noble-secp256k1

This release comes one year after v2.0.0, following rare update schedule for easy auditability.

• Point.fromAffine: convert ZERO points properly
• au8: improve Uint8Array check to work in extension context
• Signature: add normalizeS method
• Signature: addRecoveryBit should return more precise type, SignatureWithRecovery
• randomPrivateKey: fetch 48 bytes from CSPRNG instead of 40, to reduce bias

New Contributors

• @thejoelw made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/100
• @MicahZoltu made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/102
• @legobeat made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/108
• @Elli610 made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/121

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/2.0.0...2.1.0

noble-secp256k1 v2 features improved security and smaller attack surface.
The goal of v2 is to provide minimum possible JS library which is safe and fast.

That means the library was reduced 4x, to just over 400 lines. Library size is now just 4KB gzipped.
In order to achieve the goal, some features were moved to noble-curves, which is
even safer and faster drop-in replacement library with same API.
Switch to curves if you intend to keep using these features:

• DER encoding: toDERHex, toDERRawBytes, signing / verification of DER sigs
• Schnorr signatures
• Using utils.precompute() for non-base point
• Support for environments which don't support bigint literals
• Common.js support
• Support for node.js 18 and older without shim

Other changes for upgrading from @noble/secp256k1 1.7 to 2.0:

• getPublicKey
  • now produce 33-byte compressed signatures by default
  • to use old behavior, which produced 65-byte uncompressed keys, set
    argument isCompressed to false: getPublicKey(priv, false)
• sign
  • is now sync; use signAsync for async version
  • now returns Signature instance with { r, s, recovery } properties
  • canonical option was renamed to lowS
  • recovered option has been removed because recovery bit is always returned now
  • der option has been removed. There are 2 options:
    1. Use compact encoding: fromCompact, toCompactRawBytes, toCompactHex.
       Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
    2. If you must use DER encoding, switch to noble-curves (see above).
• verify
  • strict option was renamed to lowS
• getSharedSecret
  • now produce 33-byte compressed signatures by default
  • to use old behavior, which produced 65-byte uncompressed keys, set
    argument isCompressed to false: getSharedSecret(a, b, false)
• recoverPublicKey(msg, sig, rec) was changed to sig.recoverPublicKey(msg)
• number type for private keys have been removed: use bigint instead
• Point (2d xy) has been changed to ProjectivePoint (3d xyz)
• utils were split into utils (same api as in noble-curves) and
  etc (hmacSha256Sync and others)

Pull request: https://github.com/paulmillr/noble-secp256k1/pull/92

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.7.1...2.0.0

• Add support for recovery_bit=2, 3
• JacobianPoint#fromAffine bugfix
• P.subtract(P) and JacobianPoint.ZERO.toAffine() no longer throw errors
• Refactoring backported from noble-curves

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.7.0...1.7.1

The library now works with React Native 0.70. Remove all bigint ** pow operators to improve compact w bad parsers.

• Expose Point#hasEvenY()
• Utils sha256Sync and hmacSha256Sync redefinitions cannot be re-defined after the first time
• Add experimental utils._normalizePrivateKey()
• Remove experimental utils: privateAdd, privateNegate, pointAddScalar, pointMultiply. We consider their API not optimal. If you want to keep using them, copy-paste their definition from test directory.
• Refactor schnorr

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.6.3...1.7.0

Allow 0000... hash in recoverPublicKey

Fixes tests for 0000... hash in verify()

• Make verification of 0000... msgHash a valid behavior; due to consensus failures
• Add TS types field to exports map by @jacogr in https://github.com/paulmillr/noble-secp256k1/pull/66

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.6.0...1.6.1

• Expose utils: invert, hexToBytes, concatBytes
• Refactor Schnorr/BIP340 functionality by @brandonblack in https://github.com/paulmillr/noble-secp256k1/pull/50
• Speedup non-BASE multiplyAndAddUnsafe by @brandonblack in https://github.com/paulmillr/noble-secp256k1/pull/54
• Remove viral esModuleInterop option from tsconfig.
• Change utils.hashToPrivateKey algorithm

New Contributors

• @brandonblack made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/50

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.5.5...1.6.0

• Fixed a bug in schnorr.verify when infinity point result was not checked properly
• schnorr.verify now throws less errors, instead, it returns false
• Made schnorr.sign 60% faster, schnorr.verify 90% faster

• recoverPublicKey improvements:
  • Fixed an issue where it recovered invalid points
  • Added isCompressed optional argument
  • Made it ~2x faster

• New algorithm for utils.randomPrivateKey()
• Added utils.hashToPrivateKey()
• Improved JacobianPoint#toAffine() check
• 5-10% speed-up

• Fix library compatibility with bad parsers over bigint syntax
• New exported utils.mod utility
• recoverPublicKey and Point.fromSignature now reduce msgHash modulo n
• Uint8Arrays are now always copied instead of using .slice() method of theirs
• Hex parsing improvements

• Messages in ECDSA sign() are now reduced modulo n to match RFC6979. Contributed by @kklash.
  • Note: libsecp256k1 is awaiting pull request for the same bugfix
• sign can now receive {extraEntropy: true} to auto-populate k with random data. This is strongly recommended, see README
• RFC6979 has been thoroughly refactored

• Important: signatures are now canonical: true by default. This mirrors libsecp256k1 behavior. If you'd like old (OpenSSL) behavior, use sign with canonical: false
• Important: verify() is now strict: true by default. High-s signatures are rejected, which also mirrors libsecp behavior.
• Important: removed string (hex) return type from public methods. Uint8Array is now always returned
• Added extraEntropy option to sign. It allows to specify k' as per RFC6979
• Added Signature#hasHighS() and Signature#normalizeS() methods
• Rewrite DER parsing logic
• Improve hex parsing security
• assertValidity is now done in Signature constructor, instead of a separate method
• Remove SignResult deprecated class that cloned Signature

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.3.4...1.4.0

Thanks to @hank121314 for contribution

• Add main/module fields to package.json to fix rollup/browserify

• Typescript support bugfix

What's Changed

• Improve compatibility with non-compliant JS parsers: swap n format to Bigint() in https://github.com/paulmillr/noble-secp256k1/pull/33
• ECMAScript Modules (ESM) support in https://github.com/paulmillr/noble-secp256k1/pull/32
• Do not depend on @types/dom when using Typescript
• Improve garbage collector behavior by not using array assignments that call ES6 iterator protocol

New Contributors

• @jacogr made their first contribution in https://github.com/paulmillr/noble-secp256k1/pull/33

Full Changelog: https://github.com/paulmillr/noble-secp256k1/compare/1.3.0...1.3.1

• Security improvement: moved npm package to @noble/secp256k1 (from noble-secp256k1). Namespaces cannot be used by other people, so by using @noble you can be sure it's authentic

• Fix webpack builds

• Add Signature methods: fromDER, toDER, fromCompact, toCompact; discourage fromHex, toHex since it's ambigous
• Add der: false option to sign() to output compact sig