+ a = md5_hh(a, b, c, d, x[i + 5], 4, -378558)
+ d = md5_hh(d, a, b, c, x[i + 8], 11, -2022574463)
+ c = md5_hh(c, d, a, b, x[i + 11], 16, 1839030562)
+ b = md5_hh(b, c, d, a, x[i + 14], 23, -35309556)
+ a = md5_hh(a, b, c, d, x[i + 1], 4, -1530992060)
+ d = md5_hh(d, a, b, c, x[i + 4], 11, 1272893353)
+ c = md5_hh(c, d, a, b, x[i + 7], 16, -155497632)
+ b = md5_hh(b, c, d, a, x[i + 10], 23, -1094730640)
+ a = md5_hh(a, b, c, d, x[i + 13], 4, 681279174)
+ d = md5_hh(d, a, b, c, x[i + 0], 11, -358537222)
+ c = md5_hh(c, d, a, b, x[i + 3], 16, -722521979)
+ b = md5_hh(b, c, d, a, x[i + 6], 23, 76029189)
+ a = md5_hh(a, b, c, d, x[i + 9], 4, -640364487)
+ d = md5_hh(d, a, b, c, x[i + 12], 11, -421815835)
+ c = md5_hh(c, d, a, b, x[i + 15], 16, 530742520)
+ b = md5_hh(b, c, d, a, x[i + 2], 23, -995338651)
+
+ a = md5_ii(a, b, c, d, x[i + 0], 6, -198630844)
+ d = md5_ii(d, a, b, c, x[i + 7], 10, 1126891415)
+ c = md5_ii(c, d, a, b, x[i + 14], 15, -1416354905)
+ b = md5_ii(b, c, d, a, x[i + 5], 21, -57434055)
+ a = md5_ii(a, b, c, d, x[i + 12], 6, 1700485571)
+ d = md5_ii(d, a, b, c, x[i + 3], 10, -1894986606)
+ c = md5_ii(c, d, a, b, x[i + 10], 15, -1051523)
+ b = md5_ii(b, c, d, a, x[i + 1], 21, -2054922799)
+ a = md5_ii(a, b, c, d, x[i + 8], 6, 1873313359)
+ d = md5_ii(d, a, b, c, x[i + 15], 10, -30611744)
+ c = md5_ii(c, d, a, b, x[i + 6], 15, -1560198380)
+ b = md5_ii(b, c, d, a, x[i + 13], 21, 1309151649)
+ a = md5_ii(a, b, c, d, x[i + 4], 6, -145523070)
+ d = md5_ii(d, a, b, c, x[i + 11], 10, -1120210379)
+ c = md5_ii(c, d, a, b, x[i + 2], 15, 718787259)
+ b = md5_ii(b, c, d, a, x[i + 9], 21, -343485551)
+
+ a = safe_add(a, olda)
+ b = safe_add(b, oldb)
+ c = safe_add(c, oldc)
+ d = safe_add(d, oldd)
+ }
+
+ return [a, b, c, d]
+}
+
+/*
+ * These functions implement the four basic operations the algorithm uses.
+ */
+function md5_cmn (q, a, b, x, s, t) {
+ return safe_add(bit_rol(safe_add(safe_add(a, q), safe_add(x, t)), s), b)
+}
+
+function md5_ff (a, b, c, d, x, s, t) {
+ return md5_cmn((b & c) | ((~b) & d), a, b, x, s, t)
+}
+
+function md5_gg (a, b, c, d, x, s, t) {
+ return md5_cmn((b & d) | (c & (~d)), a, b, x, s, t)
+}
+
+function md5_hh (a, b, c, d, x, s, t) {
+ return md5_cmn(b ^ c ^ d, a, b, x, s, t)
+}
+
+function md5_ii (a, b, c, d, x, s, t) {
+ return md5_cmn(c ^ (b | (~d)), a, b, x, s, t)
+}
+
+/*
+ * Add integers, wrapping at 2^32. This uses 16-bit operations internally
+ * to work around bugs in some JS interpreters.
+ */
+function safe_add (x, y) {
+ var lsw = (x & 0xFFFF) + (y & 0xFFFF)
+ var msw = (x >> 16) + (y >> 16) + (lsw >> 16)
+ return (msw << 16) | (lsw & 0xFFFF)
+}
+
+/*
+ * Bitwise rotate a 32-bit number to the left.
+ */
+function bit_rol (num, cnt) {
+ return (num << cnt) | (num >>> (32 - cnt))
+}
+
+module.exports = function md5 (buf) {
+ return makeHash(buf, core_md5)
+}
+
+},{"./make-hash":88}],90:[function(require,module,exports){
+'use strict'
+var inherits = require('inherits')
+var Legacy = require('./legacy')
+var Base = require('cipher-base')
+var Buffer = require('safe-buffer').Buffer
+var md5 = require('create-hash/md5')
+var RIPEMD160 = require('ripemd160')
+
+var sha = require('sha.js')
+
+var ZEROS = Buffer.alloc(128)
+
+function Hmac (alg, key) {
+ Base.call(this, 'digest')
+ if (typeof key === 'string') {
+ key = Buffer.from(key)
+ }
+
+ var blocksize = (alg === 'sha512' || alg === 'sha384') ? 128 : 64
+
+ this._alg = alg
+ this._key = key
+ if (key.length > blocksize) {
+ var hash = alg === 'rmd160' ? new RIPEMD160() : sha(alg)
+ key = hash.update(key).digest()
+ } else if (key.length < blocksize) {
+ key = Buffer.concat([key, ZEROS], blocksize)
+ }
+
+ var ipad = this._ipad = Buffer.allocUnsafe(blocksize)
+ var opad = this._opad = Buffer.allocUnsafe(blocksize)
+
+ for (var i = 0; i < blocksize; i++) {
+ ipad[i] = key[i] ^ 0x36
+ opad[i] = key[i] ^ 0x5C
+ }
+ this._hash = alg === 'rmd160' ? new RIPEMD160() : sha(alg)
+ this._hash.update(ipad)
+}
+
+inherits(Hmac, Base)
+
+Hmac.prototype._update = function (data) {
+ this._hash.update(data)
+}
+
+Hmac.prototype._final = function () {
+ var h = this._hash.digest()
+ var hash = this._alg === 'rmd160' ? new RIPEMD160() : sha(this._alg)
+ return hash.update(this._opad).update(h).digest()
+}
+
+module.exports = function createHmac (alg, key) {
+ alg = alg.toLowerCase()
+ if (alg === 'rmd160' || alg === 'ripemd160') {
+ return new Hmac('rmd160', key)
+ }
+ if (alg === 'md5') {
+ return new Legacy(md5, key)
+ }
+ return new Hmac(alg, key)
+}
+
+},{"./legacy":91,"cipher-base":86,"create-hash/md5":89,"inherits":121,"ripemd160":127,"safe-buffer":128,"sha.js":130}],91:[function(require,module,exports){
+'use strict'
+var inherits = require('inherits')
+var Buffer = require('safe-buffer').Buffer
+
+var Base = require('cipher-base')
+
+var ZEROS = Buffer.alloc(128)
+var blocksize = 64
+
+function Hmac (alg, key) {
+ Base.call(this, 'digest')
+ if (typeof key === 'string') {
+ key = Buffer.from(key)
+ }
+
+ this._alg = alg
+ this._key = key
+
+ if (key.length > blocksize) {
+ key = alg(key)
+ } else if (key.length < blocksize) {
+ key = Buffer.concat([key, ZEROS], blocksize)
+ }
+
+ var ipad = this._ipad = Buffer.allocUnsafe(blocksize)
+ var opad = this._opad = Buffer.allocUnsafe(blocksize)
+
+ for (var i = 0; i < blocksize; i++) {
+ ipad[i] = key[i] ^ 0x36
+ opad[i] = key[i] ^ 0x5C
+ }
+
+ this._hash = [ipad]
+}
+
+inherits(Hmac, Base)
+
+Hmac.prototype._update = function (data) {
+ this._hash.push(data)
+}
+
+Hmac.prototype._final = function () {
+ var h = this._alg(Buffer.concat(this._hash))
+ return this._alg(Buffer.concat([this._opad, h]))
+}
+module.exports = Hmac
+
+},{"cipher-base":86,"inherits":121,"safe-buffer":128}],92:[function(require,module,exports){
+var assert = require('assert')
+var BigInteger = require('bigi')
+
+var Point = require('./point')
+
+function Curve (p, a, b, Gx, Gy, n, h) {
+ this.p = p
+ this.a = a
+ this.b = b
+ this.G = Point.fromAffine(this, Gx, Gy)
+ this.n = n
+ this.h = h
+
+ this.infinity = new Point(this, null, null, BigInteger.ZERO)
+
+ // result caching
+ this.pOverFour = p.add(BigInteger.ONE).shiftRight(2)
+
+ // determine size of p in bytes
+ this.pLength = Math.floor((this.p.bitLength() + 7) / 8)
+}
+
+Curve.prototype.pointFromX = function (isOdd, x) {
+ var alpha = x.pow(3).add(this.a.multiply(x)).add(this.b).mod(this.p)
+ var beta = alpha.modPow(this.pOverFour, this.p) // XXX: not compatible with all curves
+
+ var y = beta
+ if (beta.isEven() ^ !isOdd) {
+ y = this.p.subtract(y) // -y % p
+ }
+
+ return Point.fromAffine(this, x, y)
+}
+
+Curve.prototype.isInfinity = function (Q) {
+ if (Q === this.infinity) return true
+
+ return Q.z.signum() === 0 && Q.y.signum() !== 0
+}
+
+Curve.prototype.isOnCurve = function (Q) {
+ if (this.isInfinity(Q)) return true
+
+ var x = Q.affineX
+ var y = Q.affineY
+ var a = this.a
+ var b = this.b
+ var p = this.p
+
+ // Check that xQ and yQ are integers in the interval [0, p - 1]
+ if (x.signum() < 0 || x.compareTo(p) >= 0) return false
+ if (y.signum() < 0 || y.compareTo(p) >= 0) return false
+
+ // and check that y^2 = x^3 + ax + b (mod p)
+ var lhs = y.square().mod(p)
+ var rhs = x.pow(3).add(a.multiply(x)).add(b).mod(p)
+ return lhs.equals(rhs)
+}
+
+/**
+ * Validate an elliptic curve point.
+ *
+ * See SEC 1, section 3.2.2.1: Elliptic Curve Public Key Validation Primitive
+ */
+Curve.prototype.validate = function (Q) {
+ // Check Q != O
+ assert(!this.isInfinity(Q), 'Point is at infinity')
+ assert(this.isOnCurve(Q), 'Point is not on the curve')
+
+ // Check nQ = O (where Q is a scalar multiple of G)
+ var nQ = Q.multiply(this.n)
+ assert(this.isInfinity(nQ), 'Point is not a scalar multiple of G')
+
+ return true
+}
+
+module.exports = Curve
+
+},{"./point":96,"assert":1,"bigi":39}],93:[function(require,module,exports){
+module.exports={
+ "secp128r1": {
+ "p": "fffffffdffffffffffffffffffffffff",
+ "a": "fffffffdfffffffffffffffffffffffc",
+ "b": "e87579c11079f43dd824993c2cee5ed3",
+ "n": "fffffffe0000000075a30d1b9038a115",
+ "h": "01",
+ "Gx": "161ff7528b899b2d0c28607ca52c5b86",
+ "Gy": "cf5ac8395bafeb13c02da292dded7a83"
+ },
+ "secp160k1": {
+ "p": "fffffffffffffffffffffffffffffffeffffac73",
+ "a": "00",
+ "b": "07",
+ "n": "0100000000000000000001b8fa16dfab9aca16b6b3",
+ "h": "01",
+ "Gx": "3b4c382ce37aa192a4019e763036f4f5dd4d7ebb",
+ "Gy": "938cf935318fdced6bc28286531733c3f03c4fee"
+ },
+ "secp160r1": {
+ "p": "ffffffffffffffffffffffffffffffff7fffffff",
+ "a": "ffffffffffffffffffffffffffffffff7ffffffc",
+ "b": "1c97befc54bd7a8b65acf89f81d4d4adc565fa45",
+ "n": "0100000000000000000001f4c8f927aed3ca752257",
+ "h": "01",
+ "Gx": "4a96b5688ef573284664698968c38bb913cbfc82",
+ "Gy": "23a628553168947d59dcc912042351377ac5fb32"
+ },
+ "secp192k1": {
+ "p": "fffffffffffffffffffffffffffffffffffffffeffffee37",
+ "a": "00",
+ "b": "03",
+ "n": "fffffffffffffffffffffffe26f2fc170f69466a74defd8d",
+ "h": "01",
+ "Gx": "db4ff10ec057e9ae26b07d0280b7f4341da5d1b1eae06c7d",
+ "Gy": "9b2f2f6d9c5628a7844163d015be86344082aa88d95e2f9d"
+ },
+ "secp192r1": {
+ "p": "fffffffffffffffffffffffffffffffeffffffffffffffff",
+ "a": "fffffffffffffffffffffffffffffffefffffffffffffffc",
+ "b": "64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1",
+ "n": "ffffffffffffffffffffffff99def836146bc9b1b4d22831",
+ "h": "01",
+ "Gx": "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012",
+ "Gy": "07192b95ffc8da78631011ed6b24cdd573f977a11e794811"
+ },
+ "secp256k1": {
+ "p": "fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f",
+ "a": "00",
+ "b": "07",
+ "n": "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141",
+ "h": "01",
+ "Gx": "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798",
+ "Gy": "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8"
+ },
+ "secp256r1": {
+ "p": "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff",
+ "a": "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc",
+ "b": "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b",
+ "n": "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551",
+ "h": "01",
+ "Gx": "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296",
+ "Gy": "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
+ }
+}
+
+},{}],94:[function(require,module,exports){
+var Point = require('./point')
+var Curve = require('./curve')
+
+var getCurveByName = require('./names')
+
+module.exports = {
+ Curve: Curve,
+ Point: Point,
+ getCurveByName: getCurveByName
+}
+
+},{"./curve":92,"./names":95,"./point":96}],95:[function(require,module,exports){
+var BigInteger = require('bigi')
+
+var curves = require('./curves.json')
+var Curve = require('./curve')
+
+function getCurveByName (name) {
+ var curve = curves[name]
+ if (!curve) return null
+
+ var p = new BigInteger(curve.p, 16)
+ var a = new BigInteger(curve.a, 16)
+ var b = new BigInteger(curve.b, 16)
+ var n = new BigInteger(curve.n, 16)
+ var h = new BigInteger(curve.h, 16)
+ var Gx = new BigInteger(curve.Gx, 16)
+ var Gy = new BigInteger(curve.Gy, 16)
+
+ return new Curve(p, a, b, Gx, Gy, n, h)
+}
+
+module.exports = getCurveByName
+
+},{"./curve":92,"./curves.json":93,"bigi":39}],96:[function(require,module,exports){
+(function (Buffer){
+var assert = require('assert')
+var BigInteger = require('bigi')
+
+var THREE = BigInteger.valueOf(3)
+
+function Point (curve, x, y, z) {
+ assert.notStrictEqual(z, undefined, 'Missing Z coordinate')
+
+ this.curve = curve
+ this.x = x
+ this.y = y
+ this.z = z
+ this._zInv = null
+
+ this.compressed = true
+}
+
+Object.defineProperty(Point.prototype, 'zInv', {
+ get: function () {
+ if (this._zInv === null) {
+ this._zInv = this.z.modInverse(this.curve.p)
+ }
+
+ return this._zInv
+ }
+})
+
+Object.defineProperty(Point.prototype, 'affineX', {
+ get: function () {
+ return this.x.multiply(this.zInv).mod(this.curve.p)
+ }
+})
