Gathering detailed insights and metrics for @openpgp/noble-curves
Gathering detailed insights and metrics for @openpgp/noble-curves
Audited & minimal JS implementation of elliptic curve cryptography.
Installations
npm install @openpgp/noble-curvesDeveloper Guide
BETA
Typescript
No
Module System
ESM
Node Version
20.9.0
NPM Version
10.1.0
Score
76
Supply Chain
99
Quality
79
Maintenance
100
Vulnerability
100
License
Releases
Unable to fetch releases
Languages
2
JavaScript
TypeScript
JavaScript (52.13%)
TypeScript (47.87%)
Developer
Download Statistics
Total Downloads
3,368
Last Day
4
Last Week
11
Last Month
36
Last Year
564
GitHub Statistics
MIT License
434 Commits
1 Watchers
2 Branches
9 Contributors
Updated on Jun 26, 2024
Sponsor this package
Maintainers
3
Package Meta Information
Latest Version
1.3.0
Package Id
@openpgp/noble-curves@1.3.0
Unpacked Size
423.07 kB
Size
99.74 kB
File Count
57
NPM Version
10.1.0
Node Version
20.9.0
Published on
Feb 02, 2024
Total Downloads
Cumulative downloads
Total Downloads
3,368
Last Day
0%
4
Compared to previous day
Last Week
57.1%
11
Compared to previous week
Last Month
-47.8%
36
Compared to previous month
Last Year
-79.9%
564
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
noble-curves
This fork adds support for legacy browsers without BigInt (e.g. Safari 13 or less), and only includes hash algorithms needed by openpgpjs: Curve25519, Curve448, NIST curves and Secp256k1. It also adds some Brainpool curves.
We recommend you use the upstream repo. The rest of the README refers to the upstream library.
Audited & minimal JS implementation of elliptic curve cryptography.
- 🔒 Audited by independent security firms
- 🔻 Tree-shaking-friendly: use only what's necessary, other code won't be included
- 🏎 Ultra-fast, hand-optimized for caveats of JS engines
- 🔍 Unique tests ensure correctness: property-based, cross-library and Wycheproof vectors, fuzzing
- ➰ Short Weierstrass, Edwards, Montgomery curves
- ✍️ ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
- 🔖 SUF-CMA, SBS (non-repudiation), ZIP215 (consensus friendliness) features for ed25519
- #️⃣ hash-to-curve for encoding or hashing an arbitrary string to an elliptic curve point
- 🧜♂️ Poseidon ZK-friendly hash
This library belongs to noble crypto
noble-crypto — high-security, easily auditable set of contained cryptographic libraries and tools.
- Zero or minimal dependencies
- Highly readable TypeScript / JS code
- PGP-signed releases and transparent NPM builds
- All libraries: ciphers, curves, hashes
- Check out homepage for reading resources, documentation and apps built with noble
Usage
npm install @openpgp/noble-curves
We support all major platforms and runtimes. For Deno, ensure to use npm specifier. For React Native, you may need a polyfill for getRandomValues. A standalone file noble-curves.js is also available.
1// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size 2import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js 3// import { secp256k1 } from 'npm:@noble/curves@1.2.0/secp256k1'; // Deno
Implementations
Implementations use noble-hashes. If you want to use a different hashing library, abstract API doesn't depend on them.
ECDSA signature scheme
Generic example that works for all curves, shown for secp256k1:
1import { secp256k1 } from '@noble/curves/secp256k1'; 2const priv = secp256k1.utils.randomPrivateKey(); 3const pub = secp256k1.getPublicKey(priv); 4const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa 5const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available 6const isValid = secp256k1.verify(sig, msg, pub) === true; 7 8// hex strings are also supported besides Uint8Arrays: 9const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236'; 10const pub2 = secp256k1.getPublicKey(privHex);
ECDSA public key recovery & extra entropy
1// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex) 2// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format 3sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery 4 5// extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html 6const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
ECDH: Elliptic Curve Diffie-Hellman
1// 1. The output includes parity byte. Strip it using shared.slice(1) 2// 2. The output is not hashed. More secure way is sha256(shared) or hkdf(shared) 3const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey()); 4const shared = secp256k1.getSharedSecret(priv, someonesPub);
Schnorr signatures over secp256k1 (BIP340)
1import { schnorr } from '@noble/curves/secp256k1'; 2const priv = schnorr.utils.randomPrivateKey(); 3const pub = schnorr.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = schnorr.sign(msg, priv); 6const isValid = schnorr.verify(sig, msg, pub);
ed25519, X25519, ristretto255
1import { ed25519 } from '@noble/curves/ed25519'; 2const priv = ed25519.utils.randomPrivateKey(); 3const pub = ed25519.getPublicKey(priv); 4const msg = new TextEncoder().encode('hello'); 5const sig = ed25519.sign(msg, priv); 6ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215 7ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
Default verify behavior follows ZIP215 and
can be used in consensus-critical applications.
