(pk)); fail if that fails\n    const r = bytesToNumberBE(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.\n    if (!fe(r)) return false;\n    const s = bytesToNumberBE(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.\n    if (!ge(s)) return false;\n    const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n\n    const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P\n    if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false; // -eP == (n-e)P\n    return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.\n  } catch (error) {\n    return false;\n  }\n}\nexport const schnorr = /* @__PURE__ */(() => ({\n  getPublicKey: schnorrGetPublicKey,\n  sign: schnorrSign,\n  verify: schnorrVerify,\n  utils: {\n    randomPrivateKey: secp256k1.utils.randomPrivateKey,\n    lift_x,\n    pointToBytes,\n    numberToBytesBE,\n    bytesToNumberBE,\n    taggedHash,\n    mod\n  }\n}))();\nconst isoMap = /* @__PURE__ */(() => isogenyMap(Fp, [\n// xNum\n['0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7', '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581', '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262', '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c'],\n// xDen\n['0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b', '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14', '0x0000000000000000000000000000000000000000000000000000000000000001' // LAST 1\n],\n// yNum\n['0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c', '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3', '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931', '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84'],\n// yDen\n['0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b', '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573', '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f', '0x0000000000000000000000000000000000000000000000000000000000000001' // LAST 1\n]].map(i => i.map(j => BigInt(j)))))();\nconst mapSWU = /* @__PURE__ */(() => mapToCurveSimpleSWU(Fp, {\n  A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),\n  B: BigInt('1771'),\n  Z: Fp.create(BigInt('-11'))\n}))();\nconst htf = /* @__PURE__ */(() => createHasher(secp256k1.ProjectivePoint, scalars => {\n  const {\n    x,\n    y\n  } = mapSWU(Fp.create(scalars[0]));\n  return isoMap(x, y);\n}, {\n  DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',\n  encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',\n  p: Fp.ORDER,\n  m: 1,\n  k: 128,\n  expand: 'xmd',\n  hash: sha256\n}))();\nexport const hashToCurve = /* @__PURE__ */(() => htf.hashToCurve)();\nexport const encodeToCurve = /* @__PURE__ */(() => htf.encodeToCurve)();\n//# sourceMappingURL=secp256k1.js.map","map":null,"metadata":{},"sourceType":"module","externalDependencies":[]}