forked from tornado-packages/noble-curves
README: improve docs for ecdh
This commit is contained in:
parent
e8b9509c16
commit
9b7889e16f
32
README.md
32
README.md
@ -62,8 +62,9 @@ const pub2 = secp256k1.getPublicKey(privHex);
|
|||||||
|
|
||||||
- [Usage](#usage)
|
- [Usage](#usage)
|
||||||
- [Everything](#everything)
|
- [Everything](#everything)
|
||||||
- [ECDSA public key recovery & ECDH](#ecdsa-public-key-recovery--ecdh)
|
- [ECDH (Elliptic Curve Diffie-Hellman)](#ecdh-elliptic-curve-diffie-hellman)
|
||||||
- [Schnorr signatures over secp256k1 BIP340](#schnorr-signatures-over-secp256k1-bip340)
|
- [ECDSA public key recovery & extra entropy](#ecdsa-public-key-recovery--extra-entropy)
|
||||||
|
- [Schnorr signatures over secp256k1, BIP340](#schnorr-signatures-over-secp256k1-bip340)
|
||||||
- [ed25519, X25519, ristretto255](#ed25519-x25519-ristretto255)
|
- [ed25519, X25519, ristretto255](#ed25519-x25519-ristretto255)
|
||||||
- [ed448, X448, decaf448](#ed448-x448-decaf448)
|
- [ed448, X448, decaf448](#ed448-x448-decaf448)
|
||||||
- [bls12-381](#bls12-381)
|
- [bls12-381](#bls12-381)
|
||||||
@ -103,14 +104,22 @@ import { jubjub } from '@noble/curves/jubjub';
|
|||||||
import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
|
import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
|
||||||
```
|
```
|
||||||
|
|
||||||
#### ECDSA public key recovery & ECDH
|
#### ECDH (Elliptic Curve Diffie-Hellman)
|
||||||
|
|
||||||
```ts
|
```ts
|
||||||
|
// 1. The output includes parity byte. Strip it using shared.slice(1)
|
||||||
|
// 2. The output is not hashed. More secure way is sha256(shared) or hkdf(shared)
|
||||||
|
const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
|
||||||
|
const shared = secp256k1.getSharedSecret(priv, someonesPub);
|
||||||
|
```
|
||||||
|
|
||||||
|
#### ECDSA public key recovery & extra entropy
|
||||||
|
|
||||||
|
```ts
|
||||||
|
sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
|
||||||
|
|
||||||
// extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html
|
// extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html
|
||||||
const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
|
const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
|
||||||
sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
|
|
||||||
const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
|
|
||||||
const shared = secp256k1.getSharedSecret(priv, someonesPub); // ECDH
|
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Schnorr signatures over secp256k1 (BIP340)
|
#### Schnorr signatures over secp256k1 (BIP340)
|
||||||
@ -547,6 +556,8 @@ use aggregated, batch-verifiable
|
|||||||
[threshold signatures](https://medium.com/snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716),
|
[threshold signatures](https://medium.com/snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716),
|
||||||
using Boneh-Lynn-Shacham signature scheme.
|
using Boneh-Lynn-Shacham signature scheme.
|
||||||
|
|
||||||
|
The module doesn't expose `CURVE` property: use `G1.CURVE`, `G2.CURVE` instead.
|
||||||
|
|
||||||
Main methods and properties are:
|
Main methods and properties are:
|
||||||
|
|
||||||
- `getPublicKey(privateKey)`
|
- `getPublicKey(privateKey)`
|
||||||
@ -782,16 +793,13 @@ Unlike `mod.invert`, `mod.invertBatch` won't throw on `0`: make sure to throw an
|
|||||||
You can't simply make a 32-byte private key from a 32-byte hash.
|
You can't simply make a 32-byte private key from a 32-byte hash.
|
||||||
Doing so will make the key [biased](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/).
|
Doing so will make the key [biased](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/).
|
||||||
|
|
||||||
It may be tempting to do `sha256(something)` (or pbkdf2 / hmac-sha256),
|
|
||||||
convert the result to bigint, and modulo-reduce the result output by `CURVE.n`,
|
|
||||||
but you need more bytes for proper security.
|
|
||||||
|
|
||||||
To make the bias negligible, we follow [FIPS 186-5 A.2](https://csrc.nist.gov/publications/detail/fips/186/5/final)
|
To make the bias negligible, we follow [FIPS 186-5 A.2](https://csrc.nist.gov/publications/detail/fips/186/5/final)
|
||||||
and [h2c standard](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-hashing-to-a-finite-field).
|
and [h2c standard](https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-16.html#name-hashing-to-a-finite-field).
|
||||||
This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
|
This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
|
||||||
|
|
||||||
Use [abstract/hash-to-curve](#abstracthash-to-curve-hashing-strings-to-curve-points) if you need
|
`hashToPrivateScalar()` that hashes to **private key** was created for this purpose.
|
||||||
to hash to **public key**. `hashToPrivateScalar()` operates instead on **private keys**.
|
Use [abstract/hash-to-curve](#abstracthash-to-curve-hashing-strings-to-curve-points)
|
||||||
|
if you need to hash to **public key**.
|
||||||
|
|
||||||
```ts
|
```ts
|
||||||
import { p256 } from '@noble/curves/p256';
|
import { p256 } from '@noble/curves/p256';
|
||||||
|
Loading…
Reference in New Issue
Block a user