@noble/curves 0.1.0 → 0.2.0

package/lib/esm/{shortw.js → weierstrass.js}

@@ -1,30 +1,31 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Short weierstrass curve. The formula is: y² = x³ + ax + b
+// Implementation of Short Weierstrass curve. The formula is: y² = x³ + ax + b
 // TODO: sync vs async naming
 // TODO: default randomBytes
+// Differences from @noble/secp256k1 1.7:
+// 1. Different double() formula (but same addition)
+// 2. Different sqrt() function
+// 3. truncateHash() truncateOnly mode
+// 4. DRBG supports outputLen bigger than outputLen of hmac
 import * as mod from './modular.js';
-import { bytesToHex, bytesToNumber, concatBytes, ensureBytes, hexToBytes, hexToNumber, numberToHexUnpadded, } from './utils.js';
+import { bytesToHex, bytesToNumberBE, concatBytes, ensureBytes, hexToBytes, hexToNumber, numberToHexUnpadded, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js';
+import { wNAF } from './group.js';
 // Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve) {
-    if (typeof curve.hash !== 'function' || !Number.isSafeInteger(curve.hash.outputLen))
+    const opts = utilOpts(curve);
+    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid hash function');
-    if (typeof curve.hmac !== 'function')
+    if (typeof opts.hmac !== 'function')
         throw new Error('Invalid hmac function');
-    if (typeof curve.randomBytes !== 'function')
+    if (typeof opts.randomBytes !== 'function')
         throw new Error('Invalid randomBytes function');
-    for (const i of ['a', 'b', 'P', 'n', 'Gx', 'Gy']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+    for (const i of ['a', 'b']) {
+        if (typeof opts[i] !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const i of ['nBitLength', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    const endo = curve.endo;
+    const endo = opts.endo;
     if (endo) {
-        if (curve.a !== _0n) {
+        if (opts.a !== _0n) {
             throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
         }
         if (typeof endo !== 'object' ||
@@ -33,10 +34,8 @@ function validateOpts(curve) {
             throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
         }
     }
-    const nBitLength = curve.n.toString(2).length; // Bit size of CURVE.n
-    const nByteLength = Math.ceil(nBitLength / 8); // Byte size of CURVE.n
     // Set defaults
-    return Object.freeze({ lowS: true, nBitLength, nByteLength, ...curve });
+    return Object.freeze({ lowS: true, ...opts });
 }
 // TODO: convert bits to bytes aligned to 32 bits? (224 for example)
 // DER encoding utilities
@@ -63,7 +62,7 @@ function parseDERInt(data) {
     if (res[0] === 0x00 && res[1] <= 0x7f) {
         throw new DERError('Invalid signature integer: trailing length');
     }
-    return { data: bytesToNumber(res), left: data.subarray(len + 2) };
+    return { data: bytesToNumberBE(res), left: data.subarray(len + 2) };
 }
 function parseDERSignature(data) {
     if (data.length < 2 || data[0] != 0x30) {
@@ -101,8 +100,8 @@ class HmacDrbg {
         if (typeof hmacFn !== 'function')
             throw new Error('hmacFn must be a function');
         // Step B, Step C: set hashLen to 8*ceil(hlen/8)
-        this.v = new Uint8Array(this.hashLen).fill(1);
-        this.k = new Uint8Array(this.hashLen).fill(0);
+        this.v = new Uint8Array(hashLen).fill(1);
+        this.k = new Uint8Array(hashLen).fill(0);
         this.counter = 0;
     }
     hmacSync(...values) {
@@ -138,7 +137,10 @@ class HmacDrbg {
 // Use only input from curveOpts!
 export function weierstrass(curveDef) {
     const CURVE = validateOpts(curveDef);
+    const CURVE_ORDER = CURVE.n;
     // Lengths
+    // All curves has same field / group length as for now, but it can be different for other curves
+    const groupLen = CURVE.nByteLength;
     const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
     if (fieldLen > 2048)
         throw new Error('Field lengths over 2048 are not supported');
@@ -188,15 +190,15 @@ export function weierstrass(curveDef) {
             num = BigInt(key);
         }
         else if (typeof key === 'string') {
-            key = key.padStart(2 * fieldLen, '0'); // Eth-like hexes
-            if (key.length !== 2 * fieldLen)
-                throw new Error(`Expected ${fieldLen} bytes of private key`);
+            key = key.padStart(2 * groupLen, '0'); // Eth-like hexes
+            if (key.length !== 2 * groupLen)
+                throw new Error(`Expected ${groupLen} bytes of private key`);
             num = hexToNumber(key);
         }
         else if (key instanceof Uint8Array) {
-            if (key.length !== fieldLen)
-                throw new Error(`Expected ${fieldLen} bytes of private key`);
