Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
noble-curves-extended
This project extends @noble/curves to allow randomBytes to be specified externally
@openpgp/noble-curves
Audited & minimal JS implementation of elliptic curve cryptography
polyfill-crypto-methods
Polyfill for Crypto instance methods of Web Crypto API
shamir-secret-sharing-bn254

Audited & minimal JS implementation of elliptic curve cryptography.
npm install @noble/curves
Typescript
Module System
Min. Node Version
Node Version
NPM Version
99.8
Supply Chain
100
Quality
88
Maintenance
100
Vulnerability
100
License
JavaScript (53.15%)
TypeScript (46.78%)
Go (0.06%)
Total Downloads
199,485,196
Last Day
342,193
Last Week
4,999,114
Last Month
21,849,521
Last Year
152,865,291
MIT License
790 Stars
818 Commits
77 Forks
11 Watchers
9 Branches
19 Contributors
Updated on Jun 30, 2025
Minified
Minified + Gzipped
Latest Version
1.9.2
Package Id
@noble/curves@1.9.2
Unpacked Size
1.81 MB
Size
329.89 kB
File Count
239
NPM Version
10.9.2
Node Version
22.15.0
Published on
Jun 05, 2025
Cumulative downloads
Total Downloads
Last Day
6%
342,193
Compared to previous day
Last Week
-9.6%
4,999,114
Compared to previous week
Last Month
16%
21,849,521
Compared to previous month
Last Year
235.2%
152,865,291
Compared to previous year
1
Audited & minimal JS implementation of elliptic curve cryptography.
Curves have 4KB sister projects secp256k1 & ed25519. They have smaller attack surface, but less features.
Take a glance at GitHub Discussions for questions and support.
noble cryptography — high-security, easily auditable set of contained cryptographic libraries and tools.
npm install @noble/curves
deno add jsr:@noble/curves
deno doc jsr:@noble/curves
# command-line documentation
We support all major platforms and runtimes. For React Native, you may need a polyfill for getRandomValues. A standalone file noble-curves.js is also available.
1// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size 2import { secp256k1, schnorr } from '@noble/curves/secp256k1'; 3import { ed25519, ed25519ph, ed25519ctx, x25519 } from '@noble/curves/ed25519'; 4import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448'; 5import { p256, p384, p521 } from '@noble/curves/nist'; 6import { bls12_381 } from '@noble/curves/bls12-381'; 7import { bn254 } from '@noble/curves/bn254'; 8import { jubjub, babyjubjub } from '@noble/curves/misc'; 9import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
1import { secp256k1 } from '@noble/curves/secp256k1'; 2// import { p256 } from '@noble/curves/nist'; // or p384 / p521 3 4const priv = secp256k1.utils.randomPrivateKey(); 5const pub = secp256k1.getPublicKey(priv); 6const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa 7const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available 8const isValid = secp256k1.verify(sig, msg, pub) === true; 9 10// hex strings are also supported besides Uint8Array-s: 11const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236'; 12const pub2 = secp256k1.getPublicKey(privHex); 13 14// public key recovery 15// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex) 16// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format 17sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).
1const noisySignature = secp256k1.sign(msg, priv, { extraEntropy: true }); 2const ent = new Uint8Array(32).fill(3); // set custom entropy 3const noisySignature2 = secp256k1.sign(msg, priv, { extraEntropy: ent });
Hedged ECDSA is add-on, providing improved protection against fault attacks. It adds noise to signatures. The technique is used by default in BIP340; we also implement them optionally for ECDSA. Check out blog post Deterministic signatures are not your friends and spec draft.
1const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey()); 2const shared = secp256k1.getSharedSecret(priv, someonesPub); 3// NOTE: 4// - `shared` includes parity byte: strip it using shared.slice(1) 5// - `shared` is not hashed: more secure way is sha256(shared) or hkdf(shared)
1import { schnorr } from '@noble/curves/secp256k1'; 2const priv = schnorr.utils.randomPrivateKey(); 3const pub = schnorr.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = schnorr.sign(msg, priv); 6const isValid = schnorr.verify(sig, msg, pub);
1import { ed25519 } from '@noble/curves/ed25519'; 2const priv = ed25519.utils.randomPrivateKey(); 3const pub = ed25519.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = ed25519.sign(msg, priv); 6ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215 7ed25519.verify(sig, msg, pub, { zip215: false }); // SBS / e-voting / RFC8032 / FIPS 186-5 8 9// Variants from RFC8032: with context, prehashed 10import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
Default verify
behavior follows ZIP215 and
can be used in consensus-critical applications.
