Add internal curve checking, using BigInt

Author: reardencode

src/types.d.ts

@@ -1,8 +1,7 @@
 /// <reference types="node" />
 export declare const typeforce: any;
-declare function isFieldElement(c: Buffer | number | undefined | null): boolean;
-export declare const isXOnlyPoint: typeof isFieldElement;
 export declare function isPoint(p: Buffer | number | undefined | null): boolean;
+export declare function isXOnlyPoint(p: Buffer | number | undefined | null): boolean;
 export declare function UInt31(value: number): boolean;
 export declare function BIP32Path(value: string): boolean;
 export declare namespace BIP32Path {
@@ -30,7 +29,6 @@ export declare function isTapleaf(o: any): o is Tapleaf;
 export declare type Taptree = [Taptree | Tapleaf, Taptree | Tapleaf] | Tapleaf;
 export declare function isTaptree(scriptTree: any): scriptTree is Taptree;
 export interface TinySecp256k1Interface {
-    isXOnlyPoint(p: Uint8Array): boolean;
     xOnlyPointAddTweak(p: Uint8Array, tweak: Uint8Array): XOnlyPointAddTweakResult | null;
     privateAdd(d: Uint8Array, tweak: Uint8Array): Uint8Array | null;
     privateNegate(d: Uint8Array): Uint8Array;
@@ -52,4 +50,3 @@ export declare const Function: any;
 export declare const BufferN: any;
 export declare const Null: any;
 export declare const oneOf: any;
-export {};