+
+Object.defineProperty(Point.prototype, 'affineY', {
+ get: function () {
+ return this.y.multiply(this.zInv).mod(this.curve.p)
+ }
+})
+
+Point.fromAffine = function (curve, x, y) {
+ return new Point(curve, x, y, BigInteger.ONE)
+}
+
+Point.prototype.equals = function (other) {
+ if (other === this) return true
+ if (this.curve.isInfinity(this)) return this.curve.isInfinity(other)
+ if (this.curve.isInfinity(other)) return this.curve.isInfinity(this)
+
+ // u = Y2 * Z1 - Y1 * Z2
+ var u = other.y.multiply(this.z).subtract(this.y.multiply(other.z)).mod(this.curve.p)
+
+ if (u.signum() !== 0) return false
+
+ // v = X2 * Z1 - X1 * Z2
+ var v = other.x.multiply(this.z).subtract(this.x.multiply(other.z)).mod(this.curve.p)
+
+ return v.signum() === 0
+}
+
+Point.prototype.negate = function () {
+ var y = this.curve.p.subtract(this.y)
+
+ return new Point(this.curve, this.x, y, this.z)
+}
+
+Point.prototype.add = function (b) {
+ if (this.curve.isInfinity(this)) return b
+ if (this.curve.isInfinity(b)) return this
+
+ var x1 = this.x
+ var y1 = this.y
+ var x2 = b.x
+ var y2 = b.y
+
+ // u = Y2 * Z1 - Y1 * Z2
+ var u = y2.multiply(this.z).subtract(y1.multiply(b.z)).mod(this.curve.p)
+ // v = X2 * Z1 - X1 * Z2
+ var v = x2.multiply(this.z).subtract(x1.multiply(b.z)).mod(this.curve.p)
+
+ if (v.signum() === 0) {
+ if (u.signum() === 0) {
+ return this.twice() // this == b, so double
+ }
+
+ return this.curve.infinity // this = -b, so infinity
+ }
+
+ var v2 = v.square()
+ var v3 = v2.multiply(v)
+ var x1v2 = x1.multiply(v2)
+ var zu2 = u.square().multiply(this.z)
+
+ // x3 = v * (z2 * (z1 * u^2 - 2 * x1 * v^2) - v^3)
+ var x3 = zu2.subtract(x1v2.shiftLeft(1)).multiply(b.z).subtract(v3).multiply(v).mod(this.curve.p)
+ // y3 = z2 * (3 * x1 * u * v^2 - y1 * v^3 - z1 * u^3) + u * v^3
+ var y3 = x1v2.multiply(THREE).multiply(u).subtract(y1.multiply(v3)).subtract(zu2.multiply(u)).multiply(b.z).add(u.multiply(v3)).mod(this.curve.p)
+ // z3 = v^3 * z1 * z2
+ var z3 = v3.multiply(this.z).multiply(b.z).mod(this.curve.p)
+
+ return new Point(this.curve, x3, y3, z3)
+}
+
+Point.prototype.twice = function () {
+ if (this.curve.isInfinity(this)) return this
+ if (this.y.signum() === 0) return this.curve.infinity
+
+ var x1 = this.x
+ var y1 = this.y
+
+ var y1z1 = y1.multiply(this.z).mod(this.curve.p)
+ var y1sqz1 = y1z1.multiply(y1).mod(this.curve.p)
+ var a = this.curve.a
+
+ // w = 3 * x1^2 + a * z1^2
+ var w = x1.square().multiply(THREE)
+
+ if (a.signum() !== 0) {
+ w = w.add(this.z.square().multiply(a))
+ }
+
+ w = w.mod(this.curve.p)
+ // x3 = 2 * y1 * z1 * (w^2 - 8 * x1 * y1^2 * z1)
+ var x3 = w.square().subtract(x1.shiftLeft(3).multiply(y1sqz1)).shiftLeft(1).multiply(y1z1).mod(this.curve.p)
+ // y3 = 4 * y1^2 * z1 * (3 * w * x1 - 2 * y1^2 * z1) - w^3
+ var y3 = w.multiply(THREE).multiply(x1).subtract(y1sqz1.shiftLeft(1)).shiftLeft(2).multiply(y1sqz1).subtract(w.pow(3)).mod(this.curve.p)
+ // z3 = 8 * (y1 * z1)^3
+ var z3 = y1z1.pow(3).shiftLeft(3).mod(this.curve.p)
+
+ return new Point(this.curve, x3, y3, z3)
+}
+
+// Simple NAF (Non-Adjacent Form) multiplication algorithm
+// TODO: modularize the multiplication algorithm
+Point.prototype.multiply = function (k) {
+ if (this.curve.isInfinity(this)) return this
+ if (k.signum() === 0) return this.curve.infinity
+
+ var e = k
+ var h = e.multiply(THREE)
+
+ var neg = this.negate()
+ var R = this
+
+ for (var i = h.bitLength() - 2; i > 0; --i) {
+ var hBit = h.testBit(i)
+ var eBit = e.testBit(i)
+
+ R = R.twice()
+
+ if (hBit !== eBit) {
+ R = R.add(hBit ? this : neg)
+ }
+ }
+
+ return R
+}
+
+// Compute this*j + x*k (simultaneous multiplication)
+Point.prototype.multiplyTwo = function (j, x, k) {
+ var i = Math.max(j.bitLength(), k.bitLength()) - 1
+ var R = this.curve.infinity
+ var both = this.add(x)
+
+ while (i >= 0) {
+ var jBit = j.testBit(i)
+ var kBit = k.testBit(i)
+
+ R = R.twice()
+
+ if (jBit) {
+ if (kBit) {
+ R = R.add(both)
+ } else {
+ R = R.add(this)
+ }
+ } else if (kBit) {
+ R = R.add(x)
+ }
+ --i
+ }
+
+ return R
+}
+
+Point.prototype.getEncoded = function (compressed) {
+ if (compressed == null) compressed = this.compressed
+ if (this.curve.isInfinity(this)) return new Buffer('00', 'hex') // Infinity point encoded is simply '00'
+
+ var x = this.affineX
+ var y = this.affineY
+ var byteLength = this.curve.pLength
+ var buffer
+
+ // 0x02/0x03 | X
+ if (compressed) {
+ buffer = new Buffer(1 + byteLength)
+ buffer.writeUInt8(y.isEven() ? 0x02 : 0x03, 0)
+
+ // 0x04 | X | Y
+ } else {
+ buffer = new Buffer(1 + byteLength + byteLength)
+ buffer.writeUInt8(0x04, 0)
+
+ y.toBuffer(byteLength).copy(buffer, 1 + byteLength)
+ }
+
+ x.toBuffer(byteLength).copy(buffer, 1)
+
+ return buffer
+}
+
+Point.decodeFrom = function (curve, buffer) {
+ var type = buffer.readUInt8(0)
+ var compressed = (type !== 4)
+
+ var byteLength = Math.floor((curve.p.bitLength() + 7) / 8)
+ var x = BigInteger.fromBuffer(buffer.slice(1, 1 + byteLength))
+
+ var Q
+ if (compressed) {
+ assert.equal(buffer.length, byteLength + 1, 'Invalid sequence length')
+ assert(type === 0x02 || type === 0x03, 'Invalid sequence tag')
+
+ var isOdd = (type === 0x03)
+ Q = curve.pointFromX(isOdd, x)
+ } else {
+ assert.equal(buffer.length, 1 + byteLength + byteLength, 'Invalid sequence length')
+
+ var y = BigInteger.fromBuffer(buffer.slice(1 + byteLength))
+ Q = Point.fromAffine(curve, x, y)
+ }
+
+ Q.compressed = compressed
+ return Q
+}
+
+Point.prototype.toString = function () {
+ if (this.curve.isInfinity(this)) return '(INFINITY)'
+
+ return '(' + this.affineX.toString() + ',' + this.affineY.toString() + ')'
+}
+
+module.exports = Point
+
+}).call(this,require("buffer").Buffer)
+},{"assert":1,"bigi":39,"buffer":5}],97:[function(require,module,exports){
+'use strict';
+
+var elliptic = exports;
+
+elliptic.version = require('../package.json').version;
+elliptic.utils = require('./elliptic/utils');
+elliptic.rand = require('brorand');
+elliptic.curve = require('./elliptic/curve');
+elliptic.curves = require('./elliptic/curves');
+
+// Protocols
+elliptic.ec = require('./elliptic/ec');
+elliptic.eddsa = require('./elliptic/eddsa');
+
+},{"../package.json":112,"./elliptic/curve":100,"./elliptic/curves":103,"./elliptic/ec":104,"./elliptic/eddsa":107,"./elliptic/utils":111,"brorand":82}],98:[function(require,module,exports){
+'use strict';
+
+var BN = require('bn.js');
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var getNAF = utils.getNAF;
+var getJSF = utils.getJSF;
+var assert = utils.assert;
+
+function BaseCurve(type, conf) {
+ this.type = type;
+ this.p = new BN(conf.p, 16);
+
+ // Use Montgomery, when there is no fast reduction for the prime
+ this.red = conf.prime ? BN.red(conf.prime) : BN.mont(this.p);
+
+ // Useful for many curves
+ this.zero = new BN(0).toRed(this.red);
+ this.one = new BN(1).toRed(this.red);
+ this.two = new BN(2).toRed(this.red);
+
+ // Curve configuration, optional
+ this.n = conf.n && new BN(conf.n, 16);
+ this.g = conf.g && this.pointFromJSON(conf.g, conf.gRed);
+
+ // Temporary arrays
+ this._wnafT1 = new Array(4);
+ this._wnafT2 = new Array(4);
+ this._wnafT3 = new Array(4);
+ this._wnafT4 = new Array(4);
+
+ // Generalized Greg Maxwell's trick
+ var adjustCount = this.n && this.p.div(this.n);
+ if (!adjustCount || adjustCount.cmpn(100) > 0) {
+ this.redN = null;
+ } else {
+ this._maxwellTrick = true;
+ this.redN = this.n.toRed(this.red);
+ }
+}
+module.exports = BaseCurve;
+
+BaseCurve.prototype.point = function point() {
+ throw new Error('Not implemented');
+};
+
+BaseCurve.prototype.validate = function validate() {
+ throw new Error('Not implemented');
+};
+
+BaseCurve.prototype._fixedNafMul = function _fixedNafMul(p, k) {
+ assert(p.precomputed);
+ var doubles = p._getDoubles();
+
+ var naf = getNAF(k, 1);
+ var I = (1 << (doubles.step + 1)) - (doubles.step % 2 === 0 ? 2 : 1);
+ I /= 3;
+
+ // Translate into more windowed form
+ var repr = [];
+ for (var j = 0; j < naf.length; j += doubles.step) {
+ var nafW = 0;
+ for (var k = j + doubles.step - 1; k >= j; k--)
+ nafW = (nafW << 1) + naf[k];
+ repr.push(nafW);
+ }
+
+ var a = this.jpoint(null, null, null);
+ var b = this.jpoint(null, null, null);
+ for (var i = I; i > 0; i--) {
+ for (var j = 0; j < repr.length; j++) {
+ var nafW = repr[j];
+ if (nafW === i)
+ b = b.mixedAdd(doubles.points[j]);
+ else if (nafW === -i)
+ b = b.mixedAdd(doubles.points[j].neg());
+ }
+ a = a.add(b);
+ }
+ return a.toP();
+};
+
+BaseCurve.prototype._wnafMul = function _wnafMul(p, k) {
+ var w = 4;
+
+ // Precompute window
+ var nafPoints = p._getNAFPoints(w);
+ w = nafPoints.wnd;
+ var wnd = nafPoints.points;
+
+ // Get NAF form
+ var naf = getNAF(k, w);
+
+ // Add `this`*(N+1) for every w-NAF index
+ var acc = this.jpoint(null, null, null);
+ for (var i = naf.length - 1; i >= 0; i--) {
+ // Count zeroes
+ for (var k = 0; i >= 0 && naf[i] === 0; i--)
+ k++;
+ if (i >= 0)
+ k++;
+ acc = acc.dblp(k);
+
+ if (i < 0)
+ break;
+ var z = naf[i];
+ assert(z !== 0);
+ if (p.type === 'affine') {
+ // J +- P
+ if (z > 0)
+ acc = acc.mixedAdd(wnd[(z - 1) >> 1]);
+ else
+ acc = acc.mixedAdd(wnd[(-z - 1) >> 1].neg());
+ } else {
+ // J +- J
+ if (z > 0)
+ acc = acc.add(wnd[(z - 1) >> 1]);
+ else
+ acc = acc.add(wnd[(-z - 1) >> 1].neg());
+ }
+ }
+ return p.type === 'affine' ? acc.toP() : acc;
+};
+
+BaseCurve.prototype._wnafMulAdd = function _wnafMulAdd(defW,
+ points,
+ coeffs,
+ len,
+ jacobianResult) {
+ var wndWidth = this._wnafT1;
+ var wnd = this._wnafT2;
+ var naf = this._wnafT3;
+
+ // Fill all arrays
+ var max = 0;
+ for (var i = 0; i < len; i++) {
+ var p = points[i];
+ var nafPoints = p._getNAFPoints(defW);
+ wndWidth[i] = nafPoints.wnd;
+ wnd[i] = nafPoints.points;
+ }
+
+ // Comb small window NAFs
+ for (var i = len - 1; i >= 1; i -= 2) {
+ var a = i - 1;
+ var b = i;
+ if (wndWidth[a] !== 1 || wndWidth[b] !== 1) {
+ naf[a] = getNAF(coeffs[a], wndWidth[a]);
+ naf[b] = getNAF(coeffs[b], wndWidth[b]);
+ max = Math.max(naf[a].length, max);
+ max = Math.max(naf[b].length, max);
+ continue;
+ }
+
+ var comb = [
+ points[a], /* 1 */
+ null, /* 3 */
+ null, /* 5 */
+ points[b] /* 7 */
+ ];
+
+ // Try to avoid Projective points, if possible
+ if (points[a].y.cmp(points[b].y) === 0) {
+ comb[1] = points[a].add(points[b]);
+ comb[2] = points[a].toJ().mixedAdd(points[b].neg());
+ } else if (points[a].y.cmp(points[b].y.redNeg()) === 0) {
+ comb[1] = points[a].toJ().mixedAdd(points[b]);
+ comb[2] = points[a].add(points[b].neg());
+ } else {
+ comb[1] = points[a].toJ().mixedAdd(points[b]);
+ comb[2] = points[a].toJ().mixedAdd(points[b].neg());
+ }
+
+ var index = [
+ -3, /* -1 -1 */
+ -1, /* -1 0 */
+ -5, /* -1 1 */
+ -7, /* 0 -1 */
+ 0, /* 0 0 */
+ 7, /* 0 1 */
+ 5, /* 1 -1 */
+ 1, /* 1 0 */
+ 3 /* 1 1 */
+ ];
+
+ var jsf = getJSF(coeffs[a], coeffs[b]);
+ max = Math.max(jsf[0].length, max);
+ naf[a] = new Array(max);
+ naf[b] = new Array(max);
+ for (var j = 0; j < max; j++) {
+ var ja = jsf[0][j] | 0;
+ var jb = jsf[1][j] | 0;
+
+ naf[a][j] = index[(ja + 1) * 3 + (jb + 1)];
+ naf[b][j] = 0;
+ wnd[a] = comb;
+ }
+ }
+
+ var acc = this.jpoint(null, null, null);
+ var tmp = this._wnafT4;
+ for (var i = max; i >= 0; i--) {
+ var k = 0;
+
+ while (i >= 0) {
+ var zero = true;
+ for (var j = 0; j < len; j++) {
+ tmp[j] = naf[j][i] | 0;
+ if (tmp[j] !== 0)
+ zero = false;
+ }
+ if (!zero)
+ break;
+ k++;
+ i--;
+ }
+ if (i >= 0)
+ k++;
+ acc = acc.dblp(k);
+ if (i < 0)
+ break;
+
+ for (var j = 0; j < len; j++) {
+ var z = tmp[j];
+ var p;
+ if (z === 0)
+ continue;
+ else if (z > 0)
+ p = wnd[j][(z - 1) >> 1];
+ else if (z < 0)
+ p = wnd[j][(-z - 1) >> 1].neg();
+
+ if (p.type === 'affine')
+ acc = acc.mixedAdd(p);
+ else
+ acc = acc.add(p);
+ }
+ }
+ // Zeroify references
+ for (var i = 0; i < len; i++)
+ wnd[i] = null;
+
+ if (jacobianResult)