If you need SBS (Strongly Binding Signatures) and FIPS 186-5 compliance,
use zip215: false
. Check out Edwards Signatures section for more info.
Both options have SUF-CMA (strong unforgeability under chosen message attacks).
1// X25519 aka ECDH on Curve25519 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
2import { x25519 } from '@noble/curves/ed25519';
3const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
4const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
5x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
6x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
7x25519.getPublicKey(x25519.utils.randomPrivateKey());
8
9// ed25519 => x25519 conversion
10import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519';
11edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
12edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
1// ristretto255 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
2import { utf8ToBytes } from '@noble/hashes/utils';
3import { sha512 } from '@noble/hashes/sha512';
4import {
5 hashToCurve,
6 encodeToCurve,
7 RistrettoPoint,
8 hashToRistretto255,
9} from '@noble/curves/ed25519';
10
11const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
12hashToCurve(msg);
13
14const rp = RistrettoPoint.fromHex(
15 '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
16);
17RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();
18RistrettoPoint.ZERO.equals(dp) === false;
19// pre-hashed hash-to-curve
20RistrettoPoint.hashToCurve(sha512(msg));
21// full hash-to-curve including domain separation tag
22hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
1import { ed448 } from '@noble/curves/ed448'; 2const priv = ed448.utils.randomPrivateKey(); 3const pub = ed448.getPublicKey(priv); 4const msg = new TextEncoder().encode('whatsup'); 5const sig = ed448.sign(msg, priv); 6ed448.verify(sig, msg, pub); 7 8// Variants from RFC8032: prehashed 9import { ed448ph } from '@noble/curves/ed448';
1// X448 aka ECDH on Curve448 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
2import { x448 } from '@noble/curves/ed448';
3x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
4x448.getPublicKey(priv) === x448.scalarMultBase(priv);
5
6// ed448 => x448 conversion
7import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
8edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
1// decaf448 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
2import { utf8ToBytes } from '@noble/hashes/utils';
3import { shake256 } from '@noble/hashes/sha3';
4import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
5
6const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
7hashToCurve(msg);
8
9const dp = DecafPoint.fromHex(
10 'c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75'
11);
12DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();
13DecafPoint.ZERO.equals(dp) === false;
14// pre-hashed hash-to-curve
15DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
16// full hash-to-curve including domain separation tag
17hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
1import { bls12_381 } from '@noble/curves/bls12-381'; 2import { hexToBytes, utf8ToBytes } from '@noble/curves/abstract/utils'; 3 4// private keys are 32 bytes 5const privKey = hexToBytes('67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c'); 6// const privKey = bls12_381.utils.randomPrivateKey(); 7 8// Long signatures (G2), short public keys (G1) 9const blsl = bls12_381.longSignatures; 10const publicKey = blsl.getPublicKey(privateKey); 11// Sign msg with custom (Ethereum) DST 12const msg = utf8ToBytes('hello'); 13const DST = 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_'; 14const msgp = blsl.hash(msg, DST); 15const signature = blsl.sign(msgp, privateKey); 16const isValid = blsl.verify(signature, msgp, publicKey); 17console.log({ publicKey, signature, isValid }); 18 19// Short signatures (G1), long public keys (G2) 20const blss = bls12_381.shortSignatures; 21const publicKey2 = blss.getPublicKey(privateKey); 22const msgp2 = blss.hash(utf8ToBytes('hello'), 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_') 23const signature2 = blss.sign(msgp2, privateKey); 24const isValid2 = blss.verify(signature2, msgp2, publicKey); 25console.log({ publicKey2, signature2, isValid2 }); 26 27// Aggregation 28const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([ 29 bls12_381.utils.randomPrivateKey(), 30 bls12_381.utils.randomPrivateKey(), 31]); 32// const aggregatedSig = bls.aggregateSignatures(sigs) 33 34// Pairings, with and without final exponentiation 35// bls.pairing(PointG1, PointG2); 36// bls.pairing(PointG1, PointG2, false); 37// bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2)); 38 39// Others 40// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE; 41// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr;
See abstract/bls. For example usage, check out the implementation of BLS EVM precompiles.
