paulmillr/noble-curvesPublic

NotificationsYou must be signed in to change notification settings
Fork78
Star795

Audited & minimal JS implementation of elliptic curve cryptography.

License

MIT license

795 stars 78 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 838 Commits
.github		.github
.vscode		.vscode
audit		audit
esm		esm
src		src
test		test
.gitignore		.gitignore
.gitmodules		.gitmodules
.prettierrc.json		.prettierrc.json
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
jsr.json		jsr.json
package-lock.json		package-lock.json
package.json		package.json
tsconfig.cjs.json		tsconfig.cjs.json
tsconfig.json		tsconfig.json

Repository files navigation

noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.

🔒Audited by independent security firms
🔻 Tree-shakeable: unused code is excluded from your builds
🏎 Fast: hand-optimized for caveats of JS engines
🔍 Reliable: tested against cross-library, wycheproof and acvp vectors
➰ Weierstrass, Edwards, Montgomery curves; ECDSA, EdDSA, Schnorr, BLS signatures
✍️ ECDH, hash-to-curve, OPRF, Poseidon ZK-friendly hash
🔖 Non-repudiation (SUF-CMA, SBS) & consensus-friendliness (ZIP215) in ed25519, ed448
🥈 Optional, friendly wrapper over native WebCrypto
🪶 36KB (gzipped) including bundled hashes, 11KB for single-curve build

Curves have 4KB sister projectssecp256k1 &ed25519.They have smaller attack surface, but less features.

Take a glance atGitHub Discussions for questions and support.

This library belongs tonoble cryptography

noble cryptography — high-security, easily auditable set of contained cryptographic libraries and tools.

Zero or minimal dependencies
Highly readable TypeScript / JS code
PGP-signed releases and transparent NPM builds
All libraries:ciphers,curves,hashes,post-quantum,4kbsecp256k1 /ed25519
Check out homepagefor reading resources, documentation and apps built with noble

Usage

npm install @noble/curves

deno add jsr:@noble/curves

deno doc jsr:@noble/curves # command-line documentation

We support all major platforms and runtimes.For React Native, you may need apolyfill for getRandomValues.A standalone filenoble-curves.js is also available.

// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app sizeimport{secp256k1,schnorr}from'@noble/curves/secp256k1.js';import{ed25519,ed25519ph,ed25519ctx,x25519}from'@noble/curves/ed25519.js';import{ed448,ed448ph,ed448ctx,x448}from'@noble/curves/ed448.js';import{p256,p384,p521}from'@noble/curves/nist.js';import{bls12_381}from'@noble/curves/bls12-381.js';import{bn254}from'@noble/curves/bn254.js';import{jubjub,babyjubjub}from'@noble/curves/misc.js';import{bytesToHex,hexToBytes,concatBytes,utf8ToBytes}from'@noble/curves/abstract/utils.js';

Implementations

ECDSA signatures over secp256k1 and others

import{secp256k1}from'@noble/curves/secp256k1.js';// import { p256 } from '@noble/curves/nist.js'; // or p384 / p521constpriv=secp256k1.utils.randomPrivateKey();constpub=secp256k1.getPublicKey(priv);constmsg=newUint8Array(32).fill(1);// message hash (not message) in ecdsaconstsig=secp256k1.sign(msg,priv);// `{prehash: true}` option is availableconstisValid=secp256k1.verify(sig,msg,pub)===true;// hex strings are also supported besides Uint8Array-s:constprivHex='46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236';constpub2=secp256k1.getPublicKey(privHex);// public key recovery// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex)// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der formatsig.recoverPublicKey(msg).toRawBytes();// === pub; // public key recovery

The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).

Hedged ECDSA with noise

constnoisySignature=secp256k1.sign(msg,priv,{extraEntropy:true});constent=newUint8Array(32).fill(3);// set custom entropyconstnoisySignature2=secp256k1.sign(msg,priv,{extraEntropy:ent});

Hedged ECDSA is add-on, providing improved protection against fault attacks.It adds noise to signatures. The technique is used by default in BIP340; we also implement themoptionally for ECDSA. Check out blog postDeterministic signatures are not your friendsandspec draft.