+ return acc;
+ else
+ return acc.toP();
+};
+
+function BasePoint(curve, type) {
+ this.curve = curve;
+ this.type = type;
+ this.precomputed = null;
+}
+BaseCurve.BasePoint = BasePoint;
+
+BasePoint.prototype.eq = function eq(/*other*/) {
+ throw new Error('Not implemented');
+};
+
+BasePoint.prototype.validate = function validate() {
+ return this.curve.validate(this);
+};
+
+BaseCurve.prototype.decodePoint = function decodePoint(bytes, enc) {
+ bytes = utils.toArray(bytes, enc);
+
+ var len = this.p.byteLength();
+
+ // uncompressed, hybrid-odd, hybrid-even
+ if ((bytes[0] === 0x04 || bytes[0] === 0x06 || bytes[0] === 0x07) &&
+ bytes.length - 1 === 2 * len) {
+ if (bytes[0] === 0x06)
+ assert(bytes[bytes.length - 1] % 2 === 0);
+ else if (bytes[0] === 0x07)
+ assert(bytes[bytes.length - 1] % 2 === 1);
+
+ var res = this.point(bytes.slice(1, 1 + len),
+ bytes.slice(1 + len, 1 + 2 * len));
+
+ return res;
+ } else if ((bytes[0] === 0x02 || bytes[0] === 0x03) &&
+ bytes.length - 1 === len) {
+ return this.pointFromX(bytes.slice(1, 1 + len), bytes[0] === 0x03);
+ }
+ throw new Error('Unknown point format');
+};
+
+BasePoint.prototype.encodeCompressed = function encodeCompressed(enc) {
+ return this.encode(enc, true);
+};
+
+BasePoint.prototype._encode = function _encode(compact) {
+ var len = this.curve.p.byteLength();
+ var x = this.getX().toArray('be', len);
+
+ if (compact)
+ return [ this.getY().isEven() ? 0x02 : 0x03 ].concat(x);
+
+ return [ 0x04 ].concat(x, this.getY().toArray('be', len)) ;
+};
+
+BasePoint.prototype.encode = function encode(enc, compact) {
+ return utils.encode(this._encode(compact), enc);
+};
+
+BasePoint.prototype.precompute = function precompute(power) {
+ if (this.precomputed)
+ return this;
+
+ var precomputed = {
+ doubles: null,
+ naf: null,
+ beta: null
+ };
+ precomputed.naf = this._getNAFPoints(8);
+ precomputed.doubles = this._getDoubles(4, power);
+ precomputed.beta = this._getBeta();
+ this.precomputed = precomputed;
+
+ return this;
+};
+
+BasePoint.prototype._hasDoubles = function _hasDoubles(k) {
+ if (!this.precomputed)
+ return false;
+
+ var doubles = this.precomputed.doubles;
+ if (!doubles)
+ return false;
+
+ return doubles.points.length >= Math.ceil((k.bitLength() + 1) / doubles.step);
+};
+
+BasePoint.prototype._getDoubles = function _getDoubles(step, power) {
+ if (this.precomputed && this.precomputed.doubles)
+ return this.precomputed.doubles;
+
+ var doubles = [ this ];
+ var acc = this;
+ for (var i = 0; i < power; i += step) {
+ for (var j = 0; j < step; j++)
+ acc = acc.dbl();
+ doubles.push(acc);
+ }
+ return {
+ step: step,
+ points: doubles
+ };
+};
+
+BasePoint.prototype._getNAFPoints = function _getNAFPoints(wnd) {
+ if (this.precomputed && this.precomputed.naf)
+ return this.precomputed.naf;
+
+ var res = [ this ];
+ var max = (1 << wnd) - 1;
+ var dbl = max === 1 ? null : this.dbl();
+ for (var i = 1; i < max; i++)
+ res[i] = res[i - 1].add(dbl);
+ return {
+ wnd: wnd,
+ points: res
+ };
+};
+
+BasePoint.prototype._getBeta = function _getBeta() {
+ return null;
+};
+
+BasePoint.prototype.dblp = function dblp(k) {
+ var r = this;
+ for (var i = 0; i < k; i++)
+ r = r.dbl();
+ return r;
+};
+
+},{"../../elliptic":97,"bn.js":81}],99:[function(require,module,exports){
+'use strict';
+
+var curve = require('../curve');
+var elliptic = require('../../elliptic');
+var BN = require('bn.js');
+var inherits = require('inherits');
+var Base = curve.base;
+
+var assert = elliptic.utils.assert;
+
+function EdwardsCurve(conf) {
+ // NOTE: Important as we are creating point in Base.call()
+ this.twisted = (conf.a | 0) !== 1;
+ this.mOneA = this.twisted && (conf.a | 0) === -1;
+ this.extended = this.mOneA;
+
+ Base.call(this, 'edwards', conf);
+
+ this.a = new BN(conf.a, 16).umod(this.red.m);
+ this.a = this.a.toRed(this.red);
+ this.c = new BN(conf.c, 16).toRed(this.red);
+ this.c2 = this.c.redSqr();
+ this.d = new BN(conf.d, 16).toRed(this.red);
+ this.dd = this.d.redAdd(this.d);
+
+ assert(!this.twisted || this.c.fromRed().cmpn(1) === 0);
+ this.oneC = (conf.c | 0) === 1;
+}
+inherits(EdwardsCurve, Base);
+module.exports = EdwardsCurve;
+
+EdwardsCurve.prototype._mulA = function _mulA(num) {
+ if (this.mOneA)
+ return num.redNeg();
+ else
+ return this.a.redMul(num);
+};
+
+EdwardsCurve.prototype._mulC = function _mulC(num) {
+ if (this.oneC)
+ return num;
+ else
+ return this.c.redMul(num);
+};
+
+// Just for compatibility with Short curve
+EdwardsCurve.prototype.jpoint = function jpoint(x, y, z, t) {
+ return this.point(x, y, z, t);
+};
+
+EdwardsCurve.prototype.pointFromX = function pointFromX(x, odd) {
+ x = new BN(x, 16);
+ if (!x.red)
+ x = x.toRed(this.red);
+
+ var x2 = x.redSqr();
+ var rhs = this.c2.redSub(this.a.redMul(x2));
+ var lhs = this.one.redSub(this.c2.redMul(this.d).redMul(x2));
+
+ var y2 = rhs.redMul(lhs.redInvm());
+ var y = y2.redSqrt();
+ if (y.redSqr().redSub(y2).cmp(this.zero) !== 0)
+ throw new Error('invalid point');
+
+ var isOdd = y.fromRed().isOdd();
+ if (odd && !isOdd || !odd && isOdd)
+ y = y.redNeg();
+
+ return this.point(x, y);
+};
+
+EdwardsCurve.prototype.pointFromY = function pointFromY(y, odd) {
+ y = new BN(y, 16);
+ if (!y.red)
+ y = y.toRed(this.red);
+
+ // x^2 = (y^2 - 1) / (d y^2 + 1)
+ var y2 = y.redSqr();
+ var lhs = y2.redSub(this.one);
+ var rhs = y2.redMul(this.d).redAdd(this.one);
+ var x2 = lhs.redMul(rhs.redInvm());
+
+ if (x2.cmp(this.zero) === 0) {
+ if (odd)
+ throw new Error('invalid point');
+ else
+ return this.point(this.zero, y);
+ }
+
+ var x = x2.redSqrt();
+ if (x.redSqr().redSub(x2).cmp(this.zero) !== 0)
+ throw new Error('invalid point');
+
+ if (x.isOdd() !== odd)
+ x = x.redNeg();
+
+ return this.point(x, y);
+};
+
+EdwardsCurve.prototype.validate = function validate(point) {
+ if (point.isInfinity())
+ return true;
+
+ // Curve: A * X^2 + Y^2 = C^2 * (1 + D * X^2 * Y^2)
+ point.normalize();
+
+ var x2 = point.x.redSqr();
+ var y2 = point.y.redSqr();
+ var lhs = x2.redMul(this.a).redAdd(y2);
+ var rhs = this.c2.redMul(this.one.redAdd(this.d.redMul(x2).redMul(y2)));
+
+ return lhs.cmp(rhs) === 0;
+};
+
+function Point(curve, x, y, z, t) {
+ Base.BasePoint.call(this, curve, 'projective');
+ if (x === null && y === null && z === null) {
+ this.x = this.curve.zero;
+ this.y = this.curve.one;
+ this.z = this.curve.one;
+ this.t = this.curve.zero;
+ this.zOne = true;
+ } else {
+ this.x = new BN(x, 16);
+ this.y = new BN(y, 16);
+ this.z = z ? new BN(z, 16) : this.curve.one;
+ this.t = t && new BN(t, 16);
+ if (!this.x.red)
+ this.x = this.x.toRed(this.curve.red);
+ if (!this.y.red)
+ this.y = this.y.toRed(this.curve.red);
+ if (!this.z.red)
+ this.z = this.z.toRed(this.curve.red);
+ if (this.t && !this.t.red)
+ this.t = this.t.toRed(this.curve.red);
+ this.zOne = this.z === this.curve.one;
+
+ // Use extended coordinates
+ if (this.curve.extended && !this.t) {
+ this.t = this.x.redMul(this.y);
+ if (!this.zOne)
+ this.t = this.t.redMul(this.z.redInvm());
+ }
+ }
+}
+inherits(Point, Base.BasePoint);
+
+EdwardsCurve.prototype.pointFromJSON = function pointFromJSON(obj) {
+ return Point.fromJSON(this, obj);
+};
+
+EdwardsCurve.prototype.point = function point(x, y, z, t) {
+ return new Point(this, x, y, z, t);
+};
+
+Point.fromJSON = function fromJSON(curve, obj) {
+ return new Point(curve, obj[0], obj[1], obj[2]);
+};
+
+Point.prototype.inspect = function inspect() {
+ if (this.isInfinity())
+ return '<EC Point Infinity>';
+ return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
+ ' y: ' + this.y.fromRed().toString(16, 2) +
+ ' z: ' + this.z.fromRed().toString(16, 2) + '>';
+};
+
+Point.prototype.isInfinity = function isInfinity() {
+ // XXX This code assumes that zero is always zero in red
+ return this.x.cmpn(0) === 0 &&
+ this.y.cmp(this.z) === 0;
+};
+
+Point.prototype._extDbl = function _extDbl() {
+ // hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+ // #doubling-dbl-2008-hwcd
+ // 4M + 4S
+
+ // A = X1^2
+ var a = this.x.redSqr();
+ // B = Y1^2
+ var b = this.y.redSqr();
+ // C = 2 * Z1^2
+ var c = this.z.redSqr();
+ c = c.redIAdd(c);
+ // D = a * A
+ var d = this.curve._mulA(a);
+ // E = (X1 + Y1)^2 - A - B
+ var e = this.x.redAdd(this.y).redSqr().redISub(a).redISub(b);
+ // G = D + B
+ var g = d.redAdd(b);
+ // F = G - C
+ var f = g.redSub(c);
+ // H = D - B
+ var h = d.redSub(b);
+ // X3 = E * F
+ var nx = e.redMul(f);
+ // Y3 = G * H
+ var ny = g.redMul(h);
+ // T3 = E * H
+ var nt = e.redMul(h);
+ // Z3 = F * G
+ var nz = f.redMul(g);
+ return this.curve.point(nx, ny, nz, nt);
+};
+
+Point.prototype._projDbl = function _projDbl() {
+ // hyperelliptic.org/EFD/g1p/auto-twisted-projective.html
+ // #doubling-dbl-2008-bbjlp
+ // #doubling-dbl-2007-bl
+ // and others
+ // Generally 3M + 4S or 2M + 4S
+
+ // B = (X1 + Y1)^2
+ var b = this.x.redAdd(this.y).redSqr();
+ // C = X1^2
+ var c = this.x.redSqr();
+ // D = Y1^2
+ var d = this.y.redSqr();
+
+ var nx;
+ var ny;
+ var nz;
+ if (this.curve.twisted) {
+ // E = a * C
+ var e = this.curve._mulA(c);
+ // F = E + D
+ var f = e.redAdd(d);
+ if (this.zOne) {
+ // X3 = (B - C - D) * (F - 2)
+ nx = b.redSub(c).redSub(d).redMul(f.redSub(this.curve.two));
+ // Y3 = F * (E - D)
+ ny = f.redMul(e.redSub(d));
+ // Z3 = F^2 - 2 * F
+ nz = f.redSqr().redSub(f).redSub(f);
+ } else {
+ // H = Z1^2
+ var h = this.z.redSqr();
+ // J = F - 2 * H
+ var j = f.redSub(h).redISub(h);
+ // X3 = (B-C-D)*J
+ nx = b.redSub(c).redISub(d).redMul(j);
+ // Y3 = F * (E - D)
+ ny = f.redMul(e.redSub(d));
+ // Z3 = F * J
+ nz = f.redMul(j);
+ }
+ } else {
+ // E = C + D
+ var e = c.redAdd(d);
+ // H = (c * Z1)^2
+ var h = this.curve._mulC(this.c.redMul(this.z)).redSqr();
+ // J = E - 2 * H
+ var j = e.redSub(h).redSub(h);
+ // X3 = c * (B - E) * J
+ nx = this.curve._mulC(b.redISub(e)).redMul(j);
+ // Y3 = c * E * (C - D)
+ ny = this.curve._mulC(e).redMul(c.redISub(d));
+ // Z3 = E * J
+ nz = e.redMul(j);
+ }
+ return this.curve.point(nx, ny, nz);
+};
+
+Point.prototype.dbl = function dbl() {
+ if (this.isInfinity())
+ return this;
+
+ // Double in extended coordinates
+ if (this.curve.extended)
+ return this._extDbl();
+ else
+ return this._projDbl();
+};
+
+Point.prototype._extAdd = function _extAdd(p) {
+ // hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html
+ // #addition-add-2008-hwcd-3
+ // 8M
+
+ // A = (Y1 - X1) * (Y2 - X2)
+ var a = this.y.redSub(this.x).redMul(p.y.redSub(p.x));
+ // B = (Y1 + X1) * (Y2 + X2)
+ var b = this.y.redAdd(this.x).redMul(p.y.redAdd(p.x));
+ // C = T1 * k * T2
+ var c = this.t.redMul(this.curve.dd).redMul(p.t);
+ // D = Z1 * 2 * Z2
+ var d = this.z.redMul(p.z.redAdd(p.z));
+ // E = B - A
+ var e = b.redSub(a);
+ // F = D - C
+ var f = d.redSub(c);
+ // G = D + C
+ var g = d.redAdd(c);
+ // H = B + A
+ var h = b.redAdd(a);
+ // X3 = E * F
+ var nx = e.redMul(f);
+ // Y3 = G * H
+ var ny = g.redMul(h);
+ // T3 = E * H
+ var nt = e.redMul(h);
+ // Z3 = F * G
+ var nz = f.redMul(g);
+ return this.curve.point(nx, ny, nz, nt);
+};
+
+Point.prototype._projAdd = function _projAdd(p) {
+ // hyperelliptic.org/EFD/g1p/auto-twisted-projective.html
+ // #addition-add-2008-bbjlp
+ // #addition-add-2007-bl
+ // 10M + 1S
+
+ // A = Z1 * Z2
+ var a = this.z.redMul(p.z);
+ // B = A^2
+ var b = a.redSqr();
+ // C = X1 * X2
+ var c = this.x.redMul(p.x);
+ // D = Y1 * Y2
+ var d = this.y.redMul(p.y);
+ // E = d * C * D
+ var e = this.curve.d.redMul(c).redMul(d);
+ // F = B - E
+ var f = b.redSub(e);
+ // G = B + E
+ var g = b.redAdd(e);
+ // X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - D)
+ var tmp = this.x.redAdd(this.y).redMul(p.x.redAdd(p.y)).redISub(c).redISub(d);
+ var nx = a.redMul(f).redMul(tmp);
+ var ny;
+ var nz;
+ if (this.curve.twisted) {
+ // Y3 = A * G * (D - a * C)
+ ny = a.redMul(g).redMul(d.redSub(this.curve._mulA(c)));
