@noble/[email protected] contains a few desired fixes and updates.
AIUI, updating @noble/curves to 1.4.0 implies also upgrading the rest of the @noble/ and @scure/ suites to align versions.

Related

• #105
• #106
• #107
• #108

ethereumjs/ethereumjs-monorepo#2877

Because of the introduction of exports in the package.json without extensions / wildcard

import { secp256k1 } from 'ethereum-cryptography/secp256k1.js'

no longer works

Scrypt has optional onProgress method. Very useful for progress bars. How could we expose it? Perhaps a new alternative signature that mirrors noble-hashes? ({N, r, p, onProgress} hash). BTW, Swift built-in uses {N, r, p} hash, not function arguments.

The powMod is useful for native powMod precompile https://eips.ethereum.org/EIPS/eip-198.

It is present in the dependency https://github.com/paulmillr/noble-curves

Would be much appreciated with a v2.1.3 shipping:

• #90
• #91
• #92

sha256, showed here in the documentation:

const hashn = toHex(sha256("string"));

is not working properly, because sha256 is not accepting string as type, only Uint8Array.

These is the log error message:
_assert.ts:10 Uncaught (in promise) TypeError: Expected Uint8Array
at Object.bytes (_assert.ts:10:41)
at utils.js:49:27
at transfer (Transfer.jsx:22:31)
at HTMLUnknownElement.callCallback2 (react-dom.development.js:4164:14)
at Object.invokeGuardedCallbackDev (react-dom.d

and the code in the package from npm:
export declare const sha256: (msg: Uint8Array) => Uint8Array;

When running MetaMask and attempting to create a bulk group of secp256k1 addresses, my browser is spending a lot of time computing the comb10MulTo (10 seconds on 123 addresses / ~50% total runtime) that is downstream of the getPublicKey used in the ethereum-cryptography package.

Apologies if this is the wrong place to ask but is this expected when doing this sort of computation? Running the program outside of the browser is near instant. Feel free to close this issue if it is not intended to be opened here.

CallTrace for reference:

Hey, I'm trying to get this lib working on the client side with React, Vite, Javascript & pnpm.
The library was added with pnpm i ethereum-cryptography.

A utils file looks like this:

import { keccak256 } from "ethereum-cryptography/keccak";
import { utf8ToBytes, toHex } from "ethereum-cryptography/utils";
import secp from "ethereum-cryptography/secp256k1";

//...

/**
 * @returns {string} random private key as hex string
 */
function randomPrivateKey() {
    return pipe(
        secp.utils.randomPrivateKey(),
        toHex
    )
}

export {
    //...
    randomPrivateKey,
}

I use the function randomPrivateKey inside of a react component and it fails with:

Uncaught TypeError: Cannot read properties of undefined (reading 'utils')
    at randomPrivateKey (utils.js:68:14)
    at onGenerate (KeyGen.jsx:7:24)

A project that demonstrates this issue can be found here.

Sorry to bother you but I can't find solutions online. Am I missing some configuration to get this to work, or is it not possible altogether?

I pretend to send a signature from the client and recover the public key from the server-side but is not working, just for a test I did the code above and I found, or at least I presume that, an issue...

if I implement this routine in my client app, works fine, but if I do the same thing on my server side it returns an error:

Routine:
const [signature, rec] = await secp.sign(hashMessage, privateKey, { recovered: true })
const signatureHex = bytesToHex(signature)
const recoveredKey = secp.recoverPublicKey(hashMessage, signatureHex, rec);

Error:
throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
^
TypeError: hexToBytes: expected string, got object

Hi everyone, this may or may not be an issue with js-ethereum-cryptography itself but rather an issue with @vercel/ncc and webpack builds. I'm posting it here anyways in case anyone has any ideas on what is going on.

Issue
I have a project that is using a dependency that is dependent on the keccak file from [email protected]. I then bunde my project into a single JS file using the ncc build command from this project, which uses Webpack internally.

