Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
Gathering detailed insights and metrics for @noble/curves
@openpgp/noble-curves
Audited & minimal JS implementation of elliptic curve cryptography
polyfill-crypto-methods
Polyfill for Crypto instance methods of Web Crypto API
@vsc.eco/kzg
Proof of concept KZG commitments using BLS12-381 curves using [noble-curves](https://github.com/paulmillr/noble-curves) and [galois](https://github.com/GuildOfWeavers/galois)
@kevincharm/noble-bn254-drand
@noble/curves/bn254 with hash-to-curve & signature implementations for drand
Audited & minimal JS implementation of elliptic curve cryptography.
npm install @noble/curves
Typescript
Module System
Min. Node Version
Node Version
NPM Version
99.8
Supply Chain
100
Quality
85.4
Maintenance
100
Vulnerability
100
License
Total
104,125,685
Last Day
146,723
Last Week
2,655,237
Last Month
10,619,465
Last Year
87,146,852
702 Stars
549 Commits
65 Forks
11 Watching
3 Branches
17 Contributors
Updated on 08 Dec 2024
Minified
Minified + Gzipped
JavaScript (53.42%)
TypeScript (46.5%)
Go (0.08%)
Cumulative downloads
Total Downloads
Last day
1.4%
146,723
Compared to previous day
Last week
4.8%
2,655,237
Compared to previous week
Last month
-2.2%
10,619,465
Compared to previous month
Last year
413.3%
87,146,852
Compared to previous year
1
6
Audited & minimal JS implementation of elliptic curve cryptography.
Take a glance at GitHub Discussions for questions and support.
noble cryptography — high-security, easily auditable set of contained cryptographic libraries and tools.
npm install @noble/curves
We support all major platforms and runtimes. For Deno, ensure to use npm specifier. For React Native, you may need a polyfill for getRandomValues. A standalone file noble-curves.js is also available.
1// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size 2import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js 3// import { secp256k1 } from 'npm:@noble/curves@1.6.0/secp256k1'; // Deno
Implementations use noble-hashes. If you want to use a different hashing library, abstract API doesn't depend on them.
1import { secp256k1 } from '@noble/curves/secp256k1'; 2// import { p256 } from '@noble/curves/p256'; // or p384 / p521 3 4const priv = secp256k1.utils.randomPrivateKey(); 5const pub = secp256k1.getPublicKey(priv); 6const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa 7const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available 8const isValid = secp256k1.verify(sig, msg, pub) === true; 9 10// hex strings are also supported besides Uint8Array-s: 11const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236'; 12const pub2 = secp256k1.getPublicKey(privHex);
The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).
1// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex) 2// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format 3sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery 4 5// extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html 6const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
1// 1. The output includes parity byte. Strip it using shared.slice(1) 2// 2. The output is not hashed. More secure way is sha256(shared) or hkdf(shared) 3const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey()); 4const shared = secp256k1.getSharedSecret(priv, someonesPub);
1import { schnorr } from '@noble/curves/secp256k1'; 2const priv = schnorr.utils.randomPrivateKey(); 3const pub = schnorr.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = schnorr.sign(msg, priv); 6const isValid = schnorr.verify(sig, msg, pub);
1import { ed25519 } from '@noble/curves/ed25519'; 2const priv = ed25519.utils.randomPrivateKey(); 3const pub = ed25519.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = ed25519.sign(msg, priv); 6ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215 7ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
Default verify
behavior follows ZIP215 and
can be used in consensus-critical applications.
It has SUF-CMA (strong unforgeability under chosen message attacks).
zip215: false
option switches verification criteria to strict
RFC8032 / FIPS 186-5
and additionally provides non-repudiation with SBS.
X25519 follows RFC7748.
1// Variants from RFC8032: with context, prehashed 2import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519'; 3 4// ECDH using curve25519 aka x25519 5import { x25519 } from '@noble/curves/ed25519'; 6const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4'; 7const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c'; 8x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases 9x25519.getPublicKey(priv) === x25519.scalarMultBase(priv); 10x25519.getPublicKey(x25519.utils.randomPrivateKey()); 11 12// ed25519 => x25519 conversion 13import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519'; 14edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey())); 15edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
ristretto255 follows irtf draft.
