/*! * hip2-server@1.0.0 * Copyright (c) 2022, Matthew Zipkin (MIT) * https://github.com/pinheadmz/hip2-server#readme */ var __node_modules__ = [ [/* 0 */ 'hip2-server', '/src/derive.js', function(exports, module, __filename, __dirname, __meta) { 'use strict'; const HDPublicKey = __node_require__(1 /* 'hsd/lib/hd/public' */); const Address = __node_require__(55 /* 'hsd/lib/primitives/address' */); const fs = require('fs'); const path = require('path'); const http = require('http'); const MAX_INDEX = 0x7fffffff; if (process.argv.length < 3) throw new Error('Usage: node build/hip2-server.js '); const port = process.argv[2]; const xpubFile = path.join(__dirname, '..', 'conf', 'xpub'); let xpub; try { xpub = fs.readFileSync(xpubFile, 'ascii'); } catch (e) { throw new Error('xpub file missing'); } xpub = xpub.split('\n')[0]; if (xpub === 'xpub6DBMpym6PM3qe7Ug7BwG6zo7dinMMjpk8nmb73czsjkzPTzfQ1d5ZvqDea4uNmMVv1Y9DT6v17GuDL1x2km9FQuKqWMdnrDfRiDNrG1nTMr') throw new Error('Example xpub must not be used! Repalce with your own account xpub.'); const acct = HDPublicKey.fromBase58(xpub); // For some reason when bpkg'ed with -browser modules, we need to call // this once as a throwaway before actually using it. // The first function call FAILS because entropy can not be found to // "pregenerate a random blinding value" as part of the ECDSA precomputation. // For whatever reason, the function call succeeds from here on. // This is either a bug in bcrypto or bpkg, exposing an inconguity // with the -browser module. // See https://github.com/handshake-org/hsd/issues/700 acct.derive(0); const recv = acct.derive(0); function addr() { const indexFile = path.join(__dirname, '..', 'log', 'hip2-index'); let index = 0; try { index = parseInt(fs.readFileSync(indexFile, 'utf-8')); } catch (e) { ; } fs.writeFileSync(indexFile, String(index + 1), 'utf-8'); // Wow, used all our non-hardened addresses! // Don't roll over the saved index (that way the user knows this has happened) // but start over the address space and reuse addresses starting again at 0. if (index >= MAX_INDEX) index -= MAX_INDEX; const pk = recv.derive(index); const addr = Address.fromPubkey(pk.publicKey).toString(); return addr; } const requestListener = function (req, res) { res.writeHead(200); res.end(addr()); }; const server = http.createServer(requestListener); server.listen({port}); }], [/* 1 */ 'hsd', '/lib/hd/public.js', function(exports, module, __filename, __dirname, __meta) { /*! * public.js - hd public keys for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); const bio = __node_require__(3 /* 'bufio' */); const base58 = __node_require__(12 /* 'bcrypto/lib/encoding/base58' */); const sha512 = __node_require__(15 /* 'bcrypto/lib/sha512' */); const hash160 = __node_require__(18 /* 'bcrypto/lib/hash160' */); const hash256 = __node_require__(22 /* 'bcrypto/lib/hash256' */); const cleanse = __node_require__(24 /* 'bcrypto/lib/cleanse' */); const secp256k1 = __node_require__(28 /* 'bcrypto/lib/secp256k1' */); const Network = __node_require__(44 /* '../protocol/network' */); const consensus = __node_require__(51 /* '../protocol/consensus' */); const common = __node_require__(52 /* './common' */); /** * HDPublicKey * @alias module:hd.PublicKey * @property {Number} depth * @property {Number} parentFingerPrint * @property {Number} childIndex * @property {Buffer} chainCode * @property {Buffer} publicKey */ class HDPublicKey extends bio.Struct { /** * Create an HD public key. * @constructor * @param {Object|Base58String} options * @param {Base58String?} options.xkey - Serialized base58 key. * @param {Number?} options.depth * @param {Number?} options.parentFingerPrint * @param {Number?} options.childIndex * @param {Buffer?} options.chainCode * @param {Buffer?} options.publicKey */ constructor(options) { super(); this.depth = 0; this.parentFingerPrint = 0; this.childIndex = 0; this.chainCode = consensus.ZERO_HASH; this.publicKey = common.ZERO_KEY; this.fingerPrint = -1; if (options) this.fromOptions(options); } /** * Inject properties from options object. * @private * @param {Object} options */ fromOptions(options) { assert(options, 'No options for HDPublicKey'); assert((options.depth & 0xff) === options.depth); assert((options.parentFingerPrint >>> 0) === options.parentFingerPrint); assert((options.childIndex >>> 0) === options.childIndex); assert(Buffer.isBuffer(options.chainCode)); assert(Buffer.isBuffer(options.publicKey)); this.depth = options.depth; this.parentFingerPrint = options.parentFingerPrint; this.childIndex = options.childIndex; this.chainCode = options.chainCode; this.publicKey = options.publicKey; return this; } /** * Get HD public key (self). * @returns {HDPublicKey} */ toPublic() { return this; } /** * Get cached base58 xprivkey (always null here). * @returns {null} */ xprivkey(network) { return null; } /** * Get cached base58 xpubkey. * @returns {Base58String} */ xpubkey(network) { return this.toBase58(network); } /** * Destroy the key (zeroes chain code and pubkey). */ destroy() { this.depth = 0; this.childIndex = 0; this.parentFingerPrint = 0; cleanse(this.chainCode); cleanse(this.publicKey); this.fingerPrint = -1; } /** * Derive a child key. * @param {Number} index - Derivation index. * @param {Boolean?} hardened - Whether the derivation * should be hardened (throws if true). * @returns {HDPrivateKey} * @throws on `hardened` */ derive(index, hardened) { assert(typeof index === 'number'); if ((index >>> 0) !== index) throw new Error('Index out of range.'); if ((index & common.HARDENED) || hardened) throw new Error('Cannot derive hardened.'); if (this.depth >= 0xff) throw new Error('Depth too high.'); const id = this.getID(index); const cache = common.cache.get(id); if (cache) return cache; const bw = bio.pool(37); bw.writeBytes(this.publicKey); bw.writeU32BE(index); const data = bw.render(); const hash = sha512.mac(data, this.chainCode); const left = hash.slice(0, 32); const right = hash.slice(32, 64); let key; try { key = secp256k1.publicKeyTweakAdd(this.publicKey, left, true); } catch (e) { return this.derive(index + 1); } if (this.fingerPrint === -1) { const fp = hash160.digest(this.publicKey); this.fingerPrint = fp.readUInt32BE(0, true); } const child = new this.constructor(); child.depth = this.depth + 1; child.parentFingerPrint = this.fingerPrint; child.childIndex = index; child.chainCode = right; child.publicKey = key; common.cache.set(id, child); return child; } /** * Unique HD key ID. * @private * @param {Number} index * @returns {String} */ getID(index) { return 'b' + this.publicKey.toString('hex') + index; } /** * Derive a BIP44 account key (does not derive, only ensures account key). * @method * @param {Number} purpose * @param {Number} type * @param {Number} account * @returns {HDPublicKey} * @throws Error if key is not already an account key. */ deriveAccount(purpose, type, account) { assert((purpose >>> 0) === purpose); assert((type >>> 0) === type); assert((account >>> 0) === account); assert(this.isAccount(account), 'Cannot derive account index.'); return this; } /** * Test whether the key is a master key. * @method * @returns {Boolean} */ isMaster() { return common.isMaster(this); } /** * Test whether the key is (most likely) a BIP44 account key. * @method * @param {Number?} account * @returns {Boolean} */ isAccount(account) { return common.isAccount(this, account); } /** * Test whether a string is a valid path. * @param {String} path * @param {Boolean?} hardened * @returns {Boolean} */ static isValidPath(path) { try { common.parsePath(path, false); return true; } catch (e) { return false; } } /** * Derive a key from a derivation path. * @param {String} path * @returns {HDPublicKey} * @throws Error if `path` is not a valid path. * @throws Error if hardened. */ derivePath(path) { const indexes = common.parsePath(path, false); let key = this; for (const index of indexes) key = key.derive(index); return key; } /** * Compare a key against an object. * @param {Object} obj * @returns {Boolean} */ equals(obj) { assert(HDPublicKey.isHDPublicKey(obj)); return this.depth === obj.depth && this.parentFingerPrint === obj.parentFingerPrint && this.childIndex === obj.childIndex && this.chainCode.equals(obj.chainCode) && this.publicKey.equals(obj.publicKey); } /** * Compare a key against an object. * @param {Object} obj * @returns {Boolean} */ compare(key) { assert(HDPublicKey.isHDPublicKey(key)); let cmp = this.depth - key.depth; if (cmp !== 0) return cmp; cmp = this.parentFingerPrint - key.parentFingerPrint; if (cmp !== 0) return cmp; cmp = this.childIndex - key.childIndex; if (cmp !== 0) return cmp; cmp = this.chainCode.compare(key.chainCode); if (cmp !== 0) return cmp; cmp = this.publicKey.compare(key.publicKey); if (cmp !== 0) return cmp; return 0; } /** * Convert key to a more json-friendly object. * @returns {Object} */ getJSON(network) { return { xpubkey: this.xpubkey(network) }; } /** * Inject properties from json object. * @private * @param {Object} json * @param {Network?} network */ fromJSON(json, network) { assert(json.xpubkey, 'Could not handle HD key JSON.'); this.fromBase58(json.xpubkey, network); return this; } /** * Test whether an object is in the form of a base58 xpubkey. * @param {String} data * @param {(Network|NetworkType)?} network * @returns {Boolean} */ static isBase58(data, network) { if (typeof data !== 'string') return false; if (data.length < 4) return false; const prefix = data.substring(0, 4); try { Network.fromPublic58(prefix, network); return true; } catch (e) { return false; } } /** * Test whether a buffer has a valid network prefix. * @param {Buffer} data * @param {(Network|NetworkType)?} network * @returns {NetworkType} */ static isRaw(data, network) { if (!Buffer.isBuffer(data)) return false; if (data.length < 4) return false; const version = data.readUInt32BE(0, true); try { Network.fromPublic(version, network); return true; } catch (e) { return false; } } /** * Inject properties from a base58 key. * @private * @param {Base58String} xkey * @param {Network?} network */ fromBase58(xkey, network) { assert(typeof xkey === 'string'); return this.decode(base58.decode(xkey), network); } /** * Inject properties from serialized data. * @private * @param {BufferReader} br * @param {(Network|NetworkType)?} network */ read(br, network) { const version = br.readU32BE(); Network.fromPublic(version, network); this.depth = br.readU8(); this.parentFingerPrint = br.readU32BE(); this.childIndex = br.readU32BE(); this.chainCode = br.readBytes(32); this.publicKey = br.readBytes(33); br.verifyChecksum(hash256.digest); return this; } /** * Serialize key data to base58 extended key. * @param {(Network|NetworkType)?} network * @returns {Base58String} */ toBase58(network) { return base58.encode(this.encode(network)); } /** * Write the key to a buffer writer. * @param {BufferWriter} bw * @param {(Network|NetworkType)?} network */ write(bw, network) { network = Network.get(network); bw.writeU32BE(network.keyPrefix.xpubkey); bw.writeU8(this.depth); bw.writeU32BE(this.parentFingerPrint); bw.writeU32BE(this.childIndex); bw.writeBytes(this.chainCode); bw.writeBytes(this.publicKey); bw.writeChecksum(hash256.digest); return bw; } /** * Calculate serialization size. * @returns {Number} */ getSize() { return 82; } /** * Instantiate an HD public key from a base58 string. * @param {Base58String} xkey * @param {Network?} network * @returns {HDPublicKey} */ static fromBase58(xkey, network) { return new this().fromBase58(xkey, network); } /** * Test whether an object is a HDPublicKey. * @param {Object} obj * @returns {Boolean} */ static isHDPublicKey(obj) { return obj instanceof HDPublicKey; } } /* * Expose */ module.exports = HDPublicKey; }], [/* 2 */ 'bsert', '/lib/assert.js', function(exports, module, __filename, __dirname, __meta) { /*! * assert.js - assertions for javascript * Copyright (c) 2018, Christopher Jeffrey (MIT License). * https://github.com/chjj/bsert */ 'use strict'; /** * AssertionError */ class AssertionError extends Error { constructor(options) { if (typeof options === 'string') options = { message: options }; if (options === null || typeof options !== 'object') options = {}; let message = null; let operator = 'fail'; let generatedMessage = Boolean(options.generatedMessage); if (options.message != null) message = toString(options.message); if (typeof options.operator === 'string') operator = options.operator; if (message == null) { if (operator === 'fail') { message = 'Assertion failed.'; } else { const a = stringify(options.actual); const b = stringify(options.expected); message = `${a} ${operator} ${b}`; } generatedMessage = true; } super(message); let start = this.constructor; if (typeof options.stackStartFunction === 'function') start = options.stackStartFunction; else if (typeof options.stackStartFn === 'function') start = options.stackStartFn; this.type = 'AssertionError'; this.name = 'AssertionError [ERR_ASSERTION]'; this.code = 'ERR_ASSERTION'; this.generatedMessage = generatedMessage; this.actual = options.actual; this.expected = options.expected; this.operator = operator; if (Error.captureStackTrace) Error.captureStackTrace(this, start); } } /* * Assert */ function assert(value, message) { if (!value) { let generatedMessage = false; if (arguments.length === 0) { message = 'No value argument passed to `assert()`.'; generatedMessage = true; } else if (message == null) { message = 'Assertion failed.'; generatedMessage = true; } else if (isError(message)) { throw message; } throw new AssertionError({ message, actual: value, expected: true, operator: '==', generatedMessage, stackStartFn: assert }); } } function equal(actual, expected, message) { if (!Object.is(actual, expected)) { if (isError(message)) throw message; throw new AssertionError({ message, actual, expected, operator: 'strictEqual', stackStartFn: equal }); } } function notEqual(actual, expected, message) { if (Object.is(actual, expected)) { if (isError(message)) throw message; throw new AssertionError({ message, actual, expected, operator: 'notStrictEqual', stackStartFn: notEqual }); } } function fail(message) { let generatedMessage = false; if (isError(message)) throw message; if (message == null) { message = 'Assertion failed.'; generatedMessage = true; } throw new AssertionError({ message, actual: false, expected: true, operator: 'fail', generatedMessage, stackStartFn: fail }); } function throws(func, expected, message) { if (typeof expected === 'string') { message = expected; expected = undefined; } let thrown = false; let err = null; enforce(typeof func === 'function', 'func', 'function'); try { func(); } catch (e) { thrown = true; err = e; } if (!thrown) { let generatedMessage = false; if (message == null) { message = 'Missing expected exception.'; generatedMessage = true; } throw new AssertionError({ message, actual: undefined, expected, operator: 'throws', generatedMessage, stackStartFn: throws }); } if (!testError(err, expected, message, throws)) throw err; } function doesNotThrow(func, expected, message) { if (typeof expected === 'string') { message = expected; expected = undefined; } let thrown = false; let err = null; enforce(typeof func === 'function', 'func', 'function'); try { func(); } catch (e) { thrown = true; err = e; } if (!thrown) return; if (testError(err, expected, message, doesNotThrow)) { let generatedMessage = false; if (message == null) { message = 'Got unwanted exception.'; generatedMessage = true; } throw new AssertionError({ message, actual: err, expected, operator: 'doesNotThrow', generatedMessage, stackStartFn: doesNotThrow }); } throw err; } async function rejects(func, expected, message) { if (typeof expected === 'string') { message = expected; expected = undefined; } let thrown = false; let err = null; if (typeof func !== 'function') enforce(isPromise(func), 'func', 'promise'); try { if (isPromise(func)) await func; else await func(); } catch (e) { thrown = true; err = e; } if (!thrown) { let generatedMessage = false; if (message == null) { message = 'Missing expected rejection.'; generatedMessage = true; } throw new AssertionError({ message, actual: undefined, expected, operator: 'rejects', generatedMessage, stackStartFn: rejects }); } if (!testError(err, expected, message, rejects)) throw err; } async function doesNotReject(func, expected, message) { if (typeof expected === 'string') { message = expected; expected = undefined; } let thrown = false; let err = null; if (typeof func !== 'function') enforce(isPromise(func), 'func', 'promise'); try { if (isPromise(func)) await func; else await func(); } catch (e) { thrown = true; err = e; } if (!thrown) return; if (testError(err, expected, message, doesNotReject)) { let generatedMessage = false; if (message == null) { message = 'Got unwanted rejection.'; generatedMessage = true; } throw new AssertionError({ message, actual: undefined, expected, operator: 'doesNotReject', generatedMessage, stackStartFn: doesNotReject }); } throw err; } function ifError(err) { if (err != null) { let message = 'ifError got unwanted exception: '; if (typeof err === 'object' && typeof err.message === 'string') { if (err.message.length === 0 && err.constructor) message += err.constructor.name; else message += err.message; } else { message += stringify(err); } throw new AssertionError({ message, actual: err, expected: null, operator: 'ifError', generatedMessage: true, stackStartFn: ifError }); } } function deepEqual(actual, expected, message) { if (!isDeepEqual(actual, expected, false)) { if (isError(message)) throw message; throw new AssertionError({ message, actual, expected, operator: 'deepStrictEqual', stackStartFn: deepEqual }); } } function notDeepEqual(actual, expected, message) { if (isDeepEqual(actual, expected, true)) { if (isError(message)) throw message; throw new AssertionError({ message, actual, expected, operator: 'notDeepStrictEqual', stackStartFn: notDeepEqual }); } } function bufferEqual(actual, expected, enc, message) { if (!isEncoding(enc)) { message = enc; enc = null; } if (enc == null) enc = 'hex'; expected = bufferize(actual, expected, enc); enforce(isBuffer(actual), 'actual', 'buffer'); enforce(isBuffer(expected), 'expected', 'buffer'); if (actual !== expected && !actual.equals(expected)) { if (isError(message)) throw message; throw new AssertionError({ message, actual: actual.toString(enc), expected: expected.toString(enc), operator: 'bufferEqual', stackStartFn: bufferEqual }); } } function notBufferEqual(actual, expected, enc, message) { if (!isEncoding(enc)) { message = enc; enc = null; } if (enc == null) enc = 'hex'; expected = bufferize(actual, expected, enc); enforce(isBuffer(actual), 'actual', 'buffer'); enforce(isBuffer(expected), 'expected', 'buffer'); if (actual === expected || actual.equals(expected)) { if (isError(message)) throw message; throw new AssertionError({ message, actual: actual.toString(enc), expected: expected.toString(enc), operator: 'notBufferEqual', stackStartFn: notBufferEqual }); } } function enforce(value, name, type) { if (!value) { let msg; if (name == null) { msg = 'Invalid type for parameter.'; } else { if (type == null) msg = `Invalid type for "${name}".`; else msg = `"${name}" must be a(n) ${type}.`; } const err = new TypeError(msg); if (Error.captureStackTrace) Error.captureStackTrace(err, enforce); throw err; } } function range(value, name) { if (!value) { const msg = name != null ? `"${name}" is out of range.` : 'Parameter is out of range.'; const err = new RangeError(msg); if (Error.captureStackTrace) Error.captureStackTrace(err, range); throw err; } } /* * Stringification */ function stringify(value) { switch (typeof value) { case 'undefined': return 'undefined'; case 'object': if (value === null) return 'null'; return `[${objectName(value)}]`; case 'boolean': return `${value}`; case 'number': return `${value}`; case 'string': if (value.length > 80) value = `${value.substring(0, 77)}...`; return JSON.stringify(value); case 'symbol': return tryString(value); case 'function': return `[${funcName(value)}]`; case 'bigint': return `${value}n`; default: return `[${typeof value}]`; } } function toString(value) { if (typeof value === 'string') return value; if (isError(value)) return tryString(value); return stringify(value); } function tryString(value) { try { return String(value); } catch (e) { return 'Object'; } } /* * Error Testing */ function testError(err, expected, message, func) { if (expected == null) return true; if (isRegExp(expected)) return expected.test(err); if (typeof expected !== 'function') { if (func === doesNotThrow || func === doesNotReject) throw new TypeError('"expected" must not be an object.'); if (typeof expected !== 'object') throw new TypeError('"expected" must be an object.'); let generatedMessage = false; if (message == null) { const name = func === rejects ? 'rejection' : 'exception'; message = `Missing expected ${name}.`; generatedMessage = true; } if (err == null || typeof err !== 'object') { throw new AssertionError({ actual: err, expected, message, operator: func.name, generatedMessage, stackStartFn: func }); } const keys = Object.keys(expected); if (isError(expected)) keys.push('name', 'message'); if (keys.length === 0) throw new TypeError('"expected" may not be an empty object.'); for (const key of keys) { const expect = expected[key]; const value = err[key]; if (typeof value === 'string' && isRegExp(expect) && expect.test(value)) { continue; } if ((key in err) && isDeepEqual(value, expect, false)) continue; throw new AssertionError({ actual: err, expected: expected, message, operator: func.name, generatedMessage, stackStartFn: func }); } return true; } if (expected.prototype !== undefined && (err instanceof expected)) return true; if (Error.isPrototypeOf(expected)) return false; return expected.call({}, err) === true; } /* * Comparisons */ function isDeepEqual(x, y, fail) { try { return compare(x, y, null); } catch (e) { return fail; } } function compare(a, b, cache) { // Primitives. if (Object.is(a, b)) return true; if (!isObject(a) || !isObject(b)) return false; // Semi-primitives. if (objectString(a) !== objectString(b)) return false; if (Object.getPrototypeOf(a) !== Object.getPrototypeOf(b)) return false; if (isBuffer(a) && isBuffer(b)) return a.equals(b); if (isDate(a)) return Object.is(a.getTime(), b.getTime()); if (isRegExp(a)) { return a.source === b.source && a.global === b.global && a.multiline === b.multiline && a.lastIndex === b.lastIndex && a.ignoreCase === b.ignoreCase; } if (isError(a)) { if (a.message !== b.message) return false; } if (isArrayBuffer(a)) { a = new Uint8Array(a); b = new Uint8Array(b); } if (isView(a) && !isBuffer(a)) { if (isBuffer(b)) return false; const x = new Uint8Array(a.buffer); const y = new Uint8Array(b.buffer); if (x.length !== y.length) return false; for (let i = 0; i < x.length; i++) { if (x[i] !== y[i]) return false; } return true; } if (isSet(a)) { if (a.size !== b.size) return false; const keys = new Set([...a, ...b]); return keys.size === a.size; } // Recursive. if (!cache) { cache = { a: new Map(), b: new Map(), p: 0 }; } else { const aa = cache.a.get(a); if (aa != null) { const bb = cache.b.get(b); if (bb != null) return aa === bb; } cache.p += 1; } cache.a.set(a, cache.p); cache.b.set(b, cache.p); const ret = recurse(a, b, cache); cache.a.delete(a); cache.b.delete(b); return ret; } function recurse(a, b, cache) { if (isMap(a)) { if (a.size !== b.size) return false; const keys = new Set([...a.keys(), ...b.keys()]); if (keys.size !== a.size) return false; for (const key of keys) { if (!compare(a.get(key), b.get(key), cache)) return false; } return true; } if (isArray(a)) { if (a.length !== b.length) return false; for (let i = 0; i < a.length; i++) { if (!compare(a[i], b[i], cache)) return false; } return true; } const ak = ownKeys(a); const bk = ownKeys(b); if (ak.length !== bk.length) return false; const keys = new Set([...ak, ...bk]); if (keys.size !== ak.length) return false; for (const key of keys) { if (!compare(a[key], b[key], cache)) return false; } return true; } function ownKeys(obj) { const keys = Object.keys(obj); if (!Object.getOwnPropertySymbols) return keys; if (!Object.getOwnPropertyDescriptor) return keys; const symbols = Object.getOwnPropertySymbols(obj); for (const symbol of symbols) { const desc = Object.getOwnPropertyDescriptor(obj, symbol); if (desc && desc.enumerable) keys.push(symbol); } return keys; } /* * Helpers */ function objectString(obj) { if (obj === undefined) return '[object Undefined]'; if (obj === null) return '[object Null]'; try { return Object.prototype.toString.call(obj); } catch (e) { return '[object Object]'; } } function objectType(obj) { return objectString(obj).slice(8, -1); } function objectName(obj) { const type = objectType(obj); if (obj == null) return type; if (type !== 'Object' && type !== 'Error') return type; let ctor, name; try { ctor = obj.constructor; } catch (e) { ; } if (ctor == null) return type; try { name = ctor.name; } catch (e) { return type; } if (typeof name !== 'string' || name.length === 0) return type; return name; } function funcName(func) { let name; try { name = func.name; } catch (e) { ; } if (typeof name !== 'string' || name.length === 0) return 'Function'; return `Function: ${name}`; } function isArray(obj) { return Array.isArray(obj); } function isArrayBuffer(obj) { return obj instanceof ArrayBuffer; } function isBuffer(obj) { return isObject(obj) && typeof obj.writeUInt32LE === 'function' && typeof obj.equals === 'function'; } function isDate(obj) { return obj instanceof Date; } function isError(obj) { return obj instanceof Error; } function isMap(obj) { return obj instanceof Map; } function isObject(obj) { return obj && typeof obj === 'object'; } function isPromise(obj) { return obj instanceof Promise; } function isRegExp(obj) { return obj instanceof RegExp; } function isSet(obj) { return obj instanceof Set; } function isView(obj) { return ArrayBuffer.isView(obj); } function isEncoding(enc) { if (typeof enc !== 'string') return false; switch (enc) { case 'ascii': case 'binary': case 'base64': case 'hex': case 'latin1': case 'ucs2': case 'utf8': case 'utf16le': return true; } return false; } function bufferize(actual, expected, enc) { if (typeof expected === 'string') { if (!isBuffer(actual)) return null; const {constructor} = actual; if (!constructor || typeof constructor.from !== 'function') return null; if (!isEncoding(enc)) return null; if (enc === 'hex' && (expected.length & 1)) return null; const raw = constructor.from(expected, enc); if (enc === 'hex' && raw.length !== (expected.length >>> 1)) return null; return raw; } return expected; } /* * API */ assert.AssertionError = AssertionError; assert.assert = assert; assert.strict = assert; assert.ok = assert; assert.equal = equal; assert.notEqual = notEqual; assert.strictEqual = equal; assert.notStrictEqual = notEqual; assert.fail = fail; assert.throws = throws; assert.doesNotThrow = doesNotThrow; assert.rejects = rejects; assert.doesNotReject = doesNotReject; assert.ifError = ifError; assert.deepEqual = deepEqual; assert.notDeepEqual = notDeepEqual; assert.deepStrictEqual = deepEqual; assert.notDeepStrictEqual = notDeepEqual; assert.bufferEqual = bufferEqual; assert.notBufferEqual = notBufferEqual; assert.enforce = enforce; assert.range = range; /* * Expose */ module.exports = assert; }], [/* 3 */ 'bufio', '/lib/bufio.js', function(exports, module, __filename, __dirname, __meta) { /*! * bufio.js - buffer utilities for javascript * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const custom = __node_require__(4 /* './custom' */); const encoding = __node_require__(5 /* './encoding' */); const enforce = __node_require__(6 /* './enforce' */); const EncodingError = __node_require__(7 /* './error' */); const BufferReader = __node_require__(8 /* './reader' */); const BufferWriter = __node_require__(9 /* './writer' */); const StaticWriter = __node_require__(10 /* './staticwriter' */); const Struct = __node_require__(11 /* './struct' */); exports.custom = custom; exports.encoding = encoding; exports.EncodingError = EncodingError; exports.BufferReader = BufferReader; exports.BufferWriter = BufferWriter; exports.StaticWriter = StaticWriter; exports.Struct = Struct; exports.read = function read(data, zeroCopy) { return new BufferReader(data, zeroCopy); }; exports.write = function write(size) { return size != null ? new StaticWriter(size) : new BufferWriter(); }; exports.pool = function pool(size) { return StaticWriter.pool(size); }; function _read(func, size) { return function(data, off) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds read'); return func(data, off); }; } function _readn(func) { return function(data, off, len) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); enforce((len >>> 0) === len, 'len', 'integer'); if (off + len > data.length) throw new EncodingError(off, 'Out of bounds read'); return func(data, off, len); }; } function _readvar(func) { return function(data, off) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); return func(data, off); }; } function _write(func, size) { return function(data, num, off) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds write'); return func(data, num, off); }; } function _writen(func) { return function(data, num, off, len) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); enforce((len >>> 0) === len, 'len', 'integer'); if (off + len > data.length) throw new EncodingError(off, 'Out of bounds write'); return func(data, num, off, len); }; } function _writecb(func, size) { return function(data, num, off) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); if (off + size(num) > data.length) throw new EncodingError(off, 'Out of bounds write'); return func(data, num, off); }; } exports.readU = _readn(encoding.readU); exports.readU64 = _read(encoding.readU64, 8); exports.readU56 = _read(encoding.readU56, 7); exports.readU48 = _read(encoding.readU48, 6); exports.readU40 = _read(encoding.readU40, 5); exports.readU32 = _read(encoding.readU32, 4); exports.readU24 = _read(encoding.readU24, 3); exports.readU16 = _read(encoding.readU16, 2); exports.readU8 = _read(encoding.readU8, 1); exports.readUBE = _readn(encoding.readUBE); exports.readU64BE = _read(encoding.readU64BE, 8); exports.readU56BE = _read(encoding.readU56BE, 7); exports.readU48BE = _read(encoding.readU48BE, 6); exports.readU40BE = _read(encoding.readU40BE, 5); exports.readU32BE = _read(encoding.readU32BE, 4); exports.readU24BE = _read(encoding.readU24BE, 3); exports.readU16BE = _read(encoding.readU16BE, 2); exports.readI = _readn(encoding.readI); exports.readI64 = _read(encoding.readI64, 8); exports.readI56 = _read(encoding.readI56, 7); exports.readI48 = _read(encoding.readI48, 6); exports.readI40 = _read(encoding.readI40, 5); exports.readI32 = _read(encoding.readI32, 4); exports.readI24 = _read(encoding.readI24, 3); exports.readI16 = _read(encoding.readI16, 2); exports.readI8 = _read(encoding.readI8, 1); exports.readIBE = _readn(encoding.readIBE); exports.readI64BE = _read(encoding.readI64BE, 8); exports.readI56BE = _read(encoding.readI56BE, 7); exports.readI48BE = _read(encoding.readI48BE, 6); exports.readI40BE = _read(encoding.readI40BE, 5); exports.readI32BE = _read(encoding.readI32BE, 4); exports.readI24BE = _read(encoding.readI24BE, 3); exports.readI16BE = _read(encoding.readI16BE, 2); exports.readFloat = _read(encoding.readFloat, 4); exports.readFloatBE = _read(encoding.readFloatBE, 4); exports.readDouble = _read(encoding.readDouble, 8); exports.readDoubleBE = _read(encoding.readDoubleBE, 8); exports.writeU = _writen(encoding.writeU); exports.writeU64 = _write(encoding.writeU64, 8); exports.writeU56 = _write(encoding.writeU56, 7); exports.writeU48 = _write(encoding.writeU48, 6); exports.writeU40 = _write(encoding.writeU40, 5); exports.writeU32 = _write(encoding.writeU32, 4); exports.writeU24 = _write(encoding.writeU24, 3); exports.writeU16 = _write(encoding.writeU16, 2); exports.writeU8 = _write(encoding.writeU8, 1); exports.writeUBE = _writen(encoding.writeUBE); exports.writeU64BE = _write(encoding.writeU64BE, 8); exports.writeU56BE = _write(encoding.writeU56BE, 7); exports.writeU48BE = _write(encoding.writeU48BE, 6); exports.writeU40BE = _write(encoding.writeU40BE, 5); exports.writeU32BE = _write(encoding.writeU32BE, 4); exports.writeU24BE = _write(encoding.writeU24BE, 3); exports.writeU16BE = _write(encoding.writeU16BE, 2); exports.writeI = _writen(encoding.writeI); exports.writeI64 = _write(encoding.writeI64, 8); exports.writeI56 = _write(encoding.writeI56, 7); exports.writeI48 = _write(encoding.writeI48, 6); exports.writeI40 = _write(encoding.writeI40, 5); exports.writeI32 = _write(encoding.writeI32, 4); exports.writeI24 = _write(encoding.writeI24, 3); exports.writeI16 = _write(encoding.writeI16, 2); exports.writeI8 = _write(encoding.writeI8, 1); exports.writeIBE = _writen(encoding.writeIBE); exports.writeI64BE = _write(encoding.writeI64BE, 8); exports.writeI56BE = _write(encoding.writeI56BE, 7); exports.writeI48BE = _write(encoding.writeI48BE, 6); exports.writeI40BE = _write(encoding.writeI40BE, 5); exports.writeI32BE = _write(encoding.writeI32BE, 4); exports.writeI24BE = _write(encoding.writeI24BE, 3); exports.writeI16BE = _write(encoding.writeI16BE, 2); exports.writeFloat = _write(encoding.writeFloat, 4); exports.writeFloatBE = _write(encoding.writeFloatBE, 4); exports.writeDouble = _write(encoding.writeDouble, 8); exports.writeDoubleBE = _write(encoding.writeDoubleBE, 8); exports.readVarint = _readvar(encoding.readVarint); exports.writeVarint = _writecb(encoding.writeVarint, encoding.sizeVarint); exports.sizeVarint = encoding.sizeVarint; exports.readVarint2 = _readvar(encoding.readVarint2); exports.writeVarint2 = _writecb(encoding.writeVarint2, encoding.sizeVarint2); exports.sizeVarint2 = encoding.sizeVarint2; exports.sliceBytes = encoding.sliceBytes; exports.readBytes = encoding.readBytes; exports.writeBytes = encoding.writeBytes; exports.readString = encoding.readString; exports.writeString = encoding.writeString; exports.realloc = encoding.realloc; exports.copy = encoding.copy; exports.concat = encoding.concat; exports.sizeVarBytes = encoding.sizeVarBytes; exports.sizeVarlen = encoding.sizeVarlen; exports.sizeVarString = encoding.sizeVarString; }], [/* 4 */ 'bufio', '/lib/custom-browser.js', function(exports, module, __filename, __dirname, __meta) { 'use strict'; exports.custom = 'inspect'; }], [/* 5 */ 'bufio', '/lib/encoding.js', function(exports, module, __filename, __dirname, __meta) { /*! * encoding.js - encoding utils for bcoin * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ /* eslint no-implicit-coercion: "off" */ 'use strict'; const enforce = __node_require__(6 /* './enforce' */); const EncodingError = __node_require__(7 /* './error' */); /* * Constants */ const HI = 1 / 0x100000000; const {MAX_SAFE_INTEGER} = Number; const F32_ARRAY = new Float32Array(1); const F328_ARRAY = new Uint8Array(F32_ARRAY.buffer); const F64_ARRAY = new Float64Array(1); const F648_ARRAY = new Uint8Array(F64_ARRAY.buffer); F32_ARRAY[0] = -1; const BIG_ENDIAN = F328_ARRAY[3] === 0; /* * Read Unsigned LE */ function readU(data, off, len) { switch (len) { case 8: return readU64(data, off); case 7: return readU56(data, off); case 6: return readU48(data, off); case 5: return readU40(data, off); case 4: return readU32(data, off); case 3: return readU24(data, off); case 2: return readU16(data, off); case 1: return readU8(data, off); default: throw new EncodingError(off, 'Invalid read length'); } } function readU64(data, off) { const hi = readU32(data, off + 4); const lo = readU32(data, off); check((hi & 0xffe00000) === 0, off, 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readU56(data, off) { const hi = readU24(data, off + 4); const lo = readU32(data, off); check((hi & 0xffe00000) === 0, off, 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readU48(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off++] * 0x1000000 + data[off++] * 0x100000000 + data[off] * 0x10000000000); } function readU40(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off++] * 0x1000000 + data[off] * 0x100000000); } function readU32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000); } function readU24(data, off) { return (data[off++] + data[off++] * 0x100 + data[off] * 0x10000); } function readU16(data, off) { return data[off++] + data[off] * 0x100; } function readU8(data, off) { return data[off]; } /* * Read Unsigned BE */ function readUBE(data, off, len) { switch (len) { case 8: return readU64BE(data, off); case 7: return readU56BE(data, off); case 6: return readU48BE(data, off); case 5: return readU40BE(data, off); case 4: return readU32BE(data, off); case 3: return readU24BE(data, off); case 2: return readU16BE(data, off); case 1: return readU8(data, off); default: throw new EncodingError(off, 'Invalid read length'); } } function readU64BE(data, off) { const hi = readU32BE(data, off); const lo = readU32BE(data, off + 4); check((hi & 0xffe00000) === 0, off, 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readU56BE(data, off) { const hi = readU24BE(data, off); const lo = readU32BE(data, off + 3); check((hi & 0xffe00000) === 0, off, 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readU48BE(data, off) { return (data[off++] * 0x10000000000 + data[off++] * 0x100000000 + data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readU40BE(data, off) { return (data[off++] * 0x100000000 + data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readU32BE(data, off) { return (data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readU24BE(data, off) { return (data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readU16BE(data, off) { return data[off++] * 0x100 + data[off]; } /* * Read Signed LE */ function readI(data, off, len) { switch (len) { case 8: return readI64(data, off); case 7: return readI56(data, off); case 6: return readI48(data, off); case 5: return readI40(data, off); case 4: return readI32(data, off); case 3: return readI24(data, off); case 2: return readI16(data, off); case 1: return readI8(data, off); default: throw new EncodingError(off, 'Invalid read length'); } } function readI64(data, off) { const hi = readI32(data, off + 4); const lo = readU32(data, off); check(isSafe(hi, lo), 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readI56(data, off) { const hi = readI24(data, off + 4); const lo = readU32(data, off); check(isSafe(hi, lo), 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readI48(data, off) { const val = data[off + 4] + data[off + 5] * 0x100; return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000 + (val | (val & 0x8000) * 0x1fffe) * 0x100000000); } function readI40(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off++] * 0x1000000 + (data[off] | (data[off] & 0x80) * 0x1fffffe) * 0x100000000); } function readI32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + (data[off] << 24)); } function readI24(data, off) { const val = (data[off++] + data[off++] * 0x100 + data[off] * 0x10000); return val | (val & 0x800000) * 0x1fe; } function readI16(data, off) { const val = data[off++] + data[off] * 0x100; return val | (val & 0x8000) * 0x1fffe; } function readI8(data, off) { const val = data[off]; return val | (val & 0x80) * 0x1fffffe; } /* * Read Signed BE */ function readIBE(data, off, len) { switch (len) { case 8: return readI64BE(data, off); case 7: return readI56BE(data, off); case 6: return readI48BE(data, off); case 5: return readI40BE(data, off); case 4: return readI32BE(data, off); case 3: return readI24BE(data, off); case 2: return readI16BE(data, off); case 1: return readI8(data, off); default: throw new EncodingError(off, 'Invalid read length'); } } function readI64BE(data, off) { const hi = readI32BE(data, off); const lo = readU32BE(data, off + 4); check(isSafe(hi, lo), 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readI56BE(data, off) { const hi = readI24BE(data, off); const lo = readU32BE(data, off + 3); check(isSafe(hi, lo), 'Number exceeds 2^53-1'); return hi * 0x100000000 + lo; } function readI48BE(data, off) { const val = data[off++] * 0x100 + data[off++]; return ((val | (val & 0x8000) * 0x1fffe) * 0x100000000 + data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readI40BE(data, off) { const val = data[off++]; return ((val | (val & 0x80) * 0x1fffffe) * 0x100000000 + data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readI32BE(data, off) { return ((data[off++] << 24) + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function readI24BE(data, off) { const val = (data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); return val | (val & 0x800000) * 0x1fe; } function readI16BE(data, off) { const val = data[off++] * 0x100 + data[off]; return val | (val & 0x8000) * 0x1fffe; } /* * Read Float */ function _readFloatBackwards(data, off) { F328_ARRAY[3] = data[off++]; F328_ARRAY[2] = data[off++]; F328_ARRAY[1] = data[off++]; F328_ARRAY[0] = data[off]; return F32_ARRAY[0]; } function _readFloatForwards(data, off) { F328_ARRAY[0] = data[off++]; F328_ARRAY[1] = data[off++]; F328_ARRAY[2] = data[off++]; F328_ARRAY[3] = data[off]; return F32_ARRAY[0]; } function _readDoubleBackwards(data, off) { F648_ARRAY[7] = data[off++]; F648_ARRAY[6] = data[off++]; F648_ARRAY[5] = data[off++]; F648_ARRAY[4] = data[off++]; F648_ARRAY[3] = data[off++]; F648_ARRAY[2] = data[off++]; F648_ARRAY[1] = data[off++]; F648_ARRAY[0] = data[off]; return F64_ARRAY[0]; } function _readDoubleForwards(data, off) { F648_ARRAY[0] = data[off++]; F648_ARRAY[1] = data[off++]; F648_ARRAY[2] = data[off++]; F648_ARRAY[3] = data[off++]; F648_ARRAY[4] = data[off++]; F648_ARRAY[5] = data[off++]; F648_ARRAY[6] = data[off++]; F648_ARRAY[7] = data[off]; return F64_ARRAY[0]; } const readFloat = BIG_ENDIAN ? _readFloatBackwards : _readFloatForwards; const readFloatBE = BIG_ENDIAN ? _readFloatForwards : _readFloatBackwards; const readDouble = BIG_ENDIAN ? _readDoubleBackwards : _readDoubleForwards; const readDoubleBE = BIG_ENDIAN ? _readDoubleForwards : _readDoubleBackwards; /* * Write Unsigned LE */ function writeU(dst, num, off, len) { switch (len) { case 8: return writeU64(dst, num, off); case 7: return writeU56(dst, num, off); case 6: return writeU48(dst, num, off); case 5: return writeU40(dst, num, off); case 4: return writeU32(dst, num, off); case 3: return writeU24(dst, num, off); case 2: return writeU16(dst, num, off); case 1: return writeU8(dst, num, off); default: throw new EncodingError(off, 'Invalid write length'); } } function writeU64(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); return write64(dst, num, off, false); } function writeU56(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); return write56(dst, num, off, false); } function writeU48(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); const hi = (num * HI) | 0; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; dst[off++] = hi; dst[off++] = hi >>> 8; return off; } function writeU40(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); const hi = (num * HI) | 0; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; dst[off++] = hi; return off; } function writeU32(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; return off; } function writeU24(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; return off; } function writeU16(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off++] = num; dst[off++] = num >>> 8; return off; } function writeU8(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off] = num; return off + 1; } /* * Write Unsigned BE */ function writeUBE(dst, num, off, len) { switch (len) { case 8: return writeU64BE(dst, num, off); case 7: return writeU56BE(dst, num, off); case 6: return writeU48BE(dst, num, off); case 5: return writeU40BE(dst, num, off); case 4: return writeU32BE(dst, num, off); case 3: return writeU24BE(dst, num, off); case 2: return writeU16BE(dst, num, off); case 1: return writeU8(dst, num, off); default: throw new EncodingError(off, 'Invalid write length'); } } function writeU64BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); return write64(dst, num, off, true); } function writeU56BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); return write56(dst, num, off, true); } function writeU48BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); const hi = (num * HI) | 0; dst[off++] = hi >>> 8; dst[off++] = hi; dst[off + 3] = num; num >>>= 8; dst[off + 2] = num; num >>>= 8; dst[off + 1] = num; num >>>= 8; dst[off] = num; return off + 4; } function writeU40BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); const hi = (num * HI) | 0; dst[off++] = hi; dst[off + 3] = num; num >>>= 8; dst[off + 2] = num; num >>>= 8; dst[off + 1] = num; num >>>= 8; dst[off] = num; return off + 4; } function writeU32BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off + 3] = num; num >>>= 8; dst[off + 2] = num; num >>>= 8; dst[off + 1] = num; num >>>= 8; dst[off] = num; return off + 4; } function writeU24BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off + 2] = num; num >>>= 8; dst[off + 1] = num; num >>>= 8; dst[off] = num; return off + 3; } function writeU16BE(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); dst[off++] = num >>> 8; dst[off++] = num; return off; } /* * Write Signed LE */ function writeI(dst, num, off, len) { switch (len) { case 8: return writeU64(dst, num, off); case 7: return writeU56(dst, num, off); case 6: return writeU48(dst, num, off); case 5: return writeU40(dst, num, off); case 4: return writeU24(dst, num, off); case 3: return writeU32(dst, num, off); case 2: return writeU16(dst, num, off); case 1: return writeU8(dst, num, off); default: throw new EncodingError(off, 'Invalid write length'); } } function writeI64(dst, num, off) { return writeU64(dst, num, off); } function writeI56(dst, num, off) { return writeU56(dst, num, off); } function writeI48(dst, num, off) { return writeU48(dst, num, off); } function writeI40(dst, num, off) { return writeU40(dst, num, off); } function writeI32(dst, num, off) { return writeU32(dst, num, off); } function writeI24(dst, num, off) { return writeU24(dst, num, off); } function writeI16(dst, num, off) { return writeU16(dst, num, off); } function writeI8(dst, num, off) { return writeU8(dst, num, off); } /* * Write Signed BE */ function writeIBE(dst, num, off, len) { switch (len) { case 8: return writeU64BE(dst, num, off); case 7: return writeU56BE(dst, num, off); case 6: return writeU48BE(dst, num, off); case 5: return writeU40BE(dst, num, off); case 4: return writeU32BE(dst, num, off); case 3: return writeU24BE(dst, num, off); case 2: return writeU16BE(dst, num, off); case 1: return writeU8(dst, num, off); default: throw new EncodingError(off, 'Invalid write length'); } } function writeI64BE(dst, num, off) { return writeU64BE(dst, num, off); } function writeI56BE(dst, num, off) { return writeU56BE(dst, num, off); } function writeI48BE(dst, num, off) { return writeU48BE(dst, num, off); } function writeI40BE(dst, num, off) { return writeU40BE(dst, num, off); } function writeI32BE(dst, num, off) { return writeU32BE(dst, num, off); } function writeI24BE(dst, num, off) { return writeU24BE(dst, num, off); } function writeI16BE(dst, num, off) { return writeU16BE(dst, num, off); } function _writeDoubleForwards(dst, num, off) { enforce(isNumber(num), 'num', 'number'); F64_ARRAY[0] = num; dst[off++] = F648_ARRAY[0]; dst[off++] = F648_ARRAY[1]; dst[off++] = F648_ARRAY[2]; dst[off++] = F648_ARRAY[3]; dst[off++] = F648_ARRAY[4]; dst[off++] = F648_ARRAY[5]; dst[off++] = F648_ARRAY[6]; dst[off++] = F648_ARRAY[7]; return off; } function _writeDoubleBackwards(dst, num, off) { enforce(isNumber(num), 'num', 'number'); F64_ARRAY[0] = num; dst[off++] = F648_ARRAY[7]; dst[off++] = F648_ARRAY[6]; dst[off++] = F648_ARRAY[5]; dst[off++] = F648_ARRAY[4]; dst[off++] = F648_ARRAY[3]; dst[off++] = F648_ARRAY[2]; dst[off++] = F648_ARRAY[1]; dst[off++] = F648_ARRAY[0]; return off; } function _writeFloatForwards(dst, num, off) { enforce(isNumber(num), 'num', 'number'); F32_ARRAY[0] = num; dst[off++] = F328_ARRAY[0]; dst[off++] = F328_ARRAY[1]; dst[off++] = F328_ARRAY[2]; dst[off++] = F328_ARRAY[3]; return off; } function _writeFloatBackwards(dst, num, off) { enforce(isNumber(num), 'num', 'number'); F32_ARRAY[0] = num; dst[off++] = F328_ARRAY[3]; dst[off++] = F328_ARRAY[2]; dst[off++] = F328_ARRAY[1]; dst[off++] = F328_ARRAY[0]; return off; } const writeFloat = BIG_ENDIAN ? _writeFloatBackwards : _writeFloatForwards; const writeFloatBE = BIG_ENDIAN ? _writeFloatForwards : _writeFloatBackwards; const writeDouble = BIG_ENDIAN ? _writeDoubleBackwards : _writeDoubleForwards; const writeDoubleBE = BIG_ENDIAN ? _writeDoubleForwards : _writeDoubleBackwards; /* * Varints */ function readVarint(data, off) { let value, size; checkRead(off < data.length, off); switch (data[off]) { case 0xff: size = 9; checkRead(off + size <= data.length, off); value = readU64(data, off + 1); check(value > 0xffffffff, off, 'Non-canonical varint'); break; case 0xfe: size = 5; checkRead(off + size <= data.length, off); value = readU32(data, off + 1); check(value > 0xffff, off, 'Non-canonical varint'); break; case 0xfd: size = 3; checkRead(off + size <= data.length, off); value = readU16(data, off + 1); check(value >= 0xfd, off, 'Non-canonical varint'); break; default: size = 1; value = data[off]; break; } return new Varint(size, value); } function writeVarint(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); if (num < 0xfd) { dst[off++] = num; return off; } if (num <= 0xffff) { dst[off++] = 0xfd; return writeU16(dst, num, off); } if (num <= 0xffffffff) { dst[off++] = 0xfe; return writeU32(dst, num, off); } dst[off++] = 0xff; return writeU64(dst, num, off); } function sizeVarint(num) { enforce(Number.isSafeInteger(num), 'num', 'integer'); if (num < 0xfd) return 1; if (num <= 0xffff) return 3; if (num <= 0xffffffff) return 5; return 9; } function readVarint2(data, off) { let num = 0; let size = 0; for (;;) { checkRead(off < data.length, off); const ch = data[off++]; size += 1; // Number.MAX_SAFE_INTEGER >>> 7 check(num <= 0x3fffffffffff - (ch & 0x7f), off, 'Number exceeds 2^53-1'); // num = (num << 7) | (ch & 0x7f); num = (num * 0x80) + (ch & 0x7f); if ((ch & 0x80) === 0) break; check(num !== MAX_SAFE_INTEGER, off, 'Number exceeds 2^53-1'); num += 1; } return new Varint(size, num); } function writeVarint2(dst, num, off) { enforce(Number.isSafeInteger(num), 'num', 'integer'); const tmp = []; let len = 0; for (;;) { tmp[len] = (num & 0x7f) | (len ? 0x80 : 0x00); if (num <= 0x7f) break; // num = (num >>> 7) - 1; num = ((num - (num % 0x80)) / 0x80) - 1; len += 1; } checkRead(off + len + 1 <= dst.length, off); do { dst[off++] = tmp[len]; } while (len--); return off; } function sizeVarint2(num) { enforce(Number.isSafeInteger(num), 'num', 'integer'); let size = 0; for (;;) { size += 1; if (num <= 0x7f) break; // num = (num >>> 7) - 1; num = ((num - (num % 0x80)) / 0x80) - 1; } return size; } /* * Bytes */ function sliceBytes(data, off, size) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); enforce((size >>> 0) === size, 'size', 'integer'); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds read'); return data.slice(off, off + size); } function readBytes(data, off, size) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); enforce((size >>> 0) === size, 'size', 'integer'); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds read'); const buf = Buffer.allocUnsafeSlow(size); data.copy(buf, 0, off, off + size); return buf; } function writeBytes(data, value, off) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce(Buffer.isBuffer(value), 'value', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); if (off + value.length > data.length) throw new EncodingError(off, 'Out of bounds write'); return value.copy(data, off, 0, value.length); } function readString(data, off, size, enc) { if (enc == null) enc = 'binary'; enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce((off >>> 0) === off, 'off', 'integer'); enforce((size >>> 0) === size, 'size', 'integer'); enforce(typeof enc === 'string', 'enc', 'string'); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds read'); return data.toString(enc, off, off + size); } function writeString(data, str, off, enc) { if (enc == null) enc = 'binary'; enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce(typeof str === 'string', 'str', 'string'); enforce((off >>> 0) === off, 'off', 'integer'); enforce(typeof enc === 'string', 'enc', 'string'); if (str.length === 0) return 0; const size = Buffer.byteLength(str, enc); if (off + size > data.length) throw new EncodingError(off, 'Out of bounds write'); return data.write(str, off, enc); } function realloc(data, size) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); const buf = Buffer.allocUnsafeSlow(size); data.copy(buf, 0); return buf; } function copy(data) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); return realloc(data, data.length); } function concat(a, b) { enforce(Buffer.isBuffer(a), 'a', 'buffer'); enforce(Buffer.isBuffer(b), 'b', 'buffer'); const size = a.length + b.length; const buf = Buffer.allocUnsafeSlow(size); a.copy(buf, 0); b.copy(buf, a.length); return buf; } /* * Size Helpers */ function sizeVarBytes(data) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); return sizeVarint(data.length) + data.length; } function sizeVarlen(len) { return sizeVarint(len) + len; } function sizeVarString(str, enc) { if (enc == null) enc = 'binary'; enforce(typeof str === 'string', 'str', 'string'); enforce(typeof enc === 'string', 'enc', 'string'); if (str.length === 0) return 1; const len = Buffer.byteLength(str, enc); return sizeVarint(len) + len; } /* * Helpers */ function isSafe(hi, lo) { if (hi < 0) { hi = ~hi; if (lo === 0) hi += 1; } return (hi & 0xffe00000) === 0; } function write64(dst, num, off, be) { let neg = false; if (num < 0) { num = -num; neg = true; } let hi = (num * HI) | 0; let lo = num | 0; if (neg) { if (lo === 0) { hi = (~hi + 1) | 0; } else { hi = ~hi; lo = ~lo + 1; } } if (be) { off = writeI32BE(dst, hi, off); off = writeI32BE(dst, lo, off); } else { off = writeI32(dst, lo, off); off = writeI32(dst, hi, off); } return off; } function write56(dst, num, off, be) { let neg = false; if (num < 0) { num = -num; neg = true; } let hi = (num * HI) | 0; let lo = num | 0; if (neg) { if (lo === 0) { hi = (~hi + 1) | 0; } else { hi = ~hi; lo = ~lo + 1; } } if (be) { off = writeI24BE(dst, hi, off); off = writeI32BE(dst, lo, off); } else { off = writeI32(dst, lo, off); off = writeI24(dst, hi, off); } return off; } class Varint { constructor(size, value) { this.size = size; this.value = value; } } function isNumber(num) { return typeof num === 'number' && isFinite(num); } function checkRead(value, offset) { if (!value) throw new EncodingError(offset, 'Out of bounds read', checkRead); } function check(value, offset, reason) { if (!value) throw new EncodingError(offset, reason, check); } /* * Expose */ exports.readU = readU; exports.readU64 = readU64; exports.readU56 = readU56; exports.readU48 = readU48; exports.readU40 = readU40; exports.readU32 = readU32; exports.readU24 = readU24; exports.readU16 = readU16; exports.readU8 = readU8; exports.readUBE = readUBE; exports.readU64BE = readU64BE; exports.readU56BE = readU56BE; exports.readU48BE = readU48BE; exports.readU40BE = readU40BE; exports.readU32BE = readU32BE; exports.readU24BE = readU24BE; exports.readU16BE = readU16BE; exports.readI = readI; exports.readI64 = readI64; exports.readI56 = readI56; exports.readI48 = readI48; exports.readI40 = readI40; exports.readI32 = readI32; exports.readI24 = readI24; exports.readI16 = readI16; exports.readI8 = readI8; exports.readIBE = readIBE; exports.readI64BE = readI64BE; exports.readI56BE = readI56BE; exports.readI48BE = readI48BE; exports.readI40BE = readI40BE; exports.readI32BE = readI32BE; exports.readI24BE = readI24BE; exports.readI16BE = readI16BE; exports.readFloat = readFloat; exports.readFloatBE = readFloatBE; exports.readDouble = readDouble; exports.readDoubleBE = readDoubleBE; exports.writeU = writeU; exports.writeU64 = writeU64; exports.writeU56 = writeU56; exports.writeU48 = writeU48; exports.writeU40 = writeU40; exports.writeU32 = writeU32; exports.writeU24 = writeU24; exports.writeU16 = writeU16; exports.writeU8 = writeU8; exports.writeUBE = writeUBE; exports.writeU64BE = writeU64BE; exports.writeU56BE = writeU56BE; exports.writeU48BE = writeU48BE; exports.writeU40BE = writeU40BE; exports.writeU32BE = writeU32BE; exports.writeU24BE = writeU24BE; exports.writeU16BE = writeU16BE; exports.writeI = writeI; exports.writeI64 = writeI64; exports.writeI56 = writeI56; exports.writeI48 = writeI48; exports.writeI40 = writeI40; exports.writeI32 = writeI32; exports.writeI24 = writeI24; exports.writeI16 = writeI16; exports.writeI8 = writeI8; exports.writeIBE = writeIBE; exports.writeI64BE = writeI64BE; exports.writeI56BE = writeI56BE; exports.writeI48BE = writeI48BE; exports.writeI40BE = writeI40BE; exports.writeI32BE = writeI32BE; exports.writeI24BE = writeI24BE; exports.writeI16BE = writeI16BE; exports.writeFloat = writeFloat; exports.writeFloatBE = writeFloatBE; exports.writeDouble = writeDouble; exports.writeDoubleBE = writeDoubleBE; exports.readVarint = readVarint; exports.writeVarint = writeVarint; exports.sizeVarint = sizeVarint; exports.readVarint2 = readVarint2; exports.writeVarint2 = writeVarint2; exports.sizeVarint2 = sizeVarint2; exports.sliceBytes = sliceBytes; exports.readBytes = readBytes; exports.writeBytes = writeBytes; exports.readString = readString; exports.writeString = writeString; exports.realloc = realloc; exports.copy = copy; exports.concat = concat; exports.sizeVarBytes = sizeVarBytes; exports.sizeVarlen = sizeVarlen; exports.sizeVarString = sizeVarString; }], [/* 6 */ 'bufio', '/lib/enforce.js', function(exports, module, __filename, __dirname, __meta) { /*! * enforce.js - type enforcement for bcoin * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; /* * Enforce */ function enforce(value, name, type) { if (!value) { const err = new TypeError(`'${name}' must be a(n) ${type}.`); if (Error.captureStackTrace) Error.captureStackTrace(err, enforce); throw err; } } /* * Expose */ module.exports = enforce; }], [/* 7 */ 'bufio', '/lib/error.js', function(exports, module, __filename, __dirname, __meta) { /*! * error.js - encoding error for bcoin * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; /** * Encoding Error * @extends {Error} */ class EncodingError extends Error { /** * Create an encoding error. * @constructor * @param {Number} offset * @param {String} reason */ constructor(offset, reason, start) { super(); this.type = 'EncodingError'; this.name = 'EncodingError'; this.code = 'ERR_ENCODING'; this.message = `${reason} (offset=${offset}).`; if (Error.captureStackTrace) Error.captureStackTrace(this, start || EncodingError); } } /* * Expose */ module.exports = EncodingError; }], [/* 8 */ 'bufio', '/lib/reader.js', function(exports, module, __filename, __dirname, __meta) { /*! * reader.js - buffer reader for bcoin * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const enforce = __node_require__(6 /* './enforce' */); const encoding = __node_require__(5 /* './encoding' */); const EncodingError = __node_require__(7 /* './error' */); /* * Constants */ const EMPTY = Buffer.alloc(0); /** * Buffer Reader */ class BufferReader { /** * Create a buffer reader. * @constructor * @param {Buffer} data * @param {Boolean?} zeroCopy - Do not reallocate buffers when * slicing. Note that this can lead to memory leaks if not used * carefully. */ constructor(data, zeroCopy = false) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); enforce(typeof zeroCopy === 'boolean', 'zeroCopy', 'boolean'); this.data = data; this.offset = 0; this.zeroCopy = zeroCopy; this.stack = []; } /** * Assertion. * @param {Number} size */ check(size) { if (this.offset + size > this.data.length) throw new EncodingError(this.offset, 'Out of bounds read', this.check); } /** * Get total size of passed-in Buffer. * @returns {Buffer} */ getSize() { return this.data.length; } /** * Calculate number of bytes left to read. * @returns {Number} */ left() { this.check(0); return this.data.length - this.offset; } /** * Seek to a position to read from by offset. * @param {Number} off - Offset (positive or negative). */ seek(off) { enforce(Number.isSafeInteger(off), 'off', 'integer'); if (this.offset + off < 0) throw new EncodingError(this.offset, 'Out of bounds read'); this.check(off); this.offset += off; return this; } /** * Mark the current starting position. */ start() { this.stack.push(this.offset); return this.offset; } /** * Stop reading. Pop the start position off the stack * and calculate the size of the data read. * @returns {Number} Size. * @throws on empty stack. */ end() { if (this.stack.length === 0) throw new Error('Cannot end without a stack item.'); const start = this.stack.pop(); return this.offset - start; } /** * Stop reading. Pop the start position off the stack * and return the data read. * @param {Bolean?} zeroCopy - Do a fast buffer * slice instead of allocating a new buffer (warning: * may cause memory leaks if not used with care). * @returns {Buffer} Data read. * @throws on empty stack. */ endData(zeroCopy = false) { enforce(typeof zeroCopy === 'boolean', 'zeroCopy', 'boolean'); if (this.stack.length === 0) throw new Error('Cannot end without a stack item.'); const start = this.stack.pop(); const end = this.offset; const size = end - start; const data = this.data; if (size === data.length) return data; if (this.zeroCopy || zeroCopy) return data.slice(start, end); const ret = Buffer.allocUnsafeSlow(size); data.copy(ret, 0, start, end); return ret; } /** * Destroy the reader. Remove references to the data. */ destroy() { this.data = EMPTY; this.offset = 0; this.stack.length = 0; return this; } /** * Read uint8. * @returns {Number} */ readU8() { this.check(1); const ret = this.data[this.offset]; this.offset += 1; return ret; } /** * Read uint16le. * @returns {Number} */ readU16() { this.check(2); const ret = encoding.readU16(this.data, this.offset); this.offset += 2; return ret; } /** * Read uint16be. * @returns {Number} */ readU16BE() { this.check(2); const ret = encoding.readU16BE(this.data, this.offset); this.offset += 2; return ret; } /** * Read uint24le. * @returns {Number} */ readU24() { this.check(3); const ret = encoding.readU24(this.data, this.offset); this.offset += 3; return ret; } /** * Read uint24be. * @returns {Number} */ readU24BE() { this.check(3); const ret = encoding.readU24BE(this.data, this.offset); this.offset += 3; return ret; } /** * Read uint32le. * @returns {Number} */ readU32() { this.check(4); const ret = encoding.readU32(this.data, this.offset); this.offset += 4; return ret; } /** * Read uint32be. * @returns {Number} */ readU32BE() { this.check(4); const ret = encoding.readU32BE(this.data, this.offset); this.offset += 4; return ret; } /** * Read uint40le. * @returns {Number} */ readU40() { this.check(5); const ret = encoding.readU40(this.data, this.offset); this.offset += 5; return ret; } /** * Read uint40be. * @returns {Number} */ readU40BE() { this.check(5); const ret = encoding.readU40BE(this.data, this.offset); this.offset += 5; return ret; } /** * Read uint48le. * @returns {Number} */ readU48() { this.check(6); const ret = encoding.readU48(this.data, this.offset); this.offset += 6; return ret; } /** * Read uint48be. * @returns {Number} */ readU48BE() { this.check(6); const ret = encoding.readU48BE(this.data, this.offset); this.offset += 6; return ret; } /** * Read uint56le. * @returns {Number} */ readU56() { this.check(7); const ret = encoding.readU56(this.data, this.offset); this.offset += 7; return ret; } /** * Read uint56be. * @returns {Number} */ readU56BE() { this.check(7); const ret = encoding.readU56BE(this.data, this.offset); this.offset += 7; return ret; } /** * Read uint64le as a js number. * @returns {Number} * @throws on num > MAX_SAFE_INTEGER */ readU64() { this.check(8); const ret = encoding.readU64(this.data, this.offset); this.offset += 8; return ret; } /** * Read uint64be as a js number. * @returns {Number} * @throws on num > MAX_SAFE_INTEGER */ readU64BE() { this.check(8); const ret = encoding.readU64BE(this.data, this.offset); this.offset += 8; return ret; } /** * Read int8. * @returns {Number} */ readI8() { this.check(1); const ret = encoding.readI8(this.data, this.offset); this.offset += 1; return ret; } /** * Read int16le. * @returns {Number} */ readI16() { this.check(2); const ret = encoding.readI16(this.data, this.offset); this.offset += 2; return ret; } /** * Read int16be. * @returns {Number} */ readI16BE() { this.check(2); const ret = encoding.readI16BE(this.data, this.offset); this.offset += 2; return ret; } /** * Read int24le. * @returns {Number} */ readI24() { this.check(3); const ret = encoding.readI24(this.data, this.offset); this.offset += 3; return ret; } /** * Read int24be. * @returns {Number} */ readI24BE() { this.check(3); const ret = encoding.readI24BE(this.data, this.offset); this.offset += 3; return ret; } /** * Read int32le. * @returns {Number} */ readI32() { this.check(4); const ret = encoding.readI32(this.data, this.offset); this.offset += 4; return ret; } /** * Read int32be. * @returns {Number} */ readI32BE() { this.check(4); const ret = encoding.readI32BE(this.data, this.offset); this.offset += 4; return ret; } /** * Read int40le. * @returns {Number} */ readI40() { this.check(5); const ret = encoding.readI40(this.data, this.offset); this.offset += 5; return ret; } /** * Read int40be. * @returns {Number} */ readI40BE() { this.check(5); const ret = encoding.readI40BE(this.data, this.offset); this.offset += 5; return ret; } /** * Read int48le. * @returns {Number} */ readI48() { this.check(6); const ret = encoding.readI48(this.data, this.offset); this.offset += 6; return ret; } /** * Read int48be. * @returns {Number} */ readI48BE() { this.check(6); const ret = encoding.readI48BE(this.data, this.offset); this.offset += 6; return ret; } /** * Read int56le. * @returns {Number} */ readI56() { this.check(7); const ret = encoding.readI56(this.data, this.offset); this.offset += 7; return ret; } /** * Read int56be. * @returns {Number} */ readI56BE() { this.check(7); const ret = encoding.readI56BE(this.data, this.offset); this.offset += 7; return ret; } /** * Read int64le as a js number. * @returns {Number} * @throws on num > MAX_SAFE_INTEGER */ readI64() { this.check(8); const ret = encoding.readI64(this.data, this.offset); this.offset += 8; return ret; } /** * Read int64be as a js number. * @returns {Number} * @throws on num > MAX_SAFE_INTEGER */ readI64BE() { this.check(8); const ret = encoding.readI64BE(this.data, this.offset); this.offset += 8; return ret; } /** * Read float le. * @returns {Number} */ readFloat() { this.check(4); const ret = encoding.readFloat(this.data, this.offset); this.offset += 4; return ret; } /** * Read float be. * @returns {Number} */ readFloatBE() { this.check(4); const ret = encoding.readFloatBE(this.data, this.offset); this.offset += 4; return ret; } /** * Read double float le. * @returns {Number} */ readDouble() { this.check(8); const ret = encoding.readDouble(this.data, this.offset); this.offset += 8; return ret; } /** * Read double float be. * @returns {Number} */ readDoubleBE() { this.check(8); const ret = encoding.readDoubleBE(this.data, this.offset); this.offset += 8; return ret; } /** * Read a varint. * @returns {Number} */ readVarint() { const {size, value} = encoding.readVarint(this.data, this.offset); this.offset += size; return value; } /** * Read a varint (type 2). * @returns {Number} */ readVarint2() { const {size, value} = encoding.readVarint2(this.data, this.offset); this.offset += size; return value; } /** * Read N bytes (will do a fast slice if zero copy). * @param {Number} size * @param {Bolean?} zeroCopy - Do a fast buffer * slice instead of allocating a new buffer (warning: * may cause memory leaks if not used with care). * @returns {Buffer} */ readBytes(size, zeroCopy = false) { enforce((size >>> 0) === size, 'size', 'integer'); enforce(typeof zeroCopy === 'boolean', 'zeroCopy', 'boolean'); this.check(size); let ret; if (this.zeroCopy || zeroCopy) { ret = this.data.slice(this.offset, this.offset + size); } else { ret = Buffer.allocUnsafeSlow(size); this.data.copy(ret, 0, this.offset, this.offset + size); } this.offset += size; return ret; } /** * Read a varint number of bytes (will do a fast slice if zero copy). * @param {Bolean?} zeroCopy - Do a fast buffer * slice instead of allocating a new buffer (warning: * may cause memory leaks if not used with care). * @returns {Buffer} */ readVarBytes(zeroCopy = false) { return this.readBytes(this.readVarint(), zeroCopy); } /** * Slice N bytes and create a child reader. * @param {Number} size * @returns {BufferReader} */ readChild(size) { enforce((size >>> 0) === size, 'size', 'integer'); this.check(size); const data = this.data.slice(0, this.offset + size); const br = new this.constructor(data); br.offset = this.offset; this.offset += size; return br; } /** * Read a string. * @param {Number} size * @param {String} enc - Any buffer-supported encoding. * @returns {String} */ readString(size, enc) { if (enc == null) enc = 'binary'; enforce((size >>> 0) === size, 'size', 'integer'); enforce(typeof enc === 'string', 'enc', 'string'); this.check(size); const ret = this.data.toString(enc, this.offset, this.offset + size); this.offset += size; return ret; } /** * Read a 32-byte hash. * @param {String} enc - `"hex"` or `null`. * @returns {Hash|Buffer} */ readHash(enc) { if (enc) return this.readString(32, enc); return this.readBytes(32); } /** * Read string of a varint length. * @param {String} enc - Any buffer-supported encoding. * @param {Number?} limit - Size limit. * @returns {String} */ readVarString(enc, limit = 0) { if (enc == null) enc = 'binary'; enforce(typeof enc === 'string', 'enc', 'string'); enforce((limit >>> 0) === limit, 'limit', 'integer'); const size = this.readVarint(); if (limit !== 0 && size > limit) throw new EncodingError(this.offset, 'String exceeds limit'); return this.readString(size, enc); } /** * Read a null-terminated string. * @param {String} enc - Any buffer-supported encoding. * @returns {String} */ readNullString(enc) { if (enc == null) enc = 'binary'; enforce(typeof enc === 'string', 'enc', 'string'); let i = this.offset; for (; i < this.data.length; i++) { if (this.data[i] === 0) break; } if (i === this.data.length) throw new EncodingError(this.offset, 'No NUL terminator'); const ret = this.readString(i - this.offset, enc); this.offset = i + 1; return ret; } /** * Create a checksum from the last start position. * @param {Function} hash * @returns {Number} Checksum. */ createChecksum(hash) { if (!hash || typeof hash.digest !== 'function') enforce(typeof hash === 'function', 'hash', 'function'); let start = 0; if (this.stack.length > 0) start = this.stack[this.stack.length - 1]; const data = this.data.slice(start, this.offset); const raw = hash.digest ? hash.digest(data) : hash(data); return encoding.readU32(raw, 0); } /** * Verify a 4-byte checksum against a calculated checksum. * @param {Function} hash * @returns {Number} checksum * @throws on bad checksum */ verifyChecksum(hash) { const checksum = this.createChecksum(hash); const expect = this.readU32(); if (checksum !