+ // Z3 = F * G
+ nz = f.redMul(g);
+ } else {
+ // Y3 = A * G * (D - C)
+ ny = a.redMul(g).redMul(d.redSub(c));
+ // Z3 = c * F * G
+ nz = this.curve._mulC(f).redMul(g);
+ }
+ return this.curve.point(nx, ny, nz);
+};
+
+Point.prototype.add = function add(p) {
+ if (this.isInfinity())
+ return p;
+ if (p.isInfinity())
+ return this;
+
+ if (this.curve.extended)
+ return this._extAdd(p);
+ else
+ return this._projAdd(p);
+};
+
+Point.prototype.mul = function mul(k) {
+ if (this._hasDoubles(k))
+ return this.curve._fixedNafMul(this, k);
+ else
+ return this.curve._wnafMul(this, k);
+};
+
+Point.prototype.mulAdd = function mulAdd(k1, p, k2) {
+ return this.curve._wnafMulAdd(1, [ this, p ], [ k1, k2 ], 2, false);
+};
+
+Point.prototype.jmulAdd = function jmulAdd(k1, p, k2) {
+ return this.curve._wnafMulAdd(1, [ this, p ], [ k1, k2 ], 2, true);
+};
+
+Point.prototype.normalize = function normalize() {
+ if (this.zOne)
+ return this;
+
+ // Normalize coordinates
+ var zi = this.z.redInvm();
+ this.x = this.x.redMul(zi);
+ this.y = this.y.redMul(zi);
+ if (this.t)
+ this.t = this.t.redMul(zi);
+ this.z = this.curve.one;
+ this.zOne = true;
+ return this;
+};
+
+Point.prototype.neg = function neg() {
+ return this.curve.point(this.x.redNeg(),
+ this.y,
+ this.z,
+ this.t && this.t.redNeg());
+};
+
+Point.prototype.getX = function getX() {
+ this.normalize();
+ return this.x.fromRed();
+};
+
+Point.prototype.getY = function getY() {
+ this.normalize();
+ return this.y.fromRed();
+};
+
+Point.prototype.eq = function eq(other) {
+ return this === other ||
+ this.getX().cmp(other.getX()) === 0 &&
+ this.getY().cmp(other.getY()) === 0;
+};
+
+Point.prototype.eqXToP = function eqXToP(x) {
+ var rx = x.toRed(this.curve.red).redMul(this.z);
+ if (this.x.cmp(rx) === 0)
+ return true;
+
+ var xc = x.clone();
+ var t = this.curve.redN.redMul(this.z);
+ for (;;) {
+ xc.iadd(this.curve.n);
+ if (xc.cmp(this.curve.p) >= 0)
+ return false;
+
+ rx.redIAdd(t);
+ if (this.x.cmp(rx) === 0)
+ return true;
+ }
+ return false;
+};
+
+// Compatibility with BaseCurve
+Point.prototype.toP = Point.prototype.normalize;
+Point.prototype.mixedAdd = Point.prototype.add;
+
+},{"../../elliptic":97,"../curve":100,"bn.js":81,"inherits":121}],100:[function(require,module,exports){
+'use strict';
+
+var curve = exports;
+
+curve.base = require('./base');
+curve.short = require('./short');
+curve.mont = require('./mont');
+curve.edwards = require('./edwards');
+
+},{"./base":98,"./edwards":99,"./mont":101,"./short":102}],101:[function(require,module,exports){
+'use strict';
+
+var curve = require('../curve');
+var BN = require('bn.js');
+var inherits = require('inherits');
+var Base = curve.base;
+
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+
+function MontCurve(conf) {
+ Base.call(this, 'mont', conf);
+
+ this.a = new BN(conf.a, 16).toRed(this.red);
+ this.b = new BN(conf.b, 16).toRed(this.red);
+ this.i4 = new BN(4).toRed(this.red).redInvm();
+ this.two = new BN(2).toRed(this.red);
+ this.a24 = this.i4.redMul(this.a.redAdd(this.two));
+}
+inherits(MontCurve, Base);
+module.exports = MontCurve;
+
+MontCurve.prototype.validate = function validate(point) {
+ var x = point.normalize().x;
+ var x2 = x.redSqr();
+ var rhs = x2.redMul(x).redAdd(x2.redMul(this.a)).redAdd(x);
+ var y = rhs.redSqrt();
+
+ return y.redSqr().cmp(rhs) === 0;
+};
+
+function Point(curve, x, z) {
+ Base.BasePoint.call(this, curve, 'projective');
+ if (x === null && z === null) {
+ this.x = this.curve.one;
+ this.z = this.curve.zero;
+ } else {
+ this.x = new BN(x, 16);
+ this.z = new BN(z, 16);
+ if (!this.x.red)
+ this.x = this.x.toRed(this.curve.red);
+ if (!this.z.red)
+ this.z = this.z.toRed(this.curve.red);
+ }
+}
+inherits(Point, Base.BasePoint);
+
+MontCurve.prototype.decodePoint = function decodePoint(bytes, enc) {
+ return this.point(utils.toArray(bytes, enc), 1);
+};
+
+MontCurve.prototype.point = function point(x, z) {
+ return new Point(this, x, z);
+};
+
+MontCurve.prototype.pointFromJSON = function pointFromJSON(obj) {
+ return Point.fromJSON(this, obj);
+};
+
+Point.prototype.precompute = function precompute() {
+ // No-op
+};
+
+Point.prototype._encode = function _encode() {
+ return this.getX().toArray('be', this.curve.p.byteLength());
+};
+
+Point.fromJSON = function fromJSON(curve, obj) {
+ return new Point(curve, obj[0], obj[1] || curve.one);
+};
+
+Point.prototype.inspect = function inspect() {
+ if (this.isInfinity())
+ return '<EC Point Infinity>';
+ return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
+ ' z: ' + this.z.fromRed().toString(16, 2) + '>';
+};
+
+Point.prototype.isInfinity = function isInfinity() {
+ // XXX This code assumes that zero is always zero in red
+ return this.z.cmpn(0) === 0;
+};
+
+Point.prototype.dbl = function dbl() {
+ // http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3
+ // 2M + 2S + 4A
+
+ // A = X1 + Z1
+ var a = this.x.redAdd(this.z);
+ // AA = A^2
+ var aa = a.redSqr();
+ // B = X1 - Z1
+ var b = this.x.redSub(this.z);
+ // BB = B^2
+ var bb = b.redSqr();
+ // C = AA - BB
+ var c = aa.redSub(bb);
+ // X3 = AA * BB
+ var nx = aa.redMul(bb);
+ // Z3 = C * (BB + A24 * C)
+ var nz = c.redMul(bb.redAdd(this.curve.a24.redMul(c)));
+ return this.curve.point(nx, nz);
+};
+
+Point.prototype.add = function add() {
+ throw new Error('Not supported on Montgomery curve');
+};
+
+Point.prototype.diffAdd = function diffAdd(p, diff) {
+ // http://hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#diffadd-dadd-1987-m-3
+ // 4M + 2S + 6A
+
+ // A = X2 + Z2
+ var a = this.x.redAdd(this.z);
+ // B = X2 - Z2
+ var b = this.x.redSub(this.z);
+ // C = X3 + Z3
+ var c = p.x.redAdd(p.z);
+ // D = X3 - Z3
+ var d = p.x.redSub(p.z);
+ // DA = D * A
+ var da = d.redMul(a);
+ // CB = C * B
+ var cb = c.redMul(b);
+ // X5 = Z1 * (DA + CB)^2
+ var nx = diff.z.redMul(da.redAdd(cb).redSqr());
+ // Z5 = X1 * (DA - CB)^2
+ var nz = diff.x.redMul(da.redISub(cb).redSqr());
+ return this.curve.point(nx, nz);
+};
+
+Point.prototype.mul = function mul(k) {
+ var t = k.clone();
+ var a = this; // (N / 2) * Q + Q
+ var b = this.curve.point(null, null); // (N / 2) * Q
+ var c = this; // Q
+
+ for (var bits = []; t.cmpn(0) !== 0; t.iushrn(1))
+ bits.push(t.andln(1));
+
+ for (var i = bits.length - 1; i >= 0; i--) {
+ if (bits[i] === 0) {
+ // N * Q + Q = ((N / 2) * Q + Q)) + (N / 2) * Q
+ a = a.diffAdd(b, c);
+ // N * Q = 2 * ((N / 2) * Q + Q))
+ b = b.dbl();
+ } else {
+ // N * Q = ((N / 2) * Q + Q) + ((N / 2) * Q)
+ b = a.diffAdd(b, c);
+ // N * Q + Q = 2 * ((N / 2) * Q + Q)
+ a = a.dbl();
+ }
+ }
+ return b;
+};
+
+Point.prototype.mulAdd = function mulAdd() {
+ throw new Error('Not supported on Montgomery curve');
+};
+
+Point.prototype.jumlAdd = function jumlAdd() {
+ throw new Error('Not supported on Montgomery curve');
+};
+
+Point.prototype.eq = function eq(other) {
+ return this.getX().cmp(other.getX()) === 0;
+};
+
+Point.prototype.normalize = function normalize() {
+ this.x = this.x.redMul(this.z.redInvm());
+ this.z = this.curve.one;
+ return this;
+};
+
+Point.prototype.getX = function getX() {
+ // Normalize coordinates
+ this.normalize();
+
+ return this.x.fromRed();
+};
+
+},{"../../elliptic":97,"../curve":100,"bn.js":81,"inherits":121}],102:[function(require,module,exports){
+'use strict';
+
+var curve = require('../curve');
+var elliptic = require('../../elliptic');
+var BN = require('bn.js');
+var inherits = require('inherits');
+var Base = curve.base;
+
+var assert = elliptic.utils.assert;
+
+function ShortCurve(conf) {
+ Base.call(this, 'short', conf);
+
+ this.a = new BN(conf.a, 16).toRed(this.red);
+ this.b = new BN(conf.b, 16).toRed(this.red);
+ this.tinv = this.two.redInvm();
+
+ this.zeroA = this.a.fromRed().cmpn(0) === 0;
+ this.threeA = this.a.fromRed().sub(this.p).cmpn(-3) === 0;
+
+ // If the curve is endomorphic, precalculate beta and lambda
+ this.endo = this._getEndomorphism(conf);
+ this._endoWnafT1 = new Array(4);
+ this._endoWnafT2 = new Array(4);
+}
+inherits(ShortCurve, Base);
+module.exports = ShortCurve;
+
+ShortCurve.prototype._getEndomorphism = function _getEndomorphism(conf) {
+ // No efficient endomorphism
+ if (!this.zeroA || !this.g || !this.n || this.p.modn(3) !== 1)
+ return;
+
+ // Compute beta and lambda, that lambda * P = (beta * Px; Py)
+ var beta;
+ var lambda;
+ if (conf.beta) {
+ beta = new BN(conf.beta, 16).toRed(this.red);
+ } else {
+ var betas = this._getEndoRoots(this.p);
+ // Choose the smallest beta
+ beta = betas[0].cmp(betas[1]) < 0 ? betas[0] : betas[1];
+ beta = beta.toRed(this.red);
+ }
+ if (conf.lambda) {
+ lambda = new BN(conf.lambda, 16);
+ } else {
+ // Choose the lambda that is matching selected beta
+ var lambdas = this._getEndoRoots(this.n);
+ if (this.g.mul(lambdas[0]).x.cmp(this.g.x.redMul(beta)) === 0) {
+ lambda = lambdas[0];
+ } else {
+ lambda = lambdas[1];
+ assert(this.g.mul(lambda).x.cmp(this.g.x.redMul(beta)) === 0);
+ }
+ }
+
+ // Get basis vectors, used for balanced length-two representation
+ var basis;
+ if (conf.basis) {
+ basis = conf.basis.map(function(vec) {
+ return {
+ a: new BN(vec.a, 16),
+ b: new BN(vec.b, 16)
+ };
+ });
+ } else {
+ basis = this._getEndoBasis(lambda);
+ }
+
+ return {
+ beta: beta,
+ lambda: lambda,
+ basis: basis
+ };
+};
+
+ShortCurve.prototype._getEndoRoots = function _getEndoRoots(num) {
+ // Find roots of for x^2 + x + 1 in F
+ // Root = (-1 +- Sqrt(-3)) / 2
+ //
+ var red = num === this.p ? this.red : BN.mont(num);
+ var tinv = new BN(2).toRed(red).redInvm();
+ var ntinv = tinv.redNeg();
+
+ var s = new BN(3).toRed(red).redNeg().redSqrt().redMul(tinv);
+
+ var l1 = ntinv.redAdd(s).fromRed();
+ var l2 = ntinv.redSub(s).fromRed();
+ return [ l1, l2 ];
+};
+
+ShortCurve.prototype._getEndoBasis = function _getEndoBasis(lambda) {
+ // aprxSqrt >= sqrt(this.n)
+ var aprxSqrt = this.n.ushrn(Math.floor(this.n.bitLength() / 2));
+
+ // 3.74
+ // Run EGCD, until r(L + 1) < aprxSqrt
+ var u = lambda;
+ var v = this.n.clone();
+ var x1 = new BN(1);
+ var y1 = new BN(0);
+ var x2 = new BN(0);
+ var y2 = new BN(1);
+
+ // NOTE: all vectors are roots of: a + b * lambda = 0 (mod n)
+ var a0;
+ var b0;
+ // First vector
+ var a1;
+ var b1;
+ // Second vector
+ var a2;
+ var b2;
+
+ var prevR;
+ var i = 0;
+ var r;
+ var x;
+ while (u.cmpn(0) !== 0) {
+ var q = v.div(u);
+ r = v.sub(q.mul(u));
+ x = x2.sub(q.mul(x1));
+ var y = y2.sub(q.mul(y1));
+
+ if (!a1 && r.cmp(aprxSqrt) < 0) {
+ a0 = prevR.neg();
+ b0 = x1;
+ a1 = r.neg();
+ b1 = x;
+ } else if (a1 && ++i === 2) {
+ break;
+ }
+ prevR = r;
+
+ v = u;
+ u = r;
+ x2 = x1;
+ x1 = x;
+ y2 = y1;
+ y1 = y;
+ }
+ a2 = r.neg();
+ b2 = x;
+
+ var len1 = a1.sqr().add(b1.sqr());
+ var len2 = a2.sqr().add(b2.sqr());
+ if (len2.cmp(len1) >= 0) {
+ a2 = a0;
+ b2 = b0;
+ }
+
+ // Normalize signs
+ if (a1.negative) {
+ a1 = a1.neg();
+ b1 = b1.neg();
+ }
+ if (a2.negative) {
+ a2 = a2.neg();
+ b2 = b2.neg();
+ }
+
+ return [
+ { a: a1, b: b1 },
+ { a: a2, b: b2 }
+ ];
+};
+
+ShortCurve.prototype._endoSplit = function _endoSplit(k) {
+ var basis = this.endo.basis;
+ var v1 = basis[0];
+ var v2 = basis[1];
+
+ var c1 = v2.b.mul(k).divRound(this.n);
+ var c2 = v1.b.neg().mul(k).divRound(this.n);
+
+ var p1 = c1.mul(v1.a);
+ var p2 = c2.mul(v2.a);
+ var q1 = c1.mul(v1.b);
+ var q2 = c2.mul(v2.b);
+
+ // Calculate answer
+ var k1 = k.sub(p1).sub(p2);
+ var k2 = q1.add(q2).neg();
+ return { k1: k1, k2: k2 };
+};
+
+ShortCurve.prototype.pointFromX = function pointFromX(x, odd) {
+ x = new BN(x, 16);
+ if (!x.red)
+ x = x.toRed(this.red);
+
+ var y2 = x.redSqr().redMul(x).redIAdd(x.redMul(this.a)).redIAdd(this.b);
+ var y = y2.redSqrt();
+ if (y.redSqr().redSub(y2).cmp(this.zero) !== 0)
+ throw new Error('invalid point');
+
+ // XXX Is there any way to tell if the number is odd without converting it
+ // to non-red form?
