forked from paulmillr/noble-secp256k1
-
Notifications
You must be signed in to change notification settings - Fork 1
/
index.ts
1605 lines (1456 loc) · 53.6 KB
/
index.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*! noble-secp256k1 - MIT License (c) 2019 Paul Miller (paulmillr.com) */
// https://www.secg.org/sec2-v2.pdf
// Uses built-in crypto module from node.js to generate randomness / hmac-sha256.
// In browser the line is automatically removed during build time: uses crypto.subtle instead.
import nodeCrypto from 'crypto';
// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
const _0n = BigInt(0);
const _1n = BigInt(1);
const _2n = BigInt(2);
const _3n = BigInt(3);
const _8n = BigInt(8);
// Curve fomula is y² = x³ + ax + b
const POW_2_256 = BigInt('115792089237316195423570985008687907853269984665640564039457584007913129639936');
const CURVE = {
// Params: a, b
a: _0n,
b: BigInt(7),
// Field over which we'll do calculations
P: POW_2_256 - BigInt('4294967296') - BigInt(977),
// Curve order, a number of valid points in the field
n: POW_2_256 - BigInt('432420386565659656852420866394968145599'),
// Cofactor. It's 1, so other subgroups don't exist, and default subgroup is prime-order
h: _1n,
// Base point (x, y) aka generator point
Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
// For endomorphism, see below
beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
};
// Cleaner js output if that's on a separate line.
export { CURVE };
/**
* y² = x³ + ax + b: Short weistrass curve formula
* @returns y²
*/
function weistrass(x: bigint): bigint {
const { a, b } = CURVE;
const x2 = mod(x * x);
const x3 = mod(x2 * x);
return mod(x3 + a * x + b);
}
// We accept hex strings besides Uint8Array for simplicity
type Hex = Uint8Array | string;
// Very few implementations accept numbers, we do it to ease learning curve
type PrivKey = Hex | bigint | number;
// 33/65-byte ECDSA key, or 32-byte Schnorr key - not interchangeable
type PubKey = Hex | Point;
// ECDSA signature
type Sig = Hex | Signature;
/**
* Always true for secp256k1.
* We're including it here if you'll want to reuse code to support
* different curve (e.g. secp256r1) - just set it to false then.
* Endomorphism only works for Koblitz curves with a == 0.
* It improves efficiency:
* Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
* Should always be used for Jacobian's double-and-add multiplication.
* For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
* https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
*/
const USE_ENDOMORPHISM = CURVE.a === _0n;
/**
* Jacobian Point works in 3d / jacobi coordinates: (x, y, z) ∋ (x=x/z², y=y/z³)
* Default Point works in 2d / affine coordinates: (x, y)
* We're doing calculations in jacobi, because its operations don't require costly inversion.
*/
class JacobianPoint {
constructor(readonly x: bigint, readonly y: bigint, readonly z: bigint) {}
static readonly BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n);
static readonly ZERO = new JacobianPoint(_0n, _1n, _0n);
static fromAffine(p: Point): JacobianPoint {
if (!(p instanceof Point)) {
throw new TypeError('JacobianPoint#fromAffine: expected Point');
}
return new JacobianPoint(p.x, p.y, _1n);
}
/**
* Takes a bunch of Jacobian Points but executes only one
* invert on all of them. invert is very slow operation,
* so this improves performance massively.
*/
static toAffineBatch(points: JacobianPoint[]): Point[] {
const toInv = invertBatch(points.map((p) => p.z));
return points.map((p, i) => p.toAffine(toInv[i]));
}
static normalizeZ(points: JacobianPoint[]): JacobianPoint[] {
return JacobianPoint.toAffineBatch(points).map(JacobianPoint.fromAffine);
}
/**
* Compare one point to another.
*/
equals(other: JacobianPoint): boolean {
if (!(other instanceof JacobianPoint)) throw new TypeError('JacobianPoint expected');
const { x: X1, y: Y1, z: Z1 } = this;
const { x: X2, y: Y2, z: Z2 } = other;
const Z1Z1 = mod(Z1 * Z1);
const Z2Z2 = mod(Z2 * Z2);
const U1 = mod(X1 * Z2Z2);
const U2 = mod(X2 * Z1Z1);
const S1 = mod(mod(Y1 * Z2) * Z2Z2);
const S2 = mod(mod(Y2 * Z1) * Z1Z1);
return U1 === U2 && S1 === S2;
}
/**
* Flips point to one corresponding to (x, -y) in Affine coordinates.