1// hash-to-curve, ristretto255
2import { utf8ToBytes } from '@noble/hashes/utils';
3import { sha512 } from '@noble/hashes/sha512';
4import {
5 hashToCurve,
6 encodeToCurve,
7 RistrettoPoint,
8 hashToRistretto255,
9} from '@noble/curves/ed25519';
10
11const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
12hashToCurve(msg);
13
14const rp = RistrettoPoint.fromHex(
15 '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
16);
17RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();
18RistrettoPoint.ZERO.equals(dp) === false;
19// pre-hashed hash-to-curve
20RistrettoPoint.hashToCurve(sha512(msg));
21// full hash-to-curve including domain separation tag
22hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
1import { ed448 } from '@noble/curves/ed448'; 2const priv = ed448.utils.randomPrivateKey(); 3const pub = ed448.getPublicKey(priv); 4const msg = new TextEncoder().encode('whatsup'); 5const sig = ed448.sign(msg, priv); 6ed448.verify(sig, msg, pub); 7 8// Variants from RFC8032: prehashed 9import { ed448ph } from '@noble/curves/ed448';
ECDH using Curve448 aka X448, follows RFC7748.
1import { x448 } from '@noble/curves/ed448';
2x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
3x448.getPublicKey(priv) === x448.scalarMultBase(priv);
4
5// ed448 => x448 conversion
6import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
7edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
decaf448 follows irtf draft.
1import { utf8ToBytes } from '@noble/hashes/utils';
2import { shake256 } from '@noble/hashes/sha3';
3import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
4
5const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
6hashToCurve(msg);
7
8const dp = DecafPoint.fromHex(
9 'c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75'
10);
11DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();
12DecafPoint.ZERO.equals(dp) === false;
13// pre-hashed hash-to-curve
14DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
15// full hash-to-curve including domain separation tag
16hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
Same RFC7748 / RFC8032 / IRTF draft are followed.
1import { bls12_381 as bls } from '@noble/curves/bls12-381'; 2 3// G1 keys, G2 signatures 4const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c'; 5const message = '64726e3da8'; 6const publicKey = bls.getPublicKey(privateKey); 7const signature = bls.sign(message, privateKey); 8const isValid = bls.verify(signature, message, publicKey); 9console.log({ publicKey, signature, isValid }); 10 11// G2 keys, G1 signatures 12// getPublicKeyForShortSignatures(privateKey) 13// signShortSignature(message, privateKey) 14// verifyShortSignature(signature, message, publicKey) 15// aggregateShortSignatures(signatures) 16 17// Custom DST 18const htfEthereum = { DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_' }; 19const signatureEth = bls.sign(message, privateKey, htfEthereum); 20const isValidEth = bls.verify(signature, message, publicKey, htfEthereum); 21 22// Aggregation 23const aggregatedKey = bls.aggregatePublicKeys([bls.utils.randomPrivateKey(), bls.utils.randomPrivateKey()]) 24// const aggregatedSig = bls.aggregateSignatures(sigs) 25 26// Pairings, with and without final exponentiation 27// bls.pairing(PointG1, PointG2); 28// bls.pairing(PointG1, PointG2, false); 29// bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2)); 30 31// Others 32// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE; 33// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr;
See abstract/bls. For example usage, check out the implementation of BLS EVM precompiles.
1import { bn254 } from '@noble/curves/bn254'; 2 3console.log( 4 bn254.G1, 5 bn254.G2, 6 bn254.pairing 7)
The API mirrors BLS. The curve was previously called alt_bn128. The implementation is compatible with EIP-196 and EIP-197.
Keep in mind that we don't implement Point methods toHex / toRawBytes. It's because different implementations of bn254 do it differently - there is no standard. Points of divergence:
For example usage, check out the implementation of bn254 EVM precompiles.
1import { secp256k1 } from '@noble/curves/secp256k1'; 2const p = secp256k1.ProjectivePoint; 3const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)]; 4p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n)); // 129*G
Pippenger algorithm is used underneath.
