@noble/curves 0.2.1 → 0.3.0

package/lib/esm/definitions/secp256k1.js

@@ -0,0 +1,241 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { mod, pow2 } from '../modular';
+import { createCurve } from './_shortw_utils.js';
+import { ensureBytes, concatBytes, hexToBytes, bytesToNumberBE, randomBytes } from '../utils';
+/**
+ * secp256k1 belongs to Koblitz curves: it has
+ * efficiently computable Frobenius endomorphism.
+ * Endomorphism improves efficiency:
+ * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
+ * Should always be used for Jacobian's double-and-add multiplication.
+ * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
+ * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+ */
+const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
+const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+const divNearest = (a, b) => (a + b / _2n) / b;
+/**
+ * Allows to compute square root √y 2x faster.
+ * To calculate √y, we need to exponentiate it to a very big number:
+ * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
+ * We are unwrapping the loop and multiplying it bit-by-bit.
+ * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
+ */
+// prettier-ignore
+function sqrtMod(y) {
+    const P = secp256k1P;
+    const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11);
+    const _22n = BigInt(22);
+    const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
+    const b2 = (y * y * y) % P; // x^3, 11
+    const b3 = (b2 * b2 * y) % P; // x^7
+    const b6 = (pow2(b3, _3n, P) * b3) % P;
+    const b9 = (pow2(b6, _3n, P) * b3) % P;
+    const b11 = (pow2(b9, _2n, P) * b2) % P;
+    const b22 = (pow2(b11, _11n, P) * b11) % P;
+    const b44 = (pow2(b22, _22n, P) * b22) % P;
+    const b88 = (pow2(b44, _44n, P) * b44) % P;
+    const b176 = (pow2(b88, _88n, P) * b88) % P;
+    const b220 = (pow2(b176, _44n, P) * b44) % P;
+    const b223 = (pow2(b220, _3n, P) * b3) % P;
+    const t1 = (pow2(b223, _23n, P) * b22) % P;
+    const t2 = (pow2(t1, _6n, P) * b2) % P;
+    return pow2(t2, _2n, P);
+}
+export const secp256k1 = createCurve({
+    // Params: a, b
+    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
+    a: BigInt(0),
+    b: BigInt(7),
+    // Field over which we'll do calculations;
+    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    P: secp256k1P,
+    // Curve order, total count of valid points in the field
+    n: secp256k1N,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
+    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
+    h: BigInt(1),
+    // Alllow only low-S signatures by default in sign() and verify()
+    lowS: true,
+    sqrtMod,
+    endo: {
+        // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+        beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+        splitScalar: (k) => {
+            const n = secp256k1N;
+            const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
+            const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
+            const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
+            const b2 = a1;
+            const POW_2_128 = BigInt('0x100000000000000000000000000000000');
+            const c1 = divNearest(b2 * k, n);
+            const c2 = divNearest(-b1 * k, n);
+            let k1 = mod(k - c1 * a1 - c2 * a2, n);
+            let k2 = mod(-c1 * b1 - c2 * b2, n);
+            const k1neg = k1 > POW_2_128;
+            const k2neg = k2 > POW_2_128;
+            if (k1neg)
+                k1 = n - k1;
+            if (k2neg)
+                k2 = n - k2;
+            if (k1 > POW_2_128 || k2 > POW_2_128) {
+                throw new Error('splitScalar: Endomorphism failed, k=' + k);
+            }
+            return { k1neg, k1, k2neg, k2 };
+        },
+    },
+}, sha256);
+// Schnorr
+const _0n = BigInt(0);
+const numTo32b = secp256k1.utils._bigintToBytes;
+const numTo32bStr = secp256k1.utils._bigintToString;
+const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
+// TODO: export?
+function normalizePublicKey(publicKey) {
+    if (publicKey instanceof secp256k1.Point) {
+        publicKey.assertValidity();
+        return publicKey;
+    }
+    else {
+        const bytes = ensureBytes(publicKey);
+        // Schnorr is 32 bytes
+        if (bytes.length === 32) {
+            const x = bytesToNumberBE(bytes);
+            if (!isValidFieldElement(x))
+                throw new Error('Point is not on curve');
+            const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
+            let y = sqrtMod(y2); // y = y² ^ (p+1)/4
+            const isYOdd = (y & _1n) === _1n;
+            // Schnorr