-            num = bytesToNumber(key);
+            if (key.length !== groupLen)
+                throw new Error(`Expected ${groupLen} bytes of private key`);
+            num = bytesToNumberBE(key);
         }
         else {
             throw new TypeError('Expected valid private key');
@@ -221,11 +223,11 @@ export function weierstrass(curveDef) {
             throw new Error(`Unknown type of public key: ${publicKey}`);
     }
     function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE.n >> _1n;
+        const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
     }
     function normalizeS(s) {
-        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE.n) : s;
+        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE_ORDER) : s;
     }
     function normalizeScalar(num) {
         if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
@@ -240,7 +242,7 @@ export function weierstrass(curveDef) {
         const { n, nBitLength } = CURVE;
         const byteLength = hash.length;
         const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = bytesToNumber(hash);
+        let h = bytesToNumberBE(hash);
         if (delta > 0)
             h = h >> BigInt(delta);
         if (!truncateOnly && h >= n)
@@ -308,6 +310,22 @@ export function weierstrass(curveDef) {
         double() {
             const { x: X1, y: Y1, z: Z1 } = this;
             const { a } = CURVE;
+            // Faster algorithm: when a=0
+            // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
+            // Cost: 2M + 5S + 6add + 3*2 + 1*3 + 1*8.
+            if (a === _0n) {
+                const A = modP(X1 * X1);
+                const B = modP(Y1 * Y1);
+                const C = modP(B * B);
+                const x1b = X1 + B;
+                const D = modP(_2n * (modP(x1b * x1b) - A - C));
+                const E = modP(_3n * A);
+                const F = modP(E * E);
+                const X3 = modP(F - _2n * D);
+                const Y3 = modP(E * (D - X3) - _8n * C);
+                const Z3 = modP(_2n * Y1 * Z1);
+                return new JacobianPoint(X3, Y3, Z3);
+            }
             const XX = modP(X1 * X1);
             const YY = modP(Y1 * Y1);
             const YYYY = modP(YY * YY);
@@ -329,9 +347,6 @@ export function weierstrass(curveDef) {
         add(other) {
             if (!(other instanceof JacobianPoint))
                 throw new TypeError('JacobianPoint expected');
-            // TODO: remove
-            if (this.equals(JacobianPoint.ZERO))
-                return other;
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
             if (X2 === _0n || Y2 === _0n)
@@ -374,17 +389,8 @@ export function weierstrass(curveDef) {
             let n = normalizeScalar(scalar);
             if (n === _1n)
                 return this;
-            if (!CURVE.endo) {
-                let p = P0;
-                let d = this;
-                while (n > _0n) {
-                    if (n & _1n)
-                        p = p.add(d);
-                    d = d.double();
-                    n >>= _1n;
-                }
-                return p;
-            }
+            if (!CURVE.endo)
+                return wnaf.unsafeLadder(this, n);
             // Apply endomorphism
             let { k1neg, k1, k2neg, k2 } = CURVE.endo.splitScalar(n);
             let k1p = P0;
@@ -406,99 +412,23 @@ export function weierstrass(curveDef) {
             k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
             return k1p.add(k2p);
         }
-        /**
-         * Creates a wNAF precomputation window. Used for caching.
-         * Default window size is set by `utils.precompute()` and is equal to 8.
-         * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
-         * @returns 65K precomputed points, depending on W
-         */
-        precomputeWindow(W) {
-            const windows = CURVE.endo
-                ? Math.ceil(CURVE.nBitLength / 2) / W + 1
-                : CURVE.nBitLength / W + 1;
-            const points = [];
-            let p = this;
-            let base = p;
-            for (let window = 0; window < windows; window++) {
-                base = p;
-                points.push(base);
-                for (let i = 1; i < 2 ** (W - 1); i++) {
-                    base = base.add(p);
-                    points.push(base);
-                }
-                p = base.double();
-            }
-            return points;
-        }
         /**
          * Implements w-ary non-adjacent form for calculating ec multiplication.
-         * @param n
-         * @param affinePoint optional 2d point to save cached precompute windows on it.
-         * @returns real and fake (for const-time) points
          */