Multi-scalar-multiplication (MSM) is basically (Pa + Qb + Rc + ...)
.
It's 10-30x faster vs naive addition for large amount of points.
1import { secp256k1, schnorr } from '@noble/curves/secp256k1'; 2import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519'; 3import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448'; 4import { p256 } from '@noble/curves/p256'; 5import { p384 } from '@noble/curves/p384'; 6import { p521 } from '@noble/curves/p521'; 7import { pallas, vesta } from '@noble/curves/pasta'; 8import { bls12_381 } from '@noble/curves/bls12-381'; 9import { bn254 } from '@noble/curves/bn254'; // also known as alt_bn128 10import { jubjub } from '@noble/curves/jubjub'; 11import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
1import { secp256k1 } from '@noble/curves/secp256k1'; 2// Every curve has `CURVE` object that contains its parameters, field, and others 3console.log(secp256k1.CURVE.p); // field modulus 4console.log(secp256k1.CURVE.n); // curve order 5console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params 6console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates
Abstract API allows to define custom curves. All arithmetics is done with JS
bigints over finite fields, which is defined from modular
sub-module. For
scalar multiplication, we use
precomputed tables with w-ary non-adjacent form (wNAF).
Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
could precompute any other point (e.g. for ECDH) using utils.precompute()
method: check out examples.
1import { weierstrass } from '@noble/curves/abstract/weierstrass'; 2import { Field } from '@noble/curves/abstract/modular'; // finite field for mod arithmetics 3import { sha256 } from '@noble/hashes/sha256'; // 3rd-party sha256() of type utils.CHash 4import { hmac } from '@noble/hashes/hmac'; // 3rd-party hmac() that will accept sha256() 5import { concatBytes, randomBytes } from '@noble/hashes/utils'; // 3rd-party utilities 6 7const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)); 8 9// secq256k1: cycle of secp256k1 with Fp/N flipped. 10// https://personaelabs.org/posts/spartan-ecdsa 11// https://zcash.github.io/halo2/background/curves.html#cycles-of-curves 12const secq256k1 = weierstrass({ 13 // Curve equation params a, b 14 a: 0n, 15 b: 7n, 16 // Field over which we'll do calculations 17 Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n), 18 // Curve order, total count of valid points in the field. 19 n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n, 20 // Base point (x, y) aka generator point 21 Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n, 22 Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n, 23 24 hash: sha256, 25 hmac: hmacSha256, 26 randomBytes, 27}); 28 29// NIST secp192r1 aka p192 https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1 30const secp192r1 = weierstrass({ 31 a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffc'), 32 b: BigInt('0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1'), 33 Fp: Field(BigInt('0xfffffffffffffffffffffffffffffffeffffffffffffffff')), 34 n: BigInt('0xffffffffffffffffffffffff99def836146bc9b1b4d22831'), 35 Gx: BigInt('0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012'), 36 Gy: BigInt('0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811'), 37 h: BigInt(1), 38 hash: sha256, 39 hmac: hmacSha256, 40 randomBytes, 41}); 42 43 44// Replace weierstrass() with weierstrassPoints() if you don't need ECDSA, hash, hmac, randomBytes
Short Weierstrass curve's formula is y² = x³ + ax + b
. weierstrass
expects arguments a
, b
, field Fp
, curve order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
k
generation is done deterministically, following
RFC6979. It is suggested to use extraEntropy
option, which incorporates randomness into signatures to increase their security.