src/types.js

@@ -1,32 +1,69 @@
 'use strict';
 Object.defineProperty(exports, '__esModule', { value: true });
-exports.oneOf = exports.Null = exports.BufferN = exports.Function = exports.UInt32 = exports.UInt8 = exports.tuple = exports.maybe = exports.Hex = exports.Buffer = exports.String = exports.Boolean = exports.Array = exports.Number = exports.Hash256bit = exports.Hash160bit = exports.Buffer256bit = exports.isTaptree = exports.isTapleaf = exports.TAPLEAF_VERSION_MASK = exports.Network = exports.ECPoint = exports.Satoshi = exports.Signer = exports.BIP32Path = exports.UInt31 = exports.isPoint = exports.isXOnlyPoint = exports.typeforce = void 0;
+exports.oneOf = exports.Null = exports.BufferN = exports.Function = exports.UInt32 = exports.UInt8 = exports.tuple = exports.maybe = exports.Hex = exports.Buffer = exports.String = exports.Boolean = exports.Array = exports.Number = exports.Hash256bit = exports.Hash160bit = exports.Buffer256bit = exports.isTaptree = exports.isTapleaf = exports.TAPLEAF_VERSION_MASK = exports.Network = exports.ECPoint = exports.Satoshi = exports.Signer = exports.BIP32Path = exports.UInt31 = exports.isXOnlyPoint = exports.isPoint = exports.typeforce = void 0;
 const buffer_1 = require('buffer');
 exports.typeforce = require('typeforce');
-const ZERO32 = buffer_1.Buffer.alloc(32, 0);
-const EC_P = buffer_1.Buffer.from(
-  'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f',
-  'hex',
+const EC_P = BigInt(
+  `0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f`,
 );
-function isFieldElement(c) {
-  if (!buffer_1.Buffer.isBuffer(c)) return false;
-  if (c.length !== 32) return false;
-  if (c.compare(ZERO32) === 0) return false;
-  if (c.compare(EC_P) >= 0) return false;
-  return true;
+const EC_B = BigInt(7);
+// Idea from noble-secp256k1, to be nice to bad JS parsers
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const _3n = BigInt(3);
+const _4n = BigInt(4);
+const _5n = BigInt(5);
+const _8n = BigInt(8);
+function weistrass(x) {
+  const x2 = (x * x) % EC_P;
+  const x3 = (x2 * x) % EC_P;
+  return (x3 /* + a=0 a*x */ + EC_B) % EC_P;
+}
+// For prime P, the Jacobi symbol is 1 iff a is a quadratic residue mod P
+function jacobiSymbol(a) {
+  let p = EC_P;
+  let sign = 1;
+  while (a > _1n) {
+    if (_0n === a % _2n) {
+      if (_3n === p % _8n || _5n === p % _8n) sign = -sign;
+      a >>= _1n;
+    } else {
+      if (_3n === p % _4n && _3n === a % _4n) sign = -sign;
+      [a, p] = [p % a, a];
+    }
+  }
+  return a === _0n ? 0 : sign > 0 ? 1 : -1;
 }
-exports.isXOnlyPoint = isFieldElement;
 function isPoint(p) {
   if (!buffer_1.Buffer.isBuffer(p)) return false;
   if (p.length < 33) return false;
   const t = p[0];
-  if (!isFieldElement(p.slice(1, 33))) return false;
-  if ((t === 0x02 || t === 0x03) && p.length === 33) return true;
-  if (!isFieldElement(p.slice(33))) return false;
-  if (t === 0x04 && p.length === 65) return true;
-  return false;
+  if (p.length === 33) {
+    return (t === 0x02 || t === 0x03) && isXOnlyPoint(p.slice(1));
+  }
+  if (t !== 0x04 || p.length !== 65) return false;
+  const x = BigInt(`0x${p.slice(1, 33).toString('hex')}`);
+  if (x === _0n) return false;
+  if (x >= EC_P) return false;
+  const y = BigInt(`0x${p.slice(33).toString('hex')}`);
+  if (y === _0n) return false;
+  if (y >= EC_P) return false;
+  const left = (y * y) % EC_P;
+  const right = weistrass(x);
+  return (left - right) % EC_P === _0n;
 }
 exports.isPoint = isPoint;
+function isXOnlyPoint(p) {
+  if (!buffer_1.Buffer.isBuffer(p)) return false;
+  if (p.length !== 32) return false;
+  const x = BigInt(`0x${p.toString('hex')}`);
+  if (x === _0n) return false;
+  if (x >= EC_P) return false;
+  const y2 = weistrass(x);
+  return jacobiSymbol(y2) === 1;
+}
+exports.isXOnlyPoint = isXOnlyPoint;
 const UINT31_MAX = Math.pow(2, 31) - 1;
 function UInt31(value) {
   return exports.typeforce.UInt32(value) && value <= UINT31_MAX;