ECDH: Diffie-Hellman shared secrets

constsomeonesPub=secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());constshared=secp256k1.getSharedSecret(priv,someonesPub);// NOTE:// - `shared` includes parity byte: strip it using shared.slice(1)// - `shared` is not hashed: more secure way is sha256(shared) or hkdf(shared)

secp256k1 Schnorr signatures from BIP340

import{schnorr}from'@noble/curves/secp256k1.js';constpriv=schnorr.utils.randomPrivateKey();constpub=schnorr.getPublicKey(priv);constmsg=newTextEncoder().encode('hello');constsig=schnorr.sign(msg,priv);constisValid=schnorr.verify(sig,msg,pub);

ed25519

import{ed25519}from'@noble/curves/ed25519.js';constpriv=ed25519.utils.randomPrivateKey();constpub=ed25519.getPublicKey(priv);constmsg=newTextEncoder().encode('hello');constsig=ed25519.sign(msg,priv);ed25519.verify(sig,msg,pub);// Default mode: follows ZIP215ed25519.verify(sig,msg,pub,{zip215:false});// SBS / e-voting / RFC8032 / FIPS 186-5// Variants from RFC8032: with context, prehashedimport{ed25519ctx,ed25519ph}from'@noble/curves/ed25519.js';

Defaultverify behavior follows ZIP215 andcan be used in consensus-critical applications.If you need SBS (Strongly Binding Signatures) and FIPS 186-5 compliance,usezip215: false. Check outEdwards Signatures section for more info.Both options have SUF-CMA (strong unforgeability under chosen message attacks).

X25519

// X25519 aka ECDH on Curve25519 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)import{x25519}from'@noble/curves/ed25519.js';constpriv='a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';constpub='e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';x25519.getSharedSecret(priv,pub)===x25519.scalarMult(priv,pub);// aliasesx25519.getPublicKey(priv)===x25519.scalarMultBase(priv);x25519.getPublicKey(x25519.utils.randomPrivateKey());// ed25519 => x25519 conversionimport{edwardsToMontgomeryPub,edwardsToMontgomeryPriv}from'@noble/curves/ed25519.js';edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());

ristretto255

import{sha512}from'@noble/hashes/sha2.js';import{hashToCurve,encodeToCurve,RistrettoPoint,hashToRistretto255,}from'@noble/curves/ed25519.js';constmsg=newTextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');hashToCurve(msg);constrp=RistrettoPoint.fromHex('6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919');RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();RistrettoPoint.ZERO.equals(dp)===false;// pre-hashed hash-to-curveRistrettoPoint.hashToCurve(sha512(msg));// full hash-to-curve including domain separation taghashToRistretto255(msg,{DST:'ristretto255_XMD:SHA-512_R255MAP_RO_'});

Check outRFC9496 more info on ristretto255.

ed448

import{ed448}from'@noble/curves/ed448.js';constpriv=ed448.utils.randomPrivateKey();constpub=ed448.getPublicKey(priv);constmsg=newTextEncoder().encode('whatsup');constsig=ed448.sign(msg,priv);ed448.verify(sig,msg,pub);// Variants from RFC8032: prehashedimport{ed448ph}from'@noble/curves/ed448.js';

X448

// X448 aka ECDH on Curve448 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)import{x448}from'@noble/curves/ed448.js';x448.getSharedSecret(priv,pub)===x448.scalarMult(priv,pub);// aliasesx448.getPublicKey(priv)===x448.scalarMultBase(priv);// ed448 => x448 conversionimport{edwardsToMontgomeryPub}from'@noble/curves/ed448.js';edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));

decaf448

// decaf448 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)import{shake256}from'@noble/hashes/sha3.js';import{hashToCurve,encodeToCurve,DecafPoint,hashToDecaf448}from'@noble/curves/ed448.js';constmsg=newTextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');hashToCurve(msg);constdp=DecafPoint.fromHex('c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75');DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();DecafPoint.ZERO.equals(dp)===false;// pre-hashed hash-to-curveDecafPoint.hashToCurve(shake256(msg,{dkLen:112}));// full hash-to-curve including domain separation taghashToDecaf448(msg,{DST:'decaf448_XOF:SHAKE256_D448MAP_RO_'});