Now the issue is that ncc transforms this code to the code below as ncc can't find the crypto package for some reason:

/***/ 84310:
/***/ ((module) => {

function webpackEmptyContext(req) {
	var e = new Error("Cannot find module '" + req + "'");
	e.code = 'MODULE_NOT_FOUND';
	throw e;
}
webpackEmptyContext.keys = () => ([]);
webpackEmptyContext.resolve = webpackEmptyContext;
webpackEmptyContext.id = 84310;
module.exports = webpackEmptyContext;
/***/ }),

This leads to my project crashing with this error when I try run it:

Error: Cannot find module 'crypto'
    at Object.webpackEmptyContext (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:183577:10)
    at /Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:83270:43
    at Object.78777 (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:83273:3)
    at __nccwpck_require__ (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:183842:43)
    at Object.35681 (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:83194:17)
    at __nccwpck_require__ (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:183842:43)
    at Object.30038 (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:169615:16)
    at __nccwpck_require__ (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:183842:43)
    at Object.55944 (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:168123:14)
    at __nccwpck_require__ (/Users/christophersastropranoto/Documents/external-adapters-js/packages/sources/layer2-sequencer-health/bundle/index.js:183842:43) {
  code: 'MODULE_NOT_FOUND'
}

I've confirmed that this issue is also happening when I try to build the ethereum-cryptography package by itself.

Steps to repro

Run from the root of the ethereum-cryptography repository.

1. Add @vercel/ncc package yarn add @vercel/ncc
2. Build the keccak.ts file. ncc build keccak.js -o bundle/index.js
3. This should have created a new directory named bundle in the root folder with an index.js file. Inspect the generated index.js file and find the code below

exports.crypto = (() => {
    const webCrypto = typeof self === "object" && "crypto" in self ? self.crypto : undefined;
    const nodeRequire =  true &&
        __nccwpck_require__(387).bind(module); ------>. The node ID might be different
    return {
        node: nodeRequire && !webCrypto ? nodeRequire("crypto") : undefined,
        web: webCrypto
    };
})();

4. The module with ID 387 resolves to the code below

/***/ 387:
/***/ ((module) => {

function webpackEmptyContext(req) {
	var e = new Error("Cannot find module '" + req + "'");
	e.code = 'MODULE_NOT_FOUND';
	throw e;
}
webpackEmptyContext.keys = () => ([]);
webpackEmptyContext.resolve = webpackEmptyContext;
webpackEmptyContext.id = 387;
module.exports = webpackEmptyContext;

Expected Behavior

Running ncc build does not generate a webpackEmptyContext function when looking for the crypto module.

Versions

@vercel/ncc: 0.34.0

Any suggestions on what to check are appreciated! Thanks in advance.

Would be much appreciated with a release incorporating these changes merged since last release 2.1.2:

• #96
• #103
• (unrelated: #94)

Given the pinning on specific versions of dependencies, defaulting users to the latest versions of noble packages without need of forcing resolutions etc seems good.

Related: #93

// Client

function signMessage(message, privateKey){
  const msgHash = keccak256(utf8ToBytes(message));
  const signature = secp256k1.sign(msgHash, privateKey); 
  console.log('signature', signature); // {r: 1234.., s:5677.., recovery: 1}
  return signature.toCompactHex();
}

The client sends the signature in hex format.

// Server

  const msgHash = keccak256(utf8ToBytes(String(amount)));
  const sig = secp256k1.Signature.fromCompact(signature);
  console.log("sig", sig); // {r: 1234.., s:5677.., recovery: undefined}
  const publicKey = sig.recoverPublicKey(msgHash).toRawBytes();

To recover the publicKey, after applying fromCompact function, the signature recovery property becomes undefined (expecting 1) and recoverPublicKey() throw error: recovery id invalid.