1import { bn254 } from '@noble/curves/bn254'; 2 3console.log(bn254.G1, bn254.G2, bn254.pairing);
The API mirrors BLS. The curve was previously called alt_bn128. The implementation is compatible with EIP-196 and EIP-197.
We don't implement Point methods toHex / toRawBytes. To work around this limitation, has to initialize points on their own from BigInts. Reason it's not implemented is because there is no standard. Points of divergence:
For example usage, check out the implementation of bn254 EVM precompiles.
1import { jubjub, babyjubjub } from '@noble/curves/misc';
Miscellaneous, rarely used curves are contained in the module. Jubjub curves have Fp over scalar fields of other curves. They are friendly to ZK proofs. jubjub Fp = bls n. babyjubjub Fp = bn254 n.
1import { secp256k1 } from '@noble/curves/secp256k1'; 2 3// Curve's variables 4// Every curve has `CURVE` object that contains its parameters, field, and others 5console.log(secp256k1.CURVE.p); // field modulus 6console.log(secp256k1.CURVE.n); // curve order 7console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params 8console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates 9 10// MSM 11const p = secp256k1.ProjectivePoint; 12const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)]; 13p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n)); // 129*G
Multi-scalar-multiplication (MSM) is basically (Pa + Qb + Rc + ...)
.
It's 10-30x faster vs naive addition for large amount of points.
Pippenger algorithm is used underneath.
Implementations use noble-hashes. If you want to use a different hashing library, abstract API doesn't depend on them.
Abstract API allows to define custom curves. All arithmetics is done with JS
bigints over finite fields, which is defined from modular
sub-module. For
scalar multiplication, we use
precomputed tables with w-ary non-adjacent form (wNAF).
Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
could precompute any other point (e.g. for ECDH) using utils.precompute()
method: check out examples.
1import { weierstrass } from '@noble/curves/abstract/weierstrass'; 2import { Field } from '@noble/curves/abstract/modular'; 3import { sha256 } from '@noble/hashes/sha256'; 4import { hmac } from '@noble/hashes/hmac'; 5import { concatBytes, randomBytes } from '@noble/hashes/utils'; 6 7const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) => 8 hmac(sha256, key, concatBytes(...msgs)); 9 10// secQ (not secP) - secq256k1 is a cycle of secp256k1 with Fp/N flipped. 11// https://personaelabs.org/posts/spartan-ecdsa 12// https://zcash.github.io/halo2/background/curves.html#cycles-of-curves 13const secq256k1 = weierstrass({ 14 a: 0n, 15 b: 7n, 16 Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n), 17 n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n, 18 Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n, 19 Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n, 20 hash: sha256, 21 hmac: hmacSha256, 22 randomBytes, 23}); 24 25// NIST secp192r1 aka p192 26// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1 27const secp192r1 = weierstrass({ 28 a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn, 29 b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n, 30 Fp: Field(0xfffffffffffffffffffffffffffffffeffffffffffffffffn), 31 n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n, 32 Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n, 33 Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n, 34 hash: sha256, 35 hmac: hmacSha256, 36 randomBytes, 37});
Short Weierstrass curve's formula is y² = x³ + ax + b
. weierstrass
expects arguments a
, b
, field Fp
, curve order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
hmac
and hash
must be specified for deterministic k
generation.