+            if (isYOdd)
+                y = mod(-y, secp256k1.CURVE.P);
+            const point = new secp256k1.Point(x, y);
+            point.assertValidity();
+            return point;
+        }
+        // Do we need that in schnorr at all?
+        return secp256k1.Point.fromHex(publicKey);
+    }
+}
+const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
+const isValidFieldElement = secp256k1.utils._isValidFieldElement;
+const TAGS = {
+    challenge: 'BIP0340/challenge',
+    aux: 'BIP0340/aux',
+    nonce: 'BIP0340/nonce',
+};
+/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
+const TAGGED_HASH_PREFIXES = {};
+export function taggedHash(tag, ...messages) {
+    let tagP = TAGGED_HASH_PREFIXES[tag];
+    if (tagP === undefined) {
+        const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
+        tagP = concatBytes(tagH, tagH);
+        TAGGED_HASH_PREFIXES[tag] = tagP;
+    }
+    return sha256(concatBytes(tagP, ...messages));
+}
+const toRawX = (point) => point.toRawBytes(true).slice(1);
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+function schnorrChallengeFinalize(ch) {
+    return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
+}
+// Do we need this at all for Schnorr?
+class SchnorrSignature {
+    constructor(r, s) {
+        this.r = r;
+        this.s = s;
+        this.assertValidity();
+    }
+    static fromHex(hex) {
+        const bytes = ensureBytes(hex);
+        if (bytes.length !== 64)
+            throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
+        const r = bytesToNumberBE(bytes.subarray(0, 32));
+        const s = bytesToNumberBE(bytes.subarray(32, 64));
+        return new SchnorrSignature(r, s);
+    }
+    assertValidity() {
+        const { r, s } = this;
+        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
+            throw new Error('Invalid signature');
+    }
+    toHex() {
+        return numTo32bStr(this.r) + numTo32bStr(this.s);
+    }
+    toRawBytes() {
+        return hexToBytes(this.toHex());
+    }
+}
+function schnorrGetScalar(priv) {
+    const point = secp256k1.Point.fromPrivateKey(priv);
+    const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
+    return { point, scalar, x: toRawX(point) };
+}
+/**
+ * Synchronously creates Schnorr signature. Improved security: verifies itself before
+ * producing an output.
+ * @param msg message (not message hash)
+ * @param privateKey private key
+ * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
+ */
+function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
+    if (message == null)
+        throw new TypeError(`sign: Expected valid message, not "${message}"`);
+    const m = ensureBytes(message);
+    // checks for isWithinCurveOrder
+    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
+    const rand = ensureBytes(auxRand);
+    if (rand.length !== 32)
+        throw new TypeError('sign: Expected 32 bytes of aux randomness');
+    const tag = taggedHash;
+    const t0h = tag(TAGS.aux, rand);
+    const t = numTo32b(d ^ bytesToNumberBE(t0h));
+    const k0h = tag(TAGS.nonce, t, px, m);
+    const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
+    if (k0 === _0n)
+        throw new Error('sign: Creation of signature failed. k is zero');
+    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
+    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
+    const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
+    if (!schnorrVerify(sig, m, px))
+        throw new Error('sign: Invalid signature produced');
+    return sig;
+}
+/**
+ * Verifies Schnorr signature synchronously.
+ */
+function schnorrVerify(signature, message, publicKey) {
+    try {
+        const raw = signature instanceof SchnorrSignature;
+        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
+        if (raw)
+            sig.assertValidity(); // just in case
+        const { r, s } = sig;
+        const m = ensureBytes(message);
+        const P = normalizePublicKey(publicKey);
+        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
+        // Finalize
+        // R = s⋅G - e⋅P
+        // -eP == (n-e)P
+        const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), mod(-e, secp256k1.CURVE.n));
+        if (!R || !R.hasEvenY() || R.x !== r)
+            return false;
+        return true;
+    }
+    catch (error) {
+        return false;
+    }
+}
+export const schnorr = {
+    Signature: SchnorrSignature,
+    // Schnorr's pubkey is just `x` of Point (BIP340)
+    getPublicKey: (privateKey) => toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
+    sign: schnorrSign,
+    verify: schnorrVerify,
+};