== expect) throw new EncodingError(this.offset, 'Checksum mismatch'); return checksum; } } /* * Expose */ module.exports = BufferReader; }], [/* 9 */ 'bufio', '/lib/writer.js', function(exports, module, __filename, __dirname, __meta) { /*! * writer.js - buffer writer for bcoin * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const enforce = __node_require__(6 /* './enforce' */); const encoding = __node_require__(5 /* './encoding' */); const EncodingError = __node_require__(7 /* './error' */); /* * Constants */ const SEEK = 0; const U8 = 1; const U16 = 2; const U16BE = 3; const U24 = 4; const U24BE = 5; const U32 = 6; const U32BE = 7; const U40 = 8; const U40BE = 9; const U48 = 10; const U48BE = 11; const U56 = 12; const U56BE = 13; const U64 = 14; const U64BE = 15; const I8 = 16; const I16 = 17; const I16BE = 18; const I24 = 19; const I24BE = 20; const I32 = 21; const I32BE = 22; const I40 = 23; const I40BE = 24; const I48 = 25; const I48BE = 26; const I56 = 27; const I56BE = 28; const I64 = 29; const I64BE = 30; const FL = 31; const FLBE = 32; const DBL = 33; const DBLBE = 34; const VARINT = 35; const VARINT2 = 36; const BYTES = 37; const STR = 38; const CHECKSUM = 39; const FILL = 40; /** * Buffer Writer */ class BufferWriter { /** * Create a buffer writer. * @constructor */ constructor() { this.ops = []; this.offset = 0; } /** * Allocate and render the final buffer. * @returns {Buffer} Rendered buffer. */ render() { const data = Buffer.allocUnsafeSlow(this.offset); let off = 0; for (const op of this.ops) { switch (op.type) { case SEEK: off += op.value; break; case U8: off = encoding.writeU8(data, op.value, off); break; case U16: off = encoding.writeU16(data, op.value, off); break; case U16BE: off = encoding.writeU16BE(data, op.value, off); break; case U24: off = encoding.writeU24(data, op.value, off); break; case U24BE: off = encoding.writeU24BE(data, op.value, off); break; case U32: off = encoding.writeU32(data, op.value, off); break; case U32BE: off = encoding.writeU32BE(data, op.value, off); break; case U40: off = encoding.writeU40(data, op.value, off); break; case U40BE: off = encoding.writeU40BE(data, op.value, off); break; case U48: off = encoding.writeU48(data, op.value, off); break; case U48BE: off = encoding.writeU48BE(data, op.value, off); break; case U56: off = encoding.writeU56(data, op.value, off); break; case U56BE: off = encoding.writeU56BE(data, op.value, off); break; case U64: off = encoding.writeU64(data, op.value, off); break; case U64BE: off = encoding.writeU64BE(data, op.value, off); break; case I8: off = encoding.writeI8(data, op.value, off); break; case I16: off = encoding.writeI16(data, op.value, off); break; case I16BE: off = encoding.writeI16BE(data, op.value, off); break; case I24: off = encoding.writeI24(data, op.value, off); break; case I24BE: off = encoding.writeI24BE(data, op.value, off); break; case I32: off = encoding.writeI32(data, op.value, off); break; case I32BE: off = encoding.writeI32BE(data, op.value, off); break; case I40: off = encoding.writeI40(data, op.value, off); break; case I40BE: off = encoding.writeI40BE(data, op.value, off); break; case I48: off = encoding.writeI48(data, op.value, off); break; case I48BE: off = encoding.writeI48BE(data, op.value, off); break; case I56: off = encoding.writeI56(data, op.value, off); break; case I56BE: off = encoding.writeI56BE(data, op.value, off); break; case I64: off = encoding.writeI64(data, op.value, off); break; case I64BE: off = encoding.writeI64BE(data, op.value, off); break; case FL: off = encoding.writeFloat(data, op.value, off); break; case FLBE: off = encoding.writeFloatBE(data, op.value, off); break; case DBL: off = encoding.writeDouble(data, op.value, off); break; case DBLBE: off = encoding.writeDoubleBE(data, op.value, off); break; case VARINT: off = encoding.writeVarint(data, op.value, off); break; case VARINT2: off = encoding.writeVarint2(data, op.value, off); break; case BYTES: off += op.data.copy(data, off); break; case STR: off += data.write(op.value, off, op.enc); break; case CHECKSUM: off += op.func(data.slice(0, off)).copy(data, off, 0, 4); break; case FILL: data.fill(op.value, off, off + op.size); off += op.size; break; default: throw new Error('Invalid type.'); } } if (off !== data.length) throw new EncodingError(off, 'Out of bounds write'); this.destroy(); return data; } /** * Get size of data written so far. * @returns {Number} */ getSize() { return this.offset; } /** * Seek to relative offset. * @param {Number} offset */ seek(off) { enforce(Number.isSafeInteger(off), 'off', 'integer'); if (this.offset + off < 0) throw new EncodingError(this.offset, 'Out of bounds write'); this.offset += off; this.ops.push(new NumberOp(SEEK, off)); return this; } /** * Destroy the buffer writer. Remove references to `ops`. */ destroy() { this.ops.length = 0; this.offset = 0; return this; } /** * Write uint8. * @param {Number} value */ writeU8(value) { this.offset += 1; this.ops.push(new NumberOp(U8, value)); return this; } /** * Write uint16le. * @param {Number} value */ writeU16(value) { this.offset += 2; this.ops.push(new NumberOp(U16, value)); return this; } /** * Write uint16be. * @param {Number} value */ writeU16BE(value) { this.offset += 2; this.ops.push(new NumberOp(U16BE, value)); return this; } /** * Write uint24le. * @param {Number} value */ writeU24(value) { this.offset += 3; this.ops.push(new NumberOp(U24, value)); return this; } /** * Write uint24be. * @param {Number} value */ writeU24BE(value) { this.offset += 3; this.ops.push(new NumberOp(U24BE, value)); return this; } /** * Write uint32le. * @param {Number} value */ writeU32(value) { this.offset += 4; this.ops.push(new NumberOp(U32, value)); return this; } /** * Write uint32be. * @param {Number} value */ writeU32BE(value) { this.offset += 4; this.ops.push(new NumberOp(U32BE, value)); return this; } /** * Write uint40le. * @param {Number} value */ writeU40(value) { this.offset += 5; this.ops.push(new NumberOp(U40, value)); return this; } /** * Write uint40be. * @param {Number} value */ writeU40BE(value) { this.offset += 5; this.ops.push(new NumberOp(U40BE, value)); return this; } /** * Write uint48le. * @param {Number} value */ writeU48(value) { this.offset += 6; this.ops.push(new NumberOp(U48, value)); return this; } /** * Write uint48be. * @param {Number} value */ writeU48BE(value) { this.offset += 6; this.ops.push(new NumberOp(U48BE, value)); return this; } /** * Write uint56le. * @param {Number} value */ writeU56(value) { this.offset += 7; this.ops.push(new NumberOp(U56, value)); return this; } /** * Write uint56be. * @param {Number} value */ writeU56BE(value) { this.offset += 7; this.ops.push(new NumberOp(U56BE, value)); return this; } /** * Write uint64le. * @param {Number} value */ writeU64(value) { this.offset += 8; this.ops.push(new NumberOp(U64, value)); return this; } /** * Write uint64be. * @param {Number} value */ writeU64BE(value) { this.offset += 8; this.ops.push(new NumberOp(U64BE, value)); return this; } /** * Write int8. * @param {Number} value */ writeI8(value) { this.offset += 1; this.ops.push(new NumberOp(I8, value)); return this; } /** * Write int16le. * @param {Number} value */ writeI16(value) { this.offset += 2; this.ops.push(new NumberOp(I16, value)); return this; } /** * Write int16be. * @param {Number} value */ writeI16BE(value) { this.offset += 2; this.ops.push(new NumberOp(I16BE, value)); return this; } /** * Write int24le. * @param {Number} value */ writeI24(value) { this.offset += 3; this.ops.push(new NumberOp(I24, value)); return this; } /** * Write int24be. * @param {Number} value */ writeI24BE(value) { this.offset += 3; this.ops.push(new NumberOp(I24BE, value)); return this; } /** * Write int32le. * @param {Number} value */ writeI32(value) { this.offset += 4; this.ops.push(new NumberOp(I32, value)); return this; } /** * Write int32be. * @param {Number} value */ writeI32BE(value) { this.offset += 4; this.ops.push(new NumberOp(I32BE, value)); return this; } /** * Write int40le. * @param {Number} value */ writeI40(value) { this.offset += 5; this.ops.push(new NumberOp(I40, value)); return this; } /** * Write int40be. * @param {Number} value */ writeI40BE(value) { this.offset += 5; this.ops.push(new NumberOp(I40BE, value)); return this; } /** * Write int48le. * @param {Number} value */ writeI48(value) { this.offset += 6; this.ops.push(new NumberOp(I48, value)); return this; } /** * Write int48be. * @param {Number} value */ writeI48BE(value) { this.offset += 6; this.ops.push(new NumberOp(I48BE, value)); return this; } /** * Write int56le. * @param {Number} value */ writeI56(value) { this.offset += 7; this.ops.push(new NumberOp(I56, value)); return this; } /** * Write int56be. * @param {Number} value */ writeI56BE(value) { this.offset += 7; this.ops.push(new NumberOp(I56BE, value)); return this; } /** * Write int64le. * @param {Number} value */ writeI64(value) { this.offset += 8; this.ops.push(new NumberOp(I64, value)); return this; } /** * Write int64be. * @param {Number} value */ writeI64BE(value) { this.offset += 8; this.ops.push(new NumberOp(I64BE, value)); return this; } /** * Write float le. * @param {Number} value */ writeFloat(value) { this.offset += 4; this.ops.push(new NumberOp(FL, value)); return this; } /** * Write float be. * @param {Number} value */ writeFloatBE(value) { this.offset += 4; this.ops.push(new NumberOp(FLBE, value)); return this; } /** * Write double le. * @param {Number} value */ writeDouble(value) { this.offset += 8; this.ops.push(new NumberOp(DBL, value)); return this; } /** * Write double be. * @param {Number} value */ writeDoubleBE(value) { this.offset += 8; this.ops.push(new NumberOp(DBLBE, value)); return this; } /** * Write a varint. * @param {Number} value */ writeVarint(value) { this.offset += encoding.sizeVarint(value); this.ops.push(new NumberOp(VARINT, value)); return this; } /** * Write a varint (type 2). * @param {Number} value */ writeVarint2(value) { this.offset += encoding.sizeVarint2(value); this.ops.push(new NumberOp(VARINT2, value)); return this; } /** * Write bytes. * @param {Buffer} value */ writeBytes(value) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); if (value.length === 0) return this; this.offset += value.length; this.ops.push(new BufferOp(BYTES, value)); return this; } /** * Write bytes with a varint length before them. * @param {Buffer} value */ writeVarBytes(value) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); this.offset += encoding.sizeVarint(value.length); this.ops.push(new NumberOp(VARINT, value.length)); if (value.length === 0) return this; this.offset += value.length; this.ops.push(new BufferOp(BYTES, value)); return this; } /** * Copy bytes. * @param {Buffer} value * @param {Number} start * @param {Number} end */ copy(value, start, end) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); enforce((start >>> 0) === start, 'start', 'integer'); enforce((end >>> 0) === end, 'end', 'integer'); enforce(end >= start, 'start', 'integer'); const buf = value.slice(start, end); this.writeBytes(buf); return this; } /** * Write string to buffer. * @param {String} value * @param {String?} enc - Any buffer-supported encoding. */ writeString(value, enc) { if (enc == null) enc = 'binary'; enforce(typeof value === 'string', 'value', 'string'); enforce(typeof enc === 'string', 'enc', 'string'); if (value.length === 0) return this; this.offset += Buffer.byteLength(value, enc); this.ops.push(new StringOp(STR, value, enc)); return this; } /** * Write a 32 byte hash. * @param {Hash} value */ writeHash(value) { if (typeof value !== 'string') { enforce(Buffer.isBuffer(value), 'value', 'buffer'); enforce(value.length === 32, 'value', '32-byte hash'); this.writeBytes(value); return this; } enforce(value.length === 64, 'value', '32-byte hash'); this.writeString(value, 'hex'); return this; } /** * Write a string with a varint length before it. * @param {String} * @param {String?} enc - Any buffer-supported encoding. */ writeVarString(value, enc) { if (enc == null) enc = 'binary'; enforce(typeof value === 'string', 'value', 'string'); enforce(typeof enc === 'string', 'enc', 'string'); if (value.length === 0) { this.ops.push(new NumberOp(VARINT, 0)); return this; } const size = Buffer.byteLength(value, enc); this.offset += encoding.sizeVarint(size); this.offset += size; this.ops.push(new NumberOp(VARINT, size)); this.ops.push(new StringOp(STR, value, enc)); return this; } /** * Write a null-terminated string. * @param {String|Buffer} * @param {String?} enc - Any buffer-supported encoding. */ writeNullString(value, enc) { this.writeString(value, enc); this.writeU8(0); return this; } /** * Calculate and write a checksum for the data written so far. * @param {Function} hash */ writeChecksum(hash) { if (hash && typeof hash.digest === 'function') hash = hash.digest.bind(hash); enforce(typeof hash === 'function', 'hash', 'function'); this.offset += 4; this.ops.push(new FunctionOp(CHECKSUM, hash)); return this; } /** * Fill N bytes with value. * @param {Number} value * @param {Number} size */ fill(value, size) { enforce((value & 0xff) === value, 'value', 'byte'); enforce((size >>> 0) === size, 'size', 'integer'); if (size === 0) return this; this.offset += size; this.ops.push(new FillOp(FILL, value, size)); return this; } } /* * Helpers */ class WriteOp { constructor(type) { this.type = type; } } class NumberOp extends WriteOp { constructor(type, value) { super(type); this.value = value; } } class BufferOp extends WriteOp { constructor(type, data) { super(type); this.data = data; } } class StringOp extends WriteOp { constructor(type, value, enc) { super(type); this.value = value; this.enc = enc; } } class FunctionOp extends WriteOp { constructor(type, func) { super(type); this.func = func; } } class FillOp extends WriteOp { constructor(type, value, size) { super(type); this.value = value; this.size = size; } } /* * Expose */ module.exports = BufferWriter; }], [/* 10 */ 'bufio', '/lib/staticwriter.js', function(exports, module, __filename, __dirname, __meta) { /*! * staticwriter.js - buffer writer for bcoin * Copyright (c) 2014-2017, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const enforce = __node_require__(6 /* './enforce' */); const encoding = __node_require__(5 /* './encoding' */); const EncodingError = __node_require__(7 /* './error' */); /* * Constants */ const EMPTY = Buffer.alloc(0); const POOL_SIZE = 100 << 10; let POOL = null; /** * Statically Allocated Writer */ class StaticWriter { /** * Statically allocated buffer writer. * @constructor * @param {Number|Buffer} options */ constructor(options) { this.data = EMPTY; this.offset = 0; if (options != null) this.init(options); } /** * Assertion. * @param {Number} size */ check(size) { if (this.offset + size > this.data.length) throw new EncodingError(this.offset, 'Out of bounds write', this.check); } /** * Initialize options. * @param {Object} options */ init(options) { if (Buffer.isBuffer(options)) { this.data = options; this.offset = 0; return this; } enforce((options >>> 0) === options, 'size', 'integer'); this.data = Buffer.allocUnsafeSlow(options); this.offset = 0; return this; } /** * Allocate writer from preallocated 100kb pool. * @param {Number} size * @returns {StaticWriter} */ static pool(size) { enforce((size >>> 0) === size, 'size', 'integer'); if (size <= POOL_SIZE) { if (!POOL) POOL = Buffer.allocUnsafeSlow(POOL_SIZE); const bw = new StaticWriter(); bw.data = POOL.slice(0, size); return bw; } return new StaticWriter(size); } /** * Allocate and render the final buffer. * @returns {Buffer} Rendered buffer. */ render() { const {data, offset} = this; if (offset !== data.length) throw new EncodingError(offset, 'Out of bounds write'); this.destroy(); return data; } /** * Slice the final buffer at written offset. * @returns {Buffer} Rendered buffer. */ slice() { const {data, offset} = this; if (offset > data.length) throw new EncodingError(offset, 'Out of bounds write'); this.destroy(); return data.slice(0, offset); } /** * Get size of data written so far. * @returns {Number} */ getSize() { return this.offset; } /** * Seek to relative offset. * @param {Number} off */ seek(off) { enforce(Number.isSafeInteger(off), 'off', 'integer'); if (this.offset + off < 0) throw new EncodingError(this.offset, 'Out of bounds write'); this.check(off); this.offset += off; return this; } /** * Destroy the buffer writer. */ destroy() { this.data = EMPTY; this.offset = 0; return this; } /** * Write uint8. * @param {Number} value */ writeU8(value) { this.check(1); this.offset = encoding.writeU8(this.data, value, this.offset); return this; } /** * Write uint16le. * @param {Number} value */ writeU16(value) { this.check(2); this.offset = encoding.writeU16(this.data, value, this.offset); return this; } /** * Write uint16be. * @param {Number} value */ writeU16BE(value) { this.check(2); this.offset = encoding.writeU16BE(this.data, value, this.offset); return this; } /** * Write uint24le. * @param {Number} value */ writeU24(value) { this.check(3); this.offset = encoding.writeU24(this.data, value, this.offset); return this; } /** * Write uint24be. * @param {Number} value */ writeU24BE(value) { this.check(3); this.offset = encoding.writeU24BE(this.data, value, this.offset); return this; } /** * Write uint32le. * @param {Number} value */ writeU32(value) { this.check(4); this.offset = encoding.writeU32(this.data, value, this.offset); return this; } /** * Write uint32be. * @param {Number} value */ writeU32BE(value) { this.check(4); this.offset = encoding.writeU32BE(this.data, value, this.offset); return this; } /** * Write uint40le. * @param {Number} value */ writeU40(value) { this.check(5); this.offset = encoding.writeU40(this.data, value, this.offset); return this; } /** * Write uint40be. * @param {Number} value */ writeU40BE(value) { this.check(5); this.offset = encoding.writeU40BE(this.data, value, this.offset); return this; } /** * Write uint48le. * @param {Number} value */ writeU48(value) { this.check(6); this.offset = encoding.writeU48(this.data, value, this.offset); return this; } /** * Write uint48be. * @param {Number} value */ writeU48BE(value) { this.check(6); this.offset = encoding.writeU48BE(this.data, value, this.offset); return this; } /** * Write uint56le. * @param {Number} value */ writeU56(value) { this.check(7); this.offset = encoding.writeU56(this.data, value, this.offset); return this; } /** * Write uint56be. * @param {Number} value */ writeU56BE(value) { this.check(7); this.offset = encoding.writeU56BE(this.data, value, this.offset); return this; } /** * Write uint64le. * @param {Number} value */ writeU64(value) { this.check(8); this.offset = encoding.writeU64(this.data, value, this.offset); return this; } /** * Write uint64be. * @param {Number} value */ writeU64BE(value) { this.check(8); this.offset = encoding.writeU64BE(this.data, value, this.offset); return this; } /** * Write int8. * @param {Number} value */ writeI8(value) { this.check(1); this.offset = encoding.writeI8(this.data, value, this.offset); return this; } /** * Write int16le. * @param {Number} value */ writeI16(value) { this.check(2); this.offset = encoding.writeI16(this.data, value, this.offset); return this; } /** * Write int16be. * @param {Number} value */ writeI16BE(value) { this.check(2); this.offset = encoding.writeI16BE(this.data, value, this.offset); return this; } /** * Write int24le. * @param {Number} value */ writeI24(value) { this.check(3); this.offset = encoding.writeI24(this.data, value, this.offset); return this; } /** * Write int24be. * @param {Number} value */ writeI24BE(value) { this.check(3); this.offset = encoding.writeI24BE(this.data, value, this.offset); return this; } /** * Write int32le. * @param {Number} value */ writeI32(value) { this.check(4); this.offset = encoding.writeI32(this.data, value, this.offset); return this; } /** * Write int32be. * @param {Number} value */ writeI32BE(value) { this.check(4); this.offset = encoding.writeI32BE(this.data, value, this.offset); return this; } /** * Write int40le. * @param {Number} value */ writeI40(value) { this.check(5); this.offset = encoding.writeI40(this.data, value, this.offset); return this; } /** * Write int40be. * @param {Number} value */ writeI40BE(value) { this.check(5); this.offset = encoding.writeI40BE(this.data, value, this.offset); return this; } /** * Write int48le. * @param {Number} value */ writeI48(value) { this.check(6); this.offset = encoding.writeI48(this.data, value, this.offset); return this; } /** * Write int48be. * @param {Number} value */ writeI48BE(value) { this.check(6); this.offset = encoding.writeI48BE(this.data, value, this.offset); return this; } /** * Write int56le. * @param {Number} value */ writeI56(value) { this.check(7); this.offset = encoding.writeI56(this.data, value, this.offset); return this; } /** * Write int56be. * @param {Number} value */ writeI56BE(value) { this.check(7); this.offset = encoding.writeI56BE(this.data, value, this.offset); return this; } /** * Write int64le. * @param {Number} value */ writeI64(value) { this.check(8); this.offset = encoding.writeI64(this.data, value, this.offset); return this; } /** * Write int64be. * @param {Number} value */ writeI64BE(value) { this.check(8); this.offset = encoding.writeI64BE(this.data, value, this.offset); return this; } /** * Write float le. * @param {Number} value */ writeFloat(value) { this.check(4); this.offset = encoding.writeFloat(this.data, value, this.offset); return this; } /** * Write float be. * @param {Number} value */ writeFloatBE(value) { this.check(4); this.offset = encoding.writeFloatBE(this.data, value, this.offset); return this; } /** * Write double le. * @param {Number} value */ writeDouble(value) { this.check(8); this.offset = encoding.writeDouble(this.data, value, this.offset); return this; } /** * Write double be. * @param {Number} value */ writeDoubleBE(value) { this.check(8); this.offset = encoding.writeDoubleBE(this.data, value, this.offset); return this; } /** * Write a varint. * @param {Number} value */ writeVarint(value) { this.offset = encoding.writeVarint(this.data, value, this.offset); return this; } /** * Write a varint (type 2). * @param {Number} value */ writeVarint2(value) { this.offset = encoding.writeVarint2(this.data, value, this.offset); return this; } /** * Write bytes. * @param {Buffer} value */ writeBytes(value) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); this.check(value.length); this.offset += value.copy(this.data, this.offset); return this; } /** * Write bytes with a varint length before them. * @param {Buffer} value */ writeVarBytes(value) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); this.writeVarint(value.length); this.writeBytes(value); return this; } /** * Copy bytes. * @param {Buffer} value * @param {Number} start * @param {Number} end */ copy(value, start, end) { enforce(Buffer.isBuffer(value), 'value', 'buffer'); enforce((start >>> 0) === start, 'start', 'integer'); enforce((end >>> 0) === end, 'end', 'integer'); enforce(end >= start, 'start', 'integer'); this.check(end - start); this.offset += value.copy(this.data, this.offset, start, end); return this; } /** * Write string to buffer. * @param {String} value * @param {String?} enc - Any buffer-supported encoding. */ writeString(value, enc) { if (enc == null) enc = 'binary'; enforce(typeof value === 'string', 'value', 'string'); enforce(typeof enc === 'string', 'enc', 'string'); if (value.length === 0) return this; const size = Buffer.byteLength(value, enc); this.check(size); this.offset += this.data.write(value, this.offset, enc); return this; } /** * Write a 32 byte hash. * @param {Hash} value */ writeHash(value) { if (typeof value !== 'string') { enforce(Buffer.isBuffer(value), 'value', 'buffer'); enforce(value.length === 32, 'value', '32-byte hash'); this.writeBytes(value); return this; } enforce(value.length === 64, 'value', '32-byte hash'); this.check(32); this.offset += this.data.write(value, this.offset, 'hex'); return this; } /** * Write a string with a varint length before it. * @param {String} * @param {String?} enc - Any buffer-supported encoding. */ writeVarString(value, enc) { if (enc == null) enc = 'binary'; enforce(typeof value === 'string', 'value', 'string'); enforce(typeof enc === 'string', 'enc', 'string'); if (value.length === 0) { this.writeVarint(0); return this; } const size = Buffer.byteLength(value, enc); this.writeVarint(size); this.check(size); this.offset += this.data.write(value, this.offset, enc); return this; } /** * Write a null-terminated string. * @param {String|Buffer} * @param {String?} enc - Any buffer-supported encoding. */ writeNullString(value, enc) { this.writeString(value, enc); this.writeU8(0); return this; } /** * Calculate and write a checksum for the data written so far. * @param {Function} hash */ writeChecksum(hash) { if (!hash || typeof hash.digest !== 'function') enforce(typeof hash === 'function', 'hash', 'function'); this.check(4); const data = this.data.slice(0, this.offset); const raw = hash.digest ? hash.digest(data) : hash(data); raw.copy(this.data, this.offset, 0, 4); this.offset += 4; return this; } /** * Fill N bytes with value. * @param {Number} value * @param {Number} size */ fill(value, size) { enforce((value & 0xff) === value, 'value', 'byte'); enforce((size >>> 0) === size, 'size', 'integer'); this.check(size); this.data.fill(value, this.offset, this.offset + size); this.offset += size; return this; } } /* * Expose */ module.exports = StaticWriter; }], [/* 11 */ 'bufio', '/lib/struct.js', function(exports, module, __filename, __dirname, __meta) { /*! * struct.js - struct object for bcoin * Copyright (c) 2018, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const enforce = __node_require__(6 /* './enforce' */); const BufferReader = __node_require__(8 /* './reader' */); const BufferWriter = __node_require__(9 /* './writer' */); const StaticWriter = __node_require__(10 /* './staticwriter' */); const {custom} = __node_require__(4 /* './custom' */); /** * Struct */ class Struct { constructor() {} inject(obj) { enforce(obj instanceof this.constructor, 'obj', 'struct'); return this.decode(obj.encode()); } clone() { const copy = new this.constructor(); return copy.inject(this); } /* * Bindable */ getSize(extra) { return -1; } write(bw, extra) { return bw; } read(br, extra) { return this; } toString() { return Object.prototype.toString.call(this); } fromString(str, extra) { return this; } getJSON() { return this; } fromJSON(json, extra) { return this; } fromOptions(options, extra) { return this; } from(options, extra) { return this.fromOptions(options, extra); } format() { return this.getJSON(); } /* * API */ encode(extra) { const size = this.getSize(extra); const bw = size === -1 ? new BufferWriter() : new StaticWriter(size); this.write(bw, extra); return bw.render(); } decode(data, extra) { const br = new BufferReader(data); this.read(br, extra); return this; } toHex(extra) { return this.encode(extra).toString('hex'); } fromHex(str, extra) { enforce(typeof str === 'string', 'str', 'string'); const size = str.length >>> 1; const data = Buffer.from(str, 'hex'); if (data.length !== size) throw new Error('Invalid hex string.'); return this.decode(data, extra); } toBase64(extra) { return this.encode(extra).toString('base64'); } fromBase64(str, extra) { enforce(typeof str === 'string', 'str', 'string'); const data = Buffer.from(str, 'base64'); if (str.length > size64(data.length)) throw new Error('Invalid base64 string.'); return this.decode(data, extra); } toJSON() { return this.getJSON(); } [custom]() { return this.format(); } /* * Static API */ static read(br, extra) { return new this().read(br, extra); } static decode(data, extra) { return new this().decode(data, extra); } static fromHex(str, extra) { return new this().fromHex(str, extra); } static fromBase64(str, extra) { return new this().fromBase64(str, extra); } static fromString(str, extra) { return new this().fromString(str, extra); } static fromJSON(json, extra) { return new this().fromJSON(json, extra); } static fromOptions(options, extra) { return new this().fromOptions(options, extra); } static from(options, extra) { return new this().from(options, extra); } /* * Aliases */ toWriter(bw, extra) { return this.write(bw, extra); } fromReader(br, extra) { return this.read(br, extra); } toRaw(extra) { return this.encode(extra); } fromRaw(data, extra) { return this.decode(data, extra); } /* * Static Aliases */ static fromReader(br, extra) { return this.read(br, extra); } static fromRaw(data, extra) { return this.decode(data, extra); } } /* * Helpers */ function size64(size) { const expect = ((4 * size / 3) + 3) & ~3; return expect >>> 0; } /* * Expose */ module.exports = Struct; }], [/* 12 */ 'bcrypto', '/lib/encoding/base58-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * base58.js - base58 for bcrypto * Copyright (c) 2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(13 /* '../js/base58' */); }], [/* 13 */ 'bcrypto', '/lib/js/base58.js', function(exports, module, __filename, __dirname, __meta) { /*! * base58.js - base58 for bcrypto * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on bitcoin/bitcoin: * Copyright (c) 2009-2019, The Bitcoin Core Developers (MIT License). * Copyright (c) 2009-2019, The Bitcoin Developers (MIT License). * https://github.com/bitcoin/bitcoin * * Resources: * https://github.com/bitcoin/bitcoin/blob/master/src/base58.cpp */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /* * Constants */ const CHARSET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'; const TABLE = [ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, -1, -1, -1, -1, -1, -1, -1, 9, 10, 11, 12, 13, 14, 15, 16, -1, 17, 18, 19, 20, 21, -1, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, -1, -1, -1, -1, -1, -1, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, -1, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, -1, -1, -1, -1, -1 ]; const pool = Buffer.alloc(128); /** * Encode a base58 string. * @param {Buffer} data * @returns {String} */ function encode(data) { assert(Buffer.isBuffer(data)); let zeroes = 0; let i = 0; for (; i < data.length; i++) { if (data[i] !== 0) break; zeroes += 1; } const size = (((data.length - zeroes) * 138 / 100) | 0) + 1; const b58 = size <= 128 ? pool.fill(0) : Buffer.alloc(size); let length = 0; for (; i < data.length; i++) { let carry = data[i]; let j = 0; for (let k = size - 1; k >= 0; k--, j++) { if (carry === 0 && j >= length) break; carry += b58[k] * 256; b58[k] = carry % 58; carry = (carry / 58) | 0; } assert(carry === 0); length = j; } i = size - length; while (i < size && b58[i] === 0) i += 1; let str = ''; for (let j = 0; j < zeroes; j++) str += '1'; while (i < size) str += CHARSET[b58[i++]]; return str; } /** * Decode a base58 string. * @param {String} str * @returns {Buffer} * @throws on non-base58 character. */ function decode(str) { assert(typeof str === 'string'); let zeroes = 0; let i = 0; for (; i < str.length; i++) { if (str[i] !== '1') break; zeroes += 1; } const size = ((str.length * 733) / 1000 | 0) + 1; const b256 = size <= 128 ? pool.fill(0) : Buffer.alloc(size); let length = 0; for (; i < str.length; i++) { const ch = str.charCodeAt(i); if (ch & 0xff80) throw new Error('Invalid base58 string.'); const val = TABLE[ch]; if (val === -1) throw new Error('Invalid base58 string.'); let carry = val; let j = 0; for (let k = size - 1; k >= 0; k--, j++) { if (carry === 0 && j >= length) break; carry += b256[k] * 58; b256[k] = carry; carry >>>= 8; } assert(carry === 0); length = j; } // See: https://github.com/bitcoin/bitcoin/commit/2bcf1fc4 i = size - length; const out = Buffer.alloc(zeroes + (size - i)); let j; for (j = 0; j < zeroes; j++) out[j] = 0; while (i < size) out[j++] = b256[i++]; return out; } /** * Test whether the string is a base58 string. * @param {String} str * @returns {Buffer} */ function test(str) { assert(typeof str === 'string'); for (let i = 0; i < str.length; i++) { const ch = str.charCodeAt(i); if (ch & 0xff80) return false; if (TABLE[ch] === -1) return false; } return true; } /* * Expose */ exports.native = 0; exports.encode = encode; exports.decode = decode; exports.test = test; }], [/* 14 */ 'bcrypto', '/lib/internal/assert.js', function(exports, module, __filename, __dirname, __meta) { /*! * assert.js - assert for bcrypto * Copyright (c) 2020, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; /* * Assert */ function assert(val, msg) { if (!val) { const err = new Error(msg || 'Assertion failed'); if (Error.captureStackTrace) Error.captureStackTrace(err, assert); throw err; } } /* * Expose */ module.exports = assert; }], [/* 15 */ 'bcrypto', '/lib/sha512-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha512.js - sha512 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(16 /* './js/sha512' */); }], [/* 16 */ 'bcrypto', '/lib/js/sha512.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha512.js - SHA512 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/hash.js: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/hash.js * * Resources: * https://en.wikipedia.org/wiki/SHA-2 * https://tools.ietf.org/html/rfc4634 * https://github.com/indutny/hash.js/blob/master/lib/hash/sha/512.js */ /* eslint camelcase: "off" */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const FINALIZED = -1; const DESC = Buffer.alloc(16, 0x00); const PADDING = Buffer.alloc(128, 0x00); PADDING[0] = 0x80; const K = new Uint32Array([ 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd, 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc, 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019, 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118, 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe, 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2, 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1, 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694, 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3, 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65, 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483, 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5, 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210, 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4, 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725, 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70, 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926, 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df, 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8, 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b, 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001, 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30, 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910, 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8, 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53, 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8, 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb, 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3, 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60, 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec, 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9, 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b, 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207, 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178, 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6, 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b, 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493, 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c, 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a, 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817 ]); /** * SHA512 */ class SHA512 { constructor() { this.state = new Uint32Array(16); this.msg = new Uint32Array(160); this.block = Buffer.alloc(128); this.size = FINALIZED; } init() { this.state[0] = 0x6a09e667; this.state[1] = 0xf3bcc908; this.state[2] = 0xbb67ae85; this.state[3] = 0x84caa73b; this.state[4] = 0x3c6ef372; this.state[5] = 0xfe94f82b; this.state[6] = 0xa54ff53a; this.state[7] = 0x5f1d36f1; this.state[8] = 0x510e527f; this.state[9] = 0xade682d1; this.state[10] = 0x9b05688c; this.state[11] = 0x2b3e6c1f; this.state[12] = 0x1f83d9ab; this.state[13] = 0xfb41bd6b; this.state[14] = 0x5be0cd19; this.state[15] = 0x137e2179; this.size = 0; return this; } update(data) { assert(Buffer.isBuffer(data)); this._update(data, data.length); return this; } final() { return this._final(Buffer.alloc(64)); } _update(data, len) { assert(this.size !== FINALIZED, 'Context is not initialized.'); let pos = this.size & 127; let off = 0; this.size += len; if (pos > 0) { let want = 128 - pos; if (want > len) want = len; data.copy(this.block, pos, off, off + want); pos += want; len -= want; off += want; if (pos < 128) return; this._transform(this.block, 0); } while (len >= 128) { this._transform(data, off); off += 128; len -= 128; } if (len > 0) data.copy(this.block, 0, off, off + len); } /** * Finalize SHA512 context. * @private * @param {Buffer} out * @returns {Buffer} */ _final(out) { assert(this.size !== FINALIZED, 'Context is not initialized.'); const pos = this.size & 127; const len = this.size * 8; writeU32(DESC, (len * (1 / 0x100000000)) >>> 0, 8); writeU32(DESC, len >>> 0, 12); this._update(PADDING, 1 + ((239 - pos) & 127)); this._update(DESC, 16); for (let i = 0; i < 16; i++) { writeU32(out, this.state[i], i * 4); this.state[i] = 0; } for (let i = 0; i < 160; i++) this.msg[i] = 0; for (let i = 0; i < 128; i++) this.block[i] = 0; this.size = FINALIZED; return out; } _prepare(chunk, pos) { const W = this.msg; let i = 0; for (; i < 32; i++) W[i] = readU32(chunk, pos + i * 4); for (; i < 160; i += 2) { const c0_hi = g1_512_hi(W[i - 4], W[i - 3]); const c0_lo = g1_512_lo(W[i - 4], W[i - 3]); const c1_hi = W[i - 14]; const c1_lo = W[i - 13]; const c2_hi = g0_512_hi(W[i - 30], W[i - 29]); const c2_lo = g0_512_lo(W[i - 30], W[i - 29]); const c3_hi = W[i - 32]; const c3_lo = W[i - 31]; W[i + 0] = sum64_4_hi(c0_hi, c0_lo, c1_hi, c1_lo, c2_hi, c2_lo, c3_hi, c3_lo); W[i + 1] = sum64_4_lo(c0_hi, c0_lo, c1_hi, c1_lo, c2_hi, c2_lo, c3_hi, c3_lo); } } _transform(chunk, pos) { const W = this.msg; this._prepare(chunk, pos); let ah = this.state[0]; let al = this.state[1]; let bh = this.state[2]; let bl = this.state[3]; let ch = this.state[4]; let cl = this.state[5]; let dh = this.state[6]; let dl = this.state[7]; let eh = this.state[8]; let el = this.state[9]; let fh = this.state[10]; let fl = this.state[11]; let gh = this.state[12]; let gl = this.state[13]; let hh = this.state[14]; let hl = this.state[15]; for (let i = 0; i < W.length; i += 2) { let c0_hi = hh; let c0_lo = hl; let c1_hi = s1_512_hi(eh, el); let c1_lo = s1_512_lo(eh, el); const c2_hi = ch64_hi(eh, el, fh, fl, gh, gl); const c2_lo = ch64_lo(eh, el, fh, fl, gh, gl); const c3_hi = K[i + 0]; const c3_lo = K[i + 1]; const c4_hi = W[i + 0]; const c4_lo = W[i + 1]; const T1_hi = sum64_5_hi(c0_hi, c0_lo, c1_hi, c1_lo, c2_hi, c2_lo, c3_hi, c3_lo, c4_hi, c4_lo); const T1_lo = sum64_5_lo(c0_hi, c0_lo, c1_hi, c1_lo, c2_hi, c2_lo, c3_hi, c3_lo, c4_hi, c4_lo); c0_hi = s0_512_hi(ah, al); c0_lo = s0_512_lo(ah, al); c1_hi = maj64_hi(ah, al, bh, bl, ch, cl); c1_lo = maj64_lo(ah, al, bh, bl, ch, cl); const T2_hi = sum64_hi(c0_hi, c0_lo, c1_hi, c1_lo); const T2_lo = sum64_lo(c0_hi, c0_lo, c1_hi, c1_lo); hh = gh; hl = gl; gh = fh; gl = fl; fh = eh; fl = el; eh = sum64_hi(dh, dl, T1_hi, T1_lo); el = sum64_lo(dl, dl, T1_hi, T1_lo); dh = ch; dl = cl; ch = bh; cl = bl; bh = ah; bl = al; ah = sum64_hi(T1_hi, T1_lo, T2_hi, T2_lo); al = sum64_lo(T1_hi, T1_lo, T2_hi, T2_lo); } sum64(this.state, 0, ah, al); sum64(this.state, 2, bh, bl); sum64(this.state, 4, ch, cl); sum64(this.state, 6, dh, dl); sum64(this.state, 8, eh, el); sum64(this.state, 10, fh, fl); sum64(this.state, 12, gh, gl); sum64(this.state, 14, hh, hl); } static hash() { return new SHA512(); } static hmac() { return new HMAC(SHA512, 128); } static digest(data) { return SHA512.ctx.init().update(data).final(); } static root(left, right) { assert(Buffer.isBuffer(left) && left.length === 64); assert(Buffer.isBuffer(right) && right.length === 64); return SHA512.ctx.init().update(left).update(right).final(); } static multi(x, y, z) { const {ctx} = SHA512; ctx.init(); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key) { return SHA512.hmac().init(key).update(data).final(); } } /* * Static */ SHA512.native = 0; SHA512.id = 'SHA512'; SHA512.size = 64; SHA512.bits = 512; SHA512.blockSize = 128; SHA512.zero = Buffer.alloc(64, 0x00); SHA512.ctx = new SHA512(); /* * Helpers */ function sum64(buf, pos, ah, al) { const bh = buf[pos + 0]; const bl = buf[pos + 1]; const lo = (al + bl) >>> 0; const hi = (lo < al) + ah + bh; buf[pos + 0] = hi >>> 0; buf[pos + 1] = lo; } function sum64_hi(ah, al, bh, bl) { const lo = (al + bl) >>> 0; const hi = (lo < al) + ah + bh; return hi >>> 0; } function sum64_lo(ah, al, bh, bl) { const lo = al + bl; return lo >>> 0; } function sum64_4_hi(ah, al, bh, bl, ch, cl, dh, dl) { let carry = 0; let lo = al; lo = (lo + bl) >>> 0; carry += (lo < al); lo = (lo + cl) >>> 0; carry += (lo < cl); lo = (lo + dl) >>> 0; carry += (lo < dl); const hi = ah + bh + ch + dh + carry; return hi >>> 0; } function sum64_4_lo(ah, al, bh, bl, ch, cl, dh, dl) { const lo = al + bl + cl + dl; return lo >>> 0; } function sum64_5_hi(ah, al, bh, bl, ch, cl, dh, dl, eh, el) { let carry = 0; let lo = al; lo = (lo + bl) >>> 0; carry += (lo < al); lo = (lo + cl) >>> 0; carry += (lo < cl); lo = (lo + dl) >>> 0; carry += (lo < dl); lo = (lo + el) >>> 0; carry += (lo < el); const hi = ah + bh + ch + dh + eh + carry; return hi >>> 0; } function sum64_5_lo(ah, al, bh, bl, ch, cl, dh, dl, eh, el) { const lo = al + bl + cl + dl + el; return lo >>> 0; } function rotr64_hi(ah, al, num) { const r = (al << (32 - num)) | (ah >>> num); return r >>> 0; } function rotr64_lo(ah, al, num) { const r = (ah << (32 - num)) | (al >>> num); return r >>> 0; } function shr64_hi(ah, al, num) { return ah >>> num; } function shr64_lo(ah, al, num) { const r = (ah << (32 - num)) | (al >>> num); return r >>> 0; } function ch64_hi(xh, xl, yh, yl, zh, zl) { const r = (xh & yh) ^ ((~xh) & zh); return r >>> 0; } function ch64_lo(xh, xl, yh, yl, zh, zl) { const r = (xl & yl) ^ ((~xl) & zl); return r >>> 0; } function maj64_hi(xh, xl, yh, yl, zh, zl) { const r = (xh & yh) ^ (xh & zh) ^ (yh & zh); return r >>> 0; } function maj64_lo(xh, xl, yh, yl, zh, zl) { const r = (xl & yl) ^ (xl & zl) ^ (yl & zl); return r >>> 0; } function s0_512_hi(xh, xl) { const c0_hi = rotr64_hi(xh, xl, 28); const c1_hi = rotr64_hi(xl, xh, 2); // 34 const c2_hi = rotr64_hi(xl, xh, 7); // 39 const r = c0_hi ^ c1_hi ^ c2_hi; return r >>> 0; } function s0_512_lo(xh, xl) { const c0_lo = rotr64_lo(xh, xl, 28); const c1_lo = rotr64_lo(xl, xh, 2); // 34 const c2_lo = rotr64_lo(xl, xh, 7); // 39 const r = c0_lo ^ c1_lo ^ c2_lo; return r >>> 0; } function s1_512_hi(xh, xl) { const c0_hi = rotr64_hi(xh, xl, 14); const c1_hi = rotr64_hi(xh, xl, 18); const c2_hi = rotr64_hi(xl, xh, 9); // 41 const r = c0_hi ^ c1_hi ^ c2_hi; return r >>> 0; } function s1_512_lo(xh, xl) { const c0_lo = rotr64_lo(xh, xl, 14); const c1_lo = rotr64_lo(xh, xl, 18); const c2_lo = rotr64_lo(xl, xh, 9); // 41 const r = c0_lo ^ c1_lo ^ c2_lo; return r >>> 0; } function g0_512_hi(xh, xl) { const c0_hi = rotr64_hi(xh, xl, 1); const c1_hi = rotr64_hi(xh, xl, 8); const c2_hi = shr64_hi(xh, xl, 7); const r = c0_hi ^ c1_hi ^ c2_hi; return r >>> 0; } function g0_512_lo(xh, xl) { const c0_lo = rotr64_lo(xh, xl, 1); const c1_lo = rotr64_lo(xh, xl, 8); const c2_lo = shr64_lo(xh, xl, 7); const r = c0_lo ^ c1_lo ^ c2_lo; return r >>> 0; } function g1_512_hi(xh, xl) { const c0_hi = rotr64_hi(xh, xl, 19); const c1_hi = rotr64_hi(xl, xh, 29); // 61 const c2_hi = shr64_hi(xh, xl, 6); const r = c0_hi ^ c1_hi ^ c2_hi; return r >>> 0; } function g1_512_lo(xh, xl) { const c0_lo = rotr64_lo(xh, xl, 19); const c1_lo = rotr64_lo(xl, xh, 29); // 61 const c2_lo = shr64_lo(xh, xl, 6); const r = c0_lo ^ c1_lo ^ c2_lo; return r >>> 0; } function readU32(data, off) { return (data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function writeU32(data, num, off) { data[off++] = num >>> 24; data[off++] = num >>> 16; data[off++] = num >>> 8; data[off++] = num; return off; } /* * Expose */ module.exports = SHA512; }], [/* 17 */ 'bcrypto', '/lib/internal/hmac.js', function(exports, module, __filename, __dirname, __meta) { /*! * hmac.js - hmac for bcrypto * Copyright (c) 2016-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/hash.js: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/hash.js * * Resources: * https://en.wikipedia.org/wiki/HMAC * https://tools.ietf.org/html/rfc2104 * https://github.com/indutny/hash.js/blob/master/lib/hash/hmac.js */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /** * HMAC */ class HMAC { /** * Create an HMAC. * @param {Function} Hash * @param {Number} size * @param {Array} [x=[]] * @param {Array} [y=[]] */ constructor(Hash, size, x = [], y = []) { assert(typeof Hash === 'function'); assert((size >>> 0) === size); assert(Array.isArray(x)); assert(Array.isArray(y)); this.hash = Hash; this.size = size; this.x = x; this.y = y; this.inner = new Hash(); this.outer = new Hash(); } /** * Initialize HMAC context. * @param {Buffer} data */ init(key) { assert(Buffer.isBuffer(key)); // Shorten key if (key.length > this.size) { const Hash = this.hash; const h = new Hash(); h.init(...this.x); h.update(key); key = h.final(...this.y); assert(key.length <= this.size); } // Pad key const pad = Buffer.alloc(this.size); for (let i = 0; i < key.length; i++) pad[i] = key[i] ^ 0x36; for (let i = key.length; i < pad.length; i++) pad[i] = 0x36; this.inner.init(...this.x); this.inner.update(pad); for (let i = 0; i < key.length; i++) pad[i] = key[i] ^ 0x5c; for (let i = key.length; i < pad.length; i++) pad[i] = 0x5c; this.outer.init(...this.x); this.outer.update(pad); return this; } /** * Update HMAC context. * @param {Buffer} data */ update(data) { this.inner.update(data); return this; } /** * Finalize HMAC context. * @returns {Buffer} */ final() { this.outer.update(this.inner.final(...this.y)); return this.outer.final(...this.y); } } /* * Expose */ module.exports = HMAC; }], [/* 18 */ 'bcrypto', '/lib/hash160-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * hash160.js - hash160 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(19 /* './js/hash160' */); }], [/* 19 */ 'bcrypto', '/lib/js/hash160.js', function(exports, module, __filename, __dirname, __meta) { /*! * hash160.js - Hash160 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Resources: * https://github.com/bitcoin/bitcoin/blob/master/src/hash.h */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const SHA256 = __node_require__(20 /* './sha256' */); const RIPEMD160 = __node_require__(21 /* './ripemd160' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const rmd = new RIPEMD160(); /** * Hash160 */ class Hash160 { constructor() { this.ctx = new SHA256(); } init() { this.ctx.init(); return this; } update(data) { this.ctx.update(data); return this; } final() { const out = Buffer.alloc(32); this.ctx._final(out); rmd.init(); rmd.update(out); rmd._final(out); return out.slice(0, 20); } static hash() { return new Hash160(); } static hmac() { return new HMAC(Hash160, 64); } static digest(data) { return Hash160.ctx.init().update(data).final(); } static root(left, right) { assert(Buffer.isBuffer(left) && left.length === 20); assert(Buffer.isBuffer(right) && right.length === 20); return Hash160.ctx.init().update(left).update(right).final(); } static multi(x, y, z) { const {ctx} = Hash160; ctx.init(); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key) { return Hash160.hmac().init(key).update(data).final(); } } /* * Static */ Hash160.native = 0; Hash160.id = 'HASH160'; Hash160.size = 20; Hash160.bits = 160; Hash160.blockSize = 64; Hash160.zero = Buffer.alloc(20, 0x00); Hash160.ctx = new Hash160(); /* * Expose */ module.exports = Hash160; }], [/* 20 */ 'bcrypto', '/lib/js/sha256.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha256.js - SHA256 implementation for bcrypto * Copyright (c) 2016-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/hash.js: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/hash.js * * Resources: * https://en.wikipedia.org/wiki/SHA-2 * https://tools.ietf.org/html/rfc4634 * https://github.com/indutny/hash.js/blob/master/lib/hash/sha/256.js */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const FINALIZED = -1; const DESC = Buffer.alloc(8, 0x00); const PADDING = Buffer.alloc(64, 0x00); PADDING[0] = 0x80; const K = new Uint32Array([ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 ]); /** * SHA256 */ class SHA256 { constructor() { this.state = new Uint32Array(8); this.msg = new Uint32Array(64); this.block = Buffer.alloc(64); this.size = FINALIZED; } init() { this.state[0] = 0x6a09e667; this.state[1] = 0xbb67ae85; this.state[2] = 0x3c6ef372; this.state[3] = 0xa54ff53a; this.state[4] = 0x510e527f; this.state[5] = 0x9b05688c; this.state[6] = 0x1f83d9ab; this.state[7] = 0x5be0cd19; this.size = 0; return this; } update(data) { assert(Buffer.isBuffer(data)); this._update(data, data.length); return this; } final() { return this._final(Buffer.alloc(32)); } _update(data, len) { assert(this.size !== FINALIZED, 'Context is not initialized.'); let pos = this.size & 63; let off = 0; this.size += len; if (pos > 0) { let want = 64 - pos; if (want > len) want = len; data.copy(this.block, pos, off, off + want); pos += want; len -= want; off += want; if (pos < 64) return; this._transform(this.block, 0); } while (len >= 64) { this._transform(data, off); off += 64; len -= 64; } if (len > 0) data.copy(this.block, 0, off, off + len); } _final(out) { assert(this.size !== FINALIZED, 'Context is not initialized.'); const pos = this.size & 63; const len = this.size * 8; writeU32(DESC, (len * (1 / 0x100000000)) >>> 0, 0); writeU32(DESC, len >>> 0, 4); this._update(PADDING, 1 + ((119 - pos) & 63)); this._update(DESC, 8); for (let i = 0; i < 8; i++) { writeU32(out, this.state[i], i * 4); this.state[i] = 0; } for (let i = 0; i < 64; i++) this.msg[i] = 0; for (let i = 0; i < 64; i++) this.block[i] = 0; this.size = FINALIZED; return out; } _transform(chunk, pos) { const W = this.msg; let a = this.state[0]; let b = this.state[1]; let c = this.state[2]; let d = this.state[3]; let e = this.state[4]; let f = this.state[5]; let g = this.state[6]; let h = this.state[7]; let i = 0; for (; i < 16; i++) W[i] = readU32(chunk, pos + i * 4); for (; i < 64; i++) W[i] = sigma1(W[i - 2]) + W[i - 7] + sigma0(W[i - 15]) + W[i - 16]; for (i = 0; i < 64; i++) { const t1 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; const t2 = Sigma0(a) + Maj(a, b, c); h = g; g = f; f = e; e = (d + t1) >>> 0; d = c; c = b; b = a; a = (t1 + t2) >>> 0; } this.state[0] += a; this.state[1] += b; this.state[2] += c; this.state[3] += d; this.state[4] += e; this.state[5] += f; this.state[6] += g; this.state[7] += h; } static hash() { return new SHA256(); } static hmac() { return new HMAC(SHA256, 64); } static digest(data) { return SHA256.ctx.init().update(data).final(); } static root(left, right) { assert(Buffer.isBuffer(left) && left.length === 32); assert(Buffer.isBuffer(right) && right.length === 32); return SHA256.ctx.init().update(left).update(right).final(); } static multi(x, y, z) { const {ctx} = SHA256; ctx.init(); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key) { return SHA256.hmac().init(key).update(data).final(); } } /* * Static */ SHA256.native = 0; SHA256.id = 'SHA256'; SHA256.size = 32; SHA256.bits = 256; SHA256.blockSize = 64; SHA256.zero = Buffer.alloc(32, 0x00); SHA256.ctx = new SHA256(); /* * Helpers */ function Sigma0(x) { return (x >>> 2 | x << 30) ^ (x >>> 13 | x << 19) ^ (x >>> 22 | x << 10); } function Sigma1(x) { return (x >>> 6 | x << 26) ^ (x >>> 11 | x << 21) ^ (x >>> 25 | x << 7); } function sigma0(x) { return (x >>> 7 | x << 25) ^ (x >>> 18 | x << 14) ^ (x >>> 3); } function sigma1(x) { return (x >>> 17 | x << 15) ^ (x >>> 19 | x << 13) ^ (x >>> 10); } function Ch(x, y, z) { return z ^ (x & (y ^ z)); } function Maj(x, y, z) { return (x & y) | (z & (x | y)); } function readU32(data, off) { return (data[off++] * 0x1000000 + data[off++] * 0x10000 + data[off++] * 0x100 + data[off]); } function writeU32(data, num, off) { data[off++] = num >>> 24; data[off++] = num >>> 16; data[off++] = num >>> 8; data[off++] = num; return off; } /* * Expose */ module.exports = SHA256; }], [/* 21 */ 'bcrypto', '/lib/js/ripemd160.js', function(exports, module, __filename, __dirname, __meta) { /*! * ripemd160.js - RIPEMD160 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/hash.js: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/hash.js * * Resources: * https://en.wikipedia.org/wiki/RIPEMD-160 * https://homes.esat.kuleuven.be/~bosselae/ripemd160/pdf/AB-9601/AB-9601.pdf * https://github.com/indutny/hash.js/blob/master/lib/hash/ripemd.js */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const FINALIZED = -1; const DESC = Buffer.alloc(8, 0x00); const PADDING = Buffer.alloc(64, 0x00); PADDING[0] = 0x80; const r = new Uint8Array([ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8, 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12, 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2, 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13 ]); const rh = new Uint8Array([ 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12, 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2, 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13, 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14, 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11 ]); const s = new Uint8Array([ 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8, 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12, 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5, 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12, 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6 ]); const sh = new Uint8Array([ 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6, 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11, 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5, 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8, 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11 ]); /** * RIPEMD160 */ class RIPEMD160 { constructor() { this.state = new Uint32Array(5); this.msg = new Uint32Array(16); this.block = Buffer.alloc(64); this.size = FINALIZED; } init() { this.state[0] = 0x67452301; this.state[1] = 0xefcdab89; this.state[2] = 0x98badcfe; this.state[3] = 0x10325476; this.state[4] = 0xc3d2e1f0; this.size = 0; return this; } update(data) { assert(Buffer.isBuffer(data)); this._update(data, data.length); return this; } final() { return this._final(Buffer.alloc(20)); } _update(data, len) { assert(this.size !== FINALIZED, 'Context is not initialized.'); let pos = this.size & 63; let off = 0; this.size += len; if (pos > 0) { let want = 64 - pos; if (want > len) want = len; data.copy(this.block, pos, off, off + want); pos += want; len -= want; off += want; if (pos < 64) return; this._transform(this.block, 0); } while (len >= 64) { this._transform(data, off); off += 64; len -= 64; } if (len > 0) data.copy(this.block, 0, off, off + len); } _final(out) { assert(this.size !== FINALIZED, 'Context is not initialized.'); const pos = this.size & 63; const len = this.size * 8; writeU32(DESC, len >>> 0, 0); writeU32(DESC, (len * (1 / 0x100000000)) >>> 0, 4); this._update(PADDING, 1 + ((119 - pos) & 63)); this._update(DESC, 8); for (let i = 0; i < 5; i++) { writeU32(out, this.state[i], i * 4); this.state[i] = 0; } for (let i = 0; i < 16; i++) this.msg[i] = 0; for (let i = 0; i < 64; i++) this.block[i] = 0; this.size = FINALIZED; return out; } _transform(chunk, pos) { const W = this.msg; let A = this.state[0]; let B = this.state[1]; let C = this.state[2]; let D = this.state[3]; let E = this.state[4]; let Ah = A; let Bh = B; let Ch = C; let Dh = D; let Eh = E; for (let i = 0; i < 16; i++) W[i] = readU32(chunk, pos + i * 4); for (let j = 0; j < 80; j++) { let a = A + f(j, B, C, D) + W[r[j]] + K(j); let b = rotl32(a, s[j]); let T = b + E; A = E; E = D; D = rotl32(C, 10); C = B; B = T; a = Ah + f(79 - j, Bh, Ch, Dh) + W[rh[j]] + Kh(j); b = rotl32(a, sh[j]); T = b + Eh; Ah = Eh; Eh = Dh; Dh = rotl32(Ch, 10); Ch = Bh; Bh = T; } const T = this.state[1] + C + Dh; this.state[1] = this.state[2] + D + Eh; this.state[2] = this.state[3] + E + Ah; this.state[3] = this.state[4] + A + Bh; this.state[4] = this.state[0] + B + Ch; this.state[0] = T; } static hash() { return new RIPEMD160(); } static hmac() { return new HMAC(RIPEMD160, 64); } static digest(data) { return RIPEMD160.ctx.init().update(data).final(); } static root(left, right) { assert(Buffer.isBuffer(left) && left.length === 20); assert(Buffer.isBuffer(right) && right.length === 20); return RIPEMD160.ctx.init().update(left).update(right).final(); } static multi(x, y, z) { const {ctx} = RIPEMD160; ctx.init(); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key) { return RIPEMD160.hmac().init(key).update(data).final(); } } /* * Static */ RIPEMD160.native = 0; RIPEMD160.id = 'RIPEMD160'; RIPEMD160.size = 20; RIPEMD160.bits = 160; RIPEMD160.blockSize = 64; RIPEMD160.zero = Buffer.alloc(20, 0x00); RIPEMD160.ctx = new RIPEMD160(); /* * Helpers */ function rotl32(w, b) { return (w << b) | (w >>> (32 - b)); } function f(j, x, y, z) { if (j <= 15) return x ^ y ^ z; if (j <= 31) return (x & y) | ((~x) & z); if (j <= 47) return (x | (~y)) ^ z; if (j <= 63) return (x & z) | (y & (~z)); return x ^ (y | (~z)); } function K(j) { if (j <= 15) return 0x00000000; if (j <= 31) return 0x5a827999; if (j <= 47) return 0x6ed9eba1; if (j <= 63) return 0x8f1bbcdc; return 0xa953fd4e; } function Kh(j) { if (j <= 15) return 0x50a28be6; if (j <= 31) return 0x5c4dd124; if (j <= 47) return 0x6d703ef3; if (j <= 63) return 0x7a6d76e9; return 0x00000000; } function readU32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000); } function writeU32(dst, num, off) { dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; return off; } /* * Expose */ module.exports = RIPEMD160; }], [/* 22 */ 'bcrypto', '/lib/hash256-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * hash256.js - hash256 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(23 /* './js/hash256' */); }], [/* 23 */ 'bcrypto', '/lib/js/hash256.js', function(exports, module, __filename, __dirname, __meta) { /*! * hash256.js - Hash256 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Resources: * https://github.com/bitcoin/bitcoin/blob/master/src/hash.h */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const SHA256 = __node_require__(20 /* './sha256' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /** * Hash256 */ class Hash256 { constructor() { this.ctx = new SHA256(); } init() { this.ctx.init(); return this; } update(data) { this.ctx.update(data); return this; } final() { const out = Buffer.alloc(32); this.ctx._final(out); this.ctx.init(); this.ctx.update(out); this.ctx._final(out); return out; } static hash() { return new Hash256(); } static hmac() { return new HMAC(Hash256, 64); } static digest(data) { return Hash256.ctx.init().update(data).final(); } static root(left, right) { assert(Buffer.isBuffer(left) && left.length === 32); assert(Buffer.isBuffer(right) && right.length === 32); return Hash256.ctx.init().update(left).update(right).final(); } static multi(x, y, z) { const {ctx} = Hash256; ctx.init(); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key) { return Hash256.hmac().init(key).update(data).final(); } } /* * Static */ Hash256.native = 0; Hash256.id = 'HASH256'; Hash256.size = 32; Hash256.bits = 256; Hash256.blockSize = 64; Hash256.zero = Buffer.alloc(32, 0x00); Hash256.ctx = new Hash256(); /* * Expose */ module.exports = Hash256; }], [/* 24 */ 'bcrypto', '/lib/cleanse-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * cleanse.js - cleanse for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(25 /* './js/cleanse' */); }], [/* 25 */ 'bcrypto', '/lib/js/cleanse.js', function(exports, module, __filename, __dirname, __meta) { /*! * cleanse.js - memzero for bcrypto * Copyright (c) 2016-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const random = __node_require__(26 /* '../random' */); /** * A maybe-secure memzero. * @param {Buffer} data */ function cleanse(data) { assert(Buffer.isBuffer(data)); random.randomFill(data, 0, data.length); } /* * Static */ cleanse.native = 0; /* * Expose */ module.exports = cleanse; }], [/* 26 */ 'bcrypto', '/lib/random-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * random.js - random for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(27 /* './js/random' */); }], [/* 27 */ 'bcrypto', '/lib/js/random.js', function(exports, module, __filename, __dirname, __meta) { /*! * random.js - random number generator for bcrypto * Copyright (c) 2014-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Resources: * https://wiki.openssl.org/index.php/Random_Numbers * https://csrc.nist.gov/projects/random-bit-generation/ * http://www.pcg-random.org/posts/bounded-rands.html * https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /* * Constants */ const crypto = global.crypto || global.msCrypto; const HAS_CRYPTO = crypto && typeof crypto.getRandomValues === 'function'; const randomValues = HAS_CRYPTO ? crypto.getRandomValues.bind(crypto) : null; const pool = new Uint32Array(16); const MAX_BYTES = 65536; let poolPos = 0; /** * Generate pseudo-random bytes. * @param {Number} size * @returns {Buffer} */ function randomBytes(size) { assert((size >>> 0) === size); const data = Buffer.alloc(size); randomFillSync(data, 0, size); return data; } /** * Generate pseudo-random bytes. * @param {Buffer} data * @param {Number} [off=0] * @param {Number} [size=data.length-off] * @returns {Buffer} */ function randomFill(data, off, size) { assert(Buffer.isBuffer(data)); if (off == null) off = 0; assert((off >>> 0) === off); if (size == null) size = data.length - off; assert((size >>> 0) === size); assert(off + size <= data.length); randomFillSync(data, off, size); return data; } /** * Generate a random uint32. * @returns {Number} */ function randomInt() { if ((poolPos & 15) === 0) { getRandomValues(pool); poolPos = 0; } return pool[poolPos++]; } /** * Generate a random uint32 within a range. * @param {Number} min - Inclusive. * @param {Number} max - Exclusive. * @returns {Number} */ function randomRange(min, max) { assert((min >>> 0) === min); assert((max >>> 0) === max); assert(max >= min); const space = max - min; if (space === 0) return min; const top = -space >>> 0; let x, r; do { x = randomInt(); r = x % space; } while (x - r > top); return r + min; } /* * Helpers */ function getRandomValues(array) { if (!HAS_CRYPTO) throw new Error('Entropy source not available.'); return randomValues(array); } function randomFillSync(data, off, size) { assert(Buffer.isBuffer(data)); assert(data.buffer instanceof ArrayBuffer); assert((data.byteOffset >>> 0) === data.byteOffset); assert((data.byteLength >>> 0) === data.byteLength); assert((off >>> 0) === off); assert((size >>> 0) === size); assert(off + size <= data.byteLength); if (size > 2 ** 31 - 1) throw new RangeError('The value "size" is out of range.'); const offset = data.byteOffset + off; const array = new Uint8Array(data.buffer, offset, size); if (array.length > MAX_BYTES) { for (let i = 0; i < array.length; i += MAX_BYTES) { let j = i + MAX_BYTES; if (j > array.length) j = array.length; getRandomValues(array.subarray(i, j)); } } else { if (array.length > 0) getRandomValues(array); } } /* * Expose */ exports.native = 0; exports.randomBytes = randomBytes; exports.randomFill = randomFill; exports.randomInt = randomInt; exports.randomRange = randomRange; }], [/* 28 */ 'bcrypto', '/lib/secp256k1-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * secp256k1.js - secp256k1 for bcrypto * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(29 /* './js/secp256k1' */); }], [/* 29 */ 'bcrypto', '/lib/js/secp256k1.js', function(exports, module, __filename, __dirname, __meta) { /*! * secp256k1.js - secp256k1 for bcrypto * Copyright (c) 2014-2015, Fedor Indutny (MIT License) * Copyright (c) 2014-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; const ECDSA = __node_require__(30 /* './ecdsa' */); const SHA256 = __node_require__(39 /* '../sha256' */); const pre = __node_require__(43 /* './precomputed/secp256k1.json' */); /* * Expose */ module.exports = new ECDSA('SECP256K1', SHA256, SHA256, pre); }], [/* 30 */ 'bcrypto', '/lib/js/ecdsa.js', function(exports, module, __filename, __dirname, __meta) { /*! * ecdsa.js - ECDSA for bcrypto * Copyright (c) 2018-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/elliptic: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/elliptic * * References: * * [SEC1] SEC 1: Elliptic Curve Cryptography, Version 2.0 * Certicom Research * http://www.secg.org/sec1-v2.pdf * * [FIPS186] Suite B Implementer's Guide to FIPS 186-3 (ECDSA) * https://tinyurl.com/fips186-guide * * [GECC] Guide to Elliptic Curve Cryptography * D. Hankerson, A. Menezes, and S. Vanstone * https://tinyurl.com/guide-to-ecc * * [RFC6979] Deterministic Usage of the Digital Signature * Algorithm (DSA) and Elliptic Curve Digital * Signature Algorithm (ECDSA) * T. Pornin * https://tools.ietf.org/html/rfc6979 */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const BN = __node_require__(31 /* '../bn' */); const rng = __node_require__(26 /* '../random' */); const asn1 = __node_require__(34 /* '../internal/asn1' */); const Schnorr = __node_require__(35 /* './schnorr-legacy' */); const HmacDRBG = __node_require__(40 /* '../hmac-drbg' */); const elliptic = __node_require__(42 /* './elliptic' */); /** * ECDSA */ class ECDSA { constructor(name, hash, xof, pre) { assert(typeof name === 'string'); assert(hash); assert(xof); this.id = name; this.type = 'ecdsa'; this.hash = hash; this.xof = xof; this.native = 0; this._pre = pre || null; this._curve = null; this._schnorr = null; } get curve() { if (!this._curve) { this._curve = elliptic.curve(this.id, this._pre); this._curve.precompute(rng); this._pre = null; } return this._curve; } get schnorr() { if (!this._schnorr) this._schnorr = new Schnorr(this.curve, this.xof); return this._schnorr; } get size() { return this.curve.fieldSize; } get bits() { return this.curve.fieldBits; } privateKeyGenerate() { const a = this.curve.randomScalar(rng); return this.curve.encodeScalar(a); } privateKeyVerify(key) { assert(Buffer.isBuffer(key)); let a; try { a = this.curve.decodeScalar(key); } catch (e) { return false; } return !a.isZero() && a.cmp(this.curve.n) < 0; } privateKeyExport(key) { const pub = this.publicKeyCreate(key, false); const {x, y} = this.publicKeyExport(pub); return { d: Buffer.from(key), x, y }; } privateKeyImport(json) { assert(json && typeof json === 'object'); const a = BN.decode(json.d, this.curve.endian); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); return this.curve.encodeScalar(a); } privateKeyTweakAdd(key, tweak) { const t = this.curve.decodeScalar(tweak); if (t.cmp(this.curve.n) >= 0) throw new Error('Invalid scalar.'); const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); const k = a.add(t).imod(this.curve.n); if (k.isZero()) throw new Error('Invalid private key.'); return this.curve.encodeScalar(k); } privateKeyTweakMul(key, tweak) { const t = this.curve.decodeScalar(tweak); if (t.isZero() || t.cmp(this.curve.n) >= 0) throw new Error('Invalid scalar.'); const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); const k = a.mul(t).imod(this.curve.n); if (k.isZero()) throw new Error('Invalid private key.'); return this.curve.encodeScalar(k); } privateKeyNegate(key) { const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); const k = a.neg().imod(this.curve.n); return this.curve.encodeScalar(k); } privateKeyInvert(key) { const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); const k = a.invert(this.curve.n); return this.curve.encodeScalar(k); } publicKeyCreate(key, compress) { const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); const A = this.curve.g.mulBlind(a); return A.encode(compress); } publicKeyConvert(key, compress) { const A = this.curve.decodePoint(key); return A.encode(compress); } publicKeyFromUniform(bytes, compress) { const u = this.curve.decodeUniform(bytes); const A = this.curve.pointFromUniform(u); return A.encode(compress); } publicKeyToUniform(key, hint = rng.randomInt()) { const A = this.curve.decodePoint(key); const u = this.curve.pointToUniform(A, hint); return this.curve.encodeUniform(u, hint >>> 8); } publicKeyFromHash(bytes, compress) { const A = this.curve.pointFromHash(bytes); return A.encode(compress); } publicKeyToHash(key) { const A = this.curve.decodePoint(key); return this.curve.pointToHash(A, 0, rng); } publicKeyVerify(key) { assert(Buffer.isBuffer(key)); try { this.curve.decodePoint(key); } catch (e) { return false; } return true; } publicKeyExport(key) { const {x, y} = this.curve.decodePoint(key); return { x: this.curve.encodeField(x.fromRed()), y: this.curve.encodeField(y.fromRed()) }; } publicKeyImport(json, compress) { assert(json && typeof json === 'object'); const x = BN.decode(json.x, this.curve.endian); if (x.cmp(this.curve.p) >= 0) throw new Error('Invalid point.'); if (json.y != null) { const y = BN.decode(json.y, this.curve.endian); if (y.cmp(this.curve.p) >= 0) throw new Error('Invalid point.'); const A = this.curve.point(x, y); if (!A.validate()) throw new Error('Invalid point.'); return A.encode(compress); } const A = this.curve.pointFromX(x, json.sign); return A.encode(compress); } publicKeyTweakAdd(key, tweak, compress) { const t = this.curve.decodeScalar(tweak); if (t.cmp(this.curve.n) >= 0) throw new Error('Invalid scalar.'); const A = this.curve.decodePoint(key); const T = this.curve.g.jmul(t); const P = T.add(A); return P.encode(compress); } publicKeyTweakMul(key, tweak, compress) { const t = this.curve.decodeScalar(tweak); if (t.isZero() || t.cmp(this.curve.n) >= 0) throw new Error('Invalid scalar.'); const A = this.curve.decodePoint(key); const P = A.mul(t); return P.encode(compress); } publicKeyCombine(keys, compress) { assert(Array.isArray(keys)); let P = this.curve.jpoint(); for (const key of keys) { const A = this.curve.decodePoint(key); P = P.add(A); } return P.encode(compress); } publicKeyNegate(key, compress) { const A = this.curve.decodePoint(key); const P = A.neg(); return P.encode(compress); } signatureNormalize(sig) { const [r, s] = this._decodeCompact(sig); if (s.cmp(this.curve.nh) > 0) s.ineg().imod(this.curve.n); return this._encodeCompact(r, s); } signatureNormalizeDER(sig) { const [r, s] = this._decodeDER(sig, false); if (s.cmp(this.curve.nh) > 0) s.ineg().imod(this.curve.n); return this._encodeDER(r, s); } signatureExport(sig) { const [r, s] = this._decodeCompact(sig); return this._encodeDER(r, s); } signatureImport(sig) { const [r, s] = this._decodeDER(sig, false); return this._encodeCompact(r, s); } isLowS(sig) { assert(Buffer.isBuffer(sig)); let s; try { [, s] = this._decodeCompact(sig); } catch (e) { return false; } return s.cmp(this.curve.nh) <= 0; } isLowDER(sig) { assert(Buffer.isBuffer(sig)); let s; try { [, s] = this._decodeDER(sig, false); } catch (e) { return false; } return s.cmp(this.curve.nh) <= 0; } sign(msg, key) { const [r, s] = this._sign(msg, key); return this._encodeCompact(r, s); } signRecoverable(msg, key) { const [r, s, param] = this._sign(msg, key); return [this._encodeCompact(r, s), param]; } signDER(msg, key) { const [r, s] = this._sign(msg, key); return this._encodeDER(r, s); } signRecoverableDER(msg, key) { const [r, s, param] = this._sign(msg, key); return [this._encodeDER(r, s), param]; } _sign(msg, key) { // ECDSA Signing. // // [SEC1] Page 44, Section 4.1.3. // [GECC] Algorithm 4.29, Page 184, Section 4.4.1. // [RFC6979] Page 9, Section 2.4. // [RFC6979] Page 10, Section 3.2. // // Assumptions: // // - Let `m` be an integer reduced from bytes. // - Let `a` be a secret non-zero scalar. // - Let `k` be a random non-zero scalar. // - R != O, r != 0, s != 0. // // Computation: // // k = random integer in [1,n-1] // R = G * k // r = x(R) mod n // s = (r * a + m) / k mod n // s = -s mod n, if s > n / 2 // S = (r, s) // // We can blind the scalar arithmetic // with a random integer `b` like so: // // b = random integer in [1,n-1] // s = (r * (a * b) + m * b) / (k * b) mod n // // Note that `k` must remain secret, // otherwise an attacker can compute: // // a = (s * k - m) / r mod n // // This means that if two signatures // share the same `r` value, an attacker // can compute: // // k = (m1 - m2) / (+-s1 - +-s2) mod n // a = (s1 * k - m1) / r mod n // // Assuming: // // s1 = (r * a + m1) / k mod n // s2 = (r * a + m2) / k mod n // // To mitigate this, `k` can be generated // deterministically using the HMAC-DRBG // construction described in [RFC6979]. const {n, nh} = this.curve; const G = this.curve.g; const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(n) >= 0) throw new Error('Invalid private key.'); const m = this._reduce(msg); const nonce = this.curve.encodeScalar(m); const drbg = new HmacDRBG(this.hash, key, nonce); for (;;) { const bytes = drbg.generate(this.curve.scalarSize); const k = this._truncate(bytes); if (k.isZero() || k.cmp(n) >= 0) continue; const R = G.mulBlind(k); if (R.isInfinity()) continue; const x = R.getX(); const r = x.mod(n); if (r.isZero()) continue; const b = this.curve.randomScalar(rng); const ki = k.mul(b).fermat(n); const ba = a.mul(b).imod(n); const bm = m.mul(b).imod(n); const sk = r.mul(ba).iadd(bm).imod(n); const s = sk.mul(ki).imod(n); if (s.isZero()) continue; let param = R.isOdd() | (!x.eq(r) << 1); if (s.cmp(nh) > 0) { s.ineg().imod(n); param ^= 1; } return [r, s, param]; } } verify(msg, sig, key) { assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert(Buffer.isBuffer(key)); let r, s; try { [r, s] = this._decodeCompact(sig); } catch (e) { return false; } try { return this._verify(msg, r, s, key); } catch (e) { return false; } } verifyDER(msg, sig, key) { assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert(Buffer.isBuffer(key)); let r, s; try { [r, s] = this._decodeDER(sig, false); } catch (e) { return false; } try { return this._verify(msg, r, s, key); } catch (e) { return false; } } _verify(msg, r, s, key) { // ECDSA Verification. // // [SEC1] Page 46, Section 4.1.4. // [GECC] Algorithm 4.30, Page 184, Section 4.4.1. // // Assumptions: // // - Let `m` be an integer reduced from bytes. // - Let `r` and `s` be signature elements. // - Let `A` be a valid group element. // - r != 0, r < n. // - s != 0, s < n. // - R != O. // // Computation: // // u1 = m / s mod n // u2 = r / s mod n // R = G * u1 + A * u2 // r == x(R) mod n // // Note that the signer can verify their // own signatures more efficiently with: // // R = G * ((u1 + u2 * a) mod n) // // Furthermore, we can avoid affinization // of `R` by scaling `r` by `z^2` and // repeatedly adding `n * z^2` to it up // to a certain threshold. const {n} = this.curve; const G = this.curve.g; const m = this._reduce(msg); const A = this.curve.decodePoint(key); if (r.isZero() || r.cmp(n) >= 0) return false; if (s.isZero() || s.cmp(n) >= 0) return false; const si = s.invert(n); const u1 = m.mul(si).imod(n); const u2 = r.mul(si).imod(n); const R = G.jmulAdd(u1, A, u2); return R.eqR(r); } recover(msg, sig, param, compress) { assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert((param >>> 0) === param); assert((param & 3) === param, 'The recovery param is more than two bits.'); let r, s; try { [r, s] = this._decodeCompact(sig); } catch (e) { return null; } let A; try { A = this._recover(msg, r, s, param); } catch (e) { return null; } return A.encode(compress); } recoverDER(msg, sig, param, compress) { assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert((param >>> 0) === param); assert((param & 3) === param, 'The recovery param is more than two bits.'); let r, s; try { [r, s] = this._decodeDER(sig, false); } catch (e) { return null; } let A; try { A = this._recover(msg, r, s, param); } catch (e) { return null; } return A.encode(compress); } _recover(msg, r, s, param) { // ECDSA Public Key Recovery. // // [SEC1] Page 47, Section 4.1.6. // // Assumptions: // // - Let `m` be an integer reduced from bytes. // - Let `r` and `s` be signature elements. // - Let `i` be an integer in [0,3]. // - x^3 + a * x + b is square in F(p). // - If i > 1 then r < (p mod n). // - r != 0, r < n. // - s != 0, s < n. // - A != O. // // Computation: // // x = r + n, if i > 1 // = r, otherwise // R' = (x, sqrt(x^3 + a * x + b)) // R = -R', if i mod 2 == 1 // = +R', otherwise // s1 = m / r mod n // s2 = s / r mod n // A = R * s2 - G * s1 // // Note that this implementation will have // trouble on curves where `p / n > 1`. const {n, pmodn} = this.curve; const G = this.curve.g; const m = this._reduce(msg); if (r.isZero() || r.cmp(n) >= 0) throw new Error('Invalid R value.'); if (s.isZero() || s.cmp(n) >= 0) throw new Error('Invalid S value.'); const sign = (param & 1) !