Weierstrass points:
ProjectivePoint
ProjectivePoint.fromHex
and ProjectivePoint#toRawBytes()
assertValidity()
which checks for being on-curvetoAffine()
and x
/ y
getters which convert to 2d xy affine coordinatesECDSA signatures:
Signature
instances with r, s
and optional recovery
propertiesrecoverPublicKey()
, toCompactRawBytes()
and toDERRawBytes()
methodssign(msgHash, privKey)
(default, prehash: false) - you did hashing beforesign(msg, privKey, {prehash: true})
- curves will do hashing for youMore examples:
1// All curves expose same generic interface. 2const priv = secq256k1.utils.randomPrivateKey(); 3secq256k1.getPublicKey(priv); // Convert private key to public. 4const sig = secq256k1.sign(msg, priv); // Sign msg with private key. 5const sig2 = secq256k1.sign(msg, priv, { prehash: true }); // hash(msg) 6secq256k1.verify(sig, msg, priv); // Verify if sig is correct. 7 8// Default behavior is "try DER, then try compact if fails". Can be explicit: 9secq256k1.verify(sig.toCompactHex(), msg, priv, { format: 'compact' }); 10 11const Point = secq256k1.ProjectivePoint; 12const point = Point.BASE; // Elliptic curve Point class and BASE point static var. 13point.add(point).equals(point.double()); // add(), equals(), double() methods 14point.subtract(point).equals(Point.ZERO); // subtract() method, ZERO static var 15point.negate(); // Flips point over x/y coordinate. 16point.multiply(31415n); // Multiplication of Point by scalar. 17 18point.assertValidity(); // Checks for being on-curve 19point.toAffine(); // Converts to 2d affine xy coordinates 20 21secq256k1.CURVE.n; 22secq256k1.CURVE.p; 23secq256k1.CURVE.Fp.mod(); 24secq256k1.CURVE.hash(); 25 26// precomputes 27const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey)); 28fast.multiply(privKey); // much faster ECDH now
1import { twistedEdwards } from '@noble/curves/abstract/edwards'; 2import { Field } from '@noble/curves/abstract/modular'; 3import { sha512 } from '@noble/hashes/sha512'; 4import { randomBytes } from '@noble/hashes/utils'; 5 6const Fp = Field(2n ** 255n - 19n); 7const ed25519 = twistedEdwards({ 8 a: Fp.create(-1n), 9 d: Fp.div(-121665n, 121666n), // -121665n/121666n mod p 10 Fp: Fp, 11 n: 2n ** 252n + 27742317777372353535851937790883648493n, 12 h: 8n, 13 Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n, 14 Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n, 15 hash: sha512, 16 randomBytes, 17 adjustScalarBytes(bytes) { 18 // optional; but mandatory in ed25519 19 bytes[0] &= 248; 20 bytes[31] &= 127; 21 bytes[31] |= 64; 22 return bytes; 23 }, 24} as const);
Twisted Edwards curve's formula is ax² + y² = 1 + dx²y²
.
You must specify a
, d
, field Fp
, order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
For EdDSA signatures, hash
param required.
adjustScalarBytes
which instructs how to change private scalars could be specified.
Edwards points:
ExtendedPoint
ExtendedPoint.fromHex
and ExtendedPoint#toRawBytes()
assertValidity()
which checks for being on-curvetoAffine()
and x
/ y
getters which convert to 2d xy affine coordinatesisTorsionFree()
, clearCofactor()
and isSmallOrder()
utilities to handle torsionsEdDSA signatures:
zip215: true
is default behavior. It has slightly looser verification logic
to be consensus-friendly, following ZIP215 ruleszip215: false
switches verification criteria to strict
RFC8032 / FIPS 186-5
and additionally provides non-repudiation with SBS,
which is useful for:
Check out RFC9496 for description of ristretto and decaf groups which we implement.
The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748. Proper Elliptic Curve Points are not implemented yet.
The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction. They allow to construct zk-SNARKs and use aggregated, batch-verifiable threshold signatures, using Boneh-Lynn-Shacham signature scheme.
The module doesn't expose CURVE
property: use G1.CURVE
, G2.CURVE
instead.
Only BLS12-381 is currently implemented.
Defining BLS12-377 and BLS24 should be straightforward.
The default BLS uses short public keys (with public keys in G1 and signatures in G2). Short signatures (public keys in G2 and signatures in G1) are also supported.
The module allows to hash arbitrary strings to elliptic curve points. Implements RFC 9380.
Every curve has exported hashToCurve
and encodeToCurve
methods. You should always prefer hashToCurve
for security:
1import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1'; 2import { randomBytes } from '@noble/hashes/utils'; 3hashToCurve('0102abcd'); 4console.log(hashToCurve(randomBytes())); 5console.log(encodeToCurve(randomBytes())); 6 7import { bls12_381 } from '@noble/curves/bls12-381'; 8bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' }); 9bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
Low-level methods from the spec:
1// produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
2function expand_message_xmd(
3 msg: Uint8Array,
4 DST: Uint8Array,
5 lenInBytes: number,
6 H: CHash // For CHash see abstract/weierstrass docs section
7): Uint8Array;
8// produces a uniformly random byte string using an extendable-output function (XOF) H.