         wNAF(n, affinePoint) {
             if (!affinePoint && this.equals(JacobianPoint.BASE))
                 affinePoint = Point.BASE;
             const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
-            if (256 % W) {
-                throw new Error('Point#wNAF: Invalid precomputation window, must be power of 2');
-            }
             // Calculate precomputes on a first run, reuse them after
             let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
             if (!precomputes) {
-                precomputes = this.precomputeWindow(W);
+                precomputes = wnaf.precomputeWindow(this, W);
                 if (affinePoint && W !== 1) {
                     precomputes = JacobianPoint.normalizeZ(precomputes);
                     pointPrecomputes.set(affinePoint, precomputes);
                 }
             }
-            // Initialize real and fake points for const-time
-            let p = JacobianPoint.ZERO;
-            // Should be G (base) point, since otherwise f can be infinity point in the end
-            let f = JacobianPoint.BASE;
-            const nBits = CURVE.endo ? CURVE.nBitLength / 2 : CURVE.nBitLength;
-            const windows = 1 + Math.ceil(nBits / W); // W=8 17
-            const windowSize = 2 ** (W - 1); // W=8 128
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b11111111 for W=8
-            const maxNumber = 2 ** W; // W=8 256
-            const shiftBy = BigInt(W); // W=8 8
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n;
-                }
-                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-                // there is negate now: it is possible that negated element from low value
-                // would be the same as high element, which will create carry into next window.
-                // It's not obvious how this can fail, but still worth investigating later.
-                // Check if we're onto Zero point.
-                // Add random point inside current window to f.
-                const offset1 = offset;
-                const offset2 = offset + Math.abs(wbits) - 1;
-                const cond1 = window % 2 !== 0;
-                const cond2 = wbits < 0;
-                if (wbits === 0) {
-                    // The most important part for const-time getPublicKey
-                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
-                }
-                else {
-                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
-                }
-            }
-            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
-            // Even if the variable is still unused, there are some checks which will
-            // throw an exception, so compiler needs to prove they won't happen, which is hard.
-            // At this point there is a way to F be infinity-point even if p is not,
-            // which makes it less const-time: around 1 bigint multiply.
-            return { p, f };
+            return wnaf.wNAF(W, precomputes, n);
         }
         /**
          * Constant time multiplication.
@@ -518,8 +448,8 @@ export function weierstrass(curveDef) {
                 const { k1neg, k1, k2neg, k2 } = CURVE.endo.splitScalar(n);
                 let { p: k1p, f: f1p } = this.wNAF(k1, affinePoint);
                 let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
-                k1p = constTimeNegate(k1neg, k1p);
-                k2p = constTimeNegate(k2neg, k2p);
+                k1p = wnaf.constTimeNegate(k1neg, k1p);
+                k2p = wnaf.constTimeNegate(k2neg, k2p);
                 k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
                 point = k1p.add(k2p);
                 fake = f1p.add(f2p);
@@ -558,11 +488,7 @@ export function weierstrass(curveDef) {
     }
     JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n);
     JacobianPoint.ZERO = new JacobianPoint(_0n, _1n, _0n);
-    // Const-time utility for wNAF
-    function constTimeNegate(condition, item) {
-        const neg = item.negate();
-        return condition ? neg : item;
-    }
+    const wnaf = wNAF(JacobianPoint, CURVE.endo ? CURVE.nBitLength / 2 : CURVE.nBitLength);
     // Stores precomputed values for points.
     const pointPrecomputes = new WeakMap();
     /**
@@ -583,13 +509,12 @@ export function weierstrass(curveDef) {
             return this.y % _2n === _0n;
         }
         /**
-         * Supports compressed ECDSA (33-byte) points
-         * @param bytes 33 bytes
+         * Supports compressed ECDSA points
          * @returns Point instance
          */
         static fromCompressedHex(bytes) {
             const P = CURVE.P;
-            const x = bytesToNumber(bytes.subarray(1));