test/fixtures/p2tr.json

@@ -863,21 +863,21 @@
       "description": "Invalid x coordinate for pubkey in pubkey",
       "exception": "Invalid pubkey for p2tr",
       "arguments": {
-        "pubkey": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        "pubkey": "f136e956540197c21ff3c075d32a6e3c82f1ee1e646cc0f08f51b0b5edafa762"
       }
     },
     {
       "description": "Invalid x coordinate for pubkey in output",
       "exception": "Invalid pubkey for p2tr",
       "arguments": {
-        "output": "OP_1 ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+        "output": "OP_1 f136e956540197c21ff3c075d32a6e3c82f1ee1e646cc0f08f51b0b5edafa762"
       }
     },
     {
       "description": "Invalid x coordinate for pubkey in address",
       "exception": "Invalid pubkey for p2tr",
       "arguments": {
-        "address": "bc1plllllllllllllllllllllllllllllllllllllllllllllllllllsr7rg6v"
+        "address": "bc1p7ymwj4j5qxtuy8lncp6ax2nw8jp0rms7v3kvpuy02xcttmd05a3qmwlnez"
       }
     },
     {
@@ -1007,7 +1007,7 @@
           "9675a9982c6398ea9d441cb7a943bcd6ff033cc3a2e01a0178a7d3be4575be863871c6bf3eef5ecd34721c784259385ca9101c3a313e010ac942c99de05aaaa602",
           "5799cf4b193b730fb99580b186f7477c2cca4d28957326f6f1a5d14116438530e7ec0ce1cd465ad96968ae8a6a09d4d37a060a115919f56fcfebe7b2277cc2df5cc08fb6cda9105ee2512b2e22635aba",
           "7520c7b5db9562078049719228db2ac80cb9643ec96c8055aa3b29c2c03d4d99edb0ac",
-          "c1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff68f9a4ccdffcf778da624dca2dda0b08e763ec52fd4ad403ec7563a3504d0cc168b9a77a410029e01dac89567c9b2e6cd726e840351df3f2f58fefe976200a19244150d04153909f660184d656ee95fa7bf8e1d4ec83da1fca34f64bc279b76d257ec623e08baba2cfa4ea9e99646e88f1eb1668c00c0f15b7443c8ab83481611cc3ae85eb89a7bfc40067eb1d2e6354a32426d0ce710e88bc4cc0718b99c325509c9d02a6a980d675a8969be10ee9bef82cafee2fc913475667ccda37b1bc7f13f64e56c449c532658ba8481631c02ead979754c809584a875951619cec8fb040c33f06468ae0266cd8693d6a64cea5912be32d8de95a6da6300b0c50fdcd6001ea41126e7b7e5280d455054a816560028f5ca53c9a50ee52f10e15c5337315bad1f5277acb109a1418649dc6ead2fe14699742fee7182f2f15e54279c7d932ed2799d01d73c97e68bbc94d6f7f56ee0a80efd7c76e3169e10d1a1ba3b5f1eb02369dc43af687461c7a2a3344d13eb5485dca29a67f16b4cb988923060fd3b65d0f0352bb634bcc44f2fe668836dcd0f604150049835135dc4b4fbf90fb334b3938a1f137eb32f047c65b85e6c1173b890b6d0162b48b186d1f1af8521945924ac8ac8efec321bf34f1d4b3d4a304a10313052c652d53f6ecb8a55586614e8950cde9ab6fe8e22802e93b3b9139112250b80ebc589aba231af535bb20f7eeec2e412f698c17f3fdc0a2e20924a5e38b21a628a9e3b2a61e35958e60c7f5087c"
+          "c14444444444444444453d9e0c9436e8a8a3247fd515095d66ddf6201918b40a3668f9a4ccdffcf778da624dca2dda0b08e763ec52fd4ad403ec7563a3504d0cc168b9a77a410029e01dac89567c9b2e6cd726e840351df3f2f58fefe976200a19244150d04153909f660184d656ee95fa7bf8e1d4ec83da1fca34f64bc279b76d257ec623e08baba2cfa4ea9e99646e88f1eb1668c00c0f15b7443c8ab83481611cc3ae85eb89a7bfc40067eb1d2e6354a32426d0ce710e88bc4cc0718b99c325509c9d02a6a980d675a8969be10ee9bef82cafee2fc913475667ccda37b1bc7f13f64e56c449c532658ba8481631c02ead979754c809584a875951619cec8fb040c33f06468ae0266cd8693d6a64cea5912be32d8de95a6da6300b0c50fdcd6001ea41126e7b7e5280d455054a816560028f5ca53c9a50ee52f10e15c5337315bad1f5277acb109a1418649dc6ead2fe14699742fee7182f2f15e54279c7d932ed2799d01d73c97e68bbc94d6f7f56ee0a80efd7c76e3169e10d1a1ba3b5f1eb02369dc43af687461c7a2a3344d13eb5485dca29a67f16b4cb988923060fd3b65d0f0352bb634bcc44f2fe668836dcd0f604150049835135dc4b4fbf90fb334b3938a1f137eb32f047c65b85e6c1173b890b6d0162b48b186d1f1af8521945924ac8ac8efec321bf34f1d4b3d4a304a10313052c652d53f6ecb8a55586614e8950cde9ab6fe8e22802e93b3b9139112250b80ebc589aba231af535bb20f7eeec2e412f698c17f3fdc0a2e20924a5e38b21a628a9e3b2a61e35958e60c7f5087c"
         ]
       }
     },

ts_src/types.ts

@@ -2,35 +2,73 @@ import { Buffer as NBuffer } from 'buffer';
 
 export const typeforce = require('typeforce');
 