In this scenario I solved the problem in the server by adding the recovery bit.

 const sig = secp256k1.Signature.fromCompact(signature).addRecoveryBit(1);

I'm really not sure if this is a problem or if the way I'm sending signatures from client to server is correct. This is my first time using the library and I'm trying to learn more about it. Can someone tell me what's going on?

By the way, I would be happy if someone could share some documentations about the library. I couldn't find it.

Provenance allows to transparently build the package on github servers and provide public log.

It's already done for js-e-c dependencies. Example: https://www.npmjs.com/package/@scure/bip32, see the bottom part of the page.

To enable provenance, we need:

• Add github CI configuration file (I can do this) such as this one
• Generate NPM publish token on npmjs.org
• Add the publish token as NPM_PUBLISH_TOKEN secret env variable to github repository settings

https://github.blog/2023-04-19-introducing-npm-package-provenance/

• noble-curves already support https://eips.ethereum.org/EIPS/eip-196
• For https://eips.ethereum.org/EIPS/eip-197, noble-curves need to implement such pairing

When I saw hexToBytes I expected it to work on 0x-prefixed strings, but found that it doesn't parse them as expected.

Current results:

> e.hexToBytes('0xab')
Uint8Array(2) [ 0, 171 ]
> e.hexToBytes('ab')
Uint8Array(1) [ 171 ]

What are your thoughts on removing the 0x prefix automatically?

This isn't really an issue so much as an FYI.

I wrote https://github.com/Zoltu/ethereum-crypto which is a native implementation of all of the Ethereum crypto mechanisms that are not available natively in web crypto. It comes with some caveats (see readme) but it is CC0 so you are free to crib the code with no attribution if you like.

The big sell of that library is that it is a single package that has everything you need for Ethereum crypto in it, and it uses native (browser) constructs/types only. This package on the other hand brings in ~32 transitive dependencies and uses NodeJS primitives (e.g., Buffer) in its types and non-native big numbers (bn.js instead of bigint).

I can appreciate that this library makes more sense for some people in some situations, but I wanted to put it out there that if you are targeting modern browsers (bigint supported), then @zoltu/ethereum-crypto may be a better option, or at least one worth investigating or cribbing code from.

For the authors of this library, I encourage you to steal any of the work I have done as I want to see the Ethereum ecosystem succeed far more than I want credit for anything.

Hello!

I see that the current version is v0.2.5. However, when I go to https://www.npmjs.com/package/ethereum-cryptography - I see that the old version 0.1.3 is published there.

Can we please get an updated NPM module release?

Using ethereum-cryptography with a SvelteKit app, I ran into some issues due to current bugs in the treatment of CommonJS modules by either SvelteKit or Vite. While this is a bug in those tools, it would be avoided if the package included ESM modules. What do you think about including that? It looks like it would also play well with ESM modules in Node.js.

On alpine linux (node:12-alpine docker image),ethereumjs-tx fails to sign transaction because the keccak function fails on alpine linux. It seems only a specific case for alpine linux. works well on ubuntu.

cryptocoinjs/keccak#15

I'm creating this issue to start discussing the migration plan.

The main things to understand and plan upon are:

• Which are the typical Ethereum development setups that use native dependencies. e.g. Truffle 4, Truffle 5, Embark, Buidler, etc

• Which libraries from those setups use native dependencies.

• Which versions of those are used in each of the setups.

• For each version: is releasing a patch version enough, or is it pinned/bundled by some of its consumers? If pinned/bundled, how do we work around this?

Feel free to add anything relevant to the list.

When using version 2.1.0. build failed

Module not found: Error: Package path ./keccak is not exported from package /opt/atlassian/pipelines/agent/build/node_modules/@toruslabs/base-controllers/node_modules/ethereum-cryptography (see exports field in /opt/atlassian/pipelines/agent/build/node_modules/@toruslabs/base-controllers/node_modules/ethereum-cryptography/package.json)

Hello,
I set "lib": ["ES2021"] at compilerOptions in my tsconfg.json and this caused the error:

node_modules/ethereum-cryptography/utils.d.ts(11,11): error TS2304: Cannot find name 'Crypto'.