9function expand_message_xof(
10 msg: Uint8Array,
11 DST: Uint8Array,
12 lenInBytes: number,
13 k: number,
14 H: CHash
15): Uint8Array;
16// Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
17function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
18
19/**
20 * * `DST` is a domain separation tag, defined in section 2.2.5
21 * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
22 * * `m` is extension degree (1 for prime fields)
23 * * `k` is the target security target in bits (e.g. 128), from section 5.1
24 * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
25 * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
26 */
27type UnicodeOrBytes = string | Uint8Array;
28type Opts = {
29 DST: UnicodeOrBytes;
30 p: bigint;
31 m: number;
32 k: number;
33 expand?: 'xmd' | 'xof';
34 hash: CHash;
35};
Implements Poseidon ZK-friendly hash: permutation and sponge.
There are many poseidon variants with different constants. We don't provide them: you should construct them manually. Check out micro-starknet package for a proper example.
1import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon'; 2 3const rate = 2; 4const capacity = 1; 5const { mds, roundConstants } = poseidon.grainGenConstants({ 6 Fp, 7 t: rate + capacity, 8 roundsFull: 8, 9 roundsPartial: 31, 10}); 11const opts = { 12 Fp, 13 rate, 14 capacity, 15 sboxPower: 17, 16 mds, 17 roundConstants, 18 roundsFull: 8, 19 roundsPartial: 31, 20}; 21const permutation = poseidon.poseidon(opts); 22const sponge = poseidon.poseidonSponge(opts); // use carefully, not specced
1import * as mod from '@noble/curves/abstract/modular'; 2 3// Finite Field utils 4const fp = mod.Field(2n ** 255n - 19n); // Finite field over 2^255-19 5fp.mul(591n, 932n); // multiplication 6fp.pow(481n, 11024858120n); // exponentiation 7fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17) 8fp.inv(5n); // modular inverse 9fp.sqrt(21n); // square root 10 11// Non-Field generic utils are also available 12mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10 13mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse 14mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
Field operations are not constant-time: they are using JS bigints, see security.
The fact is mostly irrelevant, but the important method to keep in mind is pow
,
which may leak exponent bits, when used naïvely.
mod.Field
is always field over prime number. Non-prime fields aren't supported for now.
We don't test for prime-ness for speed and because algorithms are probabilistic anyway.
Initializing a non-prime field could make your app suspectible to
DoS (infilite loop) on Tonelli-Shanks square root calculation.
Unlike mod.inv
, mod.invertBatch
won't throw on 0
: make sure to throw an error yourself.
Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields. API may change at any time. The code has not been audited. Feature requests are welcome.
1import * as fft from '@noble/curves/abstract/fft.js';
You can't simply make a 32-byte private key from a 32-byte hash. Doing so will make the key biased.
To make the bias negligible, we follow FIPS 186-5 A.2 and RFC 9380. This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
hashToPrivateScalar()
that hashes to private key was created for this purpose.
Use abstract/hash-to-curve
if you need to hash to public key.
1import { p256 } from '@noble/curves/nist'; 2import { sha256 } from '@noble/hashes/sha256'; 3import { hkdf } from '@noble/hashes/hkdf'; 4import * as mod from '@noble/curves/abstract/modular'; 5const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2) 6const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv 7const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
1import * as utils from '@noble/curves/abstract/utils'; 2 3utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 4utils.hexToBytes('deadbeef'); 5utils.numberToHexUnpadded(123n); 6utils.hexToNumber(); 7 8utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 9utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 10utils.numberToBytesBE(123n, 32); 11utils.numberToBytesLE(123n, 64); 12 13utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef])); 14utils.nLength(255n); 15utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
The library has been independently audited:
curve
, modular
, poseidon
, weierstrass
curve
, hash-to-curve
, modular
, poseidon
, utils
, weierstrass
and
top-level modules _shortw_utils
and secp256k1
It is tested against property-based, cross-library and Wycheproof vectors, and is being fuzzed in the separate repo.
If you see anything unusual: investigate and report.
We're targetting algorithmic constant time. JIT-compiler and Garbage Collector make "constant time" extremely hard to achieve timing attack resistance in a scripting language. Which means any other JS library can't have constant-timeness. Even statically typed Rust, a language without GC, makes it harder to achieve constant-time for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages.
