import { deepStrictEqual, strictEqual, throws } from 'assert'; import { readFileSync } from 'fs'; import { bytesToHex, concatBytes, hexToBytes, utf8ToBytes, randomBytes } from '@noble/hashes/utils'; import * as fc from 'fast-check'; import { describe, should } from 'micro-should'; import { ed25519 as ed, ED25519_TORSION_SUBGROUP, numberToBytesLE } from './ed25519.helpers.js'; // Old vectors allow to test sign() because they include private key import { default as ed25519vectors_OLD } from './ed25519/ed25519_test_OLD.json' assert { type: 'json' }; import { default as ed25519vectors } from './wycheproof/ed25519_test.json' assert { type: 'json' }; import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' }; import { default as edgeCases } from './ed25519/edge-cases.json' assert { type: 'json' }; // Any changes to the file will need to be aware of the fact // the file is shared between noble-curves and noble-ed25519. describe('ed25519', () => { const hex = bytesToHex; const Point = ed.ExtendedPoint; function to32Bytes(numOrStr) { let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16); return hexToBytes(hex.padStart(64, '0')); } ed.utils.precompute(8); should('not accept >32byte private keys', () => { const invalidPriv = 100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n; throws(() => ed.getPublicKey(invalidPriv)); }); should('verify recent signature', () => { fc.assert( fc.property( fc.hexaString({ minLength: 2, maxLength: 32 }), fc.bigInt(2n, ed.CURVE.n), (message, privateKey) => { const publicKey = ed.getPublicKey(to32Bytes(privateKey)); const signature = ed.sign(to32Bytes(message), to32Bytes(privateKey)); deepStrictEqual(publicKey.length, 32); deepStrictEqual(signature.length, 64); deepStrictEqual(ed.verify(signature, to32Bytes(message), publicKey), true); } ), { numRuns: 5 } ); }); should('not verify signature with wrong message', () => { fc.assert( fc.property( fc.array(fc.integer({ min: 0x00, max: 0xff })), fc.array(fc.integer({ min: 0x00, max: 0xff })), fc.bigInt(1n, ed.CURVE.n), (bytes, wrongBytes, privateKey) => { const privKey = to32Bytes(privateKey); const message = new Uint8Array(bytes); const wrongMessage = new Uint8Array(wrongBytes); const publicKey = ed.getPublicKey(privKey); const signature = ed.sign(message, privKey); deepStrictEqual( ed.verify(signature, wrongMessage, publicKey), bytes.toString() === wrongBytes.toString() ); } ), { numRuns: 5 } ); }); const privKey = to32Bytes('a665a45920422f9d417e4867ef'); const wrongPriv = to32Bytes('a675a45920422f9d417e4867ef'); const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a'); const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c'); describe('basic methods', () => { should('sign and verify', () => { const publicKey = ed.getPublicKey(privKey); const signature = ed.sign(msg, privKey); deepStrictEqual(ed.verify(signature, msg, publicKey), true); }); }); describe('sync methods', () => { should('sign and verify', () => { const publicKey = ed.getPublicKey(privKey); const signature = ed.sign(msg, privKey); deepStrictEqual(ed.verify(signature, msg, publicKey), true); }); should('not verify signature with wrong public key', () => { const publicKey = ed.getPublicKey(wrongPriv); const signature = ed.sign(msg, privKey); deepStrictEqual(ed.verify(signature, msg, publicKey), false); }); should('not verify signature with wrong hash', () => { const publicKey = ed.getPublicKey(privKey); const signature = ed.sign(msg, privKey); deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false); }); }); describe('BASE_POINT.multiply()', () => { // https://xmr.llcoins.net/addresstests.html should('create right publicKey without SHA-512 hashing TEST 1', () => { const publicKey = Point.BASE.multiply(0x90af56259a4b6bfbc4337980d5d75fbe3c074630368ff3804d33028e5dbfa77n); deepStrictEqual( publicKey.toHex(), '0f3b913371411b27e646b537e888f685bf929ea7aab93c950ed84433f064480d' ); }); should('create right publicKey without SHA-512 hashing TEST 2', () => { const publicKey = Point.BASE.multiply(0x364e8711a60780382a5d57b061c126f039940f28a9e91fe039d4d3094d8b88n); deepStrictEqual( publicKey.toHex(), 'ad545340b58610f0cd62f17d55af1ab11ecde9c084d5476865ddb4dbda015349' ); }); should('create right publicKey