+            const x = bytesToNumberBE(bytes.subarray(1));
             if (!isValidFieldElement(x))
                 throw new Error('Point is not on curve');
             const y2 = weierstrassEquation(x); // y² = x³ + ax + b
@@ -604,15 +529,15 @@ export function weierstrass(curveDef) {
             return point;
         }
         static fromUncompressedHex(bytes) {
-            const x = bytesToNumber(bytes.subarray(1, fieldLen + 1));
-            const y = bytesToNumber(bytes.subarray(fieldLen + 1, 2 * fieldLen + 1));
+            const x = bytesToNumberBE(bytes.subarray(1, fieldLen + 1));
+            const y = bytesToNumberBE(bytes.subarray(fieldLen + 1, 2 * fieldLen + 1));
             const point = new Point(x, y);
             point.assertValidity();
             return point;
         }
         /**
          * Converts hash string or Uint8Array to Point.
-         * @param hex 33/65-byte (ECDSA) hex
+         * @param hex short/long ECDSA hex
          */
         static fromHex(hex) {
             const bytes = ensureBytes(hex);
@@ -654,6 +579,8 @@ export function weierstrass(curveDef) {
                 throw new Error(msg);
         }
         equals(other) {
+            if (!(other instanceof Point))
+                throw new TypeError('Point#equals: expected Point');
             return this.x === other.x && this.y === other.y;
         }
         // Returns the same point with inverted `y`
@@ -781,7 +708,7 @@ export function weierstrass(curveDef) {
         }
         normalizeS() {
             return this.hasHighS()
-                ? new Signature(this.r, mod.mod(-this.s, CURVE.n), this.recovery)
+                ? new Signature(this.r, mod.mod(-this.s, CURVE_ORDER), this.recovery)
                 : this;
         }
         // DER-encoded
@@ -819,26 +746,20 @@ export function weierstrass(curveDef) {
             }
         },
         _bigintToBytes: numToField,
+        _bigintToString: numToFieldStr,
         _normalizePrivateKey: normalizePrivateKey,
+        _normalizePublicKey: normalizePublicKey,
+        _isWithinCurveOrder: isWithinCurveOrder,
+        _isValidFieldElement: isValidFieldElement,
+        _weierstrassEquation: weierstrassEquation,
         /**
-         * Can take (keyLength + 8) or more bytes of uniform input e.g. from CSPRNG or KDF
-         * and convert them into private key, with the modulo bias being neglible.
-         * As per FIPS 186 B.4.1.
-         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-         * @param hash hash output from sha512, or a similar function
-         * @returns valid private key
+         * Converts some bytes to a valid private key. Needs at least (nBitLength+64) bytes.
+         */
+        hashToPrivateKey: (hash) => numToField(hashToPrivateScalar(hash, CURVE_ORDER)),
+        /**
+         * Produces cryptographically secure private key from random of size (nBitLength+64)
+         * as per FIPS 186 B.4.1 with modulo bias being neglible.
          */
-        hashToPrivateKey: (hash) => {
-            hash = ensureBytes(hash);
-            const minLen = fieldLen + 8;
-            if (hash.length < minLen || hash.length > 1024) {
-                throw new Error(`Expected ${minLen}-1024 bytes of private key as per FIPS 186`);
-            }
-            const num = mod.mod(bytesToNumber(hash), CURVE.n - _1n) + _1n;
-            return numToField(num);
-        },
-        // Takes curve order + 64 bits from CSPRNG
-        // so that modulo bias is neglible, matches FIPS 186 B.4.1.
         randomPrivateKey: () => utils.hashToPrivateKey(CURVE.randomBytes(fieldLen + 8)),
         /**
          * 1. Returns cached point which you can use to pass to `getSharedSecret` or `#multiply` by it.
@@ -857,8 +778,8 @@ export function weierstrass(curveDef) {
     };
     /**
      * Computes public key for a private key.
-     * @param privateKey 32-byte private key
-     * @param isCompressed whether to return compact (33-byte), or full (65-byte) key
+     * @param privateKey private key
+     * @param isCompressed whether to return compact, or full key
      * @returns Public key, full by default; short when isCompressed=true
      */
     function getPublicKey(privateKey, isCompressed = false) {
@@ -900,11 +821,11 @@ export function weierstrass(curveDef) {
     // RFC6979 methods
     function bits2int(bytes) {
         const slice = bytes.length > fieldLen ? bytes.slice(0, fieldLen) : bytes;
-        return bytesToNumber(slice);
+        return bytesToNumberBE(slice);
     }
     function bits2octets(bytes) {
         const z1 = bits2int(bytes);
-        const z2 = mod.mod(z1, CURVE.n);
+        const z2 = mod.mod(z1, CURVE_ORDER);
         return int2octets(z2 < _0n ? z1 : z2);
     }
     function int2octets(num) {