Check outRFC9496 more info on decaf448.

bls12-381

import{bls12_381}from'@noble/curves/bls12-381.js';import{hexToBytes}from'@noble/curves/abstract/utils.js';// private keys are 32 bytesconstprivKey=hexToBytes('67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c');// const privKey = bls12_381.utils.randomPrivateKey();// Long signatures (G2), short public keys (G1)constblsl=bls12_381.longSignatures;constpublicKey=blsl.getPublicKey(privateKey);// Sign msg with custom (Ethereum) DSTconstmsg=newTextEncoder().encode('hello');constDST='BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_';constmsgp=blsl.hash(msg,DST);constsignature=blsl.sign(msgp,privateKey);constisValid=blsl.verify(signature,msgp,publicKey);console.log({ publicKey, signature, isValid});// Short signatures (G1), long public keys (G2)constblss=bls12_381.shortSignatures;constpublicKey2=blss.getPublicKey(privateKey);constmsgp2=blss.hash(newTextEncoder().encode('hello'),'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_')constsignature2=blss.sign(msgp2,privateKey);constisValid2=blss.verify(signature2,msgp2,publicKey);console.log({ publicKey2, signature2, isValid2});// AggregationconstaggregatedKey=bls12_381.longSignatures.aggregatePublicKeys([bls12_381.utils.randomPrivateKey(),bls12_381.utils.randomPrivateKey(),]);// const aggregatedSig = bls.aggregateSignatures(sigs)// Pairings, with and without final exponentiation// bls.pairing(PointG1, PointG2);// bls.pairing(PointG1, PointG2, false);// bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2));// Others// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE;// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr;

Seeabstract/bls.For example usage, check outthe implementation of BLS EVM precompiles.

bn254 aka alt_bn128

import{bn254}from'@noble/curves/bn254.js';console.log(bn254.G1,bn254.G2,bn254.pairing);

The API mirrorsBLS. The curve was previously called alt_bn128.The implementation is compatible withEIP-196 andEIP-197.

We don't implement Point methods toHex / toRawBytes.To work around this limitation, has to initialize points on their own from BigInts.Reason it's not implemented is becausethere is no standard.Points of divergence:

Endianness: LE vs BE (byte-swapped)
Flags as first hex bits (similar to BLS) vs no-flags
Imaginary part last in G2 vs first (c0, c1 vs c1, c0)

For example usage, check outthe implementation of bn254 EVM precompiles.

misc curves

import{jubjub,babyjubjub}from'@noble/curves/misc.js';

Miscellaneous, rarely used curves are contained in the module.Jubjub curves have Fp over scalar fields of other curves. They are friendly to ZK proofs.jubjub Fp = bls n. babyjubjub Fp = bn254 n.

Abstract API

Abstract API allows to define custom curves. All arithmetics is done with JSbigints over finite fields, which is defined frommodular sub-module.For scalar multiplication, we useprecomputed tables with w-ary non-adjacent form (wNAF).Precomputes are enabled for weierstrass and edwards BASE points of a curve.Implementations usenoble-hashes.It's always possible to use different hashing library.

weierstrass: Short Weierstrass curve

import{weierstrass}from'@noble/curves/abstract/weierstrass.js';// NIST secp192r1 aka p192. https://www.secg.org/sec2-v2.pdfconstp192_CURVE={p:0xfffffffffffffffffffffffffffffffeffffffffffffffffn,n:0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,h:1n,a:0xfffffffffffffffffffffffffffffffefffffffffffffffcn,b:0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,Gx:0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,Gy:0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,};constp192_Point=weierstrass(p192_CURVE);

Short Weierstrass curve's formula isy² = x³ + ax + b.weierstrassexpects argumentsa,b, field characteristicp, curve ordern,cofactorh and coordinatesGx,Gy of generator point.