+ var isOdd = y.fromRed().isOdd();
+ if (odd && !isOdd || !odd && isOdd)
+ y = y.redNeg();
+
+ return this.point(x, y);
+};
+
+ShortCurve.prototype.validate = function validate(point) {
+ if (point.inf)
+ return true;
+
+ var x = point.x;
+ var y = point.y;
+
+ var ax = this.a.redMul(x);
+ var rhs = x.redSqr().redMul(x).redIAdd(ax).redIAdd(this.b);
+ return y.redSqr().redISub(rhs).cmpn(0) === 0;
+};
+
+ShortCurve.prototype._endoWnafMulAdd =
+ function _endoWnafMulAdd(points, coeffs, jacobianResult) {
+ var npoints = this._endoWnafT1;
+ var ncoeffs = this._endoWnafT2;
+ for (var i = 0; i < points.length; i++) {
+ var split = this._endoSplit(coeffs[i]);
+ var p = points[i];
+ var beta = p._getBeta();
+
+ if (split.k1.negative) {
+ split.k1.ineg();
+ p = p.neg(true);
+ }
+ if (split.k2.negative) {
+ split.k2.ineg();
+ beta = beta.neg(true);
+ }
+
+ npoints[i * 2] = p;
+ npoints[i * 2 + 1] = beta;
+ ncoeffs[i * 2] = split.k1;
+ ncoeffs[i * 2 + 1] = split.k2;
+ }
+ var res = this._wnafMulAdd(1, npoints, ncoeffs, i * 2, jacobianResult);
+
+ // Clean-up references to points and coefficients
+ for (var j = 0; j < i * 2; j++) {
+ npoints[j] = null;
+ ncoeffs[j] = null;
+ }
+ return res;
+};
+
+function Point(curve, x, y, isRed) {
+ Base.BasePoint.call(this, curve, 'affine');
+ if (x === null && y === null) {
+ this.x = null;
+ this.y = null;
+ this.inf = true;
+ } else {
+ this.x = new BN(x, 16);
+ this.y = new BN(y, 16);
+ // Force redgomery representation when loading from JSON
+ if (isRed) {
+ this.x.forceRed(this.curve.red);
+ this.y.forceRed(this.curve.red);
+ }
+ if (!this.x.red)
+ this.x = this.x.toRed(this.curve.red);
+ if (!this.y.red)
+ this.y = this.y.toRed(this.curve.red);
+ this.inf = false;
+ }
+}
+inherits(Point, Base.BasePoint);
+
+ShortCurve.prototype.point = function point(x, y, isRed) {
+ return new Point(this, x, y, isRed);
+};
+
+ShortCurve.prototype.pointFromJSON = function pointFromJSON(obj, red) {
+ return Point.fromJSON(this, obj, red);
+};
+
+Point.prototype._getBeta = function _getBeta() {
+ if (!this.curve.endo)
+ return;
+
+ var pre = this.precomputed;
+ if (pre && pre.beta)
+ return pre.beta;
+
+ var beta = this.curve.point(this.x.redMul(this.curve.endo.beta), this.y);
+ if (pre) {
+ var curve = this.curve;
+ var endoMul = function(p) {
+ return curve.point(p.x.redMul(curve.endo.beta), p.y);
+ };
+ pre.beta = beta;
+ beta.precomputed = {
+ beta: null,
+ naf: pre.naf && {
+ wnd: pre.naf.wnd,
+ points: pre.naf.points.map(endoMul)
+ },
+ doubles: pre.doubles && {
+ step: pre.doubles.step,
+ points: pre.doubles.points.map(endoMul)
+ }
+ };
+ }
+ return beta;
+};
+
+Point.prototype.toJSON = function toJSON() {
+ if (!this.precomputed)
+ return [ this.x, this.y ];
+
+ return [ this.x, this.y, this.precomputed && {
+ doubles: this.precomputed.doubles && {
+ step: this.precomputed.doubles.step,
+ points: this.precomputed.doubles.points.slice(1)
+ },
+ naf: this.precomputed.naf && {
+ wnd: this.precomputed.naf.wnd,
+ points: this.precomputed.naf.points.slice(1)
+ }
+ } ];
+};
+
+Point.fromJSON = function fromJSON(curve, obj, red) {
+ if (typeof obj === 'string')
+ obj = JSON.parse(obj);
+ var res = curve.point(obj[0], obj[1], red);
+ if (!obj[2])
+ return res;
+
+ function obj2point(obj) {
+ return curve.point(obj[0], obj[1], red);
+ }
+
+ var pre = obj[2];
+ res.precomputed = {
+ beta: null,
+ doubles: pre.doubles && {
+ step: pre.doubles.step,
+ points: [ res ].concat(pre.doubles.points.map(obj2point))
+ },
+ naf: pre.naf && {
+ wnd: pre.naf.wnd,
+ points: [ res ].concat(pre.naf.points.map(obj2point))
+ }
+ };
+ return res;
+};
+
+Point.prototype.inspect = function inspect() {
+ if (this.isInfinity())
+ return '<EC Point Infinity>';
+ return '<EC Point x: ' + this.x.fromRed().toString(16, 2) +
+ ' y: ' + this.y.fromRed().toString(16, 2) + '>';
+};
+
+Point.prototype.isInfinity = function isInfinity() {
+ return this.inf;
+};
+
+Point.prototype.add = function add(p) {
+ // O + P = P
+ if (this.inf)
+ return p;
+
+ // P + O = P
+ if (p.inf)
+ return this;
+
+ // P + P = 2P
+ if (this.eq(p))
+ return this.dbl();
+
+ // P + (-P) = O
+ if (this.neg().eq(p))
+ return this.curve.point(null, null);
+
+ // P + Q = O
+ if (this.x.cmp(p.x) === 0)
+ return this.curve.point(null, null);
+
+ var c = this.y.redSub(p.y);
+ if (c.cmpn(0) !== 0)
+ c = c.redMul(this.x.redSub(p.x).redInvm());
+ var nx = c.redSqr().redISub(this.x).redISub(p.x);
+ var ny = c.redMul(this.x.redSub(nx)).redISub(this.y);
+ return this.curve.point(nx, ny);
+};
+
+Point.prototype.dbl = function dbl() {
+ if (this.inf)
+ return this;
+
+ // 2P = O
+ var ys1 = this.y.redAdd(this.y);
+ if (ys1.cmpn(0) === 0)
+ return this.curve.point(null, null);
+
+ var a = this.curve.a;
+
+ var x2 = this.x.redSqr();
+ var dyinv = ys1.redInvm();
+ var c = x2.redAdd(x2).redIAdd(x2).redIAdd(a).redMul(dyinv);
+
+ var nx = c.redSqr().redISub(this.x.redAdd(this.x));
+ var ny = c.redMul(this.x.redSub(nx)).redISub(this.y);
+ return this.curve.point(nx, ny);
+};
+
+Point.prototype.getX = function getX() {
+ return this.x.fromRed();
+};
+
+Point.prototype.getY = function getY() {
+ return this.y.fromRed();
+};
+
+Point.prototype.mul = function mul(k) {
+ k = new BN(k, 16);
+
+ if (this._hasDoubles(k))
+ return this.curve._fixedNafMul(this, k);
+ else if (this.curve.endo)
+ return this.curve._endoWnafMulAdd([ this ], [ k ]);
+ else
+ return this.curve._wnafMul(this, k);
+};
+
+Point.prototype.mulAdd = function mulAdd(k1, p2, k2) {
+ var points = [ this, p2 ];
+ var coeffs = [ k1, k2 ];
+ if (this.curve.endo)
+ return this.curve._endoWnafMulAdd(points, coeffs);
+ else
+ return this.curve._wnafMulAdd(1, points, coeffs, 2);
+};
+
+Point.prototype.jmulAdd = function jmulAdd(k1, p2, k2) {
+ var points = [ this, p2 ];
+ var coeffs = [ k1, k2 ];
+ if (this.curve.endo)
+ return this.curve._endoWnafMulAdd(points, coeffs, true);
+ else
+ return this.curve._wnafMulAdd(1, points, coeffs, 2, true);
+};
+
+Point.prototype.eq = function eq(p) {
+ return this === p ||
+ this.inf === p.inf &&
+ (this.inf || this.x.cmp(p.x) === 0 && this.y.cmp(p.y) === 0);
+};
+
+Point.prototype.neg = function neg(_precompute) {
+ if (this.inf)
+ return this;
+
+ var res = this.curve.point(this.x, this.y.redNeg());
+ if (_precompute && this.precomputed) {
+ var pre = this.precomputed;
+ var negate = function(p) {
+ return p.neg();
+ };
+ res.precomputed = {
+ naf: pre.naf && {
+ wnd: pre.naf.wnd,
+ points: pre.naf.points.map(negate)
+ },
+ doubles: pre.doubles && {
+ step: pre.doubles.step,
+ points: pre.doubles.points.map(negate)
+ }
+ };
+ }
+ return res;
+};
+
+Point.prototype.toJ = function toJ() {
+ if (this.inf)
+ return this.curve.jpoint(null, null, null);
+
+ var res = this.curve.jpoint(this.x, this.y, this.curve.one);
+ return res;
+};
+
+function JPoint(curve, x, y, z) {
+ Base.BasePoint.call(this, curve, 'jacobian');
+ if (x === null && y === null && z === null) {
+ this.x = this.curve.one;
+ this.y = this.curve.one;
+ this.z = new BN(0);
+ } else {
+ this.x = new BN(x, 16);
+ this.y = new BN(y, 16);
+ this.z = new BN(z, 16);
+ }
+ if (!this.x.red)
+ this.x = this.x.toRed(this.curve.red);
+ if (!this.y.red)
+ this.y = this.y.toRed(this.curve.red);
+ if (!this.z.red)
+ this.z = this.z.toRed(this.curve.red);
+
+ this.zOne = this.z === this.curve.one;
+}
+inherits(JPoint, Base.BasePoint);
+
+ShortCurve.prototype.jpoint = function jpoint(x, y, z) {
+ return new JPoint(this, x, y, z);
+};
+
+JPoint.prototype.toP = function toP() {
+ if (this.isInfinity())
+ return this.curve.point(null, null);
+
+ var zinv = this.z.redInvm();
+ var zinv2 = zinv.redSqr();
+ var ax = this.x.redMul(zinv2);
+ var ay = this.y.redMul(zinv2).redMul(zinv);
+
+ return this.curve.point(ax, ay);
+};
+
+JPoint.prototype.neg = function neg() {
+ return this.curve.jpoint(this.x, this.y.redNeg(), this.z);
+};
+
+JPoint.prototype.add = function add(p) {
+ // O + P = P
+ if (this.isInfinity())
+ return p;
+
+ // P + O = P
+ if (p.isInfinity())
+ return this;
+
+ // 12M + 4S + 7A
+ var pz2 = p.z.redSqr();
+ var z2 = this.z.redSqr();
+ var u1 = this.x.redMul(pz2);
+ var u2 = p.x.redMul(z2);
+ var s1 = this.y.redMul(pz2.redMul(p.z));
+ var s2 = p.y.redMul(z2.redMul(this.z));
+
+ var h = u1.redSub(u2);
+ var r = s1.redSub(s2);
+ if (h.cmpn(0) === 0) {
+ if (r.cmpn(0) !== 0)
+ return this.curve.jpoint(null, null, null);
+ else
+ return this.dbl();
+ }
+
+ var h2 = h.redSqr();
+ var h3 = h2.redMul(h);
+ var v = u1.redMul(h2);
+
+ var nx = r.redSqr().redIAdd(h3).redISub(v).redISub(v);
+ var ny = r.redMul(v.redISub(nx)).redISub(s1.redMul(h3));
+ var nz = this.z.redMul(p.z).redMul(h);
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype.mixedAdd = function mixedAdd(p) {
+ // O + P = P
+ if (this.isInfinity())
+ return p.toJ();
+
+ // P + O = P
+ if (p.isInfinity())
+ return this;
+
+ // 8M + 3S + 7A
+ var z2 = this.z.redSqr();
+ var u1 = this.x;
+ var u2 = p.x.redMul(z2);
+ var s1 = this.y;
+ var s2 = p.y.redMul(z2).redMul(this.z);
+
+ var h = u1.redSub(u2);
+ var r = s1.redSub(s2);
+ if (h.cmpn(0) === 0) {
+ if (r.cmpn(0) !== 0)
+ return this.curve.jpoint(null, null, null);
+ else
+ return this.dbl();
+ }
+
+ var h2 = h.redSqr();
+ var h3 = h2.redMul(h);
+ var v = u1.redMul(h2);
+
+ var nx = r.redSqr().redIAdd(h3).redISub(v).redISub(v);
+ var ny = r.redMul(v.redISub(nx)).redISub(s1.redMul(h3));
+ var nz = this.z.redMul(h);
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype.dblp = function dblp(pow) {
+ if (pow === 0)
+ return this;
+ if (this.isInfinity())
+ return this;
+ if (!pow)
+ return this.dbl();
+
+ if (this.curve.zeroA || this.curve.threeA) {
+ var r = this;
+ for (var i = 0; i < pow; i++)
+ r = r.dbl();
+ return r;
+ }
+
+ // 1M + 2S + 1A + N * (4S + 5M + 8A)
+ // N = 1 => 6M + 6S + 9A