*/
negate(): JacobianPoint {
return new JacobianPoint(this.x, mod(-this.y), this.z);
}
// Fast algo for doubling 2 Jacobian Points when curve's a=0.
// Note: cannot be reused for other curves when a != 0.
// From: http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
// Cost: 2M + 5S + 6add + 3*2 + 1*3 + 1*8.
double(): JacobianPoint {
const { x: X1, y: Y1, z: Z1 } = this;
const A = mod(X1 * X1);
const B = mod(Y1 * Y1);
const C = mod(B * B);
const D = mod(_2n * (mod((X1 + B) * (X1 + B)) - A - C));
const E = mod(_3n * A);
const F = mod(E * E);
const X3 = mod(F - _2n * D);
const Y3 = mod(E * (D - X3) - _8n * C);
const Z3 = mod(_2n * Y1 * Z1);
return new JacobianPoint(X3, Y3, Z3);
}
// Fast algo for adding 2 Jacobian Points when curve's a=0.
// Note: cannot be reused for other curves when a != 0.
// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#addition-add-1998-cmo-2
// Cost: 12M + 4S + 6add + 1*2.
// Note: 2007 Bernstein-Lange (11M + 5S + 9add + 4*2) is actually 10% slower.
add(other: JacobianPoint): JacobianPoint {
if (!(other instanceof JacobianPoint)) throw new TypeError('JacobianPoint expected');
const { x: X1, y: Y1, z: Z1 } = this;
const { x: X2, y: Y2, z: Z2 } = other;
if (X2 === _0n || Y2 === _0n) return this;
if (X1 === _0n || Y1 === _0n) return other;
// We're using same code in equals()
const Z1Z1 = mod(Z1 * Z1);
const Z2Z2 = mod(Z2 * Z2);
const U1 = mod(X1 * Z2Z2);
const U2 = mod(X2 * Z1Z1);
const S1 = mod(mod(Y1 * Z2) * Z2Z2);
const S2 = mod(mod(Y2 * Z1) * Z1Z1);
const H = mod(U2 - U1);
const r = mod(S2 - S1);
// H = 0 meaning it's the same point.
if (H === _0n) {
if (r === _0n) {
return this.double();
} else {
return JacobianPoint.ZERO;
}
}
const HH = mod(H * H);
const HHH = mod(H * HH);
const V = mod(U1 * HH);
const X3 = mod(r * r - HHH - _2n * V);
const Y3 = mod(r * (V - X3) - S1 * HHH);
const Z3 = mod(Z1 * Z2 * H);
return new JacobianPoint(X3, Y3, Z3);
}
subtract(other: JacobianPoint) {
return this.add(other.negate());
}
/**
* Non-constant-time multiplication. Uses double-and-add algorithm.
* It's faster, but should only be used when you don't care about
* an exposed private key e.g. sig verification, which works over *public* keys.
*/
multiplyUnsafe(scalar: bigint): JacobianPoint {
let n = normalizeScalar(scalar);
const G = JacobianPoint.BASE;
const P0 = JacobianPoint.ZERO;
if (n === _0n) return P0;
if (n === _1n) return this;
// The condition is not executed unless you change global var
if (!USE_ENDOMORPHISM) {
let p = P0;
let d: JacobianPoint = this;
while (n > _0n) {
if (n & _1n) p = p.add(d);
d = d.double();
n >>= _1n;
}
return p;
}
let { k1neg, k1, k2neg, k2 } = splitScalarEndo(n);
let k1p = P0;
let k2p = P0;
let d: JacobianPoint = this;
while (k1 > _0n || k2 > _0n) {
if (k1 & _1n) k1p = k1p.add(d);
if (k2 & _1n) k2p = k2p.add(d);
d = d.double();
k1 >>= _1n;
k2 >>= _1n;
}
if (k1neg) k1p = k1p.negate();
if (k2neg) k2p = k2p.negate();
k2p = new JacobianPoint(mod(k2p.x * CURVE.beta), k2p.y, k2p.z);
return k1p.add(k2p);
}
/**
* Creates a wNAF precomputation window. Used for caching.
* Default window size is set by `utils.precompute()` and is equal to 8.
* Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
* @returns 65K precomputed points, depending on W
*/
private precomputeWindow(W: number): JacobianPoint[] {
// splitScalarEndo could return 129-bit numbers, so we need at least 128 / W + 1
const windows = USE_ENDOMORPHISM ? 128 / W + 1 : 256 / W + 1;
const points: JacobianPoint[] = [];
let p: JacobianPoint = this;
let base = p;
for (let window = 0; window < windows; window++) {
base = p;
points.push(base);
for (let i = 1; i < 2 ** (W - 1); i++) {
base = base.add(p);
points.push(base);
}
p = base.double();
}
return points;
}
/**
* Implements w-ary non-adjacent form for calculating ec multiplication.
* @param n
* @param affinePoint optional 2d point to save cached precompute windows on it.
* @returns real and fake (for const-time) points
*/
private wNAF(n: bigint, affinePoint?: Point): { p: JacobianPoint; f: JacobianPoint } {
if (!affinePoint && this.equals(JacobianPoint.BASE)) affinePoint = Point.BASE;
const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
if (256 % W) {
throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
}
// Calculate precomputes on a first run, reuse them after
let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
if (!precomputes) {
precomputes = this.precomputeWindow(W);
if (affinePoint && W !== 1) {
precomputes = JacobianPoint.normalizeZ(precomputes);
pointPrecomputes.set(affinePoint, precomputes);
}
}
// Initialize real and fake points for const-time
let p = JacobianPoint.ZERO;
let f = JacobianPoint.ZERO;
const windows = 1 + (USE_ENDOMORPHISM ? 128 / W : 256 / W); // W=8 17
const windowSize = 2 ** (W - 1); // W=8 128
const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b11111111 for W=8
const maxNumber = 2 ** W; // W=8 256
const shiftBy = BigInt(W); // W=8 8
for (let window = 0; window < windows; window++) {
const offset = window * windowSize;
// Extract W bits.
let wbits = Number(n & mask);
// Shift number by W bits.
n >>= shiftBy;
// If the bits are bigger than max size, we'll split those.
// +224 => 256 - 32
if (wbits > windowSize) {
wbits -= maxNumber;
n += _1n;
}
// Check if we're onto Zero point.
// Add random point inside current window to f.
if (wbits === 0) {
// The most important part for const-time getPublicKey
let pr = precomputes[offset];
if (window % 2) pr = pr.negate();
f = f.add(pr);
} else {
let cached = precomputes[offset + Math.abs(wbits) - 1];
if (wbits < 0) cached = cached.negate();
p = p.add(cached);
}
}
return { p, f };
}
/**
* Constant time multiplication.
* Uses wNAF method. Windowed method may be 10% faster,
* but takes 2x longer to generate and consumes 2x memory.
* @param scalar by which the point would be multiplied
* @param affinePoint optional point ot save cached precompute windows on it
* @returns New point
*/
multiply(scalar: number | bigint, affinePoint?: Point): JacobianPoint {
let n = normalizeScalar(scalar);
// Real point.
let point: JacobianPoint;
// Fake point, we use it to achieve constant-time multiplication.
let fake: JacobianPoint;
if (USE_ENDOMORPHISM) {
const { k1neg, k1, k2neg, k2 } = splitScalarEndo(n);
let { p: k1p, f: f1p } = this.wNAF(k1, affinePoint);
let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
if (k1neg) k1p = k1p.negate();
if (k2neg) k2p = k2p.negate();
k2p = new JacobianPoint(mod(k2p.x * CURVE.beta), k2p.y, k2p.z);
point = k1p.add(k2p);
fake = f1p.add(f2p);
} else {
const { p, f } = this.wNAF(n, affinePoint);
point = p;
fake = f;
}
// Normalize `z` for both points, but return only real one
return JacobianPoint.normalizeZ([point, fake])[0];
}
// Converts Jacobian point to affine (x, y) coordinates.
// Can accept precomputed Z^-1 - for example, from invertBatch.
// (x, y, z) ∋ (x=x/z², y=y/z³)
toAffine(invZ: bigint = invert(this.z)): Point {
const { x, y, z } = this;
const iz1 = invZ;
const iz2 = mod(iz1 * iz1);
const iz3 = mod(iz2 * iz1);
const ax = mod(x * iz2);
const ay = mod(y * iz3);
const zz = mod(z * iz1);
if (zz !== _1n) throw new Error('invZ was invalid');
return new Point(ax, ay);
}
}
// Stores precomputed values for points.
const pointPrecomputes = new WeakMap<Point, JacobianPoint[]>();
/**
* Default Point works in default aka affine coordinates: (x, y)
*/
export class Point {
/**
* Base point aka generator. public_key = Point.BASE * private_key
*/
static BASE: Point = new Point(CURVE.Gx, CURVE.Gy);
/**
* Identity point aka point at infinity. point = point + zero_point
*/
static ZERO: Point = new Point(_0n, _0n);
// We calculate precomputes for elliptic curve point multiplication
// using windowed method. This specifies window size and
// stores precomputed values. Usually only base point would be precomputed.