Projective Weierstrass Point

// # weierstrass Point methods// projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)// const p = new Point(x, y, z);constp=Point.BASE;// arithmeticsp.add(p).equals(p.double());p.subtract(p).equals(Point.ZERO);p.negate();p.multiply(31415n);// decoding, encodingconstb=p.toBytes();constp2=Point.fromBytes(b);// affine conversionconst{ x, y}=p.toAffine();constp3=Point.fromAffine({ x, y});// Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.// It's 10-30x faster vs naive addition for large amount of points.// Pippenger algorithm is used underneath.constpoints=[Point.BASE,Point.BASE.multiply(2n),Point.BASE.multiply(4n),Point.BASE.multiply(8n)];Point.msm(points,[3n,5n,7n,11n]).equals(Point.BASE.multiply(129n));// 129*G

ECDSA signatures

import{ecdsa}from'@noble/curves/abstract/weierstrass.js';import{sha256}from'@noble/hashes/sha2.js';constp192=ecdsa(p192_Point,sha256);constpriv=p192.utils.randomPrivateKey();constpub=p192.getPublicKey(priv);constmsg=sha256(newTextEncoder().encode('custom curve'));constsig=p192.sign(msg);constisValid=p192.verify(sig,msg,pub);

ECDSA signatures:

Are represented bySignature instances withr, s and optionalrecovery properties
HaverecoverPublicKey(),toBytes() with optionalformat: 'compact' | 'der'
Can be prehashed, or non-prehashed:
- sign(msgHash, privKey) (default, prehash: false) - you did hashing before
- sign(msg, privKey, {prehash: true}) - curves will do hashing for you
Are generated deterministically, followingRFC6979.
- Considerhedged ECDSA with noise for adding randomness intofor signatures, to get improved security against fault attacks.

edwards: Twisted Edwards curve

import{edwards}from'@noble/curves/abstract/edwards.js';consted25519_CURVE={p:0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,n:0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,h:8n,a:0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,d:0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,Gx:0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,Gy:0x6666666666666666666666666666666666666666666666666666666666666658n,};consted25519_Point=edwards(ed25519_CURVE);

Twisted Edwards curve's formula isax² + y² = 1 + dx²y².You must specifya,d, field characteristicp, curve ordern (sometimes named asL),cofactorh and coordinatesGx,Gy of generator point.

Extended Edwards Point

constPoint=ed25519_Point;// extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)// const p = new Point(x, y, z, t);constp=Point.BASE;// arithmeticsp.add(p).equals(p.double());p.subtract(p).equals(Point.ZERO);p.negate();p.multiply(31415n);// decoding, encodingconstb=p.toBytes();constp2=Point.fromBytes(b);// on-curve testp.assertValidity();// affine conversionconst{ x, y}=p.toAffine();constp3=Point.fromAffine({ x, y});// miscconstpcl=p.clearCofactor();console.log(p.isTorsionFree(),p.isSmallOrder());

EdDSA signatures

consted25519=eddsa(ed25519_Point,{hash:sha512});// ed25519.getPublicKey();// ed25519.sign();// ed25519.verify();

We define ed25519, ed448; user can use custom curves with EdDSA,but EdDSA in general is not defined. Check outedwards.ts source code.

For EdDSA signatures:

zip215: true is default behavior. It has slightly looser verification logicto beconsensus-friendly, followingZIP215 rules
zip215: false switches verification criteria to strictRFC8032 /FIPS 186-5and additionally providesnon-repudiation with SBS,which is useful for:
- Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
- E-voting: malicious voters may pick keys that allow repudiation in order to deny results
- Blockchains: transaction of amount X might also be valid for a different amount Y
Both modes have SUF-CMA (strong unforgeability under chosen message attacks).

montgomery: Montgomery curve

The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.Proper Elliptic Curve Points are not implemented yet.

bls: Barreto-Lynn-Scott curves

The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.They allow to constructzk-SNARKs anduse aggregated, batch-verifiablethreshold signatures,using Boneh-Lynn-Shacham signature scheme.

The module doesn't exposeCURVE property: useG1.CURVE,G2.CURVE instead.Only BLS12-381 is currently implemented.Defining BLS12-377 and BLS24 should be straightforward.

The default BLS uses short public keys (with public keys in G1 and signatures in G2).Short signatures (public keys in G2 and signatures in G1) are also supported.

hash-to-curve: Hashing strings to curve points

The module allows to hash arbitrary strings to elliptic curve points. ImplementsRFC 9380.