without SHA-512 hashing TEST 3', () => { const publicKey = Point.BASE.multiply(0xb9bf90ff3abec042752cac3a07a62f0c16cfb9d32a3fc2305d676ec2d86e941n); deepStrictEqual( publicKey.toHex(), 'e097c4415fe85724d522b2e449e8fd78dd40d20097bdc9ae36fe8ec6fe12cb8c' ); }); should('create right publicKey without SHA-512 hashing TEST 4', () => { const publicKey = Point.BASE.multiply(0x69d896f02d79524c9878e080308180e2859d07f9f54454e0800e8db0847a46en); deepStrictEqual( publicKey.toHex(), 'f12cb7c43b59971395926f278ce7c2eaded9444fbce62ca717564cb508a0db1d' ); }); should('throw Point#multiply on TEST 5', () => { for (const num of [0n, 0, -1n, -1, 1.1]) { throws(() => Point.BASE.multiply(num)); } }); }); // https://ed25519.cr.yp.to/python/sign.py // https://ed25519.cr.yp.to/python/sign.input const data = readFileSync('./test/ed25519/vectors.txt', 'utf-8'); const vectors = data .trim() .split('\n') .map((line) => line.split(':')); should('ed25519 official vectors/should match 1024 official vectors', () => { for (let i = 0; i < vectors.length; i++) { const vector = vectors[i]; // Extract. const priv = vector[0].slice(0, 64); const expectedPub = vector[1]; const msg = vector[2]; const expectedSignature = vector[3].slice(0, 128); // Calculate const pub = ed.getPublicKey(to32Bytes(priv)); deepStrictEqual(hex(pub), expectedPub); deepStrictEqual(pub, Point.fromHex(pub).toRawBytes()); const signature = hex(ed.sign(msg, priv)); // console.log('vector', i); // expect(pub).toBe(expectedPub); deepStrictEqual(signature, expectedSignature); } }); // https://tools.ietf.org/html/rfc8032#section-7 should('rfc8032 vectors/should create right signature for 0x9d and empty string', () => { const privateKey = '9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60'; const publicKey = ed.getPublicKey(privateKey); const message = ''; const signature = ed.sign(message, privateKey); deepStrictEqual( hex(publicKey), 'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a' ); deepStrictEqual( hex(signature), 'e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b' ); }); should('rfc8032 vectors/should create right signature for 0x4c and 72', () => { const privateKey = '4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb'; const publicKey = ed.getPublicKey(privateKey); const message = '72'; const signature = ed.sign(message, privateKey); deepStrictEqual( hex(publicKey), '3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c' ); deepStrictEqual( hex(signature), '92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00' ); }); should('rfc8032 vectors/should create right signature for 0x00 and 5a', () => { const privateKey = '002fdd1f7641793ab064bb7aa848f762e7ec6e332ffc26eeacda141ae33b1783'; const publicKey = ed.getPublicKey(privateKey); const message = '5ac1dfc324f43e6cb79a87ab0470fa857b51fb944982e19074ca44b1e40082c1d07b92efa7ea55ad42b7c027e0b9e33756d95a2c1796a7c2066811dc41858377d4b835c1688d638884cd2ad8970b74c1a54aadd27064163928a77988b24403aa85af82ceab6b728e554761af7175aeb99215b7421e4474c04d213e01ff03e3529b11077cdf28964b8c49c5649e3a46fa0a09dcd59dcad58b9b922a83210acd5e65065531400234f5e40cddcf9804968e3e9ac6f5c44af65001e158067fc3a660502d13fa8874fa93332138d9606bc41b4cee7edc39d753dae12a873941bb357f7e92a4498847d6605456cb8c0b425a47d7d3ca37e54e903a41e6450a35ebe5237c6f0c1bbbc1fd71fb7cd893d189850295c199b7d88af26bc8548975fda1099ffefee42a52f3428ddff35e0173d3339562507ac5d2c45bbd2c19cfe89b'; const signature = ed.sign(message, privateKey); deepStrictEqual( hex(publicKey), '77d1d8ebacd13f4e2f8a40e28c4a63bc9ce3bfb69716334bcb28a33eb134086c' ); deepStrictEqual( hex(signature), '0df3aa0d0999ad3dc580378f52d152700d5b3b057f56a66f92112e441e1cb9123c66f18712c87efe22d2573777296241216904d7cdd7d5ea433928bd2872fa0c' ); }); should('rfc8032 vectors/should create right signature for 0xf5 and long msg', () => { const privateKey = 'f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5'; const publicKey = ed.getPublicKey(privateKey); const message = '08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0'; const signature = ed.sign(message, privateKey); deepStrictEqual( hex(publicKey), '278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e' ); deepStrictEqual( hex(signature), '0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03' ); }); // const