It has SUF-CMA (strong unforgeability under chosen message attacks).
zip215: false option switches verification criteria to strict
RFC8032 / FIPS 186-5
and additionally provides non-repudiation with SBS (Strongly Binding Signatures).
X25519 follows RFC7748.
1// Variants from RFC8032: with context, prehashed 2import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519'; 3 4// ECDH using curve25519 aka x25519 5import { x25519 } from '@noble/curves/ed25519'; 6const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4'; 7const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c'; 8x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases 9x25519.getPublicKey(priv) === x25519.scalarMultBase(priv); 10x25519.getPublicKey(x25519.utils.randomPrivateKey()); 11 12// ed25519 => x25519 conversion 13import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519'; 14edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey())); 15edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
ristretto255 follows irtf draft.
1// hash-to-curve, ristretto255
2import { utf8ToBytes } from '@noble/hashes/utils';
3import { sha512 } from '@noble/hashes/sha512';
4import {
5 hashToCurve,
6 encodeToCurve,
7 RistrettoPoint,
8 hashToRistretto255,
9} from '@noble/curves/ed25519';
10
11const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
12hashToCurve(msg);
13
14const rp = RistrettoPoint.fromHex(
15 '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
16);
17RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();
18RistrettoPoint.ZERO.equals(dp) === false;
19// pre-hashed hash-to-curve
20RistrettoPoint.hashToCurve(sha512(msg));
21// full hash-to-curve including domain separation tag
22hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });ed448, X448, decaf448
1import { ed448 } from '@noble/curves/ed448'; 2const priv = ed448.utils.randomPrivateKey(); 3const pub = ed448.getPublicKey(priv); 4const msg = new TextEncoder().encode('whatsup'); 5const sig = ed448.sign(msg, priv); 6ed448.verify(sig, msg, pub); 7 8// Variants from RFC8032: prehashed 9import { ed448ph } from '@noble/curves/ed448';
ECDH using Curve448 aka X448, follows RFC7748.
1import { x448 } from '@noble/curves/ed448';
2x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
3x448.getPublicKey(priv) === x448.scalarMultBase(priv);
4
5// ed448 => x448 conversion
6import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
7edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));decaf448 follows irtf draft.
1import { utf8ToBytes } from '@noble/hashes/utils';
2import { shake256 } from '@noble/hashes/sha3';
3import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
4
5const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
6hashToCurve(msg);
7
8const dp = DecafPoint.fromHex(
9 'c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75'
10);
11DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();
12DecafPoint.ZERO.equals(dp) === false;
13// pre-hashed hash-to-curve
14DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
15// full hash-to-curve including domain separation tag
16hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });Same RFC7748 / RFC8032 / IRTF draft are followed.
bls12-381
See abstract/bls.
All available imports
1import { secp256k1, schnorr } from '@noble/curves/secp256k1'; 2import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519'; 3import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448'; 4import { p256 } from '@noble/curves/p256'; 5import { p384 } from '@noble/curves/p384'; 6import { p521 } from '@noble/curves/p521'; 7import { pallas, vesta } from '@noble/curves/pasta'; 8import { bls12_381 } from '@noble/curves/bls12-381'; 9import { bn254 } from '@noble/curves/bn254'; // also known as alt_bn128 10import { jubjub } from '@noble/curves/jubjub'; 11import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
Accessing a curve's variables
1import { secp256k1 } from '@noble/curves/secp256k1'; 2// Every curve has `CURVE` object that contains its parameters, field, and others 3console.log(secp256k1.CURVE.p); // field modulus 4console.log(secp256k1.CURVE.n); // curve order 5console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params 6console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates
Abstract API
Abstract API allows to define custom curves. All arithmetics is done with JS
bigints over finite fields, which is defined from modular sub-module. For
scalar multiplication, we use
precomputed tables with w-ary non-adjacent form (wNAF).
Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
could precompute any other point (e.g. for ECDH) using utils.precompute()
method: check out examples.
weierstrass: Short Weierstrass curve
1import { weierstrass } from '@noble/curves/abstract/weierstrass'; 2import { Field } from '@noble/curves/abstract/modular'; // finite field for mod arithmetics 3import { sha256 } from '@openpgp/noble-hashes/sha256'; // 3rd-party sha256() of type utils.CHash 4import { hmac } from '@openpgp/noble-hashes/hmac'; // 3rd-party hmac() that will accept sha256() 5import { concatBytes, randomBytes } from '@openpgp/noble-hashes/utils'; // 3rd-party utilities 6const secq256k1 = weierstrass({ 7 // secq256k1: cycle of secp256k1 with Fp/N flipped. 8 // https://personaelabs.org/posts/spartan-ecdsa 9 // https://zcash.github.io/halo2/background/curves.html#cycles-of-curves 10 a: 0n, 11 b: 7n, 12 Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n), 13 n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n, 14 Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n, 15 Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n, 16 hash: sha256, 17 hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)), 18 randomBytes, 19}); 20 21// Replace weierstrass() with weierstrassPoints() if you don't need ECDSA, hash, hmac, randomBytes
Short Weierstrass curve's formula is y² = x³ + ax + b. weierstrass
expects arguments a, b, field Fp, curve order n, cofactor h
and coordinates Gx, Gy of generator point.
k generation is done deterministically, following
RFC6979. For this you will need
hmac & hash, which in our implementations is provided by noble-hashes. If
you're using different hashing library, make sure to wrap it in the following interface:
1type CHash = { 2 (message: Uint8Array): Uint8Array; 3 blockLen: number; 4 outputLen: number; 5 create(): any; 6}; 7 8// example 9function sha256(message: Uint8Array) { return _internal_lowlvl(message) } 10sha256.outputLen = 32; // 32 bytes of output for sha2-256
Message hash is expected instead of message itself:
sign(msgHash, privKey)is default behavior, assuming you pre-hash msg with sha2, or other hashsign(msg, privKey, {prehash: true})option can be used if you want to pass the message itself
Weierstrass points:
- Exported as
ProjectivePoint - Represented in projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
- Use complete exception-free formulas for addition and doubling
- Can be decoded/encoded from/to Uint8Array / hex strings using
ProjectivePoint.fromHexandProjectivePoint#toRawBytes() - Have
assertValidity()which checks for being on-curve - Have
toAffine()andx/ygetters which convert to 2d xy affine coordinates
1// `weierstrassPoints()` returns `CURVE` and `ProjectivePoint`
2// `weierstrass()` returns `CurveFn`
3type SignOpts = { lowS?: boolean; prehash?: boolean; extraEntropy: boolean | Uint8Array };
4type CurveFn = {
5 CURVE: ReturnType<typeof validateOpts>;
6 getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
7 getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
8 sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
9 verify: (
10 signature: Hex | SignatureType,
11 msgHash: Hex,
12 publicKey: Hex,
13 opts?: { lowS?: boolean; prehash?: boolean }
14 ) => boolean;
15 ProjectivePoint: ProjectivePointConstructor;
16 Signature: SignatureConstructor;
17 utils: {
18 normPrivateKeyToScalar: (key: PrivKey) => bigint;
19 isValidPrivateKey(key: PrivKey): boolean;
20 randomPrivateKey: () => Uint8Array;
21 precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
22 };
23};
24
25// T is usually bigint, but can be something else like complex numbers in BLS curves
26interface ProjPointType<T> extends Group<ProjPointType<T>> {
27 readonly px: T;