Every curve has exportedhashToCurve andencodeToCurve methods. You should always preferhashToCurve for security:

import{hashToCurve,encodeToCurve}from'@noble/curves/secp256k1.js';import{randomBytes}from'@noble/hashes/utils.js';hashToCurve('0102abcd');console.log(hashToCurve(randomBytes()));console.log(encodeToCurve(randomBytes()));import{bls12_381}from'@noble/curves/bls12-381.js';bls12_381.G1.hashToCurve(randomBytes(),{DST:'another'});bls12_381.G2.hashToCurve(randomBytes(),{DST:'custom'});

Low-level methods from the spec:

// produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.functionexpand_message_xmd(msg:Uint8Array,DST:Uint8Array,lenInBytes:number,H:CHash// For CHash see abstract/weierstrass docs section):Uint8Array;// produces a uniformly random byte string using an extendable-output function (XOF) H.functionexpand_message_xof(msg:Uint8Array,DST:Uint8Array,lenInBytes:number,k:number,H:CHash):Uint8Array;// Hashes arbitrary-length byte strings to a list of one or more elements of a finite field Ffunctionhash_to_field(msg:Uint8Array,count:number,options:Opts):bigint[][];/** * * `DST` is a domain separation tag, defined in section 2.2.5 * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m * * `m` is extension degree (1 for prime fields) * * `k` is the target security target in bits (e.g. 128), from section 5.1 * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF) * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props */typeUnicodeOrBytes=string|Uint8Array;typeOpts={DST:UnicodeOrBytes;p:bigint;m:number;k:number;expand?:'xmd'|'xof';hash:CHash;};

poseidon: Poseidon hash

ImplementsPoseidon ZK-friendly hash:permutation and sponge.

There are many poseidon variants with different constants.We don't provide them: you should construct them manually.Check outscure-starknet package for a proper example.

import{poseidon,poseidonSponge}from'@noble/curves/abstract/poseidon.js';constrate=2;constcapacity=1;const{ mds, roundConstants}=poseidon.grainGenConstants({  Fp,t:rate+capacity,roundsFull:8,roundsPartial:31,});constopts={  Fp,  rate,  capacity,sboxPower:17,  mds,  roundConstants,roundsFull:8,roundsPartial:31,};constpermutation=poseidon.poseidon(opts);constsponge=poseidon.poseidonSponge(opts);// use carefully, not specced

modular: Modular arithmetics utilities

import*asmodfrom'@noble/curves/abstract/modular.js';// Finite Field utilsconstfp=mod.Field(2n**255n-19n);// Finite field over 2^255-19fp.mul(591n,932n);// multiplicationfp.pow(481n,11024858120n);// exponentiationfp.div(5n,17n);// division: 5/17 mod 2^255-19 == 5 * invert(17)fp.inv(5n);// modular inversefp.sqrt(21n);// square root// Non-Field generic utils are also availablemod.mod(21n,10n);// 21 mod 10 == 1n; fixed version of 21 % 10mod.invert(17n,10n);// invert(17) mod 10; modular multiplicative inversemod.invertBatch([1n,2n,4n],21n);// => [1n, 11n, 16n] in one inversion

Field operations are not constant-time: they are using JS bigints, seesecurity.The fact is mostly irrelevant, but the important method to keep in mind ispow,which may leak exponent bits, when used naïvely.

mod.Field is alwaysfield over prime number. Non-prime fields aren't supported for now.We don't test for prime-ness for speed and because algorithms are probabilistic anyway.Initializing a non-prime field could make your app suspectible toDoS (infilite loop) on Tonelli-Shanks square root calculation.

Unlikemod.inv,mod.invertBatch won't throw on0: make sure to throw an error yourself.

fft: Fast Fourier Transform

Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.API may change at any time. The code has not been audited. Feature requests are welcome.

import*asfftfrom'@noble/curves/abstract/fft.js';

Creating private keys from hashes

You can't simply make a 32-byte private key from a 32-byte hash.Doing so will make the keybiased.