== 0; const high = param >>> 1; let x = r; if (high) { if (this.curve.highOrder) throw new Error('Invalid high bit.'); if (x.cmp(pmodn) >= 0) throw new Error('Invalid R value.'); x = x.add(n); } const R = this.curve.pointFromX(x, sign); const ri = r.invert(n); const s1 = m.mul(ri).ineg().imod(n); const s2 = s.mul(ri).imod(n); const A = G.mulAdd(s1, R, s2); if (A.isInfinity()) throw new Error('Invalid point.'); return A; } derive(pub, priv, compress) { const A = this.curve.decodePoint(pub); const a = this.curve.decodeScalar(priv); if (a.isZero() || a.cmp(this.curve.n) >= 0) throw new Error('Invalid private key.'); if (this.curve.h.cmpn(1) > 0) { if (A.isSmall()) throw new Error('Invalid point.'); } const P = A.mulBlind(a, rng); return P.encode(compress); } /* * Schnorr */ schnorrSign(msg, key) { return this.schnorr.sign(msg, key); } schnorrVerify(msg, sig, key) { return this.schnorr.verify(msg, sig, key); } schnorrVerifyBatch(batch) { return this.schnorr.verifyBatch(batch); } /* * Helpers */ _encodeCompact(r, s) { return Buffer.concat([ this.curve.encodeScalar(r), this.curve.encodeScalar(s) ]); } _decodeCompact(sig) { assert(Buffer.isBuffer(sig)); const {n} = this.curve; const size = this.curve.scalarSize; if (sig.length !== size * 2) throw new Error('Invalid signature size.'); const Rraw = sig.slice(0, size); const Sraw = sig.slice(size, size * 2); const r = this.curve.decodeScalar(Rraw); const s = this.curve.decodeScalar(Sraw); if (r.cmp(n) >= 0 || s.cmp(n) >= 0) throw new Error('Invalid signature.'); return [r, s]; } _encodeDER(r, s) { const size = asn1.sizeInt(r) + asn1.sizeInt(s); const out = Buffer.alloc(asn1.sizeSeq(size)); let pos = 0; pos = asn1.writeSeq(out, pos, size); pos = asn1.writeInt(out, pos, r); pos = asn1.writeInt(out, pos, s); assert(pos === out.length); return out; } _decodeDER(sig, strict) { assert(Buffer.isBuffer(sig)); assert(typeof strict === 'boolean'); const {n} = this.curve; let pos = 0; let r, s; pos = asn1.readSeq(sig, pos, strict); [r, pos] = asn1.readInt(sig, pos, strict); [s, pos] = asn1.readInt(sig, pos, strict); if (strict && pos !== sig.length) throw new Error('Trailing bytes.'); if (r.cmp(n) >= 0 || s.cmp(n) >= 0) throw new Error('Invalid signature.'); return [r, s]; } _truncate(msg) { // Byte array to integer conversion. // // [SEC1] Step 5, Page 45, Section 4.1.3. // [FIPS186] Page 25, Section B.2. // // The two sources above disagree on this. // // FIPS186 simply modulos the entire byte // array by the order, whereas SEC1 takes // the left-most ceil(log2(n+1)) bits modulo // the order (and maybe does other stuff). // // Instead of trying to decipher all of // this nonsense, we simply replicate the // OpenSSL behavior (which, in actuality, // is more similar to the SEC1 behavior). assert(Buffer.isBuffer(msg)); const bits = this.curve.n.bitLength(); const bytes = (bits + 7) >>> 3; if (msg.length > bytes) msg = msg.slice(0, bytes); const m = BN.decode(msg, this.curve.endian); const d = msg.length * 8 - bits; if (d > 0) m.iushrn(d); return m; } _reduce(msg) { return this._truncate(msg).imod(this.curve.n); } } /* * Expose */ module.exports = ECDSA; }], [/* 31 */ 'bcrypto', '/lib/bn-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * bn.js - big numbers for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(32 /* './js/bn' */); }], [/* 32 */ 'bcrypto', '/lib/js/bn.js', function(exports, module, __filename, __dirname, __meta) { /*! * bn.js - big numbers for bcrypto * Copyright (c) 2018-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/bn.js: * Copyright (c) 2015, Fedor Indutny (MIT License). * https://github.com/indutny/bn.js * * Parts of this software are based on golang/go: * Copyright (c) 2009, The Go Authors. All rights reserved. * https://github.com/golang/go * * Parts of this software are based on openssl/openssl: * Copyright (c) 1998-2018, The OpenSSL Project (Apache License v2.0). * Copyright (c) 1995-1998, Eric A. Young, Tim J. Hudson. All rights reserved. * https://github.com/openssl/openssl * * Parts of this software are based on libgmp: * Copyright (c) 1991-1997, 1999-2014, Free Software Foundation, Inc. * https://gmplib.org/ * * Parts of this software are based on v8/v8: * Copyright (c) 2017, The V8 Project Authors (BSD-Style License). * https://github.com/v8/v8 * * Resources: * https://github.com/indutny/bn.js/blob/master/lib/bn.js * https://github.com/indutny/miller-rabin/blob/master/lib/mr.js * https://github.com/golang/go/blob/master/src/math/big/int.go * https://github.com/golang/go/blob/master/src/math/big/nat.go * https://github.com/golang/go/blob/master/src/math/big/prime.go * https://github.com/openssl/openssl/tree/master/crypto/bn * https://github.com/openssl/openssl/blob/master/crypto/bn/bn_kron.c * https://github.com/gnutls/nettle/blob/master/mini-gmp.c * https://github.com/v8/v8/blob/master/src/objects/bigint.cc */ /* eslint valid-typeof: "off" */ 'use strict'; const {custom} = __node_require__(33 /* '../internal/custom' */); /* * Constants */ const zeros = [ '', '0', '00', '000', '0000', '00000', '000000', '0000000', '00000000', '000000000', '0000000000', '00000000000', '000000000000', '0000000000000', '00000000000000', '000000000000000', '0000000000000000', '00000000000000000', '000000000000000000', '0000000000000000000', '00000000000000000000', '000000000000000000000', '0000000000000000000000', '00000000000000000000000', '000000000000000000000000', '0000000000000000000000000' ]; const groupSizes = [ 0x00, 0x19, 0x10, 0x0c, 0x0b, 0x0a, 0x09, 0x08, 0x08, 0x07, 0x07, 0x07, 0x07, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05 ]; const groupBases = [ 0x00000000, 0x02000000, 0x0290d741, 0x01000000, 0x02e90edd, 0x039aa400, 0x0267bf47, 0x01000000, 0x0290d741, 0x00989680, 0x012959c3, 0x0222c000, 0x03bd7765, 0x0072e440, 0x00adcea1, 0x01000000, 0x01704f61, 0x0206fc40, 0x02cddcf9, 0x03d09000, 0x003e5185, 0x004ea360, 0x006235f7, 0x00798000, 0x009502f9, 0x00b54ba0, 0x00daf26b, 0x01069c00, 0x0138f9ad, 0x0172c9e0, 0x01b4d89f, 0x02000000, 0x025528a1, 0x02b54a20, 0x03216b93, 0x039aa400 ]; const primes = { p192: null, p224: null, p521: null, k256: null, p251: null, p25519: null, p448: null }; const modes = { NONE: 0, QUO: 1, REM: 2, BOTH: 3, EUCLID: 4, ALL: 7 }; const WND_WIDTH = 4; const WND_SIZE = 1 << (WND_WIDTH - 1); const HAS_BIGINT = typeof BigInt === 'function'; /** * BN */ class BN { constructor(num, base, endian) { this.words = [0]; this.length = 1; this.negative = 0; this.red = null; this.from(num, base, endian); } /* * Addition Engine */ _iadd(a, b) { let carry = 0; let i = 0; // a.length > b.length if (a.length < b.length) [a, b] = [b, a]; if (a !== this) this._alloc(a.length); for (; i < b.length; i++) { const r = (a.words[i] | 0) + (b.words[i] | 0) + carry; this.words[i] = r & 0x3ffffff; carry = r >>> 26; } for (; carry !== 0 && i < a.length; i++) { const r = (a.words[i] | 0) + carry; this.words[i] = r & 0x3ffffff; carry = r >>> 26; } this.length = a.length; if (carry !== 0) { this._alloc(this.length + 1); this.words[this.length++] = carry; } else if (a !== this) { // Copy the rest of the words. for (; i < a.length; i++) this.words[i] = a.words[i]; } // Note: we shouldn't need to strip here. return this; } _iaddn(num) { this.words[0] += num; if (this.words[0] < 0x4000000) return this; // Carry. let i = 0; this._alloc(this.length + 1); this.words[this.length] = 0; for (; i < this.length && this.words[i] >= 0x4000000; i++) { this.words[i] -= 0x4000000; this.words[i + 1] += 1; } this.length = Math.max(this.length, i + 1); // Note: we shouldn't need to strip here. return this; } /* * Addition */ iadd(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.negative === num.negative) { // x + y == x + y // (-x) + (-y) == -(x + y) this._iadd(this, num); } else { // x + (-y) == x - y == -(y - x) // (-x) + y == y - x == -(x - y) const cmp = this.ucmp(num); // x + (-x) == (-x) + x == 0 if (cmp === 0) { this.words[0] = 0; this.length = 1; this.negative = 0; return this; } if (cmp < 0) { this._isub(num, this); this.negative ^= 1; } else { this._isub(this, num); } } return this; } iaddn(num) { enforce(isSMI(num), 'num', 'smi'); const negative = (num < 0) | 0; if (negative) num = -num; if (this.negative === negative) { // x + y == x + y // (-x) + (-y) == -(x + y) this._iaddn(num); } else { // x + (-y) == x - y == -(y - x) // (-x) + y == y - x == -(x - y) if (this.length === 1 && this.words[0] < num) { this.words[0] = num - this.words[0]; this.negative ^= 1; } else { this._isubn(num); } } return this; } add(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (num.length > this.length) return num.clone().iadd(this); return this.clone().iadd(num); } addn(num) { return this.clone().iaddn(num); } /* * Subtraction Engine */ _isub(a, b) { let carry = 0; let i = 0; // a > b assert(a.length >= b.length); if (a !== this) this._alloc(a.length); for (; i < b.length; i++) { const r = (a.words[i] | 0) - (b.words[i] | 0) + carry; carry = r >> 26; this.words[i] = r & 0x3ffffff; } for (; carry !== 0 && i < a.length; i++) { const r = (a.words[i] | 0) + carry; carry = r >> 26; this.words[i] = r & 0x3ffffff; } assert(carry === 0); // Copy rest of the words. if (a !== this) { for (; i < a.length; i++) this.words[i] = a.words[i]; } this.length = Math.max(this.length, i); return this._strip(); } _isubn(num) { this.words[0] -= num; if (this.words[0] >= 0) return this._normalize(); assert(this.length !== 1); // Carry. this._alloc(this.length + 1); for (let i = 0; i < this.length && this.words[i] < 0; i++) { this.words[i] += 0x4000000; this.words[i + 1] -= 1; } this.words[this.length] = 0; return this._strip(); } /* * Subtraction */ isub(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.negative !== num.negative) { // x - (-y) == x + y // (-x) - y == -(x + y) this._iadd(this, num); } else { // x - y == x - y == -(y - x) // (-x) - (-y) == y - x == -(x - y) const cmp = this.ucmp(num); // x - x == 0 if (cmp === 0) { this.words[0] = 0; this.length = 1; this.negative = 0; return this; } if (cmp < 0) { this._isub(num, this); this.negative ^= 1; } else { this._isub(this, num); } } return this; } isubn(num) { enforce(isSMI(num), 'num', 'smi'); const negative = (num < 0) | 0; if (negative) num = -num; if (this.negative !== negative) { // x - (-y) == x + y // (-x) - y == -(x + y) this._iaddn(num); } else { // x - y == x - y == -(y - x) // (-x) - (-y) == y - x == -(x - y) if (this.length === 1 && this.words[0] < num) { this.words[0] = num - this.words[0]; this.negative ^= 1; } else { this._isubn(num); } } return this; } sub(num) { return this.clone().isub(num); } subn(num) { return this.clone().isubn(num); } /* * Multiplication Engine */ _mul(num, out) { enforce(BN.isBN(num), 'num', 'bignum'); enforce(BN.isBN(out), 'out', 'bignum'); if (this.length === 10 && num.length === 10) return comb10MulTo(this, num, out); const len = this.length + num.length; if (len < 63) return smallMulTo(this, num, out); if (len < 1024) return bigMulTo(this, num, out); return jumboMulTo(this, num, out); } /* * Multiplication */ imul(num) { return this.mul(num)._move(this); } imuln(num) { enforce(isSMI(num), 'num', 'smi'); const neg = (num < 0) | 0; if (neg) num = -num; // Carry. let carry = 0; for (let i = 0; i < this.length; i++) { const w = this.words[i] * num; const lo = (w & 0x3ffffff) + (carry & 0x3ffffff); carry >>= 26; carry += (w / 0x4000000) | 0; carry += lo >>> 26; this.words[i] = lo & 0x3ffffff; } this.negative ^= neg; if (carry !== 0) { this._alloc(this.length + 1); this.words[this.length++] = carry; } else { this._strip(); } return this; } mul(num) { enforce(BN.isBN(num), 'num', 'bignum'); const len = this.length + num.length; const out = new BN(); out.words = new Array(len); for (let i = 0; i < len; i ++) out.words[i] = 0; return this._mul(num, out); } muln(num) { return this.clone().imuln(num); } /* * Multiplication + Shift */ mulShift(num, bits) { enforce(BN.isBN(num), 'num', 'bignum'); enforce((bits >>> 0) === bits, 'bits', 'uint32'); const r = this.mul(num); const b = r.utestn(bits - 1); r.iushrn(bits); if (this.negative ^ num.negative) return r.isubn(b); return r.iaddn(b); } /* * Division Engine */ _div(num, flags) { enforce(BN.isBN(num), 'num', 'bignum'); assert((flags & modes.ALL) === flags); assert(flags !== modes.NONE); const a = this; const b = num; nonzero(!b.isZero()); if (a.isZero()) return [new BN(0), new BN(0)]; const as = a.negative; const bs = b.negative; a.negative = 0; b.negative = 0; let q = null; let r = null; if (a.ucmp(b) < 0) { if (flags & modes.QUO) q = new BN(0); if (flags & modes.REM) r = a.clone(); } else if (b.length === 1) { if (flags & modes.QUO) q = a.quon(b.words[0]); if (flags & modes.REM) r = a.remn(b.words[0]); } else { [q, r] = a._wordDiv(b, flags); } a.negative = as; b.negative = bs; if (flags & modes.QUO) { q.negative = a.negative ^ b.negative; q._normalize(); } if (flags & modes.REM) { r.negative = a.negative; r._normalize(); } if (flags & modes.EUCLID) { if (flags & modes.QUO) { assert((flags & modes.REM) !== 0); if (r.negative !== 0) { if (b.negative !== 0) q.iaddn(1); else q.isubn(1); } } if (flags & modes.REM) { if (r.negative !== 0) { if (b.negative !== 0) r.isub(b); else r.iadd(b); } } } return [q, r]; } _wordDiv(num, flags) { let a = this.clone(); let b = num; let q = null; let hi; // Normalize. const word = b.words[b.length - 1] | 0; const shift = 26 - countBits(word); if (shift !== 0) { b = b.clone(); a.iushln(shift); b.iushln(shift); hi = b.words[b.length - 1] | 0; } else { hi = word; } // Initialize quotient. const m = a.length - b.length; assert(m >= 0); if (flags & modes.QUO) { q = new BN(0); q.length = m + 1; q.words = new Array(q.length); for (let i = 0; i < q.length; i++) q.words[i] = 0; } // Diff. const d = a.clone(); d._ishlnsubmul(b, 1, m); if (d.negative === 0) { if (q) q.words[m] = 1; a = d; } // Divide. for (let j = m - 1; j >= 0; j--) { const ahi = a.words[b.length + j]; const alo = a.words[b.length + j - 1]; const quo = ((ahi * 0x4000000 + alo) / hi) | 0; let qj = Math.min(quo, 0x3ffffff); a._ishlnsubmul(b, qj, j); while (a.negative !== 0) { qj -= 1; a.negative = 0; a._ishlnsubmul(b, 1, j); a.ineg(); } if (q) q.words[j] = qj; } // Strip. if (q) q._strip(); // Denormalize. // Note: we shouldn't need to strip `a` here. if ((flags & modes.REM) && shift !== 0) a.iushrn(shift); return [q, a]; } _ishlnsubmul(num, mul, shift) { let carry = 0; let i = 0; this._expand(num.length + shift); for (; i < num.length; i++) { const k = (this.words[i + shift] | 0) + carry; const r = num.words[i] * mul; const w = k - (r & 0x3ffffff); carry = (w >> 26) - ((r / 0x4000000) | 0); this.words[i + shift] = w & 0x3ffffff; } for (; i < this.length - shift; i++) { const w = (this.words[i + shift] | 0) + carry; carry = w >> 26; this.words[i + shift] = w & 0x3ffffff; } if (carry === 0) return this._strip(); // Subtraction overflow. assert(carry === -1); carry = 0; for (let i = 0; i < this.length; i++) { const w = -(this.words[i] | 0) + carry; carry = w >> 26; this.words[i] = w & 0x3ffffff; } this.negative = 1; return this._strip(); } /* * Truncation Division + Modulo */ quorem(num) { return this._div(num, modes.BOTH); } /* * Truncation Division */ iquo(num) { return this.quo(num)._move(this); } iquon(num) { enforce(isSMI(num), 'num', 'smi'); nonzero(num !== 0); const neg = (num < 0) | 0; if (neg) num = -num; let carry = 0; for (let i = this.length - 1; i >= 0; i--) { const w = (this.words[i] | 0) + carry * 0x4000000; this.words[i] = (w / num) | 0; carry = w % num; } this.negative ^= neg; return this._strip(); } quo(num) { return this._div(num, modes.QUO)[0]; } quon(num) { return this.clone().iquon(num); } /* * Truncation Modulo */ irem(num) { return this.rem(num)._move(this); } iremn(num) { let m = this.remrn(num); if (m < 0) m = -m; this.words[0] = m; this.length = 1; return this._normalize(); } rem(num) { return this._div(num, modes.REM)[1]; } remn(num) { return this.clone().iremn(num); } remrn(num) { enforce(isSMI(num), 'num', 'smi'); nonzero(num !== 0); if (num < 0) num = -num; const p = (1 << 26) % num; let acc = 0; for (let i = this.length - 1; i >= 0; i--) acc = (p * acc + (this.words[i] | 0)) % num; return this.negative !== 0 ? (-acc | 0) : acc; } /* * Euclidean Division + Modulo */ divmod(num) { return this._div(num, modes.BOTH | modes.EUCLID); } /* * Euclidean Division */ idiv(num) { return this.div(num)._move(this); } idivn(num) { if (this.negative === 0) return this.iquon(num); const r = this.remrn(num); this.iquon(num); if (r < 0) { if (num < 0) this.iaddn(1); else this.isubn(1); } return this; } div(num) { return this._div(num, modes.BOTH | modes.EUCLID)[0]; } divn(num) { return this.clone().idivn(num); } /* * Euclidean Modulo */ imod(num) { if (this.ucmp(num) < 0) { if (this.negative !== 0) { this._isub(num, this); this.negative = 0; } return this; } return this.mod(num)._move(this); } imodn(num) { this.words[0] = this.modrn(num); this.length = 1; this.negative = 0; return this; } mod(num) { return this._div(num, modes.REM | modes.EUCLID)[1]; } modn(num) { return this.clone().imodn(num); } modrn(num) { enforce(isSMI(num), 'num', 'smi'); let r = this.remrn(num); if (r < 0) { if (num < 0) r -= num; else r += num; } return r; } /* * Round Division */ divRound(num) { const [q, r] = this.quorem(num); // Fast case - exact division. if (r.isZero()) return q; const bit = num.words[0] & 1; num.iushrn(1); const cmp = r.ucmp(num); num.iushln(1); num.words[0] |= bit; // Round down. if (cmp < 0 || (num.isOdd() && cmp === 0)) return q; // Round up. if (this.negative ^ num.negative) return q.isubn(1); return q.iaddn(1); } /* * Exponentiation */ ipow(num) { return this.pow(num)._move(this); } ipown(num) { return this.pown(num)._move(this); } pow(num) { enforce(BN.isBN(num), 'num', 'bignum'); let b = countBits(num.words[num.length - 1]); let r = new BN(1); for (let i = num.length - 1; i >= 0; i--) { const word = num.words[i]; for (let j = b - 1; j >= 0; j--) { r = r.sqr(); if ((word >> j) & 1) r = r.mul(this); } b = 26; } return r; } pown(num) { enforce(isSMI(num), 'num', 'smi'); if (num < 0) num = -num; if (num === 0) return new BN(1); if (num === 1) return this.clone(); const bits = countBits(num); let r = this; for (let i = bits - 2; i >= 0; i--) { r = r.sqr(); if ((num >> i) & 1) r = r.mul(this); } return r; } isqr() { return this.imul(this); } sqr() { return this.mul(this); } /* * Roots Engine */ _rootrem(pow, rem) { enforce((pow >>> 0) === pow, 'num', 'uint32'); if (pow === 0) throw new RangeError('Zeroth root.'); if (~pow & this.negative) throw new RangeError('Negative with even root.'); if (this.ucmpn(1) <= 0) return [this.clone(), new BN(0)]; let u = new BN(0); let t = BN.shift(1, this.bitLength() / pow + 1 | 0); let v, r; if (this.negative !== 0) t.ineg(); if (pow === 2) { do { u = t; t = this.quo(u); t.iadd(u); t.iushrn(1); } while (t.ucmp(u) < 0); } else { do { u = t; t = u.pown(pow - 1); t = this.quo(t); v = u.muln(pow - 1); t.iadd(v); t = t.quon(pow); } while (t.ucmp(u) < 0); } if (rem) { t = u.pown(pow); r = this.sub(t); } return [u, r]; } /* * Roots */ rootrem(pow) { return this._rootrem(pow, 1); } iroot(pow) { return this.root(pow)._move(this); } root(pow) { return this._rootrem(pow, 0)[0]; } isPower(pow) { enforce((pow >>> 0) === pow, 'num', 'uint32'); if (pow === 0 || (~pow & this.negative)) return false; const [, r] = this.rootrem(pow); return r.sign() === 0; } sqrtrem() { return this.rootrem(2); } isqrt() { return this.sqrt()._move(this); } sqrt() { return this.root(2); } isSquare() { return this.isPower(2); } /* * AND */ iand(num) { enforce(BN.isBN(num), 'num', 'bignum'); let x = this; let y = num; if (x === y) return x; if ((x.negative | y.negative) === 0) return x.iuand(y); if ((x.negative & y.negative) === 1) { // (-x) & (-y) == ~(x-1) & ~(y-1) // == ~((x-1) | (y-1)) // == -(((x-1) | (y-1)) + 1) x.iaddn(1); y.iaddn(1); x.iuor(y); x.isubn(1); y.isubn(1); return x; } // Assume x is the positive number. if (x.negative !== 0) [x, y] = [y.clone(), x]; // x & (-y) == x & ~(y-1) // == x & ~(y-1) const width = x.bitLength(); y.iaddn(1); y.inotn(width); x.iuand(y); y.inotn(width); y.isubn(1); return x._move(this); } iandn(num) { enforce(isSMI(num), 'num', 'smi'); if ((this.negative | (num < 0)) !== 0) return this.iand(new BN(num)); this.words[0] &= num; this.length = 1; return this; } and(num) { return this.clone().iand(num); } andn(num) { return this.clone().iandn(num); } andrn(num) { enforce(isSMI(num), 'num', 'smi'); if ((this.negative | (num < 0)) !== 0) { const n = this.iand(new BN(num)); if (n.length > 1) throw new RangeError('Number exceeds 26 bits.'); return n.negative !== 0 ? -n.words[0] : n.words[0]; } return this.words[0] & num; } /* * Unsigned AND */ iuand(num) { enforce(BN.isBN(num), 'num', 'bignum'); this.length = Math.min(this.length, num.length); for (let i = 0; i < this.length; i++) this.words[i] &= num.words[i]; return this._strip(); } iuandn(num) { enforce(isSMI(num), 'num', 'smi'); this.words[0] &= Math.abs(num); this.length = 1; return this._normalize(); } uand(num) { return this.clone().iuand(num); } uandn(num) { return this.clone().iuandn(num); } uandrn(num) { enforce(isSMI(num), 'num', 'smi'); const n = this.words[0] & Math.abs(num); return this.negative !== 0 ? (-n | 0) : n; } /* * OR */ ior(num) { enforce(BN.isBN(num), 'num', 'bignum'); let x = this; let y = num; if (x === y) return x; if ((x.negative | y.negative) === 0) return x.iuor(y); if ((x.negative & y.negative) === 1) { // (-x) | (-y) == ~(x-1) | ~(y-1) // == ~((x-1) & (y-1)) // == -(((x-1) & (y-1)) + 1) x.iaddn(1); y.iaddn(1); x.iuand(y); x.isubn(1); y.isubn(1); return x; } // Assume x is the positive number. y = y.clone(); if (x.negative !== 0) [x, y] = [y, x]; // x | (-y) == x | ~(y-1) // == ~((y-1) & ~x) // == -(((y-1) & ~x) + 1) y.iaddn(1); x.inotn(y.bitLength()); y.iuand(x); y.isubn(1); return y._move(this); } iorn(num) { enforce(isSMI(num), 'num', 'smi'); if ((this.negative | (num < 0)) !== 0) return this.ior(new BN(num)); this.words[0] |= num; return this; } or(num) { return this.clone().ior(num); } orn(num) { return this.clone().iorn(num); } /* * Unsigned OR */ iuor(num) { enforce(BN.isBN(num), 'num', 'bignum'); this._expand(num.length); for (let i = 0; i < num.length; i++) this.words[i] |= num.words[i]; // Note: we shouldn't need to strip here. return this; } iuorn(num) { enforce(isSMI(num), 'num', 'smi'); this.words[0] |= Math.abs(num); return this; } uor(num) { return this.clone().iuor(num); } uorn(num) { return this.clone().iuorn(num); } /* * XOR */ ixor(num) { enforce(BN.isBN(num), 'num', 'bignum'); let x = this; let y = num; if (x === y) { x.words[0] = 0; x.length = 1; x.negative = 0; return x; } if ((x.negative | y.negative) === 0) return x.iuxor(y); if ((x.negative & y.negative) === 1) { // (-x) ^ (-y) == ~(x-1) ^ ~(y-1) // == (x-1) ^ (y-1) x.iaddn(1); y.iaddn(1); x.iuxor(y); x.ineg(); y.isubn(1); return x; } // Assume x is the positive number. if (x.negative !== 0) [x, y] = [y.clone(), x]; // x ^ (-y) == x ^ ~(y-1) // == ~(x ^ (y-1)) // == -((x ^ (y-1)) + 1) y.iaddn(1); x.iuxor(y); x.iaddn(1); x.ineg(); y.isubn(1); return x._move(this); } ixorn(num) { enforce(isSMI(num), 'num', 'smi'); if ((this.negative | (num < 0)) !== 0) return this.ixor(new BN(num)); this.words[0] ^= num; return this; } xor(num) { return this.clone().ixor(num); } xorn(num) { return this.clone().ixorn(num); } /* * Unsigned XOR */ iuxor(num) { enforce(BN.isBN(num), 'num', 'bignum'); let a = this; let b = num; if (a.length < b.length) [a, b] = [b, a]; let i = 0; for (; i < b.length; i++) this.words[i] = a.words[i] ^ b.words[i]; if (a !== this) { this._alloc(a.length); for (; i < a.length; i++) this.words[i] = a.words[i]; } this.length = a.length; return this._strip(); } iuxorn(num) { enforce(isSMI(num), 'num', 'smi'); this.words[0] ^= Math.abs(num); return this._normalize(); } uxor(num) { return this.clone().iuxor(num); } uxorn(num) { return this.clone().iuxorn(num); } /* * NOT */ inot() { if (this.negative !== 0) { // ~(-x) == ~(~(x-1)) == x-1 this.ineg().isubn(1); } else { // ~x == -x-1 == -(x+1) this.iaddn(1).ineg(); } return this; } not() { return this.clone().inot(); } inotn(width) { enforce((width >>> 0) === width, 'width', 'uint32'); const r = width % 26; let s = Math.ceil(width / 26); let i = 0; // Extend the buffer with leading zeroes. this._expand(s); if (r > 0) s -= 1; // Handle complete words. for (; i < s; i++) this.words[i] ^= 0x3ffffff; // Handle the residue. if (r > 0) this.words[i] ^= (1 << r) - 1; // And remove leading zeroes. return this._strip(); } notn(width) { return this.clone().inotn(width); } /* * Left Shift */ ishl(num) { enforce(BN.isBN(num), 'bits', 'bignum'); enforce(num.bitLength() <= 32, 'bits', 'uint32'); return this.ishln(num.toNumber()); } ishln(bits) { return this.iushln(bits); } shl(num) { return this.clone().ishl(num); } shln(bits) { return this.clone().ishln(bits); } /* * Unsigned Left Shift */ iushl(num) { enforce(BN.isBN(num), 'bits', 'bignum'); enforce(num.bitLength() <= 32, 'bits', 'uint32'); return this.iushln(num.toNumber()); } iushln(bits) { enforce((bits >>> 0) === bits, 'bits', 'uint32'); const r = bits % 26; const s = (bits - r) / 26; const mask = ((1 << r) - 1) << (26 - r); if (r !== 0) { let carry = 0; for (let i = 0; i < this.length; i++) { const ncarry = this.words[i] & mask; const c = ((this.words[i] | 0) - ncarry) << r; this.words[i] = c | carry; carry = ncarry >>> (26 - r); } if (carry !== 0) { this._alloc(this.length + 1); this.words[this.length++] = carry; } } if (s !== 0) { this._alloc(this.length + s); for (let i = this.length - 1; i >= 0; i--) this.words[i + s] = this.words[i]; for (let i = 0; i < s; i++) this.words[i] = 0; this.length += s; } return this._strip(); } ushl(num) { return this.clone().iushl(num); } ushln(bits) { return this.clone().iushln(bits); } /* * Right Shift Engine */ _split(bits, output) { const r = bits % 26; const s = Math.min((bits - r) / 26, this.length); const mask = (1 << r) - 1; // Extended mode, copy masked part. if (output) { output._alloc(s); for (let i = 0; i < s; i++) output.words[i] = this.words[i]; output.length = s; } if (s === 0) { // No-op, we should not move anything at all. } else if (this.length > s) { this.length -= s; for (let i = 0; i < this.length; i++) this.words[i] = this.words[i + s]; } else { this.words[0] = 0; this.length = 1; } let carry = 0; if (r !== 0) { for (let i = this.length - 1; i >= 0; i--) { const word = this.words[i] | 0; this.words[i] = (carry << (26 - r)) | (word >>> r); carry = word & mask; } } // Push carried bits as a mask. if (output) { if (carry !== 0) { output._alloc(output.length + 1); output.words[output.length++] = carry; } else { if (output.length === 0) output.words[output.length++] = 0; output._strip(); } } return this._strip(); } /* * Right Shift */ ishr(num) { enforce(BN.isBN(num), 'bits', 'bignum'); enforce(num.bitLength() <= 32, 'bits', 'uint32'); return this.ishrn(num.toNumber()); } ishrn(bits) { enforce((bits >>> 0) === bits, 'bits', 'uint32'); if (this.negative !== 0) { // (-x) >> y == ~(x-1) >> y // == ~((x-1) >> y) // == -(((x-1) >> y) + 1) this.iaddn(1); this.iushrn(bits); this.isubn(1); return this; } return this.iushrn(bits); } shr(num) { return this.clone().ishr(num); } shrn(bits) { return this.clone().ishrn(bits); } /* * Unsigned Right Shift */ iushr(num) { enforce(BN.isBN(num), 'bits', 'bignum'); enforce(num.bitLength() <= 32, 'bits', 'uint32'); return this.iushrn(num.toNumber()); } iushrn(bits) { enforce((bits >>> 0) === bits, 'bits', 'uint32'); return this._split(bits, null); } ushr(num) { return this.clone().iushr(num); } ushrn(bits) { return this.clone().iushrn(bits); } /* * Bit Manipulation */ setn(bit, val) { enforce((bit >>> 0) === bit, 'bit', 'uint32'); if (this.negative !== 0) { this.iaddn(1); this.usetn(bit, !val); this.isubn(1); return this; } return this.usetn(bit, val); } usetn(bit, val) { enforce((bit >>> 0) === bit, 'bit', 'uint32'); const r = bit % 26; const s = (bit - r) / 26; this._expand(s + 1); if (val) this.words[s] |= (1 << r); else this.words[s] &= ~(1 << r); return this._strip(); } testn(bit) { enforce((bit >>> 0) === bit, 'bit', 'uint32'); const r = bit % 26; const s = (bit - r) / 26; // Fast case: bit is much higher than all existing words. if (this.length <= s) return this.negative; // Check bit and return. const w = this.words[s]; const val = (w >> r) & 1; if (this.negative !== 0) { if (r > 0 && (w & ((1 << r) - 1))) return val ^ 1; let j = s; while (j--) { if (this.words[j] > 0) return val ^ 1; } } return val; } utestn(bit) { enforce((bit >>> 0) === bit, 'bit', 'uint32'); const r = bit % 26; const s = (bit - r) / 26; // Fast case: bit is much higher than all existing words. if (this.length <= s) return 0; // Check bit and return. return (this.words[s] >> r) & 1; } imaskn(bits) { enforce((bits >>> 0) === bits, 'bits', 'uint32'); if (this.negative !== 0) { this.iaddn(1); this.inotn(bits + 1); this.ineg(); } return this.iumaskn(bits); } maskn(bits) { return this.clone().imaskn(bits); } iumaskn(bits) { enforce((bits >>> 0) === bits, 'bits', 'uint32'); const r = bits % 26; let s = (bits - r) / 26; if (this.length <= s) return this; if (r !== 0) s += 1; this.length = Math.min(s, this.length); if (r !== 0) this.words[this.length - 1] &= (1 << r) - 1; if (this.length === 0) this.words[this.length++] = 0; return this._strip(); } umaskn(bits) { return this.clone().iumaskn(bits); } andln(num) { return this.words[0] & num; } bit(pos) { return this.utestn(pos); } bits(pos, width) { enforce((pos >>> 0) === pos, 'pos', 'uint32'); enforce((width >>> 0) === width, 'width', 'uint32'); enforce(width <= 26, 'width', 'width'); const shift = pos % 26; const index = (pos - shift) / 26; if (index >= this.length) return 0; let bits = (this.words[index] >> shift) & ((1 << width) - 1); if (shift + width > 26 && index + 1 < this.length) { const more = shift + width - 26; const next = this.words[index + 1] & ((1 << more) - 1); bits |= next << (26 - shift); } return bits; } /* * Negation */ ineg() { if (!this.isZero()) this.negative ^= 1; return this; } neg() { return this.clone().ineg(); } iabs() { this.negative = 0; return this; } abs() { return this.clone().iabs(); } /* * Comparison */ cmp(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.negative !== num.negative) return num.negative - this.negative; const res = this.ucmp(num); if (this.negative !== 0) return -res | 0; return res; } cmpn(num) { enforce(isSMI(num), 'num', 'smi'); const negative = (num < 0) | 0; if (this.negative !== negative) return negative - this.negative; const res = this.ucmpn(num); if (this.negative !== 0) return -res | 0; return res; } eq(num) { return this.cmp(num) === 0; } eqn(num) { return this.cmpn(num) === 0; } gt(num) { return this.cmp(num) > 0; } gtn(num) { return this.cmpn(num) > 0; } gte(num) { return this.cmp(num) >= 0; } gten(num) { return this.cmpn(num) >= 0; } lt(num) { return this.cmp(num) < 0; } ltn(num) { return this.cmpn(num) < 0; } lte(num) { return this.cmp(num) <= 0; } lten(num) { return this.cmpn(num) <= 0; } sign() { if (this.negative !== 0) return -1; if (this.length === 1 && this.words[0] === 0) return 0; return 1; } isZero() { return this.length === 1 && this.words[0] === 0; } isNeg() { return this.negative !== 0; } isPos() { return this.negative === 0; } isOdd() { return (this.words[0] & 1) === 1; } isEven() { return (this.words[0] & 1) === 0; } /* * Unsigned Comparison */ ucmp(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.length < num.length) return -1; if (this.length > num.length) return 1; for (let i = this.length - 1; i >= 0; i--) { const a = this.words[i] | 0; const b = num.words[i] | 0; if (a === b) continue; return (a > b) - (a < b); } return 0; } ucmpn(num) { enforce(isSMI(num), 'num', 'smi'); if (this.length > 1) return 1; const w = this.words[0] | 0; if (num < 0) num = -num; return (w > num) - (w < num); } /* * Number Theoretic Functions */ legendre(num) { const red = HAS_BIGINT ? BN.red(num) : BN.mont(num); return this.toRed(red).redLegendre(); } jacobi(num) { // See: A Binary Algorithm for the Jacobi Symbol // J. Shallit, J. Sorenson // Page 3, Section 3 enforce(BN.isBN(num), 'num', 'bignum'); if (num.isZero() || num.isEven()) throw new Error('jacobi: `num` must be odd.'); let a = this._cloneNormal(); let b = num.clone(); let j = 1; if (b.isNeg()) { if (a.isNeg()) j = -1; b.ineg(); } if (a.isNeg() || a.ucmp(b) >= 0) a.imod(b); while (!a.isZero()) { const bits = a._makeOdd(); if (bits & 1) { const bmod8 = b.andln(7); if (bmod8 === 3 || bmod8 === 5) j = -j; } if (a.ucmp(b) < 0) { [a, b] = [b, a]; if (a.andln(3) === 3 && b.andln(3) === 3) j = -j; } a._isub(a, b).iushrn(1); const bmod8 = b.andln(7); if (bmod8 === 3 || bmod8 === 5) j = -j; } if (b.cmpn(1) !== 0) return 0; return j; } kronecker(num) { enforce(BN.isBN(num), 'num', 'bignum'); const table = [ 0, 1, 0, -1, 0, -1, 0, 1 ]; let a = this._cloneNormal(); let b = num.clone(); let k = 1; if (b.isZero()) return a.ucmpn(1) === 0 ? k : 0; if (!a.isOdd() && !b.isOdd()) return 0; const bits = b._makeOdd(); if (bits & 1) k = table[a.andln(7)]; if (b.isNeg()) { if (a.isNeg()) k = -k; b.ineg(); } while (!a.isZero()) { const bits = a._makeOdd(); if (bits & 1) k *= table[b.andln(7)]; const w = a.words[0] ^ (a.negative * 0x3ffffff); if (w & b.words[0] & 2) k = -k; b.imod(a); [a, b] = [b, a]; b.negative = 0; } if (b.cmpn(1) !== 0) return 0; return k; } igcd(num) { return this.gcd(num)._move(this); } gcd(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.isZero()) return num.abs(); if (num.isZero()) return this.abs(); let a = this.clone(); let b = num.clone(); a.negative = 0; b.negative = 0; // Remove common factor of two. const shift = a._factor2(b); if (shift !== 0) { a.iushrn(shift); b.iushrn(shift); } for (;;) { a._makeOdd(); b._makeOdd(); const cmp = a.ucmp(b); if (cmp < 0) { // a > b [a, b] = [b, a]; } else if (cmp === 0 || b.ucmpn(1) === 0) { // Break if a == b. // Break if b == 1 to avoid repeated subtraction. break; } a._isub(a, b); } return b.iushln(shift); } ilcm(num) { return this.lcm(num)._move(this); } lcm(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.isZero() || num.isZero()) return new BN(0); return this.quo(this.gcd(num)).mul(num).iabs(); } egcd(num) { enforce(BN.isBN(num), 'num', 'bignum'); if (this.isZero()) { return [ new BN(0), new BN(num.sign()), num.abs() ]; } if (num.isZero()) { return [ new BN(this.sign()), new BN(0), this.abs() ]; } const x = this.clone(); const y = num.clone(); x.negative = 0; y.negative = 0; // A * x + B * y = x const A = new BN(1); const B = new BN(0); // C * x + D * y = y const C = new BN(0); const D = new BN(1); // Remove common factor of two. const g = x._factor2(y); if (g > 0) { x.iushrn(g); y.iushrn(g); } const xp = x.clone(); const yp = y.clone(); while (!x.isZero()) { let i = x._makeOdd(); let j = y._makeOdd(); while (i--) { if (A.isOdd() || B.isOdd()) { A.iadd(yp); B.isub(xp); } A.iushrn(1); B.iushrn(1); } while (j--) { if (C.isOdd() || D.isOdd()) { C.iadd(yp); D.isub(xp); } C.iushrn(1); D.iushrn(1); } if (x.cmp(y) >= 0) { x.isub(y); A.isub(C); B.isub(D); } else { y.isub(x); C.isub(A); D.isub(B); } } if (this.negative !== 0) C.ineg(); if (num.negative !== 0) D.ineg(); return [C, D, y.iushln(g)]; } iinvert(num) { return this.invert(num)._move(this); } invert(num) { enforce(BN.isBN(num), 'num', 'bignum'); range(num.sign() > 0, 'invert'); if (num.isOdd()) return this._invertp(num); if (num.cmpn(1) === 0) throw new RangeError('Not invertible.'); const [s,, g] = this.egcd(num); if (g.cmpn(1) !== 0) throw new RangeError('Not invertible.'); return s.imod(num); } ifermat(num) { return this.fermat(num)._move(this); } fermat(num) { const red = HAS_BIGINT ? BN.red(num) : BN.mont(num); return this.toRed(red).redFermat().fromRed(); } ipowm(y, m, mont) { return this.powm(y, m, mont)._move(this); } powm(y, m, mont) { const red = !HAS_BIGINT && mont ? BN.mont(m) : BN.red(m); return this.toRed(red).redPow(y).fromRed(); } ipowmn(y, m, mont) { return this.powmn(y, m, mont)._move(this); } powmn(y, m, mont) { const red = mont ? BN.mont(m) : BN.red(m); return this.toRed(red).redPown(y).fromRed(); } isqrtm(p) { return this.sqrtm(p)._move(this); } sqrtm(p) { enforce(BN.isBN(p), 'p', 'bignum'); let red; if (p.andln(3) === 3 || p.andln(7) === 5) { // Probably not worth the setup. red = BN.red(p); } else { red = BN.mont(p); } return this.toRed(red).redSqrt().fromRed(); } isqrtpq(p, q) { return this.sqrtpq(p, q)._move(this); } sqrtpq(p, q) { const sp = this.sqrtm(p); const sq = this.sqrtm(q); const [mp, mq] = p.egcd(q); const lhs = sq.mul(mp).mul(p); const rhs = sp.mul(mq).mul(q); const n = p.mul(q); return lhs.iadd(rhs).imod(n); } /* * Primality Testing */ isPrime(rng, reps, limit) { enforce((reps >>> 0) === reps, 'reps', 'uint32'); if (!this.isPrimeMR(rng, reps + 1, true)) return false; if (!this.isPrimeLucas(limit)) return false; return true; } isPrimeMR(rng, reps, force2 = false) { enforce((reps >>> 0) === reps, 'reps', 'uint32'); enforce(reps > 0, 'reps', 'integer'); enforce(typeof force2 === 'boolean', 'force2', 'boolean'); const n = this; if (n.cmpn(7) < 0) { return n.cmpn(2) === 0 || n.cmpn(3) === 0 || n.cmpn(5) === 0; } if (n.isEven()) return false; const nm1 = n.subn(1); const nm3 = nm1.subn(2); const k = nm1.zeroBits(); const q = nm1.ushrn(k); const red = BN.red(n); const rnm1 = nm1.toRed(red); const rone = new BN(1).toRed(red); next: for (let i = 0; i < reps; i++) { let x; if (i === reps - 1 && force2) { x = new BN(2); } else { x = BN.random(rng, 0, nm3); x.iaddn(2); } let y = x.toRed(red).redPow(q); if (y.cmp(rone) === 0 || y.cmp(rnm1) === 0) continue; for (let j = 1; j < k; j++) { y = y.redSqr(); if (y.cmp(rnm1) === 0) continue next; if (y.cmp(rone) === 0) return false; } return false; } return true; } isPrimeLucas(limit = 0) { enforce((limit >>> 0) === limit, 'limit', 'uint32'); const n = this; // Ignore 0 and 1. if (n.cmpn(1) <= 0) return false; // Two is the only even prime. if (n.isEven()) return n.cmpn(2) === 0; let p = 3; for (;;) { if (p > 10000) { // Thought to be impossible. throw new Error(`Cannot find (D/n) = -1 for ${n.toString(10)}.`); } if (limit !== 0 && p > limit) { // Optional DoS limit. return false; } const d = new BN(p * p - 4); const j = d.jacobi(n); if (j === -1) break; if (j === 0) return n.cmpn(p + 2) === 0; if (p === 40) { if (n.isSquare()) return false; } p += 1; } const s = n.addn(1); const r = s._makeOdd(); let vk = new BN(2); let vk1 = new BN(p); for (let i = s.bitLength(); i >= 0; i--) { if (s.utestn(i)) { vk = vk.mul(vk1).isubn(p).imod(n); vk1 = vk1.sqr().isubn(2).imod(n); } else { vk1 = vk1.mul(vk).isubn(p).imod(n); vk = vk.sqr().isubn(2).imod(n); } } if (vk.cmpn(2) === 0 || vk.cmp(n.subn(2)) === 0) { const a = vk.muln(p).imod(n); const b = vk1.ushln(1).imod(n); if (a.cmp(b) === 0) return true; } for (let t = 0; t < r - 1; t++) { if (vk.isZero()) return true; if (vk.cmpn(2) === 0) return false; vk = vk.sqr().isubn(2).imod(n); } return false; } /* * Twos Complement */ toTwos(width) { if (this.negative !== 0) return this.abs().inotn(width).iaddn(1); return this.clone(); } fromTwos(width) { enforce((width >>> 0) === width, 'width', 'uint32'); range(width > 0, 'width'); if (this.testn(width - 1)) return this.notn(width).iaddn(1).ineg(); return this.clone(); } /* * Reduction Context */ toRed(ctx) { enforce(ctx instanceof Red, 'ctx', 'reduction context'); if (this.red) throw new Error('Already in reduction context.'); return ctx.convertTo(this); } fromRed() { red(this.red, 'fromRed'); return this.red.convertFrom(this); } forceRed(ctx) { enforce(ctx instanceof Red, 'ctx', 'reduction context'); if (this.red) { if (!ctx.m.eq(this.red.m) || ctx.mont !== this.red.mont) throw new Error('Already in reduction context.'); } else { range(this.negative === 0, 'red'); range(this.ucmp(ctx.m) < 0, 'red'); } return this.clone()._forceRed(ctx); } redIAdd(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redIAdd'); return this.red.iadd(this, num); } redAdd(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redAdd'); return this.red.add(this, num); } redIAddn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redIAddn'); return this.red.iaddn(this, num); } redAddn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redAddn'); return this.red.addn(this, num); } redISub(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redISub'); return this.red.isub(this, num); } redSub(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redSub'); return this.red.sub(this, num); } redISubn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redISubn'); return this.red.isubn(this, num); } redSubn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redSubn'); return this.red.subn(this, num); } redIMul(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redIMul'); return this.red.imul(this, num); } redMul(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redMul'); return this.red.mul(this, num); } redIMuln(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redIMuln'); return this.red.imuln(this, num); } redMuln(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redMuln'); return this.red.muln(this, num); } redIDiv(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redIDiv'); return this.red.idiv(this, num); } redDiv(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redDiv'); return this.red.div(this, num); } redIDivn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redIDivn'); return this.red.idivn(this, num); } redDivn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redDivn'); return this.red.divn(this, num); } redIPow(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redIPow'); nonred(!num.red, 'redIPow'); return this.red.ipow(this, num); } redPow(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redPow'); nonred(!num.red, 'redPow'); return this.red.pow(this, num); } redIPown(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redIPown'); return this.red.ipown(this, num); } redPown(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redPown'); return this.red.pown(this, num); } redISqr() { red(this.red, 'redISqr'); return this.red.isqr(this); } redSqr() { red(this.red, 'redSqr'); return this.red.sqr(this); } redISqrt() { red(this.red, 'redISqrt'); return this.red.isqrt(this); } redSqrt() { red(this.red, 'redSqrt'); return this.red.sqrt(this); } redIDivSqrt(v) { red(this.red, 'redIDivSqrt'); return this.red.idivsqrt(this, v); } redDivSqrt(v) { red(this.red, 'redDivSqrt'); return this.red.divsqrt(this, v); } redIsSquare() { red(this.red, 'redIsSquare'); return this.red.isSquare(this); } redIShl(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redIShl'); nonred(!num.red, 'redIShl'); return this.red.ishl(this, num); } redShl(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redShl'); nonred(!num.red, 'redShl'); return this.red.shl(this, num); } redIShln(num) { enforce((num >>> 0) === num, 'num', 'uint32'); red(this.red, 'redIShln'); return this.red.ishln(this, num); } redShln(num) { enforce((num >>> 0) === num, 'num', 'uint32'); red(this.red, 'redShln'); return this.red.shln(this, num); } redINeg() { red(this.red, 'redINeg'); return this.red.ineg(this); } redNeg() { red(this.red, 'redNeg'); return this.red.neg(this); } redEq(num) { enforce(BN.isBN(num), 'num', 'bignum'); red(this.red, 'redEq'); return this.red.eq(this, num); } redEqn(num) { enforce(isSMI(num), 'num', 'smi'); red(this.red, 'redEqn'); return this.red.eqn(this, num); } redIsHigh() { red(this.red, 'redIsHigh'); return this.red.isHigh(this); } redIsLow() { red(this.red, 'redIsLow'); return this.red.isLow(this); } redIsOdd() { red(this.red, 'redIsOdd'); return this.red.isOdd(this); } redIsEven() { red(this.red, 'redIsEven'); return this.red.isEven(this); } redLegendre() { red(this.red, 'redLegendre'); return this.red.legendre(this); } redJacobi() { red(this.red, 'redJacobi'); return this.red.jacobi(this); } redKronecker() { red(this.red, 'redKronecker'); return this.red.kronecker(this); } redIInvert() { red(this.red, 'redIInvert'); return this.red.iinvert(this); } redInvert() { red(this.red, 'redInvert'); return this.red.invert(this); } redIFermat() { red(this.red, 'redIFermat'); return this.red.ifermat(this); } redFermat() { red(this.red, 'redFermat'); return this.red.fermat(this); } /* * Internal */ _move(dest) { dest.words = this.words; dest.length = this.length; dest.negative = this.negative; dest.red = this.red; return dest; } _alloc(size) { while (this.words.length < size) this.words.push(0); return this; } _expand(size) { this._alloc(size); while (this.length < size) this.words[this.length++] = 0; return this; } _strip() { while (this.length > 1 && this.words[this.length - 1] === 0) this.length -= 1; return this._normalize(); } _normalize() { assert(this.length > 0); // -0 = 0 if (this.length === 1 && this.words[0] === 0) this.negative = 0; return this; } _check() { // We never have a zero length number. assert(this.length > 0); // Cannot exceed array bounds. assert(this.length <= this.words.length); if (this.length === 1) { // Must be normalized. if (this.words[0] === 0) assert(this.negative === 0); return this; } // Must be stripped. assert(this.words[this.length - 1] !== 0); return this; } _invertp(p) { // Penk's right shift binary EGCD. // // See: The Art of Computer Programming, // Volume 2, Seminumerical Algorithms // Donald E. Knuth // Exercise 4.5.2.39 enforce(BN.isBN(p), 'p', 'bignum'); range(p.sign() > 0, 'invert'); assert(p.isOdd()); if (p.cmpn(1) === 0) throw new RangeError('Not invertible.'); const a = this.clone(); const b = p.clone(); const u = new BN(1); const v = new BN(0); if (a.isNeg() || a.ucmp(b) >= 0) a.imod(b); while (!a.isZero()) { let i = a._makeOdd(); let j = b._makeOdd(); while (i--) { if (u.isOdd()) u._iadd(u, p); u.iushrn(1); } while (j--) { if (v.isOdd()) v._iadd(v, p); v.iushrn(1); } if (a.ucmp(b) >= 0) { a._isub(a, b); if (u.ucmp(v) < 0) { u._isub(v, u); u._isub(p, u); } else { u._isub(u, v); } } else { b._isub(b, a); if (v.ucmp(u) < 0) { v._isub(u, v); v._isub(p, v); } else { v._isub(v, u); } } } if (b.cmpn(1) !== 0) throw new RangeError('Not invertible.'); assert(v.negative === 0); assert(v.ucmp(p) < 0); return v; } _makeOdd() { const shift = this.zeroBits(); if (shift > 0) this.iushrn(shift); return shift; } _factor2(num) { // Find common factor of two. // Expects inputs to be non-zero. if ((this.words[0] | num.words[0]) & 1) return 0; const len = Math.min(this.length, num.length); let r = 0; for (let i = 0; i < len; i++) { const b = zeroBits(this.words[i] | num.words[i]); r += b; if (b !== 26) break; } return r; } _cloneNormal() { return this.red ? this.fromRed() : this.clone(); } _forceRed(ctx) { this.red = ctx; return this; } /* * Helpers */ clone() { const copy = new BN(); copy.words = new Array(this.length); for (let i = 0; i < this.length; i++) copy.words[i] = this.words[i]; copy.length = this.length; copy.negative = this.negative; copy.red = this.red; return copy; } inject(num) { enforce(BN.isBN(num), 'num', 'bignum'); this._alloc(num.length); for (let i = 0; i < num.length; i++) this.words[i] = num.words[i]; this.length = num.length; this.negative = num.negative; this.red = num.red; return this; } set(num, endian) { return this.fromNumber(num, endian); } swap(num) { enforce(BN.isBN(num), 'num', 'bignum'); const x = this; const y = num; [x.words, y.words] = [y.words, x.words]; [x.length, y.length] = [y.length, x.length]; [x.negative, y.negative] = [y.negative, x.negative]; [x.red, y.red] = [y.red, x.red]; return x; } reverse() { const neg = this.negative; this.fromBuffer(this.toBuffer('be'), 'le'); this.negative = neg; return this; } byteLength() { return Math.ceil(this.bitLength() / 8); } bitLength() { const w = this.words[this.length - 1]; const hi = countBits(w); return (this.length - 1) * 26 + hi; } zeroBits() { if (this.isZero()) return 0; if (this.isOdd()) return 0; let r = 0; for (let i = 0; i < this.length; i++) { const b = zeroBits(this.words[i]); r += b; if (b !== 26) break; } return r; } isSafe() { if (this.length <= 2) return true; if (this.length === 3 && this.words[2] === 0x01) return true; return false; } word(pos) { enforce((pos >>> 0) === pos, 'pos', 'uint32'); if (pos >= this.length) return 0; return this.words[pos]; } [custom]() { let prefix = 'BN'; if (this.red) prefix = 'BN-R'; return `<${prefix}: ${this.toString(10)}>`; } /* * Conversion */ toNumber() { let num = this.words[0]; if (this.length === 2) { num += this.words[1] * 0x4000000; } else if (this.length === 3 && this.words[2] === 0x01) { // Note: at this stage it is known that the top bit is set. num += 0x10000000000000 + (this.words[1] * 0x4000000); } else if (this.length > 2) { throw new RangeError('Number can only safely store up to 53 bits.'); } return this.negative !== 0 ? -num : num; } toDouble() { let num = 0; for (let i = this.length - 1; i >= 0; i--) num = (num * 0x4000000) + this.words[i]; return this.negative !== 0 ? -num : num; } valueOf() { return this.toDouble(); } toBigInt() { if (!HAS_BIGINT) throw new Error('BigInt is not supported!'); const s52 = BigInt(52); const s26 = BigInt(26); let i = this.length - 1; let num = BigInt(0); for (; i >= 1; i -= 2) { const hi = this.words[i] * 0x4000000; const lo = this.words[i - 1]; num = (num << s52) | BigInt(hi + lo); } if (i >= 0) num = (num << s26) | BigInt(this.words[0]); return this.negative !== 0 ? -num : num; } toBool() { return !this.isZero(); } toString(base, padding) { base = getBase(base); if (padding == null) padding = 0; if (padding === 0) padding = 1; enforce((base >>> 0) === base, 'base', 'uint32'); enforce((padding >>> 0) === padding, 'padding', 'uint32'); if (base < 2 || base > 36) throw new RangeError('Base ranges between 2 and 36.'); this._check(); if (base === 16) { let out = ''; let off = 0; let carry = 0; for (let i = 0; i < this.length; i++) { const w = this.words[i]; const word = (((w << off) | carry) & 0xffffff).toString(16); carry = (w >>> (24 - off)) & 0xffffff; if (carry !== 0 || i !== this.length - 1) out = zeros[6 - word.length] + word + out; else out = word + out; off += 2; if (off >= 26) { off -= 26; i -= 1; } } if (carry !== 0) out = carry.toString(16) + out; while (out.length % padding !== 0) out = '0' + out; if (this.negative !== 0) out = '-' + out; return out; } const groupSize = groupSizes[base - 1]; const groupBase = groupBases[base - 1]; const c = this.clone(); let out = ''; c.negative = 0; while (!c.isZero()) { const r = c.remrn(groupBase).toString(base); c.iquon(groupBase); if (!c.isZero()) out = zeros[groupSize - r.length] + r + out; else out = r + out; } if (this.isZero()) out = '0'; while (out.length % padding !== 0) out = '0' + out; if (this.negative !== 0) out = '-' + out; return out; } toJSON() { return this.toString(16, 2); } toArray(endian, length) { return this.toArrayLike(Array, endian, length); } toBuffer(endian, length) { return this.toArrayLike(Buffer, endian, length); } toArrayLike(ArrayType, endian, length) { if (endian == null) endian = 'be'; if (length == null) length = 0; enforce(typeof ArrayType === 'function', 'ArrayType', 'function'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); enforce((length >>> 0) === length, 'length', 'uint32'); this._check(); const bytes = this.byteLength(); const size = length || Math.max(1, bytes); if (bytes > size) throw new RangeError('Byte array longer than desired length.'); const res = allocate(ArrayType, size); // See: https://github.com/indutny/bn.js/pull/222 if (endian === 'be') { let pos = res.length - 1; let carry = 0; for (let i = 0; i < this.length; i++) { const shift = (i & 3) << 1; const word = (this.words[i] << shift) | carry; res[pos--] = word & 0xff; if (pos >= 0) res[pos--] = (word >>> 8) & 0xff; if (pos >= 0) res[pos--] = (word >>> 16) & 0xff; if (shift === 6) { if (pos >= 0) res[pos--] = (word >>> 24) & 0xff; carry = 0; } else { carry = word >>> 24; } } if (pos >= 0) { res[pos--] = carry; while (pos >= 0) res[pos--] = 0; carry = 0; } assert(carry === 0); } else { let pos = 0; let carry = 0; for (let i = 0; i < this.length; i++) { const shift = (i & 3) << 1; const word = (this.words[i] << shift) | carry; res[pos++] = word & 0xff; if (pos < res.length) res[pos++] = (word >>> 8) & 0xff; if (pos < res.length) res[pos++] = (word >>> 16) & 0xff; if (shift === 6) { if (pos < res.length) res[pos++] = (word >>> 24) & 0xff; carry = 0; } else { carry = word >>> 24; } } if (pos < res.length) { res[pos++] = carry; while (pos < res.length) res[pos++] = 0; carry = 0; } assert(carry === 0); } return res; } encode(endian, length) { return this.toBuffer(endian, length); } /* * Instantiation */ of(num, endian) { return this.fromNumber(num, endian); } fromNumber(num, endian) { if (endian == null) endian = 'be'; enforce(isInteger(num), 'num', 'integer'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); const neg = (num < 0) | 0; if (neg) num = -num; if (num < 0x4000000) { this.words[0] = num & 0x3ffffff; this.length = 1; } else if (num < 0x10000000000000) { this.words = [ num & 0x3ffffff, (num / 0x4000000) & 0x3ffffff ]; this.length = 2; } else { this.words = [ num & 0x3ffffff, (num / 0x4000000) & 0x3ffffff, 1 ]; this.length = 3; } this.negative = neg; if (endian === 'le') this.reverse(); return this; } fromDouble(num, endian) { if (endian == null) endian = 'be'; enforce(typeof num === 'number', 'num', 'double'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); if (!isFinite(num)) num = 0; const neg = (num <= -1) | 0; if (num < 0) num = -num; num = Math.floor(num); this.words = []; while (num > 0) { const lo = num % 0x4000000; const hi = (num - lo) / 0x4000000; this.words.push(lo); num = hi; } if (this.words.length === 0) this.words.push(0); this.length = this.words.length; this.negative = neg; if (endian === 'le') this.reverse(); return this; } fromBigInt(num, endian) { if (endian == null) endian = 'be'; enforce(typeof num === 'bigint', 'num', 'bigint'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); if (!HAS_BIGINT) throw new Error('BigInt is not supported!'); // You know the implementation has a // problem when strings are twice // as fast as bigints. const start = (num < BigInt(0)) | 0; this._fromHex(num.toString(16), start); this.negative = start; if (endian === 'le') this.reverse(); return this; } fromBool(value) { enforce(typeof value === 'boolean', 'value', 'boolean'); this.words[0] = value | 0; this.length = 1; this.negative = 0; return this; } fromString(str, base, endian) { if (base === 'le' || base === 'be') [base, endian] = [endian, base]; base = getBase(base); if (endian == null) endian = 'be'; enforce(typeof str === 'string', 'string', 'string'); enforce((base >>> 0) === base, 'base', 'uint32'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); if (base < 2 || base > 36) throw new Error('Base ranges between 2 and 36.'); str = str.replace(/\s+/g, ''); let start = 0; if (str.length > 0 && str.charCodeAt(0) === 0x2d) start = 1; if (base === 16) this._fromHex(str, start); else this._fromBase(str, base, start); this.negative = start; this._normalize(); if (endian === 'le') this.reverse(); return this; } _fromHex(str, start) { this.length = Math.max(2, Math.ceil((str.length - start) / 6)); this.words = new Array(this.length); for (let i = 0; i < this.length; i++) this.words[i] = 0; // Scan 24-bit chunks and add them to the number. let off = 0; let i = str.length - 6; let j = 0; for (; i >= start; i -= 6) { const w = parseHex(str, i, i + 6); this.words[j] |= (w << off) & 0x3ffffff; // `0x3fffff` is intentional here, 26bits max shift + 24bit hex limb. this.words[j + 1] |= (w >>> (26 - off)) & 0x3fffff; off += 24; if (off >= 26) { off -= 26; j += 1; } } if (i + 6 !== start) { const w = parseHex(str, start, i + 6); this.words[j] |= (w << off) & 0x3ffffff; this.words[j + 1] |= (w >>> (26 - off)) & 0x3fffff; } return this._strip(); } _fromBase(str, base, start) { // Initialize as zero. this.words[0] = 0; this.length = 1; this.negative = 0; // Find length of limb in base. let limbLen = 0; let limbPow = 1; for (; limbPow <= 0x3ffffff; limbPow *= base) limbLen += 1; limbLen -= 1; limbPow = (limbPow / base) | 0; const total = str.length - start; const mod = total % limbLen; const end = Math.min(total, total - mod) + start; let i = start; for (; i < end; i += limbLen) { const word = parseBase(str, i, i + limbLen, base); this.imuln(limbPow); this._iaddn(word); } if (mod !== 0) { const pow = Math.pow(base, mod); const word = parseBase(str, i, str.length, base); this.imuln(pow); this._iaddn(word); } return this; } fromJSON(json) { if (BN.isBN(json)) { if (json.red) return json.fromRed(); return json.clone(); } if (Array.isArray(json)) { for (const chunk of json) enforce(typeof chunk === 'string', 'chunk', 'string'); json = json.join(''); } return this.fromString(json, 16); } fromBN(num) { return this.inject(num); } fromArray(data, endian) { enforce(Array.isArray(data), 'data', 'array'); return this.fromArrayLike(data, endian); } fromBuffer(data, endian) { enforce(Buffer.isBuffer(data), 'data', 'buffer'); return this.fromArrayLike(data, endian); } fromArrayLike(data, endian) { if (endian == null) endian = 'be'; enforce(data && (data.length >>> 0) === data.length, 'data', 'array-like'); enforce(endian === 'be' || endian === 'le', 'endian', 'endianness'); if (data.length === 0) { this.words[0] = 0; this.length = 1; this.negative = 0; return this; } this.length = Math.max(2, Math.ceil(data.length / 3)); this.words = new Array(this.length); this.negative = 0; for (let i = 0; i < this.length; i++) this.words[i] = 0; const left = data.length % 3; let off = 0; let j = 0; let w = 0; if (endian === 'be') { for (let i = data.length - 1; i >= 2; i -= 3) { const w = data[i] | (data[i - 1] << 8) | (data[i - 2] << 16); this.words[j] |= (w << off) & 0x3ffffff; this.words[j + 1] = (w >>> (26 - off)) & 0x3ffffff; off += 24; if (off >= 26) { off -= 26; j += 1; } } switch (left) { case 2: w = data[1] | (data[0] << 8); break; case 1: w = data[0]; break; } } else { const len = data.length - left; for (let i = 0; i < len; i += 3) { const w = data[i] | (data[i + 1] << 8) | (data[i + 2] << 16); this.words[j] |= (w << off) & 0x3ffffff; this.words[j + 1] = (w >>> (26 - off)) & 0x3ffffff; off += 24; if (off >= 26) { off -= 26; j += 1; } } switch (left) { case 2: w = data[len] | (data[len + 1] << 8); break; case 1: w = data[len]; break; } } if (left > 0) { this.words[j] |= (w << off) & 0x3ffffff; this.words[j + 1] = (w >>> (26 - off)) & 0x3ffffff; } return this._strip(); } decode(data, endian) { return this.fromBuffer(data, endian); } from(num, base, endian) { if (num == null) return this; if (base === 'le' || base === 'be') [base, endian] = [endian, base]; if (typeof num === 'number') return this.fromNumber(num, endian); if (typeof num === 'bigint') return this.fromBigInt(num, endian); if (typeof num === 'string') return this.fromString(num, base, endian); if (typeof num === 'object') { if (BN.isBN(num)) return this.fromBN(num, endian); if ((num.length >>> 0) === num.length) return this.fromArrayLike(num, endian); } if (typeof num === 'boolean') return this.fromBool(num); throw new TypeError('Non-numeric object passed to BN.'); } /* * Static Methods */ static min(...args) { let min = null; for (const num of args) { enforce(BN.isBN(num), 'num', 'bignum'); if (!min || num.cmp(min) < 0) min = num; } return min || new BN(0); } static max(...args) { let max = null; for (const num of args) { enforce(BN.isBN(num), 'num', 'bignum'); if (!max || num.cmp(max) > 0) max = num; } return max || new BN(0); } static cmp(a, b) { enforce(BN.isBN(a), 'a', 'bignum'); return a.cmp(b); } static ucmp(a, b) { enforce(BN.isBN(a), 'a', 'bignum'); return a.ucmp(b); } static red(num) { return new Red(num); } static barrett(num) { return new Barrett(num); } static mont(num) { return new Mont(num); } static _prime(name) { if (primes[name]) return primes[name]; let prime; if (name === 'p192') prime = new P192(); else if (name === 'p224') prime = new P224(); else if (name === 'p521') prime = new P521(); else if (name === 'k256') prime = new K256(); else if (name === 'p251') prime = new P251(); else if (name === 'p25519') prime = new P25519(); else if (name === 'p448') prime = new P448(); else throw new Error(`Unknown prime: "${name}".`); primes[name] = prime; return prime; } static prime(name) { return BN._prime(name).p.clone(); } static pow(num, exp) { if (num === 2) return BN.shift(1, exp); return new BN().fromNumber(num).pown(exp); } static shift(num, bits) { if (num === 1) return new BN(0).usetn(bits, 1); return new BN().fromNumber(num).ishln(bits); } static mask(bits) { return BN.shift(1, bits).isubn(1); } static randomBits(rng, bits) { enforce(rng != null, 'rng', 'rng'); enforce((bits >>> 0) === bits, 'bits', 'uint32'); if (typeof rng === 'object') { enforce(typeof rng.randomBytes === 'function', 'rng', 'rng'); const size = (bits + 7) >>> 3; const total = size * 8; const bytes = rng.randomBytes(size); enforce(Buffer.isBuffer(bytes), 'bytes', 'buffer'); if (bytes.length !== size) throw new RangeError('Invalid number of bytes returned from RNG.'); const num = BN.fromBuffer(bytes); if (total > bits) num.iushrn(total - bits); return num; } enforce(typeof rng === 'function', 'rng', 'rng'); const num = rng(bits); enforce(BN.isBN(num), 'num', 'bignum'); range(num.negative === 0, 'RNG'); nonred(!num.red, 'RNG'); if (num.bitLength() > bits) throw new RangeError('Invalid number of bits returned from RNG.'); return num; } static random(rng, min, max) { min = BN.cast(min, 16); max = BN.cast(max, 16); if (min.cmp(max) > 0) throw new RangeError('Minimum cannot be greater than maximum.'); const space = max.sub(min).iabs(); const bits = space.bitLength(); if (bits === 0) return min.clone(); for (;;) { const num = BN.randomBits(rng, bits); // Maximum is _exclusive_! if (num.cmp(space) >= 0) continue; // Minimum is _inclusive_! num.iadd(min); return num; } } static of(num, endian) { return new BN().of(num, endian); } static fromNumber(num, endian) { return new BN().fromNumber(num, endian); } static fromDouble(num, endian) { return new BN().fromDouble(num, endian); } static fromBigInt(num, endian) { return new BN().fromBigInt(num, endian); } static fromBool(value) { return new BN().fromBool(value); } static fromString(str, base, endian) { return new BN().fromString(str, base, endian); } static fromJSON(json) { return new BN().fromJSON(json); } static fromBN(num) { return new BN().fromBN(num); } static fromArray(data, endian) { return new BN().fromArray(data, endian); } static fromBuffer(data, endian) { return new BN().fromBuffer(data, endian); } static fromArrayLike(data, endian) { return new BN().fromArrayLike(data, endian); } static decode(data, endian) { return new BN().decode(data, endian); } static from(num, base, endian) { return new BN().from(num, base, endian); } static cast(num, base, endian) { if (BN.isBN(num)) return num; return new BN(num, base, endian); } static isBN(obj) { return obj instanceof BN; } } /* * Static */ BN.BN = BN; BN.wordSize = 26; BN.native = 0; /** * Prime */ class Prime { constructor(name, p) { // P = 2^N - K this.name = name; this.p = new BN(p, 16); this.n = this.p.bitLength(); this.k = BN.shift(1, this.n).isub(this.p); this.lo = this.p.clone(); this.one = this.p.clone(); } ireduce(num) { // Assumes that `num` is less than `P^2`: // num = HI * (2^N - K) + HI * K + LO = HI * K + LO (mod P) const neg = num.negative !== 0; // Track bits. let bits = num.bitLength(); // Must be less than P^2. assert(bits <= this.n * 2); // Ensure positive. num.negative = 0; // Reduce. while (bits > this.n) { // lo = num & ((1 << n) - 1) // num = num >> n this.split(num, this.lo); // num = num * K this.imulK(num); // num = num + lo num._iadd(num, this.lo); // bits = bitlen(num) bits = num.bitLength(); } // Final reduction. const cmp = bits < this.n ? -1 : num.ucmp(this.p); if (cmp === 0) { num.words[0] = 0; num.length = 1; } else if (cmp > 0) { num._isub(num, this.p); } else { // Note: we shouldn't need to strip here. } // Adjust sign. if (neg && !num.isZero()) num._isub(this.p, num); return num; } split(input, out) { input._split(this.n, out); } imulK(num) { return num.imul(this.k); } pm2(x1) { // Exponent: p - 2 throw new Error('Not implemented.'); } fermat(x) { return this.pm2(x); } } /** * Prime (3 mod 4) */ class Prime34 extends Prime { constructor(name, p) { super(name, p); } pm3d4(x1) { // Exponent: (p - 3) / 4 throw new Error('Not implemented.'); } pp1d4(x1) { // Exponent: (p + 1) / 4 throw new Error('Not implemented.'); } sqrt(x) { // r = x^((p + 1) / 4) mod p const {red} = x; const r = this.pp1d4(x); if (!red.sqr(r).eq(x)) throw new SquareRootError(r); return r; } divsqrt(u, v) { // x = u^3 * v * (u^5 * v^3)^((p - 3) / 4) mod p const {red} = u; const u2 = red.sqr(u); const u3 = red.mul(u2, u); const u5 = red.mul(u3, u2); const v3 = red.mul(red.sqr(v), v); const p = this.pm3d4(red.mul(u5, v3)); const x = red.mul(red.mul(u3, v), p); const c = red.mul(v, red.sqr(x)); if (c.eq(u)) return x; throw new SquareRootError(x); } } /** * Prime (5 mod 8) */ class Prime58 extends Prime { constructor(name, p, sm1) { super(name, p); this.sm1 = new BN(sm1, 16); } pm5d8(x1) { // Exponent: (p - 5) / 8 throw new Error('Not implemented.'); } pp3d8(x1) { // Exponent: (p + 3) / 8 throw new Error('Not implemented.'); } sqrt(x) { // r = x^((p + 3) / 8) mod p const {red} = x; const sm1 = this.sm1._forceRed(red); const r = this.pp3d8(x); if (red.sqr(r).eq(x)) return r; const c = red.mul(r, sm1); if (red.sqr(c).eq(x)) return c; throw new SquareRootError(r); } divsqrt(u, v) { // x = u * v^3 * (u * v^7)^((p - 5) / 8) mod p const {red} = u; const sm1 = this.sm1._forceRed(red); const v3 = red.mul(red.sqr(v), v); const v7 = red.mul(red.sqr(v3), v); const p = this.pm5d8(red.mul(u, v7)); const x = red.mul(red.mul(u, v3), p); const c = red.mul(v, red.sqr(x)); if (c.eq(u)) return x; const mc = red.ineg(c); if (mc.eq(u)) return red.mul(x, sm1); if (mc.eq(red.mul(u, sm1))) throw new SquareRootError(red.mul(x, sm1)); throw new SquareRootError(x); } } /** * Prime (1 mod 16) */ class Prime116 extends Prime { constructor(name, p, g) { super(name, p); this.g = new BN(g, 16); this.z = this.p.subn(1).zeroBits(); } powS(x1) { // Exponent: (p - 1) / 2^k throw new Error('Not implemented.'); } powE(x1) { // Exponent: (s + 1) / 2 throw new Error('Not implemented.'); } sqrt(x) { // Tonelli-Shanks (variable time). // // Constants: // // k = factors of 2 for (p - 1) // s = (p - 1) / 2^k // e = (s + 1) / 2 // n = first non-square in F(p) // // Algorithm: // // g = n^s mod p // y = x^e mod p // b = x^s mod p // // loop: // t = b // m = 0 // // while t != 1: // t = t^2 mod p // m += 1 // // if m == 0: // break // // if m >= k: // fail // // t = g^(2^(k - m - 1)) mod p // g = t^2 mod p // y = y * t mod p // b = b * g mod p // k = m // // return y // const {red} = x; switch (red.jacobi(x)) { case -1: throw new SquareRootError(x); case 0: return x.clone(); case 1: break; } let g = this.g._forceRed(red); let y = this.powE(x); let b = this.powS(x); let k = this.z; for (;;) { let t = b; let m = 0; while (t.cmpn(1) !