28 readonly py: T;
29 readonly pz: T;
30 get x(): bigint;
31 get y(): bigint;
32 multiply(scalar: bigint): ProjPointType<T>;
33 multiplyUnsafe(scalar: bigint): ProjPointType<T>;
34 multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
35 toAffine(iz?: T): AffinePoint<T>;
36 isTorsionFree(): boolean;
37 clearCofactor(): ProjPointType<T>;
38 assertValidity(): void;
39 hasEvenY(): boolean;
40 toRawBytes(isCompressed?: boolean): Uint8Array;
41 toHex(isCompressed?: boolean): string;
42}
43// Static methods for 3d XYZ points
44interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
45 new (x: T, y: T, z: T): ProjPointType<T>;
46 fromAffine(p: AffinePoint<T>): ProjPointType<T>;
47 fromHex(hex: Hex): ProjPointType<T>;
48 fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
49}ECDSA signatures are represented by Signature instances and can be
described by the interface:
1interface SignatureType { 2 readonly r: bigint; 3 readonly s: bigint; 4 readonly recovery?: number; 5 assertValidity(): void; 6 addRecoveryBit(recovery: number): SignatureType; 7 hasHighS(): boolean; 8 normalizeS(): SignatureType; 9 recoverPublicKey(msgHash: Hex): ProjPointType<bigint>; 10 toCompactRawBytes(): Uint8Array; 11 toCompactHex(): string; 12 // DER-encoded 13 toDERRawBytes(): Uint8Array; 14 toDERHex(): string; 15} 16type SignatureConstructor = { 17 new (r: bigint, s: bigint): SignatureType; 18 fromCompact(hex: Hex): SignatureType; 19 fromDER(hex: Hex): SignatureType; 20};
More examples:
1// All curves expose same generic interface. 2const priv = secq256k1.utils.randomPrivateKey(); 3secq256k1.getPublicKey(priv); // Convert private key to public. 4const sig = secq256k1.sign(msg, priv); // Sign msg with private key. 5const sig2 = secq256k1.sign(msg, priv, { prehash: true }); // hash(msg) 6secq256k1.verify(sig, msg, priv); // Verify if sig is correct. 7 8const Point = secq256k1.ProjectivePoint; 9const point = Point.BASE; // Elliptic curve Point class and BASE point static var. 10point.add(point).equals(point.double()); // add(), equals(), double() methods 11point.subtract(point).equals(Point.ZERO); // subtract() method, ZERO static var 12point.negate(); // Flips point over x/y coordinate. 13point.multiply(31415n); // Multiplication of Point by scalar. 14 15point.assertValidity(); // Checks for being on-curve 16point.toAffine(); // Converts to 2d affine xy coordinates 17 18secq256k1.CURVE.n; 19secq256k1.CURVE.p; 20secq256k1.CURVE.Fp.mod(); 21secq256k1.CURVE.hash(); 22 23// precomputes 24const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey)); 25fast.multiply(privKey); // much faster ECDH now
edwards: Twisted Edwards curve
1import { twistedEdwards } from '@noble/curves/abstract/edwards'; 2import { Field } from '@noble/curves/abstract/modular'; 3import { sha512 } from '@openpgp/noble-hashes/sha512'; 4import { randomBytes } from '@openpgp/noble-hashes/utils'; 5 6const Fp = Field(2n ** 255n - 19n); 7const ed25519 = twistedEdwards({ 8 a: Fp.create(-1n), 9 d: Fp.div(-121665n, 121666n), // -121665n/121666n mod p 10 Fp: Fp, 11 n: 2n ** 252n + 27742317777372353535851937790883648493n, 12 h: 8n, 13 Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n, 14 Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n, 15 hash: sha512, 16 randomBytes, 17 adjustScalarBytes(bytes) { 18 // optional; but mandatory in ed25519 19 bytes[0] &= 248; 20 bytes[31] &= 127; 21 bytes[31] |= 64; 22 return bytes; 23 }, 24} as const);
Twisted Edwards curve's formula is ax² + y² = 1 + dx²y². You must specify a, d, field Fp, order n, cofactor h
and coordinates Gx, Gy of generator point.
For EdDSA signatures, hash param required. adjustScalarBytes which instructs how to change private scalars could be specified.