_WINDOW_SIZE?: number;
constructor(readonly x: bigint, readonly y: bigint) {}
// "Private method", don't use it directly
_setWindowSize(windowSize: number) {
this._WINDOW_SIZE = windowSize;
pointPrecomputes.delete(this);
}
/**
* Supports compressed Schnorr (32-byte) and ECDSA (33-byte) points
* @param bytes 32/33 bytes
* @returns Point instance
*/
private static fromCompressedHex(bytes: Uint8Array) {
const isShort = bytes.length === 32;
const x = bytesToNumber(isShort ? bytes : bytes.subarray(1));
if (!isValidFieldElement(x)) throw new Error('Point is not on curve');
const y2 = weistrass(x); // y² = x³ + ax + b
let y = sqrtMod(y2); // y = y² ^ (p+1)/4
const isYOdd = (y & _1n) === _1n;
if (isShort) {
// Schnorr
if (isYOdd) y = mod(-y);
} else {
// ECDSA
const isFirstByteOdd = (bytes[0] & 1) === 1;
if (isFirstByteOdd !== isYOdd) y = mod(-y);
}
const point = new Point(x, y);
point.assertValidity();
return point;
}
// Schnorr doesn't support uncompressed points, so this is only for ECDSA
private static fromUncompressedHex(bytes: Uint8Array) {
const x = bytesToNumber(bytes.subarray(1, 33));
const y = bytesToNumber(bytes.subarray(33, 65));
const point = new Point(x, y);
point.assertValidity();
return point;
}
/**
* Converts hash string or Uint8Array to Point.
* @param hex 32-byte (schnorr) or 33/65-byte (ECDSA) hex
*/
static fromHex(hex: Hex): Point {
const bytes = ensureBytes(hex);
const len = bytes.length;
const header = bytes[0];
if (len === 32 || (len === 33 && (header === 0x02 || header === 0x03))) {
return this.fromCompressedHex(bytes);
}
if (len === 65 && header === 0x04) return this.fromUncompressedHex(bytes);
throw new Error(
`Point.fromHex: received invalid point. Expected 32-33 compressed bytes or 65 uncompressed bytes, not ${len}`
);
}
// Multiplies generator point by privateKey.
static fromPrivateKey(privateKey: PrivKey) {
return Point.BASE.multiply(normalizePrivateKey(privateKey));
}
/**
* Recovers public key from ECDSA signature.
* https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Public_key_recovery
* ```
* recover(r, s, h) where
* u1 = hs^-1 mod n
* u2 = sr^-1 mod n
* Q = u1⋅G + u2⋅R
* ```
*/
static fromSignature(msgHash: Hex, signature: Sig, recovery: number): Point {
msgHash = ensureBytes(msgHash);
const h = truncateHash(msgHash);
const { r, s } = normalizeSignature(signature);
if (recovery !== 0 && recovery !== 1) {
throw new Error('Cannot recover signature: invalid recovery bit');
}
if (h === _0n) throw new Error('Cannot recover signature: msgHash cannot be 0');
const prefix = recovery & 1 ? '03' : '02';
const R = Point.fromHex(prefix + numTo32bStr(r));
const { n } = CURVE;
const rinv = invert(r, n);
// Q = u1⋅G + u2⋅R
const u1 = mod(-h * rinv, n);
const u2 = mod(s * rinv, n);
const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2);
if (!Q) throw new Error('Cannot recover signature: point at infinify');
Q.assertValidity();
return Q;
}
toRawBytes(isCompressed = false): Uint8Array {
return hexToBytes(this.toHex(isCompressed));
}
toHex(isCompressed = false): string {
const x = numTo32bStr(this.x);
if (isCompressed) {
const prefix = this.y & _1n ? '03' : '02';
return `${prefix}${x}`;
} else {
return `04${x}${numTo32bStr(this.y)}`;
}
}
// Schnorr-related function
toHexX() {
return this.toHex(true).slice(2);
}
toRawX() {
return this.toRawBytes(true).slice(1);
}
// A point on curve is valid if it conforms to equation.