To make the bias negligible, we followFIPS 186-5 A.2andRFC 9380.This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.

hashToPrivateScalar() that hashes toprivate key was created for this purpose.Useabstract/hash-to-curveif you need to hash topublic key.

import{p256}from'@noble/curves/nist.js';import{sha256}from'@noble/hashes/sha2.js';import{hkdf}from'@noble/hashes/hkdf.js';import*asmodfrom'@noble/curves/abstract/modular.js';constsomeKey=newUint8Array(32).fill(2);// Needs to actually be random, not .fill(2)constderived=hkdf(sha256,someKey,undefined,'application',48);// 48 bytes for 32-byte privconstvalidPrivateKey=mod.hashToPrivateScalar(derived,p256.CURVE.n);

utils: Useful utilities

import*asutilsfrom'@noble/curves/abstract/utils.js';utils.bytesToHex(Uint8Array.from([0xde,0xad,0xbe,0xef]));utils.hexToBytes('deadbeef');utils.numberToHexUnpadded(123n);utils.hexToNumber();utils.bytesToNumberBE(Uint8Array.from([0xde,0xad,0xbe,0xef]));utils.bytesToNumberLE(Uint8Array.from([0xde,0xad,0xbe,0xef]));utils.numberToBytesBE(123n,32);utils.numberToBytesLE(123n,64);utils.concatBytes(Uint8Array.from([0xde,0xad]),Uint8Array.from([0xbe,0xef]));utils.nLength(255n);utils.equalBytes(Uint8Array.from([0xde]),Uint8Array.from([0xde]));

Security

The library has been independently audited:

at version 1.6.0, in Sep 2024, byCure53
- PDFs:website,in-repo
- Changes since audit
- Scope: ed25519, ed448, their add-ons, bls12-381, bn254,hash-to-curve, low-level primitives bls, tower, edwards, montgomery.
- The audit has been funded byOpenSats
at version 1.2.0, in Sep 2023, byKudelski Security
- PDFs:in-repo
- Changes since audit
- Scope:scure-starknet and its relatedabstract modules of noble-curves:curve,modular,poseidon,weierstrass
- The audit has been funded byStarkware
at version 0.7.3, in Feb 2023, byTrail of Bits
- PDFs:website,in-repo
- Changes since audit
- Scope: abstract modulescurve,hash-to-curve,modular,poseidon,utils,weierstrass andtop-level modules_shortw_utils andsecp256k1
- The audit has been funded byRyan Shea

It is tested against property-based, cross-library and Wycheproof vectors,and is being fuzzed inthe separate repo.

If you see anything unusual: investigate and report.

Constant-timeness

We're targetting algorithmic constant time.JIT-compiler andGarbage Collector make "constant time"extremely hard to achievetiming attack resistancein a scripting language. Which meansany other JS library can't haveconstant-timeness. Even statically typed Rust, a language without GC,makes it harder to achieve constant-timefor some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.Use low-level libraries & languages.

Memory dumping

Use low-level languages instead of JS / WASM if your goal is absolute security.

The library mostly uses Uint8Arrays and bigints.

Uint8Arrays have.fill(0) which instructs to fill content with zeroesbut there are no guarantees in JS
bigints are immutable and don't have a method to zeroize their content:a user needs to wait until the next garbage collection cycle
hex strings are also immutable: there is no way to zeroize them
await fn() will write all internal variables to memory. Withasync functions there are no guarantees when the codechunk would be executed. Which means attacker can haveplenty of time to read data from memory.

This means some secrets could stay in memory longer than anticipated.However, if an attacker can read application memory, it's doomed anyway:there is no way to guarantee anything about zeroizing sensitive data withoutcomplex tests-suite which will dump process memory and verify that there isno sensitive data left. For JS it means testing all browsers (including mobile).And, of course, it will be useless without using the sametest-suite in the actual application that consumes the library.