Edwards points:
- Exported as
ExtendedPoint - Represented in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
- Use complete exception-free formulas for addition and doubling
- Can be decoded/encoded from/to Uint8Array / hex strings using
ExtendedPoint.fromHexandExtendedPoint#toRawBytes() - Have
assertValidity()which checks for being on-curve - Have
toAffine()andx/ygetters which convert to 2d xy affine coordinates - Have
isTorsionFree(),clearCofactor()andisSmallOrder()utilities to handle torsions
1// `twistedEdwards()` returns `CurveFn` of following type:
2type CurveFn = {
3 CURVE: ReturnType<typeof validateOpts>;
4 getPublicKey: (privateKey: Hex) => Uint8Array;
5 sign: (message: Hex, privateKey: Hex, context?: Hex) => Uint8Array;
6 verify: (sig: SigType, message: Hex, publicKey: Hex, context?: Hex) => boolean;
7 ExtendedPoint: ExtPointConstructor;
8 utils: {
9 randomPrivateKey: () => Uint8Array;
10 getExtendedPublicKey: (key: PrivKey) => {
11 head: Uint8Array;
12 prefix: Uint8Array;
13 scalar: bigint;
14 point: PointType;
15 pointBytes: Uint8Array;
16 };
17 };
18};
19
20interface ExtPointType extends Group<ExtPointType> {
21 readonly ex: bigint;
22 readonly ey: bigint;
23 readonly ez: bigint;
24 readonly et: bigint;
25 get x(): bigint;
26 get y(): bigint;
27 assertValidity(): void;
28 multiply(scalar: bigint): ExtPointType;
29 multiplyUnsafe(scalar: bigint): ExtPointType;
30 isSmallOrder(): boolean;
31 isTorsionFree(): boolean;
32 clearCofactor(): ExtPointType;
33 toAffine(iz?: bigint): AffinePoint<bigint>;
34 toRawBytes(isCompressed?: boolean): Uint8Array;
35 toHex(isCompressed?: boolean): string;
36}
37// Static methods of Extended Point with coordinates in X, Y, Z, T
38interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
39 new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
40 fromAffine(p: AffinePoint<bigint>): ExtPointType;
41 fromHex(hex: Hex): ExtPointType;
42 fromPrivateKey(privateKey: Hex): ExtPointType;
43}montgomery: Montgomery curve
1import { montgomery } from '@noble/curves/abstract/montgomery'; 2import { Field } from '@noble/curves/abstract/modular'; 3 4const x25519 = montgomery({ 5 a: 486662n, 6 Gu: 9n, 7 Fp: Field(2n ** 255n - 19n), 8 montgomeryBits: 255, 9 nByteLength: 32, 10 // Optional param 11 adjustScalarBytes(bytes) { 12 bytes[0] &= 248; 13 bytes[31] &= 127; 14 bytes[31] |= 64; 15 return bytes; 16 }, 17});
The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748. Proper Elliptic Curve Points are not implemented yet.
You must specify curve params Fp, a, Gu coordinate of u, montgomeryBits and nByteLength.
bls: Barreto-Lynn-Scott curves
The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction. They allow to construct zk-SNARKs and use aggregated, batch-verifiable threshold signatures, using Boneh-Lynn-Shacham signature scheme.
The module doesn't expose CURVE property: use G1.CURVE, G2.CURVE instead.
Only BLS12-381 is implemented currently.
Defining BLS12-377 and BLS24 should be straightforward.
Main methods and properties are:
getPublicKey(privateKey)sign(message, privateKey)verify(signature, message, publicKey)aggregatePublicKeys(publicKeys)aggregateSignatures(signatures)G1andG2curves containingCURVEandProjectivePointSignatureproperty withfromHex,toHexmethodsfieldscontainingFp,Fp2,Fp6,Fp12,Fr
The default BLS uses short public keys (with public keys in G1 and signatures in G2). Short signatures (public keys in G2 and signatures in G1) is also supported, using:
getPublicKeyForShortSignatures(privateKey)signShortSignature(message, privateKey)verifyShortSignature(signature, message, publicKey)aggregateShortSignatures(signatures)
1import { bls12_381 as bls } from '@noble/curves/bls12-381'; 2const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c'; 3const message = '64726e3da8'; 4const publicKey = bls.getPublicKey(privateKey); 5const signature = bls.sign(message, privateKey); 6const isValid = bls.verify(signature, message, publicKey); 7console.log({ publicKey, signature, isValid }); 8 9// Sign 1 msg with 3 keys 10const privateKeys = [ '18f020b98eb798752a50ed0563b079c125b0db5dd0b1060d1c1b47d4a193e1e4', 'ed69a8c50cf8c9836be3b67c7eeff416612d45ba39a5c099d48fa668bf558c9c', '16ae669f3be7a2121e17d0c68c05a8f3d6bef21ec0f2315f1d7aec12484e4cf5',]; 11const messages = ['d2', '0d98', '05caf3']; 12const publicKeys = privateKeys.map(bls.getPublicKey); 13const signatures2 = privateKeys.map((p) => bls.sign(message, p)); 14const aggPubKey2 = bls.aggregatePublicKeys(publicKeys); 15const aggSignature2 = bls.aggregateSignatures(signatures2); 16const isValid2 = bls.verify(aggSignature2, message, aggPubKey2); 17console.log({ signatures2, aggSignature2, isValid2 }); 18 19// Sign 3 msgs with 3 keys 20const signatures3 = privateKeys.map((p, i) => bls.sign(messages[i], p)); 21const aggSignature3 = bls.aggregateSignatures(signatures3); 22const isValid3 = bls.verifyBatch(aggSignature3, messages, publicKeys); 23console.log({ publicKeys, signatures3, aggSignature3, isValid3 }); 24 25// Pairings, with and without final exponentiation 26bls.pairing(PointG1, PointG2); 27bls.pairing(PointG1, PointG2, false); 28bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2)); 29 30// Others 31bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE 32bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr 33bls.params.x, bls.params.r, bls.params.G1b, bls.params.G2b 34 35// hash-to-curve examples can be seen below
hash-to-curve: Hashing strings to curve points
The module allows to hash arbitrary strings to elliptic curve points. Implements RFC 9380.