== 0 && m < k) { t = red.sqr(t); m += 1; } if (m === 0) break; assert(m < k); t = red.sqrn(g, k - m - 1); g = red.sqr(t); y = red.mul(y, t); b = red.mul(b, g); k = m; } return y; } divsqrt(u, v) { const {red} = u; if (v.isZero()) throw new SquareRootError(v); return this.sqrt(red.div(u, v)); } } /** * P192 */ class P192 extends Prime34 { constructor() { // 2^192 - 2^64 - 1 (= 3 mod 4) super('p192', 'ffffffff ffffffff ffffffff fffffffe' + 'ffffffff ffffffff'); } imulK(num) { // K = 0x10000000000000001 // K = 2^64 + 1 const one = this.one.inject(num); return num.iushln(64)._iadd(num, one); } core(x1) { // Exponent: (p - 3) / 4 // Bits: 127x1 1x0 62x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x12 = red.sqrnmul(x6, 6, x6); const x24 = red.sqrnmul(x12, 12, x12); const x30 = red.sqrnmul(x24, 6, x6); const x31 = red.sqrnmul(x30, 1, x1); const x62 = red.sqrnmul(x31, 31, x31); const x124 = red.sqrnmul(x62, 62, x62); const x127 = red.sqrnmul(x124, 3, x3); const r0 = red.sqrn(x127, 1); const r1 = red.sqrnmul(r0, 62, x62); return r1; } pm3d4(x1) { // Exponent: (p - 3) / 4 // Bits: 127x1 1x0 62x1 return this.core(x1); } pm2(x1) { // Exponent: p - 2 // Bits: 127x1 1x0 62x1 1x0 1x1 const {red} = x1; const r0 = this.core(x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); return r2; } pp1d4(x1) { // Exponent: (p + 1) / 4 // Bits: 128x1 62x0 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x4 = red.sqrnmul(x2, 2, x2); const x8 = red.sqrnmul(x4, 4, x4); const x16 = red.sqrnmul(x8, 8, x8); const x32 = red.sqrnmul(x16, 16, x16); const x64 = red.sqrnmul(x32, 32, x32); const x128 = red.sqrnmul(x64, 64, x64); const r0 = red.sqrn(x128, 62); return r0; } } /** * P224 */ class P224 extends Prime116 { constructor() { // 2^224 - 2^96 + 1 (1 mod 16) super('p224', 'ffffffff ffffffff ffffffff ffffffff' + '00000000 00000000 00000001', '6a0fec67 8598a792 0c55b2d4 0b2d6ffb' + 'bea3d8ce f3fb3632 dc691b74'); } imulK(num) { // K = 0xffffffffffffffffffffffff // K = 2^96 - 1 const one = this.one.inject(num); return num.iushln(96)._isub(num, one); } powS(x1) { // Exponent: 2^128 - 1 // Bits: 128x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x4 = red.sqrnmul(x2, 2, x2); const x8 = red.sqrnmul(x4, 4, x4); const x16 = red.sqrnmul(x8, 8, x8); const x32 = red.sqrnmul(x16, 16, x16); const x64 = red.sqrnmul(x32, 32, x32); const x128 = red.sqrnmul(x64, 64, x64); return x128; } powE(x1) { // Exponent: 2^127 // Bits: 1x1 127x0 const {red} = x1; const r0 = red.sqrn(x1, 127); return r0; } pm2(x1) { // Exponent: p - 2 // Bits: 127x1 1x0 96x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x12 = red.sqrnmul(x6, 6, x6); const x24 = red.sqrnmul(x12, 12, x12); const x48 = red.sqrnmul(x24, 24, x24); const x96 = red.sqrnmul(x48, 48, x48); const x120 = red.sqrnmul(x96, 24, x24); const x126 = red.sqrnmul(x120, 6, x6); const x127 = red.sqrnmul(x126, 1, x1); const r0 = red.sqrn(x127, 1); const r1 = red.sqrnmul(r0, 96, x96); return r1; } } /** * P521 */ class P521 extends Prime34 { constructor() { // 2^521 - 1 (= 3 mod 4) super('p521', '000001ff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff'); } imulK(num) { // K = 0x01 return num; } core(x1) { // Exponent: 2^519 - 1 // Bits: 519x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x7 = red.sqrnmul(x6, 1, x1); const x8 = red.sqrnmul(x7, 1, x1); const x16 = red.sqrnmul(x8, 8, x8); const x32 = red.sqrnmul(x16, 16, x16); const x64 = red.sqrnmul(x32, 32, x32); const x128 = red.sqrnmul(x64, 64, x64); const x256 = red.sqrnmul(x128, 128, x128); const x512 = red.sqrnmul(x256, 256, x256); const x519 = red.sqrnmul(x512, 7, x7); return x519; } pm3d4(x1) { // Exponent: 2^519 - 1 // Bits: 519x1 return this.core(x1); } pm2(x1) { // Exponent: p - 2 // Bits: 519x1 1x0 1x1 const {red} = x1; const r0 = this.core(x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); return r2; } pp1d4(x1) { // Exponent: (p + 1) / 4 // Bits: 1x1 519x0 const {red} = x1; const r0 = red.sqrn(x1, 519); return r0; } } /** * K256 */ class K256 extends Prime34 { constructor() { // 2^256 - 2^32 - 977 (= 3 mod 4) super('k256', 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff fffffffe fffffc2f'); } split(input, output) { // 256 = 9 * 26 + 22 const mask = 0x3fffff; const len = Math.min(input.length, 9); output._alloc(len + 1); for (let i = 0; i < len; i++) output.words[i] = input.words[i]; output.length = len; if (input.length <= 9) { output._strip(); input.words[0] = 0; input.length = 1; return; } // Shift by 9 limbs. let prev = input.words[9]; let i = 10; output.words[output.length++] = prev & mask; output._strip(); for (; i < input.length; i++) { const next = input.words[i] | 0; input.words[i - 10] = ((next & mask) << 4) | (prev >>> 22); prev = next; } prev >>>= 22; input.words[i - 10] = prev; if (prev === 0 && input.length > 10) input.length -= 10; else input.length -= 9; input._strip(); // Unsure if we need this. } imulK(num) { // K = 0x1000003d1 = [0x40, 0x3d1] // K = 2^32 + 977 num._expand(num.length + 2); // Bounded at: 0x40 * 0x3ffffff + 0x3d0 = 0x100000390 let lo = 0; for (let i = 0; i < num.length; i++) { const w = num.words[i]; lo += w * 0x3d1; num.words[i] = lo & 0x3ffffff; lo = w * 0x40 + Math.floor(lo / 0x4000000); } // Fast length reduction. if (num.words[num.length - 1] === 0) { num.length -= 1; if (num.words[num.length - 1] === 0) num.length -= 1; } // Note: we shouldn't need to strip here. return num; } core(x1, x2) { // Exponent: (p - 47) / 64 // Bits: 223x1 1x0 22x1 4x0 const {red} = x1; const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x9 = red.sqrnmul(x6, 3, x3); const x11 = red.sqrnmul(x9, 2, x2); const x22 = red.sqrnmul(x11, 11, x11); const x44 = red.sqrnmul(x22, 22, x22); const x88 = red.sqrnmul(x44, 44, x44); const x176 = red.sqrnmul(x88, 88, x88); const x220 = red.sqrnmul(x176, 44, x44); const x223 = red.sqrnmul(x220, 3, x3); const r0 = red.sqrn(x223, 1); const r1 = red.sqrnmul(r0, 22, x22); const r2 = red.sqrn(r1, 4); return r2; } pm3d4(x1) { // Exponent: (p - 3) / 4 // Bits: 223x1 1x0 22x1 4x0 1x1 1x0 2x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r2 = this.core(x1, x2); const r3 = red.sqrnmul(r2, 1, x1); const r4 = red.sqrn(r3, 1); const r5 = red.sqrnmul(r4, 2, x2); return r5; } pm2(x1) { // Exponent: p - 2 // Bits: 223x1 1x0 22x1 4x0 1x1 1x0 2x1 1x0 1x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r2 = this.core(x1, x2); const r3 = red.sqrnmul(r2, 1, x1); const r4 = red.sqrn(r3, 1); const r5 = red.sqrnmul(r4, 2, x2); const r6 = red.sqrn(r5, 1); const r7 = red.sqrnmul(r6, 1, x1); return r7; } pp1d4(x1) { // Exponent: (p + 1) / 4 // Bits: 223x1 1x0 22x1 4x0 2x1 2x0 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r2 = this.core(x1, x2); const r3 = red.sqrnmul(r2, 2, x2); const r4 = red.sqrn(r3, 2); return r4; } } /** * P251 */ class P251 extends Prime34 { constructor() { // 2^251 - 9 super('p251', '07ffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff ffffffff fffffff7'); } imulK(num) { // K = 0x09 if (num.isZero()) return num; let carry = 0; for (let i = 0; i < num.length; i++) { const w = num.words[i] * 0x09 + carry; carry = w >>> 26; num.words[i] = w & 0x3ffffff; } if (carry !== 0) { num._alloc(num.length + 1); num.words[num.length++] = carry; } // Note: we shouldn't need to strip here. return num; } core(x1) { // Exponent: 2^247 - 1 // Bits: 247x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x12 = red.sqrnmul(x6, 6, x6); const x24 = red.sqrnmul(x12, 12, x12); const x48 = red.sqrnmul(x24, 24, x24); const x96 = red.sqrnmul(x48, 48, x48); const x192 = red.sqrnmul(x96, 96, x96); const x240 = red.sqrnmul(x192, 48, x48); const x246 = red.sqrnmul(x240, 6, x6); const x247 = red.sqrnmul(x246, 1, x1); return x247; } pm3d4(x1) { // Exponent: (p - 3) / 4 // Bits: 247x1 1x0 1x1 const {red} = x1; const r0 = this.core(x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); return r2; } pm2(x1) { // Exponent: p - 2 // Bits: 247x1 1x0 1x1 1x0 1x1 const {red} = x1; const r0 = this.core(x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); const r3 = red.sqrn(r2, 1); const r4 = red.sqrnmul(r3, 1, x1); return r4; } pp1d4(x1) { // Exponent: (p + 1) / 4 // Bits: 248x1 1x0 const {red} = x1; const r0 = this.core(x1); const r1 = red.sqrnmul(r0, 1, x1); const r2 = red.sqrn(r1, 1); return r2; } } /** * P25519 */ class P25519 extends Prime58 { constructor() { // 2^255 - 19 (= 5 mod 8) super('p25519', '7fffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff ffffffff ffffffed', '2b832480 4fc1df0b 2b4d0099 3dfbd7a7' + '2f431806 ad2fe478 c4ee1b27 4a0ea0b0'); } imulK(num) { // K = 0x13 let carry = 0; for (let i = 0; i < num.length; i++) { const w = num.words[i] * 0x13 + carry; carry = w >>> 26; num.words[i] = w & 0x3ffffff; } if (carry !== 0) { num._alloc(num.length + 1); num.words[num.length++] = carry; } // Note: we shouldn't need to strip here. return num; } core(x1, x2) { // Exponent: 2^250 - 1 // Bits: 250x1 const {red} = x1; const x4 = red.sqrnmul(x2, 2, x2); const x5 = red.sqrnmul(x4, 1, x1); const x10 = red.sqrnmul(x5, 5, x5); const x20 = red.sqrnmul(x10, 10, x10); const x40 = red.sqrnmul(x20, 20, x20); const x50 = red.sqrnmul(x40, 10, x10); const x100 = red.sqrnmul(x50, 50, x50); const x200 = red.sqrnmul(x100, 100, x100); const x250 = red.sqrnmul(x200, 50, x50); return x250; } pm5d8(x1) { // Exponent: (p - 5) / 8 // Bits: 250x1 1x0 1x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r0 = this.core(x1, x2); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); return r2; } pm2(x1) { // Exponent: p - 2 // Bits: 250x1 1x0 1x1 1x0 2x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r0 = this.core(x1, x2); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); const r3 = red.sqrn(r2, 1); const r4 = red.sqrnmul(r3, 2, x2); return r4; } pp3d8(x1) { // Exponent: (p + 3) / 8 // Bits: 251x1 1x0 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r0 = this.core(x1, x2); const r1 = red.sqrnmul(r0, 1, x1); const r2 = red.sqrn(r1, 1); return r2; } } /** * P448 */ class P448 extends Prime34 { constructor() { // 2^448 - 2^224 - 1 (= 3 mod 4) super('p448', 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff fffffffe ffffffff' + 'ffffffff ffffffff ffffffff ffffffff' + 'ffffffff ffffffff'); } imulK(num) { // K = 0x100000000000000000000000000000000000000000000000000000001 // K = 2^224 + 1 const one = this.one.inject(num); return num.iushln(224)._iadd(num, one); } core(x1, x2) { // Exponent: 2^222 - 1 // Bits: 222x1 const {red} = x1; const x3 = red.sqrnmul(x2, 1, x1); const x6 = red.sqrnmul(x3, 3, x3); const x9 = red.sqrnmul(x6, 3, x3); const x11 = red.sqrnmul(x9, 2, x2); const x22 = red.sqrnmul(x11, 11, x11); const x44 = red.sqrnmul(x22, 22, x22); const x88 = red.sqrnmul(x44, 44, x44); const x176 = red.sqrnmul(x88, 88, x88); const x220 = red.sqrnmul(x176, 44, x44); const x222 = red.sqrnmul(x220, 2, x2); return x222; } pm3d4(x1) { // Exponent: (p - 3) / 4 // Bits: 223x1 1x0 222x1 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const x222 = this.core(x1, x2); const r0 = red.sqrnmul(x222, 1, x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 222, x222); return r2; } pm2(x1) { // Exponent: p - 2 // Bits: 223x1 1x0 222x1 1x0 1x1 const {red} = x1; const r0 = this.pm3d4(x1); const r1 = red.sqrn(r0, 1); const r2 = red.sqrnmul(r1, 1, x1); return r2; } pp1d4(x1) { // Exponent: (p + 1) / 4 // Bits: 224x1 222x0 const {red} = x1; const x2 = red.sqrnmul(x1, 1, x1); const r0 = this.core(x1, x2); const r1 = red.sqrnmul(r0, 2, x2); const r2 = red.sqrn(r1, 222); return r2; } } /** * Reduction Engine */ class Red { constructor(m) { let prime = null; if (typeof m === 'string') { prime = BN._prime(m); m = prime.p; } enforce(BN.isBN(m), 'm', 'bignum'); nonred(!m.red, 'reduction'); range(m.sign() > 0, 'reduction'); this.m = m; this.prime = prime; this.mb = null; this.sm1 = null; } _verify1(a) { range(a.negative === 0, 'red'); red(a.red != null, 'red'); } _verify2(a, b) { range((a.negative | b.negative) === 0, 'red'); red(a.red != null && a.red === b.red, 'red'); } get mont() { return false; } precompute() { // Precompute `sqrt(-1)` for primes congruent to 5 mod 8. if (this.sm1 === null && this.m.andln(7) === 5) { if (this.prime) { this.sm1 = this.prime.sm1.clone()._forceRed(this); } else { const x = new BN(2).toRed(this); const e = this.m.subn(1).iushrn(2); // sqrt(-1) = 2^((p - 1) / 4) mod p this.sm1 = this.pow(x, e); } } return this; } convertTo(num) { const res = num.mod(this.m); res.red = this; return res; } convertFrom(num) { const res = num.clone(); res.red = null; return res; } intTo(a) { return a; } intFrom(a) { return a; } imod(a) { if (this.prime) return this.prime.ireduce(a)._forceRed(this); return a.imod(this.m)._forceRed(this); } iadd(a, b) { this._verify2(a, b); a._iadd(a, b); if (a.ucmp(this.m) >= 0) a._isub(a, this.m); return a; } add(a, b) { if (a.length < b.length) return this.iadd(b.clone(), a); return this.iadd(a.clone(), b); } iaddn(a, num) { this._verify1(a); if (num < 0) return this.isubn(a, -num); if (this.m.length === 1) num %= this.m.words[0]; a._iaddn(num); if (a.ucmp(this.m) >= 0) a._isub(a, this.m); return a; } addn(a, num) { return this.iaddn(a.clone(), num); } isub(a, b) { this._verify2(a, b); // 0: a - a mod m == 0 // -1: a - b mod m == m - (b - a) // +1: a - b mod m == a - b const cmp = a.ucmp(b); if (cmp === 0) { a.words[0] = 0; a.length = 1; return a; } if (cmp < 0) { a._isub(b, a); a._isub(this.m, a); } else { a._isub(a, b); } return a; } sub(a, b) { return this.isub(a.clone(), b); } isubn(a, num) { this._verify1(a); if (num < 0) return this.iaddn(a, -num); if (this.m.length === 1) num %= this.m.words[0]; // <: a - b mod m == m - (b - a) // >=: a - b mod m == a - b if (a.length === 1 && a.words[0] < num) { a.words[0] = num - a.words[0]; a._isub(this.m, a); } else { a._isubn(num); } return a; } subn(a, num) { return this.isubn(a.clone(), num); } imul(a, b) { this._verify2(a, b); return this.imod(a.imul(b)); } mul(a, b) { this._verify2(a, b); return this.imod(a.mul(b)); } imuln(a, num) { this._verify1(a); if (a.isZero()) return a; if (num === 0) { a.words[0] = 0; a.length = 1; return a; } const neg = num < 0; if (neg) num = -num; if (this.m.length === 1) num %= this.m.words[0]; a.imuln(num); if (num <= 16) { // Quick reduction. while (a.ucmp(this.m) >= 0) a._isub(a, this.m); } else { this.imod(a); } if (neg) this.ineg(a); return a; } muln(a, num) { return this.imuln(a.clone(), num); } idiv(a, b) { return this.div(a, b)._move(a); } div(a, b) { return this.mul(a, this.invert(b)); } idivn(a, num) { return this.divn(a, num)._move(a); } divn(a, num) { return this.div(a, this.convertTo(new BN(num))); } ipow(a, num) { return this.pow(a, num)._move(a); } pow(a, num) { this._verify1(a); if (num.isNeg()) a = this.invert(a); // Small exponent. if (num.length === 1) return this.pown(a, num.words[0]); // Call out to BigInt. if (HAS_BIGINT && !this.prime) return this.powInt(a, num); // Otherwise, a BN implementation. return this.powNum(a, num); } powNum(a, num) { // Sliding window (odd multiples only). const one = new BN(1).toRed(this); const wnd = new Array(WND_SIZE); const a2 = this.sqr(a); wnd[0] = a; for (let i = 1; i < WND_SIZE; i++) wnd[i] = this.mul(wnd[i - 1], a2); let i = num.bitLength(); let r = one; while (i >= WND_WIDTH) { let width = WND_WIDTH; let bits = num.bits(i - width, width); if (bits < WND_SIZE) { r = this.sqr(r); i -= 1; continue; } while ((bits & 1) === 0) { width -= 1; bits >>= 1; } if (r === one) { r = wnd[bits >> 1].clone(); } else { r = this.sqrn(r, width); r = this.mul(r, wnd[bits >> 1]); } i -= width; } if (i > 0) { const bits = num.bits(0, i); while (i--) { r = this.sqr(r); if ((bits >> i) & 1) r = this.mul(r, a); } } return r; } powInt(a, num) { if (this.mb === null) this.mb = this.m.toBigInt(); const x = this.intFrom(a.toBigInt()); const y = powInt(x, num, this.mb); const z = this.intTo(y); return BN.fromBigInt(z)._forceRed(this); } sqrn(a, n) { while (n--) a = this.sqr(a); return a; } sqrnmul(a, n, b) { return this.mul(this.sqrn(a, n), b); } ipown(a, num) { return this.pown(a, num)._move(a); } pown(a, num) { this._verify1(a); if (num < 0) { a = this.invert(a); num = -num; } if (num === 0) return new BN(1).toRed(this); if (num === 1) return a.clone(); const bits = countBits(num); let r = a; for (let i = bits - 2; i >= 0; i--) { r = this.sqr(r); if ((num >> i) & 1) r = this.mul(r, a); } return r; } isqr(a) { return this.imul(a, a); } sqr(a) { return this.mul(a, a); } isqrt(x) { return this.sqrt(x)._move(x); } sqrt(x) { this._verify1(x); // Optimized square root chain. if (this.prime) return this.prime.sqrt(x); // Fast case (p = 3 mod 4). if (this.m.andln(3) === 3) return this.sqrt3mod4(x); // Fast case (p = 5 mod 8). if (this.m.andln(7) === 5) { if (this.sm1 != null) return this.sqrt5mod8sm1(x); return this.sqrt5mod8(x); } // Slow case (Tonelli-Shanks). return this.sqrt0(x); } sqrt3mod4(x) { const e = this.m.addn(1).iushrn(2); // (p + 1) / 4 const b = this.pow(x, e); if (!this.sqr(b).eq(x)) throw new SquareRootError(b); return b; } sqrt5mod8(x) { // Atkin's Algorithm. const one = new BN(1).toRed(this); const e = this.m.ushrn(3); // (p - 5) / 8 const x2 = this.add(x, x); const alpha = this.pow(x2, e); const beta = this.mul(x2, this.sqr(alpha)); const b = this.mul(this.mul(alpha, x), this.isub(beta, one)); if (!this.sqr(b).eq(x)) throw new SquareRootError(b); return b; } sqrt5mod8sm1(x) { const e = this.m.addn(3).iushrn(3); // (p + 3) / 8 const b = this.pow(x, e); if (this.sqr(b).eq(x)) return b; const c = this.mul(b, this.sm1); if (this.sqr(c).eq(x)) return c; throw new SquareRootError(b); } sqrt0(x) { if (this.m.cmpn(1) === 0 || !this.m.isOdd()) throw new Error('Invalid prime.'); switch (this.jacobi(x)) { case -1: throw new SquareRootError(x); case 0: return x.clone(); case 1: break; } const one = new BN(1).toRed(this); const s = this.m.subn(1); const e = s._makeOdd(); const n = new BN(2).toRed(this); while (this.jacobi(n) !== -1) this.iadd(n, one); let g = this.pow(n, s); let b = this.pow(x, s); let y = this.pow(x, s.iaddn(1).iushrn(1)); let k = e; for (;;) { let t = b; let m = 0; while (!t.eq(one) && m < k) { t = this.sqr(t); m += 1; } if (m === 0) break; assert(m < k); t = this.sqrn(g, k - m - 1); g = this.sqr(t); y = this.mul(y, t); b = this.mul(b, g); k = m; } return y; } idivsqrt(u, v) { return this.divsqrt(u, v)._move(u); } divsqrt(u, v) { this._verify2(u, v); // u = 0, v = 0 if (u.isZero() && v.isZero()) throw new SquareRootError(v); // Optimized inverse square root chain. if (this.prime) return this.prime.divsqrt(u, v); // p = 3 mod 4 if (this.m.andln(3) === 3) return this.divsqrt3mod4(u, v); // p = 5 mod 8 if (this.sm1 != null && this.m.andln(7) === 5) return this.divsqrt5mod8(u, v); // v = 0 if (v.isZero()) throw new SquareRootError(v); return this.sqrt(this.div(u, v)); } divsqrt3mod4(u, v) { // x = u^3 * v * (u^5 * v^3)^((p - 3) / 4) mod p const e = this.m.subn(3).iushrn(2); const u2 = this.sqr(u); const u3 = this.mul(u2, u); const u5 = this.mul(u3, u2); const v3 = this.mul(this.sqr(v), v); const p = this.pow(this.mul(u5, v3), e); const x = this.mul(this.mul(u3, v), p); const c = this.mul(v, this.sqr(x)); if (c.eq(u)) return x; throw new SquareRootError(x); } divsqrt5mod8(u, v) { // x = u * v^3 * (u * v^7)^((p - 5) / 8) mod p const e = this.m.subn(5).iushrn(3); const v3 = this.mul(this.sqr(v), v); const v7 = this.mul(this.sqr(v3), v); const p = this.pow(this.mul(u, v7), e); const x = this.mul(this.mul(u, v3), p); const c = this.mul(v, this.sqr(x)); if (c.eq(u)) return x; const mc = this.ineg(c); if (mc.eq(u)) return this.mul(x, this.sm1); if (mc.eq(this.mul(u, this.sm1))) throw new SquareRootError(this.mul(x, this.sm1)); throw new SquareRootError(x); } isSquare(a) { if (this.m.isOdd()) return this.jacobi(a) >= 0; return this.kronecker(a) >= 0; } ishl(a, num) { this._verify1(a); return this.imod(a.iushl(num)); } shl(a, num) { return this.ishl(a.clone(), num); } ishln(a, num) { this._verify1(a); a.iushln(num); if (num <= 4) { // Quick reduction. while (a.ucmp(this.m) >= 0) a._isub(a, this.m); } else { this.imod(a); } return a; } shln(a, num) { return this.ishln(a.clone(), num); } ineg(a) { this._verify1(a); if (!a.isZero()) a._isub(this.m, a); return a; } neg(a) { return this.ineg(a.clone()); } eq(a, b) { this._verify2(a, b); return a.ucmp(b) === 0; } eqn(a, num) { this._verify1(a); if (this.m.length === 1) { num %= this.m.words[0]; if (num < 0) num += this.m.words[0]; return a.ucmpn(num) === 0; } if (num < 0) { this.m._isubn(-num); const cmp = a.ucmp(this.m); this.m._iaddn(-num); return cmp === 0; } return a.ucmpn(num) === 0; } isHigh(a) { return !this.isLow(a); } isLow(a) { this._verify1(a); return a.ucmp(this.m.ushrn(1)) <= 0; } isOdd(a) { this._verify1(a); return a.isOdd(); } isEven(a) { this._verify1(a); return a.isEven(); } legendre(num) { this._verify1(num); if (this.m.isEven()) throw new Error('legendre: `num` must be odd.'); // Euler's criterion. const e = this.m.subn(1).iushrn(1); // (p - 1) / 2 const symbol = this.pow(num, e); if (symbol.isZero()) return 0; const one = new BN(1).toRed(this); if (symbol.eq(one)) return 1; if (symbol.eq(this.ineg(one))) return -1; throw new Error('Invalid prime.'); } jacobi(a) { this._verify1(a); return a.jacobi(this.m); } kronecker(a) { this._verify1(a); return a.kronecker(this.m); } iinvert(a) { return this.invert(a)._move(a); } invert(a) { this._verify1(a); return a.invert(this.m)._forceRed(this); } ifermat(a) { return this.fermat(a)._move(a); } fermat(a) { this._verify1(a); if (a.isZero() || this.m.cmpn(1) === 0) throw new RangeError('Not invertible.'); // Optimized inversion chain. if (this.prime) return this.prime.fermat(a); // Invert using fermat's little theorem. return this.pow(a, this.m.subn(2)); } invertAll(elems) { // Montgomery's trick. enforce(Array.isArray(elems), 'elems', 'array'); for (const elem of elems) { enforce(BN.isBN(elem), 'elem', 'bignum'); this._verify1(elem); } if (this.m.cmpn(1) === 0 || this.m.isEven()) throw new RangeError('Not invertible.'); const len = elems.length; const invs = new Array(len); if (len === 0) return invs; let acc = new BN(1).toRed(this); for (let i = 0; i < len; i++) { if (elems[i].isZero()) { invs[i] = elems[i].clone(); continue; } invs[i] = acc; acc = this.mul(acc, elems[i]); } acc = this.invert(acc); for (let i = len - 1; i >= 0; i--) { if (elems[i].isZero()) continue; invs[i] = this.mul(acc, invs[i]); acc = this.mul(acc, elems[i]); } return invs; } [custom]() { if (this.prime) return ``; return ``; } } /** * Barrett Engine */ class Barrett extends Red { constructor(m) { super(m); this.prime = null; this.n = this.m.bitLength(); if ((this.n % 26) !== 0) this.n += 26 - (this.n % 26); this.k = this.n * 2; this.w = this.k / 26; this.b = BN.shift(1, this.k).div(this.m); } convertTo(num) { if (num.length > this.w) return super.convertTo(num); return this.imod(num.clone()); } _shift(q) { let i = 0; let j = this.w; while (j < q.length) q.words[i++] = q.words[j++]; if (i === 0) q.words[i++] = 0; q.length = i; } imod(a) { const neg = a.negative; assert(a.length <= this.w); a.negative = 0; const q = a.mul(this.b); // Shift right by `k` bits. this._shift(q); a._isub(a, q.mul(this.m)); if (a.ucmp(this.m) >= 0) a._isub(a, this.m); if (neg && !a.isZero()) a._isub(this.m, a); a.red = this; return a; } } /** * Montgomery Engine */ class Mont extends Red { constructor(m) { super(m); // Note that: // // mi = (-m^-1 mod (2^(n * 2))) mod r // // and: // // mi = (((2^n)^-1 mod m) * r^-1 - 1) / m // // are equivalent. this.prime = null; this.n = this.m.length * 26; this.r = BN.shift(1, this.n); this.r2 = BN.shift(1, this.n * 2).imod(this.m); this.ri = this.r.invert(this.m); this.mi = this.r.mul(this.ri).isubn(1).div(this.m); this.rib = null; } get mont() { return true; } convertTo(num) { if (num.isNeg() || num.ucmp(this.m) >= 0) return this.imod(num.ushln(this.n)); // Equivalent to: (num * 2^n) mod m return this.mul(num, this.r2); } convertFrom(num) { // Equivalent to: num * r^-1 mod m const r = this.mul(num, new BN(1)); r.red = null; return r; } intTo(a) { return (a << BigInt(this.n)) % this.mb; } intFrom(a) { if (this.rib === null) this.rib = this.ri.toBigInt(); return (a * this.rib) % this.mb; } iaddn(a, num) { return this.iadd(a, this.convertTo(new BN(num))); } isubn(a, num) { return this.isub(a, this.convertTo(new BN(num))); } imul(a, b) { return this.mul(a, b)._move(a); } mul(a, b) { if (a.isZero() || b.isZero()) return new BN(0)._forceRed(this); const t = a.mul(b); const c = t.umaskn(this.n).mul(this.mi).iumaskn(this.n); const u = t.iadd(c.mul(this.m)).iushrn(this.n); if (u.ucmp(this.m) >= 0) u._isub(u, this.m); return u._forceRed(this); } imuln(a, num) { this._verify1(a); if (a.isZero()) return a; if (num === 0) { a.words[0] = 0; a.length = 1; return a; } const neg = num < 0; if (neg) num = -num; if (this.m.length === 1) num %= this.m.words[0]; const bits = countBits(num); // Potentially compute with additions. // This avoids an expensive division. if (bits > 5) { // Slow case (num > 31). this.imul(a, this.convertTo(new BN(num))); } else if ((num & (num - 1)) === 0) { // Optimize for powers of two. for (let i = 0; i < bits - 1; i++) this.iadd(a, a); } else { // Multiply left to right. const c = a.clone(); for (let i = bits - 2; i >= 0; i--) { this.iadd(a, a); if ((num >> i) & 1) this.iadd(a, c); } } if (neg) this.ineg(a); return a; } eqn(a, num) { this._verify1(a); if (num === 0) return a.isZero(); return a.ucmp(this.convertTo(new BN(num))) === 0; } isLow(a) { this._verify1(a); return this.convertFrom(a).ucmp(this.m.ushrn(1)) <= 0; } isOdd(a) { this._verify1(a); return this.convertFrom(a).isOdd(); } isEven(a) { this._verify1(a); return this.convertFrom(a).isEven(); } invert(a) { this._verify1(a); // (AR)^-1 * R^2 = (A^-1 * R^-1) * R^2 = A^-1 * R return this.imod(a.invert(this.m).mul(this.r2)); } } /* * Helpers */ function makeError(Error, msg, start) { const err = new Error(msg); if (Error.captureStackTrace) Error.captureStackTrace(err, start); return err; } function assert(value, message) { if (!value) { const msg = message || 'Assertion failed.'; throw makeError(Error, msg, assert); } } function enforce(value, name, type) { if (!value) { const msg = `"${name}" must be a(n) ${type}.`; throw makeError(TypeError, msg, enforce); } } function range(value, name) { if (!value) { const msg = `"${name}" only works with positive numbers.`; throw makeError(RangeError, msg, range); } } function red(value, name) { if (!value) { const msg = `"${name}" only works with red numbers.`; throw makeError(TypeError, msg, red); } } function nonred(value, name) { if (!value) { const msg = `"${name}" only works with normal numbers.`; throw makeError(TypeError, msg, nonred); } } function nonzero(value) { if (!value) { const msg = 'Cannot divide by zero.'; throw makeError(RangeError, msg, nonzero); } } class SquareRootError extends Error { constructor(result) { super(); this.name = 'SquareRootError'; this.message = 'X is not a square mod P.'; this.result = result.fromRed(); if (Error.captureStackTrace) Error.captureStackTrace(this, SquareRootError); } } function isInteger(num) { return Number.isSafeInteger(num); } function isSMI(num) { return isInteger(num) && num >= -0x3ffffff && num <= 0x3ffffff; } function allocate(ArrayType, size) { if (ArrayType.allocUnsafeSlow) return ArrayType.allocUnsafeSlow(size); return new ArrayType(size); } function getBase(base) { if (base == null) return 10; if (typeof base === 'number') return base; switch (base) { case 'bin': return 2; case 'oct': return 8; case 'dec': return 10; case 'hex': return 16; } return 0; } /* * Internal */ function countBits(w) { if (Math.clz32) return 32 - Math.clz32(w); let t = w; let r = 0; if (t >= 0x1000) { r += 13; t >>>= 13; } if (t >= 0x40) { r += 7; t >>>= 7; } if (t >= 0x8) { r += 4; t >>>= 4; } if (t >= 0x02) { r += 2; t >>>= 2; } return r + t; } function zeroBits(w) { // Shortcut. if (w === 0) return 26; let t = w; let r = 0; if ((t & 0x1fff) === 0) { r += 13; t >>>= 13; } if ((t & 0x7f) === 0) { r += 7; t >>>= 7; } if ((t & 0xf) === 0) { r += 4; t >>>= 4; } if ((t & 0x3) === 0) { r += 2; t >>>= 2; } if ((t & 0x1) === 0) r += 1; return r; } function parseHex(str, start, end) { const len = Math.min(str.length, end); let r = 0; let z = 0; for (let i = start; i < len; i++) { const c = str.charCodeAt(i) - 48; r <<= 4; let b; if (c >= 49 && c <= 54) { // 'a' - 'f' b = c - 49 + 0xa; } else if (c >= 17 && c <= 22) { // 'A' - 'F' b = c - 17 + 0xa; } else { // '0' - '9' b = c; } r |= b; z |= b; } if (z & ~15) throw new Error('Invalid string.'); return r; } function parseBase(str, start, end, mul) { const len = Math.min(str.length, end); let r = 0; for (let i = start; i < len; i++) { const c = str.charCodeAt(i) - 48; r *= mul; let b; if (c >= 49) { // 'a' b = c - 49 + 0xa; } else if (c >= 17) { // 'A' b = c - 17 + 0xa; } else { // '0' - '9' b = c; } if (c < 0 || c > 207 || b >= mul) throw new Error('Invalid string.'); r += b; } return r; } /* * Exponentiation (bigint) */ function powInt(x, e, m) { // Sliding window (odd multiples only). const one = BigInt(1); const wnd = new Array(WND_SIZE); const x2 = (x * x) % m; wnd[0] = x; for (let i = 1; i < WND_SIZE; i++) wnd[i] = (wnd[i - 1] * x2) % m; let i = e.bitLength(); let r = one; while (i >= WND_WIDTH) { let width = WND_WIDTH; let bits = e.bits(i - width, width); if (bits < WND_SIZE) { r = (r * r) % m; i -= 1; continue; } while ((bits & 1) === 0) { width -= 1; bits >>= 1; } if (r === one) { r = wnd[bits >> 1]; } else { r = sqrn(r, width, m); r = (r * wnd[bits >> 1]) % m; } i -= width; } if (i > 0) { const bits = e.bits(0, i); while (i--) { r = (r * r) % m; if ((bits >> i) & 1) r = (r * x) % m; } } return r; } function sqrn(x, n, m) { for (let i = 0; i < n; i++) x = (x * x) % m; return x; } /* * Multiplication */ function smallMulTo(self, num, out) { const len = self.length + num.length; out.negative = self.negative ^ num.negative; out._alloc(len); out.length = len; // Peel one iteration (compiler can't // do it, because of code complexity). const a = self.words[0]; const b = num.words[0]; const r = a * b; const lo = r & 0x3ffffff; let carry = (r / 0x4000000) | 0; let k = 1; out.words[0] = lo; for (; k < out.length - 1; k++) { // Sum all words with the same // `i + j = k` and accumulate // `ncarry`, note that ncarry // could be >= 0x3ffffff. let ncarry = carry >>> 26; let rword = carry & 0x3ffffff; const min = Math.max(0, k - self.length + 1); const max = Math.min(k, num.length - 1); for (let j = min; j <= max; j++) { const i = k - j; const a = self.words[i]; const b = num.words[j]; const r = a * b + rword; ncarry += (r / 0x4000000) | 0; rword = r & 0x3ffffff; } out.words[k] = rword | 0; carry = ncarry | 0; } if (carry !== 0) out.words[k] = carry | 0; else out.length -= 1; return out._strip(); } function bigMulTo(self, num, out) { const len = self.length + num.length; out.negative = self.negative ^ num.negative; out._alloc(len); out.length = len; let carry = 0; let hncarry = 0; let k = 0; for (; k < out.length - 1; k++) { // Sum all words with the same // `i + j = k` and accumulate // `ncarry`, note that ncarry // could be >= 0x3ffffff. let ncarry = hncarry; hncarry = 0; let rword = carry & 0x3ffffff; const min = Math.max(0, k - self.length + 1); const max = Math.min(k, num.length - 1); for (let j = min; j <= max; j++) { const i = k - j; const a = self.words[i]; const b = num.words[j]; const r = a * b; let lo = r & 0x3ffffff; ncarry = (ncarry + ((r / 0x4000000) | 0)) | 0; lo = (lo + rword) | 0; rword = lo & 0x3ffffff; ncarry = (ncarry + (lo >>> 26)) | 0; hncarry += ncarry >>> 26; ncarry &= 0x3ffffff; } out.words[k] = rword; carry = ncarry; ncarry = hncarry; } if (carry !== 0) out.words[k] = carry; else out.length -= 1; return out._strip(); } function jumboMulTo(x, y, out) { // v8 has a 2147483519 bit max (~256mb). if (!HAS_BIGINT || x.length + y.length > 82595519) return bigMulTo(x, y, out); const zero = BigInt(0); const mask = BigInt(0x3ffffff); const shift = BigInt(26); let z = x.toBigInt() * y.toBigInt(); const neg = (z < zero) | 0; if (neg) z = -z; let i = 0; while (z > zero) { out.words[i++] = Number(z & mask); z >>= shift; } if (i === 0) out.words[i++] = 0; out.length = i; out.negative = neg; return out; } function comb10MulTo(self, num, out) { const a = self.words; const b = num.words; const o = out.words; const a0 = a[0] | 0; const al0 = a0 & 0x1fff; const ah0 = a0 >>> 13; const a1 = a[1] | 0; const al1 = a1 & 0x1fff; const ah1 = a1 >>> 13; const a2 = a[2] | 0; const al2 = a2 & 0x1fff; const ah2 = a2 >>> 13; const a3 = a[3] | 0; const al3 = a3 & 0x1fff; const ah3 = a3 >>> 13; const a4 = a[4] | 0; const al4 = a4 & 0x1fff; const ah4 = a4 >>> 13; const a5 = a[5] | 0; const al5 = a5 & 0x1fff; const ah5 = a5 >>> 13; const a6 = a[6] | 0; const al6 = a6 & 0x1fff; const ah6 = a6 >>> 13; const a7 = a[7] | 0; const al7 = a7 & 0x1fff; const ah7 = a7 >>> 13; const a8 = a[8] | 0; const al8 = a8 & 0x1fff; const ah8 = a8 >>> 13; const a9 = a[9] | 0; const al9 = a9 & 0x1fff; const ah9 = a9 >>> 13; const b0 = b[0] | 0; const bl0 = b0 & 0x1fff; const bh0 = b0 >>> 13; const b1 = b[1] | 0; const bl1 = b1 & 0x1fff; const bh1 = b1 >>> 13; const b2 = b[2] | 0; const bl2 = b2 & 0x1fff; const bh2 = b2 >>> 13; const b3 = b[3] | 0; const bl3 = b3 & 0x1fff; const bh3 = b3 >>> 13; const b4 = b[4] | 0; const bl4 = b4 & 0x1fff; const bh4 = b4 >>> 13; const b5 = b[5] | 0; const bl5 = b5 & 0x1fff; const bh5 = b5 >>> 13; const b6 = b[6] | 0; const bl6 = b6 & 0x1fff; const bh6 = b6 >>> 13; const b7 = b[7] | 0; const bl7 = b7 & 0x1fff; const bh7 = b7 >>> 13; const b8 = b[8] | 0; const bl8 = b8 & 0x1fff; const bh8 = b8 >>> 13; const b9 = b[9] | 0; const bl9 = b9 & 0x1fff; const bh9 = b9 >>> 13; let c = 0; let lo, mid, hi; out.negative = self.negative ^ num.negative; out._alloc(20); out.length = 19; /* k = 0 */ lo = Math.imul(al0, bl0); mid = Math.imul(al0, bh0); mid = (mid + Math.imul(ah0, bl0)) | 0; hi = Math.imul(ah0, bh0); let w0 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w0 >>> 26)) | 0; w0 &= 0x3ffffff; /* k = 1 */ lo = Math.imul(al1, bl0); mid = Math.imul(al1, bh0); mid = (mid + Math.imul(ah1, bl0)) | 0; hi = Math.imul(ah1, bh0); lo = (lo + Math.imul(al0, bl1)) | 0; mid = (mid + Math.imul(al0, bh1)) | 0; mid = (mid + Math.imul(ah0, bl1)) | 0; hi = (hi + Math.imul(ah0, bh1)) | 0; let w1 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w1 >>> 26)) | 0; w1 &= 0x3ffffff; /* k = 2 */ lo = Math.imul(al2, bl0); mid = Math.imul(al2, bh0); mid = (mid + Math.imul(ah2, bl0)) | 0; hi = Math.imul(ah2, bh0); lo = (lo + Math.imul(al1, bl1)) | 0; mid = (mid + Math.imul(al1, bh1)) | 0; mid = (mid + Math.imul(ah1, bl1)) | 0; hi = (hi + Math.imul(ah1, bh1)) | 0; lo = (lo + Math.imul(al0, bl2)) | 0; mid = (mid + Math.imul(al0, bh2)) | 0; mid = (mid + Math.imul(ah0, bl2)) | 0; hi = (hi + Math.imul(ah0, bh2)) | 0; let w2 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w2 >>> 26)) | 0; w2 &= 0x3ffffff; /* k = 3 */ lo = Math.imul(al3, bl0); mid = Math.imul(al3, bh0); mid = (mid + Math.imul(ah3, bl0)) | 0; hi = Math.imul(ah3, bh0); lo = (lo + Math.imul(al2, bl1)) | 0; mid = (mid + Math.imul(al2, bh1)) | 0; mid = (mid + Math.imul(ah2, bl1)) | 0; hi = (hi + Math.imul(ah2, bh1)) | 0; lo = (lo + Math.imul(al1, bl2)) | 0; mid = (mid + Math.imul(al1, bh2)) | 0; mid = (mid + Math.imul(ah1, bl2)) | 0; hi = (hi + Math.imul(ah1, bh2)) | 0; lo = (lo + Math.imul(al0, bl3)) | 0; mid = (mid + Math.imul(al0, bh3)) | 0; mid = (mid + Math.imul(ah0, bl3)) | 0; hi = (hi + Math.imul(ah0, bh3)) | 0; let w3 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w3 >>> 26)) | 0; w3 &= 0x3ffffff; /* k = 4 */ lo = Math.imul(al4, bl0); mid = Math.imul(al4, bh0); mid = (mid + Math.imul(ah4, bl0)) | 0; hi = Math.imul(ah4, bh0); lo = (lo + Math.imul(al3, bl1)) | 0; mid = (mid + Math.imul(al3, bh1)) | 0; mid = (mid + Math.imul(ah3, bl1)) | 0; hi = (hi + Math.imul(ah3, bh1)) | 0; lo = (lo + Math.imul(al2, bl2)) | 0; mid = (mid + Math.imul(al2, bh2)) | 0; mid = (mid + Math.imul(ah2, bl2)) | 0; hi = (hi + Math.imul(ah2, bh2)) | 0; lo = (lo + Math.imul(al1, bl3)) | 0; mid = (mid + Math.imul(al1, bh3)) | 0; mid = (mid + Math.imul(ah1, bl3)) | 0; hi = (hi + Math.imul(ah1, bh3)) | 0; lo = (lo + Math.imul(al0, bl4)) | 0; mid = (mid + Math.imul(al0, bh4)) | 0; mid = (mid + Math.imul(ah0, bl4)) | 0; hi = (hi + Math.imul(ah0, bh4)) | 0; let w4 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w4 >>> 26)) | 0; w4 &= 0x3ffffff; /* k = 5 */ lo = Math.imul(al5, bl0); mid = Math.imul(al5, bh0); mid = (mid + Math.imul(ah5, bl0)) | 0; hi = Math.imul(ah5, bh0); lo = (lo + Math.imul(al4, bl1)) | 0; mid = (mid + Math.imul(al4, bh1)) | 0; mid = (mid + Math.imul(ah4, bl1)) | 0; hi = (hi + Math.imul(ah4, bh1)) | 0; lo = (lo + Math.imul(al3, bl2)) | 0; mid = (mid + Math.imul(al3, bh2)) | 0; mid = (mid + Math.imul(ah3, bl2)) | 0; hi = (hi + Math.imul(ah3, bh2)) | 0; lo = (lo + Math.imul(al2, bl3)) | 0; mid = (mid + Math.imul(al2, bh3)) | 0; mid = (mid + Math.imul(ah2, bl3)) | 0; hi = (hi + Math.imul(ah2, bh3)) | 0; lo = (lo + Math.imul(al1, bl4)) | 0; mid = (mid + Math.imul(al1, bh4)) | 0; mid = (mid + Math.imul(ah1, bl4)) | 0; hi = (hi + Math.imul(ah1, bh4)) | 0; lo = (lo + Math.imul(al0, bl5)) | 0; mid = (mid + Math.imul(al0, bh5)) | 0; mid = (mid + Math.imul(ah0, bl5)) | 0; hi = (hi + Math.imul(ah0, bh5)) | 0; let w5 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w5 >>> 26)) | 0; w5 &= 0x3ffffff; /* k = 6 */ lo = Math.imul(al6, bl0); mid = Math.imul(al6, bh0); mid = (mid + Math.imul(ah6, bl0)) | 0; hi = Math.imul(ah6, bh0); lo = (lo + Math.imul(al5, bl1)) | 0; mid = (mid + Math.imul(al5, bh1)) | 0; mid = (mid + Math.imul(ah5, bl1)) | 0; hi = (hi + Math.imul(ah5, bh1)) | 0; lo = (lo + Math.imul(al4, bl2)) | 0; mid = (mid + Math.imul(al4, bh2)) | 0; mid = (mid + Math.imul(ah4, bl2)) | 0; hi = (hi + Math.imul(ah4, bh2)) | 0; lo = (lo + Math.imul(al3, bl3)) | 0; mid = (mid + Math.imul(al3, bh3)) | 0; mid = (mid + Math.imul(ah3, bl3)) | 0; hi = (hi + Math.imul(ah3, bh3)) | 0; lo = (lo + Math.imul(al2, bl4)) | 0; mid = (mid + Math.imul(al2, bh4)) | 0; mid = (mid + Math.imul(ah2, bl4)) | 0; hi = (hi + Math.imul(ah2, bh4)) | 0; lo = (lo + Math.imul(al1, bl5)) | 0; mid = (mid + Math.imul(al1, bh5)) | 0; mid = (mid + Math.imul(ah1, bl5)) | 0; hi = (hi + Math.imul(ah1, bh5)) | 0; lo = (lo + Math.imul(al0, bl6)) | 0; mid = (mid + Math.imul(al0, bh6)) | 0; mid = (mid + Math.imul(ah0, bl6)) | 0; hi = (hi + Math.imul(ah0, bh6)) | 0; let w6 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w6 >>> 26)) | 0; w6 &= 0x3ffffff; /* k = 7 */ lo = Math.imul(al7, bl0); mid = Math.imul(al7, bh0); mid = (mid + Math.imul(ah7, bl0)) | 0; hi = Math.imul(ah7, bh0); lo = (lo + Math.imul(al6, bl1)) | 0; mid = (mid + Math.imul(al6, bh1)) | 0; mid = (mid + Math.imul(ah6, bl1)) | 0; hi = (hi + Math.imul(ah6, bh1)) | 0; lo = (lo + Math.imul(al5, bl2)) | 0; mid = (mid + Math.imul(al5, bh2)) | 0; mid = (mid + Math.imul(ah5, bl2)) | 0; hi = (hi + Math.imul(ah5, bh2)) | 0; lo = (lo + Math.imul(al4, bl3)) | 0; mid = (mid + Math.imul(al4, bh3)) | 0; mid = (mid + Math.imul(ah4, bl3)) | 0; hi = (hi + Math.imul(ah4, bh3)) | 0; lo = (lo + Math.imul(al3, bl4)) | 0; mid = (mid + Math.imul(al3, bh4)) | 0; mid = (mid + Math.imul(ah3, bl4)) | 0; hi = (hi + Math.imul(ah3, bh4)) | 0; lo = (lo + Math.imul(al2, bl5)) | 0; mid = (mid + Math.imul(al2, bh5)) | 0; mid = (mid + Math.imul(ah2, bl5)) | 0; hi = (hi + Math.imul(ah2, bh5)) | 0; lo = (lo + Math.imul(al1, bl6)) | 0; mid = (mid + Math.imul(al1, bh6)) | 0; mid = (mid + Math.imul(ah1, bl6)) | 0; hi = (hi + Math.imul(ah1, bh6)) | 0; lo = (lo + Math.imul(al0, bl7)) | 0; mid = (mid + Math.imul(al0, bh7)) | 0; mid = (mid + Math.imul(ah0, bl7)) | 0; hi = (hi + Math.imul(ah0, bh7)) | 0; let w7 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w7 >>> 26)) | 0; w7 &= 0x3ffffff; /* k = 8 */ lo = Math.imul(al8, bl0); mid = Math.imul(al8, bh0); mid = (mid + Math.imul(ah8, bl0)) | 0; hi = Math.imul(ah8, bh0); lo = (lo + Math.imul(al7, bl1)) | 0; mid = (mid + Math.imul(al7, bh1)) | 0; mid = (mid + Math.imul(ah7, bl1)) | 0; hi = (hi + Math.imul(ah7, bh1)) | 0; lo = (lo + Math.imul(al6, bl2)) | 0; mid = (mid + Math.imul(al6, bh2)) | 0; mid = (mid + Math.imul(ah6, bl2)) | 0; hi = (hi + Math.imul(ah6, bh2)) | 0; lo = (lo + Math.imul(al5, bl3)) | 0; mid = (mid + Math.imul(al5, bh3)) | 0; mid = (mid + Math.imul(ah5, bl3)) | 0; hi = (hi + Math.imul(ah5, bh3)) | 0; lo = (lo + Math.imul(al4, bl4)) | 0; mid = (mid + Math.imul(al4, bh4)) | 0; mid = (mid + Math.imul(ah4, bl4)) | 0; hi = (hi + Math.imul(ah4, bh4)) | 0; lo = (lo + Math.imul(al3, bl5)) | 0; mid = (mid + Math.imul(al3, bh5)) | 0; mid = (mid + Math.imul(ah3, bl5)) | 0; hi = (hi + Math.imul(ah3, bh5)) | 0; lo = (lo + Math.imul(al2, bl6)) | 0; mid = (mid + Math.imul(al2, bh6)) | 0; mid = (mid + Math.imul(ah2, bl6)) | 0; hi = (hi + Math.imul(ah2, bh6)) | 0; lo = (lo + Math.imul(al1, bl7)) | 0; mid = (mid + Math.imul(al1, bh7)) | 0; mid = (mid + Math.imul(ah1, bl7)) | 0; hi = (hi + Math.imul(ah1, bh7)) | 0; lo = (lo + Math.imul(al0, bl8)) | 0; mid = (mid + Math.imul(al0, bh8)) | 0; mid = (mid + Math.imul(ah0, bl8)) | 0; hi = (hi + Math.imul(ah0, bh8)) | 0; let w8 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w8 >>> 26)) | 0; w8 &= 0x3ffffff; /* k = 9 */ lo = Math.imul(al9, bl0); mid = Math.imul(al9, bh0); mid = (mid + Math.imul(ah9, bl0)) | 0; hi = Math.imul(ah9, bh0); lo = (lo + Math.imul(al8, bl1)) | 0; mid = (mid + Math.imul(al8, bh1)) | 0; mid = (mid + Math.imul(ah8, bl1)) | 0; hi = (hi + Math.imul(ah8, bh1)) | 0; lo = (lo + Math.imul(al7, bl2)) | 0; mid = (mid + Math.imul(al7, bh2)) | 0; mid = (mid + Math.imul(ah7, bl2)) | 0; hi = (hi + Math.imul(ah7, bh2)) | 0; lo = (lo + Math.imul(al6, bl3)) | 0; mid = (mid + Math.imul(al6, bh3)) | 0; mid = (mid + Math.imul(ah6, bl3)) | 0; hi = (hi + Math.imul(ah6, bh3)) | 0; lo = (lo + Math.imul(al5, bl4)) | 0; mid = (mid + Math.imul(al5, bh4)) | 0; mid = (mid + Math.imul(ah5, bl4)) | 0; hi = (hi + Math.imul(ah5, bh4)) | 0; lo = (lo + Math.imul(al4, bl5)) | 0; mid = (mid + Math.imul(al4, bh5)) | 0; mid = (mid + Math.imul(ah4, bl5)) | 0; hi = (hi + Math.imul(ah4, bh5)) | 0; lo = (lo + Math.imul(al3, bl6)) | 0; mid = (mid + Math.imul(al3, bh6)) | 0; mid = (mid + Math.imul(ah3, bl6)) | 0; hi = (hi + Math.imul(ah3, bh6)) | 0; lo = (lo + Math.imul(al2, bl7)) | 0; mid = (mid + Math.imul(al2, bh7)) | 0; mid = (mid + Math.imul(ah2, bl7)) | 0; hi = (hi + Math.imul(ah2, bh7)) | 0; lo = (lo + Math.imul(al1, bl8)) | 0; mid = (mid + Math.imul(al1, bh8)) | 0; mid = (mid + Math.imul(ah1, bl8)) | 0; hi = (hi + Math.imul(ah1, bh8)) | 0; lo = (lo + Math.imul(al0, bl9)) | 0; mid = (mid + Math.imul(al0, bh9)) | 0; mid = (mid + Math.imul(ah0, bl9)) | 0; hi = (hi + Math.imul(ah0, bh9)) | 0; let w9 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w9 >>> 26)) | 0; w9 &= 0x3ffffff; /* k = 10 */ lo = Math.imul(al9, bl1); mid = Math.imul(al9, bh1); mid = (mid + Math.imul(ah9, bl1)) | 0; hi = Math.imul(ah9, bh1); lo = (lo + Math.imul(al8, bl2)) | 0; mid = (mid + Math.imul(al8, bh2)) | 0; mid = (mid + Math.imul(ah8, bl2)) | 0; hi = (hi + Math.imul(ah8, bh2)) | 0; lo = (lo + Math.imul(al7, bl3)) | 0; mid = (mid + Math.imul(al7, bh3)) | 0; mid = (mid + Math.imul(ah7, bl3)) | 0; hi = (hi + Math.imul(ah7, bh3)) | 0; lo = (lo + Math.imul(al6, bl4)) | 0; mid = (mid + Math.imul(al6, bh4)) | 0; mid = (mid + Math.imul(ah6, bl4)) | 0; hi = (hi + Math.imul(ah6, bh4)) | 0; lo = (lo + Math.imul(al5, bl5)) | 0; mid = (mid + Math.imul(al5, bh5)) | 0; mid = (mid + Math.imul(ah5, bl5)) | 0; hi = (hi + Math.imul(ah5, bh5)) | 0; lo = (lo + Math.imul(al4, bl6)) | 0; mid = (mid + Math.imul(al4, bh6)) | 0; mid = (mid + Math.imul(ah4, bl6)) | 0; hi = (hi + Math.imul(ah4, bh6)) | 0; lo = (lo + Math.imul(al3, bl7)) | 0; mid = (mid + Math.imul(al3, bh7)) | 0; mid = (mid + Math.imul(ah3, bl7)) | 0; hi = (hi + Math.imul(ah3, bh7)) | 0; lo = (lo + Math.imul(al2, bl8)) | 0; mid = (mid + Math.imul(al2, bh8)) | 0; mid = (mid + Math.imul(ah2, bl8)) | 0; hi = (hi + Math.imul(ah2, bh8)) | 0; lo = (lo + Math.imul(al1, bl9)) | 0; mid = (mid + Math.imul(al1, bh9)) | 0; mid = (mid + Math.imul(ah1, bl9)) | 0; hi = (hi + Math.imul(ah1, bh9)) | 0; let w10 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w10 >>> 26)) | 0; w10 &= 0x3ffffff; /* k = 11 */ lo = Math.imul(al9, bl2); mid = Math.imul(al9, bh2); mid = (mid + Math.imul(ah9, bl2)) | 0; hi = Math.imul(ah9, bh2); lo = (lo + Math.imul(al8, bl3)) | 0; mid = (mid + Math.imul(al8, bh3)) | 0; mid = (mid + Math.imul(ah8, bl3)) | 0; hi = (hi + Math.imul(ah8, bh3)) | 0; lo = (lo + Math.imul(al7, bl4)) | 0; mid = (mid + Math.imul(al7, bh4)) | 0; mid = (mid + Math.imul(ah7, bl4)) | 0; hi = (hi + Math.imul(ah7, bh4)) | 0; lo = (lo + Math.imul(al6, bl5)) | 0; mid = (mid + Math.imul(al6, bh5)) | 0; mid = (mid + Math.imul(ah6, bl5)) | 0; hi = (hi + Math.imul(ah6, bh5)) | 0; lo = (lo + Math.imul(al5, bl6)) | 0; mid = (mid + Math.imul(al5, bh6)) | 0; mid = (mid + Math.imul(ah5, bl6)) | 0; hi = (hi + Math.imul(ah5, bh6)) | 0; lo = (lo + Math.imul(al4, bl7)) | 0; mid = (mid + Math.imul(al4, bh7)) | 0; mid = (mid + Math.imul(ah4, bl7)) | 0; hi = (hi + Math.imul(ah4, bh7)) | 0; lo = (lo + Math.imul(al3, bl8)) | 0; mid = (mid + Math.imul(al3, bh8)) | 0; mid = (mid + Math.imul(ah3, bl8)) | 0; hi = (hi + Math.imul(ah3, bh8)) | 0; lo = (lo + Math.imul(al2, bl9)) | 0; mid = (mid + Math.imul(al2, bh9)) | 0; mid = (mid + Math.imul(ah2, bl9)) | 0; hi = (hi + Math.imul(ah2, bh9)) | 0; let w11 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w11 >>> 26)) | 0; w11 &= 0x3ffffff; /* k = 12 */ lo = Math.imul(al9, bl3); mid = Math.imul(al9, bh3); mid = (mid + Math.imul(ah9, bl3)) | 0; hi = Math.imul(ah9, bh3); lo = (lo + Math.imul(al8, bl4)) | 0; mid = (mid + Math.imul(al8, bh4)) | 0; mid = (mid + Math.imul(ah8, bl4)) | 0; hi = (hi + Math.imul(ah8, bh4)) | 0; lo = (lo + Math.imul(al7, bl5)) | 0; mid = (mid + Math.imul(al7, bh5)) | 0; mid = (mid + Math.imul(ah7, bl5)) | 0; hi = (hi + Math.imul(ah7, bh5)) | 0; lo = (lo + Math.imul(al6, bl6)) | 0; mid = (mid + Math.imul(al6, bh6)) | 0; mid = (mid + Math.imul(ah6, bl6)) | 0; hi = (hi + Math.imul(ah6, bh6)) | 0; lo = (lo + Math.imul(al5, bl7)) | 0; mid = (mid + Math.imul(al5, bh7)) | 0; mid = (mid + Math.imul(ah5, bl7)) | 0; hi = (hi + Math.imul(ah5, bh7)) | 0; lo = (lo + Math.imul(al4, bl8)) | 0; mid = (mid + Math.imul(al4, bh8)) | 0; mid = (mid + Math.imul(ah4, bl8)) | 0; hi = (hi + Math.imul(ah4, bh8)) | 0; lo = (lo + Math.imul(al3, bl9)) | 0; mid = (mid + Math.imul(al3, bh9)) | 0; mid = (mid + Math.imul(ah3, bl9)) | 0; hi = (hi + Math.imul(ah3, bh9)) | 0; let w12 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w12 >>> 26)) | 0; w12 &= 0x3ffffff; /* k = 13 */ lo = Math.imul(al9, bl4); mid = Math.imul(al9, bh4); mid = (mid + Math.imul(ah9, bl4)) | 0; hi = Math.imul(ah9, bh4); lo = (lo + Math.imul(al8, bl5)) | 0; mid = (mid + Math.imul(al8, bh5)) | 0; mid = (mid + Math.imul(ah8, bl5)) | 0; hi = (hi + Math.imul(ah8, bh5)) | 0; lo = (lo + Math.imul(al7, bl6)) | 0; mid = (mid + Math.imul(al7, bh6)) | 0; mid = (mid + Math.imul(ah7, bl6)) | 0; hi = (hi + Math.imul(ah7, bh6)) | 0; lo = (lo + Math.imul(al6, bl7)) | 0; mid = (mid + Math.imul(al6, bh7)) | 0; mid = (mid + Math.imul(ah6, bl7)) | 0; hi = (hi + Math.imul(ah6, bh7)) | 0; lo = (lo + Math.imul(al5, bl8)) | 0; mid = (mid + Math.imul(al5, bh8)) | 0; mid = (mid + Math.imul(ah5, bl8)) | 0; hi = (hi + Math.imul(ah5, bh8)) | 0; lo = (lo + Math.imul(al4, bl9)) | 0; mid = (mid + Math.imul(al4, bh9)) | 0; mid = (mid + Math.imul(ah4, bl9)) | 0; hi = (hi + Math.imul(ah4, bh9)) | 0; let w13 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w13 >>> 26)) | 0; w13 &= 0x3ffffff; /* k = 14 */ lo = Math.imul(al9, bl5); mid = Math.imul(al9, bh5); mid = (mid + Math.imul(ah9, bl5)) | 0; hi = Math.imul(ah9, bh5); lo = (lo + Math.imul(al8, bl6)) | 0; mid = (mid + Math.imul(al8, bh6)) | 0; mid = (mid + Math.imul(ah8, bl6)) | 0; hi = (hi + Math.imul(ah8, bh6)) | 0; lo = (lo + Math.imul(al7, bl7)) | 0; mid = (mid + Math.imul(al7, bh7)) | 0; mid = (mid + Math.imul(ah7, bl7)) | 0; hi = (hi + Math.imul(ah7, bh7)) | 0; lo = (lo + Math.imul(al6, bl8)) | 0; mid = (mid + Math.imul(al6, bh8)) | 0; mid = (mid + Math.imul(ah6, bl8)) | 0; hi = (hi + Math.imul(ah6, bh8)) | 0; lo = (lo + Math.imul(al5, bl9)) | 0; mid = (mid + Math.imul(al5, bh9)) | 0; mid = (mid + Math.imul(ah5, bl9)) | 0; hi = (hi + Math.imul(ah5, bh9)) | 0; let w14 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w14 >>> 26)) | 0; w14 &= 0x3ffffff; /* k = 15 */ lo = Math.imul(al9, bl6); mid = Math.imul(al9, bh6); mid = (mid + Math.imul(ah9, bl6)) | 0; hi = Math.imul(ah9, bh6); lo = (lo + Math.imul(al8, bl7)) | 0; mid = (mid + Math.imul(al8, bh7)) | 0; mid = (mid + Math.imul(ah8, bl7)) | 0; hi = (hi + Math.imul(ah8, bh7)) | 0; lo = (lo + Math.imul(al7, bl8)) | 0; mid = (mid + Math.imul(al7, bh8)) | 0; mid = (mid + Math.imul(ah7, bl8)) | 0; hi = (hi + Math.imul(ah7, bh8)) | 0; lo = (lo + Math.imul(al6, bl9)) | 0; mid = (mid + Math.imul(al6, bh9)) | 0; mid = (mid + Math.imul(ah6, bl9)) | 0; hi = (hi + Math.imul(ah6, bh9)) | 0; let w15 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w15 >>> 26)) | 0; w15 &= 0x3ffffff; /* k = 16 */ lo = Math.imul(al9, bl7); mid = Math.imul(al9, bh7); mid = (mid + Math.imul(ah9, bl7)) | 0; hi = Math.imul(ah9, bh7); lo = (lo + Math.imul(al8, bl8)) | 0; mid = (mid + Math.imul(al8, bh8)) | 0; mid = (mid + Math.imul(ah8, bl8)) | 0; hi = (hi + Math.imul(ah8, bh8)) | 0; lo = (lo + Math.imul(al7, bl9)) | 0; mid = (mid + Math.imul(al7, bh9)) | 0; mid = (mid + Math.imul(ah7, bl9)) | 0; hi = (hi + Math.imul(ah7, bh9)) | 0; let w16 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w16 >>> 26)) | 0; w16 &= 0x3ffffff; /* k = 17 */ lo = Math.imul(al9, bl8); mid = Math.imul(al9, bh8); mid = (mid + Math.imul(ah9, bl8)) | 0; hi = Math.imul(ah9, bh8); lo = (lo + Math.imul(al8, bl9)) | 0; mid = (mid + Math.imul(al8, bh9)) | 0; mid = (mid + Math.imul(ah8, bl9)) | 0; hi = (hi + Math.imul(ah8, bh9)) | 0; let w17 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w17 >>> 26)) | 0; w17 &= 0x3ffffff; /* k = 18 */ lo = Math.imul(al9, bl9); mid = Math.imul(al9, bh9); mid = (mid + Math.imul(ah9, bl9)) | 0; hi = Math.imul(ah9, bh9); let w18 = (((c + lo) | 0) + ((mid & 0x1fff) << 13)) | 0; c = (((hi + (mid >>> 13)) | 0) + (w18 >>> 26)) | 0; w18 &= 0x3ffffff; o[0] = w0; o[1] = w1; o[2] = w2; o[3] = w3; o[4] = w4; o[5] = w5; o[6] = w6; o[7] = w7; o[8] = w8; o[9] = w9; o[10] = w10; o[11] = w11; o[12] = w12; o[13] = w13; o[14] = w14; o[15] = w15; o[16] = w16; o[17] = w17; o[18] = w18; if (c !== 0) { o[19] = c; out.length += 1; } // Note: we shouldn't need to strip here. return out; } // Polyfill comb. if (!Math.imul) comb10MulTo = smallMulTo; /* * Expose */ BN.Red = Red; module.exports = BN; }], [/* 33 */ 'bcrypto', '/lib/internal/custom-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * custom.js - custom inspect symbol for bcrypto * Copyright (c) 2018-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; exports.custom = 'inspect'; }], [/* 34 */ 'bcrypto', '/lib/internal/asn1.js', function(exports, module, __filename, __dirname, __meta) { /*! * asn1.js - asn1 parsing for bcrypto * Copyright (c) 2020, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; const assert = require('assert'); const BN = __node_require__(31 /* '../bn' */); /* * ASN1 */ function readSize(data, pos, strict) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert(typeof strict === 'boolean'); if (pos >= data.length) throw new Error('Invalid size.'); const field = data[pos]; const bytes = field & 0x7f; pos += 1; // Definite form. if ((field & 0x80) === 0) { // Short form. return [bytes, pos]; } // Indefinite form. if (strict && bytes === 0) throw new Error('Indefinite length.'); // Long form. let size = 0; for (let i = 0; i < bytes; i++) { assert(pos < data.length); const ch = data[pos]; pos += 1; if (size >= (1 << 24)) throw new Error('Length too large.'); size *= 0x100; size += ch; if (strict && size === 0) throw new Error('Unexpected leading zeroes.'); } if (strict && size < 0x80) throw new Error('Non-minimal length.'); return [size, pos]; } function readSeq(data, pos, strict = true) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert(typeof strict === 'boolean'); if (pos >= data.length || data[pos] !== 0x30) throw new Error('Invalid sequence tag.'); pos += 1; let size; [size, pos] = readSize(data, pos, strict); if (strict && pos + size !== data.length) throw new Error('Trailing bytes.'); return pos; } function readInt(data, pos, strict = true) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert(typeof strict === 'boolean'); if (pos >= data.length || data[pos] !== 0x02) throw new Error('Invalid integer tag.'); pos += 1; let size; [size, pos] = readSize(data, pos, strict); if (pos + size > data.length) throw new Error('Integer body out of bounds.'); if (strict) { // Zero length integer. if (size === 0) throw new Error('Zero length integer.'); // No negatives. if (data[pos] & 0x80) throw new Error('Integers must be positive.'); // Allow zero only if it prefixes a high bit. if (size > 1) { if (data[pos] === 0x00 && (data[pos + 1] & 0x80) === 0x00) throw new Error('Unexpected leading zeroes.'); } } // Eat leading zeroes. while (size > 0 && data[pos] === 0x00) { pos += 1; size -= 1; } // No reason to have an integer larger than this. if (size > 2048) throw new Error('Invalid integer size.'); const num = BN.decode(data.slice(pos, pos + size)); pos += size; return [num, pos]; } function readVersion(data, pos, version, strict = true) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert((version & 0xff) === version); assert(typeof strict === 'boolean'); let num; [num, pos] = readInt(data, pos, strict); if (num.cmpn(version) !== 0) throw new Error('Invalid version.'); return pos; } function sizeSize(size) { assert((size >>> 0) === size); if (size <= 0x7f) // [size] return 1; if (size <= 0xff) // 0x81 [size] return 2; assert(size <= 0xffff); return 3; // 0x82 [size-hi] [size-lo] } function sizeSeq(size) { return 1 + sizeSize(size) + size; } function sizeInt(num) { assert(num instanceof BN); // 0x02 [size] [0x00?] [int] const bits = num.bitLength(); let size = (bits + 7) >>> 3; if (bits > 0 && (bits & 7) === 0) size += num.testn(bits - 1); if (bits === 0) size = 1; return 1 + sizeSize(size) + size; } function sizeVersion(version) { assert((version & 0xff) === version); return 3; } function writeSize(data, pos, size) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert((size >>> 0) === size); if (size <= 0x7f) { // [size] data[pos++] = size; } else if (size <= 0xff) { // 0x81 [size] data[pos++] = 0x81; data[pos++] = size; } else { // 0x82 [size-hi] [size-lo] assert(size <= 0xffff); data[pos++] = 0x82; data[pos++] = size >> 8; data[pos++] = size & 0xff; } assert(pos <= data.length); return pos; } function writeSeq(data, pos, size) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); data[pos++] = 0x30; return writeSize(data, pos, size); } function writeInt(data, pos, num) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert(num instanceof BN); // 0x02 [size] [0x00?] [int] const bits = num.bitLength(); let size = (bits + 7) >>> 3; let pad = 0; if (bits > 0 && (bits & 7) === 0) pad = num.testn(bits - 1); if (bits === 0) size = 1; data[pos++] = 0x02; pos = writeSize(data, pos, pad + size); if (pad) data[pos++] = 0x00; if (bits !== 0) num.encode().copy(data, pos); else data[pos] = 0x00; pos += size; assert(pos <= data.length); return pos; } function writeVersion(data, pos, version) { assert(Buffer.isBuffer(data)); assert((pos >>> 0) === pos); assert((version & 0xff) === version); assert(pos + 3 <= data.length); data[pos++] = 0x02; data[pos++] = 0x01; data[pos++] = version; return pos; } /* * Expose */ exports.readSize = readSize; exports.readSeq = readSeq; exports.readInt = readInt; exports.readVersion = readVersion; exports.sizeSize = sizeSize; exports.sizeSeq = sizeSeq; exports.sizeInt = sizeInt; exports.sizeVersion = sizeVersion; exports.writeSize = writeSize; exports.writeSeq = writeSeq; exports.writeInt = writeInt; exports.writeVersion = writeVersion; }], [/* 35 */ 'bcrypto', '/lib/js/schnorr-legacy.js', function(exports, module, __filename, __dirname, __meta) { /*! * schnorr-legacy.js - bip-schnorr for bcrypto * Copyright (c) 2019-2020, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on sipa/bip-schnorr: * Copyright (c) 2018-2019, Pieter Wuille (2-clause BSD License). * https://github.com/sipa/bips/blob/d194620/bip-schnorr/reference.py * * Parts of this software are based on ElementsProject/secp256k1-zkp: * Copyright (c) 2013, Pieter Wuille. * https://github.com/ElementsProject/secp256k1-zkp * * Resources: * https://github.com/sipa/bips/blob/d194620/bip-schnorr.mediawiki * https://github.com/sipa/bips/blob/d194620/bip-schnorr/reference.py * https://github.com/sipa/bips/blob/d194620/bip-schnorr/test-vectors.csv * https://github.com/ElementsProject/secp256k1-zkp/tree/11af701/src/modules/schnorrsig * https://github.com/bitcoincashorg/bitcoincash.org/blob/master/spec/2019-05-15-schnorr.md * * References: * * [SCHNORR] Schnorr Signatures for secp256k1 * Pieter Wuille * https://github.com/sipa/bips/blob/d194620/bip-schnorr.mediawiki * * [CASH] Schnorr Signature specification * Mark B. Lundeberg * https://github.com/bitcoincashorg/bitcoincash.org/blob/master/spec/2019-05-15-schnorr.md */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const BatchRNG = __node_require__(36 /* './batch-rng' */); const BN = __node_require__(31 /* '../bn' */); /** * Schnorr */ class Schnorr { constructor(curve, hash) { this.curve = curve; this.hash = hash; this.rng = new BatchRNG(this.curve, this.encode.bind(this)); } check() { // [SCHNORR] "Footnotes". // Must be congruent to 3 mod 4. if (this.curve.p.andln(3) !== 3) throw new Error(`Schnorr is not supported for ${this.curve.id}.`); } encode(key) { // Extra speedy key reserialization. assert(Buffer.isBuffer(key)); const {fieldSize} = this.curve; if (key.length === 1 + fieldSize) return key; if (key.length !== 1 + fieldSize * 2) throw new Error('Invalid point.'); const out = Buffer.alloc(1 + fieldSize); out[0] = 0x02 | (key[key.length - 1] & 1); key.copy(out, 1, 1, 1 + fieldSize); return out; } hashInt(...items) { // [SCHNORR] "Specification". // eslint-disable-next-line const h = new this.hash(); h.init(); for (const item of items) h.update(item); let hash = h.final(this.curve.scalarSize); if (hash.length > this.curve.scalarSize) hash = hash.slice(0, this.curve.scalarSize); const num = BN.decode(hash, this.curve.endian); num.iumaskn(this.curve.scalarBits); return num.imod(this.curve.n); } hashNonce(a, m) { return this.hashInt(a, m); } hashChallenge(R, A, m) { return this.hashInt(R, this.encode(A), m); } sign(msg, key) { assert(Buffer.isBuffer(msg)); this.check(); return this._sign(msg, key); } _sign(msg, key) { // Schnorr Signing. // // [SCHNORR] "Signing". // [CASH] "Recommended practices for secure signature generation". // // Assumptions: // // - Let `H` be a cryptographic hash function. // - Let `m` be a 32-byte array. // - Let `a` be a secret non-zero scalar. // - k != 0. // // Computation: // // A = G * a // k = H(a, m) mod n // R = G * k // k = -k mod n, if y(R) is not square // r = x(R) // e = H(r, A, m) mod n // s = (k + e * a) mod n // S = (r, s) // // Note that `k` must remain secret, // otherwise an attacker can compute: // // a = (s - k) / e mod n const {n} = this.curve; const G = this.curve.g; const a = this.curve.decodeScalar(key); if (a.isZero() || a.cmp(n) >= 0) throw new Error('Invalid private key.'); const A = G.mulBlind(a); const k = this.hashNonce(key, msg); if (k.isZero()) throw new Error('Signing failed (k\' = 0).'); const R = G.mulBlind(k); if (!R.isSquare()) k.ineg().imod(n); const Rraw = R.encodeX(); const Araw = A.encode(); const e = this.hashChallenge(Rraw, Araw, msg); const s = k.add(e.mul(a)).imod(n); return Buffer.concat([Rraw, this.curve.encodeScalar(s)]); } verify(msg, sig, key) { assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert(Buffer.isBuffer(key)); this.check(); if (sig.length !== this.curve.fieldSize + this.curve.scalarSize) return false; try { return this._verify(msg, sig, key); } catch (e) { return false; } } _verify(msg, sig, key) { // Schnorr Verification. // // [SCHNORR] "Verification". // [CASH] "Signature verification algorithm". // // Assumptions: // // - Let `H` be a cryptographic hash function. // - Let `m` be a 32-byte array. // - Let `r` and `s` be signature elements. // - Let `A` be a valid group element. // - r^3 + a * r + b is square in F(p). // - sqrt(r^3 + a * r + b) is square in F(p). // - r < p, s < n. // - R != O. // // Computation: // // R = (r, sqrt(r^3 + a * r + b)) // e = H(r, A, m) mod n // R == G * s - A * e // // We can skip a square root with: // // e = H(r, A, m) mod n // R = G * s - A * e // y(R) is square // x(R) == r // // We can also avoid affinization by // replacing the two assertions with: // // (y(R) * z(R) mod p) is square // x(R) == r * z(R)^2 mod p // // Furthermore, squareness can be calculated // with a variable time Jacobi symbol algorithm. const {p, n} = this.curve; const G = this.curve.g; const Rraw = sig.slice(0, this.curve.fieldSize); const sraw = sig.slice(this.curve.fieldSize); const r = this.curve.decodeField(Rraw); const s = this.curve.decodeScalar(sraw); const A = this.curve.decodePoint(key); if (r.cmp(p) >= 0 || s.cmp(n) >= 0) return false; const e = this.hashChallenge(Rraw, key, msg); const R = G.jmulAdd(s, A, e.ineg().imod(n)); if (!R.isSquare()) return false; if (!R.eqX(r)) return false; return true; } verifyBatch(batch) { assert(Array.isArray(batch)); this.check(); for (const item of batch) { assert(Array.isArray(item) && item.length === 3); const [msg, sig, key] = item; assert(Buffer.isBuffer(msg)); assert(Buffer.isBuffer(sig)); assert(Buffer.isBuffer(key)); if (sig.length !== this.curve.fieldSize + this.curve.scalarSize) return false; } try { return this._verifyBatch(batch); } catch (e) { return false; } } _verifyBatch(batch) { // Schnorr Batch Verification. // // [SCHNORR] "Batch Verification". // // Assumptions: // // - Let `H` be a cryptographic hash function. // - Let `m` be a 32-byte array. // - Let `r` and `s` be signature elements. // - Let `A` be a valid group element. // - Let `i` be the batch item index. // - r^3 + a * r + b is square in F(p). // - sqrt(r^3 + a * r + b) is square in F(p). // - r < p, s < n. // - a1 = 1 mod n. // // Computation: // // Ri = (ri, sqrt(ri^3 + a * ri + b)) // ei = H(ri, Ai, mi) mod n // ai = random integer in [1,n-1] // lhs = si * ai + ... mod n // rhs = Ri * ai + Ai * (ei * ai mod n) + ... // G * -lhs + rhs == O const {n} = this.curve; const G = this.curve.g; const points = new Array(1 + batch.length * 2); const coeffs = new Array(1 + batch.length * 2); const sum = new BN(0); this.rng.init(batch); points[0] = G; coeffs[0] = sum; for (let i = 0; i < batch.length; i++) { const [msg, sig, key] = batch[i]; const Rraw = sig.slice(0, this.curve.fieldSize); const sraw = sig.slice(this.curve.fieldSize); const R = this.curve.decodeSquare(Rraw); const s = this.curve.decodeScalar(sraw); const A = this.curve.decodePoint(key); if (s.cmp(n) >= 0) return false; const e = this.hashChallenge(Rraw, key, msg); const a = this.rng.generate(i); const ea = e.mul(a).imod(n); sum.iadd(s.mul(a)).imod(n); points[1 + i * 2 + 0] = R; coeffs[1 + i * 2 + 0] = a; points[1 + i * 2 + 1] = A; coeffs[1 + i * 2 + 1] = ea; } sum.ineg().imod(n); return this.curve.jmulAll(points, coeffs).isInfinity(); } } /* * Expose */ module.exports = Schnorr; }], [/* 36 */ 'bcrypto', '/lib/js/batch-rng.js', function(exports, module, __filename, __dirname, __meta) { /*! * batch-rng.js - batch rng for bcrypto * Copyright (c) 2019-2020, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on ElementsProject/secp256k1-zkp: * Copyright (c) 2013, Pieter Wuille. * https://github.com/ElementsProject/secp256k1-zkp * * Resources: * https://github.com/ElementsProject/secp256k1-zkp/blob/11af701/src/modules/schnorrsig/main_impl.h#L166 * https://github.com/ElementsProject/secp256k1-zkp/blob/11af701/src/scalar_4x64_impl.h#L972 * https://github.com/ElementsProject/secp256k1-zkp/blob/11af701/src/scalar_8x32_impl.h#L747 */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const BN = __node_require__(31 /* '../bn' */); const ChaCha20 = __node_require__(37 /* '../chacha20' */); const SHA256 = __node_require__(39 /* '../sha256' */); /** * BatchRNG */ class BatchRNG { constructor(curve, encode = key => key) { this.curve = curve; this.encode = encode; this.hash = new SHA256(); this.chacha = new ChaCha20(); this.key = Buffer.alloc(32, 0x00); this.iv = Buffer.alloc(8, 0x00); this.cache = [new BN(1), new BN(1)]; } init(batch) { assert(Array.isArray(batch)); this.hash.init(); for (const [msg, sig, key] of batch) { this.hash.update(SHA256.digest(msg)); this.hash.update(sig); this.hash.update(this.encode(key)); } this.key = this.hash.final(); this.cache[0] = new BN(1); this.cache[1] = new BN(1); return this; } encrypt(counter) { const size = this.curve.scalarSize * 2; const data = Buffer.alloc(size, 0x00); const left = data.slice(0, this.curve.scalarSize); const right = data.slice(this.curve.scalarSize); this.chacha.init(this.key, this.iv, counter); this.chacha.encrypt(data); return [ this.curve.decodeScalar(left), this.curve.decodeScalar(right) ]; } refresh(counter) { let overflow = 0; for (;;) { // First word is always zero. this.iv[4] = overflow; this.iv[5] = overflow >>> 8; this.iv[6] = overflow >>> 16; this.iv[7] = overflow >>> 24; overflow += 1; const [s1, s2] = this.encrypt(counter); if (s1.isZero() || s1.cmp(this.curve.n) >= 0) continue; if (s2.isZero() || s2.cmp(this.curve.n) >= 0) continue; this.cache[0] = s1; this.cache[1] = s2; break; } } generate(index) { assert((index >>> 0) === index); if (index & 1) this.refresh(index >>> 1); return this.cache[index & 1]; } } /* * Expose */ module.exports = BatchRNG; }], [/* 37 */ 'bcrypto', '/lib/chacha20-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * chacha20.js - chacha20 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(38 /* './js/chacha20' */); }], [/* 38 */ 'bcrypto', '/lib/js/chacha20.js', function(exports, module, __filename, __dirname, __meta) { /*! * chacha20.js - chacha20 for bcrypto * Copyright (c) 2016-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Resources * https://en.wikipedia.org/wiki/Chacha20 * https://tools.ietf.org/html/rfc7539#section-2 * https://cr.yp.to/chacha.html */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /* * Constants */ const BIG_ENDIAN = new Int8Array(new Int16Array([1]).buffer)[0] === 0; /** * ChaCha20 */ class ChaCha20 { /** * Create a ChaCha20 context. * @constructor */ constructor() { this.state = new Uint32Array(16); this.stream = new Uint32Array(16); this.bytes = new Uint8Array(this.stream.buffer); this.pos = -1; if (BIG_ENDIAN) this.bytes = Buffer.alloc(64); } /** * Initialize chacha20 with a key, nonce, and counter. * @param {Buffer} key * @param {Buffer} nonce * @param {Number} counter */ init(key, nonce, counter) { if (counter == null) counter = 0; assert(Buffer.isBuffer(key)); assert(Buffer.isBuffer(nonce)); assert(Number.isSafeInteger(counter)); if (key.length !== 16 && key.length !== 32) throw new RangeError('Invalid key size.'); if (nonce.length >= 24) { key = ChaCha20.derive(key, nonce.slice(0, 16)); nonce = nonce.slice(16); } this.state[0] = 0x61707865; this.state[1] = key.length < 32 ? 0x3120646e : 0x3320646e; this.state[2] = key.length < 32 ? 0x79622d36 : 0x79622d32; this.state[3] = 0x6b206574; this.state[4] = readU32(key, 0); this.state[5] = readU32(key, 4); this.state[6] = readU32(key, 8); this.state[7] = readU32(key, 12); this.state[8] = readU32(key, 16 % key.length); this.state[9] = readU32(key, 20 % key.length); this.state[10] = readU32(key, 24 % key.length); this.state[11] = readU32(key, 28 % key.length); this.state[12] = counter >>> 0; if (nonce.length === 8) { this.state[13] = (counter / 0x100000000) >>> 0; this.state[14] = readU32(nonce, 0); this.state[15] = readU32(nonce, 4); } else if (nonce.length === 12) { this.state[13] = readU32(nonce, 0); this.state[14] = readU32(nonce, 4); this.state[15] = readU32(nonce, 8); } else if (nonce.length === 16) { this.state[12] = readU32(nonce, 0); this.state[13] = readU32(nonce, 4); this.state[14] = readU32(nonce, 8); this.state[15] = readU32(nonce, 12); } else { throw new RangeError('Invalid nonce size.'); } this.pos = 0; return this; } /** * Encrypt/decrypt data. * @param {Buffer} data - Will be mutated. * @returns {Buffer} */ encrypt(data) { assert(Buffer.isBuffer(data)); if (this.pos === -1) throw new Error('Context is not initialized.'); for (let i = 0; i < data.length; i++) { if ((this.pos & 63) === 0) { this._block(); this.pos = 0; } data[i] ^= this.bytes[this.pos++]; } return data; } /** * Stir the stream. */ _block() { for (let i = 0; i < 16; i++) this.stream[i] = this.state[i]; for (let i = 0; i < 10; i++) { qround(this.stream, 0, 4, 8, 12); qround(this.stream, 1, 5, 9, 13); qround(this.stream, 2, 6, 10, 14); qround(this.stream, 3, 7, 11, 15); qround(this.stream, 0, 5, 10, 15); qround(this.stream, 1, 6, 11, 12); qround(this.stream, 2, 7, 8, 13); qround(this.stream, 3, 4, 9, 14); } for (let i = 0; i < 16; i++) this.stream[i] += this.state[i]; if (BIG_ENDIAN) { for (let i = 0; i < 16; i++) writeU32(this.bytes, this.stream[i], i * 4); } this.state[12] += 1; if (this.state[12] === 0) this.state[13] += 1; } /** * Destroy context. */ destroy() { for (let i = 0; i < 16; i++) { this.state[i] = 0; this.stream[i] = 0; } if (BIG_ENDIAN) { for (let i = 0; i < 64; i++) this.bytes[i] = 0; } this.pos = -1; return this; } /** * Derive key with XChaCha20. * @param {Buffer} key * @param {Buffer} nonce * @returns {Buffer} */ static derive(key, nonce) { assert(Buffer.isBuffer(key)); assert(Buffer.isBuffer(nonce)); if (key.length !== 16 && key.length !== 32) throw new RangeError('Invalid key size.'); if (nonce.length !== 16) throw new RangeError('Invalid nonce size.'); const state = new Uint32Array(16); state[0] = 0x61707865; state[1] = key.length < 32 ? 0x3120646e : 0x3320646e; state[2] = key.length < 32 ? 0x79622d36 : 0x79622d32; state[3] = 0x6b206574; state[4] = readU32(key, 0); state[5] = readU32(key, 4); state[6] = readU32(key, 8); state[7] = readU32(key, 12); state[8] = readU32(key, 16 % key.length); state[9] = readU32(key, 20 % key.length); state[10] = readU32(key, 24 % key.length); state[11] = readU32(key, 28 % key.length); state[12] = readU32(nonce, 0); state[13] = readU32(nonce, 4); state[14] = readU32(nonce, 8); state[15] = readU32(nonce, 12); for (let i = 0; i < 10; i++) { qround(state, 0, 4, 8, 12); qround(state, 1, 5, 9, 13); qround(state, 2, 6, 10, 14); qround(state, 3, 7, 11, 15); qround(state, 0, 5, 10, 15); qround(state, 1, 6, 11, 12); qround(state, 2, 7, 8, 13); qround(state, 3, 4, 9, 14); } const out = Buffer.alloc(32); writeU32(out, state[0], 0); writeU32(out, state[1], 4); writeU32(out, state[2], 8); writeU32(out, state[3], 12); writeU32(out, state[12], 16); writeU32(out, state[13], 20); writeU32(out, state[14], 24); writeU32(out, state[15], 28); return out; } } /* * Static */ ChaCha20.native = 0; /* * Helpers */ function qround(x, a, b, c, d) { x[a] += x[b]; x[d] = rotl32(x[d] ^ x[a], 16); x[c] += x[d]; x[b] = rotl32(x[b] ^ x[c], 12); x[a] += x[b]; x[d] = rotl32(x[d] ^ x[a], 8); x[c] += x[d]; x[b] = rotl32(x[b] ^ x[c], 7); } function rotl32(w, b) { return (w << b) | (w >>> (32 - b)); } function readU32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000); } function writeU32(dst, num, off) { dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; num >>>= 8; dst[off++] = num; return off; } /* * Expose */ module.exports = ChaCha20; }], [/* 39 */ 'bcrypto', '/lib/sha256-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha256.js - sha256 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(20 /* './js/sha256' */); }], [/* 40 */ 'bcrypto', '/lib/hmac-drbg-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * hmac-drbg.js - hmac-drbg for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(41 /* './js/hmac-drbg' */); }], [/* 41 */ 'bcrypto', '/lib/js/hmac-drbg.js', function(exports, module, __filename, __dirname, __meta) { /*! * hmac-drbg.js - hmac-drbg implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/hmac-drbg: * Copyright Fedor Indutny, 2017. * https://github.com/indutny/hmac-drbg * * Resources: * https://tools.ietf.org/html/rfc6979 * https://csrc.nist.gov/publications/detail/sp/800-90a/archive/2012-01-23 * https://github.com/indutny/hmac-drbg/blob/master/lib/hmac-drbg.js */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /* * Constants */ const RESEED_INTERVAL = 0x1000000000000; const ZERO = Buffer.from([0x00]); const ONE = Buffer.from([0x01]); /** * HmacDRBG */ class HmacDRBG { constructor(hash, entropy, nonce, pers) { assert(hash && typeof hash.id === 'string'); this.hash = hash; this.minEntropy = hash.id === 'SHA1' ? 