For k generation, specifying hmac
& hash
is required,
which in our implementations is done by noble-hashes. If
you're using different hashing library, make sure to wrap it in the following interface:
1type CHash = { 2 (message: Uint8Array): Uint8Array; 3 blockLen: number; 4 outputLen: number; 5 create(): any; 6}; 7 8// example 9function sha256(message: Uint8Array) { 10 return _internal_lowlvl(message); 11} 12sha256.outputLen = 32; // 32 bytes of output for sha2-256
Message hash is expected instead of message itself:
sign(msgHash, privKey)
is default behavior, assuming you pre-hash msg with sha2, or other hashsign(msg, privKey, {prehash: true})
option can be used if you want to pass the message itselfWeierstrass points:
ProjectivePoint
ProjectivePoint.fromHex
and ProjectivePoint#toRawBytes()
assertValidity()
which checks for being on-curvetoAffine()
and x
/ y
getters which convert to 2d xy affine coordinates1// `weierstrassPoints()` returns `CURVE` and `ProjectivePoint`
2// `weierstrass()` returns `CurveFn`
3type SignOpts = { lowS?: boolean; prehash?: boolean; extraEntropy: boolean | Uint8Array };
4type CurveFn = {
5 CURVE: ReturnType<typeof validateOpts>;
6 getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
7 getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
8 sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
9 verify: (
10 signature: Hex | SignatureType,
11 msgHash: Hex,
12 publicKey: Hex,
13 opts?: { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' }
14 ) => boolean;
15 ProjectivePoint: ProjectivePointConstructor;
16 Signature: SignatureConstructor;
17 utils: {
18 normPrivateKeyToScalar: (key: PrivKey) => bigint;
19 isValidPrivateKey(key: PrivKey): boolean;
20 randomPrivateKey: () => Uint8Array;
21 precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
22 };
23};
24
25// T is usually bigint, but can be something else like complex numbers in BLS curves
26interface ProjPointType<T> extends Group<ProjPointType<T>> {
27 readonly px: T;
28 readonly py: T;
29 readonly pz: T;
30 get x(): bigint;
31 get y(): bigint;
32 multiply(scalar: bigint): ProjPointType<T>;
33 multiplyUnsafe(scalar: bigint): ProjPointType<T>;
34 multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
35 toAffine(iz?: T): AffinePoint<T>;
36 isTorsionFree(): boolean;
37 clearCofactor(): ProjPointType<T>;
38 assertValidity(): void;
39 hasEvenY(): boolean;
40 toRawBytes(isCompressed?: boolean): Uint8Array;
41 toHex(isCompressed?: boolean): string;
42}
43// Static methods for 3d XYZ points
44interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
45 new (x: T, y: T, z: T): ProjPointType<T>;
46 fromAffine(p: AffinePoint<T>): ProjPointType<T>;
47 fromHex(hex: Hex): ProjPointType<T>;
48 fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
49 msm(points: ProjPointType[], scalars: bigint[]): ProjPointType<T>;
50}
ECDSA signatures are represented by Signature
instances and can be
described by the interface:
1interface SignatureType { 2 readonly r: bigint; 3 readonly s: bigint; 4 readonly recovery?: number; 5 assertValidity(): void; 6 addRecoveryBit(recovery: number): SignatureType; 7 hasHighS(): boolean; 8 normalizeS(): SignatureType; 9 recoverPublicKey(msgHash: Hex): ProjPointType<bigint>; 10 toCompactRawBytes(): Uint8Array; 11 toCompactHex(): string; 12 // DER-encoded 13 toDERRawBytes(): Uint8Array; 14 toDERHex(): string; 15} 16type SignatureConstructor = { 17 new (r: bigint, s: bigint): SignatureType; 18 fromCompact(hex: Hex): SignatureType; 19 fromDER(hex: Hex): SignatureType; 20};
More examples:
1// All curves expose same generic interface. 2const priv = secq256k1.utils.randomPrivateKey(); 3secq256k1.getPublicKey(priv); // Convert private key to public. 4const sig = secq256k1.sign(msg, priv); // Sign msg with private key. 5const sig2 = secq256k1.sign(msg, priv, { prehash: true }); // hash(msg) 6secq256k1.verify(sig, msg, priv); // Verify if sig is correct. 7 8// Default behavior is "try DER, then try compact if fails". Can be explicit: 9secq256k1.verify(sig.toCompactHex(), msg, priv, { format: 'compact' }); 10 11const Point = secq256k1.ProjectivePoint; 12const point = Point.BASE; // Elliptic curve Point class and BASE point static var. 13point.add(point).equals(point.double()); // add(), equals(), double() methods 14point.subtract(point).equals(Point.ZERO); // subtract() method, ZERO static var 15point.negate(); // Flips point over x/y coordinate. 16point.multiply(31415n); // Multiplication of Point by scalar. 17 18point.assertValidity(); // Checks for being on-curve 19point.toAffine(); // Converts to 2d affine xy coordinates 20 21secq256k1.CURVE.n; 22secq256k1.CURVE.p; 23secq256k1.CURVE.Fp.mod(); 24secq256k1.CURVE.hash(); 25 26// precomputes 27const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey)); 28fast.multiply(privKey); // much faster ECDH now
1import { twistedEdwards } from '@noble/curves/abstract/edwards'; 2import { Field } from '@noble/curves/abstract/modular'; 3import { sha512 } from '@noble/hashes/sha512'; 4import { randomBytes } from '@noble/hashes/utils'; 5 6const Fp = Field(2n ** 255n - 19n); 7const ed25519 = twistedEdwards({ 8 a: Fp.create(-1n), 9 d: Fp.div(-121665n, 121666n), // -121665n/121666n mod p 10 Fp: Fp, 11 n: 2n ** 252n + 27742317777372353535851937790883648493n, 12 h: 8n, 13 Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n, 14 Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n, 15 hash: sha512, 16 randomBytes, 17 adjustScalarBytes(bytes) { 18 // optional; but mandatory in ed25519 19 bytes[0] &= 248; 20 bytes[31] &= 127; 21 bytes[31] |= 64; 22 return bytes; 23 }, 24} as const);
Twisted Edwards curve's formula is ax² + y² = 1 + dx²y²
. You must specify a
, d
, field Fp
, order n
, cofactor h
and coordinates Gx
, Gy
of generator point.
For EdDSA signatures, hash
param required. adjustScalarBytes
which instructs how to change private scalars could be specified.
We support non-repudiation, which help in following scenarios:
Edwards points:
ExtendedPoint
ExtendedPoint.fromHex
and ExtendedPoint#toRawBytes()
assertValidity()
which checks for being on-curvetoAffine()
and x
/ y
getters which convert to 2d xy affine coordinatesisTorsionFree()
, clearCofactor()
and isSmallOrder()
utilities to handle torsions1// `twistedEdwards()` returns `CurveFn` of following type:
2type CurveFn = {
3 CURVE: ReturnType<typeof validateOpts>;
4 getPublicKey: (privateKey: Hex) => Uint8Array;
5 sign: (message: Hex, privateKey: Hex, context?: Hex) => Uint8Array;
6 verify: (sig: SigType, message: Hex, publicKey: Hex, context?: Hex) => boolean;
7 ExtendedPoint: ExtPointConstructor;
8 utils: {
9 randomPrivateKey: () => Uint8Array;
10 getExtendedPublicKey: (key: PrivKey) => {
11 head: Uint8Array;
12 prefix: Uint8Array;
13 scalar: bigint;
14 point: PointType;
15 pointBytes: Uint8Array;
16 };
17 };
18};
19
20interface ExtPointType extends Group<ExtPointType> {
21 readonly ex: bigint;
22 readonly ey: bigint;
23 readonly ez: bigint;
24 readonly et: bigint;
25 get x(): bigint;
26 get y(): bigint;
27 assertValidity(): void;
28 multiply(scalar: bigint): ExtPointType;
29 multiplyUnsafe(scalar: bigint): ExtPointType;
30 isSmallOrder(): boolean;
31 isTorsionFree(): boolean;
32 clearCofactor(): ExtPointType;
33 toAffine(iz?: bigint): AffinePoint<bigint>;
34 toRawBytes(isCompressed?: boolean): Uint8Array;
35 toHex(isCompressed?: boolean): string;
36}
37// Static methods of Extended Point with coordinates in X, Y, Z, T
38interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
39 new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
40 fromAffine(p: AffinePoint<bigint>): ExtPointType;
41 fromHex(hex: Hex): ExtPointType;
42 fromPrivateKey(privateKey: Hex): ExtPointType;
43 msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
44}
1import { montgomery } from '@noble/curves/abstract/montgomery'; 2import { Field } from '@noble/curves/abstract/modular'; 3 4const x25519 = montgomery({ 5 a: 486662n, 6 Gu: 9n, 7 P: 2n ** 255n - 19n, 8 montgomeryBits: 255, 9 nByteLength: 32, 10 // Optional param 11 adjustScalarBytes(bytes) { 12 bytes[0] &= 248; 13 bytes[31] &= 127; 14 bytes[31] |= 64; 15 return bytes; 16 }, 17});
The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748. Proper Elliptic Curve Points are not implemented yet.