Every curve has exported hashToCurve and encodeToCurve methods. You should always prefer hashToCurve for security:
1import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1'; 2import { randomBytes } from '@openpgp/noble-hashes/utils'; 3hashToCurve('0102abcd'); 4console.log(hashToCurve(randomBytes())); 5console.log(encodeToCurve(randomBytes())); 6 7import { bls12_381 } from '@noble/curves/bls12-381'; 8bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' }); 9bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
Low-level methods from the spec:
1// produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
2function expand_message_xmd(
3 msg: Uint8Array,
4 DST: Uint8Array,
5 lenInBytes: number,
6 H: CHash // For CHash see abstract/weierstrass docs section
7): Uint8Array;
8// produces a uniformly random byte string using an extendable-output function (XOF) H.
9function expand_message_xof(
10 msg: Uint8Array,
11 DST: Uint8Array,
12 lenInBytes: number,
13 k: number,
14 H: CHash
15): Uint8Array;
16// Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
17function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
18
19/**
20 * * `DST` is a domain separation tag, defined in section 2.2.5
21 * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
22 * * `m` is extension degree (1 for prime fields)
23 * * `k` is the target security target in bits (e.g. 128), from section 5.1
24 * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
25 * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
26 */
27type UnicodeOrBytes = string | Uint8Array;
28type Opts = {
29 DST: UnicodeOrBytes;
30 p: bigint;
31 m: number;
32 k: number;
33 expand?: 'xmd' | 'xof';
34 hash: CHash;
35};poseidon: Poseidon hash
Implements Poseidon ZK-friendly hash.
There are many poseidon variants with different constants. We don't provide them: you should construct them manually. Check out micro-starknet package for a proper example.
1import { poseidon } from '@noble/curves/abstract/poseidon'; 2 3type PoseidonOpts = { 4 Fp: Field<bigint>; 5 t: number; 6 roundsFull: number; 7 roundsPartial: number; 8 sboxPower?: number; 9 reversePartialPowIdx?: boolean; 10 mds: bigint[][]; 11 roundConstants: bigint[][]; 12}; 13const instance = poseidon(opts: PoseidonOpts);
modular: Modular arithmetics utilities
1import * as mod from '@noble/curves/abstract/modular'; 2const fp = mod.Field(2n ** 255n - 19n); // Finite field over 2^255-19 3fp.mul(591n, 932n); // multiplication 4fp.pow(481n, 11024858120n); // exponentiation 5fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17) 6fp.sqrt(21n); // square root 7 8// Generic non-FP utils are also available 9mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10 10mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse 11mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
Field operations are not constant-time: they are using JS bigints, see security.
The fact is mostly irrelevant, but the important method to keep in mind is pow,
which may leak exponent bits, when used naïvely.
mod.Field is always field over prime. Non-prime fields aren't supported for now.
We don't test for prime-ness for speed and because algorithms are probabilistic anyway.
Initializing a non-prime field could make your app suspectible to
DoS (infilite loop) on Tonelli-Shanks square root calculation.
Unlike mod.invert, mod.invertBatch won't throw on 0: make sure to throw an error yourself.
Creating private keys from hashes
You can't simply make a 32-byte private key from a 32-byte hash. Doing so will make the key biased.
To make the bias negligible, we follow FIPS 186-5 A.2 and RFC 9380. This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
hashToPrivateScalar() that hashes to private key was created for this purpose.