10 : 24; this.K = Buffer.alloc(hash.size); this.V = Buffer.alloc(hash.size); this.rounds = 0; if (entropy) this.init(entropy, nonce, pers); } init(entropy, nonce, pers) { if (nonce == null) nonce = Buffer.alloc(0); if (pers == null) pers = Buffer.alloc(0); assert(Buffer.isBuffer(entropy)); assert(Buffer.isBuffer(nonce)); assert(Buffer.isBuffer(pers)); for (let i = 0; i < this.V.length; i++) { this.K[i] = 0x00; this.V[i] = 0x01; } const seed = Buffer.concat([entropy, nonce, pers]); if (seed.length < this.minEntropy) throw new Error('Not enough entropy.'); this.update(seed); this.rounds = 1; return this; } reseed(entropy, add) { if (add == null) add = Buffer.alloc(0); assert(Buffer.isBuffer(entropy)); assert(Buffer.isBuffer(add)); if (this.rounds === 0) throw new Error('DRBG not initialized.'); const seed = Buffer.concat([entropy, add]); if (seed.length < this.minEntropy) throw new Error('Not enough entropy.'); this.update(seed); this.rounds = 1; return this; } generate(len, add) { assert((len >>> 0) === len); assert(add == null || Buffer.isBuffer(add)); if (this.rounds === 0) throw new Error('DRBG not initialized.'); if (this.rounds > RESEED_INTERVAL) throw new Error('Reseed is required.'); if (add && add.length > 0) this.update(add); const blocks = Math.ceil(len / this.hash.size); const out = Buffer.alloc(blocks * this.hash.size); for (let i = 0; i < blocks; i++) { this.V = this.mac(this.V); this.V.copy(out, i * this.hash.size); } this.update(add); this.rounds += 1; return out.slice(0, len); } randomBytes(size) { return this.generate(size); } /* * Helpers */ mac(data) { return this.hash.mac(data, this.K); } hmac() { return this.hash.hmac().init(this.K); } update(seed) { assert(seed == null || Buffer.isBuffer(seed)); const kmac = this.hmac(); kmac.update(this.V); kmac.update(ZERO); if (seed) kmac.update(seed); this.K = kmac.final(); this.V = this.mac(this.V); if (seed && seed.length > 0) { const kmac = this.hmac(); kmac.update(this.V); kmac.update(ONE); kmac.update(seed); this.K = kmac.final(); this.V = this.mac(this.V); } return this; } } /* * Static */ HmacDRBG.native = 0; /* * Expose */ module.exports = HmacDRBG; }], [/* 42 */ 'bcrypto', '/lib/js/elliptic.js', function(exports, module, __filename, __dirname, __meta) { /*! * elliptic.js - elliptic curves for bcrypto * Copyright (c) 2018-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on indutny/elliptic: * Copyright (c) 2014, Fedor Indutny (MIT License). * https://github.com/indutny/elliptic * * Formulas from DJB and Tanja Lange [EFD]. * * References: * * [GECC] Guide to Elliptic Curve Cryptography * D. Hankerson, A. Menezes, and S. Vanstone * https://tinyurl.com/guide-to-ecc * * [GLV] Faster Point Multiplication on Elliptic Curves * R. Gallant, R. Lambert, and S. Vanstone * https://link.springer.com/content/pdf/10.1007/3-540-44647-8_11.pdf * * [MONT1] Montgomery curves and the Montgomery ladder * Daniel J. Bernstein, Tanja Lange * https://eprint.iacr.org/2017/293.pdf * * [SQUARED] Elligator Squared * Mehdi Tibouchi * https://eprint.iacr.org/2014/043.pdf * * [SEC1] SEC 1 - Standards for Efficient Cryptography Group * Certicom Research * https://www.secg.org/sec1-v2.pdf * * [SEC2] SEC 2: Recommended Elliptic Curve Domain Parameters * Certicom Research * https://www.secg.org/sec2-v2.pdf * * [SIDE1] Elliptic Curves and Side-Channel Attacks * Marc Joye * https://pdfs.semanticscholar.org/8d69/9645033e25d74fcfd4cbf07a770d2e943e14.pdf * * [BLIND] Side-Channel Analysis on Blinding Regular Scalar Multiplications * B. Feix, M. Roussellet, A. Venelli * https://eprint.iacr.org/2014/191.pdf * * [ALT] Alternative Elliptic Curve Representations * R. Struik * https://tools.ietf.org/id/draft-ietf-lwig-curve-representations-02.html * * [ARITH1] Arithmetic of Elliptic Curves * Christophe Doche, Tanja Lange * Handbook of Elliptic and Hyperelliptic Curve Cryptography * Page 267, Section 13 (978-1-58488-518-4) * https://hyperelliptic.org/HEHCC/index.html * * [ARITH2] The Arithmetic of Elliptic Curves, 2nd Edition * Joseph H. Silverman * http://www.pdmi.ras.ru/~lowdimma/BSD/Silverman-Arithmetic_of_EC.pdf * * [EFD] Explicit-Formulas Database * Daniel J. Bernstein, Tanja Lange * https://hyperelliptic.org/EFD/index.html * * [SAFE] SafeCurves: choosing safe curves for elliptic-curve cryptography * Daniel J. Bernstein * https://safecurves.cr.yp.to/ * * [4GLV] Refinement of the Four-Dimensional GLV Method on Elliptic Curves * Hairong Yi, Yuqing Zhu, and Dongdai Lin * http://www.site.uottawa.ca/~cadams/papers/prepro/paper_19_slides.pdf * * [SSWU1] Efficient Indifferentiable Hashing into Ordinary Elliptic Curves * E. Brier, J. Coron, T. Icart, D. Madore, H. Randriam, M. Tibouchi * https://eprint.iacr.org/2009/340.pdf * * [SSWU2] Rational points on certain hyperelliptic curves over finite fields * Maciej Ulas * https://arxiv.org/abs/0706.1448 * * [H2EC] Hashing to Elliptic Curves * A. Faz-Hernandez, S. Scott, N. Sullivan, R. S. Wahby, C. A. Wood * https://git.io/JeWz6 * https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve * * [SVDW1] Construction of Rational Points on Elliptic Curves * A. Shallue, C. E. van de Woestijne * https://works.bepress.com/andrew_shallue/1/download/ * * [SVDW2] Indifferentiable Hashing to Barreto-Naehrig Curves * Pierre-Alain Fouque, Mehdi Tibouchi * https://www.di.ens.fr/~fouque/pub/latincrypt12.pdf * * [SVDW3] Covert ECDH over secp256k1 * Pieter Wuille * https://gist.github.com/sipa/29118d3fcfac69f9930d57433316c039 * * [MONT2] Montgomery Curve (wikipedia) * https://en.wikipedia.org/wiki/Montgomery_curve * * [MONT3] Montgomery Curves and their arithmetic * C. Costello, B. Smith * https://eprint.iacr.org/2017/212.pdf * * [ELL2] Elliptic-curve points indistinguishable from uniform random strings * D. Bernstein, M. Hamburg, A. Krasnova, T. Lange * https://elligator.cr.yp.to/elligator-20130828.pdf * * [RFC7748] Elliptic Curves for Security * A. Langley, M. Hamburg, S. Turner * https://tools.ietf.org/html/rfc7748 * * [TWISTED] Twisted Edwards Curves * D. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters * https://eprint.iacr.org/2008/013.pdf * * [ELL1] Injective Encodings to Elliptic Curves * P. Fouque, A. Joux, M. Tibouchi * https://eprint.iacr.org/2013/373.pdf * * [ISOGENY] Twisting Edwards curves with isogenies * Mike Hamburg * https://www.shiftleft.org/papers/isogeny/isogeny.pdf * * [RFC8032] Edwards-Curve Digital Signature Algorithm (EdDSA) * S. Josefsson, SJD AB, I. Liusvaara * https://tools.ietf.org/html/rfc8032 * * [SCHNORR] Schnorr Signatures for secp256k1 * Pieter Wuille * https://github.com/sipa/bips/blob/d194620/bip-schnorr.mediawiki * * [BIP340] Schnorr Signatures for secp256k1 * Pieter Wuille, Jonas Nick, Tim Ruffing * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki * * [JCEN12] Efficient Software Implementation of Public-Key Cryptography * on Sensor Networks Using the MSP430X Microcontroller * C. P. L. Gouvea, L. B. Oliveira, J. Lopez * http://conradoplg.cryptoland.net/files/2010/12/jcen12.pdf * * [FIPS186] Federal Information Processing Standards Publication * National Institute of Standards and Technology * https://tinyurl.com/fips-186-3 * * [RFC5639] Elliptic Curve Cryptography (ECC) Brainpool * Standard Curves and Curve Generation * M. Lochter, BSI, J. Merkle * https://tools.ietf.org/html/rfc5639 * * [TWISTEQ] Twisted Edwards & Short Weierstrass Equivalence * Christopher Jeffrey * https://gist.github.com/chjj/16ba7fa08d64e8dda269a9fe5b2a8bbc * * [ECPM] Elliptic Curve Point Multiplication (wikipedia) * https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication */ 'use strict'; const {custom} = __node_require__(33 /* '../internal/custom' */); const BN = __node_require__(31 /* '../bn' */); /* * Constants */ const types = { AFFINE: 0, JACOBIAN: 1, PROJECTIVE: 2, EXTENDED: 3 }; const jsfIndex = [ -3, // -1 -1 -1, // -1 0 -5, // -1 1 -7, // 0 -1 0, // 0 0 7, // 0 1 5, // 1 -1 1, // 1 0 3 // 1 1 ]; const USE_FIXED = false; let uid = 0; /** * Curve */ class Curve { constructor(Point, type, conf) { this.Point = null; this.id = null; this.uid = uid++; this.ossl = null; this.type = 'base'; this.endian = 'be'; this.hash = null; this.prefix = null; this.context = false; this.prime = null; this.p = null; this.red = null; this.fieldSize = 0; this.fieldBits = 0; this.adjustedSize = 0; this.signBit = 0; this.mask = 0; this.n = null; this.h = null; this.q = null; this.z = null; this.g = null; this.nh = null; this.scalarSize = 0; this.scalarBits = 0; this.zero = null; this.one = null; this.two = null; this.three = null; this.four = null; this.i2 = null; this.i3 = null; this.i4 = null; this.i6 = null; this.torsion = null; this.endo = null; this.hi = null; this._init(Point, type, conf); } _init(Point, type, conf) { assert(typeof Point === 'function'); assert(typeof type === 'string'); assert(conf && typeof conf === 'object'); assert(conf.red == null || (conf.red instanceof BN.Red)); assert(conf.p != null, 'Must pass a prime.'); assert(conf.id == null || typeof conf.id === 'string'); assert(conf.ossl == null || typeof conf.ossl === 'string'); assert(conf.endian == null || typeof conf.endian === 'string'); assert(conf.hash == null || typeof conf.hash === 'string'); assert(conf.prefix == null || typeof conf.prefix === 'string'); assert(conf.context == null || typeof conf.context === 'boolean'); assert(conf.prime == null || typeof conf.prime === 'string'); assert(conf.torsion == null || Array.isArray(conf.torsion)); // Point class. this.Point = Point; // Meta. this.id = conf.id || null; this.ossl = conf.ossl || null; this.type = type; this.endian = conf.endian || (type === 'short' ? 'be' : 'le'); this.hash = conf.hash || null; this.prefix = conf.prefix ? Buffer.from(conf.prefix, 'binary') : null; this.context = conf.context || false; this.prime = conf.prime || null; // Prime. this.p = BN.fromJSON(conf.p); // Reduction. if (conf.red) { this.red = conf.red; } else { // Use Montgomery when there is no fast reduction for the prime. this.red = conf.prime ? BN.red(conf.prime) : BN.mont(this.p); this.red.precompute(); } // Precalculate encoding length. this.fieldSize = this.p.byteLength(); this.fieldBits = this.p.bitLength(); this.adjustedSize = this.fieldSize + ((this.fieldBits & 7) === 0); this.signBit = this.adjustedSize * 8 - 1; this.mask = 0xff; if ((this.fieldBits & 7) !== 0) this.mask = (1 << (this.fieldBits & 7)) - 1; // Curve configuration, optional. this.n = BN.fromJSON(conf.n || '0'); this.h = BN.fromJSON(conf.h || '1'); this.q = this.n.mul(this.h); this.z = BN.fromJSON(conf.z || '0').toRed(this.red); this.g = null; this.nh = this.n.ushrn(1); this.scalarSize = this.n.byteLength(); this.scalarBits = this.n.bitLength(); // Useful for many curves. this.zero = new BN(0).toRed(this.red); this.one = new BN(1).toRed(this.red); this.two = new BN(2).toRed(this.red); this.three = new BN(3).toRed(this.red); this.four = new BN(4).toRed(this.red); // Inverses. this.i2 = this.two.redInvert(); this.i3 = this.three.redInvert(); this.i4 = this.i2.redSqr(); this.i6 = this.i2.redMul(this.i3); // Torsion. this.torsion = new Array(this.h.word(0)); for (let i = 0; i < this.torsion.length; i++) this.torsion[i] = this.point(); // Endomorphism. this.endo = null; // Cache. this.hi = null; // Memoize. this._scale = memoize(this._scale, this); this.isIsomorphic = memoize(this.isIsomorphic, this); this.isIsogenous = memoize(this.isIsogenous, this); // Sanity checks. assert(this.p.sign() > 0 && this.p.isOdd()); assert(this.n.sign() >= 0); assert(this.h.sign() > 0 && this.h.cmpn(255) <= 0); assert(this.endian === 'be' || this.endian === 'le'); return this; } _finalize(conf) { assert(conf && typeof conf === 'object'); // Create base point. this.g = conf.g ? this.pointFromJSON(conf.g) : this.point(); // Parse small order points. if (conf.torsion) { assert(conf.torsion.length === this.torsion.length); for (let i = 0; i < this.torsion.length; i++) this.torsion[i] = this.pointFromJSON(conf.torsion[i]); } return this; } _findTorsion() { // Find all torsion points by grinding. assert(!this.n.isZero()); const h = this.h.word(0); const x = this.one.redNeg(); const out = [this.point()]; const set = new Set(); let len = h; while (out.length < len) { let p; x.redIAdd(this.one); try { p = this.pointFromX(x.clone()); } catch (e) { continue; } try { p = p.mul(this.n); } catch (e) { len = 2; continue; } if (p.isInfinity()) continue; p.normalize(); for (const point of [p, p.neg()]) { const key = point.key(); if (!set.has(key)) { out.push(point); set.add(key); } } } out.sort((a, b) => a.cmp(b)); while (out.length < h) out.push(this.point()); return out; } _fixedMul(p, k) { // Fixed-base method for point multiplication. // // [ECPM] "Windowed method". // [GECC] Page 95, Section 3.3. // // Windows are appropriately shifted to avoid any // doublings. This reduces a 256 bit multiplication // down to 64 additions with a window size of 4. assert(p instanceof Point); assert(k instanceof BN); assert(p.pre && p.pre.windows); // Get precomputed windows. const {width, points} = p._getWindows(0, 0); // Recompute window size. const size = 1 << width; // Recompute steps. const bits = k.bitLength(); const steps = ((bits + width - 1) / width) >>> 0; // Multiply. let acc = this.jpoint(); for (let i = 0; i < steps; i++) { const bits = k.bits(i * width, width); acc = acc.add(points[i * size + bits]); } // Adjust sign. if (k.isNeg()) acc = acc.neg(); return acc; } _fixedNafMul(p, k) { // Fixed-base NAF windowing method for point multiplication. // // [GECC] Algorithm 3.42, Page 105, Section 3.3. assert(p instanceof Point); assert(k instanceof BN); assert(p.pre && p.pre.doubles); // Get precomputed doubles. const {step, points} = p._getDoubles(0, 0); // Get fixed NAF (in a more windowed form). const naf = getFixedNAF(k, 2, k.bitLength() + 1, step); // Compute steps. const I = ((1 << (step + 1)) - (step % 2 === 0 ? 2 : 1)) / 3; // Multiply. let a = this.jpoint(); let b = this.jpoint(); for (let i = I; i > 0; i--) { for (let j = 0; j < naf.length; j++) { const nafW = naf[j]; if (nafW === i) b = b.add(points[j]); else if (nafW === -i) b = b.sub(points[j]); } a = a.add(b); } return a; } _wnafMul(w, p, k) { // Window NAF method for point multiplication. // // [GECC] Algorithm 3.36, Page 100, Section 3.3. assert(p instanceof Point); assert(k instanceof BN); // Precompute window. const {width, points} = p._safeNAF(w); // Get NAF form. const naf = getNAF(k, width, k.bitLength() + 1); // Add `this`*(N+1) for every w-NAF index. let acc = this.jpoint(); for (let i = naf.length - 1; i >= 0; i--) { const z = naf[i]; if (i !== naf.length - 1) acc = acc.dbl(); if (z > 0) acc = acc.add(points[(z - 1) >> 1]); else if (z < 0) acc = acc.sub(points[(-z - 1) >> 1]); } return acc; } _wnafMulAdd(w, points, coeffs) { // Multiple point multiplication, also known // as "Shamir's trick" (with interleaved NAFs). // // [GECC] Algorithm 3.48, Page 109, Section 3.3.3. // Algorithm 3.51, Page 112, Section 3.3. // // This is particularly useful for signature // verifications and mutiplications after an // endomorphism split. assert((w >>> 0) === w); assert(Array.isArray(points)); assert(Array.isArray(coeffs)); assert(points.length === coeffs.length); const length = points.length; const wnd = new Array(length); const naf = new Array(length); // Check arrays and calculate size. let max = 0; for (let i = 0; i < length; i++) { const point = points[i]; const coeff = coeffs[i]; assert(point instanceof Point); assert(coeff instanceof BN); if (i > 0 && point.type !== points[i - 1].type) throw new Error('Cannot mix points.'); // Avoid sparse arrays. wnd[i] = null; naf[i] = null; // Compute max scalar size. max = Math.max(max, coeff.bitLength() + 1); } // Compute NAFs. let ppoint = null; let pcoeff = null; let len = 0; for (let i = 0; i < length; i++) { const point = points[i]; const coeff = coeffs[i]; const pre = point._getNAF(0); // Use precomputation if available. if (pre) { wnd[len] = pre.points; naf[len] = getNAF(coeff, pre.width, max); len += 1; continue; } // Save last non-precomputed point. if (!ppoint) { ppoint = point; pcoeff = coeff; continue; } // Compute JSF in NAF form. wnd[len] = ppoint._getJNAF(point); naf[len] = getJNAF(pcoeff, coeff, max); ppoint = null; pcoeff = null; len += 1; } // Regular NAF for odd points. if (ppoint) { const nafw = ppoint._safeNAF(w); wnd[len] = nafw.points; naf[len] = getNAF(pcoeff, nafw.width, max); len += 1; } // Multiply and add. let acc = this.jpoint(); for (let i = max - 1; i >= 0; i--) { if (i !== max - 1) acc = acc.dbl(); for (let j = 0; j < len; j++) { const z = naf[j][i]; if (z > 0) acc = acc.add(wnd[j][(z - 1) >> 1]); else if (z < 0) acc = acc.sub(wnd[j][(-z - 1) >> 1]); } } return acc; } _endoWnafMulAdd(points, coeffs) { throw new Error('Not implemented.'); } _scale(curve, invert) { assert(curve instanceof Curve); assert(curve.p.eq(this.p)); switch (curve.type) { case 'short': return this._scaleShort(curve, invert); case 'mont': return this._scaleMont(curve, invert); case 'edwards': return this._scaleEdwards(curve, invert); default: throw new Error('Not implemented.'); } } _scaleShort(curve, invert) { throw new Error('Not implemented.'); } _scaleMont(curve, invert) { throw new Error('Not implemented.'); } _scaleEdwards(curve, invert) { throw new Error('Not implemented.'); } isElliptic() { throw new Error('Not implemented.'); } jinv() { throw new Error('Not implemented.'); } isComplete() { return false; } precompute(rng) { assert(!this.g.isInfinity(), 'Must have base point.'); assert(!this.n.isZero(), 'Must have order.'); this.g.precompute(this.n.bitLength(), rng); return this; } scalar(num, base, endian) { const k = new BN(num, base, endian); assert(!k.red); if (this.n.isZero()) return k; return k.imod(this.n); } field(num, base, endian) { const x = BN.cast(num, base, endian); if (x.red) return x.forceRed(this.red); return x.toRed(this.red); } point(x, y) { throw new Error('Not implemented.'); } jpoint(x, y, z) { throw new Error('Not implemented.'); } xpoint(x, z) { throw new Error('Not implemented.'); } cpoint(xx, xz, yy, yz) { assert(xx instanceof BN); assert(xz instanceof BN); assert(yy instanceof BN); assert(yz instanceof BN); if (xz.isZero() || yz.isZero()) return this.point(); const z = xz.redMul(yz).redInvert(); const x = xx.redMul(yz).redMul(z); const y = yy.redMul(xz).redMul(z); return this.point(x, y); } solveX2(y) { throw new Error('Not implemented.'); } solveX(y) { return this.solveX2(y).redSqrt(); } solveY2(x) { throw new Error('Not implemented.'); } solveY(x) { return this.solveY2(x).redSqrt(); } validate(point) { throw new Error('Not implemented.'); } pointFromX(x, sign) { throw new Error('Not implemented.'); } pointFromY(y, sign) { throw new Error('Not implemented.'); } isIsomorphic(curve) { throw new Error('Not implemented.'); } isIsogenous(curve) { throw new Error('Not implemented.'); } pointFromShort(point) { throw new Error('Not implemented.'); } pointFromMont(point, sign) { throw new Error('Not implemented.'); } pointFromEdwards(point) { throw new Error('Not implemented.'); } pointFromUniform(u) { throw new Error('Not implemented.'); } pointToUniform(p) { throw new Error('Not implemented.'); } pointFromHash(bytes, pake = false) { // [H2EC] "Roadmap". assert(Buffer.isBuffer(bytes)); assert(typeof pake === 'boolean'); if (bytes.length !== this.fieldSize * 2) throw new Error('Invalid hash size.'); // Random oracle encoding. // Ensure a proper distribution. const s1 = bytes.slice(0, this.fieldSize); const s2 = bytes.slice(this.fieldSize); const u1 = this.decodeUniform(s1); const u2 = this.decodeUniform(s2); const p1 = this.pointFromUniform(u1); const p2 = this.pointFromUniform(u2); const p3 = p1.add(p2); return pake ? p3.mulH() : p3; } pointToHash(p, subgroup, rng) { // [SQUARED] Algorithm 1, Page 8, Section 3.3. assert(p instanceof this.Point); assert((subgroup >>> 0) === subgroup); // Add a random torsion component. const i = subgroup % this.torsion.length; const p0 = p.add(this.torsion[i]); // Average Cost (R = sqrt): // // SSWU (~4 iterations) => 8I + 16R // SVDW (~4 iterations) => 12I + 28R // Elligator 1 (~2 iterations) => 6I + 10R // Elligator 2 (~2 iterations) => 4I + 6R // Ristretto (~1 iteration) => 1I + 2R + h*1R for (;;) { const u1 = this.randomField(rng); const p1 = this.pointFromUniform(u1); // Avoid 2-torsion points: // Short Weierstrass: ((A / 3) / B, 0) // Montgomery: (0, 0) // Twisted Edwards: (0, -1) if (p1.neg().eq(p1)) continue; const p2 = p0.sub(p1); const hint = randomInt(rng); let u2; try { u2 = this.pointToUniform(p2, hint & 15); } catch (e) { if (e.message === 'Invalid point.') continue; throw e; } const s1 = this.encodeUniform(u1, hint >>> 8); const s2 = this.encodeUniform(u2, hint >>> 16); return Buffer.concat([s1, s2]); } } randomScalar(rng) { const max = this.n.isZero() ? this.p : this.n; return BN.random(rng, 1, max); } randomField(rng) { return BN.random(rng, 1, this.p).toRed(this.red); } randomPoint(rng) { let p; for (;;) { const x = this.randomField(rng); const sign = (randomInt(rng) & 1) !== 0; try { p = this.pointFromX(x, sign); } catch (e) { continue; } assert(p.validate()); return p.mulH(); } } mulAll(points, coeffs) { return this.jmulAll(points, coeffs); } jmulAll(points, coeffs) { assert(Array.isArray(points)); assert(points.length === 0 || (points[0] instanceof Point)); // Multiply with endomorphism if we're using affine points. if (this.endo && points.length > 0 && points[0].type === types.AFFINE) return this._endoWnafMulAdd(points, coeffs); // Otherwise, a regular Shamir's trick. return this._wnafMulAdd(5, points, coeffs); } mulH(k) { assert(k instanceof BN); return this.imulH(k.clone()); } imulH(k) { assert(k instanceof BN); assert(!k.red); const word = this.h.word(0); // Optimize for powers of two. if ((word & (word - 1)) === 0) { const bits = this.h.bitLength(); return k.iushln(bits - 1).imod(this.n); } return k.imuln(word).imod(this.n); } normalizeAll(points) { assert(Array.isArray(points)); const len = points.length; const z = new Array(len); for (let i = 0; i < len; i++) { const p = points[i]; assert(p instanceof Point); assert(p.curve === this); if (p.type === types.AFFINE) { z[i] = this.one; continue; } z[i] = p.z; } const zi = this.red.invertAll(z); const out = new Array(len); for (let i = 0; i < len; i++) out[i] = points[i].scale(zi[i]); return out; } affinizeAll(points) { return this.normalizeAll(points); } clamp(scalar) { // [RFC7748] Page 8, Section 5. // [RFC8032] Section 5.1.5 & 5.2.5. assert(Buffer.isBuffer(scalar)); assert(scalar.length === this.scalarSize); assert(this.scalarSize <= this.fieldSize); let top = (this.fieldBits & 7) || 8; let lsb = 0; let msb = this.scalarSize - 1; // Swap endianness. if (this.endian === 'be') [lsb, msb] = [msb, lsb]; // Adjust for low order. if (this.scalarSize < this.fieldSize) top = 8; // Ensure a multiple of the cofactor. scalar[lsb] &= -this.h.word(0) & 0xff; // Clamp to the prime. scalar[msb] &= (1 << top) - 1; // Set the high bit. scalar[msb] |= 1 << (top - 1); return scalar; } splitHash(bytes) { // [RFC8032] Section 5.1.6 & 5.2.6. assert(Buffer.isBuffer(bytes)); assert(bytes.length === this.adjustedSize * 2); assert(this.scalarSize <= this.adjustedSize); let off = 0; if (this.endian === 'be') off = this.adjustedSize - this.scalarSize; const scalar = bytes.slice(off, off + this.scalarSize); const prefix = bytes.slice(this.adjustedSize); this.clamp(scalar); return [scalar, prefix]; } encodeField(x) { // [SEC1] Page 12, Section 2.3.5. assert(x instanceof BN); assert(!x.red); return x.encode(this.endian, this.fieldSize); } decodeField(bytes) { // [SEC1] Page 13, Section 2.3.6. assert(Buffer.isBuffer(bytes)); if (bytes.length !== this.fieldSize) throw new Error('Invalid field element size.'); return BN.decode(bytes, this.endian); } encodeAdjusted(x) { assert(x instanceof BN); assert(!x.red); return x.encode(this.endian, this.adjustedSize); } decodeAdjusted(bytes) { assert(Buffer.isBuffer(bytes)); if (bytes.length !== this.adjustedSize) throw new Error('Invalid field element size.'); return BN.decode(bytes, this.endian); } encodeScalar(k) { // [SEC1] Page 13, Section 2.3.7. assert(k instanceof BN); assert(!k.red); return k.encode(this.endian, this.scalarSize); } decodeScalar(bytes) { // [SEC1] Page 14, Section 2.3.8. assert(Buffer.isBuffer(bytes)); if (bytes.length !== this.scalarSize) throw new Error('Invalid scalar size.'); return BN.decode(bytes, this.endian); } encodeClamped(k) { // [RFC7748] Page 8, Section 5. // [RFC8032] Section 5.1.5 & 5.2.5. return this.clamp(this.encodeScalar(k)); } decodeClamped(bytes) { // [RFC7748] Page 8, Section 5. // [RFC8032] Section 5.1.5 & 5.2.5. assert(Buffer.isBuffer(bytes)); if (bytes.length !== this.scalarSize) throw new Error('Invalid scalar size.'); const clamped = this.clamp(Buffer.from(bytes)); return BN.decode(clamped, this.endian); } encodeUniform(x, bits) { assert(x instanceof BN); assert((bits >>> 0) === bits); const msb = this.endian === 'le' ? this.fieldSize - 1 : 0; const bytes = x.fromRed().encode(this.endian, this.fieldSize); bytes[msb] |= (bits & ~this.mask) & 0xff; return bytes; } decodeUniform(bytes) { assert(Buffer.isBuffer(bytes)); if (bytes.length !== this.fieldSize) throw new Error('Invalid field size.'); const x = BN.decode(bytes, this.endian); x.iumaskn(this.fieldBits); return x.toRed(this.red); } encodePoint(point, compact) { assert(point instanceof Point); return point.encode(compact); } decodePoint(bytes) { throw new Error('Not implemented.'); } encodeX(point) { throw new Error('Not implemented.'); } decodeX(bytes) { throw new Error('Not implemented.'); } decodeEven(bytes) { throw new Error('Not implemented.'); } decodeSquare(bytes) { throw new Error('Not implemented.'); } toShort() { throw new Error('Not implemented.'); } toMont(b0) { throw new Error('Not implemented.'); } toEdwards(a0) { throw new Error('Not implemented.'); } pointToJSON(point, pre) { assert(point instanceof Point); return point.toJSON(pre); } pointFromJSON(json) { throw new Error('Not implemented.'); } toJSON(pre) { let prefix, context; let n, z, endo; if (this.type === 'edwards') { prefix = this.prefix ? this.prefix.toString() : null; context = this.context; } if (!this.n.isZero()) n = this.n.toJSON(); if (!this.z.isZero()) { z = this.z.fromRed(); if (this.z.redIsHigh()) z.isub(this.p); z = z.toString(16); } if (this.endo) endo = this.endo.toJSON(); return { id: this.id, ossl: this.ossl, type: this.type, endian: this.endian, hash: this.hash, prefix, context, prime: this.prime, p: this.p.toJSON(), a: undefined, b: undefined, d: undefined, n, h: this.h.toString(16), s: undefined, z, c: undefined, g: this.g.toJSON(pre), endo }; } static fromJSON(json) { return new this(json); } } /** * Point */ class Point { constructor(curve, type) { assert(curve instanceof Curve); assert((type >>> 0) === type); this.curve = curve; this.type = type; this.pre = null; } _init() { throw new Error('Not implemented.'); } _safeNAF(width) { assert((width >>> 0) === width); if (this.pre && this.pre.naf) return this.pre.naf; if (width === 0) return null; const size = 1 << (width - 2); const points = new Array(size); const p = this.toJ(); const dbl = size === 1 ? null : p.dbl(); points[0] = p; for (let i = 1; i < size; i++) points[i] = points[i - 1].add(dbl); return new NAF(width, points); } _getNAF(width) { assert((width >>> 0) === width); if (this.pre && this.pre.naf) return this.pre.naf; if (width === 0) return null; const odds = this._safeNAF(width).points; const points = this.curve.affinizeAll(odds); return new NAF(width, points); } _getWindows(width, bits) { assert((width >>> 0) === width); assert((bits >>> 0) === bits); if (this.pre && this.pre.windows) return this.pre.windows; if (width === 0) return null; const size = 1 << width; const steps = ((bits + width - 1) / width) >>> 0; const wnds = new Array(steps * size); let g = this.toJ(); for (let i = 0; i < steps; i++) { wnds[i * size] = this.curve.jpoint(); for (let j = 1; j < size; j++) wnds[i * size + j] = wnds[i * size + j - 1].add(g); g = g.dblp(width); } const points = this.curve.affinizeAll(wnds); return new Windows(width, bits, points); } _getDoubles(step, power) { assert((step >>> 0) === step); assert((power >>> 0) === power); if (this.pre && this.pre.doubles) return this.pre.doubles; if (step === 0) return null; const len = Math.ceil(power / step) + 1; const dbls = new Array(len); let acc = this.toJ(); let k = 0; dbls[k++] = acc; for (let i = 0; i < power; i += step) { for (let j = 0; j < step; j++) acc = acc.dbl(); dbls[k++] = acc; } assert(k === len); const points = this.curve.affinizeAll(dbls); return new Doubles(step, points); } _getBeta() { return null; } _getBlinding(rng) { if (this.pre && this.pre.blinding) return this.pre.blinding; if (!rng) return null; if (this.curve.n.isZero()) return null; // Pregenerate a random blinding value: // // blind = random integer in [1,n-1] // unblind = G * blind // // We intend to subtract the blinding value // from scalars before multiplication. We // can add the unblinding point once the // multiplication is complete. const blind = this.curve.randomScalar(rng); const unblind = this.mul(blind); return new Blinding(blind, unblind); } _hasWindows(k) { assert(k instanceof BN); if (!this.pre || !this.pre.windows) return false; const {width, bits} = this.pre.windows; const steps = ((bits + width - 1) / width) >>> 0; return k.bitLength() <= steps * width; } _hasDoubles(k) { assert(k instanceof BN); if (!this.pre || !this.pre.doubles) return false; const {step, points} = this.pre.doubles; const power = k.bitLength() + 1; return points.length >= Math.ceil(power / step) + 1; } _getJNAF(point) { assert(point instanceof Point); assert(point.type === this.type); // Create comb for JSF. return [ this, // 1 this.add(point), // 3 this.sub(point), // 5 point // 7 ]; } _blind(k, rng) { // [SIDE1] Page 5, Section 4. // [BLIND] Page 20, Section 7. assert(k instanceof BN); assert(!k.red); // Scalar splitting (requires precomputation). // // Blind a multiplication by first subtracting // a blinding value from the scalar. Example: // // b = random integer in [1,n-1] // B = P * b (precomputed) // Q = P * (k - b) + B // // Note that Joye describes a different method // (multiplier randomization) which computes: // // B = random point in E // Q = (P + B) * k - B * k // // Our method is more similar to the "scalar // splitting" technique described in the // second source above. // // The blinding value and its corresponding // point are randomly generated and computed // on boot. As long as an attacker is not // able to observe the boot, this should give // a decent bit of protection against various // channel attacks. if (this.pre && this.pre.blinding) { const {blind, unblind} = this.pre.blinding; const t = k.sub(blind); return [this, t, unblind]; } // Randomization is not possible without // an RNG. Do a normal multiplication. if (!rng) return [this, k, null]; // If we have no precomputed blinding // factor, there are two possibilities // for randomization: // // 1. Randomize the multiplier by adding // a random multiple of `n`. // // 2. Re-scale the point itself by a // random factor. // // The first option can be accomplished // with some like: // // a = random integer in [1,n-1] // r = a * n // Q = P * (k + r) // // The second is accomplished with: // // a = random element in F(p) // R = (x * a^2, y * a^3, z * a) // Q = R * k // // If we have precomputed doubles / naf // points, we opt for the first method // to avoid randomizing everything. if (this.pre) { if (this.curve.n.isZero()) return [this, k, null]; const a = this.curve.randomScalar(rng); const r = a.mul(this.curve.n); const t = r.iadd(k); return [this, t, null]; } // If there is no precomputation _at all_, // we opt for the second method. const p = this.randomize(rng); return [p, k, null]; } clone() { throw new Error('Not implemented.'); } precompute(bits, rng) { assert((bits >>> 0) === bits); if (!this.pre) this.pre = new Precomp(); if (!this.pre.naf) this.pre.naf = this._getNAF(9); if (USE_FIXED && !this.pre.windows) this.pre.windows = this._getWindows(4, bits); if (!this.pre.doubles) this.pre.doubles = this._getDoubles(4, bits + 1); if (!this.pre.beta) this.pre.beta = this._getBeta(); if (!this.pre.blinding) this.pre.blinding = this._getBlinding(rng); return this; } validate() { return this.curve.validate(this); } normalize() { return this; } scale(a) { throw new Error('Not implemented.'); } randomize(rng) { const z = this.curve.randomField(rng); return this.scale(z); } neg() { throw new Error('Not implemented.'); } add(point) { throw new Error('Not implemented.'); } sub(point) { assert(point instanceof Point); return this.add(point.neg()); } dbl() { throw new Error('Not implemented.'); } dblp(pow) { // Repeated doubling. This can // be optimized by child classes. assert((pow >>> 0) === pow); let r = this; for (let i = 0; i < pow; i++) r = r.dbl(); return r; } diffAddDbl(p, q) { throw new Error('Not implemented.'); } getX() { throw new Error('Not implemented.'); } getY() { throw new Error('Not implemented.'); } eq(point) { throw new Error('Not implemented.'); } cmp(point) { throw new Error('Not implemented.'); } isInfinity() { throw new Error('Not implemented.'); } isOrder2() { throw new Error('Not implemented.'); } isOdd() { throw new Error('Not implemented.'); } isEven() { throw new Error('Not implemented.'); } isSquare() { throw new Error('Not implemented.'); } eqX(x) { throw new Error('Not implemented.'); } eqR(x) { throw new Error('Not implemented.'); } isSmall() { // Test whether the point is of small order. if (this.isInfinity()) return false; // P * h = O return this.jmulH().isInfinity(); } hasTorsion() { // Test whether the point is in another subgroup. if (this.isInfinity()) return false; // P * n != O return !this.jmul(this.curve.n).isInfinity(); } order() { // Calculate point order. const {h, n} = this.curve; let p = this.toJ(); let q = new BN(1); while (!p.isInfinity()) { q.iaddn(1); if (q.cmp(h) > 0) { q = n.clone(); break; } p = p.add(this); } return q; } mul(k) { return this.jmul(k); } muln(k) { return this.jmuln(k); } mulBlind(k, rng) { return this.jmulBlind(k, rng); } mulAdd(k1, p2, k2) { return this.jmulAdd(k1, p2, k2); } mulH() { return this.jmulH(); } div(k) { return this.jdiv(k); } divn(k) { return this.jdivn(k); } divH() { return this.jdivH(); } jmul(k) { if (USE_FIXED && this._hasWindows(k)) return this.curve._fixedMul(this, k); if (this._hasDoubles(k)) return this.curve._fixedNafMul(this, k); if (this.curve.endo && this.type === types.AFFINE) return this.curve._endoWnafMulAdd([this], [k]); return this.curve._wnafMul(5, this, k); } jmuln(k) { assert((k | 0) === k); return this.jmul(new BN(k)); } jmulBlind(k, rng = null) { const [p, t, unblind] = this._blind(k, rng); const q = p.jmul(t); if (unblind) return q.add(unblind); return q; } jmulAdd(k1, p2, k2) { if (this.curve.endo && this.type === types.AFFINE) return this.curve._endoWnafMulAdd([this, p2], [k1, k2]); return this.curve._wnafMulAdd(5, [this, p2], [k1, k2]); } jmulH() { const word = this.curve.h.word(0); // Optimize for powers of two. if ((word & (word - 1)) === 0) { const bits = this.curve.h.bitLength(); return this.toJ().dblp(bits - 1); } return this.jmul(this.curve.h); } jdiv(k) { assert(k instanceof BN); assert(!k.red); return this.jmul(k.invert(this.curve.n)); } jdivn(k) { assert(!this.curve.n.isZero()); if (this.curve.h.cmpn(k) === 0) return this.jdivH(); return this.jdiv(new BN(k)); } jdivH() { if (this.curve.n.isZero()) return this.toJ(); if (this.curve.h.cmpn(1) === 0) return this.toJ(); if (this.curve.hi === null) this.curve.hi = this.curve.h.invert(this.curve.n); return this.jmul(this.curve.hi); } toP() { return this.normalize(); } toJ() { return this; } toX() { return this; } key() { if (this.isInfinity()) return `${this.curve.uid}:oo`; this.normalize(); const x = this.getX().toString(16); const y = this.getY().toString(16); return `${this.curve.uid}:${x},${y}`; } encode(compact) { throw new Error('Not implemented.'); } static decode(curve, bytes) { throw new Error('Not implemented.'); } encodeX() { throw new Error('Not implemented.'); } static decodeX(curve, bytes) { throw new Error('Not implemented.'); } static decodeEven(curve, bytes) { throw new Error('Not implemented.'); } static decodeSquare(curve, bytes) { throw new Error('Not implemented.'); } toJSON(pre) { throw new Error('Not implemented.'); } static fromJSON(curve, json) { throw new Error('Not implemented.'); } [custom]() { return ''; } } /** * ShortCurve */ class ShortCurve extends Curve { constructor(conf) { super(ShortPoint, 'short', conf); this.a = BN.fromJSON(conf.a).toRed(this.red); this.b = BN.fromJSON(conf.b).toRed(this.red); this.c = BN.fromJSON(conf.c || '0').toRed(this.red); this.ai = this.a.isZero() ? this.zero : this.a.redInvert(); this.zi = this.z.isZero() ? this.zero : this.z.redInvert(); this.zeroA = this.a.isZero(); this.threeA = this.a.eq(this.three.redNeg()); this.redN = this.n.toRed(this.red); this.pmodn = this.p.clone(); this.highOrder = this.n.cmp(this.p) >= 0; this.smallGap = false; this._finalize(conf); } _finalize(conf) { super._finalize(conf); // Precalculate endomorphism. if (conf.endo != null) this.endo = Endo.fromJSON(this, conf.endo); else this.endo = this._getEndomorphism(); if (!this.n.isZero()) { this.pmodn = this.p.mod(this.n); // Check for Maxwell's trick (see eqR). this.smallGap = this.p.div(this.n).cmpn(1) <= 0; } return this; } static _isomorphism(curveA, curveB, custom, odd) { // Short Weierstrass Isomorphism. // // [GECC] Page 84, Section 3.1.5. // [ARITH1] Page 274, Section 13.1.5. // [ALT] Appendix F.3 (Isomorphic Mapping between Weierstrass Curves). // // Find `u` such that `a * u^4 = a'` and `b * u^6 = b'`. // // Transformation: // // u4 = a' / a // u2 = +-sqrt(u4) // u6 = u4 * u2 // a' = a * u4 // b' = b * u6 // // Where `u2` is any root that is square. // // If a = 0, we can do: // // a' = 0 // b' = b' // // Where (b' / b)^(1 / 3) is square. // // If b = 0, we can do: // // a' = a' // b' = 0 // // Where sqrt(a' / a) is square. assert(curveA instanceof BN); assert(curveB instanceof BN); assert(custom instanceof BN); assert(odd == null || typeof odd === 'boolean'); assert(!curveA.isZero() || !curveB.isZero()); if (custom.isZero()) throw new Error('Invalid coefficient.'); if (curveA.isZero()) { const customB = custom; const u6 = customB.redDiv(curveB); // Todo: allow index flag. const u2 = uncube(u6); // Already checked in uncube(). assert(u2.redJacobi() === 1); return [curveA.clone(), customB.clone()]; } if (curveB.isZero()) { const customA = custom; const u4 = customA.redDiv(curveA); const u2 = u4.redSqrt(); // Todo: allow odd flag. if (u2.redJacobi() !== 1) u2.redINeg(); if (u2.redJacobi() !== 1) throw new Error('Invalid `a` coefficient.'); return [customA.clone(), curveB.clone()]; } const customA = custom; const u4 = customA.redDiv(curveA); const u2 = u4.redSqrt(); if (odd != null) { if (u2.redIsOdd() !== odd) u2.redINeg(); } else { if (u2.redJacobi() !== 1) u2.redINeg(); } if (u2.redJacobi() !== 1) throw new Error('Invalid `a` coefficient.'); const u6 = u4.redMul(u2); const a = curveA.redMul(u4); const b = curveB.redMul(u6); assert(a.eq(customA)); return [a, b]; } _short(a0, odd) { return ShortCurve._isomorphism(this.a, this.b, a0, odd); } _mont(b0, odd) { // Short Weierstrass->Montgomery Equivalence. // // [ARITH1] Page 286, Section 13.2.3.c. // [SAFE] "Ladders". // // Transformation: // // r = A / (3 * B) // s = +-sqrt(3 * r^2 + a) // A = 3 * r / s // B = 1 / s const [r, s] = this._findRS(odd); const b = s.redInvert(); const a = r.redMuln(3).redMul(b); if (b0 != null) return MontCurve._isomorphism(a, b, b0); return [a, b]; } _edwards(a0, odd) { // Short Weierstrass->Twisted Edwards Equivalence. // // [TWISTEQ] Section 1. // // Transformation: // // r = (a' + d') / 6 // s = +-sqrt(3 * r^2 + a) // a' = 3 * r + 2 * s // d' = 3 * r - 2 * s const [r, s] = this._findRS(odd); const r3 = r.redMuln(3); const s2 = s.redMuln(2); const a = r3.redAdd(s2); const d = r3.redSub(s2); if (a0 != null) return EdwardsCurve._isomorphism(a, d, a0); return [a, d]; } _findRS(sign) { // Find `r` and `s` for equivalence. // // [ARITH1] Page 286, Section 13.2.3.c. // [SAFE] "Ladders". // // Computation: // // r = solve(r^3 + a * r + b == 0, r) // s = +-sqrt(3 * r^2 + a) // // Computing `r` is non-trivial. We need // to solve `r^3 + a * r + b = 0`, but we // don't have a polynomial solver, so we // loop over random points until we find // one with 2-torsion. Multiplying by the // subgroup order should yield a point of // ((A / 3) / B, 0) which is a solution. assert(sign == null || typeof sign === 'boolean'); assert(this.h.word(0) >= 4); assert(!this.n.isZero()); const x = this.one.redNeg(); let p; for (;;) { x.redIAdd(this.one); try { p = this.pointFromX(x.clone()); } catch (e) { continue; } p = p.mul(this.n); if (p.isInfinity()) continue; if (!p.y.isZero()) continue; break; } const r = p.x; const r2 = r.redSqr(); const s = r2.redMuln(3).redIAdd(this.a).redSqrt(); if (sign != null) { if (s.redIsOdd() !== sign) s.redINeg(); } return [r, s]; } _scale0(a, b) { // We can extract the isomorphism factors with: // // u4 = a' / a // u6 = b' / b // u2 = +-sqrt(u4) // u = +-sqrt(u2) // u3 = u2 * u // // `u2` should be picked such that `u4 * u2 = u6`. // // If a = 0, we can do: // // u6 = b' / b // u2 = u6^(1 / 3) // u = +-sqrt(u2) // u3 = u2 * u // // Where `u2` is any root that is square. // // If b = 0, we can do: // // u4 = a' / a // u2 = +-sqrt(u4) // u = +-sqrt(u2) // u3 = u2 * u // // Where `u2` is any root that is square. assert(this.a.isZero() === a.isZero()); assert(this.b.isZero() === b.isZero()); if (this.a.isZero()) { const u6 = this.b.redDiv(this.field(b)); // Todo: figure out how to check index. const u2 = uncube(u6); const u = u2.redSqrt(); const u3 = u2.redMul(u); assert(u3.redSqr().eq(u6)); assert(!u.isZero()); return [u2, u3]; } if (this.b.isZero()) { const u4 = this.a.redDiv(this.field(a)); const u2 = u4.redSqrt(); // Todo: figure out how to check oddness. if (u2.redJacobi() !== 1) u2.redINeg(); const u = u2.redSqrt(); const u3 = u2.redMul(u); assert(u3.redMul(u).eq(u4)); assert(!u.isZero()); return [u2, u3]; } const u4 = this.a.redDiv(this.field(a)); const u6 = this.b.redDiv(this.field(b)); const u2 = u4.redSqrt(); if (!u4.redMul(u2).eq(u6)) u2.redINeg(); assert(u4.redMul(u2).eq(u6)); const u = u2.redSqrt(); const u3 = u2.redMul(u); assert(!u.isZero()); return [u2, u3]; } _scale1(x, y) { // If base points are available, it is much // easier, with: // // u2 = x' / x // u3 = y' / y // u = +-sqrt(u2) // // `u` should be picked such that `u2 * u = u3`. const u2 = this.g.x.redDiv(this.field(x)); const u3 = this.g.y.redDiv(this.field(y)); const u = u2.redSqrt(); if (!u2.redMul(u).eq(u3)) u.redINeg(); assert(u2.redMul(u).eq(u3)); assert(!u.isZero()); return [u2, u3]; } _scaleShort(curve) { assert(curve instanceof ShortCurve); if (this.g.isInfinity() || curve.g.isInfinity()) return this._scale0(curve.a, curve.b); return this._scale1(curve.g.x, curve.g.y); } _scaleMont(curve) { assert(curve instanceof MontCurve); if (this.g.isInfinity() || curve.g.isInfinity()) { const [a, b] = curve._short(); return this._scale0(a, b); } const {x, y} = curve.g; const nx = x.redAdd(curve.a3).redMul(curve.bi); const ny = y.redMul(curve.bi); return this._scale1(nx, ny); } _scaleEdwards(curve) { assert(curve instanceof EdwardsCurve); if (this.g.isInfinity() || curve.g.isInfinity()) { const [a, b] = curve._short(); return this._scale0(a, b); } const {x, y, z} = curve.g; const a5 = curve.a.redMuln(5); const d5 = curve.d.redMuln(5); const dma = curve.d.redSub(curve.a); const d5a = d5.redSub(curve.a); const da5 = curve.d.redSub(a5); const ypz = y.redAdd(z); const ymz = y.redSub(z); const xx = d5a.redMul(y).redIAdd(da5.redMul(z)); const xz = ymz.redMuln(12); const yy = dma.redMul(ypz).redMul(z); const yz = ymz.redMul(x).redIMuln(4); const zi = xz.redMul(yz).redInvert(); const nx = xx.redMul(yz).redMul(zi); const ny = yy.redMul(xz).redMul(zi); return this._scale1(nx, ny); } _getEndomorphism(index = 0) { // Compute endomorphism. // // [GECC] Example 3.76, Page 128, Section 3.5. // No curve params. if (this.n.isZero() || this.g.isInfinity()) return null; // No efficient endomorphism. if (!this.zeroA || this.p.modrn(3) !== 1 || this.n.modrn(3) !== 1) return null; // Solve beta^3 mod p = 1. const [b1, b2] = this._getEndoRoots(this.p); // Choose the smallest beta by default. const beta = [b1, b2][index & 1].toRed(this.red); // Solve lambda^3 mod n = 1. const [l1, l2] = this._getEndoRoots(this.n); // Choose the lambda matching selected beta. // Note that P * lambda = (x * beta, y). const p = this.point(this.g.x.redMul(beta), this.g.y); let lambda; if (this.g.mul(l1).eq(p)) { lambda = l1; } else { assert(this.g.mul(l2).eq(p)); lambda = l2; } // Get basis vectors. const basis = this._getEndoBasis(lambda); // Precompute `g1` and `g2`. const pre = this._getEndoPrecomp(basis); return new Endo(beta, lambda, basis, pre); } _getEndoRoots(num) { // Find roots for x^2 + x + 1 in F. // // [GECC] Example 3.76, Page 128, Section 3.5. // [GLV] Page 192, Section 2 (Endomorphisms). // // The above document doesn't fully explain how // to derive these and only "hints" at it, as // mentioned by Hal Finney[1], but we're basically // computing two possible cube roots of 1 here. // // Note that we could also compute[2]: // // beta = 2^((p - 1) / 3) mod p // lambda = 3^((n - 1) / 3) mod n // // As an extension of Fermat's little theorem: // // g^(p - 1) mod p == 1 // // It is suspected[3] this is how Hal Finney[4] // computed his original endomorphism roots. // // @indutny's method for computing cube roots // of unity[5] appears to be the method described // on wikipedia[6][7]. // // Sage produces the same solution: // // sage: solve(x^2 + x + 1 == 0, x) // [x == -1/2*I*sqrt(3) - 1/2, x == 1/2*I*sqrt(3) - 1/2] // // This can be reduced to: // // x = (+-sqrt(-3) - 1) / 2 // // [1] https://bitcointalk.org/index.php?topic=3238.msg45565#msg45565 // [2] https://crypto.stackexchange.com/a/22739 // [3] https://bitcoin.stackexchange.com/a/35872 // [4] https://github.com/halfinney/bitcoin/commit/dc411b5 // [5] https://en.wikipedia.org/wiki/Cube_root_of_unity // [6] https://en.wikipedia.org/wiki/Splitting_field#Cubic_example // [7] http://mathworld.wolfram.com/SplittingField.html const red = num === this.p ? this.red : BN.mont(num); const two = new BN(2).toRed(red); const three = new BN(3).toRed(red); const i2 = two.redInvert(); // S1 = sqrt(-3) / 2 const s1 = three.redNeg().redSqrt().redMul(i2); // S2 = -S1 const s2 = s1.redNeg(); // R1 = S1 - 1 / 2 const r1 = s1.redSub(i2).fromRed(); // R2 = S2 - 1 / 2 const r2 = s2.redSub(i2).fromRed(); return [r1, r2].sort(BN.cmp); } _getEndoBasis(lambda) { // Compute endomorphic basis. // // This essentially computes Cornacchia's algorithm // for solving x^2 + d * y^2 = m (d = lambda, m = order). // // https://en.wikipedia.org/wiki/Cornacchia%27s_algorithm // // [GECC] Algorithm 3.74, Page 127, Section 3.5. // [GLV] Page 196, Section 4 (Decomposing K). // // Balanced length-two representation of a multiplier. // // 1. Run the extended euclidean algorithm with inputs n // and lambda. The algorithm produces a sequence of // equations si*n + ti*lam = ri where s0=1, t0=0, // r0=n, s1=0, t1=1, r1=lam, and the remainders ri // and are non-negative and strictly decreasing. Let // l be the greatest index for which rl >= sqrt(n). const [rl, tl, rl1, tl1, rl2, tl2] = this._egcdSqrt(lambda); // 2. Set (a1, b1) <- (rl+1, -tl+1). const a1 = rl1; const b1 = tl1.neg(); // 3. If (rl^2 + tl^2) <= (rl+2^2 + tl+2^2) // then set (a2, b2) <- (rl, -tl). // else set (a2, b2) <- (rl+2, -tl+2). const lhs = rl.sqr().iadd(tl.sqr()); const rhs = rl2.sqr().iadd(tl2.sqr()); let a2, b2; if (lhs.cmp(rhs) <= 0) { a2 = rl; b2 = tl.neg(); } else { a2 = rl2; b2 = tl2.neg(); } return [ new Vector(a1, b1), new Vector(a2, b2) ]; } _egcdSqrt(lambda) { // Extended Euclidean algorithm for integers. // // [GECC] Algorithm 2.19, Page 40, Section 2.2. // [GLV] Page 196, Section 4 (Decomposing K). assert(lambda instanceof BN); assert(!lambda.red); assert(lambda.sign() > 0); assert(this.n.sign() > 0); // Note that we insert the approximate square // root checks as described in algorithm 3.74. // // Algorithm 2.19 is defined as: // // 1. u <- a // v <- b // // 2. x1 <- 1 // y1 <- 0 // x2 <- 0 // y2 <- 1 // // 3. while u != 0 do // // 3.1. q <- floor(v / u) // r <- v - q * u // x <- x2 - q * x1 // y <- y2 - q * y1 // // 3.2. v <- u // u <- r // x2 <- x1 // x1 <- x // y2 <- y1 // y1 <- y // // 4. d <- v // x <- x2 // y <- y2 // // 5. Return (d, x, y). // Start with an approximate square root of n. const sqrtn = this.n.ushrn(this.n.bitLength() >>> 1); let u = lambda; // r1 let v = this.n.clone(); // r0 let x1 = new BN(1); // t1 let y1 = new BN(0); // t0 let x2 = new BN(0); // s1 let y2 = new BN(1); // s0 // All vectors are roots of: a + b * lambda = 0 (mod n). let rl, tl; // First vector. let rl1, tl1; // Inner. let i = 0; let j = 0; let p; // Compute EGCD. while (!u.isZero() && i < 2) { const q = v.quo(u); const r = v.sub(q.mul(u)); const x = x2.sub(q.mul(x1)); const y = y2.sub(q.mul(y1)); // Check for r < sqrt(n). if (j === 0 && r.cmp(sqrtn) < 0) { rl = p; tl = x1; rl1 = r; tl1 = x; j = 1; // 1 more round. } p = r; v = u; u = r; x2 = x1; x1 = x; y2 = y1; y1 = y; i += j; } // Should never happen. assert(j !== 0, 'Could not find r < sqrt(n).'); // Second vector. const rl2 = x2; const tl2 = x1; return [ rl, tl, rl1, tl1, rl2, tl2 ]; } _getEndoPrecomp(basis) { // Precompute `g1` and `g2` to avoid round division. // // [JCEN12] Page 5, Section 4.3. // // Computation: // // d = a1 * b2 - b1 * a2 // t = ceil(log2(d+1)) + p // g1 = round((2^t * b2) / d) // g2 = round((2^t * b1) / d) // // Where: // // `p` is the number of precision bits. // `d` is equal to `n` (the curve order). // // The paper above uses 2 as the value of `p`, // whereas libsecp256k1 uses 128 (total=384). // // We pick precision for `g1` and `g2` such that: // // abs(g1) < n // abs(g2) < n // // This ensures maximum precision for the constants // while also ensuring they fit into a fixed number // of scalar limbs in more optimized implementations. // // Furthermore, we attempt to align to a limb width // of 64 bits. This allows us to optimize the shift, // a la libsecp256k1[1]. // // [1] https://github.com/bitcoin-core/secp256k1/pull/822 assert(Array.isArray(basis)); assert(basis.length === 2); assert(basis[0] instanceof Vector); assert(basis[1] instanceof Vector); const [v1, v2] = basis; const d = v1.a.mul(v2.b).isub(v1.b.mul(v2.a)); const bits = d.bitLength(); const align = bits >= 160; assert(d.eq(this.n)); // Start with a rough estimate. let shift = bits + Math.ceil(bits / 2) + 1; let g1, g2; if (align) shift -= shift & 63; while (shift > bits) { g1 = v2.b.ushln(shift).divRound(d); g2 = v1.b.ushln(shift).divRound(d); if (g1.ucmp(d) < 0 && g2.ucmp(d) < 0) break; if (align) shift -= 64; else shift -= 1; } if (shift <= bits) throw new Error('Could not calculate g1 and g2.'); return [shift, g1, g2]; } _endoSplit(k) { // Balanced length-two representation of a multiplier. // // [GECC] Algorithm 3.74, Page 127, Section 3.5. // // Also note that it is possible to precompute[1] // values in order to avoid the division[2][3][4]. // // This involves precomputing `g1` and `g2 (see // above). `c1` and `c2` can then be computed as // follows: // // t = ceil(log2(n+1)) + p // c1 = (k * g1) >> t // c2 = -((k * g2) >> t) // // Where `>>` is an _unsigned_ right shift. Also // note that the last bit discarded in the shift // must be stored. If it is 1, then add 1 to the // scalar (absolute addition). // // It's worth noting that libsecp256k1 uses a // different calculation along the lines of: // // t = ceil(log2(n+1)) + p // c1 = ((k * g1) >> t) * -b1 // c2 = ((k * -g2) >> t) * -b2 // k2 = c1 + c2 // k1 = k2 * -lambda + k // // So, in the future, we can consider changing // step 4 to: // // 4. Compute c1 = (k * g1) >> t // and c2 = -((k * g2) >> t). // // const [shift, g1, g2] = this.endo.pre; // const c1 = k.mulShift(g1, shift); // const c2 = k.mulShift(g2, shift).ineg(); // // Once we're brave enough, that is. // // [1] [JCEN12] Page 5, Section 4.3. // [2] https://github.com/bitcoin-core/secp256k1/blob/0b70241/src/scalar_impl.h#L259 // [3] https://github.com/bitcoin-core/secp256k1/pull/21 // [4] https://github.com/bitcoin-core/secp256k1/pull/127 assert(k instanceof BN); assert(!k.red); assert(!this.n.isZero()); const [v1, v2] = this.endo.basis; // 4. Compute c1 = round(b2 * k / n) // and c2 = round(-b1 * k / n). const c1 = v2.b.mul(k).divRound(this.n); const c2 = v1.b.neg().mul(k).divRound(this.n); // 5. Compute k1 = k - c1 * a1 - c2 * a2 // and k2 = -c1 * b1 - c2 * b2. const p1 = c1.mul(v1.a); const p2 = c2.mul(v2.a); const q1 = c1.ineg().mul(v1.b); const q2 = c2.mul(v2.b); // Calculate answer. const k1 = k.sub(p1).isub(p2); const k2 = q1.isub(q2); // 6. Return (k1, k2). return [k1, k2]; } _endoBeta(point) { assert(point instanceof ShortPoint); return [point, point._getBeta()]; } _endoWnafMulAdd(points, coeffs) { // Point multiplication with efficiently computable endomorphisms. // // [GECC] Algorithm 3.77, Page 129, Section 3.5. // [GLV] Page 193, Section 3 (Using Efficient Endomorphisms). // // Note it may be possible to do this 4-dimensionally [4GLV]. assert(Array.isArray(points)); assert(Array.isArray(coeffs)); assert(points.length === coeffs.length); assert(this.endo != null); const len = points.length; const npoints = new Array(len * 2); const ncoeffs = new Array(len * 2); for (let i = 0; i < len; i++) { const [p1, p2] = this._endoBeta(points[i]); const [k1, k2] = this._endoSplit(coeffs[i]); npoints[i * 2 + 0] = p1; ncoeffs[i * 2 + 0] = k1; npoints[i * 2 + 1] = p2; ncoeffs[i * 2 + 1] = k2; } return this._wnafMulAdd(5, npoints, ncoeffs); } _sswu(u) { // Simplified Shallue-Woestijne-Ulas Method. // // Distribution: 3/8. // // [SSWU1] Page 15-16, Section 7. Appendix G. // [SSWU2] Page 5, Theorem 2.3. // [H2EC] "Simplified Shallue-van de Woestijne-Ulas Method". // // Assumptions: // // - a != 0, b != 0. // - Let z be a non-square in F(p). // - z != -1. // - The polynomial g(x) - z is irreducible over F(p). // - g(b / (z * a)) is square in F(p). // - u != 0, u != +-sqrt(-1 / z). // // Map: // // g(x) = x^3 + a * x + b // t1 = 1 / (z^2 * u^4 + z * u^2) // x1 = (-b / a) * (1 + t1) // x1 = b / (z * a), if t1 = 0 // x2 = z * u^2 * x1 // x = x1, if g(x1) is square // = x2, otherwise // y = sign(u) * abs(sqrt(g(x))) const {b, z, ai, zi, one} = this; const z2 = z.redSqr(); const ba = b.redNeg().redMul(ai); const bza = b.redMul(zi).redMul(ai); const u2 = u.redSqr(); const u4 = u2.redSqr(); const t0 = z2.redMul(u4).redIAdd(z.redMul(u2)); const t1 = t0.isZero() ? t0 : t0.redInvert(); const x1 = t1.isZero() ? bza : ba.redMul(one.redAdd(t1)); const x2 = z.redMul(u2).redMul(x1); const y1 = this.solveY2(x1); const y2 = this.solveY2(x2); const alpha = y1.redIsSquare() | 0; const x = [x1, x2][alpha ^ 1]; const y = [y1, y2][alpha ^ 1].redSqrt(); if (y.redIsOdd() !== u.redIsOdd()) y.redINeg(); return this.point(x, y); } _sswui(p, hint) { // Inverting the Map (Simplified Shallue-Woestijne-Ulas). // // Assumptions: // // - a^2 * x^2 - 2 * a * b * x - 3 * b^2 is square in F(p). // - If r < 3 then x != -b / a. // // Unlike SVDW, the preimages here are evenly // distributed (more or less). SSWU covers ~3/8 // of the curve points. Each preimage has a 1/2 // chance of mapping to either x1 or x2. // // Assuming the point is within that set, each // point has a 1/4 chance of inverting to any // of the preimages. This means we can simply // randomly select a preimage if one exists. // // However, the [SVDW2] sampling method seems // slighly faster in practice for [SQUARED]. // // Map: // // c = sqrt(a^2 * x^2 - 2 * a * b * x - 3 * b^2) // u1 = -(a * x + b - c) / (2 * (a * x + b) * z) // u2 = -(a * x + b + c) / (2 * (a * x + b) * z) // u3 = -(a * x + b - c) / (2 * b * z) // u4 = -(a * x + b + c) / (2 * b * z) // r = random integer in [1,4] // u = sign(y) * abs(sqrt(ur)) const {a, b, z} = this; const {x, y} = p; const r = hint & 3; const a2x2 = a.redSqr().redMul(x.redSqr()); const abx2 = a.redMul(b).redMul(x).redIMuln(2); const b23 = b.redSqr().redMuln(3); const axb = a.redMul(x).redIAdd(b); const c = a2x2.redISub(abx2).redISub(b23).redSqrt(); const n0 = axb.redSub(c).redINeg(); const n1 = axb.redAdd(c).redINeg(); const d0 = axb.redMul(z).redIMuln(2); const d1 = b.redMul(z).redIMuln(2); const n = [n0, n1][r & 1]; // r = 1 or 3 const d = [d0, d1][r >>> 1]; // r = 2 or 3 const u = n.redDivSqrt(d); if (u.redIsOdd() !== y.redIsOdd()) u.redINeg(); return u; } _svdwf(u) { // Shallue-van de Woestijne Method. // // Distribution: 9/16. // // [SVDW1] Section 5. // [SVDW2] Page 8, Section 3. // Page 15, Section 6, Algorithm 1. // [H2EC] "Shallue-van de Woestijne Method". // // Assumptions: // // - p = 1 (mod 3). // - a = 0, b != 0. // - Let z be a unique element in F(p). // - g((sqrt(-3 * z^2) - z) / 2) is square in F(p). // - u != 0, u != +-sqrt(-g(z)). // // Map: // // g(x) = x^3 + b // c = sqrt(-3 * z^2) // t1 = u^2 + g(z) // t2 = 1 / (u^2 * t1) // t3 = u^4 * t2 * c // x1 = (c - z) / 2 - t3 // x2 = t3 - (c + z) / 2 // x3 = z - t1^3 * t2 / (3 * z^2) // x = x1, if g(x1) is square // = x2, if g(x2) is square // = x3, otherwise // y = sign(u) * abs(sqrt(g(x))) const {c, z, zi, i2, i3} = this; const gz = this.solveY2(z); const z3 = i3.redMul(zi.redSqr()); const u2 = u.redSqr(); const u4 = u2.redSqr(); const t1 = u2.redAdd(gz); const u2t1 = u2.redMul(t1); const t2 = u2t1.isZero() ? u2t1 : u2t1.redInvert(); const t3 = u4.redMul(t2).redMul(c); const t4 = t1.redSqr().redMul(t1); const x1 = c.redSub(z).redMul(i2).redISub(t3); const x2 = t3.redSub(c.redAdd(z).redMul(i2)); const x3 = z.redSub(t4.redMul(t2).redMul(z3)); const y1 = this.solveY2(x1); const y2 = this.solveY2(x2); const y3 = this.solveY2(x3); const alpha = y1.redJacobi() | 1; const beta = y2.redJacobi() | 1; const i = mod((alpha - 1) * beta, 3); const x = [x1, x2, x3][i]; const y = [y1, y2, y3][i]; return [x, y]; } _svdw(u) { const [x, yy] = this._svdwf(u); const y = yy.redSqrt(); if (y.redIsOdd() !== u.redIsOdd()) y.redINeg(); return this.point(x, y); } _svdwi(p, hint) { // Inverting the Map (Shallue-van de Woestijne). // // [SQUARED] Algorithm 1, Page 8, Section 3.3. // [SVDW2] Page 12, Section 5. // [SVDW3] "Inverting the map". // // Assumptions: // // - If r = 1 then x != -(c + z) / 2. // - If r = 2 then x != (c - z) / 2. // - If r > 2 then (t0 - t1 + t2) is square in F(p). // - f(f^-1(x)) = x where f is the map function. // // We use the sampling method from [SVDW2], // _not_ [SQUARED]. This seems to have a // better distribution in practice. // // Note that [SVDW3] also appears to be // incorrect in terms of distribution. // // The distribution of f(u), assuming u is // random, is (1/2, 1/4, 1/4). // // To mirror this, f^-1(x) should simply // pick (1/2, 1/4, 1/8, 1/8). // // To anyone running the forward map, our // strings will appear to be random. // // Map: // // g(x) = x^3 + b // c = sqrt(-3 * z^2) // t0 = 9 * (x^2 * z^2 + z^4) // t1 = 18 * x * z^3 // t2 = 12 * g(z) * (x - z) // t3 = sqrt(t0 - t1 + t2) // t4 = t3 * z // u1 = g(z) * (c - 2 * x - z) / (c + 2 * x + z) // u2 = g(z) * (c + 2 * x + z) / (c - 2 * x - z) // u3 = (3 * (z^3 - x * z^2) - 2 * g(z) + t4) / 2 // u4 = (3 * (z^3 - x * z^2) - 2 * g(z) - t4) / 2 // r = random integer in [1,4] // u = sign(y) * abs(sqrt(ur)) const {b, c, z, zero, two} = this; const {x, y} = p; const r = hint & 3; const z2 = z.redSqr(); const z3 = z2.redMul(z); const z4 = z2.redSqr(); const gz = z3.redAdd(b); const gz2 = gz.redMuln(2); const xx = x.redSqr(); const x2z = x.redMuln(2).redIAdd(z); const xz2 = x.redMul(z2); const c0 = c.redSub(x2z); const c1 = c.redAdd(x2z); const t0 = xx.redMul(z2).redIAdd(z4).redIMuln(9); const t1 = x.redMul(z3).redIMuln(18); const t2 = gz.redMul(x.redSub(z)).redIMuln(12); const t3 = r >= 2 ? t0.redISub(t1).redIAdd(t2).redSqrt() : zero; const t4 = t3.redMul(z); const t5 = z3.redISub(xz2).redIMuln(3).redISub(gz2); const n0 = gz.redMul(c0); const n1 = gz.redMul(c1); const n2 = t5.redAdd(t4); const n3 = t5.redSub(t4); const d2 = two; const n = [n0, n1, n2, n3][r]; const d = [c1, c0, d2, d2][r]; const u = n.redDivSqrt(d); const [x0] = this._svdwf(u); if (!x0.eq(x)) throw new Error('Invalid point.'); if (u.redIsOdd() !== y.redIsOdd()) u.redINeg(); return u; } isElliptic() { const {a, b} = this; const a2 = a.redSqr(); const a3 = a2.redMul(a); const b2 = b.redSqr(); const d = b2.redMuln(27).redIAdd(a3.redMuln(4)); // 4 * a^3 + 27 * b^2 != 0 return !d.isZero(); } jinv() { // [ARITH1] Page 71, Section 4.4. // http://mathworld.wolfram.com/j-Invariant.html const {a, b} = this; const a2 = a.redSqr(); const a3 = a2.redMul(a); const b2 = b.redSqr(); const t0 = a3.redMuln(4); const lhs = t0.redMuln(1728); const rhs = b2.redMuln(27).redIAdd(t0); if (rhs.isZero()) throw new Error('Curve is not elliptic.'); // (1728 * 4 * a^3) / (4 * a^3 + 27 * b^2) return lhs.redDiv(rhs).fromRed(); } point(x, y) { return new ShortPoint(this, x, y); } jpoint(x, y, z) { return new JPoint(this, x, y, z); } solveX(y) { assert(y instanceof BN); if (!this.a.isZero()) throw new Error('Not implemented.'); // x^3 = y^2 - b const y2 = y.redSqr(); const x3 = y2.redSub(this.b); return cubeRoots(x3); } solveY2(x) { // [GECC] Page 89, Section 3.2.2. // https://hyperelliptic.org/EFD/g1p/auto-shortw.html assert(x instanceof BN); // y^2 = x^3 + a * x + b const x3 = x.redSqr().redMul(x); const y2 = x3.redIAdd(this.b); if (!this.zeroA) { // Save some cycles for a = -3. if (this.threeA) y2.redIAdd(x.redMuln(-3)); else y2.redIAdd(this.a.redMul(x)); } return y2; } validate(point) { assert(point instanceof ShortPoint); if (point.inf) return true; const {x, y} = point; const y2 = this.solveY2(x); return y.redSqr().eq(y2); } pointFromX(x, sign = null) { assert(x instanceof BN); assert(sign == null || typeof sign === 'boolean'); if (!x.red) x = x.toRed(this.red); const y = this.solveY(x); if (sign != null) { if (this.h.cmpn(1) > 0) { if (y.isZero() && sign) throw new Error('Invalid point.'); } if (y.redIsOdd() !== sign) y.redINeg(); } return this.point(x, y); } pointFromY(y, index = 0) { assert(y instanceof BN); assert((index >>> 0) === index); if (!y.red) y = y.toRed(this.red); const coords = this.solveX(y); if (index >= coords.length) throw new Error('Invalid X coordinate index.'); const x = coords[index]; return this.point(x, y); } isIsomorphic(curve) { // [GECC] Page 84, Section 3.1.5. // [ARITH1] Page 286, Section 13.2.3.c. assert(curve instanceof Curve); if (!curve.p.eq(this.p)) return false; let u2, u3; try { [u2, u3] = this._scale(curve); } catch (e) { return false; } // E(a,b) <-> E(au^4,bu^6) if (curve.type === 'short') { // a' = a * u^4, b' = b * u^6 const a = this.field(curve.a).redMul(u2.redSqr()); const b = this.field(curve.b).redMul(u3.redSqr()); return this.a.eq(a) && this.b.eq(b); } // E(a,b) <-> M(A,B) if (curve.type === 'mont') { // (A / (3 * B))^3 + a * (A / (3 * B)) + b = 0 const {a3, bi} = curve; const x = this.field(a3.redMul(bi)).redMul(u2); const y2 = this.solveY2(x); return y2.isZero(); } // E(a,b) <-> E(a,d) if (curve.type === 'edwards') { // ((a' + d') / 6)^3 + a * ((a' + d') / 6) + b = 0 const x = this.field(curve.ad6).redMul(u2); const y2 = this.solveY2(x); return y2.isZero(); } return false; } isIsogenous(curve) { assert(curve instanceof Curve); return false; } pointFromShort(point) { // [GECC] Page 84, Section 3.1.5. // [ALT] Appendix F.3 (Isomorphic Mapping between Weierstrass Curves). assert(point instanceof ShortPoint); if (this.isIsomorphic(point.curve)) { // Isomorphic maps for E(a,b)<->E(au^4,bu^6): // // x' = x * u^2 // y' = y * u^3 // // Where a * u^4 = a' and b * u^6 = b'. if (point.isInfinity()) return this.point(); const [u2, u3] = this._scale(point.curve); const x = this.field(point.x); const y = this.field(point.y); const nx = x.redMul(u2); const ny = y.redMul(u3); return this.point(nx, ny); } throw new Error('Not implemented.'); } pointFromMont(point) { // [ALT] Appendix E.2 (Switching between Alternative Representations). // [MONT2] "Equivalence with Weierstrass curves" assert(point instanceof MontPoint); if (this.isIsomorphic(point.curve)) { // Equivalence for M(A,B)->E(a,b): // // x = (u + A / 3) / B // y = v / B // // Undefined if ((u^3 + A * u^2 + u) / B) is not square. if (point.isInfinity()) return this.point(); const {a3, bi} = point.curve; const [u2, u3] = this._scale(point.curve); const nx = point.x.redAdd(a3).redMul(bi); const ny = point.y.redMul(bi); return this.point(this.field(nx).redMul(u2), this.field(ny).redMul(u3)); } throw new Error('Not implemented.'); } pointFromEdwards(point) { // [TWISTEQ] Section 2. assert(point instanceof EdwardsPoint); if (this.isIsomorphic(point.curve)) { // Equivalence for E(a,d)->E(a',b'): // // x' = ((5 * d - a) * y + d - 5 * a) / (12 * (y - 1)) // y' = (d - a) * (y + 1) / (4 * x * (y - 1)) // // Undefined for x = 0 or y = 1. // // Exceptional Cases: // - (0, 1) -> O // - (0, -1) -> ((a + d) / 6, 0) // // Unexceptional Cases: // - (sqrt(1 / a), 0) -> ((5 * a - d) / 12, (a - d) / 4 * sqrt(a)) const {a, d, ad6} = point.curve; const [u2, u3] = this._scale(point.curve); if (point.isInfinity()) return this.point(); if (point.x.isZero()) { const x = this.field(ad6).redMul(u2); return this.point(x, this.zero); } const {x, y, z} = point; const a5 = a.redMuln(5); const d5 = d.redMuln(5); const dma = d.redSub(a); const d5a = d5.redSub(a); const da5 = d.redSub(a5); const ypz = y.redAdd(z); const ymz = y.redSub(z); const xx = d5a.redMul(y).redIAdd(da5.redMul(z)); const xz = ymz.redMuln(12); const yy = dma.redMul(ypz).redMul(z); const yz = ymz.redMul(x).redIMuln(4); return this.cpoint(this.field(xx).redMul(u2), this.field(xz), this.field(yy).redMul(u3), this.field(yz)); } throw new Error('Not implemented.'); } pointFromUniform(u) { assert(u instanceof BN); // z = 0 or b = 0 if (this.z.isZero() || this.b.isZero()) throw new Error('Not implemented.'); // a != 0, b != 0 if (!this.a.isZero()) return this._sswu(u); // p = 1 mod 3, a = 0, b != 0 if (!this.c.isZero()) return this._svdw(u); throw new Error('Not implemented.'); } pointToUniform(p, hint) { // Convert a short weierstrass point to a field // element by inverting either the SSWU or SVDW // map. // // Hint Layout: // // [00000000] [0000] [0000] // | | | // | | +-- preimage index // | +--- subgroup // +-- bits to OR with uniform bytes assert(p instanceof ShortPoint); assert((hint >>> 0) === hint); // z = 0 or b = 0 if (this.z.isZero() || this.b.isZero()) throw new Error('Not implemented.'); // P = O if (p.isInfinity()) throw new Error('Invalid point.'); // Add a random torsion component. const i = ((hint >>> 4) & 15) % this.torsion.length; const q = p.add(this.torsion[i]); return wrapErrors(() => { // a != 0, b != 0 if (!this.a.isZero()) return this._sswui(q, hint); // p = 1 mod 3, a = 0, b != 0 if (!this.c.isZero()) return this._svdwi(q, hint); throw new Error('Not implemented.'); }); } mulAll(points, coeffs) { return super.mulAll(points, coeffs).toP(); } affinizeAll(points) { const out = this.normalizeAll(points); for (let i = 0; i < out.length; i++) out[i] = out[i].toP(); return out; } decodePoint(bytes) { return ShortPoint.decode(this, bytes); } encodeX(point) { assert(point instanceof Point); return point.encodeX(); } decodeEven(bytes) { return ShortPoint.decodeEven(this, bytes); } decodeSquare(bytes) { return ShortPoint.decodeSquare(this, bytes); } toShort(a0, odd, sign = null) { const [a, b] = this._short(a0, odd); const curve = new ShortCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h }); if (sign != null) { const [, u3] = curve._scale(this); if (u3.redIsOdd() !== sign) u3.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromShort(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromShort(this.torsion[i]); return curve; } toMont(b0, odd, sign = null) { const [a, b] = this._mont(b0, odd); const curve = new MontCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h }); if (sign != null) { const [, u3] = this._scale(curve); if (u3.redIsOdd() !== sign) u3.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromShort(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromShort(this.torsion[i]); return curve; } toEdwards(a0, odd, sign = null) { const [a, d] = this._edwards(a0, odd); const curve = new EdwardsCurve({ red: this.red, prime: this.prime, p: this.p, a: a, d: d, n: this.n, h: this.h }); if (sign != null) { const [, u3] = this._scale(curve); if (u3.redIsOdd() !== sign) u3.redINeg(); } if (!this.g.isInfinity()) { curve.g = curve.pointFromShort(this.g); curve.g.normalize(); } if (curve.isComplete()) { for (let i = 0; i < this.h.word(0); i++) { curve.torsion[i] = curve.pointFromShort(this.torsion[i]); curve.torsion[i].normalize(); } } return curve; } pointFromJSON(json) { return ShortPoint.fromJSON(this, json); } toJSON(pre) { const json = super.toJSON(pre); json.a = this.a.fromRed().toJSON(); json.b = this.b.fromRed().toJSON(); if (!this.c.isZero()) json.c = this.c.fromRed().toJSON(); return json; } } /** * ShortPoint */ class ShortPoint extends Point { constructor(curve, x, y) { assert(curve instanceof ShortCurve); super(curve, types.AFFINE); this.x = this.curve.zero; this.y = this.curve.zero; this.inf = true; if (x != null) this._init(x, y); } _init(x, y) { assert(x instanceof BN); assert(y instanceof BN); this.x = x; this.y = y; if (!this.x.red) this.x = this.x.toRed(this.curve.red); if (!this.y.red) this.y = this.y.toRed(this.curve.red); this.inf = false; } _getBeta() { if (!this.curve.endo) return null; if (this.pre && this.pre.beta) return this.pre.beta; // Augment the point with our beta value. // This is the counterpart to `k2` after // the endomorphism split of `k`. // // Note that if we have precomputation, // we have to clone and update all of the // precomputed points below. const xb = this.x.redMul(this.curve.endo.beta); const beta = this.curve.point(xb, this.y); if (this.pre) { beta.pre = this.pre.map((point) => { const xb = point.x.redMul(this.curve.endo.beta); return this.curve.point(xb, point.y); }); this.pre.beta = beta; } return beta; } _getJNAF(point) { assert(point instanceof ShortPoint); if (this.inf || point.inf) return super._getJNAF(point); // Create comb for JSF. const comb = [ this, // 1 null, // 3 null, // 5 point // 7 ]; // Try to avoid Jacobian points, if possible. if (this.y.eq(point.y)) { comb[1] = this.add(point); comb[2] = this.toJ().sub(point); } else if (this.y.eq(point.y.redNeg())) { comb[1] = this.toJ().add(point); comb[2] = this.sub(point); } else { comb[1] = this.toJ().add(point); comb[2] = this.toJ().sub(point); } return comb; } clone() { if (this.inf) return this.curve.point(); return this.curve.point(this.x, this.y); } scale(a) { return this.toJ().scale(a); } neg() { // P = O if (this.inf) return this; // -(X1, Y1) = (X1, -Y1) return this.curve.point(this.x, this.y.redNeg()); } add(p) { // [GECC] Page 80, Section 3.1.2. // // Addition Law: // // l = (y1 - y2) / (x1 - x2) // x3 = l^2 - x1 - x2 // y3 = l * (x1 - x3) - y1 // // 1I + 2M + 1S + 6A assert(p instanceof ShortPoint); // O + P = P if (this.inf) return p; // P + O = P if (p.inf) return this; // P + P, P + -P if (this.x.eq(p.x)) { // P + -P = O if (!this.y.eq(p.y)) return this.curve.point(); // P + P = 2P return this.dbl(); } // X1 != X2, Y1 = Y2 if (this.y.eq(p.y)) { // X3 = -X1 - X2 const nx = this.x.redNeg().redISub(p.x); // Y3 = -Y1 const ny = this.y.redNeg(); // Skip the inverse. return this.curve.point(nx, ny); } // H = X1 - X2 const h = this.x.redSub(p.x); // R = Y1 - Y2 const r = this.y.redSub(p.y); // L = R / H const l = r.redDiv(h); // X3 = L^2 - X1 - X2 const nx = l.redSqr().redISub(this.x).redISub(p.x); // Y3 = L * (X1 - X3) - Y1 const ny = l.redMul(this.x.redSub(nx)).redISub(this.y); return this.curve.point(nx, ny); } dbl() { // [GECC] Page 80, Section 3.1.2. // // Addition Law (doubling): // // l = (3 * x1^2 + a) / (2 * y1) // x3 = l^2 - 2 * x1 // y3 = l * (x1 - x3) - y1 // // 1I + 2M + 2S + 3A + 2*2 + 1*3 // P = O if (this.inf) return this; // Y1 = 0 if (this.y.isZero()) return this.curve.point(); // XX = X1^2 const xx = this.x.redSqr(); // M = 3 * XX + a const m = xx.redIMuln(3).redIAdd(this.curve.a); // Z = 2 * Y1 const z = this.y.redMuln(2); // L = M / Z const l = m.redDiv(z); // X3 = L^2 - 2 * X1 const nx = l.redSqr().redISub(this.x).redISub(this.x); // Y3 = L * (X1 - X3) - Y1 const ny = l.redMul(this.x.redSub(nx)).redISub(this.y); return this.curve.point(nx, ny); } dblp(pow) { return this.toJ().dblp(pow).toP(); } getX() { if (this.inf) throw new Error('Invalid point.'); return this.x.fromRed(); } getY() { if (this.inf) throw new Error('Invalid point.'); return this.y.fromRed(); } eq(p) { assert(p instanceof ShortPoint); // P = Q if (this === p) return true; // P = O if (this.inf) return p.inf; // Q = O if (p.inf) return false; // X1 = X2, Y1 = Y2 return this.x.eq(p.x) && this.y.eq(p.y); } cmp(point) { assert(point instanceof ShortPoint); if (this.inf && !point.inf) return -1; if (!this.inf && point.inf) return 1; if (this.inf && point.inf) return 0; return this.order().cmp(point.order()) || this.getX().cmp(point.getX()) || this.getY().cmp(point.getY()); } isInfinity() { // Infinity cannot be represented in // the affine space, except by a flag. return this.inf; } isOrder2() { if (this.inf) return false; return this.y.isZero(); } isOdd() { if (this.inf) return false; return this.y.redIsOdd(); } isEven() { if (this.inf) return false; return this.y.redIsEven(); } isSquare() { if (this.inf) return false; return this.y.redJacobi() !