Supply chain security

Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
Releases are transparent and built on GitHub CI. Make sure to verifyprovenance logs
- Use GitHub CLI to verify single-file builds:gh attestation verify --owner paulmillr noble-curves.js
Rare releasing is followed to ensure less re-audit need for end-users
Dependencies are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
- We make sure to use as few dependencies as possible
- Automatic dep updates are prevented by locking-down version ranges; diffs are checked withnpm-diff
Dev Dependencies are disabled for end-users; they are only used to develop / build the source code

For this package, there is 1 dependency; and a few dev dependencies:

noble-hashes provides cryptographic hashing functionality
micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size

Randomness

We're deferring to built-incrypto.getRandomValueswhich is considered cryptographically secure (CSPRNG).

In the past, browsers had bugs that made it weak: it may happen again.Implementing a userspace CSPRNG to get resilient to the weaknessis even worse: there is no reliable userspace source of quality entropy.

Quantum computers

Cryptographically relevant quantum computer, if built, will allow tobreak elliptic curve cryptography (both ECDSA / EdDSA & ECDH) using Shor's algorithm.

Consider switching to newer / hybrid algorithms, such as SPHINCS+. They are available innoble-post-quantum.

NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH)after 2035. Australian ASD prohibits itafter 2030.

Speed

npm run bench:install&& npm run bench

noble-curves spends 10+ ms to generate 20MB+ of base point precomputes.This is doneone-time per curve.

The generation is deferred until any method (pubkey, sign, verify) is called.User can force precompute generation by manually callingPoint.BASE.precompute(windowSize, false).Check out the source code.

Benchmark results on Apple M4:

# secp256k1init 10msgetPublicKey x 9,099 ops/sec @ 109μs/opsign x 7,182 ops/sec @ 139μs/opverify x 1,188 ops/sec @ 841μs/opgetSharedSecret x 735 ops/sec @ 1ms/oprecoverPublicKey x 1,265 ops/sec @ 790μs/opschnorr.sign x 957 ops/sec @ 1ms/opschnorr.verify x 1,210 ops/sec @ 825μs/op# ed25519init 14msgetPublicKey x 14,216 ops/sec @ 70μs/opsign x 6,849 ops/sec @ 145μs/opverify x 1,400 ops/sec @ 713μs/op# ed448init 37msgetPublicKey x 5,273 ops/sec @ 189μs/opsign x 2,494 ops/sec @ 400μs/opverify x 476 ops/sec @ 2ms/op# p256init 17msgetPublicKey x 8,977 ops/sec @ 111μs/opsign x 7,236 ops/sec @ 138μs/opverify x 877 ops/sec @ 1ms/op# p384init 42msgetPublicKey x 4,084 ops/sec @ 244μs/opsign x 3,247 ops/sec @ 307μs/opverify x 331 ops/sec @ 3ms/op# p521init 83msgetPublicKey x 2,049 ops/sec @ 487μs/opsign x 1,748 ops/sec @ 571μs/opverify x 170 ops/sec @ 5ms/op# ristretto255add x 931,966 ops/sec @ 1μs/opmultiply x 15,444 ops/sec @ 64μs/opencode x 21,367 ops/sec @ 46μs/opdecode x 21,715 ops/sec @ 46μs/op# decaf448add x 478,011 ops/sec @ 2μs/opmultiply x 416 ops/sec @ 2ms/opencode x 8,562 ops/sec @ 116μs/opdecode x 8,636 ops/sec @ 115μs/op# ECDHx25519 x 1,981 ops/sec @ 504μs/opx448 x 743 ops/sec @ 1ms/opsecp256k1 x 728 ops/sec @ 1ms/opp256 x 705 ops/sec @ 1ms/opp384 x 268 ops/sec @ 3ms/opp521 x 137 ops/sec @ 7ms/op# hash-to-curvehashToPrivateScalar x 1,754,385 ops/sec @ 570ns/ophash_to_field x 135,703 ops/sec @ 7μs/ophashToCurve secp256k1 x 3,194 ops/sec @ 313μs/ophashToCurve p256 x 5,962 ops/sec @ 167μs/ophashToCurve p384 x 2,230 ops/sec @ 448μs/ophashToCurve p521 x 1,063 ops/sec @ 940μs/ophashToCurve ed25519 x 4,047 ops/sec @ 247μs/ophashToCurve ed448 x 1,691 ops/sec @ 591μs/ophash_to_ristretto255 x 8,733 ops/sec @ 114μs/ophash_to_decaf448 x 3,882 ops/sec @ 257μs/op# modular over secp256k1 P fieldinvert a x 866,551 ops/sec @ 1μs/opinvert b x 693,962 ops/sec @ 1μs/opsqrt p = 3 mod 4 x 25,738 ops/sec @ 38μs/opsqrt tonneli-shanks x 847 ops/sec @ 1ms/op# bls12-381init 22msgetPublicKey x 1,325 ops/sec @ 754μs/opsign x 80 ops/sec @ 12ms/opverify x 62 ops/sec @ 15ms/oppairing x 166 ops/sec @ 6ms/oppairing10 x 54 ops/sec @ 18ms/op ± 23.48% (15ms..36ms)MSM 4096 scalars x points 3286msaggregatePublicKeys/8 x 173 ops/sec @ 5ms/opaggregatePublicKeys/32 x 46 ops/sec @ 21ms/opaggregatePublicKeys/128 x 11 ops/sec @ 84ms/opaggregatePublicKeys/512 x 2 ops/sec @ 335ms/opaggregatePublicKeys/2048 x 0 ops/sec @ 1346ms/opaggregateSignatures/8 x 82 ops/sec @ 12ms/opaggregateSignatures/32 x 21 ops/sec @ 45ms/opaggregateSignatures/128 x 5 ops/sec @ 178ms/opaggregateSignatures/512 x 1 ops/sec @ 705ms/opaggregateSignatures/2048 x 0 ops/sec @ 2823ms/op