You must specify curve params Fp
, a
, Gu
coordinate of u, montgomeryBits
and nByteLength
.
The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction. They allow to construct zk-SNARKs and use aggregated, batch-verifiable threshold signatures, using Boneh-Lynn-Shacham signature scheme.
The module doesn't expose CURVE
property: use G1.CURVE
, G2.CURVE
instead.
Only BLS12-381 is currently implemented.
Defining BLS12-377 and BLS24 should be straightforward.
The default BLS uses short public keys (with public keys in G1 and signatures in G2). Short signatures (public keys in G2 and signatures in G1) are also supported.
The module allows to hash arbitrary strings to elliptic curve points. Implements RFC 9380.
Every curve has exported hashToCurve
and encodeToCurve
methods. You should always prefer hashToCurve
for security:
1import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1'; 2import { randomBytes } from '@noble/hashes/utils'; 3hashToCurve('0102abcd'); 4console.log(hashToCurve(randomBytes())); 5console.log(encodeToCurve(randomBytes())); 6 7import { bls12_381 } from '@noble/curves/bls12-381'; 8bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' }); 9bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
Low-level methods from the spec:
1// produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
2function expand_message_xmd(
3 msg: Uint8Array,
4 DST: Uint8Array,
5 lenInBytes: number,
6 H: CHash // For CHash see abstract/weierstrass docs section
7): Uint8Array;
8// produces a uniformly random byte string using an extendable-output function (XOF) H.
9function expand_message_xof(
10 msg: Uint8Array,
11 DST: Uint8Array,
12 lenInBytes: number,
13 k: number,
14 H: CHash
15): Uint8Array;
16// Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
17function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
18
19/**
20 * * `DST` is a domain separation tag, defined in section 2.2.5
21 * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
22 * * `m` is extension degree (1 for prime fields)
23 * * `k` is the target security target in bits (e.g. 128), from section 5.1
24 * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
25 * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
26 */
27type UnicodeOrBytes = string | Uint8Array;
28type Opts = {
29 DST: UnicodeOrBytes;
30 p: bigint;
31 m: number;
32 k: number;
33 expand?: 'xmd' | 'xof';
34 hash: CHash;
35};
Implements Poseidon ZK-friendly hash.
There are many poseidon variants with different constants. We don't provide them: you should construct them manually. Check out micro-starknet package for a proper example.
1import { poseidon } from '@noble/curves/abstract/poseidon'; 2 3type PoseidonOpts = { 4 Fp: Field<bigint>; 5 t: number; 6 roundsFull: number; 7 roundsPartial: number; 8 sboxPower?: number; 9 reversePartialPowIdx?: boolean; 10 mds: bigint[][]; 11 roundConstants: bigint[][]; 12}; 13const instance = poseidon(opts: PoseidonOpts);
1import * as mod from '@noble/curves/abstract/modular'; 2 3// Finite Field utils 4const fp = mod.Field(2n ** 255n - 19n); // Finite field over 2^255-19 5fp.mul(591n, 932n); // multiplication 6fp.pow(481n, 11024858120n); // exponentiation 7fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17) 8fp.inv(5n); // modular inverse 9fp.sqrt(21n); // square root 10 11// Non-Field generic utils are also available 12mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10 13mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse 14mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
Field operations are not constant-time: they are using JS bigints, see security.
The fact is mostly irrelevant, but the important method to keep in mind is pow
,
which may leak exponent bits, when used naïvely.
mod.Field
is always field over prime number. Non-prime fields aren't supported for now.
We don't test for prime-ness for speed and because algorithms are probabilistic anyway.
Initializing a non-prime field could make your app suspectible to
DoS (infilite loop) on Tonelli-Shanks square root calculation.