Use abstract/hash-to-curve
if you need to hash to public key.
1import { p256 } from '@noble/curves/p256'; 2import { sha256 } from '@noble/hashes/sha256'; 3import { hkdf } from '@noble/hashes/hkdf'; 4const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2) 5const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv 6const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
utils: Useful utilities
1import * as utils from '@noble/curves/abstract/utils'; 2 3utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 4utils.hexToBytes('deadbeef'); 5utils.numberToHexUnpadded(123n); 6utils.hexToNumber(); 7 8utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 9utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef])); 10utils.numberToBytesBE(123n, 32); 11utils.numberToBytesLE(123n, 64); 12 13utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef])); 14utils.nLength(255n); 15utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
Security
The library has been independently audited:
- at version 1.2.0, in Sep 2023, by Kudelski Security
- PDFs: offline
- Changes since audit
- Scope: scure-starknet and its related
abstract modules of noble-curves:
curve,modular,poseidon,weierstrass - The audit has been funded by Starkware
- at version 0.7.3, in Feb 2023, by Trail of Bits
- PDFs: online, offline
- Changes since audit
- Scope: abstract modules
curve,hash-to-curve,modular,poseidon,utils,weierstrassand top-level modules_shortw_utilsandsecp256k1 - The audit has been funded by Ryan Shea
It is tested against property-based, cross-library and Wycheproof vectors, and has fuzzing by Guido Vranken's cryptofuzz.
If you see anything unusual: investigate and report.
Constant-timeness
JIT-compiler and Garbage Collector make "constant time" extremely hard to achieve timing attack resistance in a scripting language. Which means any other JS library can't have constant-timeness. Even statically typed Rust, a language without GC, makes it harder to achieve constant-time for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
Supply chain security
- Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
- Releases are transparent and built on GitHub CI. Make sure to verify provenance logs
- Rare releasing is followed to ensure less re-audit need for end-users
- Dependencies are minimized and locked-down:
- If your app has 500 dependencies, any dep could get hacked and you'll be downloading malware with every install. We make sure to use as few dependencies as possible
- We prevent automatic dependency updates by locking-down version ranges. Every update is checked with
npm-diff - One dependency noble-hashes is used, by the same author, to provide hashing functionality
- Dev Dependencies are only used if you want to contribute to the repo. They are disabled for end-users:
- scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
- prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
Randomness
We're deferring to built-in crypto.getRandomValues which is considered cryptographically secure (CSPRNG).
In the past, browsers had bugs that made it weak: it may happen again. Implementing a userspace CSPRNG to get resilient to the weakness is even worse: there is no reliable userspace source of quality entropy.
Speed
Benchmark results on Apple M2 with node v20:
secp256k1
init x 68 ops/sec @ 14ms/op
getPublicKey x 6,750 ops/sec @ 148μs/op
sign x 5,206 ops/sec @ 192μs/op
verify x 880 ops/sec @ 1ms/op
getSharedSecret x 536 ops/sec @ 1ms/op
recoverPublicKey x 852 ops/sec @ 1ms/op
schnorr.sign x 685 ops/sec @ 1ms/op
schnorr.verify x 908 ops/sec @ 1ms/op
p256
init x 38 ops/sec @ 26ms/op
getPublicKey x 6,530 ops/sec @ 153μs/op
sign x 5,074 ops/sec @ 197μs/op
verify x 626 ops/sec @ 1ms/op
p384
init x 17 ops/sec @ 57ms/op
getPublicKey x 2,883 ops/sec @ 346μs/op
sign x 2,358 ops/sec @ 424μs/op
verify x 245 ops/sec @ 4ms/op
p521
init x 9 ops/sec @ 109ms/op
getPublicKey x 1,516 ops/sec @ 659μs/op
sign x 1,271 ops/sec @ 786μs/op
verify x 123 ops/sec @ 8ms/op
ed25519