== -1; } eqX(x) { assert(x instanceof BN); assert(!x.red); if (this.inf) return false; return this.getX().eq(x); } eqR(x) { assert(x instanceof BN); assert(!x.red); assert(!this.curve.n.isZero()); if (this.inf) return false; return this.getX().imod(this.curve.n).eq(x); } mul(k) { return super.mul(k).toP(); } muln(k) { return super.muln(k).toP(); } mulBlind(k, rng) { return super.mulBlind(k, rng).toP(); } mulAdd(k1, p2, k2) { return super.mulAdd(k1, p2, k2).toP(); } mulH() { return super.mulH().toP(); } div(k) { return super.div(k).toP(); } divn(k) { return super.divn(k).toP(); } divH() { return super.divH().toP(); } toP() { return this; } toJ() { // (X3, Y3, Z3) = (1, 1, 0) if (this.inf) return this.curve.jpoint(); // (X3, Y3, Z3) = (X1, Y1, 1) return this.curve.jpoint(this.x, this.y, this.curve.one); } encode(compact) { // [SEC1] Page 10, Section 2.3.3. if (compact == null) compact = true; assert(typeof compact === 'boolean'); const {fieldSize} = this.curve; // We do not serialize points at infinity. if (this.inf) throw new Error('Invalid point.'); // Compressed form (0x02 = even, 0x03 = odd). if (compact) { const p = Buffer.alloc(1 + fieldSize); const x = this.curve.encodeField(this.getX()); p[0] = 0x02 | this.y.redIsOdd(); x.copy(p, 1); return p; } // Uncompressed form (0x04). const p = Buffer.alloc(1 + fieldSize * 2); const x = this.curve.encodeField(this.getX()); const y = this.curve.encodeField(this.getY()); p[0] = 0x04; x.copy(p, 1); y.copy(p, 1 + fieldSize); return p; } static decode(curve, bytes) { // [SEC1] Page 11, Section 2.3.4. assert(curve instanceof ShortCurve); assert(Buffer.isBuffer(bytes)); const len = curve.fieldSize; if (bytes.length < 1 + len) throw new Error('Not a point.'); // Point forms: // // 0x00 -> Infinity (openssl, unsupported) // 0x02 -> Compressed Even // 0x03 -> Compressed Odd // 0x04 -> Uncompressed // 0x06 -> Hybrid Even (openssl) // 0x07 -> Hybrid Odd (openssl) // // Note that openssl supports serializing points // at infinity as {0}. We choose not to support it // because it's strange and not terribly useful. const form = bytes[0]; switch (form) { case 0x02: case 0x03: { if (bytes.length !== 1 + len) throw new Error('Invalid point size for compressed.'); const x = curve.decodeField(bytes.slice(1, 1 + len)); if (x.cmp(curve.p) >= 0) throw new Error('Invalid point.'); const p = curve.pointFromX(x, form === 0x03); assert(!p.isInfinity()); return p; } case 0x04: case 0x06: case 0x07: { if (bytes.length !== 1 + len * 2) throw new Error('Invalid point size for uncompressed.'); const x = curve.decodeField(bytes.slice(1, 1 + len)); const y = curve.decodeField(bytes.slice(1 + len, 1 + 2 * len)); // [GECC] Algorithm 4.3, Page 180, Section 4. if (x.cmp(curve.p) >= 0 || y.cmp(curve.p) >= 0) throw new Error('Invalid point.'); // OpenSSL hybrid encoding. if (form !== 0x04 && form !== (0x06 | y.isOdd())) throw new Error('Invalid hybrid encoding.'); const p = curve.point(x, y); if (!p.validate()) throw new Error('Invalid point.'); assert(!p.isInfinity()); return p; } default: { throw new Error('Unknown point format.'); } } } encodeX() { // [SCHNORR] "Specification". // [BIP340] "Specification". return this.curve.encodeField(this.getX()); } static decodeEven(curve, bytes) { // [BIP340] "Specification". assert(curve instanceof ShortCurve); const x = curve.decodeField(bytes); if (x.cmp(curve.p) >= 0) throw new Error('Invalid point.'); return curve.pointFromX(x, false); } static decodeSquare(curve, bytes) { // [SCHNORR] "Specification". assert(curve instanceof ShortCurve); const x = curve.decodeField(bytes); if (x.cmp(curve.p) >= 0) throw new Error('Invalid point.'); return curve.pointFromX(x); } toJSON(pre) { if (this.inf) return []; const x = this.getX().toJSON(); const y = this.getY().toJSON(); if (pre === true && this.pre) return [x, y, this.pre.toJSON()]; return [x, y]; } toPretty() { if (this.inf) return []; const size = this.curve.fieldSize * 2; const x = toPretty(this.getX(), size); const y = toPretty(this.getY(), size); return [x, y]; } static fromJSON(curve, json) { assert(curve instanceof ShortCurve); assert(Array.isArray(json)); assert(json.length === 0 || json.length === 2 || json.length === 3); if (json.length === 0) return curve.point(); const x = BN.fromJSON(json[0]); const y = BN.fromJSON(json[1]); const point = curve.point(x, y); if (json.length > 2 && json[2] != null) point.pre = Precomp.fromJSON(point, json[2]); return point; } [custom]() { if (this.inf) return ''; return ''; } } /** * JPoint */ class JPoint extends Point { constructor(curve, x, y, z) { assert(curve instanceof ShortCurve); super(curve, types.JACOBIAN); this.x = this.curve.one; this.y = this.curve.one; this.z = this.curve.zero; this.zOne = false; if (x != null) this._init(x, y, z); } _init(x, y, z) { assert(x instanceof BN); assert(y instanceof BN); assert(z == null || (z instanceof BN)); this.x = x; this.y = y; this.z = z || this.curve.one; if (!this.x.red) this.x = this.x.toRed(this.curve.red); if (!this.y.red) this.y = this.y.toRed(this.curve.red); if (!this.z.red) this.z = this.z.toRed(this.curve.red); this.zOne = this.z.eq(this.curve.one); } clone() { return this.curve.jpoint(this.x, this.y, this.z); } validate() { // [GECC] Example 3.20, Page 88, Section 3. const {a, b} = this.curve; // P = O if (this.isInfinity()) return true; // Z1 = 1 if (this.zOne) return this.curve.validate(this.toP()); // y^2 = x^3 + a * x * z^4 + b * z^6 const lhs = this.y.redSqr(); const x3 = this.x.redSqr().redMul(this.x); const z2 = this.z.redSqr(); const z4 = z2.redSqr(); const z6 = z4.redMul(z2); const rhs = x3.redIAdd(b.redMul(z6)); if (!this.curve.zeroA) { // Save some cycles for a = -3. if (this.curve.threeA) rhs.redIAdd(z4.redIMuln(-3).redMul(this.x)); else rhs.redIAdd(a.redMul(z4).redMul(this.x)); } return lhs.eq(rhs); } normalize() { // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#scaling-z // 1I + 3M + 1S // Z = 1 if (this.zOne) return this; // P = O if (this.isInfinity()) return this; // A = 1 / Z1 const a = this.z.redInvert(); // AA = A^2 const aa = a.redSqr(); // X3 = X1 * AA this.x = this.x.redMul(aa); // Y3 = Y1 * AA * A this.y = this.y.redMul(aa).redMul(a); // Z3 = 1 this.z = this.curve.one; this.zOne = true; return this; } scale(a) { assert(a instanceof BN); // P = O if (this.isInfinity()) return this.curve.jpoint(); // AA = A^2 const aa = a.redSqr(); // X3 = X1 * AA const nx = this.x.redMul(aa); // Y3 = Y1 * AA * A const ny = this.y.redMul(aa).redMul(a); // Z3 = Z1 * A const nz = this.z.redMul(a); return this.curve.jpoint(nx, ny, nz); } neg() { // -(X1, Y1, Z1) = (X1, -Y1, Z1) return this.curve.jpoint(this.x, this.y.redNeg(), this.z); } add(p) { assert(p instanceof Point); if (p.type === types.AFFINE) return this._mixedAdd(p); return this._add(p); } _add(p) { assert(p instanceof JPoint); // O + P = P if (this.isInfinity()) return p; // P + O = P if (p.isInfinity()) return this; // Z1 = 1 if (this.zOne) return p._addJA(this); // Z2 = 1 if (p.zOne) return this._addJA(p); return this._addJJ(p); } _mixedAdd(p) { assert(p instanceof ShortPoint); // O + P = P if (this.isInfinity()) return p.toJ(); // P + O = P if (p.isInfinity()) return this; return this._addJA(p); } _addJJ(p) { // No assumptions. // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-add-1998-cmo-2 // 12M + 4S + 6A + 1*2 (implemented as: 12M + 4S + 7A) // Z1Z1 = Z1^2 const z1z1 = this.z.redSqr(); // Z2Z2 = Z2^2 const z2z2 = p.z.redSqr(); // U1 = X1 * Z2Z2 const u1 = this.x.redMul(z2z2); // U2 = X2 * Z1Z1 const u2 = p.x.redMul(z1z1); // S1 = Y1 * Z2 * Z2Z2 const s1 = this.y.redMul(p.z).redMul(z2z2); // S2 = Y2 * Z1 * Z1Z1 const s2 = p.y.redMul(this.z).redMul(z1z1); // H = U2 - U1 const h = u2.redISub(u1); // r = S2 - S1 const r = s2.redISub(s1); // H = 0 if (h.isZero()) { if (!r.isZero()) return this.curve.jpoint(); return this.dbl(); } // HH = H^2 const hh = h.redSqr(); // HHH = H * HH const hhh = h.redMul(hh); // V = U1 * HH const v = u1.redMul(hh); // X3 = r^2 - HHH - 2 * V const nx = r.redSqr().redISub(hhh).redISub(v).redISub(v); // Y3 = r * (V - X3) - S1 * HHH const ny = r.redMul(v.redISub(nx)).redISub(s1.redMul(hhh)); // Z3 = Z1 * Z2 * H const nz = this.z.redMul(p.z).redMul(h); return this.curve.jpoint(nx, ny, nz); } _addJA(p) { // Assumes Z2 = 1. // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-madd // 8M + 3S + 6A + 5*2 (implemented as: 8M + 3S + 7A + 4*2) // Z1Z1 = Z1^2 const z1z1 = this.z.redSqr(); // U2 = X2 * Z1Z1 const u2 = p.x.redMul(z1z1); // S2 = Y2 * Z1 * Z1Z1 const s2 = p.y.redMul(this.z).redMul(z1z1); // H = U2 - X1 const h = u2.redISub(this.x); // r = 2 * (S2 - Y1) const r = s2.redISub(this.y).redIMuln(2); // H = 0 if (h.isZero()) { if (!r.isZero()) return this.curve.jpoint(); return this.dbl(); } // I = (2 * H)^2 const i = h.redMuln(2).redSqr(); // J = H * I const j = h.redMul(i); // V = X1 * I const v = this.x.redMul(i); // X3 = r^2 - J - 2 * V const nx = r.redSqr().redISub(j).redISub(v).redISub(v); // Y3 = r * (V - X3) - 2 * Y1 * J const ny = r.redMul(v.redISub(nx)).redISub(this.y.redMul(j).redIMuln(2)); // Z3 = 2 * Z1 * H const nz = this.z.redMul(h).redIMuln(2); return this.curve.jpoint(nx, ny, nz); } dbl() { // P = O if (this.isInfinity()) return this; // Y1 = 0 if (this.y.isZero()) return this.curve.jpoint(); // a = 0 if (this.curve.zeroA) return this._dbl0(); // a = -3 if (this.curve.threeA) return this._dbl3(); return this._dblJ(); } _dblJ() { // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 // 3M + 6S + 4A + 1*a + 2*2 + 1*3 + 1*4 + 1*8 // (implemented as: 3M + 6S + 5A + 1*a + 1*2 + 1*3 + 1*4 + 1*8) // XX = X1^2 const xx = this.x.redSqr(); // YY = Y1^2 const yy = this.y.redSqr(); // ZZ = Z1^2 const zz = this.z.redSqr(); // S = 4 * X1 * YY const s = this.x.redMul(yy).redIMuln(4); // M = 3 * XX + a * ZZ^2 const m = xx.redIMuln(3).redIAdd(this.curve.a.redMul(zz.redSqr())); // T = M^2 - 2 * S const t = m.redSqr().redISub(s).redISub(s); // X3 = T const nx = t; // Y3 = M * (S - T) - 8 * YY^2 const ny = m.redMul(s.redISub(t)).redISub(yy.redSqr().redIMuln(8)); // Z3 = 2 * Y1 * Z1 const nz = this.y.redMul(this.z).redIMuln(2); return this.curve.jpoint(nx, ny, nz); } _dbl0() { // Assumes a = 0. // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l // 2M + 5S + 6A + 3*2 + 1*3 + 1*8 // (implemented as: 2M + 5S + 7A + 2*2 + 1*3 + 1*8) // A = X1^2 const a = this.x.redSqr(); // B = Y1^2 const b = this.y.redSqr(); // C = B^2 const c = b.redSqr(); // + XB2 = (X1 + B)^2 const xb2 = b.redIAdd(this.x).redSqr(); // D = 2 * ((X1 + B)^2 - A - C) const d = xb2.redISub(a).redISub(c).redIMuln(2); // E = 3 * A const e = a.redIMuln(3); // F = E^2 const f = e.redSqr(); // X3 = F - 2 * D const nx = f.redISub(d).redISub(d); // Y3 = E * (D - X3) - 8 * C const ny = e.redMul(d.redISub(nx)).redISub(c.redIMuln(8)); // Z3 = 2 * Y1 * Z1 const nz = this.y.redMul(this.z).redIMuln(2); return this.curve.jpoint(nx, ny, nz); } _dbl3() { // Assumes a = -3. // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b // 3M + 5S + 8A + 1*3 + 1*4 + 2*8 // (implemented as: 3M + 5S + 8A + 1*2 + 1*3 + 1*4 + 1*8) // delta = Z1^2 const delta = this.z.redSqr(); // gamma = Y1^2 const gamma = this.y.redSqr(); // beta = X1 * gamma const beta = this.x.redMul(gamma); // + xmdelta = X1 - delta const xmdelta = this.x.redSub(delta); // + xpdelta = X1 + delta const xpdelta = this.x.redAdd(delta); // alpha = 3 * (X1 - delta) * (X1 + delta) const alpha = xmdelta.redMul(xpdelta).redIMuln(3); // + beta4 = 4 * beta const beta4 = beta.redIMuln(4); // + beta8 = 2 * beta4 const beta8 = beta4.redMuln(2); // + gamma28 = 8 * gamma^2 const gamma28 = gamma.redSqr().redIMuln(8); // X3 = alpha^2 - 8 * beta const nx = alpha.redSqr().redISub(beta8); // Z3 = (Y1 + Z1)^2 - gamma - delta const nz = this.y.redAdd(this.z).redSqr().redISub(gamma).redISub(delta); // Y3 = alpha * (4 * beta - X3) - 8 * gamma^2 const ny = alpha.redMul(beta4.redISub(nx)).redISub(gamma28); return this.curve.jpoint(nx, ny, nz); } getX() { if (this.isInfinity()) throw new Error('Invalid point.'); this.normalize(); return this.x.fromRed(); } getY() { if (this.isInfinity()) throw new Error('Invalid point.'); this.normalize(); return this.y.fromRed(); } eq(p) { assert(p instanceof JPoint); // P = Q if (this === p) return true; // P = O if (this.isInfinity()) return p.isInfinity(); // Q = O if (p.isInfinity()) return false; // Z1 = Z2 if (this.z.eq(p.z)) { return this.x.eq(p.x) && this.y.eq(p.y); } // X1 * Z2^2 = X2 * Z1^2 const zz1 = this.z.redSqr(); const zz2 = p.z.redSqr(); const x1 = this.x.redMul(zz2); const x2 = p.x.redMul(zz1); if (!x1.eq(x2)) return false; // Y1 * Z2^3 = Y2 * Z1^3 const zzz1 = zz1.redMul(this.z); const zzz2 = zz2.redMul(p.z); const y1 = this.y.redMul(zzz2); const y2 = p.y.redMul(zzz1); return y1.eq(y2); } cmp(point) { assert(point instanceof JPoint); const inf1 = this.isInfinity(); const inf2 = point.isInfinity(); if (inf1 && !inf2) return -1; if (!inf1 && inf2) return 1; if (inf1 && inf2) return 0; return this.order().cmp(point.order()) || this.getX().cmp(point.getX()) || this.getY().cmp(point.getY()); } isInfinity() { // Z1 = 0 return this.z.isZero(); } isOrder2() { if (this.isInfinity()) return false; return this.y.isZero(); } isOdd() { if (this.isInfinity()) return false; this.normalize(); return this.y.redIsOdd(); } isEven() { if (this.isInfinity()) return false; this.normalize(); return this.y.redIsEven(); } isSquare() { if (this.isInfinity()) return false; return this.y.redMul(this.z).redJacobi() !== -1; } eqX(x) { // Verify that integer `x` is equal to field // element `x` by scaling it by our z coordinate. // This optimization is mentioned in and used for // bip-schnorr[1]. This avoids having to affinize // the resulting point during verification. // // [1] [SCHNORR] "Optimizations". assert(x instanceof BN); assert(!x.red); if (this.isInfinity()) return false; const zz = this.z.redSqr(); const rx = x.toRed(this.curve.red).redMul(zz); return this.x.eq(rx); } eqR(x) { // Similar to the optimization above, this // optimization, suggested by Maxwell[1], // compares an integer to an X coordinate // by scaling it. // // Since a signature's R value is modulo N // in ECDSA, we may be dealing with an R // value greater than N in actuality. // // If the equality check fails, we can // scale N itself by Z and add it to the // X field element. // // [1] https://github.com/bitcoin-core/secp256k1/commit/ce7eb6f assert(x instanceof BN); assert(!x.red); if (!this.curve.smallGap) return this.toP().eqR(x); if (this.isInfinity()) return false; if (x.cmp(this.curve.p) >= 0) return false; const zz = this.z.redSqr(); const rx = x.toRed(this.curve.red).redMul(zz); if (this.x.eq(rx)) return true; if (this.curve.highOrder) return false; if (x.cmp(this.curve.pmodn) >= 0) return false; const rn = this.curve.redN.redMul(zz); rx.redIAdd(rn); return this.x.eq(rx); } toP() { // P = O if (this.isInfinity()) return this.curve.point(); this.normalize(); // (X3, Y3) = (X1 / Z1^2, Y1 / Z1^3) return this.curve.point(this.x, this.y); } toJ() { return this; } encode(compact) { return this.toP().encode(compact); } static decode(curve, bytes) { return ShortPoint.decode(curve, bytes).toJ(); } encodeX() { return this.toP().encodeX(); } static decodeEven(curve, bytes) { return ShortPoint.decodeEven(curve, bytes).toJ(); } static decodeSquare(curve, bytes) { return ShortPoint.decodeSquare(curve, bytes).toJ(); } toJSON(pre) { return this.toP().toJSON(pre); } toPretty() { return this.toP().toPretty(); } static fromJSON(curve, json) { return ShortPoint.fromJSON(curve, json).toJ(); } [custom]() { if (this.isInfinity()) return ''; return ''; } } /** * MontCurve */ class MontCurve extends Curve { constructor(conf) { super(MontPoint, 'mont', conf); this.a = BN.fromJSON(conf.a).toRed(this.red); this.b = BN.fromJSON(conf.b).toRed(this.red); this.bi = this.b.redInvert(); this.a2 = this.a.redAdd(this.two); this.a24 = this.a2.redMul(this.i4); this.a3 = this.a.redMul(this.i3); this.a0 = this.a.redMul(this.bi); this.b0 = this.bi.redSqr(); this._finalize(conf); } static _isomorphism(curveA, curveB, customB) { // Montgomery Isomorphism. // // [MONT3] Page 3, Section 2.1. // // Transformation: // // A' = A // B' = B' // // Where (B / B') is square. assert(curveA instanceof BN); assert(curveB instanceof BN); assert(customB instanceof BN); const a = curveA.clone(); const b = customB.clone(); const c = curveB.redDiv(customB); if (c.redJacobi() !== 1) throw new Error('Invalid `b` coefficient.'); return [a, b]; } _short(a0, odd) { // Montgomery->Short Weierstrass Equivalence. // // [MONT2] "Equivalence with Weierstrass curves". // // Transformation: // // a = (3 - A^2) / (3 * B^2) // b = (2 * A^3 - 9 * A) / (27 * B^3) const {a, b, three} = this; const a2 = a.redSqr(); const a3 = a2.redMul(a); const b2 = b.redSqr(); const b3 = b2.redMul(b); const n0 = three.redSub(a2); const d0 = b2.redMuln(3); const n1 = a3.redMuln(2).redISub(a.redMuln(9)); const d1 = b3.redMuln(27); const wa = n0.redDiv(d0); const wb = n1.redDiv(d1); if (a0 != null) return ShortCurve._isomorphism(wa, wb, a0, odd); return [wa, wb]; } _mont(b0) { return MontCurve._isomorphism(this.a, this.b, b0); } _edwards(a0, invert = false) { // Montgomery->Twisted Edwards Transformation. // // [MONT1] Page 11, Section 4.3.5. // [TWISTED] Theorem 3.2, Page 4, Section 3. // // Equivalence: // // a = (A + 2) / B // d = (A - 2) / B // // Isomorphism: // // a = a' // d = a' * (A - 2) / (A + 2) // // Where ((A + 2) / (B * a')) is square. // // If `d` is square, we can usually find // a complete curve by using the `invert` // option. This will create an isomorphism // chain of: M(A,B)->E(a,d)->E(d,a). // // The equivalence between E(a,d) and // E(d,a) is: // // (x, y) = (x, 1 / y) // // Meaning our map to E(d,a) is: // // x = u / v // y = 1 / ((u - 1) / (u + 1)) // = (u + 1) / (u - 1) assert(typeof invert === 'boolean'); const {two, bi} = this; const a = this.a.redAdd(two).redMul(bi); const d = this.a.redSub(two).redMul(bi); if (invert) a.swap(d); if (a0 != null) return EdwardsCurve._isomorphism(a, d, a0); return [a, d]; } _scaleShort(curve) { assert(curve instanceof ShortCurve); const [u2, u3] = curve._scale(this); return [this.field(u2.redInvert()), this.field(u3.redInvert())]; } _scaleMont(curve) { // We can extract the isomorphism factor with: // // c = +-sqrt(B / B') // // If base points are available, we can do: // // c = v' / v assert(curve instanceof MontCurve); if (this.g.isInfinity() || curve.g.isInfinity()) return this.field(curve.b).redDivSqrt(this.b); return this.g.y.redDiv(this.field(curve.g.y)); } _scaleEdwards(curve, invert) { // We _could_ do something like: // // B = 4 / (a - d) // c = +-sqrt(B / B') // // Which can be reduced to: // // c = +-sqrt(4 / ((a - d) * B')) // // If base points are available: // // v = u' / x // c = v' / v // // Which can be reduced to: // // c = v' * x / u' // // However, the way our maps are // written, we can re-use the Edwards // isomorphism factor when going the // other direction. assert(curve instanceof EdwardsCurve); const c = curve._scale(this, invert); return this.field(c); } _solveY0(x) { assert(x instanceof BN); // y^2 = x^3 + A * x^2 + B * x const a = this.a0; const b = this.b0; const x2 = x.redSqr(); const x3 = x2.redMul(x); const y2 = x3.redIAdd(a.redMul(x2)).redIAdd(b.redMul(x)); return y2; } _elligator2(u) { // Elligator 2. // // Distribution: 1/2. // // [ELL2] Page 11, Section 5.2. // [H2EC] "Elligator 2 Method". // "Mappings for Montgomery curves". // [SAFE] "Indistinguishability from uniform random strings". // // Assumptions: // // - y^2 = x^3 + A * x^2 + B * x. // - A != 0, B != 0. // - A^2 - 4 * B is non-zero and non-square in F(p). // - Let z be a non-square in F(p). // - u != +-sqrt(-1 / z). // // Note that Elligator 2 is defined over the form: // // y'^2 = x'^3 + A' * x'^2 + B' * x' // // Instead of: // // B * y^2 = x^3 + A * x^2 + x // // Where: // // A' = A / B // B' = 1 / B^2 // x' = x / B // y' = y / B // // And: // // x = B * x' // y = B * y' // // This is presumably the result of Elligator 2 // being designed in long Weierstrass form. If // we want to support B != 1, we need to do the // conversion. // // Map: // // g(x) = x^3 + A * x^2 + B * x // x1 = -A / (1 + z * u^2) // x1 = -A, if x1 = 0 // x2 = -x1 - A // x = x1, if g(x1) is square // = x2, otherwise // y = sign(u) * abs(sqrt(g(x))) const lhs = this.a0.redNeg(); const rhs = this.one.redAdd(this.z.redMul(u.redSqr())); if (rhs.isZero()) rhs.inject(this.one); const x1 = lhs.redMul(rhs.redInvert()); const x2 = x1.redNeg().redISub(this.a0); const y1 = this._solveY0(x1); const y2 = this._solveY0(x2); const alpha = y1.redIsSquare() | 0; const x0 = [x1, x2][alpha ^ 1]; const y0 = [y1, y2][alpha ^ 1].redSqrt(); if (y0.redIsOdd() !== u.redIsOdd()) y0.redINeg(); const x = this.b.redMul(x0); const y = this.b.redMul(y0); return this.point(x, y); } _invert2(p, hint) { // Inverting the Map (Elligator 2). // // [ELL2] Page 12, Section 5.3. // // Assumptions: // // - -z * x * (x + A) is square in F(p). // - If r = 1 then x != 0. // - If r = 2 then x != -A. // // Map: // // u1 = -(x + A) / (x * z) // u2 = -x / ((x + A) * z) // r = random integer in [1,2] // u = sign(y) * abs(sqrt(ur)) // // Note that `0 / 0` can only occur if A = 0 // (this violates the assumptions of Elligator 2). const {x, y} = p; const r = hint & 1; const x0 = x.redMul(this.bi); const y0 = y.redMul(this.bi); const n = x0.redAdd(this.a0); const d = x0; const lhs = [n, d][r].redINeg(); const rhs = [d, n][r].redMul(this.z); const u = lhs.redDivSqrt(rhs); if (u.redIsOdd() !== y0.redIsOdd()) u.redINeg(); return u; } isElliptic() { const a2 = this.a.redSqr(); const d = this.b.redMul(a2.redSub(this.four)); // B * (A^2 - 4) != 0 return !d.isZero(); } jinv() { // [MONT3] Page 3, Section 2. const {a, three, four} = this; const a2 = a.redSqr(); const t0 = a2.redSub(three); const lhs = t0.redPown(3).redIMuln(256); const rhs = a2.redSub(four); if (rhs.isZero()) throw new Error('Curve is not elliptic.'); // (256 * (A^2 - 3)^3) / (A^2 - 4) return lhs.redDiv(rhs).fromRed(); } point(x, y) { return new MontPoint(this, x, y); } jpoint(x, y, z) { assert(x == null && y == null && z == null); return this.point(); } xpoint(x, z) { return new XPoint(this, x, z); } solveY2(x) { // [MONT3] Page 3, Section 2. // https://hyperelliptic.org/EFD/g1p/auto-montgom.html assert(x instanceof BN); // B * y^2 = x^3 + A * x^2 + x const x2 = x.redSqr(); const x3 = x2.redMul(x); const by2 = x3.redIAdd(this.a.redMul(x2)).redIAdd(x); const y2 = by2.redMul(this.bi); return y2; } validate(point) { assert(point instanceof MontPoint); if (point.isInfinity()) return true; const {x, y} = point; const y2 = this.solveY2(x); return y.redSqr().eq(y2); } pointFromX(x, sign = null) { assert(x instanceof BN); assert(sign == null || typeof sign === 'boolean'); if (!x.red) x = x.toRed(this.red); const y = this.solveY(x); if (sign != null) { if (y.isZero() && sign) throw new Error('Invalid point.'); if (y.redIsOdd() !== sign) y.redINeg(); } return this.point(x, y); } isIsomorphic(curve, invert) { // [MONT3] Page 3, Section 2.1. assert(curve instanceof Curve); if (!curve.p.eq(this.p)) return false; // M(A,B) <-> M(A,B') if (curve.type === 'mont') { const a = this.field(curve.a); const b = this.field(curve.b); // A' = A if (!this.a.eq(a)) return false; // B' != 0 if (this.b.isZero()) return false; // jacobi(B / B') = 1 const c = b.redDiv(this.b); return c.redJacobi() === 1; } return curve.isIsomorphic(this, invert); } isIsogenous(curve) { assert(curve instanceof Curve); if (curve.type === 'mont') return false; return curve.isIsogenous(this); } pointFromShort(point) { // [ALT] Appendix E.2 (Switching between Alternative Representations). // [MONT2] "Equivalence with Weierstrass curves" assert(point instanceof ShortPoint); if (this.isIsomorphic(point.curve)) { // Equivalence for E(a,b)->M(A,B): // // u = B * x - A / 3 // v = B * y // // Undefined if ((u^3 + A * u^2 + u) / B) is not square. if (point.isInfinity()) return this.point(); const {a3, b} = this; const [u2, u3] = this._scale(point.curve); const x = this.field(point.x).redMul(u2); const y = this.field(point.y).redMul(u3); const u = b.redMul(x).redISub(a3); const v = b.redMul(y); return this.point(u, v); } throw new Error('Not implemented.'); } pointFromMont(point) { // [MONT3] Page 3, Section 2.1. assert(point instanceof MontPoint); if (this.isIsomorphic(point.curve)) { // Isomorphic maps for M(A,B)<->M(A,B'): // // u' = u // v' = +-sqrt(B / B') * v // // Undefined if (B / B') is not square. if (point.isInfinity()) return this.point(); const c = this._scale(point.curve); const u = this.field(point.x); const v = this.field(point.y); const nu = u; const nv = c.redMul(v); return this.point(nu, nv); } throw new Error('Not implemented.'); } pointFromEdwards(point) { // [RFC7748] Section 4.1 & 4.2. // [MONT3] Page 6, Section 2.5. // [TWISTED] Theorem 3.2, Page 4, Section 3. assert(point instanceof EdwardsPoint); assert(point.curve.p.eq(this.p)); // Edwards `x`, `y`, `z`. const x = this.field(point.x); const y = this.field(point.y); const z = this.field(point.z); if (this.isIsogenous(point.curve)) { // 4-isogeny maps for E(1,d)->M(2-4d,1): // // u = y^2 / x^2 // v = (2 - x^2 - y^2) * y / x^3 // // Undefined for x = 0. // // Exceptional Cases: // - (0, 1) -> O // - (0, -1) -> (0, 0) // // Unexceptional Cases: // - (+-1, 0) -> (0, 0) if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(this.zero, this.zero); const c = z.redSqr().redIMuln(2); const uu = y.redSqr(); const uz = x.redSqr(); const vv = c.redISub(uz).redISub(uu).redMul(y); const vz = uz.redMul(x); return this.cpoint(uu, uz, vv, vz); } if (this.isIsomorphic(point.curve, true)) { // Isomorphic maps for E(d,a)->M(A,B): // // u = (y + 1) / (y - 1) // v = +-sqrt((A - 2) / (B * a)) * u / x // // Undefined for x = 0 or y = 1. // // Exceptional Cases: // - (0, 1) -> O // - (0, -1) -> (0, 0) // // Unexceptional Cases: // - (+-sqrt(1 / a), 0) -> (-1, +-sqrt((A - 2) / B)) if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(this.zero, this.zero); const c = this._scale(point.curve, true); const uu = y.redAdd(z); const uz = y.redSub(z); const vv = c.redMul(z).redMul(uu); const vz = x.redMul(uz); return this.cpoint(uu, uz, vv, vz); } if (this.isIsomorphic(point.curve, false)) { // Isomorphic maps for E(a,d)->M(A,B): // // u = (1 + y) / (1 - y) // v = +-sqrt((A + 2) / (B * a)) * u / x // // Undefined for x = 0 or y = 1. // // Exceptional Cases: // - (0, 1) -> O // - (0, -1) -> (0, 0) // // Unexceptional Cases: // - (+-sqrt(1 / a), 0) -> (1, +-sqrt((A + 2) / B)) if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(this.zero, this.zero); const c = this._scale(point.curve, false); const uu = z.redAdd(y); const uz = z.redSub(y); const vv = c.redMul(z).redMul(uu); const vz = x.redMul(uz); return this.cpoint(uu, uz, vv, vz); } throw new Error('Not implemented.'); } pointFromUniform(u) { assert(u instanceof BN); // z = 0 or A = 0 if (this.z.isZero() || this.a.isZero()) throw new Error('Not implemented.'); return this._elligator2(u); } pointToUniform(p, hint) { // Convert a montgomery point to a field // element by inverting the elligator2 map. // // Hint Layout: // // [00000000] [0000] [0000] // | | | // | | +-- preimage index // | +--- subgroup // +-- bits to OR with uniform bytes assert(p instanceof MontPoint); assert((hint >>> 0) === hint); // z = 0 or A = 0 if (this.z.isZero() || this.a.isZero()) throw new Error('Not implemented.'); // P = O if (p.isInfinity()) throw new Error('Invalid point.'); // Add a random torsion component. const i = ((hint >>> 4) & 15) % this.torsion.length; const q = p.add(this.torsion[i]); return wrapErrors(() => { return this._invert2(q, hint); }); } decodePoint(bytes, sign) { return MontPoint.decode(this, bytes, sign); } encodeX(point) { assert(point instanceof XPoint); return point.encode(); } decodeX(bytes) { return XPoint.decode(this, bytes); } toShort(a0, odd, sign = null) { const [a, b] = this._short(a0, odd); const curve = new ShortCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h }); if (sign != null) { const [, u3] = curve._scale(this); if (u3.redIsOdd() !== sign) u3.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromMont(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromMont(this.torsion[i]); return curve; } toMont(b0, sign = null) { const [a, b] = this._mont(b0); const curve = new MontCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h, z: this.z }); if (sign != null) { const c = curve._scale(this); if (c.redIsOdd() !== sign) c.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromMont(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromMont(this.torsion[i]); return curve; } toEdwards(a0, invert, sign = null) { const [a, d] = this._edwards(a0, invert); const curve = new EdwardsCurve({ red: this.red, prime: this.prime, p: this.p, a: a, d: d, n: this.n, h: this.h, z: this.z }); if (sign != null) { const c = curve._scale(this, invert); if (c.redIsOdd() !== sign) c.redINeg(); } if (!this.g.isInfinity()) { curve.g = curve.pointFromMont(this.g); curve.g.normalize(); } if (curve.isComplete()) { for (let i = 0; i < this.h.word(0); i++) { curve.torsion[i] = curve.pointFromMont(this.torsion[i]); curve.torsion[i].normalize(); } } return curve; } pointFromJSON(json) { return MontPoint.fromJSON(this, json); } toJSON(pre) { const json = super.toJSON(pre); json.a = this.a.fromRed().toJSON(); json.b = this.b.fromRed().toJSON(); return json; } } /** * MontPoint */ class MontPoint extends Point { constructor(curve, x, y) { assert(curve instanceof MontCurve); super(curve, types.AFFINE); this.x = this.curve.zero; this.y = this.curve.zero; this.inf = true; if (x != null) this._init(x, y); } _init(x, y) { assert(x instanceof BN); assert(y instanceof BN); this.x = x; this.y = y; if (!this.x.red) this.x = this.x.toRed(this.curve.red); if (!this.y.red) this.y = this.y.toRed(this.curve.red); this.inf = false; } clone() { if (this.inf) return this.curve.point(); return this.curve.point(this.x, this.y); } scale(a) { return this.clone(); } randomize(rng) { return this.clone(); } neg() { // P = O if (this.inf) return this; // -(X1, Y1) = (X1, -Y1) return this.curve.point(this.x, this.y.redNeg()); } add(p) { // [MONT1] Page 8, Section 4.3.2. // // Addition Law: // // l = (y2 - y1) / (x2 - x1) // x3 = b * l^2 - a - x1 - x2 // y3 = l * (x1 - x3) - y1 // // 1I + 2M + 1S + 7A + 1*b assert(p instanceof MontPoint); // O + P = P if (this.inf) return p; // P + O = P if (p.inf) return this; // P + P, P + -P if (this.x.eq(p.x)) { // P + -P = O if (!this.y.eq(p.y)) return this.curve.point(); // P + P = 2P return this.dbl(); } // H = X2 - X1 const h = p.x.redSub(this.x); // R = Y2 - Y1 const r = p.y.redSub(this.y); // L = R / H const l = r.redDiv(h); // K = b * L^2 const k = this.curve.b.redMul(l.redSqr()); // X3 = K - a - X1 - X2 const nx = k.redISub(this.curve.a).redISub(this.x).redISub(p.x); // Y3 = L * (X1 - X3) - Y1 const ny = l.redMul(this.x.redSub(nx)).redISub(this.y); return this.curve.point(nx, ny); } dbl() { // [MONT1] Page 8, Section 4.3.2. // // Addition Law (doubling): // // l = (3 * x1^2 + 2 * a * x1 + 1) / (2 * b * y1) // x3 = b * l^2 - a - 2 * x1 // y3 = l * (x1 - x3) - y1 // // 1I + 3M + 2S + 7A + 1*a + 1*b + 1*b + 2*2 + 1*3 // P = O if (this.inf) return this; // Y1 = 0 if (this.y.isZero()) return this.curve.point(); // M1 = 3 * X1^2 const m1 = this.x.redSqr().redIMuln(3); // M2 = 2 * a * X1 const m2 = this.curve.a.redMul(this.x).redIMuln(2); // M = M1 + M2 + 1 const m = m1.redIAdd(m2).redIAdd(this.curve.one); // Z = 2 * b * Y1 const z = this.curve.b.redMul(this.y).redIMuln(2); // L = M / Z const l = m.redDiv(z); // K = b * L^2 const k = this.curve.b.redMul(l.redSqr()); // X3 = K - a - 2 * X1 const nx = k.redISub(this.curve.a).redISub(this.x).redISub(this.x); // Y3 = L * (X1 - X3) - Y1 const ny = l.redMul(this.x.redSub(nx)).redISub(this.y); return this.curve.point(nx, ny); } getX() { if (this.inf) throw new Error('Invalid point.'); return this.x.fromRed(); } getY() { if (this.inf) throw new Error('Invalid point.'); return this.y.fromRed(); } eq(p) { assert(p instanceof MontPoint); // P = Q if (this === p) return true; // P = O if (this.inf) return p.inf; // Q = O if (p.inf) return false; // X1 = X2, Y1 = Y2 return this.x.eq(p.x) && this.y.eq(p.y); } cmp(point) { assert(point instanceof MontPoint); if (this.inf && !point.inf) return -1; if (!this.inf && point.inf) return 1; if (this.inf && point.inf) return 0; return this.order().cmp(point.order()) || this.getX().cmp(point.getX()) || this.getY().cmp(point.getY()); } isInfinity() { // Infinity cannot be represented in // the affine space, except by a flag. return this.inf; } isOrder2() { if (this.inf) return false; return this.y.isZero(); } isOdd() { if (this.inf) return false; return this.y.redIsOdd(); } isEven() { if (this.inf) return false; return this.y.redIsEven(); } toP() { return this; } toJ() { return this; } toX() { // (X3, Z3) = (1, 0) if (this.inf) return this.curve.xpoint(); // (X3, Z3) = (X1, 1) return this.curve.xpoint(this.x, this.curve.one); } encode() { return this.toX().encode(); } static decode(curve, bytes, sign) { assert(curve instanceof MontCurve); return curve.decodeX(bytes).toP(sign); } toJSON(pre) { if (this.inf) return []; const x = this.getX().toJSON(); const y = this.getY().toJSON(); return [x, y]; } toPretty() { if (this.inf) return []; const size = this.curve.fieldSize * 2; const x = toPretty(this.getX(), size); const y = toPretty(this.getY(), size); return [x, y]; } static fromJSON(curve, json) { assert(curve instanceof MontCurve); assert(Array.isArray(json)); assert(json.length === 0 || json.length === 2 || json.length === 3); if (json.length === 0) return curve.point(); const x = BN.fromJSON(json[0]); const y = BN.fromJSON(json[1]); return curve.point(x, y); } [custom]() { if (this.inf) return ''; return ''; } } /** * XPoint */ class XPoint extends Point { constructor(curve, x, z) { assert(curve instanceof MontCurve); super(curve, types.PROJECTIVE); this.x = this.curve.one; this.z = this.curve.zero; if (x != null) this._init(x, z); } _init(x, z) { assert(x instanceof BN); assert(z == null || (z instanceof BN)); this.x = x; this.z = z || this.curve.one; if (!this.x.red) this.x = this.x.toRed(this.curve.red); if (!this.z.red) this.z = this.z.toRed(this.curve.red); } clone() { return this.curve.xpoint(this.x, this.z); } precompute(power, rng) { // No-op. return this; } validate() { if (this.isInfinity()) return true; // B * y^2 * z = x^3 + A * x^2 * z + x * z^2 const {x, z} = this; const x2 = x.redSqr(); const x3 = x2.redMul(x); const z2 = z.redSqr(); const ax2 = this.curve.a.redMul(x2).redMul(z); const by2 = x3.redIAdd(ax2).redIAdd(x.redMul(z2)); const y2 = by2.redMul(this.curve.bi); // sqrt(y^2 * z^4) = y * z^2 return y2.redMul(z).redJacobi() !== -1; } normalize() { // https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#scaling-scale // 1I + 1M // P = O if (this.isInfinity()) return this; // Z1 = 1 if (this.z.eq(this.curve.one)) return this; // X3 = X1 / Z1 this.x = this.x.redDiv(this.z); // Z3 = 1 this.z = this.curve.one; return this; } scale(a) { assert(a instanceof BN); // P = O if (this.isInfinity()) return this.curve.xpoint(); // X3 = X1 * A const nx = this.x.redMul(a); // Y3 = Y1 * A const nz = this.z.redMul(a); return this.curve.xpoint(nx, nz); } neg() { // -(X1, Z1) = (X1, Z1) return this; } dbl() { // https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3 // 2M + 2S + 4A + 1*a24 // A = X1 + Z1 const a = this.x.redAdd(this.z); // AA = A^2 const aa = a.redSqr(); // B = X1 - Z1 const b = this.x.redSub(this.z); // BB = B^2 const bb = b.redSqr(); // C = AA - BB const c = aa.redSub(bb); // X3 = AA * BB const nx = aa.redMul(bb); // Z3 = C * (BB + a24 * C) const nz = c.redMul(bb.redIAdd(this.curve.a24.redMul(c))); return this.curve.xpoint(nx, nz); } diffAddDbl(p2, p3) { // https://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#ladder-ladd-1987-m-3 // 6M + 4S + 8A + 1*a24 assert(p2 instanceof XPoint); assert(p3 instanceof XPoint); // A = X2 + Z2 const a = p2.x.redAdd(p2.z); // AA = A^2 const aa = a.redSqr(); // B = X2 - Z2 const b = p2.x.redSub(p2.z); // BB = B^2 const bb = b.redSqr(); // E = AA - BB const e = aa.redSub(bb); // C = X3 + Z3 const c = p3.x.redAdd(p3.z); // D = X3 - Z3 const d = p3.x.redSub(p3.z); // DA = D * A const da = d.redMul(a); // CB = C * B const cb = c.redMul(b); // X5 = Z1 * (DA + CB)^2 const x5 = this.z.redMul(da.redAdd(cb).redSqr()); // Z5 = X1 * (DA - CB)^2 const z5 = this.x.redMul(da.redISub(cb).redSqr()); // X4 = AA * BB const x4 = aa.redMul(bb); // Z4 = E * (BB + a24 * E) const z4 = e.redMul(bb.redIAdd(this.curve.a24.redMul(e))); return [ this.curve.xpoint(x4, z4), this.curve.xpoint(x5, z5) ]; } getX() { if (this.isInfinity()) throw new Error('Invalid point.'); this.normalize(); return this.x.fromRed(); } getY(sign) { return this.toP(sign).getY(); } eq(p) { assert(p instanceof XPoint); // P = Q if (this === p) return true; // P = O if (this.isInfinity()) return p.isInfinity(); // Q = O if (p.isInfinity()) return false; // Z1 = Z2 if (this.z.eq(p.z)) return this.x.eq(p.x); // X1 * Z2 = X2 * Z1 const x1 = this.x.redMul(p.z); const x2 = p.x.redMul(this.z); return x1.eq(x2); } cmp(point) { assert(point instanceof XPoint); const inf1 = this.isInfinity(); const inf2 = point.isInfinity(); if (inf1 && !inf2) return -1; if (!inf1 && inf2) return 1; if (inf1 && inf2) return 0; return this.order().cmp(point.order()) || this.getX().cmp(point.getX()); } isInfinity() { // Z1 = 0 return this.z.isZero(); } isOrder2() { if (this.isInfinity()) return false; return this.x.isZero(); } isOdd() { return false; } isEven() { return false; } hasTorsion() { if (this.isInfinity()) return false; // X1 = 0, Z1 != 0 (edge case) if (this.x.isZero()) return true; return super.hasTorsion(); } order() { try { return this.toP().order(); } catch (e) { return new BN(1); } } jmul(k) { // Multiply with the Montgomery Ladder. // // [MONT3] Algorithm 4, Page 12, Section 4.2. // // Note that any clamping is meant to // be done _outside_ of this function. assert(k instanceof BN); assert(!k.red); const bits = k.bitLength(); let a = this.curve.xpoint(); let b = this; for (let i = bits - 1; i >= 0; i--) { const bit = k.bit(i); if (bit === 0) [a, b] = this.diffAddDbl(a, b); else [b, a] = this.diffAddDbl(b, a); } return a; } jmulBlind(k, rng) { if (!rng) return this.jmul(k); // Randomize if available. return this.randomize(rng).jmul(k); } jmulAdd(k1, p2, k2) { throw new Error('Not implemented.'); } toP(sign = null) { assert(sign == null || typeof sign === 'boolean'); if (this.isInfinity()) return this.curve.point(); this.normalize(); return this.curve.pointFromX(this.x, sign); } toJ() { return this; } toX() { return this; } key() { if (this.isInfinity()) return `${this.curve.uid}:oo`; this.normalize(); const x = this.getX().toString(16); return `${this.curve.uid}:${x}`; } encode() { // [RFC7748] Section 5. return this.curve.encodeField(this.getX()); } static decode(curve, bytes) { assert(curve instanceof MontCurve); // [RFC7748] Section 5. const x = curve.decodeField(bytes); // We're supposed to ignore the hi bit // on montgomery points... I think. If // we don't, the X25519 test vectors // break, which is pretty convincing // evidence. This is a no-op for X448. x.iumaskn(curve.fieldBits); // Note: montgomery points are meant to be // reduced by the prime and do not have to // be explicitly validated in order to do // the montgomery ladder. const p = curve.xpoint(x, curve.one); assert(!p.isInfinity()); return p; } toJSON(pre) { return this.toP().toJSON(pre); } toPretty() { return this.toP().toPretty(); } static fromJSON(curve, json) { return MontPoint.fromJSON(curve, json).toX(); } [custom]() { if (this.isInfinity()) return ''; return ''; } } /** * EdwardsCurve */ class EdwardsCurve extends Curve { constructor(conf) { super(EdwardsPoint, 'edwards', conf); this.a = BN.fromJSON(conf.a).toRed(this.red); this.d = BN.fromJSON(conf.d).toRed(this.red); this.s = BN.fromJSON(conf.s || '0').toRed(this.red); this.si = this.s.isZero() ? this.zero : this.s.redInvert(); this.k = this.d.redMuln(2); this.smi = -this.d.redNeg().word(0); this.ad6 = this.a.redAdd(this.d).redMul(this.i6); this.twisted = !this.a.eq(this.one); this.oneA = this.a.eq(this.one); this.mOneA = this.a.eq(this.one.redNeg()); this.smallD = this.prime != null && this.d.redNeg().length === 1; this.alt = null; this._finalize(conf); } static _isomorphism(curveA, curveD, customA) { // Twisted Edwards Isomorphism. // // [TWISTED] Definition 2.1, Page 3, Section 2. // // Transformation: // // a' = a' // d' = a' * d / a // // Where (a / a') is square. assert(curveA instanceof BN); assert(curveD instanceof BN); assert(customA instanceof BN); const a = customA.clone(); const d = customA.redMul(curveD).redDiv(curveA); const c = curveA.redDiv(customA); if (c.redJacobi() !== 1) throw new Error('Invalid `a` coefficient.'); return [a, d]; } _short(a0, odd) { // Twisted Edwards->Short Weierstrass Equivalence. // // [TWISTEQ] Section 2. // // Transformation: // // a' = -(a^2 + 14 * a * d + d^2) / 48 // b' = (33 * (a^2 * d + a * d^2) - a^3 - d^3) / 864 const {a, d} = this; const a2 = a.redSqr(); const a3 = a2.redMul(a); const d2 = d.redSqr(); const d3 = d2.redMul(d); const ad14 = a.redMul(d).redIMuln(14); const a2d = a2.redMul(d); const ad2 = a.redMul(d2); const t0 = a2d.redIAdd(ad2).redIMuln(33); const wa = a2.redAdd(ad14).redIAdd(d2).redDivn(-48); const wb = t0.redISub(a3).redISub(d3).redDivn(864); if (a0 != null) return ShortCurve._isomorphism(wa, wb, a0, odd); return [wa, wb]; } _mont(b0, invert = false) { // Twisted Edwards->Montgomery Transformation. // // [TWISTED] Theorem 3.2, Page 4, Section 3. // // Equivalence: // // A = 2 * (a + d) / (a - d) // B = 4 / (a - d) // // Isomorphism: // // A = 2 * (a + d) / (a - d) // B = B' // // Where ((4 / (a - d)) / B') is square. // // If `4 / (a - d)` is non-square, we can // usually force B=1 by using the `invert` // option. This will create an isomorphism // chain of: E(a,d)->E(d,a)->M(-A,-B). // // The equivalence between E(a,d) and E(d,a) // is: // // (x, y) = (x, 1 / y) // // Meaning our map to M(-A,-B) is: // // u = (1 + 1 / y) / (1 - 1 / y) // = (y + 1) / (y - 1) // v = u / x assert(typeof invert === 'boolean'); let apd, amd; if (invert) { apd = this.d.redAdd(this.a); amd = this.d.redSub(this.a); } else { apd = this.a.redAdd(this.d); amd = this.a.redSub(this.d); } const z = amd.redInvert(); const a = apd.redMuln(2).redMul(z); const b = z.redMuln(4); if (b0 != null) return MontCurve._isomorphism(a, b, b0); return [a, b]; } _edwards(a0) { return EdwardsCurve._isomorphism(this.a, this.d, a0); } _scaleShort(curve) { assert(curve instanceof ShortCurve); const [u2, u3] = curve._scale(this); return [this.field(u2.redInvert()), this.field(u3.redInvert())]; } _scaleMont(curve, invert = false) { // Calculate isomorphism factor between // Twisted Edwards and Montgomery with: // // a = (A + 2) / B // c = +-sqrt(a / a') // // Which can be reduced to: // // c = +-sqrt((A + 2) / (B * a')) // // If base points are available, we can do: // // x = u / v // c = x' / x // // Which can be reduced to: // // c = v * x' / u // // We can now calculate the Edwards `x` with: // // x' = c * u / v // // And likewise, the Montgomery `v`: // // v = c * u / x' assert(curve instanceof MontCurve); assert(typeof invert === 'boolean'); if (this.g.isInfinity() || curve.g.isInfinity()) { const [a] = curve._edwards(null, invert); return this.field(a).redDivSqrt(this.a); } const x = curve.g.x.redDiv(curve.g.y); return this.g.x.redDiv(this.field(x)); } _scaleEdwards(curve) { // We can extract the isomorphism factor with: // // c = +-sqrt(a / a') // // If base points are available, we can do: // // c = x' / x assert(curve instanceof EdwardsCurve); if (this.g.isInfinity() || curve.g.isInfinity()) return this.field(curve.a).redDivSqrt(this.a); return this.g.x.redDiv(this.field(curve.g.x)); } _mulA(num) { assert(num instanceof BN); // n * a = n if (this.oneA) return num.clone(); // n * a = -n if (this.mOneA) return num.redNeg(); return this.a.redMul(num); } _mulD(num) { assert(num instanceof BN); // -d < 0x4000000 if (this.smallD) return num.redMuln(this.smi); return this.d.redMul(num); } _elligator1(t) { // Elligator 1. // // Distribution: 1/2. // // [ELL1] Page 6, Section 3. // Page 15, Appendix A. // [ELL2] Page 7, Section 3.2. // // Assumptions: // // - Let p be a prime power congruent to 3 mod 4. // - Let s be a nonzero element of F(p). // - Let c = 2 / s^2. // - Let r = c + 1 / c. // - Let d = -(c + 1)^2 / (c - 1)^2. // - (s^2 - 2) * (s^2 + 2) != 0. // - c * (c - 1) * (c + 1) != 0. // - r != 0. // - d is not square. // - x^2 + y^2 = 1 + d * x^2 * y^2. // - u * v * X * Y * x * (Y + 1) != 0. // - Y^2 = X^5 + (r^2 - 2) * X^3 + X. // // Elligator 1, as devised by Fouque et al, // takes place on the hyperelliptic curve of: // // y^2 = x^5 + (r^2 - 2) * x^3 + x // // Not only must our Edwards curve be complete, // with a prime congruent to 3 mod 4, and a = 1, // our curve must be isomorphic to a hyperelliptic // curve of the above form. Roughly one half of // all Edwards curves are isomorphic to a curve // of said form. // // We can derive the isomorphism with: // // c = (d +- 2 * sqrt(-d) - 1) / (d + 1) // s = +-sqrt(2 / c) // r = c + 1 / c // // Note that even if your curve is an Elligator 1 // curve, Elligator 2 is probably still preferable, // as it has nearly the same properties (i.e. the // same distribution), and is much less complex. // // Map: // // f(a) = a^((p - 1) / 2) // u = (1 - t) / (1 + t) // v = u^5 + (r^2 - 2) * u^3 + u // X = f(v) * u // Y = (f(v) * v)^((p + 1) / 4) * f(v) * f(u^2 + 1 / c^2) // Y = 1, if u = 0 // x = (c - 1) * s * X * (1 + X) / Y // y = (r * X - (1 + X)^2) / (r * X + (1 + X)^2) // // When t = +-1, we create the hyperelliptic // 2-torsion point of (0, 0). This needs to be // mapped to (0, -1) in Edwards form, but the x // denominator becomes zero. As far as I can // tell, this is the only exceptional case. // // The only other exceptional case initially // appears to be when the y denominator sums to // zero (when t = sqrt(4 / r + 1)), however, the // hyperelliptic `X` is negated by the sign of // `v`, making this impossible. const {s, si, i2, one, two} = this; const c = si.redSqr().redIMuln(2); const ci = s.redSqr().redMul(i2); const ci2 = ci.redSqr(); const r = c.redAdd(ci); const r2 = r.redSqr().redISub(two); const cm1 = c.redSub(one); const uu = one.redSub(t); const uz = one.redAdd(t); const u = uz.isZero() ? uz : uu.redDiv(uz); const u2 = u.redSqr(); const u3 = u2.redMul(u); const u5 = u3.redMul(u2); const v = u5.redAdd(r2.redMul(u3)).redIAdd(u); const f0 = this.field(v.redJacobi()); const f1 = this.field(u2.redAdd(ci2).redJacobi()); const f2 = f0.redMul(f1); const X = f0.redMul(u); const Y = f0.redMul(v).redSqrt().redMul(f2); const X1 = one.redAdd(X); const rX = r.redMul(X); const X12 = X1.redSqr(); const xx = cm1.redMul(s).redMul(X).redMul(X1); const xz = u.isZero() ? this.one : Y; const yy = rX.redSub(X12); const yz = rX.redAdd(X12); return this.cpoint(xx, xz, yy, yz); } _invert1(p, hint) { // Inverting the Map (Elligator 1). // // [ELL1] Page 6, Section 3. // Page 15, Appendix A. // [ELL2] Page 7, Section 3.3. // // Assumptions: // // - y + 1 != 0. // - (1 + n * r)^2 - 1 is square in F(p). // - If n * r = -2 then x = 2 * s * (c - 1) * f(c) / r. // - Y = (c - 1) * s * X * (1 + X) / x. // // Map: // // f(a) = a^((p - 1) / 2) // n = (y - 1) / (2 * (y + 1)) // X = -(1 + n * r) + ((1 + n * r)^2 - 1)^((p + 1) / 4) // z = f((c - 1) * s * X * (1 + X) * x * (X^2 + 1 / c^2)) // u = z * X // t = (1 - u) / (1 + u) const {s, si, i2, one} = this; const {x, y, z} = p; const sign = hint & 1; const c = si.redSqr().redIMuln(2); const ci = s.redSqr().redMul(i2); const ci2 = ci.redSqr(); const r = c.redAdd(ci); const cm1 = c.redSub(one); const nn = y.redSub(z); const nz = y.redAdd(z).redIMuln(2); const n = nz.isZero() ? nz : nn.redDiv(nz); const nr1 = one.redAdd(n.redMul(r)); const w2 = nr1.redSqr().redISub(one); const w = w2.redSqrt(); const X = w.redSub(nr1); const X1 = one.redAdd(X); const YY = cm1.redMul(s).redMul(X).redMul(X1); const Y = YY.redMul(x.redMul(z)); const X2 = X.redSqr().redIAdd(ci2); const Z = this.field(Y.redMul(X2).redJacobi()); const u = Z.redMul(X); const tt = one.redSub(u); const tz = one.redAdd(u); const t = tz.isZero() ? tz : tt.redDiv(tz); if (t.redIsOdd() !== Boolean(sign)) t.redINeg(); return t; } _alt() { if (!this.alt) this.alt = this.toMont(); return this.alt; } isElliptic() { const ad = this.a.redMul(this.d); const amd = this.a.redSub(this.d); // a * d * (a - d) != 0 return !ad.redMul(amd).isZero(); } jinv() { // [TWISTED] Definition 2.1, Page 3, Section 2. const {a, d} = this; const ad = a.redMul(d); const amd4 = a.redSub(d).redPown(4); const a2 = a.redSqr(); const d2 = d.redSqr(); const t0 = a2.redAdd(ad.redMuln(14)).redIAdd(d2); const lhs = t0.redPown(3).redIMuln(16); const rhs = ad.redMul(amd4); if (rhs.isZero()) throw new Error('Curve is not elliptic.'); // 16 * (a^2 + 14 * a * d + d^2)^3 / (a * d * (a - d)^4) return lhs.redDiv(rhs).fromRed(); } isComplete() { return this.a.redJacobi() === 1 && this.d.redJacobi() === -1; } point(x, y, z, t) { return new EdwardsPoint(this, x, y, z, t); } jpoint(x, y, z) { assert(x == null && y == null && z == null); return this.point(); } cpoint(xx, xz, yy, yz) { assert(xx instanceof BN); assert(xz instanceof BN); assert(yy instanceof BN); assert(yz instanceof BN); const x = xx.redMul(yz); const y = yy.redMul(xz); const z = xz.redMul(yz); const t = xx.redMul(yy); return this.point(x, y, z, t); } solveX2(y) { // [RFC8032] Section 5.1.3 & 5.2.3. assert(y instanceof BN); // x^2 = (y^2 - 1) / (d * y^2 - a) const y2 = y.redSqr(); const rhs = this._mulD(y2).redISub(this.a); const lhs = y2.redISub(this.one); const x2 = lhs.redDiv(rhs); return x2; } solveX(y) { // Optimize with inverse square root trick. // // Note that `0 / 0` can only occur if // `a == d` (i.e. the curve is singular). const y2 = y.redSqr(); const rhs = this._mulD(y2).redISub(this.a); const lhs = y2.redISub(this.one); return lhs.redDivSqrt(rhs); } solveY2(x) { assert(x instanceof BN); // y^2 = (a * x^2 - 1) / (d * x^2 - 1) const x2 = x.redSqr(); const lhs = this._mulA(x2).redISub(this.one); const rhs = this._mulD(x2).redISub(this.one); const y2 = lhs.redDiv(rhs); return y2; } solveY(x) { // Optimize with inverse square root trick. // // Note that `0 / 0` can only occur if // `a == d` (i.e. the curve is singular). const x2 = x.redSqr(); const lhs = this._mulA(x2).redISub(this.one); const rhs = this._mulD(x2).redISub(this.one); return lhs.redDivSqrt(rhs); } validate(point) { // [TWISTED] Definition 2.1, Page 3, Section 2. // Page 11, Section 6. assert(point instanceof EdwardsPoint); // Z1 = 1 if (point.zOne) { // a * x^2 + y^2 = 1 + d * x^2 * y^2 const x2 = point.x.redSqr(); const y2 = point.y.redSqr(); const dxy = this._mulD(x2).redMul(y2); const lhs = this._mulA(x2).redIAdd(y2); const rhs = this.one.redAdd(dxy); const tz = point.t; const xy = point.x.redMul(point.y); return lhs.eq(rhs) && tz.eq(xy); } // (a * x^2 + y^2) * z^2 = z^4 + d * x^2 * y^2 const x2 = point.x.redSqr(); const y2 = point.y.redSqr(); const z2 = point.z.redSqr(); const z4 = z2.redSqr(); const dxy = this._mulD(x2).redMul(y2); const lhs = this._mulA(x2).redIAdd(y2).redMul(z2); const rhs = z4.redIAdd(dxy); const tz = point.t.redMul(point.z); const xy = point.x.redMul(point.y); return lhs.eq(rhs) && tz.eq(xy); } pointFromX(x, sign = null) { assert(x instanceof BN); assert(sign == null || typeof sign === 'boolean'); if (!x.red) x = x.toRed(this.red); const y = this.solveY(x); if (sign != null) { if (y.isZero() && sign) throw new Error('Invalid point.'); if (y.redIsOdd() !== sign) y.redINeg(); } return this.point(x, y); } pointFromY(y, sign = null) { assert(y instanceof BN); assert(sign == null || typeof sign === 'boolean'); if (!y.red) y = y.toRed(this.red); const x = this.solveX(y); if (sign != null) { if (x.isZero() && sign) throw new Error('Invalid point.'); if (x.redIsOdd() !== sign) x.redINeg(); } return this.point(x, y); } isIsomorphic(curve, invert = false) { // [TWISTED] Theorem 3.2, Page 4, Section 3. // Definition 2.1, Page 3, Section 2. assert(curve instanceof Curve); assert(typeof invert === 'boolean'); if (!curve.p.eq(this.p)) return false; // E(a,d) <-> E(a,b) if (curve.type === 'short') return curve.isIsomorphic(this); // E(a,d) <-> M(A,B) // E(a,d) <-> M(-A,-B) if (curve.type === 'mont') { // A * (a - d) = 2 * (a + d) const a = this.field(curve.a); let apd, amd; if (invert) { apd = this.d.redAdd(this.a); amd = this.d.redSub(this.a); } else { apd = this.a.redAdd(this.d); amd = this.a.redSub(this.d); } return a.redMul(amd).eq(apd.redIMuln(2)); } // E(a,d) <-> E(a',a'd/a) if (curve.type === 'edwards') { // a' * d = a * d' const a = this.field(curve.a); const d = this.field(curve.d); return this.a.redMul(d).eq(a.redMul(this.d)); } return false; } isIsogenous(curve) { // Check for the 4-isogenies described by Hamburg: // https://moderncrypto.org/mail-archive/curves/2016/000806.html assert(curve instanceof Curve); if (!curve.p.eq(this.p)) return false; // E(1,d) <-> M(2-4d,1) if (curve.type === 'mont') { if (!this.a.eq(this.one)) return false; const a = this.field(curve.a); const b = this.field(curve.b); const d24 = this.two.redSub(this.d.redMuln(4)); return a.eq(d24) && b.eq(this.one); } // E(a,d) <-> E(-a,d-a) if (curve.type === 'edwards') { const a = this.field(curve.a); const d = this.field(curve.d); return a.eq(this.a.redNeg()) && d.eq(this.d.redSub(this.a)); } return false; } pointFromShort(point) { // [TWISTEQ] Section 1. assert(point instanceof ShortPoint); if (this.isIsomorphic(point.curve)) { // Equivalence for E(a,b)->E(a',d'): // // x' = (6 * x - a' - d') / (6 * y) // y' = (12 * x - 5 * a' + d') / (12 * x + a' - 5 * d') // // Undefined for x = (5 * d' - a') / 12 or y = 0. // // Exceptional Cases: // - O -> (0, 1) // - ((a' + d') / 6, 0) -> (0, -1) // - ((5 * d' - a') / 12, (d' - a') / 4 * sqrt(d')) -> (sqrt(1/d'), oo) // // Unexceptional Cases: // - ((5 * a' - d') / 12, (a' - d') / 4 * sqrt(a')) -> (sqrt(1/a'), 0) if (point.isInfinity()) return this.point(); if (point.y.isZero()) return this.point(this.zero, this.one.redNeg()); const {a, d} = this; const [u2, u3] = this._scale(point.curve); const a5 = a.redMuln(5); const d5 = d.redMuln(5); const x = this.field(point.x).redMul(u2); const y = this.field(point.y).redMul(u3); const x6 = x.redMuln(6); const x12 = x.redMuln(12); const xx = x6.redSub(a).redISub(d); const xz = y.redMuln(6); const yy = x12.redSub(a5).redIAdd(d); const yz = x12.redAdd(a).redISub(d5); return this.cpoint(xx, xz, yy, yz); } throw new Error('Not implemented.'); } pointFromMont(point) { // [RFC7748] Section 4.1 & 4.2. // [MONT3] Page 6, Section 2.5. // [TWISTED] Theorem 3.2, Page 4, Section 3. assert(point instanceof MontPoint); assert(point.curve.p.eq(this.p)); // Montgomery `u`, `v`. const u = this.field(point.x); const v = this.field(point.y); if (this.isIsogenous(point.curve)) { // 4-isogeny maps for M(2-4d,1)->E(1,d): // // x = 4 * v * (u^2 - 1) / (u^4 - 2 * u^2 + 4 * v^2 + 1) // y = -(u^5 - 2 * u^3 - 4 * u * v^2 + u) / // (u^5 - 2 * u^2 * v^2 - 2 * u^3 - 2 * v^2 + u) // // Undefined for u = 0 and v = 0. // // Exceptional Cases: // - O -> (0, 1) // - (0, 0) -> (0, 1) // // Unexceptional Cases: // - (-1, +-sqrt(A - 2)) -> (0, 1) // - (1, +-sqrt(A + 2)) -> (0, -1) // // The point (1, v) is invalid on Curve448. if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(); const u2 = u.redSqr(); const u3 = u2.redMul(u); const u4 = u3.redMul(u); const u5 = u4.redMul(u); const v2 = v.redSqr(); const a = v.redMuln(4); const b = u2.redSub(this.one); const c = u2.redMuln(2); const d = v2.redMuln(4); const e = u3.redIMuln(2); const f = u.redMul(v2).redIMuln(4); const g = u2.redMul(v2).redIMuln(2); const h = v2.redIMuln(2); const xx = a.redMul(b); const xz = u4.redISub(c).redIAdd(d).redIAdd(this.one); const yy = u5.redSub(e).redISub(f).redIAdd(u).redINeg(); const yz = u5.redISub(g).redISub(e).redISub(h).redIAdd(u); return this.cpoint(xx, xz, yy, yz).divn(4); } if (this.isIsomorphic(point.curve, true)) { // Isomorphic maps for M(-A,-B)->E(a,d): // // x = +-sqrt((A - 2) / (B * a)) * u / v // y = (u + 1) / (u - 1) // // Undefined for u = 1 or v = 0. // // Exceptional Cases: // - O -> (0, 1) // - (0, 0) -> (0, -1) // - (1, +-sqrt((A + 2) / B)) -> (+-sqrt(1 / d), oo) // // Unexceptional Cases: // - (-1, +-sqrt((A - 2) / B)) -> (+-sqrt(1 / a), 0) // // The point (1, v) is invalid on Curve448. if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(this.zero, this.one.redNeg()); const c = this._scale(point.curve, true); const xx = c.redMul(u); const xz = v; const yy = u.redAdd(this.one); const yz = u.redSub(this.one); return this.cpoint(xx, xz, yy, yz); } if (this.isIsomorphic(point.curve, false)) { // Isomorphic maps for M(A,B)->E(a,d): // // x = +-sqrt((A + 2) / (B * a)) * u / v // y = (u - 1) / (u + 1) // // Undefined for u = -1 or v = 0. // // Exceptional Cases: // - O -> (0, 1) // - (0, 0) -> (0, -1) // - (-1, +-sqrt((A - 2) / B)) -> (+-sqrt(1 / d), oo) // // Unexceptional Cases: // - (1, +-sqrt((A + 2) / B)) -> (+-sqrt(1 / a), 0) // // The point (-1, v) is invalid on Curve25519. if (point.isInfinity()) return this.point(); if (point.x.isZero()) return this.point(this.zero, this.one.redNeg()); const c = this._scale(point.curve, false); const xx = c.redMul(u); const xz = v; const yy = u.redSub(this.one); const yz = u.redAdd(this.one); return this.cpoint(xx, xz, yy, yz); } throw new Error('Not implemented.'); } pointFromEdwards(point) { // [TWISTED] Definition 2.1, Page 3, Section 2. // [ISOGENY] Page 2, Section 2. assert(point instanceof EdwardsPoint); assert(point.curve.p.eq(this.p)); // Edwards `x`, `y`, `z`, `t`. const a = this.field(point.curve.a); const x = this.field(point.x); const y = this.field(point.y); const z = this.field(point.z); const t = this.field(point.t); if (this.isIsogenous(point.curve)) { // 4-isogeny maps for E(a,d)<->E(-a,d-a): // // x' = (2 * x * y) / (y^2 - a * x^2) // y' = (y^2 + a * x^2) / (2 - y^2 - a * x^2) // // Undefined for y^2 - a * x^2 = 0 // or y^2 + a * x^2 = 2. const xy = x.redMul(y); const x2 = x.redSqr(); const y2 = y.redSqr(); const z2 = z.redSqr(); const ax2 = a.redMul(x2); const xx = xy.redIMuln(2); const xz = y2.redSub(ax2); const yy = y2.redAdd(ax2); const yz = z2.redIMuln(2).redISub(yy); const p = this.cpoint(xx, xz, yy, yz); return !this.twisted ? p.divn(4) : p; } if (this.isIsomorphic(point.curve)) { // Isomorphic maps for E(a,d)<->E(a',a'd/a): // // x' = +-sqrt(a / a') * x // y' = y // // Undefined when (a / a') is not square. const c = this._scale(point.curve); const nx = c.redMul(x); const ny = y; const nz = z; const nt = c.redMul(t); return this.point(nx, ny, nz, nt); } throw new Error('Not implemented.'); } pointFromUniform(u, curve = null) { assert(u instanceof BN); assert(u.red === this.red); assert(curve == null || (curve instanceof MontCurve)); if (!curve) curve = this._alt(); const u0 = curve.field(u); const p0 = curve.pointFromUniform(u0); return this.pointFromMont(p0); } pointToUniform(p, hint, curve = null) { // Convert an edwards point to a field // element by inverting the elligator2 map. // // Hint Layout: // // [00000000] [0000] [0000] // | | | // | | +-- preimage index // | +--- subgroup // +-- bits to OR with uniform bytes assert(p instanceof EdwardsPoint); assert((hint >>> 0) === hint); assert(curve == null || (curve instanceof MontCurve)); if (!curve) curve = this._alt(); // Add a random torsion component. const i = ((hint >> 4) & 15) % this.torsion.length; const q = p.add(this.torsion[i]); // Convert and invert. const p0 = curve.pointFromEdwards(q); const u0 = curve.pointToUniform(p0, hint & 15); return this.field(u0); } pointFromHash(bytes, pake, curve = null) { assert(curve == null || (curve instanceof MontCurve)); if (!curve) curve = this._alt(); const p0 = curve.pointFromHash(bytes, pake); return this.pointFromMont(p0); } pointToHash(p, subgroup, rng, curve = null) { assert(p instanceof EdwardsPoint); assert((subgroup >>> 0) === subgroup); assert(curve == null || (curve instanceof MontCurve)); if (!curve) curve = this._alt(); // Add a random torsion component. const i = subgroup % this.torsion.length; const q = p.add(this.torsion[i]); // Convert and invert. const p0 = curve.pointFromEdwards(q); return curve.pointToHash(p0, 0, rng); } decodePoint(bytes) { return EdwardsPoint.decode(this, bytes); } toShort(a0, odd, sign = null) { const [a, b] = this._short(a0, odd); const curve = new ShortCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h }); if (sign != null) { const [, u3] = curve._scale(this); if (u3.redIsOdd() !== sign) u3.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromEdwards(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromEdwards(this.torsion[i]); return curve; } toMont(b0, invert, sign = null) { const [a, b] = this._mont(b0, invert); const curve = new MontCurve({ red: this.red, prime: this.prime, p: this.p, a: a, b: b, n: this.n, h: this.h, z: this.z }); if (sign != null) { const c = this._scale(curve, invert); if (c.redIsOdd() !== sign) c.redINeg(); } if (!this.g.isInfinity()) curve.g = curve.pointFromEdwards(this.g); for (let i = 0; i < this.h.word(0); i++) curve.torsion[i] = curve.pointFromEdwards(this.torsion[i]); return curve; } toEdwards(a0, sign = null) { const [a, d] = this._edwards(a0); const curve = new EdwardsCurve({ red: this.red, prime: this.prime, p: this.p, a: a, d: d, n: this.n, h: this.h, z: this.z }); if (sign != null) { const c = curve._scale(this); if (c.redIsOdd() !== sign) c.redINeg(); } if (!this.g.isInfinity()) { curve.g = curve.pointFromEdwards(this.g); curve.g.normalize(); } if (curve.isComplete()) { for (let i = 0; i < this.h.word(0); i++) { curve.torsion[i] = curve.pointFromEdwards(this.torsion[i]); curve.torsion[i].normalize(); } } return curve; } pointFromJSON(json) { return EdwardsPoint.fromJSON(this, json); } toJSON(pre) { const json = super.toJSON(pre); json.a = this.a.fromRed().toJSON(); json.d = this.d.fromRed().toJSON(); if (!this.s.isZero()) json.s = this.s.fromRed().toJSON(); return json; } } /** * EdwardsPoint */ class EdwardsPoint extends Point { constructor(curve, x, y, z, t) { assert(curve instanceof EdwardsCurve); super(curve, types.EXTENDED); this.x = this.curve.zero; this.y = this.curve.one; this.z = this.curve.one; this.t = this.curve.zero; this.zOne = true; if (x != null) this._init(x, y, z, t); } _init(x, y, z, t) { assert(x instanceof BN); assert(y instanceof BN); assert(z == null || (z instanceof BN)); assert(t == null || (t instanceof BN)); this.x = x; this.y = y; this.z = z || this.curve.one; this.t = t || null; if (!this.x.red) this.x = this.x.toRed(this.curve.red); if (!this.y.red) this.y = this.y.toRed(this.curve.red); if (!this.z.red) this.z = this.z.toRed(this.curve.red); if (this.t && !this.t.red) this.t = this.t.toRed(this.curve.red); this.zOne = this.z.eq(this.curve.one); this._check(); if (!this.t) { this.t = this.x.redMul(this.y); if (!this.zOne) this.t = this.t.redDiv(this.z); } } _check() { // In order to achieve complete // addition formulas, `a` must // be a square (always the case // for a=1), and `d` must be a // non-square. // // If this is not the case, the // addition formulas may have // exceptional cases where Z3=0. // // In particular, this can occur // when: Q*h = -P*h and Q != -P. // // This is assuming 4-torsion is // involved (the 4-torsion point // is _not_ representable when // `d` is square). if (this.z.isZero()) throw new Error('Invalid point.'); } clone() { return this.curve.point(this.x, this.y, this.z, this.t); } normalize() { // https://hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#scaling-z // 1I + 2M (+ 1M if extended) // Z1 = 1 if (this.zOne) return this; // A = 1 / Z1 const a = this.z.redInvert(); // X3 = X1 * A this.x = this.x.redMul(a); // Y3 = Y1 * A this.y = this.y.redMul(a); // T3 = T1 * A this.t = this.t.redMul(a); // Z3 = 1 this.z = this.curve.one; this.zOne = true; return this; } scale(a) { assert(a instanceof BN); // X3 = X1 * A const nx = this.x.redMul(a); // Y3 = Y1 * A const ny = this.y.redMul(a); // Z3 = Z1 * A const nz = this.z.redMul(a); // T3 = T1 * A const nt = this.t.redMul(a); return this.curve.point(nx, ny, nz, nt); } neg() { // -(X1, Y1, Z1, T1) = (-X1, Y1, Z1, -T1) const nx = this.x.redNeg(); const ny = this.y; const nz = this.z; const nt = this.t.redNeg(); return this.curve.point(nx, ny, nz, nt); } add(p) { assert(p instanceof EdwardsPoint); // P = O if (this.isInfinity()) return p; // Q = O if (p.isInfinity()) return this; // Z1 = 1 if (this.zOne) return p._add(this); return this._add(p); } _add(p) { // a = -1 if (this.curve.mOneA) return this._addM1(p); return this._addA(p); } _addM1(p) { // Assumes a = -1. // // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-3 // 8M + 8A + 1*k + 1*2 // // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-madd-2008-hwcd-3 // 7M + 8A + 1*k + 1*2 // A = (Y1 - X1) * (Y2 - X2) const a = this.y.redSub(this.x).redMul(p.y.redSub(p.x)); // B = (Y1 + X1) * (Y2 + X2) const b = this.y.redAdd(this.x).redMul(p.y.redAdd(p.x)); // C = T1 * k * T2 const c = this.t.redMul(this.curve.k).redMul(p.t); // D = Z1 * 2 * Z2 const d = p.zOne ? this.z.redAdd(this.z) : this.z.redMul(p.z).redIMuln(2); // E = B - A const e = b.redSub(a); // F = D - C const f = d.redSub(c); // G = D + C const g = d.redIAdd(c); // H = B + A const h = b.redIAdd(a); // X3 = E * F const nx = e.redMul(f); // Y3 = G * H const ny = g.redMul(h); // T3 = E * H const nt = e.redMul(h); // Z3 = F * G const nz = f.redMul(g); return this.curve.point(nx, ny, nz, nt); } _addA(p) { // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd // 9M + 7A + 1*a + 1*d // // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-madd-2008-hwcd // 8M + 7A + 1*a + 1*d // A = X1 * X2 const a = this.x.redMul(p.x); // B = Y1 * Y2 const b = this.y.redMul(p.y); // C = T1 * d * T2 const c = this.curve._mulD(this.t).redMul(p.t); // D = Z1 * Z2 const d = p.zOne ? this.z.clone() : this.z.redMul(p.z); // + XYXY = (X1 + Y1) * (X2 + Y2) const xyxy = this.x.redAdd(this.y).redMul(p.x.redAdd(p.y)); // E = (X1 + Y1) * (X2 + Y2) - A - B const e = xyxy.redISub(a).redISub(b); // F = D - C const f = d.redSub(c); // G = D + C const g = d.redIAdd(c); // H = B - a * A const h = b.redISub(this.curve._mulA(a)); // X3 = E * F const nx = e.redMul(f); // Y3 = G * H const ny = g.redMul(h); // T3 = E * H const nt = e.redMul(h); // Z3 = F * G const nz = f.redMul(g); return this.curve.point(nx, ny, nz, nt); } dbl() { // P = O if (this.isInfinity()) return this; return this._dbl(); } _dbl() { // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd // 4M + 4S + 6A + 1*a + 1*2 // // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-mdbl-2008-hwcd // 3M + 4S + 7A + 1*a + 1*2 // A = X1^2 const a = this.x.redSqr(); // B = Y1^2 const b = this.y.redSqr(); // C = 2 * Z1^2 const c = this.zOne ? this.curve.two : this.z.redSqr().redIMuln(2); // D = a * A const d = this.curve._mulA(a); // E = (X1 + Y1)^2 - A - B const e = this.x.redAdd(this.y).redSqr().redISub(a).redISub(b); // G = D + B const g = d.redAdd(b); // F = G - C const f = g.redSub(c); // H = D - B const h = d.redISub(b); // X3 = E * F const nx = e.redMul(f); // Y3 = G * H const ny = g.redMul(h); // T3 = E * H const nt = e.redMul(h); // Z3 = F * G const nz = f.redMul(g); return this.curve.point(nx, ny, nz, nt); } getX() { this.normalize(); return this.x.fromRed(); } getY() { this.normalize(); return this.y.fromRed(); } eq(p) { assert(p instanceof EdwardsPoint); assert(!this.z.isZero()); assert(!p.z.isZero()); // P = Q if (this === p) return true; // Z1 = Z2 if (this.z.eq(p.z)) { return this.x.eq(p.x) && this.y.eq(p.y); } // X1 * Z2 = X2 * Z1 const x1 = this.x.redMul(p.z); const x2 = p.x.redMul(this.z); if (!x1.eq(x2)) return false; const y1 = this.y.redMul(p.z); const y2 = p.y.redMul(this.z); return y1.eq(y2); } cmp(point) { assert(point instanceof EdwardsPoint); return this.order().cmp(point.order()) || this.getY().cmp(point.getY()) || this.getX().cmp(point.getX()); } isInfinity() { assert(!this.z.isZero()); // X1 = 0 if (!this.x.isZero()) return false; // Y1 = Z1 return this.y.eq(this.z); } isOrder2() { if (this.isInfinity()) return false; return this.x.isZero(); } isOdd() { this.normalize(); return this.x.redIsOdd(); } isEven() { this.normalize(); return this.x.redIsEven(); } toP() { return this.normalize(); } toJ() { return this; } encode() { // [RFC8032] Section 5.1.2. const y = this.getY(); // Note: `x` normalized from `getY()` call. y.setn(this.curve.signBit, this.x.redIsOdd()); return this.curve.encodeAdjusted(y); } static decode(curve, bytes) { // [RFC8032] Section 5.1.3. assert(curve instanceof EdwardsCurve); const y = curve.decodeAdjusted(bytes); const sign = y.testn(curve.signBit) !