-const ZERO32 = NBuffer.alloc(32, 0);
-const EC_P = NBuffer.from(
-  'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f',
-  'hex',
+const EC_P = BigInt(
+  `0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f`,
 );
-
-function isFieldElement(c: Buffer | number | undefined | null): boolean {
-  if (!NBuffer.isBuffer(c)) return false;
-  if (c.length !== 32) return false;
-  if (c.compare(ZERO32) === 0) return false;
-  if (c.compare(EC_P) >= 0) return false;
-  return true;
+const EC_B = BigInt(7);
+// Idea from noble-secp256k1, to be nice to bad JS parsers
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const _3n = BigInt(3);
+const _4n = BigInt(4);
+const _5n = BigInt(5);
+const _8n = BigInt(8);
+
+function weistrass(x: bigint): bigint {
+  const x2 = (x * x) % EC_P;
+  const x3 = (x2 * x) % EC_P;
+  return (x3 /* + a=0 a*x */ + EC_B) % EC_P;
 }
 
-export const isXOnlyPoint = isFieldElement;
+// For prime P, the Jacobi symbol is 1 iff a is a quadratic residue mod P
+function jacobiSymbol(a: bigint): -1 | 0 | 1 {
+  let p = EC_P;
+  let sign = 1;
+  while (a > _1n) {
+    if (_0n === a % _2n) {
+      if (_3n === p % _8n || _5n === p % _8n) sign = -sign;
+      a >>= _1n;
+    } else {
+      if (_3n === p % _4n && _3n === a % _4n) sign = -sign;
+      [a, p] = [p % a, a];
+    }
+  }
+  return a === _0n ? 0 : sign > 0 ? 1 : -1;
+}
 
 export function isPoint(p: Buffer | number | undefined | null): boolean {
   if (!NBuffer.isBuffer(p)) return false;
   if (p.length < 33) return false;
 
   const t = p[0];
+  if (p.length === 33) {
+    return (t === 0x02 || t === 0x03) && isXOnlyPoint(p.slice(1));
+  }
+
+  if (t !== 0x04 || p.length !== 65) return false;
 
-  if (!isFieldElement(p.slice(1, 33))) return false;
-  if ((t === 0x02 || t === 0x03) && p.length === 33) return true;
+  const x = BigInt(`0x${p.slice(1, 33).toString('hex')}`);
+  if (x === _0n) return false;
+  if (x >= EC_P) return false;
 
-  if (!isFieldElement(p.slice(33))) return false;
-  if (t === 0x04 && p.length === 65) return true;
+  const y = BigInt(`0x${p.slice(33).toString('hex')}`);
+  if (y === _0n) return false;
+  if (y >= EC_P) return false;
 
-  return false;
+  const left = (y * y) % EC_P;
+  const right = weistrass(x);
+  return (left - right) % EC_P === _0n;
+}
+
+export function isXOnlyPoint(p: Buffer | number | undefined | null): boolean {
+  if (!NBuffer.isBuffer(p)) return false;
+  if (p.length !== 32) return false;
+  const x = BigInt(`0x${p.toString('hex')}`);
+  if (x === _0n) return false;
+  if (x >= EC_P) return false;
+  const y2 = weistrass(x);
+  return jacobiSymbol(y2) === 1;
 }
 
 const UINT31_MAX: number = Math.pow(2, 31) - 1;
@@ -106,7 +144,6 @@ export function isTaptree(scriptTree: any): scriptTree is Taptree {
 }
 
 export interface TinySecp256k1Interface {
-  isXOnlyPoint(p: Uint8Array): boolean;
   xOnlyPointAddTweak(
     p: Uint8Array,
     tweak: Uint8Array,