+ var a = this.curve.a;
+ var tinv = this.curve.tinv;
+
+ var jx = this.x;
+ var jy = this.y;
+ var jz = this.z;
+ var jz4 = jz.redSqr().redSqr();
+
+ // Reuse results
+ var jyd = jy.redAdd(jy);
+ for (var i = 0; i < pow; i++) {
+ var jx2 = jx.redSqr();
+ var jyd2 = jyd.redSqr();
+ var jyd4 = jyd2.redSqr();
+ var c = jx2.redAdd(jx2).redIAdd(jx2).redIAdd(a.redMul(jz4));
+
+ var t1 = jx.redMul(jyd2);
+ var nx = c.redSqr().redISub(t1.redAdd(t1));
+ var t2 = t1.redISub(nx);
+ var dny = c.redMul(t2);
+ dny = dny.redIAdd(dny).redISub(jyd4);
+ var nz = jyd.redMul(jz);
+ if (i + 1 < pow)
+ jz4 = jz4.redMul(jyd4);
+
+ jx = nx;
+ jz = nz;
+ jyd = dny;
+ }
+
+ return this.curve.jpoint(jx, jyd.redMul(tinv), jz);
+};
+
+JPoint.prototype.dbl = function dbl() {
+ if (this.isInfinity())
+ return this;
+
+ if (this.curve.zeroA)
+ return this._zeroDbl();
+ else if (this.curve.threeA)
+ return this._threeDbl();
+ else
+ return this._dbl();
+};
+
+JPoint.prototype._zeroDbl = function _zeroDbl() {
+ var nx;
+ var ny;
+ var nz;
+ // Z = 1
+ if (this.zOne) {
+ // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html
+ // #doubling-mdbl-2007-bl
+ // 1M + 5S + 14A
+
+ // XX = X1^2
+ var xx = this.x.redSqr();
+ // YY = Y1^2
+ var yy = this.y.redSqr();
+ // YYYY = YY^2
+ var yyyy = yy.redSqr();
+ // S = 2 * ((X1 + YY)^2 - XX - YYYY)
+ var s = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
+ s = s.redIAdd(s);
+ // M = 3 * XX + a; a = 0
+ var m = xx.redAdd(xx).redIAdd(xx);
+ // T = M ^ 2 - 2*S
+ var t = m.redSqr().redISub(s).redISub(s);
+
+ // 8 * YYYY
+ var yyyy8 = yyyy.redIAdd(yyyy);
+ yyyy8 = yyyy8.redIAdd(yyyy8);
+ yyyy8 = yyyy8.redIAdd(yyyy8);
+
+ // X3 = T
+ nx = t;
+ // Y3 = M * (S - T) - 8 * YYYY
+ ny = m.redMul(s.redISub(t)).redISub(yyyy8);
+ // Z3 = 2*Y1
+ nz = this.y.redAdd(this.y);
+ } else {
+ // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html
+ // #doubling-dbl-2009-l
+ // 2M + 5S + 13A
+
+ // A = X1^2
+ var a = this.x.redSqr();
+ // B = Y1^2
+ var b = this.y.redSqr();
+ // C = B^2
+ var c = b.redSqr();
+ // D = 2 * ((X1 + B)^2 - A - C)
+ var d = this.x.redAdd(b).redSqr().redISub(a).redISub(c);
+ d = d.redIAdd(d);
+ // E = 3 * A
+ var e = a.redAdd(a).redIAdd(a);
+ // F = E^2
+ var f = e.redSqr();
+
+ // 8 * C
+ var c8 = c.redIAdd(c);
+ c8 = c8.redIAdd(c8);
+ c8 = c8.redIAdd(c8);
+
+ // X3 = F - 2 * D
+ nx = f.redISub(d).redISub(d);
+ // Y3 = E * (D - X3) - 8 * C
+ ny = e.redMul(d.redISub(nx)).redISub(c8);
+ // Z3 = 2 * Y1 * Z1
+ nz = this.y.redMul(this.z);
+ nz = nz.redIAdd(nz);
+ }
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype._threeDbl = function _threeDbl() {
+ var nx;
+ var ny;
+ var nz;
+ // Z = 1
+ if (this.zOne) {
+ // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html
+ // #doubling-mdbl-2007-bl
+ // 1M + 5S + 15A
+
+ // XX = X1^2
+ var xx = this.x.redSqr();
+ // YY = Y1^2
+ var yy = this.y.redSqr();
+ // YYYY = YY^2
+ var yyyy = yy.redSqr();
+ // S = 2 * ((X1 + YY)^2 - XX - YYYY)
+ var s = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
+ s = s.redIAdd(s);
+ // M = 3 * XX + a
+ var m = xx.redAdd(xx).redIAdd(xx).redIAdd(this.curve.a);
+ // T = M^2 - 2 * S
+ var t = m.redSqr().redISub(s).redISub(s);
+ // X3 = T
+ nx = t;
+ // Y3 = M * (S - T) - 8 * YYYY
+ var yyyy8 = yyyy.redIAdd(yyyy);
+ yyyy8 = yyyy8.redIAdd(yyyy8);
+ yyyy8 = yyyy8.redIAdd(yyyy8);
+ ny = m.redMul(s.redISub(t)).redISub(yyyy8);
+ // Z3 = 2 * Y1
+ nz = this.y.redAdd(this.y);
+ } else {
+ // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+ // 3M + 5S
+
+ // delta = Z1^2
+ var delta = this.z.redSqr();
+ // gamma = Y1^2
+ var gamma = this.y.redSqr();
+ // beta = X1 * gamma
+ var beta = this.x.redMul(gamma);
+ // alpha = 3 * (X1 - delta) * (X1 + delta)
+ var alpha = this.x.redSub(delta).redMul(this.x.redAdd(delta));
+ alpha = alpha.redAdd(alpha).redIAdd(alpha);
+ // X3 = alpha^2 - 8 * beta
+ var beta4 = beta.redIAdd(beta);
+ beta4 = beta4.redIAdd(beta4);
+ var beta8 = beta4.redAdd(beta4);
+ nx = alpha.redSqr().redISub(beta8);
+ // Z3 = (Y1 + Z1)^2 - gamma - delta
+ nz = this.y.redAdd(this.z).redSqr().redISub(gamma).redISub(delta);
+ // Y3 = alpha * (4 * beta - X3) - 8 * gamma^2
+ var ggamma8 = gamma.redSqr();
+ ggamma8 = ggamma8.redIAdd(ggamma8);
+ ggamma8 = ggamma8.redIAdd(ggamma8);
+ ggamma8 = ggamma8.redIAdd(ggamma8);
+ ny = alpha.redMul(beta4.redISub(nx)).redISub(ggamma8);
+ }
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype._dbl = function _dbl() {
+ var a = this.curve.a;
+
+ // 4M + 6S + 10A
+ var jx = this.x;
+ var jy = this.y;
+ var jz = this.z;
+ var jz4 = jz.redSqr().redSqr();
+
+ var jx2 = jx.redSqr();
+ var jy2 = jy.redSqr();
+
+ var c = jx2.redAdd(jx2).redIAdd(jx2).redIAdd(a.redMul(jz4));
+
+ var jxd4 = jx.redAdd(jx);
+ jxd4 = jxd4.redIAdd(jxd4);
+ var t1 = jxd4.redMul(jy2);
+ var nx = c.redSqr().redISub(t1.redAdd(t1));
+ var t2 = t1.redISub(nx);
+
+ var jyd8 = jy2.redSqr();
+ jyd8 = jyd8.redIAdd(jyd8);
+ jyd8 = jyd8.redIAdd(jyd8);
+ jyd8 = jyd8.redIAdd(jyd8);
+ var ny = c.redMul(t2).redISub(jyd8);
+ var nz = jy.redAdd(jy).redMul(jz);
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype.trpl = function trpl() {
+ if (!this.curve.zeroA)
+ return this.dbl().add(this);
+
+ // hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#tripling-tpl-2007-bl
+ // 5M + 10S + ...
+
+ // XX = X1^2
+ var xx = this.x.redSqr();
+ // YY = Y1^2
+ var yy = this.y.redSqr();
+ // ZZ = Z1^2
+ var zz = this.z.redSqr();
+ // YYYY = YY^2
+ var yyyy = yy.redSqr();
+ // M = 3 * XX + a * ZZ2; a = 0
+ var m = xx.redAdd(xx).redIAdd(xx);
+ // MM = M^2
+ var mm = m.redSqr();
+ // E = 6 * ((X1 + YY)^2 - XX - YYYY) - MM
+ var e = this.x.redAdd(yy).redSqr().redISub(xx).redISub(yyyy);
+ e = e.redIAdd(e);
+ e = e.redAdd(e).redIAdd(e);
+ e = e.redISub(mm);
+ // EE = E^2
+ var ee = e.redSqr();
+ // T = 16*YYYY
+ var t = yyyy.redIAdd(yyyy);
+ t = t.redIAdd(t);
+ t = t.redIAdd(t);
+ t = t.redIAdd(t);
+ // U = (M + E)^2 - MM - EE - T
+ var u = m.redIAdd(e).redSqr().redISub(mm).redISub(ee).redISub(t);
+ // X3 = 4 * (X1 * EE - 4 * YY * U)
+ var yyu4 = yy.redMul(u);
+ yyu4 = yyu4.redIAdd(yyu4);
+ yyu4 = yyu4.redIAdd(yyu4);
+ var nx = this.x.redMul(ee).redISub(yyu4);
+ nx = nx.redIAdd(nx);
+ nx = nx.redIAdd(nx);
+ // Y3 = 8 * Y1 * (U * (T - U) - E * EE)
+ var ny = this.y.redMul(u.redMul(t.redISub(u)).redISub(e.redMul(ee)));
+ ny = ny.redIAdd(ny);
+ ny = ny.redIAdd(ny);
+ ny = ny.redIAdd(ny);
+ // Z3 = (Z1 + E)^2 - ZZ - EE
+ var nz = this.z.redAdd(e).redSqr().redISub(zz).redISub(ee);
+
+ return this.curve.jpoint(nx, ny, nz);
+};
+
+JPoint.prototype.mul = function mul(k, kbase) {
+ k = new BN(k, kbase);
+
+ return this.curve._wnafMul(this, k);
+};
+
+JPoint.prototype.eq = function eq(p) {
+ if (p.type === 'affine')
+ return this.eq(p.toJ());
+
+ if (this === p)
+ return true;
+
+ // x1 * z2^2 == x2 * z1^2
+ var z2 = this.z.redSqr();
+ var pz2 = p.z.redSqr();
+ if (this.x.redMul(pz2).redISub(p.x.redMul(z2)).cmpn(0) !== 0)
+ return false;
+
+ // y1 * z2^3 == y2 * z1^3
+ var z3 = z2.redMul(this.z);
+ var pz3 = pz2.redMul(p.z);
+ return this.y.redMul(pz3).redISub(p.y.redMul(z3)).cmpn(0) === 0;
+};
+
+JPoint.prototype.eqXToP = function eqXToP(x) {
+ var zs = this.z.redSqr();
+ var rx = x.toRed(this.curve.red).redMul(zs);
+ if (this.x.cmp(rx) === 0)
+ return true;
+
+ var xc = x.clone();
+ var t = this.curve.redN.redMul(zs);
+ for (;;) {
+ xc.iadd(this.curve.n);
+ if (xc.cmp(this.curve.p) >= 0)
+ return false;
+
+ rx.redIAdd(t);
+ if (this.x.cmp(rx) === 0)
+ return true;
+ }
+ return false;
+};
+
+JPoint.prototype.inspect = function inspect() {
+ if (this.isInfinity())
+ return '<EC JPoint Infinity>';
+ return '<EC JPoint x: ' + this.x.toString(16, 2) +
+ ' y: ' + this.y.toString(16, 2) +
+ ' z: ' + this.z.toString(16, 2) + '>';
+};
+
+JPoint.prototype.isInfinity = function isInfinity() {
+ // XXX This code assumes that zero is always zero in red
+ return this.z.cmpn(0) === 0;
+};
+
+},{"../../elliptic":97,"../curve":100,"bn.js":81,"inherits":121}],103:[function(require,module,exports){
+'use strict';
+
+var curves = exports;
+
+var hash = require('hash.js');
+var elliptic = require('../elliptic');
+
+var assert = elliptic.utils.assert;
+
+function PresetCurve(options) {
+ if (options.type === 'short')
+ this.curve = new elliptic.curve.short(options);
+ else if (options.type === 'edwards')
+ this.curve = new elliptic.curve.edwards(options);
+ else
+ this.curve = new elliptic.curve.mont(options);
+ this.g = this.curve.g;
+ this.n = this.curve.n;
+ this.hash = options.hash;
+
+ assert(this.g.validate(), 'Invalid curve');
+ assert(this.g.mul(this.n).isInfinity(), 'Invalid curve, G*N != O');
+}
+curves.PresetCurve = PresetCurve;
+
+function defineCurve(name, options) {
+ Object.defineProperty(curves, name, {
+ configurable: true,
+ enumerable: true,
+ get: function() {
+ var curve = new PresetCurve(options);
+ Object.defineProperty(curves, name, {
+ configurable: true,
+ enumerable: true,
+ value: curve
+ });
+ return curve;
+ }
+ });
+}
+
+defineCurve('p192', {
+ type: 'short',
+ prime: 'p192',
+ p: 'ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff',
+ a: 'ffffffff ffffffff ffffffff fffffffe ffffffff fffffffc',
+ b: '64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1',
+ n: 'ffffffff ffffffff ffffffff 99def836 146bc9b1 b4d22831',
+ hash: hash.sha256,
+ gRed: false,
+ g: [
+ '188da80e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012',
+ '07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811'
+ ]
+});
+
+defineCurve('p224', {
+ type: 'short',
+ prime: 'p224',
+ p: 'ffffffff ffffffff ffffffff ffffffff 00000000 00000000 00000001',
+ a: 'ffffffff ffffffff ffffffff fffffffe ffffffff ffffffff fffffffe',
+ b: 'b4050a85 0c04b3ab f5413256 5044b0b7 d7bfd8ba 270b3943 2355ffb4',