package/lib/esm/definitions/stark.js

@@ -0,0 +1,227 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { keccak_256 } from '@noble/hashes/sha3';
+import { sha256 } from '@noble/hashes/sha256';
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes } from '@noble/hashes/utils';
+import { weierstrass } from '../weierstrass';
+import * as cutils from '../utils';
+// Stark-friendly elliptic curve
+// https://docs.starkware.co/starkex/stark-curve.html
+// TODO: clarify exports; it is exporting both starkCurve and sign() now, can be confusing
+function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
+    };
+}
+const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
+const nBitLength = 252;
+export const starkCurve = weierstrass({
+    // Params: a, b
+    a: BigInt(1),
+    b: BigInt('3141592653589793238462643383279502884197169399375105820974944592307816406665'),
+    // Field over which we'll do calculations; 2n**251n + 17n * 2n**192n + 1n
+    // There is no efficient sqrt for field (P%4==1)
+    P: BigInt('0x800000000000011000000000000000000000000000000000000000000000001'),
+    // Curve order, total count of valid points in the field.
+    n: CURVE_N,
+    nBitLength: nBitLength,
+    // Base point (x, y) aka generator point
+    Gx: BigInt('874739451078007766457464989774322083649278607533249481151382481072868806602'),
+    Gy: BigInt('152666792071518830868575557812948353041420400780739481342941381225525861407'),
+    h: BigInt(1),
+    // Default options
+    lowS: false,
+    ...getHash(sha256),
+    truncateHash: (hash, truncateOnly = false) => {
+        // TODO: cleanup, ugly code
+        // Fix truncation
+        if (!truncateOnly) {
+            let hashS = bytesToNumber0x(hash).toString(16);
+            if (hashS.length === 63) {
+                hashS += '0';
+                hash = hexToBytes0x(hashS);
+            }
+        }
+        // Truncate zero bytes on left (compat with elliptic)
+        while (hash[0] === 0)
+            hash = hash.subarray(1);
+        const byteLength = hash.length;
+        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
+        let h = hash.length ? bytesToNumber0x(hash) : 0n;
+        if (delta > 0)
+            h = h >> BigInt(delta);
+        if (!truncateOnly && h >= CURVE_N)
+            h -= CURVE_N;
+        return h;
+    },
+});
+// Custom Starknet type conversion functions that can handle 0x and unpadded hex
+function hexToBytes0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+    }
+    hex = strip0x(hex);
+    if (hex.length & 1)
+        hex = '0' + hex; // padding
+    if (hex.length % 2)
+        throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+    const array = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < array.length; i++) {
+        const j = i * 2;
+        const hexByte = hex.slice(j, j + 2);
+        const byte = Number.parseInt(hexByte, 16);
+        if (Number.isNaN(byte) || byte < 0)
+            throw new Error('Invalid byte sequence');
+        array[i] = byte;
+    }
+    return array;
+}
+function hexToNumber0x(hex) {
+    if (typeof hex !== 'string') {
+        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+    }
+    // Big Endian
+    // TODO: strip vs no strip?
+    return BigInt(`0x${strip0x(hex)}`);
+}
+function bytesToNumber0x(bytes) {
+    return hexToNumber0x(cutils.bytesToHex(bytes));
+}
+function ensureBytes0x(hex) {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
+}
+function normalizePrivateKey(privKey) {
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+}
+function getPublicKey0x(privKey, isCompressed) {
+    return starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
+}
+function getSharedSecret0x(privKeyA, pubKeyB) {
+    return starkCurve.getSharedSecret(normalizePrivateKey(privKeyA), pubKeyB);
+}
+function sign0x(msgHash, privKey, opts) {
+    return starkCurve.sign(ensureBytes0x(msgHash), normalizePrivateKey(privKey), opts);
+}
+function verify0x(signature, msgHash, pubKey) {
+    const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
+    return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
+}
+const { CURVE, Point, JacobianPoint, Signature } = starkCurve;
+export const utils = starkCurve.utils;
+export { CURVE, Point, Signature, JacobianPoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
+const stripLeadingZeros = (s) => s.replace(/^0+/gm, '');
+export const bytesToHexEth = (uint8a) => `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