assertValidity(): void {
const msg = 'Point is not on elliptic curve';
const { x, y } = this;
if (!isValidFieldElement(x) || !isValidFieldElement(y)) throw new Error(msg);
const left = mod(y * y);
const right = weistrass(x);
if (mod(left - right) !== _0n) throw new Error(msg);
}
equals(other: Point): boolean {
return this.x === other.x && this.y === other.y;
}
// Returns the same point with inverted `y`
negate() {
return new Point(this.x, mod(-this.y));
}
// Adds point to itself
double() {
return JacobianPoint.fromAffine(this).double().toAffine();
}
// Adds point to other point
add(other: Point) {
return JacobianPoint.fromAffine(this).add(JacobianPoint.fromAffine(other)).toAffine();
}
// Subtracts other point from the point
subtract(other: Point) {
return this.add(other.negate());
}
multiply(scalar: number | bigint) {
return JacobianPoint.fromAffine(this).multiply(scalar, this).toAffine();
}
/**
* Efficiently calculate aP + bQ.
* Unsafe, can expose private key, if used incorrectly.
* TODO: Utilize Shamir's trick
* @returns non-zero affine point
*/
multiplyAndAddUnsafe(Q: Point, a: bigint, b: bigint): Point | undefined {
const P = JacobianPoint.fromAffine(this);
const aP = a === _0n || a === _1n || this !== Point.BASE ? P.multiplyUnsafe(a) : P.multiply(a);
const bQ = JacobianPoint.fromAffine(Q).multiplyUnsafe(b);
const sum = aP.add(bQ);
return sum.equals(JacobianPoint.ZERO) ? undefined : sum.toAffine();
}
}
function sliceDER(s: string): string {
// Proof: any([(i>=0x80) == (int(hex(i).replace('0x', '').zfill(2)[0], 16)>=8) for i in range(0, 256)])
// Padding done by numberToHex
return Number.parseInt(s[0], 16) >= 8 ? '00' + s : s;
}
function parseDERInt(data: Uint8Array) {
if (data.length < 2 || data[0] !== 0x02) {
throw new Error(`Invalid signature integer tag: ${bytesToHex(data)}`);
}
const len = data[1];
const res = data.subarray(2, len + 2);
if (!len || res.length !== len) {
throw new Error(`Invalid signature integer: wrong length`);
}
// Strange condition, its not about length, but about first bytes of number.
if (res[0] === 0x00 && res[1] <= 0x7f) {
throw new Error('Invalid signature integer: trailing length');
}
return { data: bytesToNumber(res), left: data.subarray(len + 2) };
}
function parseDERSignature(data: Uint8Array) {
if (data.length < 2 || data[0] != 0x30) {
throw new Error(`Invalid signature tag: ${bytesToHex(data)}`);
}
if (data[1] !== data.length - 2) {
throw new Error('Invalid signature: incorrect length');
}
const { data: r, left: sBytes } = parseDERInt(data.subarray(2));
const { data: s, left: rBytesLeft } = parseDERInt(sBytes);
if (rBytesLeft.length) {
throw new Error(`Invalid signature: left bytes after parsing: ${bytesToHex(rBytesLeft)}`);
}
return { r, s };
}
// Represents ECDSA signature with its (r, s) properties
export class Signature {
constructor(readonly r: bigint, readonly s: bigint) {
this.assertValidity();
}
// pair (32 bytes of r, 32 bytes of s)
static fromCompact(hex: Hex) {
const arr = isUint8a(hex);
const name = 'Signature.fromCompact';
if (typeof hex !== 'string' && !arr)
throw new TypeError(`${name}: Expected string or Uint8Array`);
const str = arr ? bytesToHex(hex) : hex;
if (str.length !== 128) throw new Error(`${name}: Expected 64-byte hex`);
return new Signature(hexToNumber(str.slice(0, 64)), hexToNumber(str.slice(64, 128)));
}
// DER encoded ECDSA signature
// https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
static fromDER(hex: Hex) {
const arr = isUint8a(hex);
if (typeof hex !== 'string' && !arr)
throw new TypeError(`Signature.fromDER: Expected string or Uint8Array`);
const { r, s } = parseDERSignature(arr ? hex : hexToBytes(hex));
return new Signature(r, s);
}
// Don't use this method
static fromHex(hex: Hex) {
return this.fromDER(hex);
}
assertValidity(): void {
const { r, s } = this;
if (!isWithinCurveOrder(r)) throw new Error('Invalid Signature: r must be 0 < r < n');
if (!isWithinCurveOrder(s)) throw new Error('Invalid Signature: s must be 0 < s < n');
}
// Always false for canonical signatures.