Unlike mod.inv
, mod.invertBatch
won't throw on 0
: make sure to throw an error yourself.
You can't simply make a 32-byte private key from a 32-byte hash. Doing so will make the key biased.
To make the bias negligible, we follow FIPS 186-5 A.2 and RFC 9380. This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
hashToPrivateScalar()
that hashes to private key was created for this purpose.
Use abstract/hash-to-curve
if you need to hash to public key.
1import { p256 } from '@noble/curves/p256'; 2import { sha256 } from '@noble/hashes/sha256'; 3import { hkdf } from '@noble/hashes/hkdf'; 4import * as mod from '@noble/curves/abstract/modular'; 5const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2) 6const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv 7const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
1import * as utils from '@noble/curves/abstract/utils'; 2 3utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 4utils.hexToBytes('deadbeef'); 5utils.numberToHexUnpadded(123n); 6utils.hexToNumber(); 7 8utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 9utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 10utils.numberToBytesBE(123n, 32); 11utils.numberToBytesLE(123n, 64); 12 13utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef])); 14utils.nLength(255n); 15utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
The library has been independently audited:
curve
, modular
, poseidon
, weierstrass
curve
, hash-to-curve
, modular
, poseidon
, utils
, weierstrass
and
top-level modules _shortw_utils
and secp256k1
It is tested against property-based, cross-library and Wycheproof vectors, and has fuzzing by Guido Vranken's cryptofuzz.
If you see anything unusual: investigate and report.
JIT-compiler and Garbage Collector make "constant time" extremely hard to achieve timing attack resistance in a scripting language. Which means any other JS library can't have constant-timeness. Even statically typed Rust, a language without GC, makes it harder to achieve constant-time for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
npm-diff
We're deferring to built-in crypto.getRandomValues which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again. Implementing a userspace CSPRNG to get resilient to the weakness is even worse: there is no reliable userspace source of quality entropy.
Benchmark results on Apple M2 with node v22:
secp256k1
init x 68 ops/sec @ 14ms/op
getPublicKey x 6,839 ops/sec @ 146μs/op
sign x 5,226 ops/sec @ 191μs/op
verify x 893 ops/sec @ 1ms/op
getSharedSecret x 538 ops/sec @ 1ms/op
recoverPublicKey x 923 ops/sec @ 1ms/op
schnorr.sign x 700 ops/sec @ 1ms/op
schnorr.verify x 919 ops/sec @ 1ms/op
ed25519
init x 51 ops/sec @ 19ms/op
getPublicKey x 9,809 ops/sec @ 101μs/op
sign x 4,976 ops/sec @ 200μs/op
verify x 1,018 ops/sec @ 981μs/op
ed448
init x 19 ops/sec @ 50ms/op
getPublicKey x 3,723 ops/sec @ 268μs/op
sign x 1,759 ops/sec @ 568μs/op
verify x 344 ops/sec @ 2ms/op
p256
init x 39 ops/sec @ 25ms/op
getPublicKey x 6,518 ops/sec @ 153μs/op
sign x 5,148 ops/sec @ 194μs/op
verify x 609 ops/sec @ 1ms/op
p384
init x 17 ops/sec @ 57ms/op
getPublicKey x 2,933 ops/sec @ 340μs/op
sign x 2,327 ops/sec @ 429μs/op
verify x 244 ops/sec @ 4ms/op
p521
init x 8 ops/sec @ 112ms/op
getPublicKey x 1,484 ops/sec @ 673μs/op
sign x 1,264 ops/sec @ 790μs/op
verify x 124 ops/sec @ 8ms/op
ristretto255
add x 680,735 ops/sec @ 1μs/op
multiply x 10,766 ops/sec @ 92μs/op
encode x 15,835 ops/sec @ 63μs/op