== 0; y.setn(curve.signBit, 0); if (y.cmp(curve.p) >= 0) throw new Error('Invalid point.'); return curve.pointFromY(y, sign); } toJSON(pre) { if (this.isInfinity()) return []; const x = this.getX().toJSON(); const y = this.getY().toJSON(); if (pre === true && this.pre) return [x, y, this.pre.toJSON()]; return [x, y]; } toPretty() { const size = this.curve.fieldSize * 2; const x = toPretty(this.getX(), size); const y = toPretty(this.getY(), size); return [x, y]; } static fromJSON(curve, json) { assert(curve instanceof EdwardsCurve); assert(Array.isArray(json)); assert(json.length === 0 || json.length === 2 || json.length === 3); if (json.length === 0) return curve.point(); const x = BN.fromJSON(json[0]); const y = BN.fromJSON(json[1]); const point = curve.point(x, y); if (json.length > 2 && json[2] != null) point.pre = Precomp.fromJSON(point, json[2]); return point; } [custom]() { if (this.isInfinity()) return ''; return ''; } } /** * Precomp */ class Precomp { constructor() { this.naf = null; this.windows = null; this.doubles = null; this.blinding = null; this.beta = null; } map(func) { assert(typeof func === 'function'); const out = new this.constructor(); if (this.naf) out.naf = this.naf.map(func); if (this.doubles) out.doubles = this.doubles.map(func); return out; } toJSON() { return { naf: this.naf ? this.naf.toJSON() : null, windows: this.windows ? this.windows.toJSON() : null, doubles: this.doubles ? this.doubles.toJSON() : null, blinding: this.blinding ? this.blinding.toJSON() : undefined }; } fromJSON(point, json) { assert(point instanceof Point); assert(json && typeof json === 'object'); if (json.naf != null) this.naf = NAF.fromJSON(point, json.naf); if (json.windows != null) this.windows = Windows.fromJSON(point, json.windows); if (json.doubles != null) this.doubles = Doubles.fromJSON(point, json.doubles); if (json.blinding != null) this.blinding = Blinding.fromJSON(point, json.blinding); return this; } static fromJSON(point, json) { return new this().fromJSON(point, json); } } /** * NAF */ class NAF { constructor(width, points) { this.width = width; this.points = points; } map(func) { assert(typeof func === 'function'); const {width} = this; const points = []; for (const point of this.points) points.push(func(point)); return new this.constructor(width, points); } toJSON() { return { width: this.width, points: this.points.slice(1).map((point) => { return point.toJSON(); }) }; } static fromJSON(point, json) { assert(point instanceof Point); assert(json && typeof json === 'object'); assert((json.width >>> 0) === json.width); assert(Array.isArray(json.points)); const {curve} = point; const {width} = json; const points = [point]; for (const item of json.points) points.push(curve.pointFromJSON(item)); return new this(width, points); } } /** * Windows */ class Windows { constructor(width, bits, points) { this.width = width; this.bits = bits; this.points = points; } toJSON() { return { width: this.width, bits: this.bits, points: this.points.slice(1).map((point) => { return point.toJSON(); }) }; } static fromJSON(point, json) { assert(point instanceof Point); assert(json && typeof json === 'object'); assert((json.width >>> 0) === json.width); assert((json.bits >>> 0) === json.bits); assert(Array.isArray(json.points)); const {curve} = point; const {width, bits} = json; const points = [point]; for (const item of json.points) points.push(curve.pointFromJSON(item)); return new this(width, bits, points); } } /** * Doubles */ class Doubles { constructor(step, points) { this.step = step; this.points = points; } map(func) { assert(typeof func === 'function'); const {step} = this; const points = []; for (const point of this.points) points.push(func(point)); return new this.constructor(step, points); } toJSON() { return { step: this.step, points: this.points.slice(1).map((point) => { return point.toJSON(); }) }; } static fromJSON(point, json) { assert(point instanceof Point); assert(json && typeof json === 'object'); assert((json.step >>> 0) === json.step); assert(Array.isArray(json.points)); const {curve} = point; const {step} = json; const points = [point]; for (const item of json.points) points.push(curve.pointFromJSON(item)); return new this(step, points); } } /** * Blinding */ class Blinding { constructor(blind, unblind) { this.blind = blind; this.unblind = unblind; } toJSON() { return { blind: this.blind.toJSON(), unblind: this.unblind.toJSON() }; } static fromJSON(point, json) { assert(point instanceof Point); assert(json && typeof json === 'object'); const {curve} = point; const blind = BN.fromJSON(json.blind); const unblind = curve.pointFromJSON(json.unblind); return new this(blind, unblind); } } /** * Endo */ class Endo { constructor(beta, lambda, basis, pre) { this.beta = beta; this.lambda = lambda; this.basis = basis; this.pre = pre; } toJSON() { return { beta: this.beta.fromRed().toJSON(), lambda: this.lambda.toJSON(), basis: [ this.basis[0].toJSON(), this.basis[1].toJSON() ], pre: [ this.pre[0], this.pre[1].toJSON(), this.pre[2].toJSON() ] }; } static fromJSON(curve, json) { assert(curve instanceof Curve); assert(json && typeof json === 'object'); assert(Array.isArray(json.basis)); assert(Array.isArray(json.pre)); assert(json.basis.length === 2); assert(json.pre.length === 3); assert((json.pre[0] >>> 0) === json.pre[0]); const beta = BN.fromJSON(json.beta).toRed(curve.red); const lambda = BN.fromJSON(json.lambda); const basis = [ Vector.fromJSON(json.basis[0]), Vector.fromJSON(json.basis[1]) ]; const pre = [ json.pre[0], BN.fromJSON(json.pre[1]), BN.fromJSON(json.pre[2]) ]; return new this(beta, lambda, basis, pre); } } /** * Vector */ class Vector { constructor(a, b) { this.a = a; this.b = b; } toJSON() { return { a: this.a.toJSON(), b: this.b.toJSON() }; } static fromJSON(json) { assert(json && typeof json === 'object'); const a = BN.fromJSON(json.a); const b = BN.fromJSON(json.b); return new this(a, b); } } /** * P192 * https://tinyurl.com/fips-186-2 (page 29) * https://tinyurl.com/fips-186-3 (page 88) */ class P192 extends ShortCurve { constructor(pre) { super({ id: 'P192', ossl: 'prime192v1', type: 'short', endian: 'be', hash: 'SHA256', prime: 'p192', // 2^192 - 2^64 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff fffffffe', 'ffffffff ffffffff'], // -3 mod p a: ['ffffffff ffffffff ffffffff fffffffe', 'ffffffff fffffffc'], b: ['64210519 e59c80e7 0fa7e9ab 72243049', 'feb8deec c146b9b1'], n: ['ffffffff ffffffff ffffffff 99def836', '146bc9b1 b4d22831'], h: '1', // Icart z: '-5', g: [ ['188da80e b03090f6 7cbf20eb 43a18800', 'f4ff0afd 82ff1012'], ['07192b95 ffc8da78 631011ed 6b24cdd5', '73f977a1 1e794811'], pre ] }); } } /** * P224 * https://tinyurl.com/fips-186-2 (page 30) * https://tinyurl.com/fips-186-3 (page 88) */ class P224 extends ShortCurve { constructor(pre) { super({ id: 'P224', ossl: 'secp224r1', type: 'short', endian: 'be', hash: 'SHA256', prime: 'p224', // 2^224 - 2^96 + 1 (1 mod 16) p: ['ffffffff ffffffff ffffffff ffffffff', '00000000 00000000 00000001'], // -3 mod p a: ['ffffffff ffffffff ffffffff fffffffe', 'ffffffff ffffffff fffffffe'], b: ['b4050a85 0c04b3ab f5413256 5044b0b7', 'd7bfd8ba 270b3943 2355ffb4'], n: ['ffffffff ffffffff ffffffff ffff16a2', 'e0b8f03e 13dd2945 5c5c2a3d'], h: '1', // SSWU z: '1f', g: [ ['b70e0cbd 6bb4bf7f 321390b9 4a03c1d3', '56c21122 343280d6 115c1d21'], ['bd376388 b5f723fb 4c22dfe6 cd4375a0', '5a074764 44d58199 85007e34'], pre ] }); } } /** * P256 * https://tinyurl.com/fips-186-2 (page 31) * https://tinyurl.com/fips-186-3 (page 89) */ class P256 extends ShortCurve { constructor(pre) { super({ id: 'P256', ossl: 'prime256v1', type: 'short', endian: 'be', hash: 'SHA256', prime: null, // 2^256 - 2^224 + 2^192 + 2^96 - 1 (= 3 mod 4) p: ['ffffffff 00000001 00000000 00000000', '00000000 ffffffff ffffffff ffffffff'], // -3 mod p a: ['ffffffff 00000001 00000000 00000000', '00000000 ffffffff ffffffff fffffffc'], b: ['5ac635d8 aa3a93e7 b3ebbd55 769886bc', '651d06b0 cc53b0f6 3bce3c3e 27d2604b'], n: ['ffffffff 00000000 ffffffff ffffffff', 'bce6faad a7179e84 f3b9cac2 fc632551'], h: '1', // SSWU z: '-a', g: [ ['6b17d1f2 e12c4247 f8bce6e5 63a440f2', '77037d81 2deb33a0 f4a13945 d898c296'], ['4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16', '2bce3357 6b315ece cbb64068 37bf51f5'], pre ] }); } } /** * P384 * https://tinyurl.com/fips-186-2 (page 32) * https://tinyurl.com/fips-186-3 (page 89) */ class P384 extends ShortCurve { constructor(pre) { super({ id: 'P384', ossl: 'secp384r1', type: 'short', endian: 'be', hash: 'SHA384', prime: null, // 2^384 - 2^128 - 2^96 + 2^32 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff fffffffe', 'ffffffff 00000000 00000000 ffffffff'], // -3 mod p a: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff fffffffe', 'ffffffff 00000000 00000000 fffffffc'], b: ['b3312fa7 e23ee7e4 988e056b e3f82d19', '181d9c6e fe814112 0314088f 5013875a', 'c656398d 8a2ed19d 2a85c8ed d3ec2aef'], n: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff c7634d81 f4372ddf', '581a0db2 48b0a77a ecec196a ccc52973'], h: '1', // Icart z: '-c', g: [ ['aa87ca22 be8b0537 8eb1c71e f320ad74', '6e1d3b62 8ba79b98 59f741e0 82542a38', '5502f25d bf55296c 3a545e38 72760ab7'], ['3617de4a 96262c6f 5d9e98bf 9292dc29', 'f8f41dbd 289a147c e9da3113 b5f0b8c0', '0a60b1ce 1d7e819d 7a431d7c 90ea0e5f'], pre ] }); } } /** * P521 * https://tinyurl.com/fips-186-2 (page 33) * https://tinyurl.com/fips-186-3 (page 90) */ class P521 extends ShortCurve { constructor(pre) { super({ id: 'P521', ossl: 'secp521r1', type: 'short', endian: 'be', hash: 'SHA512', prime: 'p521', // 2^521 - 1 (= 3 mod 4) p: ['000001ff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff'], // -3 mod p a: ['000001ff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'fffffffc'], b: ['00000051 953eb961 8e1c9a1f 929a21a0', 'b68540ee a2da725b 99b315f3 b8b48991', '8ef109e1 56193951 ec7e937b 1652c0bd', '3bb1bf07 3573df88 3d2c34f1 ef451fd4', '6b503f00'], n: ['000001ff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'fffffffa 51868783 bf2f966b 7fcc0148', 'f709a5d0 3bb5c9b8 899c47ae bb6fb71e', '91386409'], h: '1', // SSWU z: '-4', g: [ ['000000c6 858e06b7 0404e9cd 9e3ecb66', '2395b442 9c648139 053fb521 f828af60', '6b4d3dba a14b5e77 efe75928 fe1dc127', 'a2ffa8de 3348b3c1 856a429b f97e7e31', 'c2e5bd66'], ['00000118 39296a78 9a3bc004 5c8a5fb4', '2c7d1bd9 98f54449 579b4468 17afbd17', '273e662c 97ee7299 5ef42640 c550b901', '3fad0761 353c7086 a272c240 88be9476', '9fd16650'], pre ] }); } } /** * SECP256K1 * https://www.secg.org/SEC2-Ver-1.0.pdf (page 15, section 2.7.1) * https://www.secg.org/sec2-v2.pdf (page 9, section 2.4.1) */ class SECP256K1 extends ShortCurve { constructor(pre) { super({ id: 'SECP256K1', ossl: 'secp256k1', type: 'short', endian: 'be', hash: 'SHA256', prime: 'k256', // 2^256 - 2^32 - 977 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe fffffc2f'], a: '0', b: '7', n: ['ffffffff ffffffff ffffffff fffffffe', 'baaedce6 af48a03b bfd25e8c d0364141'], h: '1', // SVDW z: '1', // sqrt(-3) c: ['0a2d2ba9 3507f1df 233770c2 a797962c', 'c61f6d15 da14ecd4 7d8d27ae 1cd5f852'], g: [ ['79be667e f9dcbbac 55a06295 ce870b07', '029bfcdb 2dce28d9 59f2815b 16f81798'], ['483ada77 26a3c465 5da4fbfc 0e1108a8', 'fd17b448 a6855419 9c47d08f fb10d4b8'], pre ], // Precomputed endomorphism. endo: { beta: ['7ae96a2b 657c0710 6e64479e ac3434e9', '9cf04975 12f58995 c1396c28 719501ee'], lambda: ['5363ad4c c05c30e0 a5261c02 8812645a', '122e22ea 20816678 df02967c 1b23bd72'], basis: [ { a: '3086d221a7d46bcde86c90e49284eb15', b: '-e4437ed6010e88286f547fa90abfe4c3' }, { a: '114ca50f7a8e2f3f657c1108d9d44cfd8', b: '3086d221a7d46bcde86c90e49284eb15' } ], pre: [ 384, ['3086d221 a7d46bcd e86c90e4 9284eb15', '3daa8a14 71e8ca7f e893209a 45dbb031'], ['-', 'e4437ed6 010e8828 6f547fa9 0abfe4c4', '221208ac 9df506c6 1571b4ae 8ac47f71'] ] } }); } } /** * BRAINPOOLP256 * https://tools.ietf.org/html/rfc5639#section-3.4 */ class BRAINPOOLP256 extends ShortCurve { constructor(pre) { super({ id: 'BRAINPOOLP256', ossl: 'brainpoolP256r1', type: 'short', endian: 'be', hash: 'SHA256', prime: null, // (= 3 mod 4) p: ['a9fb57db a1eea9bc 3e660a90 9d838d72', '6e3bf623 d5262028 2013481d 1f6e5377'], a: ['7d5a0975 fc2c3057 eef67530 417affe7', 'fb8055c1 26dc5c6c e94a4b44 f330b5d9'], b: ['26dc5c6c e94a4b44 f330b5d9 bbd77cbf', '95841629 5cf7e1ce 6bccdc18 ff8c07b6'], n: ['a9fb57db a1eea9bc 3e660a90 9d838d71', '8c397aa3 b561a6f7 901e0e82 974856a7'], h: '1', // Icart z: '-2', g: [ ['8bd2aeb9 cb7e57cb 2c4b482f fc81b7af', 'b9de27e1 e3bd23c2 3a4453bd 9ace3262'], ['547ef835 c3dac4fd 97f8461a 14611dc9', 'c2774513 2ded8e54 5c1d54c7 2f046997'], pre ] }); } } /** * BRAINPOOLP384 * https://tools.ietf.org/html/rfc5639#section-3.6 */ class BRAINPOOLP384 extends ShortCurve { constructor(pre) { super({ id: 'BRAINPOOLP384', ossl: 'brainpoolP384r1', type: 'short', endian: 'be', hash: 'SHA384', prime: null, // (= 3 mod 4) p: ['8cb91e82 a3386d28 0f5d6f7e 50e641df', '152f7109 ed5456b4 12b1da19 7fb71123', 'acd3a729 901d1a71 87470013 3107ec53'], a: ['7bc382c6 3d8c150c 3c72080a ce05afa0', 'c2bea28e 4fb22787 139165ef ba91f90f', '8aa5814a 503ad4eb 04a8c7dd 22ce2826'], b: ['04a8c7dd 22ce2826 8b39b554 16f0447c', '2fb77de1 07dcd2a6 2e880ea5 3eeb62d5', '7cb43902 95dbc994 3ab78696 fa504c11'], n: ['8cb91e82 a3386d28 0f5d6f7e 50e641df', '152f7109 ed5456b3 1f166e6c ac0425a7', 'cf3ab6af 6b7fc310 3b883202 e9046565'], h: '1', // SSWU z: '-5', g: [ ['1d1c64f0 68cf45ff a2a63a81 b7c13f6b', '8847a3e7 7ef14fe3 db7fcafe 0cbd10e8', 'e826e034 36d646aa ef87b2e2 47d4af1e'], ['8abe1d75 20f9c2a4 5cb1eb8e 95cfd552', '62b70b29 feec5864 e19c054f f9912928', '0e464621 77918111 42820341 263c5315'], pre ] }); } } /** * BRAINPOOLP512 * https://tools.ietf.org/html/rfc5639#section-3.7 */ class BRAINPOOLP512 extends ShortCurve { constructor(pre) { super({ id: 'BRAINPOOLP512', ossl: 'brainpoolP512r1', type: 'short', endian: 'be', hash: 'SHA512', prime: null, // (= 3 mod 4) p: ['aadd9db8 dbe9c48b 3fd4e6ae 33c9fc07', 'cb308db3 b3c9d20e d6639cca 70330871', '7d4d9b00 9bc66842 aecda12a e6a380e6', '2881ff2f 2d82c685 28aa6056 583a48f3'], a: ['7830a331 8b603b89 e2327145 ac234cc5', '94cbdd8d 3df91610 a83441ca ea9863bc', '2ded5d5a a8253aa1 0a2ef1c9 8b9ac8b5', '7f1117a7 2bf2c7b9 e7c1ac4d 77fc94ca'], b: ['3df91610 a83441ca ea9863bc 2ded5d5a', 'a8253aa1 0a2ef1c9 8b9ac8b5 7f1117a7', '2bf2c7b9 e7c1ac4d 77fc94ca dc083e67', '984050b7 5ebae5dd 2809bd63 8016f723'], n: ['aadd9db8 dbe9c48b 3fd4e6ae 33c9fc07', 'cb308db3 b3c9d20e d6639cca 70330870', '553e5c41 4ca92619 41866119 7fac1047', '1db1d381 085ddadd b5879682 9ca90069'], h: '1', // Icart z: '7', g: [ ['81aee4bd d82ed964 5a21322e 9c4c6a93', '85ed9f70 b5d916c1 b43b62ee f4d0098e', 'ff3b1f78 e2d0d48d 50d1687b 93b97d5f', '7c6d5047 406a5e68 8b352209 bcb9f822'], ['7dde385d 566332ec c0eabfa9 cf7822fd', 'f209f700 24a57b1a a000c55b 881f8111', 'b2dcde49 4a5f485e 5bca4bd8 8a2763ae', 'd1ca2b2f a8f05406 78cd1e0f 3ad80892'], pre ] }); } } /** * X25519 * https://tools.ietf.org/html/rfc7748#section-4.1 */ class X25519 extends MontCurve { constructor() { super({ id: 'X25519', ossl: 'X25519', type: 'mont', endian: 'le', hash: 'SHA512', prime: 'p25519', // 2^255 - 19 (= 5 mod 8) p: ['7fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffed'], // 486662 a: '76d06', b: '1', n: ['10000000 00000000 00000000 00000000', '14def9de a2f79cd6 5812631a 5cf5d3ed'], h: '8', // Elligator 2 z: '2', g: [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000009'], // See: https://www.rfc-editor.org/errata/eid4730 ['5f51e65e 475f794b 1fe122d3 88b72eb3', '6dc2b281 92839e4d d6163a5d 81312c14'] ], torsion: [ [], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000001'], ['6be4f497 f9a9c2af c21fa77a d7f4a6ef', '635a11c7 284a9363 e9a248ef 9c884415'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000001'], ['141b0b68 06563d50 3de05885 280b5910', '9ca5ee38 d7b56c9c 165db710 6377bbd8'] ], [ ['57119fd0 dd4e22d8 868e1c58 c45c4404', '5bef839c 55b1d0b1 248c50a3 bc959c5f'], ['68c59389 3d458e64 31c6ca00 45fb5015', '20a44346 8eaa68dd 0f103842 048065b7'] ], [ ['57119fd0 dd4e22d8 868e1c58 c45c4404', '5bef839c 55b1d0b1 248c50a3 bc959c5f'], ['173a6c76 c2ba719b ce3935ff ba04afea', 'df5bbcb9 71559722 f0efc7bd fb7f9a36'] ], [ ['00b8495f 16056286 fdb1329c eb8d09da', '6ac49ff1 fae35616 aeb8413b 7c7aebe0'], ['3931c129 569e83a5 29482c14 e628b457', '933bfc29 ed801b4d 68871483 92507b1a'] ], [ ['00b8495f 16056286 fdb1329c eb8d09da', '6ac49ff1 fae35616 aeb8413b 7c7aebe0'], ['46ce3ed6 a9617c5a d6b7d3eb 19d74ba8', '6cc403d6 127fe4b2 9778eb7c 6daf84d3'] ] ] }); } } /** * X448 * https://tools.ietf.org/html/rfc7748#section-4.2 */ class X448 extends MontCurve { constructor() { super({ id: 'X448', ossl: 'X448', type: 'mont', endian: 'le', hash: 'SHAKE256', prime: 'p448', // 2^448 - 2^224 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff'], // 156326 a: '262a6', b: '1', n: ['3fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff 7cca23e9', 'c44edb49 aed63690 216cc272 8dc58f55', '2378c292 ab5844f3'], h: '4', // Elligator 2 z: '-1', g: [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000005'], ['7d235d12 95f5b1f6 6c98ab6e 58326fce', 'cbae5d34 f55545d0 60f75dc2 8df3f6ed', 'b8027e23 46430d21 1312c4b1 50677af7', '6fd7223d 457b5b1a'] ], torsion: [ [], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['ba4d3a08 29b6112f 8812e51b a0bb2abe', 'bc1cb08e b48e5569 36ba50fd d2e7d68a', 'f8cb3216 0522425b 3f990812 abbe635a', 'd37a21e1 7551b193'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['45b2c5f7 d649eed0 77ed1ae4 5f44d541', '43e34f71 4b71aa96 c945af01 2d182975', '0734cde9 faddbda4 c066f7ed 54419ca5', '2c85de1e 8aae4e6c'] ] ] }); } } /** * MONT448 * Isomorphic to Ed448-Goldilocks. */ class MONT448 extends MontCurve { constructor() { super({ id: 'MONT448', ossl: null, type: 'mont', endian: 'le', hash: 'SHAKE256', prime: 'p448', // 2^448 - 2^224 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff'], // -78160 / -39082 mod p a: ['b2cf97d2 d43459a9 31ed36b1 fc4e3cb5', '5d93f8d2 22746997 60ccffc6 49961ed6', 'c5b05fca c24864ed 6fb59697 931b78da', '84ddecd8 ca2b5cfb'], b: '1', n: ['3fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff 7cca23e9', 'c44edb49 aed63690 216cc272 8dc58f55', '2378c292 ab5844f3'], h: '4', // Elligator 2 z: '-1', g: [ ['ac0d24cc c6c75cb0 eb71f81e 7a6edf51', '48e88aee 009a2a24 e795687e c28e125a', '3e6730a6 0d46367b aa7fe99d 152128dc', '41321bc7 7817f059'], ['5a4437f6 80c0d0db 9b061276 d5d0ffcc', 'e786ff33 b6a53d30 98746425 82e66f09', '4433dae7 7244a6e2 6b11e905 7228f483', '556c41a5 913f55fe'] ], torsion: [ [], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['bec92fd0 6da2acf2 b4e261e8 7cef0d34', '22e75c18 3c589857 b71924e5 73c2f9ce', 'e18da5f2 466e2f39 3c2eedf0 f105a60a', 'b40c717d 4f1e1fd7'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['4136d02f 925d530d 4b1d9e17 8310f2cb', 'dd18a3e7 c3a767a8 48e6db19 8c3d0631', '1e725a0d b991d0c6 c3d1120f 0efa59f5', '4bf38e82 b0e1e028'] ] ] }); } } /** * ED25519 * https://tools.ietf.org/html/rfc8032#section-5.1 */ class ED25519 extends EdwardsCurve { constructor(pre) { super({ id: 'ED25519', ossl: 'ED25519', type: 'edwards', endian: 'le', hash: 'SHA512', prefix: 'SigEd25519 no Ed25519 collisions', context: false, prime: 'p25519', // 2^255 - 19 (= 5 mod 8) p: ['7fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffed'], a: '-1', // -121665 / 121666 mod p d: ['52036cee 2b6ffe73 8cc74079 7779e898', '00700a4d 4141d8ab 75eb4dca 135978a3'], n: ['10000000 00000000 00000000 00000000', '14def9de a2f79cd6 5812631a 5cf5d3ed'], h: '8', // Elligator 2 z: '2', g: [ ['216936d3 cd6e53fe c0a4e231 fdd6dc5c', '692cc760 9525a7b2 c9562d60 8f25d51a'], // 4/5 ['66666666 66666666 66666666 66666666', '66666666 66666666 66666666 66666658'], pre ], torsion: [ [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000001'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'], ['7fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff ffffffec'] ], [ ['2b832480 4fc1df0b 2b4d0099 3dfbd7a7', '2f431806 ad2fe478 c4ee1b27 4a0ea0b0'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'] ], [ ['547cdb7f b03e20f4 d4b2ff66 c2042858', 'd0bce7f9 52d01b87 3b11e4d8 b5f15f3d'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000'] ], [ ['1fd5b9a0 06394a28 e9339932 38de4abb', '5c193c70 13e5e238 dea14646 c545d14a'], ['05fc536d 880238b1 3933c6d3 05acdfd5', 'f098eff2 89f4c345 b027b2c2 8f95e826'] ], [ ['602a465f f9c6b5d7 16cc66cd c721b544', 'a3e6c38f ec1a1dc7 215eb9b9 3aba2ea3'], ['05fc536d 880238b1 3933c6d3 05acdfd5', 'f098eff2 89f4c345 b027b2c2 8f95e826'] ], [ ['1fd5b9a0 06394a28 e9339932 38de4abb', '5c193c70 13e5e238 dea14646 c545d14a'], ['7a03ac92 77fdc74e c6cc392c fa53202a', '0f67100d 760b3cba 4fd84d3d 706a17c7'] ], [ ['602a465f f9c6b5d7 16cc66cd c721b544', 'a3e6c38f ec1a1dc7 215eb9b9 3aba2ea3'], ['7a03ac92 77fdc74e c6cc392c fa53202a', '0f67100d 760b3cba 4fd84d3d 706a17c7'] ] ] }); } } /** * ISO448 * https://tools.ietf.org/html/rfc7748#section-4.2 * https://git.zx2c4.com/goldilocks/tree/_aux/ristretto/ristretto.sage#n658 */ class ISO448 extends EdwardsCurve { constructor(pre) { super({ id: 'ISO448', ossl: null, type: 'edwards', endian: 'le', hash: 'SHAKE256', prefix: 'SigEd448', context: true, prime: 'p448', // 2^448 - 2^224 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff'], a: '1', // 39082 / 39081 mod p d: ['d78b4bdc 7f0daf19 f24f38c2 9373a2cc', 'ad461572 42a50f37 809b1da3 412a12e7', '9ccc9c81 264cfe9a d0809970 58fb61c4', '243cc32d baa156b9'], n: ['3fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff 7cca23e9', 'c44edb49 aed63690 216cc272 8dc58f55', '2378c292 ab5844f3'], h: '4', // Elligator 2 z: '-1', g: [ ['79a70b2b 70400553 ae7c9df4 16c792c6', '1128751a c9296924 0c25a07d 728bdc93', 'e21f7787 ed697224 9de732f3 8496cd11', '69871309 3e9c04fc'], // Note: the RFC has this wrong. ['7fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff 80000000', '00000000 00000000 00000000 00000000', '00000000 00000001'], pre ], torsion: [ [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000001'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000001'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ] ] }); } } /** * ED448 * https://tools.ietf.org/html/rfc8032#section-5.2 */ class ED448 extends EdwardsCurve { constructor(pre) { super({ id: 'ED448', ossl: 'ED448', type: 'edwards', endian: 'le', hash: 'SHAKE256', prefix: 'SigEd448', context: true, prime: 'p448', // 2^448 - 2^224 - 1 (= 3 mod 4) p: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff'], a: '1', // -39081 mod p d: ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffff6756'], n: ['3fffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff ffffffff 7cca23e9', 'c44edb49 aed63690 216cc272 8dc58f55', '2378c292 ab5844f3'], h: '4', // Elligator 2 z: '-1', g: [ ['4f1970c6 6bed0ded 221d15a6 22bf36da', '9e146570 470f1767 ea6de324 a3d3a464', '12ae1af7 2ab66511 433b80e1 8b00938e', '2626a82b c70cc05e'], ['693f4671 6eb6bc24 88762037 56c9c762', '4bea7373 6ca39840 87789c1e 05a0c2d7', '3ad3ff1c e67c39c4 fdbd132c 4ed7c8ad', '9808795b f230fa14'], pre ], torsion: [ [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000001'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'], ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'] ], [ ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000001'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ], [ ['ffffffff ffffffff ffffffff ffffffff', 'ffffffff ffffffff fffffffe ffffffff', 'ffffffff ffffffff ffffffff ffffffff', 'ffffffff fffffffe'], ['00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000 00000000 00000000', '00000000 00000000'] ] ] }); } } /* * Curve Registry */ const curves = { __proto__: null, P192, P224, P256, P384, P521, SECP256K1, BRAINPOOLP256, BRAINPOOLP384, BRAINPOOLP512, X25519, X448, MONT448, ED25519, ISO448, ED448 }; const cache = { __proto__: null, P192: null, P224: null, P256: null, P384: null, P521: null, SECP256K1: null, BRAINPOOLP256: null, BRAINPOOLP384: null, BRAINPOOLP512: null, X25519: null, X448: null, MONT448: null, ED25519: null, ISO448: null, ED448: null }; function curve(name, ...args) { assert(typeof name === 'string'); const key = name.toUpperCase(); let curve = cache[key]; if (!curve) { const Curve = curves[key]; if (!Curve) throw new Error(`Curve not found: "${name}".`); curve = new Curve(...args); cache[key] = curve; } return curve; } function register(name, Curve) { assert(typeof name === 'string'); assert(typeof Curve === 'function'); const key = name.toUpperCase(); if (curves[key]) throw new Error(`Curve already registered: "${name}".`); curves[key] = Curve; cache[key] = null; } /* * Scalar Recoding */ function getNAF(k, width, max) { // Computing the width-w NAF of a positive integer. // // [GECC] Algorithm 3.35, Page 100, Section 3.3. // // The above document describes a rather abstract // method of recoding. The more optimal method // below was ported from libsecp256k1. assert(k instanceof BN); assert(!k.red); assert((width >>> 0) === width); assert((max >>> 0) === max); const naf = new Array(max); const bits = k.bitLength() + 1; const sign = k.sign() | 1; assert(bits <= max); for (let i = 0; i < max; i++) naf[i] = 0; let i = 0; let carry = 0; let word; while (i < bits) { if (k.bit(i) === carry) { i += 1; continue; } word = k.bits(i, width) + carry; carry = (word >> (width - 1)) & 1; word -= carry << width; naf[i] = sign * word; i += width; } assert(carry === 0); return naf; } function getFixedNAF(k, width, max, step) { assert((step >>> 0) === step); // Recode to NAF. const naf = getNAF(k, width, max); // Translate into more windowed form. const len = Math.ceil(naf.length / step); const repr = new Array(len); let i = 0; for (let j = 0; j < naf.length; j += step) { let nafW = 0; for (let k = j + step - 1; k >= j; k--) nafW = (nafW << 1) + naf[k]; repr[i++] = nafW; } assert(i === len); return repr; } function getJSF(k1, k2, max) { // Joint sparse form. // // [GECC] Algorithm 3.50, Page 111, Section 3.3. assert(k1 instanceof BN); assert(k2 instanceof BN); assert(!k1.red); assert(!k2.red); assert((max >>> 0) === max); const jsf = [new Array(max), new Array(max)]; const bits = Math.max(k1.bitLength(), k2.bitLength()) + 1; const s1 = k1.sign() | 1; const s2 = k2.sign() | 1; assert(bits <= max); let d1 = 0; let d2 = 0; for (let i = 0; i < bits; i++) { const b1 = k1.bits(i, 3); const b2 = k2.bits(i, 3); // First phase. let m14 = ((b1 & 3) + d1) & 3; let m24 = ((b2 & 3) + d2) & 3; let u1 = 0; let u2 = 0; if (m14 === 3) m14 = -1; if (m24 === 3) m24 = -1; if (m14 & 1) { const m8 = ((b1 & 7) + d1) & 7; if ((m8 === 3 || m8 === 5) && m24 === 2) u1 = -m14; else u1 = m14; } if (m24 & 1) { const m8 = ((b2 & 7) + d2) & 7; if ((m8 === 3 || m8 === 5) && m14 === 2) u2 = -m24; else u2 = m24; } jsf[0][i] = u1 * s1; jsf[1][i] = u2 * s2; // Second phase. if (2 * d1 === 1 + u1) d1 = 1 - d1; if (2 * d2 === 1 + u2) d2 = 1 - d2; } for (let i = bits; i < max; i++) { jsf[0][i] = 0; jsf[1][i] = 0; } return jsf; } function getJNAF(c1, c2, max) { const jsf = getJSF(c1, c2, max); const naf = new Array(max); // JSF -> NAF conversion. for (let i = 0; i < max; i++) { const ja = jsf[0][i]; const jb = jsf[1][i]; naf[i] = jsfIndex[(ja + 1) * 3 + (jb + 1)]; } return naf; } /* * Helpers */ function assert(val, msg) { if (!val) { const err = new Error(msg || 'Assertion failed'); if (Error.captureStackTrace) Error.captureStackTrace(err, assert); throw err; } } function wrapErrors(fn) { assert(typeof fn === 'function'); try { return fn(); } catch (e) { if (e.message === 'X is not a square mod P.' || e.message === 'Not invertible.') { throw new Error('Invalid point.'); } throw e; } } function mod(x, y) { // Euclidean modulo. let r = x % y; if (r < 0) { if (y < 0) r -= y; else r += y; } return r; } function cubeRoot(x) { assert(x instanceof BN); assert(x.red); const p = x.red.m; if (p.cmpn(3) <= 0) return x.clone(); // p = 2 mod 3 if (p.modrn(3) === 2) { // e = (2 * p - 1) / 3 const e = p.ushln(1).isubn(1).idivn(3); return x.redPow(e); } const mod9 = p.modrn(9); // p = 4 mod 9 if (mod9 === 4) { // e = (2 * p + 1) / 9 const e = p.ushln(1).iaddn(1).idivn(9); const r = x.redPow(e); const c = r.redSqr().redMul(r); if (!c.eq(x)) throw new Error('X is not a cube mod P.'); return r; } // p = 7 mod 9 if (mod9 === 7) { // e = (p + 2) / 9 const e = p.addn(2).idivn(9); const r = x.redPow(e); const c = r.redSqr().redMul(r); if (!c.eq(x)) throw new Error('X is not a cube mod P.'); return r; } throw new Error('Not implemented.'); } function cubeRoots(x) { const r0 = cubeRoot(x); // p = 1 mod 3 if (x.red.m.modrn(3) === 1) { // Multiply by roots of unity to find other roots. const two = new BN(2).toRed(x.red); const three = new BN(3).toRed(x.red); const i2 = two.redInvert(); const s1 = three.redNeg().redSqrt().redMul(i2); const s2 = s1.redNeg(); const u1 = s1.redSub(i2); const u2 = s2.redSub(i2); const r1 = r0.redMul(u1); const r2 = r0.redMul(u2); return [r0, r1, r2]; } // p = 2 mod 3 guarantees 1 cube root per element. return [r0]; } function uncube(x) { // Find a cube root which is also a quadratic residue. for (const root of cubeRoots(x)) { if (root.redJacobi() >= 0) return root; } throw new Error('X^(1/3) is not a square mod P.'); } function randomInt(rng) { return BN.randomBits(rng, 32).toNumber(); } function memoize(method, self) { const cache = new WeakMap(); return function memoized(curve, invert) { const i = invert & 1; const item = cache.get(curve); if (item && item[i] !== null) return item[i]; const result = method.call(self, curve, invert); if (!cache.has(curve)) cache.set(curve, [null, null]); cache.get(curve)[i] = result; return result; }; } function toPretty(x, size) { assert(x instanceof BN); assert((size >>> 0) === size); if (size & 7) size += 8 - (size & 7); const str = x.toString(16, size); const chunks = []; const out = []; assert((str.length & 7) === 0); for (let i = 0; i < str.length; i += 8) chunks.push(str.slice(i, i + 8)); for (let i = 0; i < chunks.length; i += 4) out.push(chunks.slice(i, i + 4).join(' ')); return out; } /* * Expose */ exports.Curve = Curve; exports.Point = Point; exports.ShortCurve = ShortCurve; exports.ShortPoint = ShortPoint; exports.JPoint = JPoint; exports.MontCurve = MontCurve; exports.MontPoint = MontPoint; exports.XPoint = XPoint; exports.EdwardsCurve = EdwardsCurve; exports.EdwardsPoint = EdwardsPoint; exports.curves = curves; exports.curve = curve; exports.register = register; }], [/* 43 */ 'bcrypto', '/lib/js/precomputed/secp256k1.json', function(exports, module, __filename, __dirname, __meta) { module.exports = { "naf": { "width": 9, "points": [ [ "f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9", "388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672" ], [ "2f8bde4d1a07209355b4a7250a5c5128e88b84bddc619ab7cba8d569b240efe4", "d8ac222636e5e3d6d4dba9dda6c9c426f788271bab0d6840dca87d3aa6ac62d6" ], [ "5cbdf0646e5db4eaa398f365f2ea7a0e3d419b7e0330e39ce92bddedcac4f9bc", "6aebca40ba255960a3178d6d861a54dba813d0b813fde7b5a5082628087264da" ], [ "acd484e2f0c7f65309ad178a9f559abde09796974c57e714c35f110dfc27ccbe", "cc338921b0a7d9fd64380971763b61e9add888a4375f8e0f05cc262ac64f9c37" ], [ "774ae7f858a9411e5ef4246b70c65aac5649980be5c17891bbec17895da008cb", "d984a032eb6b5e190243dd56d7b7b365372db1e2dff9d6a8301d74c9c953c61b" ], [ "f28773c2d975288bc7d1d205c3748651b075fbc6610e58cddeeddf8f19405aa8", "0ab0902e8d880a89758212eb65cdaf473a1a06da521fa91f29b5cb52db03ed81" ], [ "d7924d4f7d43ea965a465ae3095ff41131e5946f3c85f79e44adbcf8e27e080e", "581e2872a86c72a683842ec228cc6defea40af2bd896d3a5c504dc9ff6a26b58" ], [ "defdea4cdb677750a420fee807eacf21eb9898ae79b9768766e4faa04a2d4a34", "4211ab0694635168e997b0ead2a93daeced1f4a04a95c0f6cfb199f69e56eb77" ], [ "2b4ea0a797a443d293ef5cff444f4979f06acfebd7e86d277475656138385b6c", "85e89bc037945d93b343083b5a1c86131a01f60c50269763b570c854e5c09b7a" ], [ "352bbf4a4cdd12564f93fa332ce333301d9ad40271f8107181340aef25be59d5", "321eb4075348f534d59c18259dda3e1f4a1b3b2e71b1039c67bd3d8bcf81998c" ], [ "2fa2104d6b38d11b0230010559879124e42ab8dfeff5ff29dc9cdadd4ecacc3f", "02de1068295dd865b64569335bd5dd80181d70ecfc882648423ba76b532b7d67" ], [ "9248279b09b4d68dab21a9b066edda83263c3d84e09572e269ca0cd7f5453714", "73016f7bf234aade5d1aa71bdea2b1ff3fc0de2a887912ffe54a32ce97cb3402" ], [ "daed4f2be3a8bf278e70132fb0beb7522f570e144bf615c07e996d443dee8729", "a69dce4a7d6c98e8d4a1aca87ef8d7003f83c230f3afa726ab40e52290be1c55" ], [ "c44d12c7065d812e8acf28d7cbb19f9011ecd9e9fdf281b0e6a3b5e87d22e7db", "2119a460ce326cdc76c45926c982fdac0e106e861edf61c5a039063f0e0e6482" ], [ "6a245bf6dc698504c89a20cfded60853152b695336c28063b61c65cbd269e6b4", "e022cf42c2bd4a708b3f5126f16a24ad8b33ba48d0423b6efd5e6348100d8a82" ], [ "1697ffa6fd9de627c077e3d2fe541084ce13300b0bec1146f95ae57f0d0bd6a5", "b9c398f186806f5d27561506e4557433a2cf15009e498ae7adee9d63d01b2396" ], [ "605bdb019981718b986d0f07e834cb0d9deb8360ffb7f61df982345ef27a7479", "02972d2de4f8d20681a78d93ec96fe23c26bfae84fb14db43b01e1e9056b8c49" ], [ "62d14dab4150bf497402fdc45a215e10dcb01c354959b10cfe31c7e9d87ff33d", "80fc06bd8cc5b01098088a1950eed0db01aa132967ab472235f5642483b25eaf" ], [ "80c60ad0040f27dade5b4b06c408e56b2c50e9f56b9b8b425e555c2f86308b6f", "1c38303f1cc5c30f26e66bad7fe72f70a65eed4cbe7024eb1aa01f56430bd57a" ], [ "7a9375ad6167ad54aa74c6348cc54d344cc5dc9487d847049d5eabb0fa03c8fb", "0d0e3fa9eca8726909559e0d79269046bdc59ea10c70ce2b02d499ec224dc7f7" ], [ "d528ecd9b696b54c907a9ed045447a79bb408ec39b68df504bb51f459bc3ffc9", "eecf41253136e5f99966f21881fd656ebc4345405c520dbc063465b521409933" ], [ "049370a4b5f43412ea25f514e8ecdad05266115e4a7ecb1387231808f8b45963", "758f3f41afd6ed428b3081b0512fd62a54c3f3afbb5b6764b653052a12949c9a" ], [ "77f230936ee88cbbd73df930d64702ef881d811e0e1498e2f1c13eb1fc345d74", "958ef42a7886b6400a08266e9ba1b37896c95330d97077cbbe8eb3c7671c60d6" ], [ "f2dac991cc4ce4b9ea44887e5c7c0bce58c80074ab9d4dbaeb28531b7739f530", "e0dedc9b3b2f8dad4da1f32dec2531df9eb5fbeb0598e4fd1a117dba703a3c37" ], [ "463b3d9f662621fb1b4be8fbbe2520125a216cdfc9dae3debcba4850c690d45b", "5ed430d78c296c3543114306dd8622d7c622e27c970a1de31cb377b01af7307e" ], [ "f16f804244e46e2a09232d4aff3b59976b98fac14328a2d1a32496b49998f247", "cedabd9b82203f7e13d206fcdf4e33d92a6c53c26e5cce26d6579962c4e31df6" ], [ "caf754272dc84563b0352b7a14311af55d245315ace27c65369e15f7151d41d1", "cb474660ef35f5f2a41b643fa5e460575f4fa9b7962232a5c32f908318a04476" ], [ "2600ca4b282cb986f85d0f1709979d8b44a09c07cb86d7c124497bc86f082120", "4119b88753c15bd6a693b03fcddbb45d5ac6be74ab5f0ef44b0be9475a7e4b40" ], [ "7635ca72d7e8432c338ec53cd12220bc01c48685e24f7dc8c602a7746998e435", "091b649609489d613d1d5e590f78e6d74ecfc061d57048bad9e76f302c5b9c61" ], [ "754e3239f325570cdbbf4a87deee8a66b7f2b33479d468fbc1a50743bf56cc18", "0673fb86e5bda30fb3cd0ed304ea49a023ee33d0197a695d0c5d98093c536683" ], [ "e3e6bd1071a1e96aff57859c82d570f0330800661d1c952f9fe2694691d9b9e8", "59c9e0bba394e76f40c0aa58379a3cb6a5a2283993e90c4167002af4920e37f5" ], [ "186b483d056a033826ae73d88f732985c4ccb1f32ba35f4b4cc47fdcf04aa6eb", "3b952d32c67cf77e2e17446e204180ab21fb8090895138b4a4a797f86e80888b" ], [ "df9d70a6b9876ce544c98561f4be4f725442e6d2b737d9c91a8321724ce0963f", "55eb2dafd84d6ccd5f862b785dc39d4ab157222720ef9da217b8c45cf2ba2417" ], [ "5edd5cc23c51e87a497ca815d5dce0f8ab52554f849ed8995de64c5f34ce7143", "efae9c8dbc14130661e8cec030c89ad0c13c66c0d17a2905cdc706ab7399a868" ], [ "290798c2b6476830da12fe02287e9e777aa3fba1c355b17a722d362f84614fba", "e38da76dcd440621988d00bcf79af25d5b29c094db2a23146d003afd41943e7a" ], [ "af3c423a95d9f5b3054754efa150ac39cd29552fe360257362dfdecef4053b45", "f98a3fd831eb2b749a93b0e6f35cfb40c8cd5aa667a15581bc2feded498fd9c6" ], [ "766dbb24d134e745cccaa28c99bf274906bb66b26dcf98df8d2fed50d884249a", "744b1152eacbe5e38dcc887980da38b897584a65fa06cedd2c924f97cbac5996" ], [ "59dbf46f8c94759ba21277c33784f41645f7b44f6c596a58ce92e666191abe3e", "c534ad44175fbc300f4ea6ce648309a042ce739a7919798cd85e216c4a307f6e" ], [ "f13ada95103c4537305e691e74e9a4a8dd647e711a95e73cb62dc6018cfd87b8", "e13817b44ee14de663bf4bc808341f326949e21a6a75c2570778419bdaf5733d" ], [ "7754b4fa0e8aced06d4167a2c59cca4cda1869c06ebadfb6488550015a88522c", "30e93e864e669d82224b967c3020b8fa8d1e4e350b6cbcc537a48b57841163a2" ], [ "948dcadf5990e048aa3874d46abef9d701858f95de8041d2a6828c99e2262519", "e491a42537f6e597d5d28a3224b1bc25df9154efbd2ef1d2cbba2cae5347d57e" ], [ "7962414450c76c1689c7b48f8202ec37fb224cf5ac0bfa1570328a8a3d7c77ab", "100b610ec4ffb4760d5c1fc133ef6f6b12507a051f04ac5760afa5b29db83437" ], [ "3514087834964b54b15b160644d915485a16977225b8847bb0dd085137ec47ca", "ef0afbb2056205448e1652c48e8127fc6039e77c15c2378b7e7d15a0de293311" ], [ "d3cc30ad6b483e4bc79ce2c9dd8bc54993e947eb8df787b442943d3f7b527eaf", "8b378a22d827278d89c5e9be8f9508ae3c2ad46290358630afb34db04eede0a4" ], [ "1624d84780732860ce1c78fcbfefe08b2b29823db913f6493975ba0ff4847610", "68651cf9b6da903e0914448c6cd9d4ca896878f5282be4c8cc06e2a404078575" ], [ "733ce80da955a8a26902c95633e62a985192474b5af207da6df7b4fd5fc61cd4", "f5435a2bd2badf7d485a4d8b8db9fcce3e1ef8e0201e4578c54673bc1dc5ea1d" ], [ "15d9441254945064cf1a1c33bbd3b49f8966c5092171e699ef258dfab81c045c", "d56eb30b69463e7234f5137b73b84177434800bacebfc685fc37bbe9efe4070d" ], [ "a1d0fcf2ec9de675b612136e5ce70d271c21417c9d2b8aaaac138599d0717940", "edd77f50bcb5a3cab2e90737309667f2641462a54070f3d519212d39c197a629" ], [ "e22fbe15c0af8ccc5780c0735f84dbe9a790badee8245c06c7ca37331cb36980", "0a855babad5cd60c88b430a69f53a1a7a38289154964799be43d06d77d31da06" ], [ "311091dd9860e8e20ee13473c1155f5f69635e394704eaa74009452246cfa9b3", "66db656f87d1f04fffd1f04788c06830871ec5a64feee685bd80f0b1286d8374" ], [ "34c1fd04d301be89b31c0442d3e6ac24883928b45a9340781867d4232ec2dbdf", "09414685e97b1b5954bd46f730174136d57f1ceeb487443dc5321857ba73abee" ], [ "f219ea5d6b54701c1c14de5b557eb42a8d13f3abbcd08affcc2a5e6b049b8d63", "4cb95957e83d40b0f73af4544cccf6b1f4b08d3c07b27fb8d8c2962a400766d1" ], [ "d7b8740f74a8fbaab1f683db8f45de26543a5490bca627087236912469a0b448", "fa77968128d9c92ee1010f337ad4717eff15db5ed3c049b3411e0315eaa4593b" ], [ "32d31c222f8f6f0ef86f7c98d3a3335ead5bcd32abdd94289fe4d3091aa824bf", "5f3032f5892156e39ccd3d7915b9e1da2e6dac9e6f26e961118d14b8462e1661" ], [ "7461f371914ab32671045a155d9831ea8793d77cd59592c4340f86cbc18347b5", "8ec0ba238b96bec0cbdddcae0aa442542eee1ff50c986ea6b39847b3cc092ff6" ], [ "ee079adb1df1860074356a25aa38206a6d716b2c3e67453d287698bad7b2b2d6", "8dc2412aafe3be5c4c5f37e0ecc5f9f6a446989af04c4e25ebaac479ec1c8c1e" ], [ "16ec93e447ec83f0467b18302ee620f7e65de331874c9dc72bfd8616ba9da6b5", "5e4631150e62fb40d0e8c2a7ca5804a39d58186a50e497139626778e25b0674d" ], [ "eaa5f980c245f6f038978290afa70b6bd8855897f98b6aa485b96065d537bd99", "f65f5d3e292c2e0819a528391c994624d784869d7e6ea67fb18041024edc07dc" ], [ "078c9407544ac132692ee1910a02439958ae04877151342ea96c4b6b35a49f51", "f3e0319169eb9b85d5404795539a5e68fa1fbd583c064d2462b675f194a3ddb4" ], [ "494f4be219a1a77016dcd838431aea0001cdc8ae7a6fc688726578d9702857a5", "42242a969283a5f339ba7f075e36ba2af925ce30d767ed6e55f4b031880d562c" ], [ "a598a8030da6d86c6bc7f2f5144ea549d28211ea58faa70ebf4c1e665c1fe9b5", "204b5d6f84822c307e4b4a7140737aec23fc63b65b35f86a10026dbd2d864e6b" ], [ "c41916365abb2b5d09192f5f2dbeafec208f020f12570a184dbadc3e58595997", "04f14351d0087efa49d245b328984989d5caf9450f34bfc0ed16e96b58fa9913" ], [ "841d6063a586fa475a724604da03bc5b92a2e0d2e0a36acfe4c73a5514742881", "073867f59c0659e81904f9a1c7543698e62562d6744c169ce7a36de01a8d6154" ], [ "5e95bb399a6971d376026947f89bde2f282b33810928be4ded112ac4d70e20d5", "39f23f366809085beebfc71181313775a99c9aed7d8ba38b161384c746012865" ], [ "36e4641a53948fd476c39f8a99fd974e5ec07564b5315d8bf99471bca0ef2f66", "d2424b1b1abe4eb8164227b085c9aa9456ea13493fd563e06fd51cf5694c78fc" ], [ "0336581ea7bfbbb290c191a2f507a41cf5643842170e914faeab27c2c579f726", "ead12168595fe1be99252129b6e56b3391f7ab1410cd1e0ef3dcdcabd2fda224" ], [ "8ab89816dadfd6b6a1f2634fcf00ec8403781025ed6890c4849742706bd43ede", "6fdcef09f2f6d0a044e654aef624136f503d459c3e89845858a47a9129cdd24e" ], [ "1e33f1a746c9c5778133344d9299fcaa20b0938e8acff2544bb40284b8c5fb94", "060660257dd11b3aa9c8ed618d24edff2306d320f1d03010e33a7d2057f3b3b6" ], [ "85b7c1dcb3cec1b7ee7f30ded79dd20a0ed1f4cc18cbcfcfa410361fd8f08f31", "3d98a9cdd026dd43f39048f25a8847f4fcafad1895d7a633c6fed3c35e999511" ], [ "29df9fbd8d9e46509275f4b125d6d45d7fbe9a3b878a7af872a2800661ac5f51", "0b4c4fe99c775a606e2d8862179139ffda61dc861c019e55cd2876eb2a27d84b" ], [ "a0b1cae06b0a847a3fea6e671aaf8adfdfe58ca2f768105c8082b2e449fce252", "ae434102edde0958ec4b19d917a6a28e6b72da1834aff0e650f049503a296cf2" ], [ "04e8ceafb9b3e9a136dc7ff67e840295b499dfb3b2133e4ba113f2e4c0e121e5", "cf2174118c8b6d7a4b48f6d534ce5c79422c086a63460502b827ce62a326683c" ], [ "d24a44e047e19b6f5afb81c7ca2f69080a5076689a010919f42725c2b789a33b", "6fb8d5591b466f8fc63db50f1c0f1c69013f996887b8244d2cdec417afea8fa3" ], [ "ea01606a7a6c9cdd249fdfcfacb99584001edd28abbab77b5104e98e8e3b35d4", "322af4908c7312b0cfbfe369f7a7b3cdb7d4494bc2823700cfd652188a3ea98d" ], [ "af8addbf2b661c8a6c6328655eb96651252007d8c5ea31be4ad196de8ce2131f", "6749e67c029b85f52a034eafd096836b2520818680e26ac8f3dfbcdb71749700" ], [ "e3ae1974566ca06cc516d47e0fb165a674a3dabcfca15e722f0e3450f45889", "2aeabe7e4531510116217f07bf4d07300de97e4874f81f533420a72eeb0bd6a4" ], [ "591ee355313d99721cf6993ffed1e3e301993ff3ed258802075ea8ced397e246", "b0ea558a113c30bea60fc4775460c7901ff0b053d25ca2bdeee98f1a4be5d196" ], [ "11396d55fda54c49f19aa97318d8da61fa8584e47b084945077cf03255b52984", "998c74a8cd45ac01289d5833a7beb4744ff536b01b257be4c5767bea93ea57a4" ], [ "3c5d2a1ba39c5a1790000738c9e0c40b8dcdfd5468754b6405540157e017aa7a", "b2284279995a34e2f9d4de7396fc18b80f9b8b9fdd270f6661f79ca4c81bd257" ], [ "cc8704b8a60a0defa3a99a7299f2e9c3fbc395afb04ac078425ef8a1793cc030", "bdd46039feed17881d1e0862db347f8cf395b74fc4bcdc4e940b74e3ac1f1b13" ], [ "c533e4f7ea8555aacd9777ac5cad29b97dd4defccc53ee7ea204119b2889b197", "6f0a256bc5efdf429a2fb6242f1a43a2d9b925bb4a4b3a26bb8e0f45eb596096" ], [ "0c14f8f2ccb27d6f109f6d08d03cc96a69ba8c34eec07bbcf566d48e33da6593", "c359d6923bb398f7fd4473e16fe1c28475b740dd098075e6c0e8649113dc3a38" ], [ "a6cbc3046bc6a450bac24789fa17115a4c9739ed75f8f21ce441f72e0b90e6ef", "021ae7f4680e889bb130619e2c0f95a360ceb573c70603139862afd617fa9b9f" ], [ "347d6d9a02c48927ebfb86c1359b1caf130a3c0267d11ce6344b39f99d43cc38", "60ea7f61a353524d1c987f6ecec92f086d565ab687870cb12689ff1e31c74448" ], [ "da6545d2181db8d983f7dcb375ef5866d47c67b1bf31c8cf855ef7437b72656a", "49b96715ab6878a79e78f07ce5680c5d6673051b4935bd897fea824b77dc208a" ], [ "c40747cc9d012cb1a13b8148309c6de7ec25d6945d657146b9d5994b8feb1111", "5ca560753be2a12fc6de6caf2cb489565db936156b9514e1bb5e83037e0fa2d4" ], [ "4e42c8ec82c99798ccf3a610be870e78338c7f713348bd34c8203ef4037f3502", "7571d74ee5e0fb92a7a8b33a07783341a5492144cc54bcc40a94473693606437" ], [ "3775ab7089bc6af823aba2e1af70b236d251cadb0c86743287522a1b3b0dedea", "be52d107bcfa09d8bcb9736a828cfa7fac8db17bf7a76a2c42ad961409018cf7" ], [ "cee31cbf7e34ec379d94fb814d3d775ad954595d1314ba8846959e3e82f74e26", "8fd64a14c06b589c26b947ae2bcf6bfa0149ef0be14ed4d80f448a01c43b1c6d" ], [ "b4f9eaea09b6917619f6ea6a4eb5464efddb58fd45b1ebefcdc1a01d08b47986", "39e5c9925b5a54b07433a4f18c61726f8bb131c012ca542eb24a8ac07200682a" ], [ "d4263dfc3d2df923a0179a48966d30ce84e2515afc3dccc1b77907792ebcc60e", "62dfaf07a0f78feb30e30d6295853ce189e127760ad6cf7fae164e122a208d54" ], [ "48457524820fa65a4f8d35eb6930857c0032acc0a4a2de422233eeda897612c4", "25a748ab367979d98733c38a1fa1c2e7dc6cc07db2d60a9ae7a76aaa49bd0f77" ], [ "dfeeef1881101f2cb11644f3a2afdfc2045e19919152923f367a1767c11cceda", "ecfb7056cf1de042f9420bab396793c0c390bde74b4bbdff16a83ae09a9a7517" ], [ "6d7ef6b17543f8373c573f44e1f389835d89bcbc6062ced36c82df83b8fae859", "cd450ec335438986dfefa10c57fea9bcc521a0959b2d80bbf74b190dca712d10" ], [ "e75605d59102a5a2684500d3b991f2e3f3c88b93225547035af25af66e04541f", "f5c54754a8f71ee540b9b48728473e314f729ac5308b06938360990e2bfad125" ], [ "eb98660f4c4dfaa06a2be453d5020bc99a0c2e60abe388457dd43fefb1ed620c", "6cb9a8876d9cb8520609af3add26cd20a0a7cd8a9411131ce85f44100099223e" ], [ "13e87b027d8514d35939f2e6892b19922154596941888336dc3563e3b8dba942", "fef5a3c68059a6dec5d624114bf1e91aac2b9da568d6abeb2570d55646b8adf1" ], [ "ee163026e9fd6fe017c38f06a5be6fc125424b371ce2708e7bf4491691e5764a", "1acb250f255dd61c43d94ccc670d0f58f49ae3fa15b96623e5430da0ad6c62b2" ], [ "b268f5ef9ad51e4d78de3a750c2dc89b1e626d43505867999932e5db33af3d80", "5f310d4b3c99b9ebb19f77d41c1dee018cf0d34fd4191614003e945a1216e423" ], [ "ff07f3118a9df035e9fad85eb6c7bfe42b02f01ca99ceea3bf7ffdba93c4750d", "438136d603e858a3a5c440c38eccbaddc1d2942114e2eddd4740d098ced1f0d8" ], [ "8d8b9855c7c052a34146fd20ffb658bea4b9f69e0d825ebec16e8c3ce2b526a1", "cdb559eedc2d79f926baf44fb84ea4d44bcf50fee51d7ceb30e2e7f463036758" ], [ "52db0b5384dfbf05bfa9d472d7ae26dfe4b851ceca91b1eba54263180da32b63", "0c3b997d050ee5d423ebaf66a6db9f57b3180c902875679de924b69d84a7b375" ], [ "e62f9490d3d51da6395efd24e80919cc7d0f29c3f3fa48c6fff543becbd43352", "6d89ad7ba4876b0b22c2ca280c682862f342c8591f1daf5170e07bfd9ccafa7d" ], [ "7f30ea2476b399b4957509c88f77d0191afa2ff5cb7b14fd6d8e7d65aaab1193", "ca5ef7d4b231c94c3b15389a5f6311e9daff7bb67b103e9880ef4bff637acaec" ], [ "5098ff1e1d9f14fb46a210fada6c903fef0fb7b4a1dd1d9ac60a0361800b7a00", "09731141d81fc8f8084d37c6e7542006b3ee1b40d60dfe5362a5b132fd17ddc0" ], [ "32b78c7de9ee512a72895be6b9cbefa6e2f3c4ccce445c96b9f2c81e2778ad58", "ee1849f513df71e32efc3896ee28260c73bb80547ae2275ba497237794c8753c" ], [ "e2cb74fddc8e9fbcd076eef2a7c72b0ce37d50f08269dfc074b581550547a4f7", "d3aa2ed71c9dd2247a62df062736eb0baddea9e36122d2be8641abcb005cc4a4" ], [ "8438447566d4d7bedadc299496ab357426009a35f235cb141be0d99cd10ae3a8", "c4e1020916980a4da5d01ac5e6ad330734ef0d7906631c4f2390426b2edd791f" ], [ "4162d488b89402039b584c6fc6c308870587d9c46f660b878ab65c82c711d67e", "67163e903236289f776f22c25fb8a3afc1732f2b84b4e95dbda47ae5a0852649" ], [ "3fad3fa84caf0f34f0f89bfd2dcf54fc175d767aec3e50684f3ba4a4bf5f683d", "0cd1bc7cb6cc407bb2f0ca647c718a730cf71872e7d0d2a53fa20efcdfe61826" ], [ "674f2600a3007a00568c1a7ce05d0816c1fb84bf1370798f1c69532faeb1a86b", "299d21f9413f33b3edf43b257004580b70db57da0b182259e09eecc69e0d38a5" ], [ "d32f4da54ade74abb81b815ad1fb3b263d82d6c692714bcff87d29bd5ee9f08f", "f9429e738b8e53b968e99016c059707782e14f4535359d582fc416910b3eea87" ], [ "30e4e670435385556e593657135845d36fbb6931f72b08cb1ed954f1e3ce3ff6", "462f9bce619898638499350113bbc9b10a878d35da70740dc695a559eb88db7b" ], [ "be2062003c51cc3004682904330e4dee7f3dcd10b01e580bf1971b04d4cad297", "62188bc49d61e5428573d48a74e1c655b1c61090905682a0d5558ed72dccb9bc" ], [ "93144423ace3451ed29e0fb9ac2af211cb6e84a601df5993c419859fff5df04a", "7c10dfb164c3425f5c71a3f9d7992038f1065224f72bb9d1d902a6d13037b47c" ], [ "b015f8044f5fcbdcf21ca26d6c34fb8197829205c7b7d2a7cb66418c157b112c", "ab8c1e086d04e813744a655b2df8d5f83b3cdc6faa3088c1d3aea1454e3a1d5f" ], [ "d5e9e1da649d97d89e4868117a465a3a4f8a18de57a140d36b3f2af341a21b52", "4cb04437f391ed73111a13cc1d4dd0db1693465c2240480d8955e8592f27447a" ], [ "d3ae41047dd7ca065dbf8ed77b992439983005cd72e16d6f996a5316d36966bb", "bd1aeb21ad22ebb22a10f0303417c6d964f8cdd7df0aca614b10dc14d125ac46" ], [ "463e2763d885f958fc66cdd22800f0a487197d0a82e377b49f80af87c897b065", "bfefacdb0e5d0fd7df3a311a94de062b26b80c61fbc97508b79992671ef7ca7f" ], [ "7985fdfd127c0567c6f53ec1bb63ec3158e597c40bfe747c83cddfc910641917", "603c12daf3d9862ef2b25fe1de289aed24ed291e0ec6708703a5bd567f32ed03" ], [ "74a1ad6b5f76e39db2dd249410eac7f99e74c59cb83d2d0ed5ff1543da7703e9", "cc6157ef18c9c63cd6193d83631bbea0093e0968942e8c33d5737fd790e0db08" ], [ "30682a50703375f602d416664ba19b7fc9bab42c72747463a71d0896b22f6da3", "553e04f6b018b4fa6c8f39e7f311d3176290d0e0f19ca73f17714d9977a22ff8" ], [ "9e2158f0d7c0d5f26c3791efefa79597654e7a2b2464f52b1ee6c1347769ef57", "0712fcdd1b9053f09003a3481fa7762e9ffd7c8ef35a38509e2fbf2629008373" ], [ "176e26989a43c9cfeba4029c202538c28172e566e3c4fce7322857f3be327d66", "ed8cc9d04b29eb877d270b4878dc43c19aefd31f4eee09ee7b47834c1fa4b1c3" ], [ "75d46efea3771e6e68abb89a13ad747ecf1892393dfc4f1b7004788c50374da8", "9852390a99507679fd0b86fd2b39a868d7efc22151346e1a3ca4726586a6bed8" ], [ "809a20c67d64900ffb698c4c825f6d5f2310fb0451c869345b7319f645605721", "9e994980d9917e22b76b061927fa04143d096ccc54963e6a5ebfa5f3f8e286c1" ], [ "1b38903a43f7f114ed4500b4eac7083fdefece1cf29c63528d563446f972c180", "4036edc931a60ae889353f77fd53de4a2708b26b6f5da72ad3394119daf408f9" ] ] }, "doubles": { "step": 4, "points": [ [ "e60fce93b59e9ec53011aabc21c23e97b2a31369b87a5ae9c44ee89e2a6dec0a", "f7e3507399e595929db99f34f57937101296891e44d23f0be1f32cce69616821" ], [ "8282263212c609d9ea2a6e3e172de238d8c39cabd5ac1ca10646e23fd5f51508", "11f8a8098557dfe45e8256e830b60ace62d613ac2f7b17bed31b6eaff6e26caf" ], [ "175e159f728b865a72f99cc6c6fc846de0b93833fd2222ed73fce5b551e5b739", "d3506e0d9e3c79eba4ef97a51ff71f5eacb5955add24345c6efa6ffee9fed695" ], [ "363d90d447b00c9c99ceac05b6262ee053441c7e55552ffe526bad8f83ff4640", "04e273adfc732221953b445397f3363145b9a89008199ecb62003c7f3bee9de9" ], [ "8b4b5f165df3c2be8c6244b5b745638843e4a781a15bcd1b69f79a55dffdf80c", "4aad0a6f68d308b4b3fbd7813ab0da04f9e336546162ee56b3eff0c65fd4fd36" ], [ "723cbaa6e5db996d6bf771c00bd548c7b700dbffa6c0e77bcb6115925232fcda", "96e867b5595cc498a921137488824d6e2660a0653779494801dc069d9eb39f5f" ], [ "eebfa4d493bebf98ba5feec812c2d3b50947961237a919839a533eca0e7dd7fa", "5d9a8ca3970ef0f269ee7edaf178089d9ae4cdc3a711f712ddfd4fdae1de8999" ], [ "100f44da696e71672791d0a09b7bde459f1215a29b3c03bfefd7835b39a48db0", "cdd9e13192a00b772ec8f3300c090666b7ff4a18ff5195ac0fbd5cd62bc65a09" ], [ "e1031be262c7ed1b1dc9227a4a04c017a77f8d4464f3b3852c8acde6e534fd2d", "9d7061928940405e6bb6a4176597535af292dd419e1ced79a44f18f29456a00d" ], [ "feea6cae46d55b530ac2839f143bd7ec5cf8b266a41d6af52d5e688d9094696d", "e57c6b6c97dce1bab06e4e12bf3ecd5c981c8957cc41442d3155debf18090088" ], [ "da67a91d91049cdcb367be4be6ffca3cfeed657d808583de33fa978bc1ec6cb1", "9bacaa35481642bc41f463f7ec9780e5dec7adc508f740a17e9ea8e27a68be1d" ], [ "53904faa0b334cdda6e000935ef22151ec08d0f7bb11069f57545ccc1a37b7c0", "5bc087d0bc80106d88c9eccac20d3c1c13999981e14434699dcb096b022771c8" ], [ "8e7bcd0bd35983a7719cca7764ca906779b53a043a9b8bcaeff959f43ad86047", "10b7770b2a3da4b3940310420ca9514579e88e2e47fd68b3ea10047e8460372a" ], [ "385eed34c1cdff21e6d0818689b81bde71a7f4f18397e6690a841e1599c43862", "283bebc3e8ea23f56701de19e9ebf4576b304eec2086dc8cc0458fe5542e5453" ], [ "06f9d9b803ecf191637c73a4413dfa180fddf84a5947fbc9c606ed86c3fac3a7", "7c80c68e603059ba69b8e2a30e45c4d47ea4dd2f5c281002d86890603a842160" ], [ "3322d401243c4e2582a2147c104d6ecbf774d163db0f5e5313b7e0e742d0e6bd", "56e70797e9664ef5bfb019bc4ddaf9b72805f63ea2873af624f3a2e96c28b2a0" ], [ "85672c7d2de0b7da2bd1770d89665868741b3f9af7643397721d74d28134ab83", "7c481b9b5b43b2eb6374049bfa62c2e5e77f17fcc5298f44c8e3094f790313a6" ], [ "0948bf809b1988a46b06c9f1919413b10f9226c60f668832ffd959af60c82a0a", "53a562856dcb6646dc6b74c5d1c3418c6d4dff08c97cd2bed4cb7f88d8c8e589" ], [ "6260ce7f461801c34f067ce0f02873a8f1b0e44dfc69752accecd819f38fd8e8", "bc2da82b6fa5b571a7f09049776a1ef7ecd292238051c198c1a84e95b2b4ae17" ], [ "e5037de0afc1d8d43d8348414bbf4103043ec8f575bfdc432953cc8d2037fa2d", "4571534baa94d3b5f9f98d09fb990bddbd5f5b03ec481f10e0e5dc841d755bda" ], [ "e06372b0f4a207adf5ea905e8f1771b4e7e8dbd1c6a6c5b725866a0ae4fce725", "7a908974bce18cfe12a27bb2ad5a488cd7484a7787104870b27034f94eee31dd" ], [ "213c7a715cd5d45358d0bbf9dc0ce02204b10bdde2a3f58540ad6908d0559754", "4b6dad0b5ae462507013ad06245ba190bb4850f5f36a7eeddff2c27534b458f2" ], [ "4e7c272a7af4b34e8dbb9352a5419a87e2838c70adc62cddf0cc3a3b08fbd53c", "17749c766c9d0b18e16fd09f6def681b530b9614bff7dd33e0b3941817dcaae6" ], [ "fea74e3dbe778b1b10f238ad61686aa5c76e3db2be43057632427e2840fb27b6", "6e0568db9b0b13297cf674deccb6af93126b596b973f7b77701d3db7f23cb96f" ], [ "76e64113f677cf0e10a2570d599968d31544e179b760432952c02a4417bdde39", "c90ddf8dee4e95cf577066d70681f0d35e2a33d2b56d2032b4b1752d1901ac01" ], [ "c738c56b03b2abe1e8281baa743f8f9a8f7cc643df26cbee3ab150242bcbb891", "893fb578951ad2537f718f2eacbfbbbb82314eef7880cfe917e735d9699a84c3" ], [ "d895626548b65b81e264c7637c972877d1d72e5f3a925014372e9f6588f6c14b", "febfaa38f2bc7eae728ec60818c340eb03428d632bb067e179363ed75d7d991f" ], [ "b8da94032a957518eb0f6433571e8761ceffc73693e84edd49150a564f676e03", "2804dfa44805a1e4d7c99cc9762808b092cc584d95ff3b511488e4e74efdf6e7" ], [ "e80fea14441fb33a7d8adab9475d7fab2019effb5156a792f1a11778e3c0df5d", "eed1de7f638e00771e89768ca3ca94472d155e80af322ea9fcb4291b6ac9ec78" ], [ "a301697bdfcd704313ba48e51d567543f2a182031efd6915ddc07bbcc4e16070", "7370f91cfb67e4f5081809fa25d40f9b1735dbf7c0a11a130c0d1a041e177ea1" ], [ "90ad85b389d6b936463f9d0512678de208cc330b11307fffab7ac63e3fb04ed4", "0e507a3620a38261affdcbd9427222b839aefabe1582894d991d4d48cb6ef150" ], [ "8f68b9d2f63b5f339239c1ad981f162ee88c5678723ea3351b7b444c9ec4c0da", "662a9f2dba063986de1d90c2b6be215dbbea2cfe95510bfdf23cbf79501fff82" ], [ "e4f3fb0176af85d65ff99ff9198c36091f48e86503681e3e6686fd5053231e11", "1e63633ad0ef4f1c1661a6d0ea02b7286cc7e74ec951d1c9822c38576feb73bc" ], [ "8c00fa9b18ebf331eb961537a45a4266c7034f2f0d4e1d0716fb6eae20eae29e", "efa47267fea521a1a9dc343a3736c974c2fadafa81e36c54e7d2a4c66702414b" ], [ "e7a26ce69dd4829f3e10cec0a9e98ed3143d084f308b92c0997fddfc60cb3e41", "2a758e300fa7984b471b006a1aafbb18d0a6b2c0420e83e20e8a9421cf2cfd51" ], [ "b6459e0ee3662ec8d23540c223bcbdc571cbcb967d79424f3cf29eb3de6b80ef", "067c876d06f3e06de1dadf16e5661db3c4b3ae6d48e35b2ff30bf0b61a71ba45" ], [ "d68a80c8280bb840793234aa118f06231d6f1fc67e73c5a5deda0f5b496943e8", "db8ba9fff4b586d00c4b1f9177b0e28b5b0e7b8f7845295a294c84266b133120" ], [ "324aed7df65c804252dc0270907a30b09612aeb973449cea4095980fc28d3d5d", "648a365774b61f2ff130c0c35aec1f4f19213b0c7e332843967224af96ab7c84" ], [ "4df9c14919cde61f6d51dfdbe5fee5dceec4143ba8d1ca888e8bd373fd054c96", "35ec51092d8728050974c23a1d85d4b5d506cdc288490192ebac06cad10d5d" ], [ "9c3919a84a474870faed8a9c1cc66021523489054d7f0308cbfc99c8ac1f98cd", "ddb84f0f4a4ddd57584f044bf260e641905326f76c64c8e6be7e5e03d4fc599d" ], [ "6057170b1dd12fdf8de05f281d8e06bb91e1493a8b91d4cc5a21382120a959e5", "9a1af0b26a6a4807add9a2daf71df262465152bc3ee24c65e899be932385a2a8" ], [ "a576df8e23a08411421439a4518da31880cef0fba7d4df12b1a6973eecb94266", "40a6bf20e76640b2c92b97afe58cd82c432e10a7f514d9f3ee8be11ae1b28ec8" ], [ "7778a78c28dec3e30a05fe9629de8c38bb30d1f5cf9a3a208f763889be58ad71", "34626d9ab5a5b22ff7098e12f2ff580087b38411ff24ac563b513fc1fd9f43ac" ], [ "0928955ee637a84463729fd30e7afd2ed5f96274e5ad7e5cb09eda9c06d903ac", "c25621003d3f42a827b78a13093a95eeac3d26efa8a8d83fc5180e935bcd091f" ], [ "85d0fef3ec6db109399064f3a0e3b2855645b4a907ad354527aae75163d82751", "1f03648413a38c0be29d496e582cf5663e8751e96877331582c237a24eb1f962" ], [ "ff2b0dce97eece97c1c9b6041798b85dfdfb6d8882da20308f5404824526087e", "493d13fef524ba188af4c4dc54d07936c7b7ed6fb90e2ceb2c951e01f0c29907" ], [ "827fbbe4b1e880ea9ed2b2e6301b212b57f1ee148cd6dd28780e5e2cf856e241", "c60f9c923c727b0b71bef2c67d1d12687ff7a63186903166d605b68baec293ec" ], [ "eaa649f21f51bdbae7be4ae34ce6e5217a58fdce7f47f9aa7f3b58fa2120e2b3", "be3279ed5bbbb03ac69a80f89879aa5a01a6b965f13f7e59d47a5305ba5ad93d" ], [ "e4a42d43c5cf169d9391df6decf42ee541b6d8f0c9a137401e23632dda34d24f", "4d9f92e716d1c73526fc99ccfb8ad34ce886eedfa8d8e4f13a7f7131deba9414" ], [ "1ec80fef360cbdd954160fadab352b6b92b53576a88fea4947173b9d4300bf19", "aeefe93756b5340d2f3a4958a7abbf5e0146e77f6295a07b671cdc1cc107cefd" ], [ "146a778c04670c2f91b00af4680dfa8bce3490717d58ba889ddb5928366642be", "b318e0ec3354028add669827f9d4b2870aaa971d2f7e5ed1d0b297483d83efd0" ], [ "fa50c0f61d22e5f07e3acebb1aa07b128d0012209a28b9776d76a8793180eef9", "6b84c6922397eba9b72cd2872281a68a5e683293a57a213b38cd8d7d3f4f2811" ], [ "da1d61d0ca721a11b1a5bf6b7d88e8421a288ab5d5bba5220e53d32b5f067ec2", "8157f55a7c99306c79c0766161c91e2966a73899d279b48a655fba0f1ad836f1" ], [ "a8e282ff0c9706907215ff98e8fd416615311de0446f1e062a73b0610d064e13", "7f97355b8db81c09abfb7f3c5b2515888b679a3e50dd6bd6cef7c73111f4cc0c" ], [ "174a53b9c9a285872d39e56e6913cab15d59b1fa512508c022f382de8319497c", "ccc9dc37abfc9c1657b4155f2c47f9e6646b3a1d8cb9854383da13ac079afa73" ], [ "959396981943785c3d3e57edf5018cdbe039e730e4918b3d884fdff09475b7ba", "2e7e552888c331dd8ba0386a4b9cd6849c653f64c8709385e9b8abf87524f2fd" ], [ "d2a63a50ae401e56d645a1153b109a8fcca0a43d561fba2dbb51340c9d82b151", "e82d86fb6443fcb7565aee58b2948220a70f750af484ca52d4142174dcf89405" ], [ "64587e2335471eb890ee7896d7cfdc866bacbdbd3839317b3436f9b45617e073", "d99fcdd5bf6902e2ae96dd6447c299a185b90a39133aeab358299e5e9faf6589" ], [ "8481bde0e4e4d885b3a546d3e549de042f0aa6cea250e7fd358d6c86dd45e458", "38ee7b8cba5404dd84a25bf39cecb2ca900a79c42b262e556d64b1b59779057e" ], [ "13464a57a78102aa62b6979ae817f4637ffcfed3c4b1ce30bcd6303f6caf666b", "69be159004614580ef7e433453ccb0ca48f300a81d0942e13f495a907f6ecc27" ], [ "bc4a9df5b713fe2e9aef430bcc1dc97a0cd9ccede2f28588cada3a0d2d83f366", "0d3a81ca6e785c06383937adf4b798caa6e8a9fbfa547b16d758d666581f33c1" ], [ "8c28a97bf8298bc0d23d8c749452a32e694b65e30a9472a3954ab30fe5324caa", "40a30463a3305193378fedf31f7cc0eb7ae784f0451cb9459e71dc73cbef9482" ], [ "08ea9666139527a8c1dd94ce4f071fd23c8b350c5a4bb33748c4ba111faccae0", "620efabbc8ee2782e24e7c0cfb95c5d735b783be9cf0f8e955af34a30e62b945" ], [ "dd3625faef5ba06074669716bbd3788d89bdde815959968092f76cc4eb9a9787", "7a188fa3520e30d461da2501045731ca941461982883395937f68d00c644a573" ], [ "f710d79d9eb962297e4f6232b40e8f7feb2bc63814614d692c12de752408221e", "ea98e67232d3b3295d3b535532115ccac8612c721851617526ae47a9c77bfc82" ] ] } }; }], [/* 44 */ 'hsd', '/lib/protocol/network.js', function(exports, module, __filename, __dirname, __meta) { /*! * network.js - network object for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); const binary = __node_require__(45 /* '../utils/binary' */); const networks = __node_require__(46 /* './networks' */); const TimeData = __node_require__(49 /* './timedata' */); /** * Network * Represents a network. * @alias module:protocol.Network */ class Network { /** * Create a network. * @constructor * @param {Object} options */ constructor(options) { assert(!Network[options.type], 'Cannot create two networks.'); this.type = options.type; this.seeds = options.seeds; this.magic = options.magic; this.port = options.port; this.brontidePort = options.brontidePort; this.checkpointMap = options.checkpointMap; this.lastCheckpoint = options.lastCheckpoint; this.checkpoints = []; this.halvingInterval = options.halvingInterval; this.coinbaseMaturity = options.coinbaseMaturity; this.genesis = options.genesis; this.genesisBlock = options.genesisBlock; this.pow = options.pow; this.names = options.names; this.goosigStop = options.goosigStop; this.block = options.block; this.activationThreshold = options.activationThreshold; this.minerWindow = options.minerWindow; this.deployments = options.deployments; this.deploys = options.deploys; this.unknownBits = 0; this.keyPrefix = options.keyPrefix; this.addressPrefix = options.addressPrefix; this.requireStandard = options.requireStandard; this.rpcPort = options.rpcPort; this.walletPort = options.walletPort; this.nsPort = options.nsPort; this.rsPort = options.rsPort; this.minRelay = options.minRelay; this.feeRate = options.feeRate; this.maxFeeRate = options.maxFeeRate; this.identityKey = options.identityKey; this.selfConnect = options.selfConnect; this.requestMempool = options.requestMempool; this.claimPrefix = options.claimPrefix; this.deflationHeight = options.deflationHeight; this.time = new TimeData(); this.txStart = options.txStart; this.init(); } /** * Get a deployment by bit index. * @param {Number} bit * @returns {Object} */ init() { let bits = 0; for (const deployment of this.deploys) bits |= 1 << deployment.bit; this.unknownBits = ~bits >>> 0; for (const key of Object.keys(this.checkpointMap)) { const hash = this.checkpointMap[key]; const height = Number(key); this.checkpoints.push({ hash, height }); } this.checkpoints.sort(cmpNode); } /** * Get a deployment by bit index. * @param {Number} bit * @returns {Object} */ byBit(bit) { const index = binary.search(this.deploys, bit, cmpBit); if (index === -1) return null; return this.deploys[index]; } /** * Get network adjusted time. * @returns {Number} */ now() { return this.time.now(); } /** * Get network adjusted time in milliseconds. * @returns {Number} */ ms() { return this.time.ms(); } /** * Create a network. Get existing network if possible. * @param {NetworkType|Object} options * @returns {Network} */ static create(options) { if (typeof options === 'string') options = networks[options]; assert(options, 'Unknown network.'); if (Network[options.type]) return Network[options.type]; const network = new Network(options); Network[network.type] = network; if (!Network.primary) Network.primary = network; return network; } /** * Set the default network. This network will be used * if nothing is passed as the `network` option for * certain objects. * @param {NetworkType} type - Network type. * @returns {Network} */ static set(type) { assert(typeof type === 'string', 'Bad network.'); Network.primary = Network.get(type); Network.type = type; return Network.primary; } /** * Get a network with a string or a Network object. * @param {NetworkType|Network} type - Network type. * @returns {Network} */ static get(type) { if (!type) { assert(Network.primary, 'No default network.'); return Network.primary; } if (type instanceof Network) return type; if (typeof type === 'string') return Network.create(type); throw new Error('Unknown network.'); } /** * Get a network with a string or a Network object. * @param {NetworkType|Network} type - Network type. * @returns {Network} */ static ensure(type) { if (!type) { assert(Network.primary, 'No default network.'); return Network.primary; } if (type instanceof Network) return type; if (typeof type === 'string') { if (networks[type]) return Network.create(type); } assert(Network.primary, 'No default network.'); return Network.primary; } /** * Get a network by an associated comparator. * @private * @param {Object} value * @param {Function} compare * @param {Network|null} network * @param {String} name * @returns {Network} */ static by(value, compare, network, name) { if (network) { network = Network.get(network); if (compare(network, value)) return network; throw new Error(`Network mismatch for ${name}.`); } for (const type of networks.types) { network = networks[type]; if (compare(network, value)) return Network.get(type); } throw new Error(`Network not found for ${name}.`); } /** * Get a network by its magic number. * @param {Number} value * @param {Network?} network * @returns {Network} */ static fromMagic(value, network) { return Network.by(value, cmpMagic, network, 'magic number'); } /** * Get a network by its WIF prefix. * @param {Number} value * @param {Network?} network * @returns {Network} */ static fromWIF(prefix, network) { return Network.by(prefix, cmpWIF, network, 'WIF'); } /** * Get a network by its xpubkey prefix. * @param {Number} value * @param {Network?} network * @returns {Network} */ static fromPublic(prefix, network) { return Network.by(prefix, cmpPub, network, 'xpubkey'); } /** * Get a network by its xprivkey prefix. * @param {Number} value * @param {Network?} network * @returns {Network} */ static fromPrivate(prefix, network) { return Network.by(prefix, cmpPriv, network, 'xprivkey'); } /** * Get a network by its xpubkey base58 prefix. * @param {String} prefix * @param {Network?} network * @returns {Network} */ static fromPublic58(prefix, network) { return Network.by(prefix, cmpPub58, network, 'xpubkey'); } /** * Get a network by its xprivkey base58 prefix. * @param {String} prefix * @param {Network?} network * @returns {Network} */ static fromPrivate58(prefix, network) { return Network.by(prefix, cmpPriv58, network, 'xprivkey'); } /** * Get a network by its bech32 address prefix. * @param {String} hrp * @param {Network?} network * @returns {Network} */ static fromAddress(hrp, network) { return Network.by(hrp, cmpAddress, network, 'address'); } /** * Convert the network to a string. * @returns {String} */ toString() { return this.type; } /** * Inspect the network. * @returns {String} */ inspect() { return ``; } /** * Test an object to see if it is a Network. * @param {Object} obj * @returns {Boolean} */ static isNetwork(obj) { return obj instanceof Network; } } /** * Default network. * @type {Network} */ Network.primary = null; /** * Default network type. * @type {String} */ Network.type = null; /* * Networks (to avoid hash table mode). */ Network.main = null; Network.testnet = null; Network.regtest = null; Network.segnet4 = null; Network.simnet = null; /* * Set initial network. */ Network.set(process.env.HSD_NETWORK || 'main'); /* * Helpers */ function cmpBit(a, b) { return a.bit - b; } function cmpNode(a, b) { return a.height - b.height; } function cmpMagic(network, magic) { return network.magic === magic; } function cmpWIF(network, prefix) { return network.keyPrefix.privkey === prefix; } function cmpPub(network, prefix) { return network.keyPrefix.xpubkey === prefix; } function cmpPriv(network, prefix) { return network.keyPrefix.xprivkey === prefix; } function cmpPub58(network, prefix) { return network.keyPrefix.xpubkey58 === prefix; } function cmpPriv58(network, prefix) { return network.keyPrefix.xprivkey58 === prefix; } function cmpAddress(network, hrp) { return network.addressPrefix === hrp; } /* * Expose */ module.exports = Network; }], [/* 45 */ 'hsd', '/lib/utils/binary.js', function(exports, module, __filename, __dirname, __meta) { /*! * binary.js - binary search utils for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; /** * Perform a binary search on a sorted array. * @param {Array} items * @param {Object} key * @param {Function} compare * @param {Boolean?} insert * @returns {Number} Index. */ exports.search = function search(items, key, compare, insert) { let start = 0; let end = items.length - 1; while (start <= end) { const pos = (start + end) >>> 1; const cmp = compare(items[pos], key); if (cmp === 0) return pos; if (cmp < 0) start = pos + 1; else end = pos - 1; } if (!insert) return -1; return start; }; /** * Perform a binary insert on a sorted array. * @param {Array} items * @param {Object} item * @param {Function} compare * @returns {Number} index */ exports.insert = function insert(items, item, compare, uniq) { const i = exports.search(items, item, compare, true); if (uniq && i < items.length) { if (compare(items[i], item) === 0) return -1; } if (i === 0) items.unshift(item); else if (i === items.length) items.push(item); else items.splice(i, 0, item); return i; }; /** * Perform a binary removal on a sorted array. * @param {Array} items * @param {Object} item * @param {Function} compare * @returns {Boolean} */ exports.remove = function remove(items, item, compare) { const i = exports.search(items, item, compare, false); if (i === -1) return false; splice(items, i); return true; }; /* * Helpers */ function splice(list, i) { if (i === 0) { list.shift(); return; } let k = i + 1; while (k < list.length) list[i++] = list[k++]; list.pop(); } }], [/* 46 */ 'hsd', '/lib/protocol/networks.js', function(exports, module, __filename, __dirname, __meta) { /*! * network.js - handshake networks for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ /* eslint no-implicit-coercion: "off" */ 'use strict'; /** * @module protocol/networks */ const BN = __node_require__(31 /* 'bcrypto/lib/bn.js' */); const genesis = __node_require__(47 /* './genesis' */); const network = exports; /** * Network type list. * @memberof module:protocol/networks * @const {String[]} * @default */ network.types = ['main', 'testnet', 'regtest', 'simnet']; /** * Mainnet * @static * @lends module:protocol/networks * @type {Object} */ const main = {}; /** * Symbolic network type. * @const {String} * @default */ main.type = 'main'; /** * Default DNS seeds. * @const {String[]} * @default */ main.seeds = [ 'hs-mainnet.bcoin.ninja', // Christopher Jeffrey 'seed.easyhandshake.com' // Matthew Zipkin ]; /** * Packet magic number. * @const {Number} * @default */ main.magic = genesis.main.magic; /** * Default network port. * @const {Number} * @default */ main.port = 12038; /** * Default brontide port. * @const {Number} * @default */ main.brontidePort = 44806; /** * Checkpoint block list. * @const {Object} */ main.checkpointMap = { 1008: Buffer.from( '0000000000001013c28fa079b545fb805f04c496687799b98e35e83cbbb8953e', 'hex'), 2016: Buffer.from( '0000000000000424ee6c2a5d6e0da5edfc47a4a10328c1792056ee48303c3e40', 'hex'), 10000: Buffer.from( '00000000000001a86811a6f520bf67cefa03207dc84fd315f58153b28694ec51', 'hex'), 20000: Buffer.from( '0000000000000162c7ac70a582256f59c189b5c90d8e9861b3f374ed714c58de', 'hex'), 30000: Buffer.from( '0000000000000004f790862846b23c3a81585aea0fa79a7d851b409e027bcaa7', 'hex'), 40000: Buffer.from( '0000000000000002966206a40b10a575cb46531253b08dae8e1b356cfa277248', 'hex'), 50000: Buffer.from( '00000000000000020c7447e7139feeb90549bfc77a7f18d4ff28f327c04f8d6e', 'hex'), 56880: Buffer.from( '0000000000000001d4ef9ea6908bb4eb970d556bd07cbd7d06a634e1cd5bbf4e', 'hex'), 61043: Buffer.from( '00000000000000015b84385e0307370f8323420eaa27ef6e407f2d3162f1fd05', 'hex') }; /** * Last checkpoint height. * @const {Number} * @default */ main.lastCheckpoint = 61043; /** * Reward halving interval. * Roughly every 3.25 years. * @const {Number} * @default */ main.halvingInterval = 170000; /** * Number of blocks before a coinbase * spend can occur (consensus). * @const {Number} * @default */ main.coinbaseMaturity = 100; /** * Genesis block header. * @const {Object} */ main.genesis = genesis.main; /** * The network's genesis block in a hex string. * @const {String} */ main.genesisBlock = genesis.mainData; /** * POW-related constants. * @enum {Number} * @default */ main.pow = {}; /** * Default target. * @const {BN} */ main.pow.limit = new BN( '0000000000ffff00000000000000000000000000000000000000000000000000', 'hex' ); /** * Compact pow limit. * @const {Number} * @default */ main.pow.bits = 0x1c00ffff; /** * Minimum chainwork for best chain. * @const {BN} */ main.pow.chainwork = new BN( '00000000000000000000000000000000000000000000000075b5a2b7bf522d45', 'hex' ); /** * Retarget window in blocks. * @const {Number} * @default */ main.pow.targetWindow = 144; /** * Average block time. * @const {Number} * @default */ main.pow.targetSpacing = 10 * 60; /** * Average blocks per day. * @const {Number} * @default */ main.pow.blocksPerDay = ((24 * 60 * 60) / main.pow.targetSpacing) >>> 0; /** * Desired retarget period in seconds. * @const {Number} * @default */ main.pow.targetTimespan = main.pow.targetWindow * main.pow.targetSpacing; /** * Minimum actual time. * @const {Number} * @default */ main.pow.minActual = (main.pow.targetTimespan / 4) >>> 0; /** * Maximum actual time. * @const {Number} * @default */ main.pow.maxActual = main.pow.targetTimespan * 4; /** * Whether to reset target if a block * has not been mined recently. * @const {Boolean} * @default */ main.pow.targetReset = false; /** * Do not allow retargetting. * @const {Boolean} * @default */ main.pow.noRetargeting = false; /** * Prohibit all transactions until * sufficient chainwork has been accumulated. * @const {Number} */ main.txStart = 14 * main.pow.blocksPerDay; /** * Name-related constants. * @enum {Number} * @default */ main.names = { /** * Height at which the auction system activates. * Must be greater or equal to txStart. * @const {Number} */ auctionStart: 14 * main.pow.blocksPerDay, /** * Interval at which names are rolled out. * @const {Number} */ rolloutInterval: 7 * main.pow.blocksPerDay, /** * Amount of time a name is locked for after being claimed. * @const {Number} */ lockupPeriod: 30 * main.pow.blocksPerDay, /** * Time period after which names expire. * @const {Number} */ renewalWindow: (2 * 365) * main.pow.blocksPerDay, /** * Committed renewal block hashes * must be no older than this. * @const {Number} */ renewalPeriod: 182 * main.pow.blocksPerDay, /** * Committed renewal block hashes * must be at least this old. * @const {Number} */ renewalMaturity: 30 * main.pow.blocksPerDay, /** * The time window in which the * nameholders can claim reserved names. * @const {Number} */ claimPeriod: (4 * 365) * main.pow.blocksPerDay, /** * Amount of time required in between * replacement claims. * @const {Number} */ claimFrequency: 2 * main.pow.blocksPerDay, /** * Bidding time period. * @const {Number} */ biddingPeriod: 5 * main.pow.blocksPerDay, /** * Reveal time period. * @const {Number} */ revealPeriod: 10 * main.pow.blocksPerDay, /** * Interval at which the name tree is updated. * @const {Number} */ treeInterval: main.pow.blocksPerDay >>> 2, /** * Amount of time transfers are locked up for. * @const {Number} */ transferLockup: 2 * main.pow.blocksPerDay, /** * Amount of time before a transfer * or revocation is possible. * @const {Number} */ revocationDelay: 14 * main.pow.blocksPerDay, /** * Sum of total period and revocation delay. * @const {Number} */ auctionMaturity: (5 + 10 + 14) * main.pow.blocksPerDay, /** * Whether there is no weekly rollout. * @const {Boolean} */ noRollout: false, /** * Whether there are no names reserved. * @const {Boolean} */ noReserved: false }; /** * Block constants. * @enum {Number} * @default */ main.block = { /** * Safe height to start pruning. */ pruneAfterHeight: 1000, /** * Safe number of blocks to keep. */ keepBlocks: 288, /** * Age used for the time delta to * determine whether the chain is synced. */ maxTipAge: 12 * 60 * 60, /** * Height at which block processing is * slow enough that we can output * logs without spamming. */ slowHeight: 0 }; /** * Block height at which GooSig claims are * disabled. This limits risk associated * with newly discovered cryptography * attacks or social engineering attacks. * * Estimated to be disabled at 1 year + * 1 month from the start of the network * on mainnet. */ main.goosigStop = (365 + 30) * main.pow.blocksPerDay; /** * For versionbits. * @const {Number} * @default */ main.activationThreshold = 1916; /** * Confirmation window for versionbits. * @const {Number} * @default */ main.minerWindow = 2016; /** * Deployments for versionbits. * @const {Object} * @default */ main.deployments = { hardening: { name: 'hardening', bit: 0, startTime: 1581638400, // February 14th, 2020 timeout: 1707868800, // February 14th, 2024 threshold: -1, window: -1, required: false, force: false }, testdummy: { name: 'testdummy', bit: 28, startTime: 1199145601, // January 1, 2008 timeout: 1230767999, // December 31, 2008 threshold: -1, window: -1, required: false, force: true } }; /** * Deployments for versionbits (array form, sorted). * @const {Array} * @default */ main.deploys = [ main.deployments.hardening, main.deployments.testdummy ]; /** * Key prefixes. * @enum {Number} * @default */ main.keyPrefix = { privkey: 0x80, xpubkey: 0x0488b21e, xprivkey: 0x0488ade4, xpubkey58: 'xpub', xprivkey58: 'xprv', coinType: 5353 }; /** * Address prefix. * @const {String} */ main.addressPrefix = 'hs'; /** * Default value for whether the mempool * accepts non-standard transactions. * @const {Boolean} * @default */ main.requireStandard = true; /** * Default http port. * @const {Number} * @default */ main.rpcPort = 12037; /** * Default wallet port. * @const {Number} * @default */ main.walletPort = 12039; /** * Default DNS port. * @const {Number} * @default */ main.nsPort = 5349; /** * Default recursive DNS port. * @const {Number} * @default */ main.rsPort = 5350; /** * Default min relay rate. * @const {Rate} * @default */ main.minRelay = 1000; /** * Default normal relay rate. * @const {Rate} * @default */ main.feeRate = 100000; /** * Maximum normal relay rate. * @const {Rate} * @default */ main.maxFeeRate = 400000; /** * Default identity key (testing only). * @const {Buffer|null} * @default */ main.identityKey = null; /** * Whether to allow self-connection. * @const {Boolean} */ main.selfConnect = false; /** * Whether to request mempool on sync. * @const {Boolean} */ main.requestMempool = false; /** * DNSSEC ownership prefix. * @const {String} */ main.claimPrefix = 'hns-claim:'; /** * Activation height for inflation bug fix. * @const {Number} */ main.deflationHeight = 61043; /* * Testnet */ const testnet = {}; testnet.type = 'testnet'; testnet.seeds = [ 'hs-testnet.bcoin.ninja' // Christopher Jeffrey ]; testnet.magic = genesis.testnet.magic; testnet.port = 13038; testnet.brontidePort = 45806; testnet.checkpointMap = {}; testnet.lastCheckpoint = 0; testnet.halvingInterval = 170000; testnet.coinbaseMaturity = 100; testnet.genesis = genesis.testnet; testnet.genesisBlock = genesis.testnetData; testnet.pow = {}; // Probably minable very quick with 1 GPU. testnet.pow.limit = new BN( '00000000ffff0000000000000000000000000000000000000000000000000000', 'hex' ); testnet.pow.bits = 0x1d00ffff; testnet.pow.chainwork = new BN( '0000000000000000000000000000000000000000000000000000000000000000', 'hex' ); testnet.pow.targetWindow = 144; testnet.pow.targetSpacing = 10 * 60; testnet.pow.blocksPerDay = ((24 * 60 * 60) / testnet.pow.targetSpacing) >>> 0; testnet.pow.targetTimespan = testnet.pow.targetWindow * testnet.pow.targetSpacing; testnet.pow.minActual = (testnet.pow.targetTimespan / 4) >>> 0; testnet.pow.maxActual = testnet.pow.targetTimespan * 4; testnet.pow.targetReset = true; testnet.pow.noRetargeting = false; testnet.txStart = 0; testnet.names = { auctionStart: (0.25 * testnet.pow.blocksPerDay) | 0, rolloutInterval: (0.25 * testnet.pow.blocksPerDay) | 0, lockupPeriod: (0.25 * testnet.pow.blocksPerDay) | 0, renewalWindow: 30 * testnet.pow.blocksPerDay, renewalPeriod: 7 * testnet.pow.blocksPerDay, renewalMaturity: 1 * testnet.pow.blocksPerDay, claimPeriod: 90 * testnet.pow.blocksPerDay, claimFrequency: 2 * testnet.pow.blocksPerDay, biddingPeriod: 1 * testnet.pow.blocksPerDay, revealPeriod: 2 * testnet.pow.blocksPerDay, treeInterval: testnet.pow.blocksPerDay >>> 2, transferLockup: 2 * testnet.pow.blocksPerDay, revocationDelay: 4 * testnet.pow.blocksPerDay, auctionMaturity: (1 + 2 + 4) * testnet.pow.blocksPerDay, noRollout: false, noReserved: false }; testnet.block = { pruneAfterHeight: 1000, keepBlocks: 10000, maxTipAge: 12 * 60 * 60, slowHeight: 0 }; testnet.goosigStop = 20 * testnet.pow.blocksPerDay; testnet.activationThreshold = 1512; testnet.minerWindow = 2016; testnet.deployments = { hardening: { name: 'hardening', bit: 0, startTime: 1581638400, // February 14th, 2020 timeout: 1707868800, // February 14th, 2024 threshold: -1, window: -1, required: false, force: false }, testdummy: { name: 'testdummy', bit: 28, startTime: 1199145601, // January 1, 2008 timeout: 1230767999, // December 31, 2008 threshold: -1, window: -1, required: false, force: true } }; testnet.deploys = [ testnet.deployments.hardening, testnet.deployments.testdummy ]; testnet.keyPrefix = { privkey: 0xef, xpubkey: 0x043587cf, xprivkey: 0x04358394, xpubkey58: 'tpub', xprivkey58: 'tprv', coinType: 5354 }; testnet.addressPrefix = 'ts'; testnet.requireStandard = false; testnet.rpcPort = 13037; testnet.walletPort = 13039; testnet.nsPort = 15349; testnet.rsPort = 15350; testnet.minRelay = 1000; testnet.feeRate = 20000; testnet.maxFeeRate = 60000; testnet.identityKey = null; testnet.selfConnect = false; testnet.requestMempool = false; testnet.claimPrefix = 'hns-testnet:'; testnet.deflationHeight = 0; /* * Regtest */ const regtest = {}; regtest.type = 'regtest'; regtest.seeds = []; regtest.magic = genesis.regtest.magic; regtest.port = 14038; regtest.brontidePort = 46806; regtest.checkpointMap = {}; regtest.lastCheckpoint = 0; regtest.halvingInterval = 2500; regtest.coinbaseMaturity = 2; regtest.genesis = genesis.regtest; regtest.genesisBlock = genesis.regtestData; regtest.pow = {}; regtest.pow.limit = new BN( '7fffff0000000000000000000000000000000000000000000000000000000000', 'hex' ); regtest.pow.bits = 0x207fffff; regtest.pow.chainwork = new BN( '0000000000000000000000000000000000000000000000000000000000000000', 'hex' ); regtest.pow.targetWindow = 144; regtest.pow.targetSpacing = 10 * 60; regtest.pow.blocksPerDay = ((24 * 60 * 60) / regtest.pow.targetSpacing) >>> 0; regtest.pow.targetTimespan = regtest.pow.targetWindow * regtest.pow.targetSpacing; regtest.pow.minActual = (regtest.pow.targetTimespan / 4) >>> 0; regtest.pow.maxActual = regtest.pow.targetTimespan * 4; regtest.pow.targetReset = true; regtest.pow.noRetargeting = true; regtest.txStart = 0; regtest.names = { auctionStart: 0, rolloutInterval: 2, lockupPeriod: 2, renewalWindow: 5000, renewalPeriod: 2500, renewalMaturity: 50, claimPeriod: 250000, claimFrequency: 0, biddingPeriod: 5, revealPeriod: 10, treeInterval: 5, transferLockup: 10, revocationDelay: 50, auctionMaturity: 5 + 10 + 50, noRollout: false, noReserved: false }; regtest.block = { pruneAfterHeight: 1000, keepBlocks: 10000, maxTipAge: 0xffffffff, slowHeight: 0 }; regtest.goosigStop = -1 >>> 0; regtest.activationThreshold = 108; regtest.minerWindow = 144; regtest.deployments = { hardening: { name: 'hardening', bit: 0, startTime: 1581638400, // February 14th, 2020 timeout: 1707868800, // February 14th, 2024 threshold: -1, window: -1, required: false, force: false }, testdummy: { name: 'testdummy', bit: 28, startTime: 0, timeout: 0xffffffff, threshold: -1, window: -1, required: false, force: true } }; regtest.deploys = [ regtest.deployments.hardening, regtest.deployments.testdummy ]; regtest.keyPrefix = { privkey: 0x5a, xpubkey: 0xeab4fa05, xprivkey: 0xeab404c7, xpubkey58: 'rpub', xprivkey58: 'rprv', coinType: 5355 }; regtest.addressPrefix = 'rs'; regtest.requireStandard = false; regtest.rpcPort = 14037; regtest.walletPort = 14039; regtest.nsPort = 25349; regtest.rsPort = 25350; regtest.minRelay = 1000; regtest.feeRate = 20000; regtest.maxFeeRate = 60000; regtest.identityKey = Buffer.from( '104932181cfed7584105c728cdc0eb9af1e7ffdc4a00743fd45e5de66cac7668', 'hex' ); regtest.selfConnect = true; regtest.requestMempool = true; regtest.claimPrefix = 'hns-regtest:'; regtest.deflationHeight = 200; /* * Simnet */ const simnet = {}; simnet.type = 'simnet'; simnet.seeds = []; simnet.magic = genesis.simnet.magic; simnet.port = 15038; simnet.brontidePort = 47806; simnet.checkpointMap = {}; simnet.lastCheckpoint = 0; simnet.halvingInterval = 170000; simnet.coinbaseMaturity = 6; simnet.genesis = genesis.simnet; simnet.genesisBlock = genesis.simnetData; simnet.pow = {}; simnet.pow.limit = new BN( '7fffff0000000000000000000000000000000000000000000000000000000000', 'hex' ); simnet.pow.bits = 0x207fffff; simnet.pow.chainwork = new BN( '0000000000000000000000000000000000000000000000000000000000000000', 'hex' ); simnet.pow.targetWindow = 144; simnet.pow.targetSpacing = 10 * 60; simnet.pow.blocksPerDay = ((24 * 60 * 60) / simnet.pow.targetSpacing) >>> 0; simnet.pow.targetTimespan = simnet.pow.targetWindow * simnet.pow.targetSpacing; simnet.pow.minActual = (simnet.pow.targetTimespan / 4) >>> 0; simnet.pow.maxActual = simnet.pow.targetTimespan * 4; simnet.pow.targetReset = false; simnet.pow.noRetargeting = false; simnet.txStart = 0; simnet.names = { auctionStart: 0, rolloutInterval: 1, lockupPeriod: 1, renewalWindow: 2500, renewalPeriod: 1250, renewalMaturity: 25, claimPeriod: 75000, claimFrequency: 0, biddingPeriod: 25, revealPeriod: 50, treeInterval: 2, transferLockup: 5, revocationDelay: 25, auctionMaturity: 25 + 50 + 25, noRollout: false, noReserved: false }; simnet.block = { pruneAfterHeight: 1000, keepBlocks: 10000, maxTipAge: 0xffffffff, slowHeight: 0 }; simnet.goosigStop = -1 >>> 0; simnet.activationThreshold = 75; simnet.minerWindow = 100; simnet.deployments = { hardening: { name: 'hardening', bit: 0, startTime: 1581638400, // February 14th, 2020 timeout: 1707868800, // February 14th, 2024 threshold: -1, window: -1, required: false, force: false }, testdummy: { name: 'testdummy', bit: 28, startTime: 1199145601, // January 1, 2008 timeout: 1230767999, // December 31, 2008 threshold: -1, window: -1, required: false, force: true } }; simnet.deploys = [ simnet.deployments.hardening, simnet.deployments.testdummy ]; simnet.keyPrefix = { privkey: 0x64, xpubkey: 0x0420bd3a, xprivkey: 0x0420b900, xpubkey58: 'spub', xprivkey58: 'sprv', coinType: 5356 }; simnet.addressPrefix = 'ss'; simnet.requireStandard = false; simnet.rpcPort = 15037; simnet.walletPort = 15039; simnet.nsPort = 35349; simnet.rsPort = 35350; simnet.minRelay = 1000; simnet.feeRate = 20000; simnet.maxFeeRate = 60000; simnet.identityKey = Buffer.from( '104932181cfed7584105c728cdc0eb9af1e7ffdc4a00743fd45e5de66cac7668', 'hex' ); simnet.selfConnect = true; simnet.requestMempool = false; simnet.claimPrefix = 'hns-simnet:'; simnet.deflationHeight = 0; /* * Expose */ network.main = main; network.testnet = testnet; network.regtest = regtest; network.simnet = simnet; }], [/* 47 */ 'hsd', '/lib/protocol/genesis.js', function(exports, module, __filename, __dirname, __meta) { // Autogenerated, do not edit. 