// We don't provide `hasHighR` for now even though some folks use it
// https://github.com/bitcoin/bitcoin/pull/13666
hasHighS(): boolean {
const HALF = CURVE.n >> _1n;
return this.s > HALF;
}
normalizeS(): Signature {
return this.hasHighS() ? new Signature(this.r, CURVE.n - this.s) : this;
}
// DER-encoded
toDERRawBytes(isCompressed = false) {
return hexToBytes(this.toDERHex(isCompressed));
}
toDERHex(isCompressed = false) {
const sHex = sliceDER(numberToHexUnpadded(this.s));
if (isCompressed) return sHex;
const rHex = sliceDER(numberToHexUnpadded(this.r));
const rLen = numberToHexUnpadded(rHex.length / 2);
const sLen = numberToHexUnpadded(sHex.length / 2);
const length = numberToHexUnpadded(rHex.length / 2 + sHex.length / 2 + 4);
return `30${length}02${rLen}${rHex}02${sLen}${sHex}`;
}
// Don't use these methods. Use toDER* or toCompact* for explicitness.
toRawBytes() {
return this.toDERRawBytes();
}
toHex() {
return this.toDERHex();
}
// 32 bytes of r, then 32 bytes of s
toCompactRawBytes() {
return hexToBytes(this.toCompactHex());
}
toCompactHex() {
return numTo32bStr(this.r) + numTo32bStr(this.s);
}
}
// Concatenates several Uint8Arrays into one.
// TODO: check if we're copying data instead of moving it and if that's ok
function concatBytes(...arrays: Uint8Array[]): Uint8Array {
if (!arrays.every(isUint8a)) throw new Error('Uint8Array list expected');
if (arrays.length === 1) return arrays[0];
const length = arrays.reduce((a, arr) => a + arr.length, 0);
const result = new Uint8Array(length);
for (let i = 0, pad = 0; i < arrays.length; i++) {
const arr = arrays[i];
result.set(arr, pad);
pad += arr.length;
}
return result;
}
// Convert between types
// ---------------------
// We can't do `instanceof Uint8Array` because it's unreliable between Web Workers etc
function isUint8a(bytes: Uint8Array | unknown): bytes is Uint8Array {
return bytes instanceof Uint8Array;
}
const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
function bytesToHex(uint8a: Uint8Array): string {
if (!(uint8a instanceof Uint8Array)) throw new Error('Expected Uint8Array');
// pre-caching improves the speed 6x
let hex = '';
for (let i = 0; i < uint8a.length; i++) {
hex += hexes[uint8a[i]];
}
return hex;
}
function numTo32bStr(num: number | bigint): string {
if (num > POW_2_256) throw new Error('Expected number < 2^256');
return num.toString(16).padStart(64, '0');
}
function numTo32b(num: bigint): Uint8Array {
return hexToBytes(numTo32bStr(num));
}
function numberToHexUnpadded(num: number | bigint): string {
const hex = num.toString(16);
return hex.length & 1 ? `0${hex}` : hex;
}
function hexToNumber(hex: string): bigint {
if (typeof hex !== 'string') {
throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
}
// Big Endian
return BigInt(`0x${hex}`);
}
// Caching slows it down 2-3x
function hexToBytes(hex: string): Uint8Array {
if (typeof hex !== 'string') {
throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
}
if (hex.length % 2) throw new Error('hexToBytes: received invalid unpadded hex' + hex.length);
const array = new Uint8Array(hex.length / 2);
for (let i = 0; i < array.length; i++) {
const j = i * 2;
const hexByte = hex.slice(j, j + 2);
const byte = Number.parseInt(hexByte, 16);
if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
array[i] = byte;
}
return array;
}
// Big Endian
function bytesToNumber(bytes: Uint8Array): bigint {
return hexToNumber(bytesToHex(bytes));
}
function ensureBytes(hex: Hex): Uint8Array {
// Uint8Array.from() instead of hash.slice() because node.js Buffer
// is instance of Uint8Array, and its slice() creates **mutable** copy
return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
}
function normalizeScalar(num: number | bigint): bigint {
if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0) return BigInt(num);
if (typeof num === 'bigint' && isWithinCurveOrder(num)) return num;
throw new TypeError('Expected valid private scalar: 0 < scalar < curve.n');
}
// -------------------------
// Calculates a modulo b
function mod(a: bigint, b: bigint = CURVE.P): bigint {
const result = a % b;
return result >= _0n ? result : b + result;
}
// Does x ^ (2 ^ power). E.g. 30 ^ (2 ^ 4)
function pow2(x: bigint, power: bigint): bigint {
const { P } = CURVE;
let res = x;
while (power-- > _0n) {
res *= res;
res %= P;
}
return res;
}
// Used to calculate y - the square root of y².