decode x 15,972 ops/sec @ 62μs/op
decaf448
add x 345,303 ops/sec @ 2μs/op
multiply x 300 ops/sec @ 3ms/op
encode x 5,987 ops/sec @ 167μs/op
decode x 5,892 ops/sec @ 169μs/op
ecdh
├─x25519 x 1,477 ops/sec @ 676μs/op
├─secp256k1 x 537 ops/sec @ 1ms/op
├─p256 x 512 ops/sec @ 1ms/op
├─p384 x 198 ops/sec @ 5ms/op
├─p521 x 99 ops/sec @ 10ms/op
└─x448 x 504 ops/sec @ 1ms/op
bls12-381
init x 36 ops/sec @ 27ms/op
getPublicKey x 960 ops/sec @ 1ms/op
sign x 60 ops/sec @ 16ms/op
verify x 47 ops/sec @ 21ms/op
pairing x 125 ops/sec @ 7ms/op
pairing10 x 40 ops/sec @ 24ms/op ± 23.27% (min: 21ms, max: 48ms)
MSM 4096 scalars x points x 0 ops/sec @ 4655ms/op
aggregatePublicKeys/8 x 129 ops/sec @ 7ms/op
aggregatePublicKeys/32 x 34 ops/sec @ 28ms/op
aggregatePublicKeys/128 x 8 ops/sec @ 113ms/op
aggregatePublicKeys/512 x 2 ops/sec @ 449ms/op
aggregatePublicKeys/2048 x 0 ops/sec @ 1792ms/op
aggregateSignatures/8 x 62 ops/sec @ 15ms/op
aggregateSignatures/32 x 16 ops/sec @ 60ms/op
aggregateSignatures/128 x 4 ops/sec @ 238ms/op
aggregateSignatures/512 x 1 ops/sec @ 946ms/op
aggregateSignatures/2048 x 0 ops/sec @ 3774ms/op
hash-to-curve
hash_to_field x 91,600 ops/sec @ 10μs/op
secp256k1 x 2,373 ops/sec @ 421μs/op
p256 x 4,310 ops/sec @ 231μs/op
p384 x 1,664 ops/sec @ 600μs/op
p521 x 807 ops/sec @ 1ms/op
ed25519 x 3,088 ops/sec @ 323μs/op
ed448 x 1,247 ops/sec @ 801μs/op
Previously, the library was split into single-feature packages noble-secp256k1, noble-ed25519 and noble-bls12-381.
Curves continue their original work. The single-feature packages changed their direction towards providing minimal 4kb implementations of cryptography, which means they have less features.
Upgrading from noble-secp256k1 2.0 or noble-ed25519 2.0: no changes, libraries are compatible.
Upgrading from noble-secp256k1 1.7:
getPublicKey
isCompressed
to false
: getPublicKey(priv, false)
sign
Signature
instance with { r, s, recovery }
propertiescanonical
option was renamed to lowS
recovered
option has been removed because recovery bit is always returned nowder
option has been removed. There are 2 options:
fromCompact
, toCompactRawBytes
, toCompactHex
.
Compact encoding is simply a concatenation of 32-byte r and 32-byte s.verify
strict
option was renamed to lowS
getSharedSecret
isCompressed
to false
: getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec)
was changed to sig.recoverPublicKey(msg)
number
type for private keys have been removed: use bigint
insteadPoint
(2d xy) has been changed to ProjectivePoint
(3d xyz)utils
were split into utils
(same api as in noble-curves) and
etc
(hmacSha256Sync
and others)Upgrading from @noble/ed25519 1.7:
bigint
is no longer allowed in getPublicKey
, sign
, verify
. Reason: ed25519 is LE, can lead to bugsPoint
(2d xy) has been changed to ExtendedPoint
(xyzt)Signature
was removed: just use raw bytes or hex nowutils
were split into utils
(same api as in noble-curves) and
etc
(sha512Sync
and others)getSharedSecret
was moved to x25519
moduletoX25519
has been moved to edwardsToMontgomeryPub
and edwardsToMontgomeryPriv
methodsUpgrading from @noble/bls12-381:
npm install
to install build dependencies like TypeScriptnpm run build
to compile TypeScript codenpm run test
will execute all main testsCheck out paulmillr.com/noble for useful resources, articles, documentation and demos related to the library.
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
See LICENSE file.
No vulnerabilities found.
No security vulnerabilities found.