package/lib/group.d.ts

@@ -0,0 +1,33 @@
+export interface Group<T extends Group<T>> {
+    double(): T;
+    negate(): T;
+    add(other: T): T;
+    subtract(other: T): T;
+    equals(other: T): boolean;
+    multiply(scalar: number | bigint): T;
+}
+export declare type GroupConstructor<T> = {
+    BASE: T;
+    ZERO: T;
+};
+export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number): {
+    constTimeNegate: (condition: boolean, item: T) => T;
+    unsafeLadder(elm: T, n: bigint): T;
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
+     * @returns 65K precomputed points, depending on W
+     */
+    precomputeWindow(elm: T, W: number): Group<T>[];
+    /**
+     * Implements w-ary non-adjacent form for calculating ec multiplication.
+     * @param n
+     * @param affinePoint optional 2d point to save cached precompute windows on it.
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(W: number, precomputes: T[], n: bigint): {
+        p: T;
+        f: T;
+    };
+};

package/lib/group.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.wNAF = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Default group related functions
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+// Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
+function wNAF(c, bits) {
+    const constTimeNegate = (condition, item) => {
+        const neg = item.negate();
+        return condition ? neg : item;
+    };
+    const opts = (W) => {
+        if (256 % W)
+            throw new Error('Invalid precomputation window, must be power of 2');
+        const windows = Math.ceil(bits / W) + 1; // +1, because
+        const windowSize = 2 ** (W - 1); // -1 because we skip zero
+        return { windows, windowSize };
+    };
+    return {
+        constTimeNegate,
+        // non-const time multiplication ladder
+        unsafeLadder(elm, n) {
+            let p = c.ZERO;
+            let d = elm;
+            while (n > _0n) {
+                if (n & _1n)
+                    p = p.add(d);
+                d = d.double();
+                n >>= _1n;
+            }
+            return p;
+        },
+        /**
+         * Creates a wNAF precomputation window. Used for caching.
+         * Default window size is set by `utils.precompute()` and is equal to 8.
+         * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
+         * @returns 65K precomputed points, depending on W
+         */
+        precomputeWindow(elm, W) {
+            const { windows, windowSize } = opts(W);
+            const points = [];
+            let p = elm;
+            let base = p;
+            for (let window = 0; window < windows; window++) {
+                base = p;
+                points.push(base);
+                // =1, because we skip zero
+                for (let i = 1; i < windowSize; i++) {
+                    base = base.add(p);
+                    points.push(base);
+                }
+                p = base.double();
+            }
+            return points;
+        },
+        /**
+         * Implements w-ary non-adjacent form for calculating ec multiplication.
+         * @param n
+         * @param affinePoint optional 2d point to save cached precompute windows on it.
+         * @returns real and fake (for const-time) points
+         */
+        wNAF(W, precomputes, n) {
+            const { windows, windowSize } = opts(W);
+            let p = c.ZERO;
+            let f = c.BASE;
+            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
+            const maxNumber = 2 ** W;
+            const shiftBy = BigInt(W);
+            for (let window = 0; window < windows; window++) {
+                const offset = window * windowSize;
+                // Extract W bits.
+                let wbits = Number(n & mask);
+                // Shift number by W bits.
+                n >>= shiftBy;
+                // If the bits are bigger than max size, we'll split those.
+                // +224 => 256 - 32
+                if (wbits > windowSize) {
+                    wbits -= maxNumber;
+                    n += _1n;
+                }
+                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+                // there is negate now: it is possible that negated element from low value
+                // would be the same as high element, which will create carry into next window.
+                // It's not obvious how this can fail, but still worth investigating later.
+                // Check if we're onto Zero point.
+                // Add random point inside current window to f.
+                const offset1 = offset;
+                const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero
+                const cond1 = window % 2 !== 0;
+                const cond2 = wbits < 0;
+                if (wbits === 0) {
+                    // The most important part for const-time getPublicKey
+                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
+                }
+                else {
+                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
+                }
+            }
+            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
+            // Even if the variable is still unused, there are some checks which will
+            // throw an exception, so compiler needs to prove they won't happen, which is hard.
+            // At this point there is a way to F be infinity-point even if p is not,
+            // which makes it less const-time: around 1 bigint multiply.
+            return { p, f };
+        },
+    };
+}
+exports.wNAF = wNAF;