// Exponentiates it to very big number (P+1)/4.
// We are unwrapping the loop because it's 2x faster.
// (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
// We are multiplying it bit-by-bit
function sqrtMod(x: bigint): bigint {
const { P } = CURVE;
const _6n = BigInt(6);
const _11n = BigInt(11);
const _22n = BigInt(22);
const _23n = BigInt(23);
const _44n = BigInt(44);
const _88n = BigInt(88);
const b2 = (x * x * x) % P; // x^3, 11
const b3 = (b2 * b2 * x) % P; // x^7
const b6 = (pow2(b3, _3n) * b3) % P;
const b9 = (pow2(b6, _3n) * b3) % P;
const b11 = (pow2(b9, _2n) * b2) % P;
const b22 = (pow2(b11, _11n) * b11) % P;
const b44 = (pow2(b22, _22n) * b22) % P;
const b88 = (pow2(b44, _44n) * b44) % P;
const b176 = (pow2(b88, _88n) * b88) % P;
const b220 = (pow2(b176, _44n) * b44) % P;
const b223 = (pow2(b220, _3n) * b3) % P;
const t1 = (pow2(b223, _23n) * b22) % P;
const t2 = (pow2(t1, _6n) * b2) % P;
return pow2(t2, _2n);
}
// Inverses number over modulo
function invert(number: bigint, modulo: bigint = CURVE.P): bigint {
if (number === _0n || modulo <= _0n) {
throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
}
// Eucledian GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
let a = mod(number, modulo);
let b = modulo;
// prettier-ignore
let x = _0n, y = _1n, u = _1n, v = _0n;
while (a !== _0n) {
const q = b / a;
const r = b % a;
const m = x - u * q;
const n = y - v * q;
// prettier-ignore
b = a, a = r, x = u, y = v, u = m, v = n;
}
const gcd = b;
if (gcd !== _1n) throw new Error('invert: does not exist');
return mod(x, modulo);
}
/**
* Takes a list of numbers, efficiently inverts all of them.
* @param nums list of bigints
* @param p modulo
* @returns list of inverted bigints
* @example
* invertBatch([1n, 2n, 4n], 21n);
* // => [1n, 11n, 16n]
*/
function invertBatch(nums: bigint[], p: bigint = CURVE.P): bigint[] {
const scratch = new Array(nums.length);
// Walk from first to last, multiply them by each other MOD p
const lastMultiplied = nums.reduce((acc, num, i) => {
if (num === _0n) return acc;
scratch[i] = acc;
return mod(acc * num, p);
}, _1n);
// Invert last element
const inverted = invert(lastMultiplied, p);
// Walk from last to first, multiply them by inverted each other MOD p
nums.reduceRight((acc, num, i) => {
if (num === _0n) return acc;
scratch[i] = mod(acc * scratch[i], p);
return mod(acc * num, p);
}, inverted);
return scratch;
}
const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
const POW_2_128 = BigInt('340282366920938463463374607431768211456');
// Split 256-bit K into 2 128-bit (k1, k2) for which k1 + k2 * lambda = K.