PRIVATE_KEY = 0xa665a45920422f9d417e4867efn; // const MESSAGE = ripemd160(new Uint8Array([97, 98, 99, 100, 101, 102, 103])); // prettier-ignore // const MESSAGE = new Uint8Array([ // 135, 79, 153, 96, 197, 210, 183, 169, 181, 250, 211, 131, 225, 186, 68, 113, 158, 187, 116, 58, // ]); // const WRONG_MESSAGE = ripemd160(new Uint8Array([98, 99, 100, 101, 102, 103])); // prettier-ignore // const WRONG_MESSAGE = new Uint8Array([ // 88, 157, 140, 127, 29, 160, 162, 75, 192, 123, 115, 129, 173, 72, 177, 207, 194, 17, 175, 28, // ]); // // it("should verify just signed message", async () => { // // await fc.assert(fc.asyncProperty( // // fc.hexa(), // // fc.bigInt(2n, ristretto25519.PRIME_ORDER), // // async (message, privateKey) => { // // const publicKey = await ristretto25519.getPublicKey(privateKey); // // const signature = await ristretto25519.sign(message, privateKey); // // expect(publicKey.length).toBe(32); // // expect(signature.length).toBe(64); // // expect(await ristretto25519.verify(signature, message, publicKey)).toBe(true); // // }), // // { numRuns: 1 } // // ); // // }); // // it("should not verify sign with wrong message", async () => { // // await fc.assert(fc.asyncProperty( // // fc.array(fc.integer(0x00, 0xff)), // // fc.array(fc.integer(0x00, 0xff)), // // fc.bigInt(2n, ristretto25519.PRIME_ORDER), // // async (bytes, wrongBytes, privateKey) => { // // const message = new Uint8Array(bytes); // // const wrongMessage = new Uint8Array(wrongBytes); // // const publicKey = await ristretto25519.getPublicKey(privateKey); // // const signature = await ristretto25519.sign(message, privateKey); // // expect(await ristretto25519.verify(signature, wrongMessage, publicKey)).toBe( // // bytes.toString() === wrongBytes.toString() // // ); // // }), // // { numRuns: 1 } // // ); // // }); // // it("should sign and verify", async () => { // // const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY); // // const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY); // // expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(true); // // }); // // it("should not verify signature with wrong public key", async () => { // // const publicKey = await ristretto25519.getPublicKey(12); // // const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY); // // expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(false); // // }); // // it("should not verify signature with wrong hash", async () => { // // const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY); // // const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY); // // expect(await ristretto25519.verify(signature, WRONG_MESSAGE, publicKey)).toBe(false); // // }); should('input immutability: sign/verify are immutable', () => { const privateKey = ed.utils.randomPrivateKey(); const publicKey = ed.getPublicKey(privateKey); for (let i = 0; i < 100; i++) { let payload = randomBytes(100); let signature = ed.sign(payload, privateKey); if (!ed.verify(signature, payload, publicKey)) { throw new Error('Signature verification failed'); } const signatureCopy = Buffer.alloc(signature.byteLength); signatureCopy.set(signature, 0); // <-- breaks payload = payload.slice(); signature = signature.slice(); if (!ed.verify(signatureCopy, payload, publicKey)) throw new Error('Copied signature verification failed'); } }); // https://zips.z.cash/zip-0215 // Vectors from https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7 describe('ZIP215', () => { should('pass all compliance tests', () => { const str = utf8ToBytes('Zcash'); for (let v of zip215) { let noble = false; try { noble = ed.verify(v.sig_bytes, str, v.vk_bytes); } catch (e) { noble = false; } deepStrictEqual(noble, v.valid_zip215, JSON.stringify(v)); } }); should('disallow sig.s >= CURVE.n', () => { // sig.R = BASE, sig.s = N+1 const sig = '5866666666666666666666666666666666666666666666666666666666666666eed3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010'; deepStrictEqual(ed.verify(sig, 'deadbeef', Point.BASE), false); }); }); // should('X25519/getSharedSecret() should be commutative', () => { // for (let i = 0; i < 512; i++) { // const asec = ed.utils.randomPrivateKey(); // const apub = ed.getPublicKey(asec); // const bsec = ed.utils.randomPrivateKey(); // const bpub = ed.getPublicKey(bsec); // try { // deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub)); // } catch (error) { // console.error('not commutative', { asec, apub, bsec, bpub }); // throw error; // } // } // }); // should('X25519: should convert base point to montgomery using fromPoint', () => { // deepStrictEqual( // hex(ed.montgomeryCurve.UfromPoint(Point.BASE)), // ed.montgomeryCurve.BASE_POINT_U // ); // }); should(`wycheproof/ED25519 (OLD)`, () => { for (let g = 0; g < ed25519vectors_OLD.testGroups.length; g++) { const group = ed25519vectors_OLD.testGroups[g]; const key = group.key; deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk, `(${g}, public)`); for (let i = 0; i < group.tests.length; i++) { const v = group.tests[i]; const comment = `(${g}/${i}, ${v.result}): ${v.comment}`; if (v.result === 'valid' || v.result === 'acceptable') { deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, comment); deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, comment); } else if (v.result === 'invalid') { let failed = false; try { failed = !ed.verify(v.sig, v.msg, key.pk); } catch (error) { failed = true; } deepStrictEqual(failed, true, comment); } else throw new Error('unknown test result'); } } }); should(`wycheproof/ED25519`, () => { for (let g = 0; g < ed25519vectors.testGroups.length; g++) { const group = ed25519vectors.testGroups[g]; const key = group.publicKey; for (let i = 0; i < group.tests.length; i++) { const v = group.tests[i]; const comment = `(${g}/${i}, ${v.result}): ${v.comment}`; if (v.result === 'valid' || v.result === 'acceptable') { deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, comment); } else if (v.result === 'invalid') { let failed = false; try { failed = !ed.verify(v.sig, v.msg, key.pk); } catch (error) { failed = true; } deepStrictEqual(failed, true, comment); } else throw new Error('unknown test result'); } } }); should('not mutate inputs', () => { const message = new Uint8Array([12, 12, 12]); const signature = ed.sign(message, to32Bytes(1n)); const publicKey = ed.getPublicKey(to32Bytes(1n)); // <- was 1n deepStrictEqual(ed.verify(signature, message, publicKey), true); }); should('isTorsionFree()', () => { const orig = ed.utils.getExtendedPublicKey(ed.utils.randomPrivateKey()).point; for (const hex of ED25519_TORSION_SUBGROUP.slice(1)) { const dirty = orig.add(Point.fromHex(hex)); const cleared = dirty.clearCofactor(); strictEqual(orig.isTorsionFree(), true, `orig must be torsionFree: ${hex}`); strictEqual(dirty.isTorsionFree(), false, `dirty must not be torsionFree: ${hex}`); strictEqual(cleared.isTorsionFree(), true, `cleared must be torsionFree: ${hex}`); } }); should('not verify when x=0 and x_0 = 1 (RFC8032)', () => { const list = [edgeCases[8], edgeCases[10], edgeCases[11]]; for (let v of list) { const result = ed.verify(v.signature, v.message, v.pub_key, { zip215: true }); strictEqual(result, true, `zip215: true must validate: ${v.signature}`); } for (let v of list) { const result = ed.verify(v.signature, v.message, v.pub_key, { zip215: false }); strictEqual(result, false, `zip215: false must not validate: ${v.signature}`); } }); should('not verify when sig.s >= CURVE.n', () => { const privateKey = ed.utils.randomPrivateKey(); const message = Uint8Array.from([0xab, 0xbc, 0xcd, 0xde]); const publicKey = ed.getPublicKey(privateKey); const signature = ed.sign(message, privateKey); const R = signature.slice(0, 32); let s = signature.slice(32, 64); s = bytesToHex(s.slice().reverse()); s = BigInt('0x' + s); s = s + ed.CURVE.n; s = numberToBytesLE(s, 32); const sig_invalid = concatBytes(R, s); deepStrictEqual(ed.verify(sig_invalid, message, publicKey), false); }); should('not accept point without z, t', () => { const t = 81718630521762619991978402609047527194981150691135404693881672112315521837062n; const point = Point.fromAffine({ x: t, y: t }); throws(() => point.assertValidity()); // Otherwise (without assertValidity): // const point2 = point.double(); // point2.toAffine(); // crash! }); }); // ESM is broken. import url from 'url'; if (import.meta.url === url.pathToFileURL(process.argv[1]).href) { should.run(); }