'use strict'; const data = __node_require__(48 /* './genesis-data.json' */); const genesis = exports; /* * Main */ genesis.main = { version: 0, hash: Buffer.from( '5b6ef2d3c1f3cdcadfd9a030ba1811efdd17740f14e166489760741d075992e0', 'hex'), prevBlock: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), merkleRoot: Buffer.from( '8e4c9756fef2ad10375f360e0560fcc7587eb5223ddf8cd7c7e06e60a1140b15', 'hex'), witnessRoot: Buffer.from( '1a2c60b9439206938f8d7823782abdb8b211a57431e9c9b6a6365d8d42893351', 'hex'), treeRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), reservedRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), time: 1580745078, bits: 0x1c00ffff, nonce: 0x00000000, extraNonce: Buffer.from( '000000000000000000000000000000000000000000000000', 'hex'), mask: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), height: 0, magic: 1533997779 }; genesis.mainData = Buffer.from(data.main, 'base64'); /* * Testnet */ genesis.testnet = { version: 0, hash: Buffer.from( 'b1520dd24372f82ec94ebf8cf9d9b037d419c4aa3575d05dec70aedd1b427901', 'hex'), prevBlock: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), merkleRoot: Buffer.from( '8e4c9756fef2ad10375f360e0560fcc7587eb5223ddf8cd7c7e06e60a1140b15', 'hex'), witnessRoot: Buffer.from( '1a2c60b9439206938f8d7823782abdb8b211a57431e9c9b6a6365d8d42893351', 'hex'), treeRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), reservedRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), time: 1580745079, bits: 0x1d00ffff, nonce: 0x00000000, extraNonce: Buffer.from( '000000000000000000000000000000000000000000000000', 'hex'), mask: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), height: 0, magic: 2974944722 }; genesis.testnetData = Buffer.from(data.testnet, 'base64'); /* * Regtest */ genesis.regtest = { version: 0, hash: Buffer.from( 'ae3895cf597eff05b19e02a70ceeeecb9dc72dbfe6504a50e9343a72f06a87c5', 'hex'), prevBlock: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), merkleRoot: Buffer.from( '8e4c9756fef2ad10375f360e0560fcc7587eb5223ddf8cd7c7e06e60a1140b15', 'hex'), witnessRoot: Buffer.from( '1a2c60b9439206938f8d7823782abdb8b211a57431e9c9b6a6365d8d42893351', 'hex'), treeRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), reservedRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), time: 1580745080, bits: 0x207fffff, nonce: 0x00000000, extraNonce: Buffer.from( '000000000000000000000000000000000000000000000000', 'hex'), mask: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), height: 0, magic: 2922943951 }; genesis.regtestData = Buffer.from(data.regtest, 'base64'); /* * Simnet */ genesis.simnet = { version: 0, hash: Buffer.from( '0e648edc9cddb179014658061ea3f666a45cf44881877ae506e6babefbef6992', 'hex'), prevBlock: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), merkleRoot: Buffer.from( '8e4c9756fef2ad10375f360e0560fcc7587eb5223ddf8cd7c7e06e60a1140b15', 'hex'), witnessRoot: Buffer.from( '1a2c60b9439206938f8d7823782abdb8b211a57431e9c9b6a6365d8d42893351', 'hex'), treeRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), reservedRoot: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), time: 1580745081, bits: 0x207fffff, nonce: 0x00000000, extraNonce: Buffer.from( '000000000000000000000000000000000000000000000000', 'hex'), mask: Buffer.from( '0000000000000000000000000000000000000000000000000000000000000000', 'hex'), height: 0, magic: 241471196 }; genesis.simnetData = Buffer.from(data.simnet, 'base64'); }], [/* 48 */ 'hsd', '/lib/protocol/genesis-data.json', function(exports, module, __filename, __dirname, __meta) { module.exports = { "main": "AAAAAHZBOF4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGixguUOSBpOPjXgjeCq9uLIRpXQx6cm2pjZdjUKJM1GOTJdW/vKtEDdfNg4FYPzHWH61Ij3fjNfH4G5goRQLFQAAAAD//wAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//////////AdBMV3cAAAAAABTwI3ri6Phg99eRJPxRPwEuWqqNIwAAAAAAAAQgULiTf8Xe8I+fPL2n5fCMcG7bgKuliAwAAAAAAAAAAAAgLV3lhgnUlw+1SPha0HqH20DgVONMyByVHKmVpY9nTbcgENdI7aG5xnuU0yROAhFndhiptLMp6JatkEMfn0gDS60g4sApmh5GZ3NRZlXwmmSx4WsleVMN5sSlnOVlTepFGA8=", "testnet": "AAAAAHdBOF4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGixguUOSBpOPjXgjeCq9uLIRpXQx6cm2pjZdjUKJM1GOTJdW/vKtEDdfNg4FYPzHWH61Ij3fjNfH4G5goRQLFQAAAAD//wAdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//////////AdBMV3cAAAAAABTwI3ri6Phg99eRJPxRPwEuWqqNIwAAAAAAAAQgULiTf8Xe8I+fPL2n5fCMcG7bgKuliAwAAAAAAAAAAAAgLV3lhgnUlw+1SPha0HqH20DgVONMyByVHKmVpY9nTbcgENdI7aG5xnuU0yROAhFndhiptLMp6JatkEMfn0gDS60g4sApmh5GZ3NRZlXwmmSx4WsleVMN5sSlnOVlTepFGA8=", "regtest": "AAAAAHhBOF4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGixguUOSBpOPjXgjeCq9uLIRpXQx6cm2pjZdjUKJM1GOTJdW/vKtEDdfNg4FYPzHWH61Ij3fjNfH4G5goRQLFQAAAAD//38gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//////////AdBMV3cAAAAAABTwI3ri6Phg99eRJPxRPwEuWqqNIwAAAAAAAAQgULiTf8Xe8I+fPL2n5fCMcG7bgKuliAwAAAAAAAAAAAAgLV3lhgnUlw+1SPha0HqH20DgVONMyByVHKmVpY9nTbcgENdI7aG5xnuU0yROAhFndhiptLMp6JatkEMfn0gDS60g4sApmh5GZ3NRZlXwmmSx4WsleVMN5sSlnOVlTepFGA8=", "simnet": "AAAAAHlBOF4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGixguUOSBpOPjXgjeCq9uLIRpXQx6cm2pjZdjUKJM1GOTJdW/vKtEDdfNg4FYPzHWH61Ij3fjNfH4G5goRQLFQAAAAD//38gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP//////////AdBMV3cAAAAAABTwI3ri6Phg99eRJPxRPwEuWqqNIwAAAAAAAAQgULiTf8Xe8I+fPL2n5fCMcG7bgKuliAwAAAAAAAAAAAAgLV3lhgnUlw+1SPha0HqH20DgVONMyByVHKmVpY9nTbcgENdI7aG5xnuU0yROAhFndhiptLMp6JatkEMfn0gDS60g4sApmh5GZ3NRZlXwmmSx4WsleVMN5sSlnOVlTepFGA8=" }; }], [/* 49 */ 'hsd', '/lib/protocol/timedata.js', function(exports, module, __filename, __dirname, __meta) { /*! * timedata.js - time management for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const EventEmitter = require('events'); const util = __node_require__(50 /* '../utils/util' */); const binary = __node_require__(45 /* '../utils/binary' */); /** * Time Data * An object which handles "adjusted time". This may not * look it, but this is actually a semi-consensus-critical * piece of code. It handles version packets from peers * and calculates what to offset our system clock's time by. * @alias module:protocol.TimeData * @extends EventEmitter * @property {Array} samples * @property {Object} known * @property {Number} limit * @property {Number} offset */ class TimeData extends EventEmitter { /** * Create time data. * @constructor * @param {Number} [limit=200] */ constructor(limit) { super(); if (limit == null) limit = 200; this.samples = []; this.known = new Map(); this.limit = limit; this.offset = 0; this.checked = false; } /** * Add time data. * @param {String} id * @param {Number} time */ add(id, time) { if (this.samples.length >= this.limit) return; if (this.known.has(id)) return; const sample = time - util.now(); this.known.set(id, sample); binary.insert(this.samples, sample, compare); this.emit('sample', sample, this.samples.length); if (this.samples.length >= 5 && this.samples.length % 2 === 1) { let median = this.samples[this.samples.length >>> 1]; if (Math.abs(median) >= 70 * 60) { if (!this.checked) { let match = false; for (const offset of this.samples) { if (offset !== 0 && Math.abs(offset) < 5 * 60) { match = true; break; } } if (!match) { this.checked = true; this.emit('mismatch'); } } median = 0; } this.offset = median; this.emit('offset', this.offset); } } /** * Get the current adjusted time. * @returns {Number} Adjusted Time. */ now() { return util.now() + this.offset; } /** * Adjust a timestamp. * @param {Number} time * @returns {Number} Adjusted Time. */ adjust(time) { return time + this.offset; } /** * Unadjust a timestamp. * @param {Number} time * @returns {Number} Local Time. */ local(time) { return time - this.offset; } /** * Get the current adjusted time in milliseconds. * @returns {Number} Adjusted Time. */ ms() { return Date.now() + this.offset * 1000; } } /* * Helpers */ function compare(a, b) { return a - b; } /* * Expose */ module.exports = TimeData; }], [/* 50 */ 'hsd', '/lib/utils/util.js', function(exports, module, __filename, __dirname, __meta) { /*! * util.js - utils for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); /** * @exports utils/util */ const util = exports; /** * Return hrtime (shim for browser). * @param {Array} time * @returns {Array} [seconds, nanoseconds] */ util.bench = function bench(time) { if (!process.hrtime) { const now = Date.now(); if (time) { const [hi, lo] = time; const start = hi * 1000 + lo / 1e6; return now - start; } const ms = now % 1000; // Seconds const hi = (now - ms) / 1000; // Nanoseconds const lo = ms * 1e6; return [hi, lo]; } if (time) { const [hi, lo] = process.hrtime(time); return hi * 1000 + lo / 1e6; } return process.hrtime(); }; /** * Get current time in unix time (seconds). * @returns {Number} */ util.now = function now() { return Math.floor(Date.now() / 1000); }; /** * Get current time in unix time (milliseconds). * @returns {Number} */ util.ms = function ms() { return Date.now(); }; /** * Create a Date ISO string from time in unix time (seconds). * @param {Number?} time - Seconds in unix time. * @returns {String} */ util.date = function date(time) { if (time == null) time = util.now(); return new Date(time * 1000).toISOString().slice(0, -5) + 'Z'; }; /** * Get unix seconds from a Date string. * @param {String?} date - Date ISO String. * @returns {Number} */ util.time = function time(date) { if (date == null) return util.now(); return new Date(date) / 1000 | 0; }; /** * Convert u32 to padded hex. * @param {Number} num * @returns {String} */ util.hex32 = function hex32(num) { assert((num >>> 0) === num); num = num.toString(16); switch (num.length) { case 1: return `0000000${num}`; case 2: return `000000${num}`; case 3: return `00000${num}`; case 4: return `0000${num}`; case 5: return `000${num}`; case 6: return `00${num}`; case 7: return `0${num}`; case 8: return `${num}`; default: throw new Error(); } }; /** * Parse hex. * @param {String} str * @param {Number} size * @returns {Buffer} */ util.parseHex = function parseHex(str, size) { if (size == null) size = -1; assert(typeof str === 'string'); assert(size === -1 || (size >>> 0) === size); if (str.length & 1) throw new Error('Invalid hex string.'); if (size !== -1) { if ((str.length >>> 1) !== size) throw new Error('Invalid hex string.'); } const data = Buffer.from(str, 'hex'); if (data.length !== (str.length >>> 1)) throw new Error('Invalid hex string.'); return data; }; /** * Test whether a number is a safe uint64. * @param {Number} num * @returns {Boolean} */ util.isU64 = function isU64(num) { return Number.isSafeInteger(num) && num >= 0; }; /** * Encode a uint32. * @param {Number} num * @returns {Buffer} */ util.encodeU32 = function encodeU32(num) { assert(Number.isSafeInteger(num)); const buf = Buffer.allocUnsafe(4); buf[0] = num; num >>>= 8; buf[1] = num; num >>>= 8; buf[2] = num; num >>>= 8; buf[3] = num; return buf; }; }], [/* 51 */ 'hsd', '/lib/protocol/consensus.js', function(exports, module, __filename, __dirname, __meta) { /*! * consensus.js - consensus constants and helpers for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; /** * @module protocol/consensus */ const assert = __node_require__(2 /* 'bsert' */); const BN = __node_require__(31 /* 'bcrypto/lib/bn.js' */); /** * Coin exponent. * @const {Number} * @default */ exports.EXP = 6; /** * One handshake in dollarydoos. * @const {Amount} * @default */ exports.COIN = Math.pow(10, exports.EXP); /** * Maximum creators amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_CREATORS = 102e6 * exports.COIN; /** * Maximum sponsors amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_SPONSORS = 102e6 * exports.COIN; /** * Maximum TLD holder amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_TLD = 51e6 * exports.COIN; /** * Maximum domain holder amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_DOMAIN = 51e6 * exports.COIN; /** * Maximum CA/naming amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_CA_NAMING = 102e6 * exports.COIN; /** * Maximum airdrop amount in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_AIRDROP = 0.952e9 * exports.COIN; /** * Maximum initial supply in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_INITIAL = 1.36e9 * exports.COIN; assert(exports.MAX_CREATORS + exports.MAX_SPONSORS + exports.MAX_TLD + exports.MAX_DOMAIN + exports.MAX_CA_NAMING + exports.MAX_AIRDROP === exports.MAX_INITIAL); /** * Maximum amount of subsidies in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_SUBSIDY = 0.68e9 * exports.COIN; assert(exports.MAX_INITIAL / 2 === exports.MAX_SUBSIDY); /** * Maximum amount of money in dollarydoos (consensus). * @const {Amount} * @default */ exports.MAX_MONEY = 2.04e9 * exports.COIN; assert(exports.MAX_INITIAL + exports.MAX_SUBSIDY === exports.MAX_MONEY); /** * Base block subsidy (consensus). * @const {Amount} * @default */ exports.BASE_REWARD = 2000 * exports.COIN; assert(2 * exports.BASE_REWARD * 170000 === exports.MAX_SUBSIDY); /** * Block subsidy specifically for the genesis block. * * Explanation: * The max miner subsidy is 680000000, but due * to the halving interval it actually ends up * as 679999995.79, so add 2.21 coins to the * genesis reward output to make MAX_MONEY a * thoroughly true value. * * This, combined with the 3 1/4 year halving * interval, causes the supply to run dry * after about 100 years (around the year 2119, * or height=5,270,000). * * @const {Amount} * @default */ exports.GENESIS_REWARD = exports.BASE_REWARD + ((2.21 * exports.COIN) | 0); /** * Genesis key. * @const {Buffer} */ exports.GENESIS_KEY = Buffer.from('f0237ae2e8f860f7d79124fc513f012e5aaa8d23', 'hex'); /** * Maximum block base size (consensus). * @const {Number} * @default */ exports.MAX_BLOCK_SIZE = 1000000; /** * Maximum block serialization size (protocol). * @const {Number} * @default */ exports.MAX_RAW_BLOCK_SIZE = 4000000; /** * Maximum block weight (consensus). * @const {Number} * @default */ exports.MAX_BLOCK_WEIGHT = 4000000; /** * Maximum block sigops cost (consensus). * @const {Number} * @default */ exports.MAX_BLOCK_SIGOPS = 80000; /** * Maximum block tree opens. * @const {Number} * @default */ exports.MAX_BLOCK_OPENS = 300; /** * Maximum block tree updates. * @const {Number} * @default */ exports.MAX_BLOCK_UPDATES = 600; /** * Maximum block tree renewals. * @const {Number} * @default */ exports.MAX_BLOCK_RENEWALS = 600; /** * Size of set to pick median time from. * @const {Number} * @default */ exports.MEDIAN_TIMESPAN = 11; /** * Amount to multiply base/non-witness sizes by. * @const {Number} * @default */ exports.WITNESS_SCALE_FACTOR = 4; /** * Maximum TX base size (consensus). * @const {Number} * @default */ exports.MAX_TX_SIZE = 1000000; /** * Maximum TX weight (consensus). * @const {Number} * @default */ exports.MAX_TX_WEIGHT = 4000000; /** * Locktime flag. * @const {Number} * @default */ exports.LOCKTIME_FLAG = (1 << 31) >>> 0; /** * Locktime mask. * @const {Number} * @default */ exports.LOCKTIME_MASK = exports.LOCKTIME_FLAG - 1; /** * Locktime granularity. * @const {Number} * @default */ exports.LOCKTIME_GRANULARITY = 9; /** * Locktime multiplier. * @const {Number} * @default */ exports.LOCKTIME_MULT = 2 ** exports.LOCKTIME_GRANULARITY; /** * Highest nSequence bit -- disables * sequence locktimes (consensus). * @const {Number} */ exports.SEQUENCE_DISABLE_FLAG = (1 << 31) >>> 0; /** * Sequence time: height or time (consensus). * @const {Number} * @default */ exports.SEQUENCE_TYPE_FLAG = 1 << 22; /** * Sequence granularity for time (consensus). * @const {Number} * @default */ exports.SEQUENCE_GRANULARITY = 9; /** * Sequence mask (consensus). * @const {Number} * @default */ exports.SEQUENCE_MASK = 0x0000ffff; /** * Max serialized script size (consensus). * @const {Number} * @default */ exports.MAX_SCRIPT_SIZE = 10000; /** * Max stack size during execution (consensus). * @const {Number} * @default */ exports.MAX_SCRIPT_STACK = 1000; /** * Max script element size (consensus). * @const {Number} * @default */ exports.MAX_SCRIPT_PUSH = 520; /** * Max opcodes executed (consensus). * @const {Number} * @default */ exports.MAX_SCRIPT_OPS = 201; /** * Max `n` value for multisig (consensus). * @const {Number} * @default */ exports.MAX_MULTISIG_PUBKEYS = 20; /** * A hash of all zeroes. * @const {Buffer} * @default */ exports.ZERO_HASH = Buffer.alloc(32, 0x00); /** * Block header size. * @const {Number} * @default */ exports.HEADER_SIZE = 236; /** * Block header nonce size. * @const {Number} * @default */ exports.NONCE_SIZE = 24; /** * Block header of all zeroes. * @const {Buffer} * @default */ exports.ZERO_HEADER = Buffer.alloc(exports.HEADER_SIZE, 0x00); /** * Block header nonce of all zeroes. * @const {Buffer} * @default */ exports.ZERO_NONCE = Buffer.alloc(exports.NONCE_SIZE, 0x00); /** * Convert a compact number to a big number. * Used for `block.bits` -> `target` conversion. * @param {Number} compact * @returns {BN} */ exports.fromCompact = function fromCompact(compact) { if (compact === 0) return new BN(0); const exponent = compact >>> 24; const negative = (compact >>> 23) & 1; let mantissa = compact & 0x7fffff; let num; if (exponent <= 3) { mantissa >>>= 8 * (3 - exponent); num = new BN(mantissa); } else { num = new BN(mantissa); num.iushln(8 * (exponent - 3)); } if (negative) num.ineg(); return num; }; /** * Convert a big number to a compact number. * Used for `target` -> `block.bits` conversion. * @param {BN} num * @returns {Number} */ exports.toCompact = function toCompact(num) { if (num.isZero()) return 0; let exponent = num.byteLength(); let mantissa; if (exponent <= 3) { mantissa = num.toNumber(); mantissa <<= 8 * (3 - exponent); } else { mantissa = num.ushrn(8 * (exponent - 3)).toNumber(); } if (mantissa & 0x800000) { mantissa >>>= 8; exponent += 1; } let compact = (exponent << 24) | mantissa; if (num.isNeg()) compact |= 0x800000; compact >>>= 0; return compact; }; /** * Verify proof-of-work. * @param {Hash} hash * @param {Number} bits * @returns {Boolean} */ exports.verifyPOW = function verifyPOW(hash, bits) { const target = exports.fromCompact(bits); if (target.isNeg() || target.isZero()) return false; if (target.bitLength() > 256) return false; const num = new BN(hash, 'be'); if (num.gt(target)) return false; return true; }; /** * Calculate block subsidy. * @param {Number} height - Reward era by height. * @returns {Amount} */ exports.getReward = function getReward(height, interval) { assert((height >>> 0) === height, 'Bad height for reward.'); assert((interval >>> 0) === interval); const halvings = Math.floor(height / interval); if (halvings >= 52) return 0; return Math.floor(exports.BASE_REWARD / Math.pow(2, halvings)); }; /** * Test version bit. * @param {Number} version * @param {Number} bit * @returns {Boolean} */ exports.hasBit = function hasBit(version, bit) { return (version & (1 << bit)) !== 0; }; }], [/* 52 */ 'hsd', '/lib/hd/common.js', function(exports, module, __filename, __dirname, __meta) { /*! * common.js - common functions for hd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); const LRU = __node_require__(53 /* 'blru' */); const common = exports; /** * Index at which hardening begins. * @const {Number} * @default */ common.HARDENED = 0x80000000; /** * Min entropy bits. * @const {Number} * @default */ common.MIN_ENTROPY = 128; /** * Max entropy bits. * @const {Number} * @default */ common.MAX_ENTROPY = 512; /** * LRU cache to avoid deriving keys twice. * @type {LRU} */ common.cache = new LRU(500); /** * Parse a derivation path and return an array of indexes. * @see https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki * @param {String} path * @param {Boolean} hard * @returns {Number[]} */ common.parsePath = function parsePath(path, hard) { assert(typeof path === 'string'); assert(typeof hard === 'boolean'); assert(path.length >= 1); assert(path.length <= 3062); const parts = path.split('/'); const root = parts[0]; if (root !== 'm' && root !== 'M' && root !== 'm\'' && root !== 'M\'') { throw new Error('Invalid path root.'); } const result = []; for (let i = 1; i < parts.length; i++) { let part = parts[i]; const hardened = part[part.length - 1] === '\''; if (hardened) part = part.slice(0, -1); if (part.length > 10) throw new Error('Path index too large.'); if (!/^\d+$/.test(part)) throw new Error('Path index is non-numeric.'); let index = parseInt(part, 10); if ((index >>> 0) !== index) throw new Error('Path index out of range.'); if (hardened) { index |= common.HARDENED; index >>>= 0; } if (!hard && (index & common.HARDENED)) throw new Error('Path index cannot be hardened.'); result.push(index); } return result; }; /** * Test whether the key is a master key. * @param {HDPrivateKey|HDPublicKey} key * @returns {Boolean} */ common.isMaster = function isMaster(key) { return key.depth === 0 && key.childIndex === 0 && key.parentFingerPrint === 0; }; /** * Test whether the key is (most likely) a BIP44 account key. * @param {HDPrivateKey|HDPublicKey} key * @param {Number?} account * @returns {Boolean} */ common.isAccount = function isAccount(key, account) { if (account != null) { const index = (common.HARDENED | account) >>> 0; if (key.childIndex !== index) return false; } return key.depth === 3 && (key.childIndex & common.HARDENED) !== 0; }; /** * A compressed pubkey of all zeroes. * @const {Buffer} * @default */ common.ZERO_KEY = Buffer.alloc(33, 0x00); }], [/* 53 */ 'blru', '/lib/blru.js', function(exports, module, __filename, __dirname, __meta) { 'use strict'; module.exports = __node_require__(54 /* './lru' */); }], [/* 54 */ 'blru', '/lib/lru.js', function(exports, module, __filename, __dirname, __meta) { /*! * lru.js - LRU cache for bcoin * Copyright (c) 2014-2018, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcoin */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); /** * LRU Cache */ class LRU { /** * Create an LRU cache. * @constructor * @param {Number} capacity * @param {Function?} getSize * @param {Function?} CustomMap */ constructor(capacity, getSize, CustomMap) { assert(typeof capacity === 'number', 'Capacity must be a number.'); assert(capacity >= 0, 'Capacity cannot be negative.'); assert(!getSize || typeof getSize === 'function', 'Bad size callback.'); assert(!CustomMap || typeof CustomMap === 'function'); this.map = CustomMap ? new CustomMap() : new Map(); this.size = 0; this.items = 0; this.head = null; this.tail = null; this.pending = null; this.capacity = capacity; this.getSize = getSize; } /** * Calculate size of an item. * @private * @param {LRUItem} item * @returns {Number} Size. */ _getSize(item) { if (this.getSize) return 120 + this.getSize(item.value, item.key); return 1; } /** * Compact the LRU linked list. * @private */ _compact() { if (this.size <= this.capacity) return; let item = null; let next = null; for (item = this.head; item; item = next) { if (this.size <= this.capacity) break; this.size -= this._getSize(item); this.items -= 1; this.map.delete(item.key); next = item.next; item.prev = null; item.next = null; } if (!item) { this.head = null; this.tail = null; return; } this.head = item; item.prev = null; } /** * Reset the cache. Clear all items. */ reset() { let item, next; for (item = this.head; item; item = next) { this.map.delete(item.key); this.items -= 1; next = item.next; item.prev = null; item.next = null; } assert(!item); this.size = 0; this.head = null; this.tail = null; } /** * Add an item to the cache. * @param {String|Number} key * @param {Object} value */ set(key, value) { if (this.capacity === 0) return; let item = this.map.get(key); if (item) { this.size -= this._getSize(item); item.value = value; this.size += this._getSize(item); this._removeList(item); this._appendList(item); this._compact(); return; } item = new LRUItem(key, value); this.map.set(key, item); this._appendList(item); this.size += this._getSize(item); this.items += 1; this._compact(); } /** * Retrieve an item from the cache. * @param {String|Number} key * @returns {Object} Item. */ get(key) { if (this.capacity === 0) return null; const item = this.map.get(key); if (!item) return null; this._removeList(item); this._appendList(item); return item.value; } /** * Test whether the cache contains a key. * @param {String|Number} key * @returns {Boolean} */ has(key) { if (this.capacity === 0) return false; return this.map.has(key); } /** * Remove an item from the cache. * @param {String|Number} key * @returns {Boolean} Whether an item was removed. */ remove(key) { if (this.capacity === 0) return false; const item = this.map.get(key); if (!item) return false; this.size -= this._getSize(item); this.items -= 1; this.map.delete(key); this._removeList(item); return true; } /** * Prepend an item to the linked list (sets new head). * @private * @param {LRUItem} */ _prependList(item) { this._insertList(null, item); } /** * Append an item to the linked list (sets new tail). * @private * @param {LRUItem} */ _appendList(item) { this._insertList(this.tail, item); } /** * Insert item into the linked list. * @private * @param {LRUItem|null} ref * @param {LRUItem} item */ _insertList(ref, item) { assert(!item.next); assert(!item.prev); if (ref == null) { if (!this.head) { this.head = item; this.tail = item; } else { this.head.prev = item; item.next = this.head; this.head = item; } return; } item.next = ref.next; item.prev = ref; ref.next = item; if (item.next) item.next.prev = item; if (ref === this.tail) this.tail = item; } /** * Remove item from the linked list. * @private * @param {LRUItem} */ _removeList(item) { if (item.prev) item.prev.next = item.next; if (item.next) item.next.prev = item.prev; if (item === this.head) this.head = item.next; if (item === this.tail) this.tail = item.prev || this.head; if (!this.head) assert(!this.tail); if (!this.tail) assert(!this.head); item.prev = null; item.next = null; } /** * Collect all keys in the cache, sorted by LRU. * @returns {String[]} */ keys() { const items = []; for (let item = this.head; item; item = item.next) { if (item === this.head) assert(!item.prev); if (!item.prev) assert(item === this.head); if (!item.next) assert(item === this.tail); items.push(item.key); } return items; } /** * Collect all values in the cache, sorted by LRU. * @returns {String[]} */ values() { const items = []; for (let item = this.head; item; item = item.next) items.push(item.value); return items; } /** * Convert the LRU cache to an array of items. * @returns {Object[]} */ toArray() { const items = []; for (let item = this.head; item; item = item.next) items.push(item); return items; } /** * Create an atomic batch for the lru * (used for caching database writes). * @returns {LRUBatch} */ batch() { return new LRUBatch(this); } /** * Start the pending batch. */ start() { assert(!this.pending); this.pending = this.batch(); } /** * Clear the pending batch. */ clear() { assert(this.pending); this.pending.clear(); } /** * Drop the pending batch. */ drop() { assert(this.pending); this.pending = null; } /** * Commit the pending batch. */ commit() { assert(this.pending); this.pending.commit(); this.pending = null; } /** * Push an item onto the pending batch. * @param {String} key * @param {Object} value */ push(key, value) { assert(this.pending); if (this.capacity === 0) return; this.pending.set(key, value); } /** * Push a removal onto the pending batch. * @param {String} key */ unpush(key) { assert(this.pending); if (this.capacity === 0) return; this.pending.remove(key); } } /** * LRU Item * @alias module:utils.LRUItem */ class LRUItem { /** * Create an LRU item. * @constructor * @private * @param {String} key * @param {Object} value */ constructor(key, value) { this.key = key; this.value = value; this.next = null; this.prev = null; } } /** * LRU Batch * @alias module:utils.LRUBatch */ class LRUBatch { /** * Create an LRU batch. * @constructor * @param {LRU} lru */ constructor(lru) { this.lru = lru; this.ops = []; } /** * Push an item onto the batch. * @param {String} key * @param {Object} value */ set(key, value) { this.ops.push(new LRUOp(false, key, value)); } /** * Push a removal onto the batch. * @param {String} key */ remove(key) { this.ops.push(new LRUOp(true, key, null)); } /** * Clear the batch. */ clear() { this.ops.length = 0; } /** * Commit the batch. */ commit() { for (const op of this.ops) { if (op.remove) { this.lru.remove(op.key); continue; } this.lru.set(op.key, op.value); } this.ops.length = 0; } } /** * LRU Op * @alias module:utils.LRUOp * @private */ class LRUOp { /** * Create an LRU op. * @constructor * @param {Boolean} remove * @param {String} key * @param {Object} value */ constructor(remove, key, value) { this.remove = remove; this.key = key; this.value = value; } } /* * Expose */ module.exports = LRU; }], [/* 55 */ 'hsd', '/lib/primitives/address.js', function(exports, module, __filename, __dirname, __meta) { /*! * address.js - address object for hsd * Copyright (c) 2017-2018, Christopher Jeffrey (MIT License). * https://github.com/handshake-org/hsd */ 'use strict'; const assert = __node_require__(2 /* 'bsert' */); const bio = __node_require__(3 /* 'bufio' */); const bech32 = __node_require__(56 /* 'bcrypto/lib/encoding/bech32' */); const blake2b = __node_require__(58 /* 'bcrypto/lib/blake2b' */); const sha3 = __node_require__(60 /* 'bcrypto/lib/sha3' */); const Network = __node_require__(44 /* '../protocol/network' */); const consensus = __node_require__(51 /* '../protocol/consensus' */); /* * Constants */ const ZERO_HASH160 = Buffer.alloc(20, 0x00); /** * Address * Represents an address. * @alias module:primitives.Address * @property {Number} version * @property {Buffer} hash */ class Address extends bio.Struct { /** * Create an address. * @constructor * @param {Object?} options */ constructor(options, network) { super(); this.version = 0; this.hash = ZERO_HASH160; if (options) this.fromOptions(options, network); } /** * Inject properties from options object. * @private * @param {Object} options */ fromOptions(options, network) { if (typeof options === 'string') return this.fromString(options, network); assert(options); const {hash, version} = options; return this.fromHash(hash, version); } /** * Count the sigops in a script, taking into account witness programs. * @param {Witness} witness * @returns {Number} sigop count */ getSigops(witness) { if (this.version === 0) { if (this.hash.length === 20) return 1; if (this.hash.length === 32 && witness.items.length > 0) { const redeem = witness.getRedeem(); return redeem.getSigops(); } } return 0; } /** * Get the address hash. * @returns {Hash} */ getHash() { return this.hash; } /** * Test whether the address is null. * @returns {Boolean} */ isNull() { if (this.hash.length === 20) return this.hash.equals(ZERO_HASH160); if (this.hash.length === 32) return this.hash.equals(consensus.ZERO_HASH); for (let i = 0; i < this.hash.length; i++) { if (this.hash[i] !== 0) return false; } return true; } /** * Test whether the address is unspendable. * @returns {Boolean} */ isUnspendable() { return this.isNulldata(); } /** * Test equality against another address. * @param {Address} addr * @returns {Boolean} */ equals(addr) { assert(addr instanceof Address); return this.version === addr.version && this.hash.equals(addr.hash); } /** * Compare against another address. * @param {Address} addr * @returns {Boolean} */ compare(addr) { assert(addr instanceof Address); const cmp = this.version - addr.version; if (cmp !== 0) return cmp; return this.hash.compare(addr.hash); } /** * Inject properties from another address. * @param {Address} addr * @returns {Boolean} */ inject(addr) { this.version = addr.version; this.hash = addr.hash; return this; } /** * Clone address. * @returns {Address} */ clone() { return new this.constructor().inject(this); } /** * Compile the address object to a bech32 address. * @param {{NetworkType|Network)?} network * @returns {String} * @throws Error on bad hash/prefix. */ toString(network) { const version = this.version; const hash = this.hash; assert(version <= 31); assert(hash.length >= 2 && hash.length <= 40); network = Network.get(network); const hrp = network.addressPrefix; return bech32.encode(hrp, version, hash); } /** * Instantiate address from pubkey. * @param {Buffer} key * @returns {Address} */ fromPubkey(key) { assert(Buffer.isBuffer(key) && key.length === 33); return this.fromHash(blake2b.digest(key, 20), 0); } /** * Instantiate address from script. * @param {Script} script * @returns {Address} */ fromScript(script) { assert(script && typeof script.encode === 'function'); return this.fromHash(sha3.digest(script.encode()), 0); } /** * Inject properties from bech32 address. * @private * @param {String} data * @param {Network?} network * @throws Parse error */ fromString(data, network) { assert(typeof data === 'string'); const [hrp, version, hash] = bech32.decode(data); Network.fromAddress(hrp, network); return this.fromHash(hash, version); } /** * Inject properties from witness. * @private * @param {Witness} witness */ fromWitness(witness) { const [, pk] = witness.getPubkeyhashInput(); if (pk) { this.hash = blake2b.digest(pk, 20); this.version = 0; return this; } const redeem = witness.getScripthashInput(); if (redeem) { this.hash = sha3.digest(redeem); this.version = 0; return this; } return null; } /** * Inject properties from a hash. * @private * @param {Buffer|Hash} hash * @param {Number} [version=-1] * @throws on bad hash size */ fromHash(hash, version) { if (version == null) version = 0; assert(Buffer.isBuffer(hash)); assert((version & 0xff) === version); assert(version >= 0 && version <= 31, 'Bad program version.'); assert(hash.length >= 2 && hash.length <= 40, 'Hash is the wrong size.'); if (version === 0) { assert(hash.length === 20 || hash.length === 32, 'Witness program hash is the wrong size.'); } this.hash = hash; this.version = version; return this; } /** * Inject properties from witness pubkeyhash. * @private * @param {Buffer} hash * @returns {Address} */ fromPubkeyhash(hash) { assert(hash && hash.length === 20, 'P2WPKH must be 20 bytes.'); return this.fromHash(hash, 0); } /** * Inject properties from witness scripthash. * @private * @param {Buffer} hash * @returns {Address} */ fromScripthash(hash) { assert(hash && hash.length === 32, 'P2WSH must be 32 bytes.'); return this.fromHash(hash, 0); } /** * Inject properties from witness program. * @private * @param {Number} version * @param {Buffer} hash * @returns {Address} */ fromProgram(version, hash) { assert(version >= 0, 'Bad version for witness program.'); return this.fromHash(hash, version); } /** * Instantiate address from nulldata. * @param {Buffer} data * @returns {Address} */ fromNulldata(data) { return this.fromHash(data, 31); } /** * Test whether the address is witness pubkeyhash. * @returns {Boolean} */ isPubkeyhash() { return this.version === 0 && this.hash.length === 20; } /** * Test whether the address is witness scripthash. * @returns {Boolean} */ isScripthash() { return this.version === 0 && this.hash.length === 32; } /** * Test whether the address is unspendable. * @returns {Boolean} */ isNulldata() { return this.version === 31; } /** * Test whether the address is an unknown witness program. * @returns {Boolean} */ isUnknown() { switch (this.version) { case 0: return this.hash.length !== 20 && this.hash.length !== 32; case 31: return false; } return true; } /** * Test address validity. * @returns {Boolean} */ isValid() { assert(this.version >= 0); if (this.version > 31) return false; if (this.hash.length < 2 || this.hash.length > 40) return false; return true; } /** * Calculate address size. * @returns {Number} */ getSize() { return 1 + 1 + this.hash.length; } /** * Write address to buffer writer. * @param {BufferWriter} bw * @returns {BufferWriter} */ write(bw) { bw.writeU8(this.version); bw.writeU8(this.hash.length); bw.writeBytes(this.hash); return bw; } /** * Read address from buffer reader. * @param {BufferReader} br * @returns {Address} */ read(br) { const version = br.readU8(); assert(version <= 31); const size = br.readU8(); assert(size >= 2 && size <= 40); const hash = br.readBytes(size); return this.fromHash(hash, version); } /** * Inspect the Address. * @returns {Object} */ format() { return ''; } /** * Instantiate address from pubkey. * @param {Buffer} key * @returns {Address} */ static fromPubkey(key) { return new this().fromPubkey(key); } /** * Instantiate address from script. * @param {Script} script * @returns {Address} */ static fromScript(script) { return new this().fromScript(script); } /** * Create an Address from a witness. * Attempt to extract address * properties from a witness. * @param {Witness} * @returns {Address|null} */ static fromWitness(witness) { return new this().fromWitness(witness); } /** * Create a naked address from hash/version. * @param {Hash} hash * @param {Number} [version=-1] * @returns {Address} * @throws on bad hash size */ static fromHash(hash, version) { return new this().fromHash(hash, version); } /** * Instantiate address from witness pubkeyhash. * @param {Buffer} hash * @returns {Address} */ static fromPubkeyhash(hash) { return new this().fromPubkeyhash(hash); } /** * Instantiate address from witness scripthash. * @param {Buffer} hash * @returns {Address} */ static fromScripthash(hash) { return new this().fromScripthash(hash); } /** * Instantiate address from witness program. * @param {Number} version * @param {Buffer} hash * @returns {Address} */ static fromProgram(version, hash) { return new this().fromProgram(version, hash); } /** * Instantiate address from nulldata. * @param {Buffer} data * @returns {Address} */ static fromNulldata(data) { return new this().fromNulldata(data); } /** * Get the hash of a base58 address or address-related object. * @param {String|Address|Hash} data * @param {Network?} network * @returns {Hash} */ static getHash(data, network) { if (!data) throw new Error('Object is not an address.'); if (Buffer.isBuffer(data)) { return data; } if (data instanceof Address) return data.hash; throw new Error('Object is not an address.'); } } /* * Expose */ module.exports = Address; }], [/* 56 */ 'bcrypto', '/lib/encoding/bech32-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * bech32.js - bech32 for bcrypto * Copyright (c) 2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(57 /* '../js/bech32' */); }], [/* 57 */ 'bcrypto', '/lib/js/bech32.js', function(exports, module, __filename, __dirname, __meta) { /*! * bech32.js - bech32 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on sipa/bech32: * Copyright (c) 2017, Pieter Wuille (MIT License). * https://github.com/sipa/bech32 * * Resources: * https://github.com/bitcoin/bips/blob/master/bip-0173.mediawiki * https://github.com/sipa/bech32/blob/master/ref/c/segwit_addr.c * https://github.com/bitcoin/bitcoin/blob/master/src/bech32.cpp */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); /** * Constants */ const POOL65 = Buffer.alloc(65); const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l'; const TABLE = [ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 15, -1, 10, 17, 21, 20, 26, 30, 7, 5, -1, -1, -1, -1, -1, -1, -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1, 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1, -1, 29, -1, 24, 13, 25, 9, 8, 23, -1, 18, 22, 31, 27, 19, -1, 1, 0, 3, 16, 11, 28, 12, 14, 6, 4, 2, -1, -1, -1, -1, -1 ]; /** * Update checksum. * @ignore * @param {Number} c * @returns {Number} */ function polymod(c) { const b = c >>> 25; return ((c & 0x1ffffff) << 5) ^ (0x3b6a57b2 & -((b >> 0) & 1)) ^ (0x26508e6d & -((b >> 1) & 1)) ^ (0x1ea119fa & -((b >> 2) & 1)) ^ (0x3d4233dd & -((b >> 3) & 1)) ^ (0x2a1462b3 & -((b >> 4) & 1)); } /** * Encode hrp and data as a bech32 string. * @param {String} hrp * @param {Buffer} data * @returns {String} */ function serialize(hrp, data) { assert(typeof hrp === 'string'); assert(Buffer.isBuffer(data)); if (hrp.length === 0 || hrp.length > 83) throw new Error('Invalid bech32 human-readable part.'); if (hrp.length + 1 + data.length + 6 > 90) throw new Error('Invalid bech32 data length.'); let str = ''; let chk = 1; let i; for (i = 0; i < hrp.length; i++) { const ch = hrp.charCodeAt(i); if (ch < 33 || ch > 126) throw new Error('Invalid bech32 character.'); if (ch >= 65 && ch <= 90) throw new Error('Invalid bech32 character.'); chk = polymod(chk) ^ (ch >> 5); } chk = polymod(chk); for (let i = 0; i < hrp.length; i++) { const ch = hrp.charCodeAt(i); chk = polymod(chk) ^ (ch & 0x1f); str += hrp[i]; } str += '1'; for (let i = 0; i < data.length; i++) { const ch = data[i]; if (ch >> 5) throw new Error('Invalid bech32 value.'); chk = polymod(chk) ^ ch; str += CHARSET[ch]; } for (let i = 0; i < 6; i++) chk = polymod(chk); chk ^= 1; for (let i = 0; i < 6; i++) str += CHARSET[(chk >>> ((5 - i) * 5)) & 0x1f]; return str; } /** * Decode a bech32 string. * @param {String} str * @returns {Array} [hrp, data] */ function deserialize(str) { assert(typeof str === 'string'); if (str.length < 8 || str.length > 90) throw new Error('Invalid bech32 string length.'); let lower = false; let upper = false; let hlen = 0; for (let i = 0; i < str.length; i++) { const ch = str.charCodeAt(i); if (ch < 33 || ch > 126) throw new Error('Invalid bech32 character.'); if (ch >= 97 && ch <= 122) lower = true; else if (ch >= 65 && ch <= 90) upper = true; else if (ch === 49) hlen = i; } if (hlen === 0) throw new Error('Invalid bech32 human-readable part.'); const dlen = str.length - (hlen + 1); if (dlen < 6) throw new Error('Invalid bech32 data length.'); if (lower && upper) throw new Error('Invalid bech32 casing.'); let chk = 1; let hrp = ''; for (let i = 0; i < hlen; i++) { let ch = str.charCodeAt(i); if (ch >= 65 && ch <= 90) ch += 32; chk = polymod(chk) ^ (ch >> 5); hrp += String.fromCharCode(ch); } chk = polymod(chk); for (let i = 0; i < hlen; i++) chk = polymod(chk) ^ (str.charCodeAt(i) & 0x1f); const data = Buffer.alloc(dlen - 6); let j = 0; for (let i = hlen + 1; i < str.length; i++) { const val = TABLE[str.charCodeAt(i)]; if (val === -1) throw new Error('Invalid bech32 character.'); chk = polymod(chk) ^ val; if (i < str.length - 6) data[j++] = val; } if (chk !== 1) throw new Error('Invalid bech32 checksum.'); assert(j === data.length); return [hrp, data]; } /** * Test whether a string is a bech32 string. * @param {String} str * @returns {Boolean} */ function is(str) { assert(typeof str === 'string'); try { deserialize(str); return true; } catch (e) { return false; } } /** * Convert serialized data to another base. * @param {Buffer} dst * @param {Number} dstoff * @param {Number} dstbits * @param {Buffer} src * @param {Number} srcoff * @param {Number} srcbits * @param {Boolean} pad * @returns {Buffer} */ function convert(dst, dstoff, dstbits, src, srcoff, srcbits, pad) { assert(Buffer.isBuffer(dst)); assert((dstoff >>> 0) === dstoff); assert((dstbits >>> 0) === dstbits); assert(Buffer.isBuffer(src)); assert((srcoff >>> 0) === srcoff); assert((srcbits >>> 0) === srcbits); assert(typeof pad === 'boolean'); assert(dstbits >= 1 && dstbits <= 8); assert(srcbits >= 1 && srcbits <= 8); const mask = (1 << dstbits) - 1; let acc = 0; let bits = 0; let i = srcoff; let j = dstoff; for (; i < src.length; i++) { acc = (acc << srcbits) | src[i]; bits += srcbits; while (bits >= dstbits) { bits -= dstbits; dst[j++] = (acc >>> bits) & mask; } } const left = dstbits - bits; if (pad) { if (bits) dst[j++] = (acc << left) & mask; } else { if (((acc << left) & mask) || bits >= srcbits) throw new Error('Invalid bits.'); } assert(j <= dst.length); return dst.slice(0, j); } /** * Calculate size required for bit conversion. * @param {Number} len * @param {Number} srcbits * @param {Number} dstbits * @param {Boolean} pad * @returns {Number} */ function convertSize(len, srcbits, dstbits, pad) { assert((len >>> 0) === len); assert((srcbits >>> 0) === srcbits); assert((dstbits >>> 0) === dstbits); assert(typeof pad === 'boolean'); assert(srcbits >= 1 && srcbits <= 8); assert(dstbits >= 1 && dstbits <= 8); return ((len * srcbits + (dstbits - 1) * (pad | 0)) / dstbits) >>> 0; } /** * Convert serialized data to another base. * @param {Buffer} data * @param {Number} srcbits * @param {Number} dstbits * @param {Boolean} pad * @returns {Buffer} */ function convertBits(data, srcbits, dstbits, pad) { assert(Buffer.isBuffer(data)); const size = convertSize(data.length, srcbits, dstbits, pad); const out = Buffer.alloc(size); return convert(out, 0, dstbits, data, 0, srcbits, pad); } /** * Serialize data to bech32 address. * @param {String} hrp * @param {Number} version * @param {Buffer} hash * @returns {String} */ function encode(hrp, version, hash) { assert(typeof hrp === 'string'); assert((version >>> 0) === version); assert(Buffer.isBuffer(hash)); if (version > 31) throw new Error('Invalid bech32 version.'); if (hash.length < 2 || hash.length > 40) throw new Error('Invalid bech32 data length.'); const out = POOL65; out[0] = version; const data = convert(out, 1, 5, hash, 0, 8, true); return serialize(hrp, data); } /** * Deserialize data from bech32 address. * @param {String} addr * @returns {Array} */ function decode(addr) { const [hrp, data] = deserialize(addr); if (data.length === 0 || data.length > 65) throw new Error('Invalid bech32 data length.'); const version = data[0]; if (version > 31) throw new Error('Invalid bech32 version.'); const output = data; // Works because dstbits > srcbits. const hash = convert(output, 0, 8, data, 1, 5, false); if (hash.length < 2 || hash.length > 40) throw new Error('Invalid bech32 data length.'); return [hrp, version, hash]; } /** * Test whether a string is a bech32 string. * @param {String} addr * @returns {Boolean} */ function test(addr) { assert(typeof addr === 'string'); try { decode(addr); return true; } catch (e) { return false; } } /* * Expose */ exports.native = 0; exports.serialize = serialize; exports.deserialize = deserialize; exports.is = is; exports.convertBits = convertBits; exports.encode = encode; exports.decode = decode; exports.test = test; }], [/* 58 */ 'bcrypto', '/lib/blake2b-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * blake2b.js - blake2b for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(59 /* './js/blake2b' */); }], [/* 59 */ 'bcrypto', '/lib/js/blake2b.js', function(exports, module, __filename, __dirname, __meta) { /*! * blake2b.js - BLAKE2b implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on dcposch/blakejs: * Daniel Clemens Posch (CC0) * https://github.com/dcposch/blakejs/blob/master/blake2b.js * * Resources: * https://en.wikipedia.org/wiki/BLAKE_(hash_function) * https://tools.ietf.org/html/rfc7693 */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const FINALIZED = 0x80000000; const IV = new Uint32Array([ 0xf3bcc908, 0x6a09e667, 0x84caa73b, 0xbb67ae85, 0xfe94f82b, 0x3c6ef372, 0x5f1d36f1, 0xa54ff53a, 0xade682d1, 0x510e527f, 0x2b3e6c1f, 0x9b05688c, 0xfb41bd6b, 0x1f83d9ab, 0x137e2179, 0x5be0cd19 ]); const SIGMA = new Uint8Array([ 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e, 0x1c, 0x14, 0x08, 0x10, 0x12, 0x1e, 0x1a, 0x0c, 0x02, 0x18, 0x00, 0x04, 0x16, 0x0e, 0x0a, 0x06, 0x16, 0x10, 0x18, 0x00, 0x0a, 0x04, 0x1e, 0x1a, 0x14, 0x1c, 0x06, 0x0c, 0x0e, 0x02, 0x12, 0x08, 0x0e, 0x12, 0x06, 0x02, 0x1a, 0x18, 0x16, 0x1c, 0x04, 0x0c, 0x0a, 0x14, 0x08, 0x00, 0x1e, 0x10, 0x12, 0x00, 0x0a, 0x0e, 0x04, 0x08, 0x14, 0x1e, 0x1c, 0x02, 0x16, 0x18, 0x0c, 0x10, 0x06, 0x1a, 0x04, 0x18, 0x0c, 0x14, 0x00, 0x16, 0x10, 0x06, 0x08, 0x1a, 0x0e, 0x0a, 0x1e, 0x1c, 0x02, 0x12, 0x18, 0x0a, 0x02, 0x1e, 0x1c, 0x1a, 0x08, 0x14, 0x00, 0x0e, 0x0c, 0x06, 0x12, 0x04, 0x10, 0x16, 0x1a, 0x16, 0x0e, 0x1c, 0x18, 0x02, 0x06, 0x12, 0x0a, 0x00, 0x1e, 0x08, 0x10, 0x0c, 0x04, 0x14, 0x0c, 0x1e, 0x1c, 0x12, 0x16, 0x06, 0x00, 0x10, 0x18, 0x04, 0x1a, 0x0e, 0x02, 0x08, 0x14, 0x0a, 0x14, 0x04, 0x10, 0x08, 0x0e, 0x0c, 0x02, 0x0a, 0x1e, 0x16, 0x12, 0x1c, 0x06, 0x18, 0x1a, 0x00, 0x00, 0x02, 0x04, 0x06, 0x08, 0x0a, 0x0c, 0x0e, 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e, 0x1c, 0x14, 0x08, 0x10, 0x12, 0x1e, 0x1a, 0x0c, 0x02, 0x18, 0x00, 0x04, 0x16, 0x0e, 0x0a, 0x06 ]); /** * BLAKE2b */ class BLAKE2b { constructor() { this.state = new Uint32Array(16); this.V = new Uint32Array(32); this.M = new Uint32Array(32); this.block = Buffer.alloc(128); this.size = 32; this.count = 0; this.pos = FINALIZED; } init(size, key) { if (size == null) size = 32; assert((size >>> 0) === size); assert(key == null || Buffer.isBuffer(key)); if (size === 0 || size > 64) throw new Error('Bad output length.'); if (key && key.length > 64) throw new Error('Bad key length.'); const klen = key ? key.length : 0; for (let i = 0; i < 16; i++) this.state[i] = IV[i]; this.size = size; this.count = 0; this.pos = 0; this.state[0] ^= 0x01010000 ^ (klen << 8) ^ this.size; if (klen > 0) { const block = Buffer.alloc(128, 0x00); key.copy(block, 0); this.update(block); } return this; } update(data) { assert(Buffer.isBuffer(data)); assert(!(this.pos & FINALIZED), 'Context is not initialized.'); let off = 0; let len = data.length; if (len > 0) { const left = this.pos; const fill = 128 - left; if (len > fill) { this.pos = 0; data.copy(this.block, left, off, off + fill); this.count += 128; this._compress(this.block, 0, false); off += fill; len -= fill; while (len > 128) { this.count += 128; this._compress(data, off, false); off += 128; len -= 128; } } data.copy(this.block, this.pos, off, off + len); this.pos += len; } return this; } final() { assert(!(this.pos & FINALIZED), 'Context is not initialized.'); this.count += this.pos; this.block.fill(0, this.pos, 128); this._compress(this.block, 0, true); this.pos = FINALIZED; const out = Buffer.alloc(this.size); for (let i = 0; i < this.size; i++) out[i] = this.state[i >>> 2] >>> (8 * (i & 3)); for (let i = 0; i < 16; i++) this.state[i] = 0; for (let i = 0; i < 32; i++) { this.V[i] = 0; this.M[i] = 0; } for (let i = 0; i < 128; i++) this.block[i] = 0; return out; } _compress(block, off, last) { const {V, M} = this; for (let i = 0; i < 16; i++) { V[i] = this.state[i]; V[i + 16] = IV[i]; } // uint128 V[24] ^= this.count; V[25] ^= this.count * (1 / 0x100000000); V[26] ^= 0; V[27] ^= 0; if (last) { // last block V[28] ^= -1; V[29] ^= -1; // last node V[29] ^= 0; V[30] ^= 0; } for (let i = 0; i < 32; i++) { M[i] = readU32(block, off); off += 4; } for (let i = 0; i < 12; i++) { G(V, M, 0, 8, 16, 24, SIGMA[i * 16 + 0], SIGMA[i * 16 + 1]); G(V, M, 2, 10, 18, 26, SIGMA[i * 16 + 2], SIGMA[i * 16 + 3]); G(V, M, 4, 12, 20, 28, SIGMA[i * 16 + 4], SIGMA[i * 16 + 5]); G(V, M, 6, 14, 22, 30, SIGMA[i * 16 + 6], SIGMA[i * 16 + 7]); G(V, M, 0, 10, 20, 30, SIGMA[i * 16 + 8], SIGMA[i * 16 + 9]); G(V, M, 2, 12, 22, 24, SIGMA[i * 16 + 10], SIGMA[i * 16 + 11]); G(V, M, 4, 14, 16, 26, SIGMA[i * 16 + 12], SIGMA[i * 16 + 13]); G(V, M, 6, 8, 18, 28, SIGMA[i * 16 + 14], SIGMA[i * 16 + 15]); } for (let i = 0; i < 16; i++) this.state[i] ^= V[i] ^ V[i + 16]; } static hash() { return new BLAKE2b(); } static hmac(size) { return new HMAC(BLAKE2b, 128, [size]); } static digest(data, size, key) { const {ctx} = BLAKE2b; ctx.init(size, key); ctx.update(data); return ctx.final(); } static root(left, right, size, key) { if (size == null) size = 32; assert(Buffer.isBuffer(left) && left.length === size); assert(Buffer.isBuffer(right) && right.length === size); const {ctx} = BLAKE2b; ctx.init(size, key); ctx.update(left); ctx.update(right); return ctx.final(); } static multi(x, y, z, size, key) { const {ctx} = BLAKE2b; ctx.init(size, key); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(); } static mac(data, key, size) { return BLAKE2b.hmac(size).init(key).update(data).final(); } } /* * Static */ BLAKE2b.native = 0; BLAKE2b.id = 'BLAKE2B256'; BLAKE2b.size = 32; BLAKE2b.bits = 256; BLAKE2b.blockSize = 128; BLAKE2b.zero = Buffer.alloc(32, 0x00); BLAKE2b.ctx = new BLAKE2b(); /* * Helpers */ function sum64i(v, a, b) { const o0 = v[a + 0] + v[b + 0]; const o1 = v[a + 1] + v[b + 1]; const c = (o0 >= 0x100000000) | 0; v[a + 0] = o0; v[a + 1] = o1 + c; } function sum64w(v, a, b0, b1) { const o0 = v[a + 0] + b0; const o1 = v[a + 1] + b1; const c = (o0 >= 0x100000000) | 0; v[a + 0] = o0; v[a + 1] = o1 + c; } function G(v, m, a, b, c, d, ix, iy) { const x0 = m[ix + 0]; const x1 = m[ix + 1]; const y0 = m[iy + 0]; const y1 = m[iy + 1]; sum64i(v, a, b); sum64w(v, a, x0, x1); const xor0 = v[d + 0] ^ v[a + 0]; const xor1 = v[d + 1] ^ v[a + 1]; v[d + 0] = xor1; v[d + 1] = xor0; sum64i(v, c, d); const xor2 = v[b + 0] ^ v[c + 0]; const xor3 = v[b + 1] ^ v[c + 1]; v[b + 0] = (xor2 >>> 24) ^ (xor3 << 8); v[b + 1] = (xor3 >>> 24) ^ (xor2 << 8); sum64i(v, a, b); sum64w(v, a, y0, y1); const xor4 = v[d + 0] ^ v[a + 0]; const xor5 = v[d + 1] ^ v[a + 1]; v[d + 0] = (xor4 >>> 16) ^ (xor5 << 16); v[d + 1] = (xor5 >>> 16) ^ (xor4 << 16); sum64i(v, c, d); const xor6 = v[b + 0] ^ v[c + 0]; const xor7 = v[b + 1] ^ v[c + 1]; v[b + 0] = (xor7 >>> 31) ^ (xor6 << 1); v[b + 1] = (xor6 >>> 31) ^ (xor7 << 1); } function readU32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000); } /* * Expose */ module.exports = BLAKE2b; }], [/* 60 */ 'bcrypto', '/lib/sha3-browser.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha3.js - sha3 for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto */ 'use strict'; module.exports = __node_require__(61 /* './js/sha3' */); }], [/* 61 */ 'bcrypto', '/lib/js/sha3.js', function(exports, module, __filename, __dirname, __meta) { /*! * sha3.js - SHA3 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Resources: * https://en.wikipedia.org/wiki/SHA-3 * https://keccak.team/specifications.html * https://csrc.nist.gov/projects/hash-functions/sha-3-project/sha-3-standardization * http://dx.doi.org/10.6028/NIST.FIPS.202 */ 'use strict'; const Keccak = __node_require__(62 /* './keccak' */); /** * SHA3 */ class SHA3 extends Keccak { constructor() { super(); } final() { return super.final(0x06, null); } static hash() { return new SHA3(); } static hmac(bits) { return super.hmac(bits, 0x06, null); } static digest(data, bits) { return super.digest(data, bits, 0x06, null); } static root(left, right, bits) { return super.root(left, right, bits, 0x06, null); } static multi(x, y, z, bits) { return super.multi(x, y, z, bits, 0x06, null); } static mac(data, key, bits) { return super.mac(data, key, bits, 0x06, null); } } /* * Static */ SHA3.native = 0; SHA3.id = 'SHA3_256'; SHA3.size = 32; SHA3.bits = 256; SHA3.blockSize = 136; SHA3.zero = Buffer.alloc(32, 0x00); SHA3.ctx = new SHA3(); /* * Expose */ module.exports = SHA3; }], [/* 62 */ 'bcrypto', '/lib/js/keccak.js', function(exports, module, __filename, __dirname, __meta) { /*! * keccak.js - Keccak/SHA3 implementation for bcrypto * Copyright (c) 2017-2019, Christopher Jeffrey (MIT License). * https://github.com/bcoin-org/bcrypto * * Parts of this software are based on emn178/js-sha3: * Copyright (c) 2015-2017, Chen, Yi-Cyuan (MIT License). * https://github.com/emn178/js-sha3 * * Parts of this software are based on rhash/RHash: * Copyright (c) 2005-2014, Aleksey Kravchenko * https://github.com/rhash/RHash * * Resources: * https://en.wikipedia.org/wiki/SHA-3 * https://keccak.team/specifications.html * https://csrc.nist.gov/projects/hash-functions/sha-3-project/sha-3-standardization * http://dx.doi.org/10.6028/NIST.FIPS.202 * https://github.com/rhash/RHash/blob/master/librhash/sha3.c * https://github.com/emn178/js-sha3/blob/master/src/sha3.js */ 'use strict'; const assert = __node_require__(14 /* '../internal/assert' */); const HMAC = __node_require__(17 /* '../internal/hmac' */); /* * Constants */ const FINALIZED = 0x80000000; const ROUND_CONST = new Uint32Array([ 0x00000001, 0x00000000, 0x00008082, 0x00000000, 0x0000808a, 0x80000000, 0x80008000, 0x80000000, 0x0000808b, 0x00000000, 0x80000001, 0x00000000, 0x80008081, 0x80000000, 0x00008009, 0x80000000, 0x0000008a, 0x00000000, 0x00000088, 0x00000000, 0x80008009, 0x00000000, 0x8000000a, 0x00000000, 0x8000808b, 0x00000000, 0x0000008b, 0x80000000, 0x00008089, 0x80000000, 0x00008003, 0x80000000, 0x00008002, 0x80000000, 0x00000080, 0x80000000, 0x0000800a, 0x00000000, 0x8000000a, 0x80000000, 0x80008081, 0x80000000, 0x00008080, 0x80000000, 0x80000001, 0x00000000, 0x80008008, 0x80000000 ]); /** * Keccak */ class Keccak { constructor() { this.state = new Uint32Array(50); this.block = Buffer.alloc(200); this.bs = 136; this.pos = FINALIZED; } init(bits) { if (bits == null) bits = 256; assert((bits >>> 0) === bits); assert(bits >= 128); assert(bits <= 512); const rate = 1600 - bits * 2; assert(rate >= 0 && (rate & 63) === 0); this.bs = rate >>> 3; this.pos = 0; return this; } update(data) { assert(Buffer.isBuffer(data)); assert(!(this.pos & FINALIZED), 'Context is not initialized.'); let len = data.length; let pos = this.pos; let off = 0; this.pos = (this.pos + len) % this.bs; if (pos > 0) { let want = this.bs - pos; if (want > len) want = len; data.copy(this.block, pos, off, off + want); pos += want; len -= want; off += want; if (pos < this.bs) return this; this._transform(this.block, 0); } while (len >= this.bs) { this._transform(data, off); off += this.bs; len -= this.bs; } if (len > 0) data.copy(this.block, 0, off, off + len); return this; } final(pad, len) { if (pad == null) pad = 0x01; if (len == null || len === 0) len = 100 - (this.bs >>> 1); assert((pad & 0xff) === pad); assert((len >>> 0) === len); assert(!(this.pos & FINALIZED), 'Context is not initialized.'); this.block.fill(0, this.pos, this.bs); this.block[this.pos] |= pad; this.block[this.bs - 1] |= 0x80; this._transform(this.block, 0); this.pos = FINALIZED; assert(len <= this.bs); const out = Buffer.alloc(len); for (let i = 0; i < len; i++) out[i] = this.state[i >>> 2] >>> (8 * (i & 3)); for (let i = 0; i < 50; i++) this.state[i] = 0; for (let i = 0; i < this.bs; i++) this.block[i] = 0; return out; } _transform(block, off) { const count = this.bs >>> 2; const s = this.state; for (let i = 0; i < count; i++) s[i] ^= readU32(block, off + i * 4); for (let n = 0; n < 48; n += 2) { const c0 = s[0] ^ s[10] ^ s[20] ^ s[30] ^ s[40]; const c1 = s[1] ^ s[11] ^ s[21] ^ s[31] ^ s[41]; const c2 = s[2] ^ s[12] ^ s[22] ^ s[32] ^ s[42]; const c3 = s[3] ^ s[13] ^ s[23] ^ s[33] ^ s[43]; const c4 = s[4] ^ s[14] ^ s[24] ^ s[34] ^ s[44]; const c5 = s[5] ^ s[15] ^ s[25] ^ s[35] ^ s[45]; const c6 = s[6] ^ s[16] ^ s[26] ^ s[36] ^ s[46]; const c7 = s[7] ^ s[17] ^ s[27] ^ s[37] ^ s[47]; const c8 = s[8] ^ s[18] ^ s[28] ^ s[38] ^ s[48]; const c9 = s[9] ^ s[19] ^ s[29] ^ s[39] ^ s[49]; const h0 = c8 ^ ((c2 << 1) | (c3 >>> 31)); const l0 = c9 ^ ((c3 << 1) | (c2 >>> 31)); const h1 = c0 ^ ((c4 << 1) | (c5 >>> 31)); const l1 = c1 ^ ((c5 << 1) | (c4 >>> 31)); const h2 = c2 ^ ((c6 << 1) | (c7 >>> 31)); const l2 = c3 ^ ((c7 << 1) | (c6 >>> 31)); const h3 = c4 ^ ((c8 << 1) | (c9 >>> 31)); const l3 = c5 ^ ((c9 << 1) | (c8 >>> 31)); const h4 = c6 ^ ((c0 << 1) | (c1 >>> 31)); const l4 = c7 ^ ((c1 << 1) | (c0 >>> 31)); s[0] ^= h0; s[1] ^= l0; s[10] ^= h0; s[11] ^= l0; s[20] ^= h0; s[21] ^= l0; s[30] ^= h0; s[31] ^= l0; s[40] ^= h0; s[41] ^= l0; s[2] ^= h1; s[3] ^= l1; s[12] ^= h1; s[13] ^= l1; s[22] ^= h1; s[23] ^= l1; s[32] ^= h1; s[33] ^= l1; s[42] ^= h1; s[43] ^= l1; s[4] ^= h2; s[5] ^= l2; s[14] ^= h2; s[15] ^= l2; s[24] ^= h2; s[25] ^= l2; s[34] ^= h2; s[35] ^= l2; s[44] ^= h2; s[45] ^= l2; s[6] ^= h3; s[7] ^= l3; s[16] ^= h3; s[17] ^= l3; s[26] ^= h3; s[27] ^= l3; s[36] ^= h3; s[37] ^= l3; s[46] ^= h3; s[47] ^= l3; s[8] ^= h4; s[9] ^= l4; s[18] ^= h4; s[19] ^= l4; s[28] ^= h4; s[29] ^= l4; s[38] ^= h4; s[39] ^= l4; s[48] ^= h4; s[49] ^= l4; const b0 = s[0]; const b1 = s[1]; const b32 = (s[11] << 4) | (s[10] >>> 28); const b33 = (s[10] << 4) | (s[11] >>> 28); const b14 = (s[20] << 3) | (s[21] >>> 29); const b15 = (s[21] << 3) | (s[20] >>> 29); const b46 = (s[31] << 9) | (s[30] >>> 23); const b47 = (s[30] << 9) | (s[31] >>> 23); const b28 = (s[40] << 18) | (s[41] >>> 14); const b29 = (s[41] << 18) | (s[40] >>> 14); const b20 = (s[2] << 1) | (s[3] >>> 31); const b21 = (s[3] << 1) | (s[2] >>> 31); const b2 = (s[13] << 12) | (s[12] >>> 20); const b3 = (s[12] << 12) | (s[13] >>> 20); const b34 = (s[22] << 10) | (s[23] >>> 22); const b35 = (s[23] << 10) | (s[22] >>> 22); const b16 = (s[33] << 13) | (s[32] >>> 19); const b17 = (s[32] << 13) | (s[33] >>> 19); const b48 = (s[42] << 2) | (s[43] >>> 30); const b49 = (s[43] << 2) | (s[42] >>> 30); const b40 = (s[5] << 30) | (s[4] >>> 2); const b41 = (s[4] << 30) | (s[5] >>> 2); const b22 = (s[14] << 6) | (s[15] >>> 26); const b23 = (s[15] << 6) | (s[14] >>> 26); const b4 = (s[25] << 11) | (s[24] >>> 21); const b5 = (s[24] << 11) | (s[25] >>> 21); const b36 = (s[34] << 15) | (s[35] >>> 17); const b37 = (s[35] << 15) | (s[34] >>> 17); const b18 = (s[45] << 29) | (s[44] >>> 3); const b19 = (s[44] << 29) | (s[45] >>> 3); const b10 = (s[6] << 28) | (s[7] >>> 4); const b11 = (s[7] << 28) | (s[6] >>> 4); const b42 = (s[17] << 23) | (s[16] >>> 9); const b43 = (s[16] << 23) | (s[17] >>> 9); const b24 = (s[26] << 25) | (s[27] >>> 7); const b25 = (s[27] << 25) | (s[26] >>> 7); const b6 = (s[36] << 21) | (s[37] >>> 11); const b7 = (s[37] << 21) | (s[36] >>> 11); const b38 = (s[47] << 24) | (s[46] >>> 8); const b39 = (s[46] << 24) | (s[47] >>> 8); const b30 = (s[8] << 27) | (s[9] >>> 5); const b31 = (s[9] << 27) | (s[8] >>> 5); const b12 = (s[18] << 20) | (s[19] >>> 12); const b13 = (s[19] << 20) | (s[18] >>> 12); const b44 = (s[29] << 7) | (s[28] >>> 25); const b45 = (s[28] << 7) | (s[29] >>> 25); const b26 = (s[38] << 8) | (s[39] >>> 24); const b27 = (s[39] << 8) | (s[38] >>> 24); const b8 = (s[48] << 14) | (s[49] >>> 18); const b9 = (s[49] << 14) | (s[48] >>> 18); s[0] = b0 ^ (~b2 & b4); s[1] = b1 ^ (~b3 & b5); s[10] = b10 ^ (~b12 & b14); s[11] = b11 ^ (~b13 & b15); s[20] = b20 ^ (~b22 & b24); s[21] = b21 ^ (~b23 & b25); s[30] = b30 ^ (~b32 & b34); s[31] = b31 ^ (~b33 & b35); s[40] = b40 ^ (~b42 & b44); s[41] = b41 ^ (~b43 & b45); s[2] = b2 ^ (~b4 & b6); s[3] = b3 ^ (~b5 & b7); s[12] = b12 ^ (~b14 & b16); s[13] = b13 ^ (~b15 & b17); s[22] = b22 ^ (~b24 & b26); s[23] = b23 ^ (~b25 & b27); s[32] = b32 ^ (~b34 & b36); s[33] = b33 ^ (~b35 & b37); s[42] = b42 ^ (~b44 & b46); s[43] = b43 ^ (~b45 & b47); s[4] = b4 ^ (~b6 & b8); s[5] = b5 ^ (~b7 & b9); s[14] = b14 ^ (~b16 & b18); s[15] = b15 ^ (~b17 & b19); s[24] = b24 ^ (~b26 & b28); s[25] = b25 ^ (~b27 & b29); s[34] = b34 ^ (~b36 & b38); s[35] = b35 ^ (~b37 & b39); s[44] = b44 ^ (~b46 & b48); s[45] = b45 ^ (~b47 & b49); s[6] = b6 ^ (~b8 & b0); s[7] = b7 ^ (~b9 & b1); s[16] = b16 ^ (~b18 & b10); s[17] = b17 ^ (~b19 & b11); s[26] = b26 ^ (~b28 & b20); s[27] = b27 ^ (~b29 & b21); s[36] = b36 ^ (~b38 & b30); s[37] = b37 ^ (~b39 & b31); s[46] = b46 ^ (~b48 & b40); s[47] = b47 ^ (~b49 & b41); s[8] = b8 ^ (~b0 & b2); s[9] = b9 ^ (~b1 & b3); s[18] = b18 ^ (~b10 & b12); s[19] = b19 ^ (~b11 & b13); s[28] = b28 ^ (~b20 & b22); s[29] = b29 ^ (~b21 & b23); s[38] = b38 ^ (~b30 & b32); s[39] = b39 ^ (~b31 & b33); s[48] = b48 ^ (~b40 & b42); s[49] = b49 ^ (~b41 & b43); s[0] ^= ROUND_CONST[n + 0]; s[1] ^= ROUND_CONST[n + 1]; } } static hash() { return new Keccak(); } static hmac(bits, pad, len) { if (bits == null) bits = 256; assert((bits >>> 0) === bits); const rate = 1600 - bits * 2; assert(rate >= 0 && (rate & 63) === 0); return new HMAC(Keccak, rate >>> 3, [bits], [pad, len]); } static digest(data, bits, pad, len) { return Keccak.ctx.init(bits).update(data).final(pad, len); } static root(left, right, bits, pad, len) { if (bits == null) bits = 256; if (len == null) len = 0; if (len === 0) len = bits >>> 3; assert((bits >>> 0) === bits); assert((bits & 7) === 0); assert((len >>> 0) === len); assert(Buffer.isBuffer(left) && left.length === len); assert(Buffer.isBuffer(right) && right.length === len); return Keccak.ctx.init(bits).update(left).update(right).final(pad, len); } static multi(x, y, z, bits, pad, len) { const {ctx} = Keccak; ctx.init(bits); ctx.update(x); ctx.update(y); if (z) ctx.update(z); return ctx.final(pad, len); } static mac(data, key, bits, pad, len) { return Keccak.hmac(bits, pad, len).init(key).update(data).final(); } } /* * Static */ Keccak.native = 0; Keccak.id = 'KECCAK256'; Keccak.size = 32; Keccak.bits = 256; Keccak.blockSize = 136; Keccak.zero = Buffer.alloc(32, 0x00); Keccak.ctx = new Keccak(); /* * Helpers */ function readU32(data, off) { return (data[off++] + data[off++] * 0x100 + data[off++] * 0x10000 + data[off] * 0x1000000); } /* * Expose */ module.exports = Keccak; }] ]; var __node_cache__ = []; function __node_error__(location) { var err = new Error('Cannot find module \'' + location + '\''); err.code = 'MODULE_NOT_FOUND'; throw err; } function __node_require__(id) { if ((id >>> 0) !== id || id > __node_modules__.length) return __node_error__(id); while (__node_cache__.length <= id) __node_cache__.push(null); var cache = __node_cache__[id]; if (cache) return cache.exports; var mod = __node_modules__[id]; var name = mod[0]; var path = mod[1]; var func = mod[2]; var meta; var _exports = exports; var _module = module; if (id !== 0) { _exports = {}; _module = { id: '/' + name + path, exports: _exports, parent: module.parent, filename: module.filename, loaded: false, children: module.children, paths: module.paths }; } __node_cache__[id] = _module; try { func.call(_exports, _exports, _module, __filename, __dirname, meta); } catch (e) { __node_cache__[id] = null; throw e; } __node_modules__[id] = null; if (id !== 0) _module.loaded = true; return _module.exports; } __node_require__(0);