/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
import { createCurve } from './_shortw_utils.js';
import { sha512 } from '@noble/hashes/sha512';
import { bytesToHex, PrivKey } from './abstract/utils.js';
import { Fp as Field } from './abstract/modular.js';
import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
import * as htf from './abstract/hash-to-curve.js';
// NIST secp521r1 aka P521
// Note that it's 521, which differs from 512 of its hash function.
// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
// Raw curve constants first, then the values derived from them.
// P is the prime modulus of the base field: 2n**521n - 1n.
// prettier-ignore
const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
// Coefficient b of the short Weierstrass equation y^2 = x^3 + a*x + b.
// prettier-ignore
const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00');

// Field object built over P; every coordinate computation below goes through it.
const Fp = Field(P);
// Coefficient a = -3, passed through Fp.create so it is stored as a field element.
const CURVE_A = Fp.create(BigInt('-3'));

// Simplified SWU map for this curve, used by the hash-to-curve setup further down.
// Z = -4 is the map's non-square constant for P-521; it must stay in sync with
// A and B, so change none of the three in isolation.
const mapSWU = mapToCurveSimpleSWU(Fp, {
  A: CURVE_A,
  B: CURVE_B,
  Z: Fp.create(BigInt('-4')),
});
// prettier-ignore
export const P521 = createCurve({
  // Weierstrass coefficients and the field they live in.
  a: CURVE_A,
  b: CURVE_B,
  Fp,
  // Order of the group generated by G. The cofactor h below is 1, so this is
  // also the number of points on the curve.
  n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
  // Generator (base point) coordinates.
  Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
  Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
  h: BigInt(1),
  // NOTE(review): with lowS disabled, high-S ECDSA signatures are presumably
  // neither normalized nor rejected (enforced inside createCurve, not shown
  // here). Such signatures are malleable, so callers should not treat raw
  // signature bytes as a unique identifier.
  lowS: false,
  /**
   * Brings a P-521 private key to a fixed-width hex form.
   *
   * A hex-encoded key can arrive as 130, 131 or 132 hex characters
   * (65 or 66 bytes once decoded); the result is always left-padded with
   * '0' to 132 hex characters, i.e. 66 bytes.
   *
   * This only fixes the width. It checks neither that a string key is
   * valid hex nor that the scalar is in range, so range validation must
   * still happen downstream.
   *
   * @param key - private key as bigint, bytes, or hex string
   * @returns the bigint unchanged, or the padded 132-character hex string
   * @throws Error('Invalid key') when the hex form is not 130..132 characters
   */
  normalizePrivateKey(key: PrivKey) {
    // bigint keys carry no width to normalize.
    if (typeof key === 'bigint') return key;
    const hex = key instanceof Uint8Array ? bytesToHex(key) : key;
    if (typeof hex !== 'string' || hex.length < 130 || hex.length > 132) {
      throw new Error('Invalid key');
    }
    // 66 bytes -> 132 hex characters.
    const fullHexLength = 66 * 2;
    return hex.padStart(fullHexLength, '0');
  },
} as const, sha512);
// SECG name for the same curve object.
export const secp521r1 = P521;

// Hash-to-curve setup for P-521 with SHA-512 and the simplified SWU map.
// The option names (DST, p, m, k, expand) follow the hash-to-curve
// specification: p is the field characteristic, m = 1 the extension degree
// (prime field), k = 256 the target security level in bits, and 'xmd' the
// expand_message variant.
//
// NOTE(review): both DST values are the bare suite identifiers. A protocol
// built on top normally needs its own application-specific domain separation
// tag; confirm how the htf helper lets callers override these defaults before
// relying on them for domain separation.
const h2c = htf.hashToCurve(
  secp521r1.Point,
  // m = 1, so each call receives one field element; only the first entry is mapped.
  ([u]: bigint[]) => mapSWU(u),
  {
    DST: 'P521_XMD:SHA-512_SSWU_RO_',
    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
    p: Fp.ORDER,
    m: 1,
    k: 256,
    expand: 'xmd',
    hash: sha512,
  }
);

// hashToCurve uses the "_RO_" tag (random-oracle variant, uniform output).
export const hashToCurve = h2c.hashToCurve;
// encodeToCurve uses the "_NU_" tag (non-uniform variant); its output is not
// uniformly distributed, so it is not a drop-in replacement for hashToCurve
// in protocols that assume a random oracle.
export const encodeToCurve = h2c.encodeToCurve;