+export const strip0x = (hex) => hex.replace(/^0x/i, '');
+export const numberToHexEth = (num) => `0x${num.toString(16)}`;
+// 1. seed generation
+function hashKeyWithIndex(key, index) {
+    let indexHex = cutils.numberToHexUnpadded(index);
+    if (indexHex.length & 1)
+        indexHex = '0' + indexHex;
+    return bytesToNumber0x(sha256(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+}
+export function grindKey(seed) {
+    const _seed = ensureBytes0x(seed);
+    const sha256mask = 2n ** 256n;
+    const limit = sha256mask - starkCurve.utils.mod(sha256mask, starkCurve.CURVE.n);
+    for (let i = 0;; i++) {
+        const key = hashKeyWithIndex(_seed, i);
+        // key should be in [0, limit)
+        if (key < limit)
+            return starkCurve.utils.mod(key, starkCurve.CURVE.n).toString(16);
+    }
+}
+export function getStarkKey(privateKey) {
+    return bytesToHexEth(getPublicKey0x(privateKey, true).slice(1));
+}
+export function ethSigToPrivate(signature) {
+    signature = strip0x(signature.replace(/^0x/, ''));
+    if (signature.length !== 130)
+        throw new Error('Wrong ethereum signature');
+    return grindKey(signature.substring(0, 64));
+}
+const MASK_31 = 2n ** 31n - 1n;
+const int31 = (n) => Number(n & MASK_31);
+export function getAccountPath(layer, application, ethereumAddress, index) {
+    const layerNum = int31(bytesToNumber0x(sha256(layer)));
+    const applicationNum = int31(bytesToNumber0x(sha256(application)));
+    const eth = hexToNumber0x(ethereumAddress);
+    return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
+}
+// https://docs.starkware.co/starkex/pedersen-hash-function.html
+const PEDERSEN_POINTS = [
+    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
+    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
+    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
+    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
+    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+];
+// for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
+const PEDERSEN_POINTS_JACOBIAN = PEDERSEN_POINTS.map(JacobianPoint.fromAffine);
+function pedersenPrecompute(p1, p2) {
+    const out = [];
+    let p = p1;
+    for (let i = 0; i < 248; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    p = p2;
+    for (let i = 0; i < 4; i++) {
+        out.push(p);
+        p = p.double();
+    }
+    return out;
+}
+const PEDERSEN_POINTS1 = pedersenPrecompute(PEDERSEN_POINTS_JACOBIAN[1], PEDERSEN_POINTS_JACOBIAN[2]);
+const PEDERSEN_POINTS2 = pedersenPrecompute(PEDERSEN_POINTS_JACOBIAN[3], PEDERSEN_POINTS_JACOBIAN[4]);
+function pedersenArg(arg) {
+    let value;
+    if (typeof arg === 'bigint')
+        value = arg;
+    else if (typeof arg === 'number') {
+        if (!Number.isSafeInteger(arg))
+            throw new Error(`Invalid pedersenArg: ${arg}`);
+        value = BigInt(arg);
+    }
+    else
+        value = bytesToNumber0x(ensureBytes0x(arg));
+    // [0..Fp)
+    if (!(0n <= value && value < starkCurve.CURVE.P))
+        throw new Error(`PedersenArg should be 0 <= value < CURVE.P: ${value}`);
+    return value;
+}
+function pedersenSingle(point, value, constants) {
+    let x = pedersenArg(value);
+    for (let j = 0; j < 252; j++) {
+        const pt = constants[j];
+        if (pt.x === point.x)
+            throw new Error('Same point');
+        if ((x & 1n) !== 0n)
+            point = point.add(pt);
+        x >>= 1n;
+    }
+    return point;
+}
+// shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
+export function pedersen(x, y) {
+    let point = PEDERSEN_POINTS_JACOBIAN[0];
+    point = pedersenSingle(point, x, PEDERSEN_POINTS1);
+    point = pedersenSingle(point, y, PEDERSEN_POINTS2);
+    return bytesToHexEth(point.toAffine().toRawBytes(true).slice(1));
+}
+export function hashChain(data, fn = pedersen) {
+    if (!Array.isArray(data) || data.length < 1)
+        throw new Error('data should be array of at least 1 element');
+    if (data.length === 1)
+        return numberToHexEth(pedersenArg(data[0]));
+    return Array.from(data)
+        .reverse()
+        .reduce((acc, i) => fn(i, acc));
+}
+// Same as hashChain, but computes hash even for single element and order is not revesed
+export const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
+const MASK_250 = 2n ** 250n - 1n;
+export const keccak = (data) => bytesToNumber0x(keccak_256(data)) & MASK_250;