Use low-level languages instead of JS / WASM if your goal is absolute security.
The library mostly uses Uint8Arrays and bigints.
.fill(0)
which instructs to fill content with zeroes
but there are no guarantees in JSawait fn()
will write all internal variables to memory. With
async functions there are no guarantees when the code
chunk would be executed. Which means attacker can have
plenty of time to read data from memory.This means some secrets could stay in memory longer than anticipated. However, if an attacker can read application memory, it's doomed anyway: there is no way to guarantee anything about zeroizing sensitive data without complex tests-suite which will dump process memory and verify that there is no sensitive data left. For JS it means testing all browsers (including mobile). And, of course, it will be useless without using the same test-suite in the actual application that consumes the library.
gh attestation verify --owner paulmillr noble-curves.js
npm-diff
For this package, there is 1 dependency; and a few dev dependencies:
We're deferring to built-in crypto.getRandomValues which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again. Implementing a userspace CSPRNG to get resilient to the weakness is even worse: there is no reliable userspace source of quality entropy.
Cryptographically relevant quantum computer, if built, will allow to break elliptic curve cryptography (both ECDSA / EdDSA & ECDH) using Shor's algorithm.
Consider switching to newer / hybrid algorithms, such as SPHINCS+. They are available in noble-post-quantum.
NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH) after 2035. Australian ASD prohibits it after 2030.
1npm run bench:install && npm run bench
noble-curves spends 10+ ms to generate 20MB+ of base point precomputes. This is done one-time per curve.
The generation is deferred until any method (pubkey, sign, verify) is called.
User can force precompute generation by manually calling Point.BASE.precompute(windowSize, false)
.
Check out the source code.
Benchmark results on Apple M4:
# secp256k1
init 10ms
getPublicKey x 9,099 ops/sec @ 109μs/op
sign x 7,182 ops/sec @ 139μs/op
verify x 1,188 ops/sec @ 841μs/op
getSharedSecret x 735 ops/sec @ 1ms/op
recoverPublicKey x 1,265 ops/sec @ 790μs/op
schnorr.sign x 957 ops/sec @ 1ms/op
schnorr.verify x 1,210 ops/sec @ 825μs/op
# ed25519
init 14ms
getPublicKey x 14,216 ops/sec @ 70μs/op
sign x 6,849 ops/sec @ 145μs/op
verify x 1,400 ops/sec @ 713μs/op
# ed448
init 37ms
getPublicKey x 5,273 ops/sec @ 189μs/op
sign x 2,494 ops/sec @ 400μs/op
verify x 476 ops/sec @ 2ms/op
# p256
init 17ms
getPublicKey x 8,977 ops/sec @ 111μs/op
sign x 7,236 ops/sec @ 138μs/op
verify x 877 ops/sec @ 1ms/op
# p384
init 42ms
getPublicKey x 4,084 ops/sec @ 244μs/op
sign x 3,247 ops/sec @ 307μs/op
verify x 331 ops/sec @ 3ms/op
# p521
init 83ms
getPublicKey x 2,049 ops/sec @ 487μs/op
sign x 1,748 ops/sec @ 571μs/op
verify x 170 ops/sec @ 5ms/op
# ristretto255
add x 931,966 ops/sec @ 1μs/op
multiply x 15,444 ops/sec @ 64μs/op
encode x 21,367 ops/sec @ 46μs/op
decode x 21,715 ops/sec @ 46μs/op
# decaf448
add x 478,011 ops/sec @ 2μs/op
multiply x 416 ops/sec @ 2ms/op
encode x 8,562 ops/sec @ 116μs/op
decode x 8,636 ops/sec @ 115μs/op
# ECDH
x25519 x 1,981 ops/sec @ 504μs/op
x448 x 743 ops/sec @ 1ms/op
secp256k1 x 728 ops/sec @ 1ms/op
p256 x 705 ops/sec @ 1ms/op
p384 x 268 ops/sec @ 3ms/op
p521 x 137 ops/sec @ 7ms/op
# hash-to-curve
hashToPrivateScalar x 1,754,385 ops/sec @ 570ns/op
hash_to_field x 135,703 ops/sec @ 7μs/op
hashToCurve secp256k1 x 3,194 ops/sec @ 313μs/op
hashToCurve p256 x 5,962 ops/sec @ 167μs/op