+ n: 'ffffffff ffffffff ffffffff ffff16a2 e0b8f03e 13dd2945 5c5c2a3d',
+ hash: hash.sha256,
+ gRed: false,
+ g: [
+ 'b70e0cbd 6bb4bf7f 321390b9 4a03c1d3 56c21122 343280d6 115c1d21',
+ 'bd376388 b5f723fb 4c22dfe6 cd4375a0 5a074764 44d58199 85007e34'
+ ]
+});
+
+defineCurve('p256', {
+ type: 'short',
+ prime: null,
+ p: 'ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff ffffffff',
+ a: 'ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff fffffffc',
+ b: '5ac635d8 aa3a93e7 b3ebbd55 769886bc 651d06b0 cc53b0f6 3bce3c3e 27d2604b',
+ n: 'ffffffff 00000000 ffffffff ffffffff bce6faad a7179e84 f3b9cac2 fc632551',
+ hash: hash.sha256,
+ gRed: false,
+ g: [
+ '6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296',
+ '4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5'
+ ]
+});
+
+defineCurve('p384', {
+ type: 'short',
+ prime: null,
+ p: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'fffffffe ffffffff 00000000 00000000 ffffffff',
+ a: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'fffffffe ffffffff 00000000 00000000 fffffffc',
+ b: 'b3312fa7 e23ee7e4 988e056b e3f82d19 181d9c6e fe814112 0314088f ' +
+ '5013875a c656398d 8a2ed19d 2a85c8ed d3ec2aef',
+ n: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff c7634d81 ' +
+ 'f4372ddf 581a0db2 48b0a77a ecec196a ccc52973',
+ hash: hash.sha384,
+ gRed: false,
+ g: [
+ 'aa87ca22 be8b0537 8eb1c71e f320ad74 6e1d3b62 8ba79b98 59f741e0 82542a38 ' +
+ '5502f25d bf55296c 3a545e38 72760ab7',
+ '3617de4a 96262c6f 5d9e98bf 9292dc29 f8f41dbd 289a147c e9da3113 b5f0b8c0 ' +
+ '0a60b1ce 1d7e819d 7a431d7c 90ea0e5f'
+ ]
+});
+
+defineCurve('p521', {
+ type: 'short',
+ prime: null,
+ p: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'ffffffff ffffffff ffffffff ffffffff ffffffff',
+ a: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'ffffffff ffffffff ffffffff ffffffff fffffffc',
+ b: '00000051 953eb961 8e1c9a1f 929a21a0 b68540ee a2da725b ' +
+ '99b315f3 b8b48991 8ef109e1 56193951 ec7e937b 1652c0bd ' +
+ '3bb1bf07 3573df88 3d2c34f1 ef451fd4 6b503f00',
+ n: '000001ff ffffffff ffffffff ffffffff ffffffff ffffffff ' +
+ 'ffffffff ffffffff fffffffa 51868783 bf2f966b 7fcc0148 ' +
+ 'f709a5d0 3bb5c9b8 899c47ae bb6fb71e 91386409',
+ hash: hash.sha512,
+ gRed: false,
+ g: [
+ '000000c6 858e06b7 0404e9cd 9e3ecb66 2395b442 9c648139 ' +
+ '053fb521 f828af60 6b4d3dba a14b5e77 efe75928 fe1dc127 ' +
+ 'a2ffa8de 3348b3c1 856a429b f97e7e31 c2e5bd66',
+ '00000118 39296a78 9a3bc004 5c8a5fb4 2c7d1bd9 98f54449 ' +
+ '579b4468 17afbd17 273e662c 97ee7299 5ef42640 c550b901 ' +
+ '3fad0761 353c7086 a272c240 88be9476 9fd16650'
+ ]
+});
+
+defineCurve('curve25519', {
+ type: 'mont',
+ prime: 'p25519',
+ p: '7fffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffed',
+ a: '76d06',
+ b: '1',
+ n: '1000000000000000 0000000000000000 14def9dea2f79cd6 5812631a5cf5d3ed',
+ hash: hash.sha256,
+ gRed: false,
+ g: [
+ '9'
+ ]
+});
+
+defineCurve('ed25519', {
+ type: 'edwards',
+ prime: 'p25519',
+ p: '7fffffffffffffff ffffffffffffffff ffffffffffffffff ffffffffffffffed',
+ a: '-1',
+ c: '1',
+ // -121665 * (121666^(-1)) (mod P)
+ d: '52036cee2b6ffe73 8cc740797779e898 00700a4d4141d8ab 75eb4dca135978a3',
+ n: '1000000000000000 0000000000000000 14def9dea2f79cd6 5812631a5cf5d3ed',
+ hash: hash.sha256,
+ gRed: false,
+ g: [
+ '216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a',
+
+ // 4/5
+ '6666666666666666666666666666666666666666666666666666666666666658'
+ ]
+});
+
+var pre;
+try {
+ pre = require('./precomputed/secp256k1');
+} catch (e) {
+ pre = undefined;
+}
+
+defineCurve('secp256k1', {
+ type: 'short',
+ prime: 'k256',
+ p: 'ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f',
+ a: '0',
+ b: '7',
+ n: 'ffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141',
+ h: '1',
+ hash: hash.sha256,
+
+ // Precomputed endomorphism
+ beta: '7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee',
+ lambda: '5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72',
+ basis: [
+ {
+ a: '3086d221a7d46bcde86c90e49284eb15',
+ b: '-e4437ed6010e88286f547fa90abfe4c3'
+ },
+ {
+ a: '114ca50f7a8e2f3f657c1108d9d44cfd8',
+ b: '3086d221a7d46bcde86c90e49284eb15'
+ }
+ ],
+
+ gRed: false,
+ g: [
+ '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798',
+ '483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8',
+ pre
+ ]
+});
+
+},{"../elliptic":97,"./precomputed/secp256k1":110,"hash.js":114}],104:[function(require,module,exports){
+'use strict';
+
+var BN = require('bn.js');
+var HmacDRBG = require('hmac-drbg');
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var assert = utils.assert;
+
+var KeyPair = require('./key');
+var Signature = require('./signature');
+
+function EC(options) {
+ if (!(this instanceof EC))
+ return new EC(options);
+
+ // Shortcut `elliptic.ec(curve-name)`
+ if (typeof options === 'string') {
+ assert(elliptic.curves.hasOwnProperty(options), 'Unknown curve ' + options);
+
+ options = elliptic.curves[options];
+ }
+
+ // Shortcut for `elliptic.ec(elliptic.curves.curveName)`
+ if (options instanceof elliptic.curves.PresetCurve)
+ options = { curve: options };
+
+ this.curve = options.curve.curve;
+ this.n = this.curve.n;
+ this.nh = this.n.ushrn(1);
+ this.g = this.curve.g;
+
+ // Point on curve
+ this.g = options.curve.g;
+ this.g.precompute(options.curve.n.bitLength() + 1);
+
+ // Hash for function for DRBG
+ this.hash = options.hash || options.curve.hash;
+}
+module.exports = EC;
+
+EC.prototype.keyPair = function keyPair(options) {
+ return new KeyPair(this, options);
+};
+
+EC.prototype.keyFromPrivate = function keyFromPrivate(priv, enc) {
+ return KeyPair.fromPrivate(this, priv, enc);
+};
+
+EC.prototype.keyFromPublic = function keyFromPublic(pub, enc) {
+ return KeyPair.fromPublic(this, pub, enc);
+};
+
+EC.prototype.genKeyPair = function genKeyPair(options) {
+ if (!options)
+ options = {};
+
+ // Instantiate Hmac_DRBG
+ var drbg = new HmacDRBG({
+ hash: this.hash,
+ pers: options.pers,
+ persEnc: options.persEnc || 'utf8',
+ entropy: options.entropy || elliptic.rand(this.hash.hmacStrength),
+ entropyEnc: options.entropy && options.entropyEnc || 'utf8',
+ nonce: this.n.toArray()
+ });
+
+ var bytes = this.n.byteLength();
+ var ns2 = this.n.sub(new BN(2));
+ do {
+ var priv = new BN(drbg.generate(bytes));
+ if (priv.cmp(ns2) > 0)
+ continue;
+
+ priv.iaddn(1);
+ return this.keyFromPrivate(priv);
+ } while (true);
+};
+
+EC.prototype._truncateToN = function truncateToN(msg, truncOnly) {
+ var delta = msg.byteLength() * 8 - this.n.bitLength();
+ if (delta > 0)
+ msg = msg.ushrn(delta);
+ if (!truncOnly && msg.cmp(this.n) >= 0)
+ return msg.sub(this.n);
+ else
+ return msg;
+};
+
+EC.prototype.sign = function sign(msg, key, enc, options) {
+ if (typeof enc === 'object') {
+ options = enc;
+ enc = null;
+ }
+ if (!options)
+ options = {};
+
+ key = this.keyFromPrivate(key, enc);
+ msg = this._truncateToN(new BN(msg, 16));
+
+ // Zero-extend key to provide enough entropy
+ var bytes = this.n.byteLength();
+ var bkey = key.getPrivate().toArray('be', bytes);
+
+ // Zero-extend nonce to have the same byte size as N
+ var nonce = msg.toArray('be', bytes);
+
+ // Instantiate Hmac_DRBG
+ var drbg = new HmacDRBG({
+ hash: this.hash,
+ entropy: bkey,
+ nonce: nonce,
+ pers: options.pers,
+ persEnc: options.persEnc || 'utf8'
+ });
+
+ // Number of bytes to generate
+ var ns1 = this.n.sub(new BN(1));
+
+ for (var iter = 0; true; iter++) {
+ var k = options.k ?
+ options.k(iter) :
+ new BN(drbg.generate(this.n.byteLength()));
+ k = this._truncateToN(k, true);
+ if (k.cmpn(1) <= 0 || k.cmp(ns1) >= 0)
+ continue;
+
+ var kp = this.g.mul(k);
+ if (kp.isInfinity())
+ continue;
+
+ var kpX = kp.getX();
+ var r = kpX.umod(this.n);
+ if (r.cmpn(0) === 0)
+ continue;
+
+ var s = k.invm(this.n).mul(r.mul(key.getPrivate()).iadd(msg));
+ s = s.umod(this.n);
+ if (s.cmpn(0) === 0)
+ continue;
+
+ var recoveryParam = (kp.getY().isOdd() ? 1 : 0) |
+ (kpX.cmp(r) !== 0 ? 2 : 0);
+
+ // Use complement of `s`, if it is > `n / 2`
+ if (options.canonical && s.cmp(this.nh) > 0) {
+ s = this.n.sub(s);
+ recoveryParam ^= 1;
+ }
+
+ return new Signature({ r: r, s: s, recoveryParam: recoveryParam });
+ }
+};
+
+EC.prototype.verify = function verify(msg, signature, key, enc) {
+ msg = this._truncateToN(new BN(msg, 16));
+ key = this.keyFromPublic(key, enc);
+ signature = new Signature(signature, 'hex');
+
+ // Perform primitive values validation
+ var r = signature.r;
+ var s = signature.s;
+ if (r.cmpn(1) < 0 || r.cmp(this.n) >= 0)
+ return false;
+ if (s.cmpn(1) < 0 || s.cmp(this.n) >= 0)
+ return false;
+
+ // Validate signature
+ var sinv = s.invm(this.n);
+ var u1 = sinv.mul(msg).umod(this.n);
+ var u2 = sinv.mul(r).umod(this.n);
+
+ if (!this.curve._maxwellTrick) {
+ var p = this.g.mulAdd(u1, key.getPublic(), u2);
+ if (p.isInfinity())
+ return false;
+
+ return p.getX().umod(this.n).cmp(r) === 0;
+ }
+
+ // NOTE: Greg Maxwell's trick, inspired by:
+ // https://git.io/vad3K
+
+ var p = this.g.jmulAdd(u1, key.getPublic(), u2);
+ if (p.isInfinity())
+ return false;
+
+ // Compare `p.x` of Jacobian point with `r`,
+ // this will do `p.x == r * p.z^2` instead of multiplying `p.x` by the
+ // inverse of `p.z^2`
+ return p.eqXToP(r);
+};
+
+EC.prototype.recoverPubKey = function(msg, signature, j, enc) {
+ assert((3 & j) === j, 'The recovery param is more than two bits');
+ signature = new Signature(signature, enc);
+
+ var n = this.n;
+ var e = new BN(msg);
+ var r = signature.r;
+ var s = signature.s;
+
+ // A set LSB signifies that the y-coordinate is odd
+ var isYOdd = j & 1;
+ var isSecondKey = j >> 1;
+ if (r.cmp(this.curve.p.umod(this.curve.n)) >= 0 && isSecondKey)
+ throw new Error('Unable to find sencond key candinate');
+
+ // 1.1. Let x = r + jn.