package/lib/esm/edwards.js

@@ -8,7 +8,7 @@
 // 4. Point decompression code is different too (unexpected), now using generalized formula
 // 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
 import * as mod from './modular.js';
-import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js'; // TODO: import * as u from './utils.js'?
+import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, randomBytes as utilRandomBytes } from './utils.js'; // TODO: import * as u from './utils.js'?
 import { wNAF } from './group.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
@@ -24,18 +24,14 @@ function validateOpts(curve) {
         if (typeof opts[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const fn of ['randomBytes']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
+    for (const fn of ['adjustScalarBytes', 'domain', 'randomBytes', 'uvRatio']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
     // Set defaults
-    return Object.freeze({ ...opts });
+    return Object.freeze({ randomBytes: utilRandomBytes, ...opts });
 }
 // NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef) {

package/lib/esm/modular.js

@@ -3,10 +3,6 @@
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
-const _3n = BigInt(3);
-const _4n = BigInt(4);
-const _5n = BigInt(5);
-const _8n = BigInt(8);
 // Calculates a modulo b
 export function mod(a, b) {
     const result = a % b;
@@ -14,6 +10,7 @@ export function mod(a, b) {
 }
 /**
  * Efficiently exponentiate num to power and do modular division.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
  * @example
  * powMod(2n, 6n, 11n) // 64n % 11n == 9n
  */
@@ -101,22 +98,29 @@ export function invertBatch(nums, modulo) {
     }, inverted);
     return scratch;
 }
-// Calculates Legendre symbol: num^((P-1)/2)
-export function legendre(num, fieldPrime) {
-    return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
+/**
+ * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
+ * * (a | p) ≡ 1    if a is a square (mod p)
+ * * (a | p) ≡ -1   if a is not a square (mod p)
+ * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+ */
+export function legendre(num, P) {
+    return pow(num, (P - _1n) / _2n, P);
 }
 /**
  * Calculates square root of a number in a finite field.
  */
 export function sqrt(number, modulo) {
+    // prettier-ignore
+    const _3n = BigInt(3), _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
     const n = number;
     const P = modulo;
     const p1div4 = (P + _1n) / _4n;
-    // P = 3 (mod 4)
+    // P ≡ 3 (mod 4)
     // sqrt n = n^((P+1)/4)
     if (P % _4n === _3n)
         return pow(n, p1div4, P);
-    // P = 5 (mod 8)
+    // P ≡ 5 (mod 8)
     if (P % _8n === _5n) {
         const n2 = mod(n * _2n, P);
         const v = pow(n2, (P - _5n) / _8n, P);
@@ -126,6 +130,7 @@ export function sqrt(number, modulo) {
         return r;
     }
     // Other cases: Tonelli-Shanks algorithm
+    // Check whether n is square
     if (legendre(n, P) !== _1n)
         throw new Error('Cannot find square root');
     let q, s, z;

package/lib/esm/utils.js

@@ -1,4 +1,7 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// The import here is via the package name. This is to ensure
+// that exports mapping/resolution does fall into place.
+import { crypto } from '@noble/curves/crypto';
 export function validateOpts(curve) {
     for (const i of ['P', 'n', 'h', 'Gx', 'Gy']) {
         if (typeof curve[i] !== 'bigint')
@@ -122,3 +125,17 @@ export function equalBytes(b1, b2) {
             return false;
     return true;
 }
+/**
+ * Cryptographically secure PRNG
+ */
+export function randomBytes(bytesLength = 32) {
+    if (crypto.web) {
+        return crypto.web.getRandomValues(new Uint8Array(bytesLength));
+    }
+    else if (crypto.node) {
+        return new Uint8Array(crypto.node.randomBytes(bytesLength).buffer);
+    }
+    else {
+        throw new Error("The environment doesn't have randomBytes function");
+    }
+}