package/lib/modular.d.ts

@@ -1,3 +1,4 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 export declare function mod(a: bigint, b: bigint): bigint;
 /**
  * Efficiently exponentiate num to power and do modular division.
@@ -20,6 +21,6 @@ export declare function invertBatch(nums: bigint[], modulo: bigint): bigint[];
 export declare function legendre(num: bigint, fieldPrime: bigint): bigint;
 /**
  * Calculates square root of a number in a finite field.
- * Used to calculate y - the square root of y².
  */
 export declare function sqrt(number: bigint, modulo: bigint): bigint;
+export declare const isNegativeLE: (num: bigint, modulo: bigint) => boolean;

package/lib/modular.js

@@ -1,7 +1,8 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sqrt = exports.legendre = exports.invertBatch = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNegativeLE = exports.sqrt = exports.legendre = exports.invertBatch = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
+// Utilities for modular arithmetics
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
@@ -106,7 +107,6 @@ function legendre(num, fieldPrime) {
 exports.legendre = legendre;
 /**
  * Calculates square root of a number in a finite field.
- * Used to calculate y - the square root of y².
  */
 function sqrt(number, modulo) {
     const n = number;
@@ -156,3 +156,13 @@ function sqrt(number, modulo) {
     return r;
 }
 exports.sqrt = sqrt;
+// Little-endian check for first LE bit (last BE bit);
+const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
+exports.isNegativeLE = isNegativeLE;
+// An idea on modular arithmetic for bls12-381:
+// const FIELD = {add, pow, sqrt, mul};
+// Functions will take field elements, no need for an additional class
+// Could be faster. 1 bigint field will just do operations and mod later:
+// instead of 'r = mod(r * b, P)' we will write r = mul(r, b);
+// Could be insecure without shape check, so it needs to be done.
+// Functions could be inlined by JIT.

package/lib/montgomery.d.ts

@@ -0,0 +1,20 @@
+declare type Hex = string | Uint8Array;
+export declare type CurveType = {
+    P: bigint;
+    nByteLength: number;
+    adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
+    domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
+    a24: bigint;
+    montgomeryBits: number;
+    powPminus2?: (x: bigint) => bigint;
+    xyToU?: (x: bigint, y: bigint) => bigint;
+    Gu: string;
+};
+export declare type CurveFn = {
+    scalarMult: (u: Hex, scalar: Hex) => Uint8Array;
+    scalarMultBase: (scalar: Hex) => Uint8Array;
+    getPublicKey: (privateKey: Hex) => Uint8Array;
+    Gu: string;
+};
+export declare function montgomery(curveDef: CurveType): CurveFn;
+export {};