Could you please help with this? (I do not want to use skipLibCheck as I do not want to force the users of the library I am working on to use the same.)

Thanks,

I checked the util package and don't find the base64 util, I guess this is a common feature that we can support.
For example, when we use AES to encode something to hex, then commonly we use base64 to encode the string and store in disk.
If you add this feature, I guess that will help a lot of people, thank you

Hi! I've created noble-secp256k1 one year ago. The goal was to create an extremely simple zero-dependency library. With all the optimizations, even though it's just <1kloc, it's actually faster than elliptic — which you're using right now:

noble#sign x 3,952 ops/sec
elliptic#sign x 1,808 ops/sec
noble#verify x 851 ops/sec
elliptic#verify x 812 ops/sec

The reasoning behind the creation was that more and more dependencies are used in all kinds of projects, and there is a huge need in reducing the number — because any dep could get hacked, and it becomes complex to verify the source code by hand. Check out the blog post: https://paulmillr.com/posts/noble-secp256k1-fast-ecc/

• noble secp is 10kb minified, while your current elliptic + bn.js is ~100kb, you'll save 90kb — which is a lot
• noble was audited by Cure53. Elliptic was not audited, so noble should be considered more secure
• elliptic does not seem to be maintained. Elliptic recently had terrible private key leak (CVE-2020-28498)
• you'll receive faster signatures and verification

I strongly recommend switching to noble. I can prepare a pull request.

I'm sorry my reproduction steps are so horrible... but I just haven't been able to figure out how to reliably trigger the error.

To reproduce:

0. git clone https://github.com/trufflesuite/ganache-core.git
1. cd ganache-core
2. git checkout 8a4fb09c970d2ded061c1b1e1fd912cd7ae0229a
3. nvm use 14
4. npm ci
5. npm test (you may have to run this many times until you trigger the segfault)

You should see something like:

Segmentation fault (core dumped)
npm ERR! code 139
npm ERR! path /home/david/work/ganache-core
npm ERR! command failed
npm ERR! command sh -c mocha --check-leaks --recursive "./test/local"

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/david/.npm/_logs/2020-10-07T15_21_43_948Z-debug.log

(The debug log isn't helpful)

I've somewhat "fixed" this in ganache-core by patching keccak so it never loads the native modules.

To reproduce my workaround:

1. git checkout c26ba24ebf24d1c09b328a76baf0cf43e82fba04
2. npm ci (if you are using npm 7.0.0-rc.0 you'll need to also run npm run postinstall)
3. npm test (run it as many times as you'd like; it doesn't crash anymore... I ran the tests for over an hour via while npm test; do :; done without a crash)

Here is the patch, if you're curious: https://github.com/trufflesuite/ganache-core/blob/c26ba24ebf24d1c09b328a76baf0cf43e82fba04/patches/keccak%2B3.0.1.patch#L1-L11

The biggest issue with my workaround is that patch-package isn't safe to use in published npm modules. :-(

I've also opened the issue in keccak, but I figured it might be faster/easier to update this package to do something like const keccak = require("keccack/js"); (untested) than it would be to get keccak to find and fix this in the native code.

Note: removing nyc from the test command reduces the likelihood of the crash, however, it does still occur when running with mocha only.

Containing (as of posting):

• #109
• #111

aes is pretty bad. I know it's there for compatibility, but we should be also exposing GCM (+50-100 loc):

• CBC Padding is easy to misuse. CTR or GCM should be preferred to it
• GCM is better than CTR/CBC+HMAC (can be parallel; harder to misuse)
• GCM has AAD
• GCM is the only mode included in TLS v1.3. They've dropped all CTR/CBC ciphers!
• If ETH non-wallet apps are using encryption, they should definitely be using GCM, not CTR/CBC

We already depend on noble-curves, which has bls12-381.

It would be great to expose the curve and its basic operations: getPublicKey, sign, verify, pairing