// Used for endomorphism https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
function splitScalarEndo(k: bigint) {
const { n } = CURVE;
const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
const b2 = a1;
const c1 = divNearest(b2 * k, n);
const c2 = divNearest(-b1 * k, n);
let k1 = mod(k - c1 * a1 - c2 * a2, n);
let k2 = mod(-c1 * b1 - c2 * b2, n);
const k1neg = k1 > POW_2_128;
const k2neg = k2 > POW_2_128;
if (k1neg) k1 = n - k1;
if (k2neg) k2 = n - k2;
if (k1 > POW_2_128 || k2 > POW_2_128) {
throw new Error('splitScalarEndo: Endomorphism failed, k=' + k);
}
return { k1neg, k1, k2neg, k2 };
}
// Ensures ECDSA message hashes are 32 bytes and < curve order
function truncateHash(hash: Uint8Array): bigint {
const { n } = CURVE;
const byteLength = hash.length;
const delta = byteLength * 8 - 256; // size of curve.n
let h = bytesToNumber(hash);
if (delta > 0) h = h >> BigInt(delta);
if (h >= n) h -= n;
return h;
}
// RFC6979 related code
type RecoveredSig = { sig: Signature; recovery: number };
type U8A = Uint8Array;
// Minimal HMAC-DRBG (NIST 800-90) for signatures
// Used only for RFC6979, does not fully implement DRBG spec.
class HmacDrbg {
k: Uint8Array;
v: Uint8Array;
counter: number;
constructor() {
// Step B, Step C
this.v = new Uint8Array(32).fill(1);
this.k = new Uint8Array(32).fill(0);
this.counter = 0;
}
private hmac(...values: Uint8Array[]) {
return utils.hmacSha256(this.k, ...values);
}
private hmacSync(...values: Uint8Array[]) {
if (typeof utils.hmacSha256Sync !== 'function')
throw new Error('utils.hmacSha256Sync is undefined, you need to set it');
const res = utils.hmacSha256Sync!(this.k, ...values);
if (res instanceof Promise)
throw new Error('To use sync sign(), ensure utils.hmacSha256 is sync');
return res;
}
incr() {
if (this.counter >= 1000) {
throw new Error('Tried 1,000 k values for sign(), all were invalid');
}
this.counter += 1;
}
// We concatenate extraData into seed
async reseed(seed = new Uint8Array()) {
this.k = await this.hmac(this.v, Uint8Array.from([0x00]), seed);
this.v = await this.hmac(this.v);
if (seed.length === 0) return;
this.k = await this.hmac(this.v, Uint8Array.from([0x01]), seed);
this.v = await this.hmac(this.v);
}
reseedSync(seed = new Uint8Array()) {
this.k = this.hmacSync(this.v, Uint8Array.from([0x00]), seed);
this.v = this.hmacSync(this.v);
if (seed.length === 0) return;
this.k = this.hmacSync(this.v, Uint8Array.from([0x01]), seed);
this.v = this.hmacSync(this.v);
}
async generate(): Promise<Uint8Array> {
this.incr();
this.v = await this.hmac(this.v);
return this.v;
}
generateSync(): Uint8Array {
this.incr();
this.v = this.hmacSync(this.v);
return this.v;
}
// There is no need in clean() method
// It's useless, there are no guarantees with JS GC
// whether bigints are removed even if you clean Uint8Arrays.
}
function isWithinCurveOrder(num: bigint): boolean {
return _0n < num && num < CURVE.n;
}
function isValidFieldElement(num: bigint): boolean {
return _0n < num && num < CURVE.P;
}
/**
* Converts signature params into point & r/s, checks them for validity.
* k must be in range [1, n-1]
* @param k signature's k param: deterministic in our case, random in non-rfc6979 sigs
* @param m message that would be signed
* @param d private key
* @returns Signature with its point on curve Q OR undefined if params were invalid
*/
function kmdToSig(kBytes: Uint8Array, m: bigint, d: bigint): RecoveredSig | undefined {
const k = bytesToNumber(kBytes);
if (!isWithinCurveOrder(k)) return;
// Important: all mod() calls in the function must be done over `n`
const { n } = CURVE;
const q = Point.BASE.multiply(k);
// r = x mod n
const r = mod(q.x, n);
if (r === _0n) return;
// s = (1/k * (m + dr) mod n
const s = mod(invert(k, n) * mod(m + d * r, n), n);
if (s === _0n) return;
const sig = new Signature(r, s);
const recovery = (q.x === sig.r ? 0 : 2) | Number(q.y & _1n);
return { sig, recovery };
}
function normalizePrivateKey(key: PrivKey): bigint {
let num: bigint;
if (typeof key === 'bigint') {
num = key;
} else if (typeof key === 'number' && Number.isSafeInteger(key) && key > 0) {
num = BigInt(key);
} else if (typeof key === 'string') {
if (key.length !== 64) throw new Error('Expected 32 bytes of private key');
num = hexToNumber(key);
} else if (isUint8a(key)) {