@noble/curves 0.3.1 → 0.4.0

package/lib/group.js

@@ -12,8 +12,6 @@ function wNAF(c, bits) {
         return condition ? neg : item;
     };
     const opts = (W) => {
-        if (256 % W)
-            throw new Error('Invalid precomputation window, must be power of 2');
         const windows = Math.ceil(bits / W) + 1; // +1, because
         const windowSize = 2 ** (W - 1); // -1 because we skip zero
         return { windows, windowSize };
@@ -62,6 +60,8 @@ function wNAF(c, bits) {
          * @returns real and fake (for const-time) points
          */
         wNAF(W, precomputes, n) {
+            // TODO: maybe check that scalar is less than group order? wNAF will fail otherwise
+            // But need to carefully remove other checks before wNAF. ORDER == bits here
             const { windows, windowSize } = opts(W);
             let p = c.ZERO;
             let f = c.BASE;

package/lib/hashToCurve.d.ts

@@ -0,0 +1,13 @@
+import { CHash } from './utils.js';
+export declare type htfOpts = {
+    DST: string;
+    p: bigint;
+    m: number;
+    k: number;
+    expand: boolean;
+    hash: CHash;
+};
+export declare function validateHTFOpts(opts: htfOpts): void;
+export declare function stringToBytes(str: string): Uint8Array;
+export declare function expand_message_xmd(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash): Uint8Array;
+export declare function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];

package/lib/hashToCurve.js

@@ -0,0 +1,112 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hash_to_field = exports.expand_message_xmd = exports.stringToBytes = exports.validateHTFOpts = void 0;
+const utils_js_1 = require("./utils.js");
+const mod = require("./modular.js");
+function validateHTFOpts(opts) {
+    if (typeof opts.DST !== 'string')
+        throw new Error('Invalid htf/DST');
+    if (typeof opts.p !== 'bigint')
+        throw new Error('Invalid htf/p');
+    if (typeof opts.m !== 'number')
+        throw new Error('Invalid htf/m');
+    if (typeof opts.k !== 'number')
+        throw new Error('Invalid htf/k');
+    if (typeof opts.expand !== 'boolean')
+        throw new Error('Invalid htf/expand');
+    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+        throw new Error('Invalid htf/hash function');
+}
+exports.validateHTFOpts = validateHTFOpts;
+// UTF8 to ui8a
+function stringToBytes(str) {
+    const bytes = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; i++)
+        bytes[i] = str.charCodeAt(i);
+    return bytes;
+}
+exports.stringToBytes = stringToBytes;
+// Octet Stream to Integer (bytesToNumberBE)
+function os2ip(bytes) {
+    let result = 0n;
+    for (let i = 0; i < bytes.length; i++) {
+        result <<= 8n;
+        result += BigInt(bytes[i]);
+    }
+    return result;
+}
+// Integer to Octet Stream
+function i2osp(value, length) {
+    if (value < 0 || value >= 1 << (8 * length)) {
+        throw new Error(`bad I2OSP call: value=${value} length=${length}`);
+    }
+    const res = Array.from({ length }).fill(0);
+    for (let i = length - 1; i >= 0; i--) {
+        res[i] = value & 0xff;
+        value >>>= 8;
+    }
+    return new Uint8Array(res);
+}
+function strxor(a, b) {
+    const arr = new Uint8Array(a.length);
+    for (let i = 0; i < a.length; i++) {
+        arr[i] = a[i] ^ b[i];
+    }
+    return arr;
+}
+// Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1
+function expand_message_xmd(msg, DST, lenInBytes, H) {
+    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
+    if (DST.length > 255)
+        DST = H((0, utils_js_1.concatBytes)(stringToBytes('H2C-OVERSIZE-DST-'), DST));
+    const b_in_bytes = H.outputLen;
+    const r_in_bytes = b_in_bytes * 2;
+    const ell = Math.ceil(lenInBytes / b_in_bytes);
+    if (ell > 255)
+        throw new Error('Invalid xmd length');
+    const DST_prime = (0, utils_js_1.concatBytes)(DST, i2osp(DST.length, 1));
+    const Z_pad = i2osp(0, r_in_bytes);
+    const l_i_b_str = i2osp(lenInBytes, 2);
+    const b = new Array(ell);
+    const b_0 = H((0, utils_js_1.concatBytes)(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
+    b[0] = H((0, utils_js_1.concatBytes)(b_0, i2osp(1, 1), DST_prime));
+    for (let i = 1; i <= ell; i++) {
+        const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
+        b[i] = H((0, utils_js_1.concatBytes)(...args));
+    }
+    const pseudo_random_bytes = (0, utils_js_1.concatBytes)(...b);
+    return pseudo_random_bytes.slice(0, lenInBytes);
+}
+exports.expand_message_xmd = expand_message_xmd;
+// hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
+// Inputs:
+// msg - a byte string containing the message to hash.
+// count - the number of elements of F to output.
+// Outputs:
+// [u_0, ..., u_(count - 1)], a list of field elements.
+function hash_to_field(msg, count, options) {
+    // if options is provided but incomplete, fill any missing fields with the
+    // value in hftDefaults (ie hash to G2).
+    const log2p = options.p.toString(2).length;
+    const L = Math.ceil((log2p + options.k) / 8); // section 5.1 of ietf draft link above
+    const len_in_bytes = count * options.m * L;
+    const DST = stringToBytes(options.DST);
+    let pseudo_random_bytes = msg;
+    if (options.expand) {
+        pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
+    }
+    const u = new Array(count);
+    for (let i = 0; i < count; i++) {
+        const e = new Array(options.m);
+        for (let j = 0; j < options.m; j++) {
+            const elm_offset = L * (j + i * options.m);
+            const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
+            e[j] = mod.mod(os2ip(tv), options.p);
+        }
+        u[i] = e;
+    }
+    return u;
+}
+exports.hash_to_field = hash_to_field;