Upgrading

Supported node.js versions:

v2: v20.19+ (ESM-only)
v1: v14.21+ (ESM & CJS)

curves v1 => curves v2

WIP. Changelog of v2, when upgrading from curves v1.

noble-secp256k1 v1 => curves v1

Previously, the library was split into single-feature packagesnoble-secp256k1,noble-ed25519 andnoble-bls12-381.

Curves continue their original work. The single-feature packages changed theirdirection towards providing minimal 4kb implementations of cryptography,which means they have less features.

getPublicKey
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, setargumentisCompressed tofalse:getPublicKey(priv, false)
sign
- is now sync
- now returnsSignature instance with{ r, s, recovery } properties
- canonical option was renamed tolowS
- recovered option has been removed because recovery bit is always returned now
- der option has been removed. There are 2 options:
  1. Use compact encoding:fromCompact,toCompactRawBytes,toCompactHex.Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
  2. If you must use DER encoding, switch to noble-curves (see above).
verify
- is now sync
- strict option was renamed tolowS
getSharedSecret
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, setargumentisCompressed tofalse:getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec) was changed tosig.recoverPublicKey(msg)
number type for private keys have been removed: usebigint instead
Point (2d xy) has been changed toProjectivePoint (3d xyz)
utils were split intoutils (same api as in noble-curves) andetc (hmacSha256Sync and others)

noble-ed25519 v1 => curves v1

Upgrading from@noble/ed25519 1.7:

Methods are now sync by default
bigint is no longer allowed ingetPublicKey,sign,verify. Reason: ed25519 is LE, can lead to bugs
Point (2d xy) has been changed toExtendedPoint (xyzt)
Signature was removed: just use raw bytes or hex now
utils were split intoutils (same api as in noble-curves) andetc (sha512Sync and others)
getSharedSecret was moved tox25519 module
toX25519 has been moved toedwardsToMontgomeryPub andedwardsToMontgomeryPriv methods

noble-bls12-381 => curves v1

Upgrading from@noble/bls12-381:

Methods and classes were renamed:
- PointG1 -> G1.Point, PointG2 -> G2.Point
- PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
Fp2 ORDER was corrected

Contributing & testing

npm install && npm run build && npm test will build the code and run tests.
npm run lint /npm run format will run linter / fix linter issues.
npm run bench will run benchmarks, which may need their deps first (npm run bench:install)
npm run build:release will build single file

Check outgithub.com/paulmillr/guidelinesfor general coding practices and rules.

Seepaulmillr.com/noblefor useful resources, articles, documentation and demosrelated to the library.

MuSig2 signature scheme and BIP324 ElligatorSwift mapping for secp256k1are availablein a separate package.