init x 54 ops/sec @ 18ms/op
getPublicKey x 10,269 ops/sec @ 97μs/op
sign x 5,110 ops/sec @ 195μs/op
verify x 1,049 ops/sec @ 952μs/op
ed448
init x 19 ops/sec @ 51ms/op
getPublicKey x 3,775 ops/sec @ 264μs/op
sign x 1,771 ops/sec @ 564μs/op
verify x 351 ops/sec @ 2ms/op
ecdh
├─x25519 x 1,466 ops/sec @ 682μs/op
├─secp256k1 x 539 ops/sec @ 1ms/op
├─p256 x 511 ops/sec @ 1ms/op
├─p384 x 199 ops/sec @ 5ms/op
├─p521 x 103 ops/sec @ 9ms/op
└─x448 x 548 ops/sec @ 1ms/op
bls12-381
init x 36 ops/sec @ 27ms/op
getPublicKey 1-bit x 973 ops/sec @ 1ms/op
getPublicKey x 970 ops/sec @ 1ms/op
sign x 55 ops/sec @ 17ms/op
verify x 39 ops/sec @ 25ms/op
pairing x 106 ops/sec @ 9ms/op
aggregatePublicKeys/8 x 129 ops/sec @ 7ms/op
aggregatePublicKeys/32 x 34 ops/sec @ 28ms/op
aggregatePublicKeys/128 x 8 ops/sec @ 112ms/op
aggregatePublicKeys/512 x 2 ops/sec @ 446ms/op
aggregatePublicKeys/2048 x 0 ops/sec @ 1778ms/op
aggregateSignatures/8 x 50 ops/sec @ 19ms/op
aggregateSignatures/32 x 13 ops/sec @ 74ms/op
aggregateSignatures/128 x 3 ops/sec @ 296ms/op
aggregateSignatures/512 x 0 ops/sec @ 1180ms/op
aggregateSignatures/2048 x 0 ops/sec @ 4715ms/op
hash-to-curve
hash_to_field x 91,600 ops/sec @ 10μs/op
secp256k1 x 2,373 ops/sec @ 421μs/op
p256 x 4,310 ops/sec @ 231μs/op
p384 x 1,664 ops/sec @ 600μs/op
p521 x 807 ops/sec @ 1ms/op
ed25519 x 3,088 ops/sec @ 323μs/op
ed448 x 1,247 ops/sec @ 801μs/op
Upgrading
Previously, the library was split into single-feature packages noble-secp256k1, noble-ed25519 and noble-bls12-381.
Curves continue their original work. The single-feature packages changed their direction towards providing minimal 4kb implementations of cryptography, which means they have less features.
Upgrading from noble-secp256k1 2.0 or noble-ed25519 2.0: no changes, libraries are compatible.
Upgrading from noble-secp256k1 1.7:
getPublicKey- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set
argument
isCompressedtofalse:getPublicKey(priv, false)
sign- is now sync
- now returns
Signatureinstance with{ r, s, recovery }properties canonicaloption was renamed tolowSrecoveredoption has been removed because recovery bit is always returned nowderoption has been removed. There are 2 options:- Use compact encoding:
fromCompact,toCompactRawBytes,toCompactHex. Compact encoding is simply a concatenation of 32-byte r and 32-byte s. - If you must use DER encoding, switch to noble-curves (see above).
- Use compact encoding:
verify- is now sync
strictoption was renamed tolowS
getSharedSecret- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set
argument
isCompressedtofalse:getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec)was changed tosig.recoverPublicKey(msg)numbertype for private keys have been removed: usebigintinsteadPoint(2d xy) has been changed toProjectivePoint(3d xyz)utilswere split intoutils(same api as in noble-curves) andetc(hmacSha256Syncand others)
Upgrading from @noble/ed25519 1.7:
- Methods are now sync by default
bigintis no longer allowed ingetPublicKey,sign,verify. Reason: ed25519 is LE, can lead to bugsPoint(2d xy) has been changed toExtendedPoint(xyzt)Signaturewas removed: just use raw bytes or hex nowutilswere split intoutils(same api as in noble-curves) andetc(sha512Syncand others)getSharedSecretwas moved tox25519moduletoX25519has been moved toedwardsToMontgomeryPubandedwardsToMontgomeryPrivmethods
Upgrading from @noble/bls12-381:
- Methods and classes were renamed:
- PointG1 -> G1.Point, PointG2 -> G2.Point
- PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
- Fp2 ORDER was corrected
Contributing & testing
- Clone the repository
npm installto install build dependencies like TypeScriptnpm run buildto compile TypeScript codenpm run testwill execute all main tests
Resources
Check out paulmillr.com/noble for useful resources, articles, documentation and demos related to the library.
License
The MIT License (MIT)
Copyright (c) 2022 Paul Miller (https://paulmillr.com)
See LICENSE file.
No vulnerabilities found.
No security vulnerabilities found.