hashToCurve p384 x 2,230 ops/sec @ 448μs/op
hashToCurve p521 x 1,063 ops/sec @ 940μs/op
hashToCurve ed25519 x 4,047 ops/sec @ 247μs/op
hashToCurve ed448 x 1,691 ops/sec @ 591μs/op
hash_to_ristretto255 x 8,733 ops/sec @ 114μs/op
hash_to_decaf448 x 3,882 ops/sec @ 257μs/op
# modular over secp256k1 P field
invert a x 866,551 ops/sec @ 1μs/op
invert b x 693,962 ops/sec @ 1μs/op
sqrt p = 3 mod 4 x 25,738 ops/sec @ 38μs/op
sqrt tonneli-shanks x 847 ops/sec @ 1ms/op
# bls12-381
init 22ms
getPublicKey x 1,325 ops/sec @ 754μs/op
sign x 80 ops/sec @ 12ms/op
verify x 62 ops/sec @ 15ms/op
pairing x 166 ops/sec @ 6ms/op
pairing10 x 54 ops/sec @ 18ms/op ± 23.48% (15ms..36ms)
MSM 4096 scalars x points 3286ms
aggregatePublicKeys/8 x 173 ops/sec @ 5ms/op
aggregatePublicKeys/32 x 46 ops/sec @ 21ms/op
aggregatePublicKeys/128 x 11 ops/sec @ 84ms/op
aggregatePublicKeys/512 x 2 ops/sec @ 335ms/op
aggregatePublicKeys/2048 x 0 ops/sec @ 1346ms/op
aggregateSignatures/8 x 82 ops/sec @ 12ms/op
aggregateSignatures/32 x 21 ops/sec @ 45ms/op
aggregateSignatures/128 x 5 ops/sec @ 178ms/op
aggregateSignatures/512 x 1 ops/sec @ 705ms/op
aggregateSignatures/2048 x 0 ops/sec @ 2823ms/op
Previously, the library was split into single-feature packages noble-secp256k1, noble-ed25519 and noble-bls12-381.
Curves continue their original work. The single-feature packages changed their direction towards providing minimal 4kb implementations of cryptography, which means they have less features.
Upgrading from noble-secp256k1 2.0 or noble-ed25519 2.0: no changes, libraries are compatible.
Upgrading from noble-secp256k1 1.7:
getPublicKey
isCompressed
to false
: getPublicKey(priv, false)
sign
Signature
instance with { r, s, recovery }
propertiescanonical
option was renamed to lowS
recovered
option has been removed because recovery bit is always returned nowder
option has been removed. There are 2 options:
fromCompact
, toCompactRawBytes
, toCompactHex
.
Compact encoding is simply a concatenation of 32-byte r and 32-byte s.verify
strict
option was renamed to lowS
getSharedSecret
isCompressed
to false
: getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec)
was changed to sig.recoverPublicKey(msg)
number
type for private keys have been removed: use bigint
insteadPoint
(2d xy) has been changed to ProjectivePoint
(3d xyz)utils
were split into utils
(same api as in noble-curves) and
etc
(hmacSha256Sync
and others)Upgrading from @noble/ed25519 1.7:
bigint
is no longer allowed in getPublicKey
, sign
, verify
. Reason: ed25519 is LE, can lead to bugsPoint
(2d xy) has been changed to ExtendedPoint
(xyzt)Signature
was removed: just use raw bytes or hex nowutils
were split into utils
(same api as in noble-curves) and
etc
(sha512Sync
and others)getSharedSecret
was moved to x25519
moduletoX25519
has been moved to edwardsToMontgomeryPub
and edwardsToMontgomeryPriv
methodsUpgrading from @noble/bls12-381:
npm install && npm run build && npm test
will build the code and run tests.npm run lint
/ npm run format
will run linter / fix linter issues.npm run bench
will run benchmarks, which may need their deps first (npm run bench:install
)npm run build:release
will build single fileCheck out github.com/paulmillr/guidelines for general coding practices and rules.
See paulmillr.com/noble for useful resources, articles, documentation and demos related to the library.
MuSig2 signature scheme and BIP324 ElligatorSwift mapping for secp256k1 are available in a separate package.
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
See LICENSE file.
No vulnerabilities found.
No security vulnerabilities found.