package/lib/esm/weierstrass.js

@@ -8,21 +8,27 @@
 // 3. truncateHash() truncateOnly mode
 // 4. DRBG supports outputLen bigger than outputLen of hmac
 import * as mod from './modular.js';
-import { bytesToHex, bytesToNumberBE, concatBytes, ensureBytes, hexToBytes, hexToNumber, numberToHexUnpadded, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js';
+import { bytesToHex, bytesToNumberBE, concatBytes, ensureBytes, hexToBytes, hexToNumber, numberToHexUnpadded, hashToPrivateScalar, validateOpts as utilOpts, randomBytes as utilRandomBytes, } from './utils.js';
 import { wNAF } from './group.js';
 // Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve) {
     const opts = utilOpts(curve);
-    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
-        throw new Error('Invalid hash function');
-    if (typeof opts.hmac !== 'function')
-        throw new Error('Invalid hmac function');
-    if (typeof opts.randomBytes !== 'function')
-        throw new Error('Invalid randomBytes function');
     for (const i of ['a', 'b']) {
         if (typeof opts[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
+    for (const fn of ['hash', 'hmac']) {
+        if (typeof opts[fn] !== 'function')
+            throw new Error(`Invalid ${fn} function`);
+    }
+    for (const fn of ['randomBytes']) {
+        if (opts[fn] === undefined)
+            continue; // Optional
+        if (typeof opts[fn] !== 'function')
+            throw new Error(`Invalid ${fn} function`);
+    }
+    if (!Number.isSafeInteger(opts.hash.outputLen))
+        throw new Error('Invalid hash function');
     const endo = opts.endo;
     if (endo) {
         if (opts.a !== _0n) {
@@ -35,7 +41,7 @@ function validateOpts(curve) {
         }
     }
     // Set defaults
-    return Object.freeze({ lowS: true, ...opts });
+    return Object.freeze({ lowS: true, randomBytes: utilRandomBytes, ...opts });
 }
 // TODO: convert bits to bytes aligned to 32 bits? (224 for example)
 // DER encoding utilities
@@ -183,6 +189,9 @@ export function weierstrass(curveDef) {
     }
     function normalizePrivateKey(key) {
         let num;
+        if (typeof CURVE.normalizePrivateKey === 'function') {
+            key = CURVE.normalizePrivateKey(key);
+        }
         if (typeof key === 'bigint') {
             num = key;
         }
@@ -190,7 +199,7 @@ export function weierstrass(curveDef) {
             num = BigInt(key);
         }
         else if (typeof key === 'string') {
-            key = key.padStart(2 * groupLen, '0'); // Eth-like hexes
+            // key = key.padStart(2 * groupLen, '0'); // Eth-like hexes
             if (key.length !== 2 * groupLen)
                 throw new Error(`Expected ${groupLen} bytes of private key`);
             num = hexToNumber(key);

package/lib/modular.d.ts

@@ -2,6 +2,7 @@
 export declare function mod(a: bigint, b: bigint): bigint;
 /**
  * Efficiently exponentiate num to power and do modular division.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
  * @example
  * powMod(2n, 6n, 11n) // 64n % 11n == 9n
  */
@@ -23,7 +24,13 @@ export declare function div(numerator: bigint, denominator: bigint, modulo: bigi
  * // => [1n, 11n, 16n]
  */
 export declare function invertBatch(nums: bigint[], modulo: bigint): bigint[];
-export declare function legendre(num: bigint, fieldPrime: bigint): bigint;
+/**
+ * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
+ * * (a | p) ≡ 1    if a is a square (mod p)
+ * * (a | p) ≡ -1   if a is not a square (mod p)
+ * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+ */
+export declare function legendre(num: bigint, P: bigint): bigint;
 /**
  * Calculates square root of a number in a finite field.
  */