+ if (isSecondKey)
+ r = this.curve.pointFromX(r.add(this.curve.n), isYOdd);
+ else
+ r = this.curve.pointFromX(r, isYOdd);
+
+ var rInv = signature.r.invm(n);
+ var s1 = n.sub(e).mul(rInv).umod(n);
+ var s2 = s.mul(rInv).umod(n);
+
+ // 1.6.1 Compute Q = r^-1 (sR - eG)
+ // Q = r^-1 (sR + -eG)
+ return this.g.mulAdd(s1, r, s2);
+};
+
+EC.prototype.getKeyRecoveryParam = function(e, signature, Q, enc) {
+ signature = new Signature(signature, enc);
+ if (signature.recoveryParam !== null)
+ return signature.recoveryParam;
+
+ for (var i = 0; i < 4; i++) {
+ var Qprime;
+ try {
+ Qprime = this.recoverPubKey(e, signature, i);
+ } catch (e) {
+ continue;
+ }
+
+ if (Qprime.eq(Q))
+ return i;
+ }
+ throw new Error('Unable to find valid recovery factor');
+};
+
+},{"../../elliptic":97,"./key":105,"./signature":106,"bn.js":81,"hmac-drbg":120}],105:[function(require,module,exports){
+'use strict';
+
+var BN = require('bn.js');
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var assert = utils.assert;
+
+function KeyPair(ec, options) {
+ this.ec = ec;
+ this.priv = null;
+ this.pub = null;
+
+ // KeyPair(ec, { priv: ..., pub: ... })
+ if (options.priv)
+ this._importPrivate(options.priv, options.privEnc);
+ if (options.pub)
+ this._importPublic(options.pub, options.pubEnc);
+}
+module.exports = KeyPair;
+
+KeyPair.fromPublic = function fromPublic(ec, pub, enc) {
+ if (pub instanceof KeyPair)
+ return pub;
+
+ return new KeyPair(ec, {
+ pub: pub,
+ pubEnc: enc
+ });
+};
+
+KeyPair.fromPrivate = function fromPrivate(ec, priv, enc) {
+ if (priv instanceof KeyPair)
+ return priv;
+
+ return new KeyPair(ec, {
+ priv: priv,
+ privEnc: enc
+ });
+};
+
+KeyPair.prototype.validate = function validate() {
+ var pub = this.getPublic();
+
+ if (pub.isInfinity())
+ return { result: false, reason: 'Invalid public key' };
+ if (!pub.validate())
+ return { result: false, reason: 'Public key is not a point' };
+ if (!pub.mul(this.ec.curve.n).isInfinity())
+ return { result: false, reason: 'Public key * N != O' };
+
+ return { result: true, reason: null };
+};
+
+KeyPair.prototype.getPublic = function getPublic(compact, enc) {
+ // compact is optional argument
+ if (typeof compact === 'string') {
+ enc = compact;
+ compact = null;
+ }
+
+ if (!this.pub)
+ this.pub = this.ec.g.mul(this.priv);
+
+ if (!enc)
+ return this.pub;
+
+ return this.pub.encode(enc, compact);
+};
+
+KeyPair.prototype.getPrivate = function getPrivate(enc) {
+ if (enc === 'hex')
+ return this.priv.toString(16, 2);
+ else
+ return this.priv;
+};
+
+KeyPair.prototype._importPrivate = function _importPrivate(key, enc) {
+ this.priv = new BN(key, enc || 16);
+
+ // Ensure that the priv won't be bigger than n, otherwise we may fail
+ // in fixed multiplication method
+ this.priv = this.priv.umod(this.ec.curve.n);
+};
+
+KeyPair.prototype._importPublic = function _importPublic(key, enc) {
+ if (key.x || key.y) {
+ // Montgomery points only have an `x` coordinate.
+ // Weierstrass/Edwards points on the other hand have both `x` and
+ // `y` coordinates.
+ if (this.ec.curve.type === 'mont') {
+ assert(key.x, 'Need x coordinate');
+ } else if (this.ec.curve.type === 'short' ||
+ this.ec.curve.type === 'edwards') {
+ assert(key.x && key.y, 'Need both x and y coordinate');
+ }
+ this.pub = this.ec.curve.point(key.x, key.y);
+ return;
+ }
+ this.pub = this.ec.curve.decodePoint(key, enc);
+};
+
+// ECDH
+KeyPair.prototype.derive = function derive(pub) {
+ return pub.mul(this.priv).getX();
+};
+
+// ECDSA
+KeyPair.prototype.sign = function sign(msg, enc, options) {
+ return this.ec.sign(msg, this, enc, options);
+};
+
+KeyPair.prototype.verify = function verify(msg, signature) {
+ return this.ec.verify(msg, signature, this);
+};
+
+KeyPair.prototype.inspect = function inspect() {
+ return '<Key priv: ' + (this.priv && this.priv.toString(16, 2)) +
+ ' pub: ' + (this.pub && this.pub.inspect()) + ' >';
+};
+
+},{"../../elliptic":97,"bn.js":81}],106:[function(require,module,exports){
+'use strict';
+
+var BN = require('bn.js');
+
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var assert = utils.assert;
+
+function Signature(options, enc) {
+ if (options instanceof Signature)
+ return options;
+
+ if (this._importDER(options, enc))
+ return;
+
+ assert(options.r && options.s, 'Signature without r or s');
+ this.r = new BN(options.r, 16);
+ this.s = new BN(options.s, 16);
+ if (options.recoveryParam === undefined)
+ this.recoveryParam = null;
+ else
+ this.recoveryParam = options.recoveryParam;
+}
+module.exports = Signature;
+
+function Position() {
+ this.place = 0;
+}
+
+function getLength(buf, p) {
+ var initial = buf[p.place++];
+ if (!(initial & 0x80)) {
+ return initial;
+ }
+ var octetLen = initial & 0xf;
+ var val = 0;
+ for (var i = 0, off = p.place; i < octetLen; i++, off++) {
+ val <<= 8;
+ val |= buf[off];
+ }
+ p.place = off;
+ return val;
+}
+
+function rmPadding(buf) {
+ var i = 0;
+ var len = buf.length - 1;
+ while (!buf[i] && !(buf[i + 1] & 0x80) && i < len) {
+ i++;
+ }
+ if (i === 0) {
+ return buf;
+ }
+ return buf.slice(i);
+}
+
+Signature.prototype._importDER = function _importDER(data, enc) {
+ data = utils.toArray(data, enc);
+ var p = new Position();
+ if (data[p.place++] !== 0x30) {
+ return false;
+ }
+ var len = getLength(data, p);
+ if ((len + p.place) !== data.length) {
+ return false;
+ }
+ if (data[p.place++] !== 0x02) {
+ return false;
+ }
+ var rlen = getLength(data, p);
+ var r = data.slice(p.place, rlen + p.place);
+ p.place += rlen;
+ if (data[p.place++] !== 0x02) {
+ return false;
+ }
+ var slen = getLength(data, p);
+ if (data.length !== slen + p.place) {
+ return false;
+ }
+ var s = data.slice(p.place, slen + p.place);
+ if (r[0] === 0 && (r[1] & 0x80)) {
+ r = r.slice(1);
+ }
+ if (s[0] === 0 && (s[1] & 0x80)) {
+ s = s.slice(1);
+ }
+
+ this.r = new BN(r);
+ this.s = new BN(s);
+ this.recoveryParam = null;
+
+ return true;
+};
+
+function constructLength(arr, len) {
+ if (len < 0x80) {
+ arr.push(len);
+ return;
+ }
+ var octets = 1 + (Math.log(len) / Math.LN2 >>> 3);
+ arr.push(octets | 0x80);
+ while (--octets) {
+ arr.push((len >>> (octets << 3)) & 0xff);
+ }
+ arr.push(len);
+}
+
+Signature.prototype.toDER = function toDER(enc) {
+ var r = this.r.toArray();
+ var s = this.s.toArray();
+
+ // Pad values
+ if (r[0] & 0x80)
+ r = [ 0 ].concat(r);
+ // Pad values
+ if (s[0] & 0x80)
+ s = [ 0 ].concat(s);
+
+ r = rmPadding(r);
+ s = rmPadding(s);
+
+ while (!s[0] && !(s[1] & 0x80)) {
+ s = s.slice(1);
+ }
+ var arr = [ 0x02 ];
+ constructLength(arr, r.length);
+ arr = arr.concat(r);
+ arr.push(0x02);
+ constructLength(arr, s.length);
+ var backHalf = arr.concat(s);
+ var res = [ 0x30 ];
+ constructLength(res, backHalf.length);
+ res = res.concat(backHalf);
+ return utils.encode(res, enc);
+};
+
+},{"../../elliptic":97,"bn.js":81}],107:[function(require,module,exports){
+'use strict';
+
+var hash = require('hash.js');
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var assert = utils.assert;
+var parseBytes = utils.parseBytes;
+var KeyPair = require('./key');
+var Signature = require('./signature');
+
+function EDDSA(curve) {
+ assert(curve === 'ed25519', 'only tested with ed25519 so far');
+
+ if (!(this instanceof EDDSA))
+ return new EDDSA(curve);
+
+ var curve = elliptic.curves[curve].curve;
+ this.curve = curve;
+ this.g = curve.g;
+ this.g.precompute(curve.n.bitLength() + 1);
+
+ this.pointClass = curve.point().constructor;
+ this.encodingLength = Math.ceil(curve.n.bitLength() / 8);
+ this.hash = hash.sha512;
+}
+
+module.exports = EDDSA;
+
+/**
+* @param {Array|String} message - message bytes
+* @param {Array|String|KeyPair} secret - secret bytes or a keypair
+* @returns {Signature} - signature
+*/
+EDDSA.prototype.sign = function sign(message, secret) {
+ message = parseBytes(message);
+ var key = this.keyFromSecret(secret);
+ var r = this.hashInt(key.messagePrefix(), message);
+ var R = this.g.mul(r);
+ var Rencoded = this.encodePoint(R);
+ var s_ = this.hashInt(Rencoded, key.pubBytes(), message)
+ .mul(key.priv());
+ var S = r.add(s_).umod(this.curve.n);
+ return this.makeSignature({ R: R, S: S, Rencoded: Rencoded });
+};
+
+/**
+* @param {Array} message - message bytes
+* @param {Array|String|Signature} sig - sig bytes
+* @param {Array|String|Point|KeyPair} pub - public key
+* @returns {Boolean} - true if public key matches sig of message
+*/
+EDDSA.prototype.verify = function verify(message, sig, pub) {
+ message = parseBytes(message);
+ sig = this.makeSignature(sig);
+ var key = this.keyFromPublic(pub);
+ var h = this.hashInt(sig.Rencoded(), key.pubBytes(), message);
+ var SG = this.g.mul(sig.S());
+ var RplusAh = sig.R().add(key.pub().mul(h));
+ return RplusAh.eq(SG);
+};
+
+EDDSA.prototype.hashInt = function hashInt() {
+ var hash = this.hash();
+ for (var i = 0; i < arguments.length; i++)
+ hash.update(arguments[i]);
+ return utils.intFromLE(hash.digest()).umod(this.curve.n);
+};
+
+EDDSA.prototype.keyFromPublic = function keyFromPublic(pub) {
+ return KeyPair.fromPublic(this, pub);
+};
+
+EDDSA.prototype.keyFromSecret = function keyFromSecret(secret) {
+ return KeyPair.fromSecret(this, secret);
+};
+
+EDDSA.prototype.makeSignature = function makeSignature(sig) {
+ if (sig instanceof Signature)
+ return sig;
+ return new Signature(this, sig);
+};
+
+/**
+* * https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-03#section-5.2
+*
+* EDDSA defines methods for encoding and decoding points and integers. These are
+* helper convenience methods, that pass along to utility functions implied
+* parameters.
+*
+*/
+EDDSA.prototype.encodePoint = function encodePoint(point) {
+ var enc = point.getY().toArray('le', this.encodingLength);
+ enc[this.encodingLength - 1] |= point.getX().isOdd() ? 0x80 : 0;
+ return enc;
+};
+
+EDDSA.prototype.decodePoint = function decodePoint(bytes) {
+ bytes = utils.parseBytes(bytes);
+
+ var lastIx = bytes.length - 1;
+ var normed = bytes.slice(0, lastIx).concat(bytes[lastIx] & ~0x80);
+ var xIsOdd = (bytes[lastIx] & 0x80) !== 0;
+
+ var y = utils.intFromLE(normed);
+ return this.curve.pointFromY(y, xIsOdd);
+};
+
+EDDSA.prototype.encodeInt = function encodeInt(num) {
+ return num.toArray('le', this.encodingLength);
+};
+
+EDDSA.prototype.decodeInt = function decodeInt(bytes) {
+ return utils.intFromLE(bytes);
+};
+
+EDDSA.prototype.isPoint = function isPoint(val) {
+ return val instanceof this.pointClass;
+};
+
+},{"../../elliptic":97,"./key":108,"./signature":109,"hash.js":114}],108:[function(require,module,exports){
+'use strict';
+
+var elliptic = require('../../elliptic');
+var utils = elliptic.utils;
+var assert = utils.assert;
+var parseBytes = utils.parseBytes;
+var cachedProperty = utils.cachedProperty;
+
+/**
+* @param {EDDSA} eddsa - instance
+* @param {Object} params - public/private key parameters
+*
+* @param {Array<Byte>} [params.secret] - secret seed bytes
+* @param {Point} [params.pub] - public key point (aka `A` in eddsa terms)
+* @param {Array<Byte>} [params.pub] - public key point encoded as bytes
+*
+*/
+function KeyPair(eddsa, params) {
+ this.eddsa = eddsa;
+ this._secret = parseBytes(params.secret);
+ if (eddsa.isPoint(params.pub))
+ this._pub = params.pub;
+ else
+ this._pubBytes = parseBytes(params.pub);
+}
+
+KeyPair.fromPublic = function fromPublic(eddsa, pub) {
+ if (pub instanceof KeyPair)
+ return pub;
+ return new KeyPair(eddsa, { pub: pub });
+};
+
+KeyPair.fromSecret = function fromSecret(eddsa, secret) {
+ if (secret instanceof KeyPair)
+ return secret;
+ return new KeyPair(eddsa, { secret: secret });
+};
+
+KeyPair.prototype.secret = function secret() {
+ return this._secret;
+};
+
+cachedProperty(KeyPair, 'pubBytes', function pubBytes() {
+ return this.eddsa.encodePoint(this.pub());
+});
+
+cachedProperty(KeyPair, 'pub', function pub() {
+ if (this._pubBytes)
+ return this.eddsa.decodePoint(this._pubBytes);
+ return this.eddsa.g.mul(this.priv());
+});
+
+cachedProperty(KeyPair, 'privBytes', function privBytes() {
+ var eddsa = this.eddsa;
+ var hash = this.hash();
+ var lastIx = eddsa.encodingLength - 1;
+
+ var a = hash.slice(0, eddsa.encodingLength);
+ a[0] &= 248;
+ a[lastIx] &= 127;
+ a[lastIx] |= 64;
+
+ return a;
+});
+
+cachedProperty(KeyPair, 'priv', function priv() {
+ return this.eddsa.decodeInt(this.privBytes());
+});
+
+cachedProperty(KeyPair, 'hash', function hash() {
+ return this.eddsa.hash().update(this.secret()).digest();
+});
+
+cachedProperty(KeyPair, 'messagePrefix', function messagePrefix() {
+ return this.hash().slice(this.eddsa.encodingLength);
+});
+
+KeyPair.prototype.sign = function sign(message) {
+ assert(this._secret, 'KeyPair can only verify');
+ return this.eddsa.sign(message, this);
+};
+
+KeyPair.prototype.verify = function verify(message, sig) {
+ return this.eddsa.verify(message, sig, this);
+};
+
+KeyPair.prototype.getSecret = function getSecret(enc) {
+ assert(this._secret, 'KeyPair is public only');
+ return utils.encode(this.secret(), enc);
+};