package/lib/modular.d.ts

@@ -1,4 +1,3 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 export declare function mod(a: bigint, b: bigint): bigint;
 /**
  * Efficiently exponentiate num to power and do modular division.
@@ -9,30 +8,51 @@ export declare function mod(a: bigint, b: bigint): bigint;
 export declare function pow(num: bigint, power: bigint, modulo: bigint): bigint;
 export declare function pow2(x: bigint, power: bigint, modulo: bigint): bigint;
 export declare function invert(number: bigint, modulo: bigint): bigint;
-/**
- * Division over finite field.
- * `a/b mod p == a * invert(b) mod p`
- */
-export declare function div(numerator: bigint, denominator: bigint, modulo: bigint): bigint;
-/**
- * Takes a list of numbers, efficiently inverts all of them.
- * @param nums list of bigints
- * @param p modulo
- * @returns list of inverted bigints
- * @example
- * invertBatch([1n, 2n, 4n], 21n);
- * // => [1n, 11n, 16n]
- */
-export declare function invertBatch(nums: bigint[], modulo: bigint): bigint[];
 /**
  * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
  * * (a | p) ≡ 1    if a is a square (mod p)
  * * (a | p) ≡ -1   if a is not a square (mod p)
  * * (a | p) ≡ 0    if a ≡ 0 (mod p)
  */
-export declare function legendre(num: bigint, P: bigint): bigint;
+export declare function legendre(num: bigint, fieldPrime: bigint): bigint;
 /**
  * Calculates square root of a number in a finite field.
  */
 export declare function sqrt(number: bigint, modulo: bigint): bigint;
 export declare const isNegativeLE: (num: bigint, modulo: bigint) => boolean;
+export interface Field<T> {
+    ORDER: bigint;
+    BYTES: number;
+    BITS: number;
+    MASK: bigint;
+    ZERO: T;
+    ONE: T;
+    create: (num: T) => T;
+    isValid: (num: T) => boolean;
+    isZero: (num: T) => boolean;
+    negate(num: T): T;
+    invert(num: T): T;
+    sqrt(num: T): T;
+    square(num: T): T;
+    equals(lhs: T, rhs: T): boolean;
+    add(lhs: T, rhs: T): T;
+    subtract(lhs: T, rhs: T): T;
+    multiply(lhs: T, rhs: T | bigint): T;
+    pow(lhs: T, power: bigint): T;
+    div(lhs: T, rhs: T | bigint): T;
+    addN(lhs: T, rhs: T): T;
+    subtractN(lhs: T, rhs: T): T;
+    multiplyN(lhs: T, rhs: T | bigint): T;
+    squareN(num: T): T;
+    isOdd?(num: T): boolean;
+    legendre?(num: T): T;
+    pow(lhs: T, power: bigint): T;
+    invertBatch: (lst: T[]) => T[];
+    toBytes(num: T): Uint8Array;
+    fromBytes(bytes: Uint8Array): T;
+}
+export declare function validateField<T>(field: Field<T>): void;
+export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
+export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
+export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;
+export declare function Fp(ORDER: bigint, bitLen?: number, isLE?: boolean, redef?: Partial<Field<bigint>>): Readonly<Field<bigint>>;

package/lib/modular.js

@@ -1,7 +1,8 @@
 "use strict";
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isNegativeLE = exports.sqrt = exports.legendre = exports.invertBatch = exports.div = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
+exports.Fp = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.sqrt = exports.legendre = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const utils = require("./utils.js");
 // Utilities for modular arithmetics
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -18,6 +19,7 @@ exports.mod = mod;
  * @example
  * powMod(2n, 6n, 11n) // 64n % 11n == 9n
  */
+// TODO: use field version && remove
 function pow(num, power, modulo) {
     if (modulo <= _0n || power < _0n)
         throw new Error('Expected power/modulo > 0');
@@ -34,6 +36,7 @@ function pow(num, power, modulo) {
 }
 exports.pow = pow;
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
+// TODO: Fp version?
 function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -67,59 +70,20 @@ function invert(number, modulo) {
     return mod(x, modulo);
 }
 exports.invert = invert;
-/**
- * Division over finite field.
- * `a/b mod p == a * invert(b) mod p`
- */
-function div(numerator, denominator, modulo) {
-    const num = mod(numerator, modulo);
-    const iden = invert(denominator, modulo);
-    return mod(num * iden, modulo);
-}
-exports.div = div;
-/**
- * Takes a list of numbers, efficiently inverts all of them.
- * @param nums list of bigints
- * @param p modulo
- * @returns list of inverted bigints
- * @example
- * invertBatch([1n, 2n, 4n], 21n);
- * // => [1n, 11n, 16n]
- */
-function invertBatch(nums, modulo) {
-    const scratch = new Array(nums.length);
-    // Walk from first to last, multiply them by each other MOD p
-    const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (num === _0n)
-            return acc;
-        scratch[i] = acc;
-        return mod(acc * num, modulo);
-    }, _1n);
-    // Invert last element
-    const inverted = invert(lastMultiplied, modulo);
-    // Walk from last to first, multiply them by inverted each other MOD p
-    nums.reduceRight((acc, num, i) => {
-        if (num === _0n)
-            return acc;
-        scratch[i] = mod(acc * scratch[i], modulo);
-        return mod(acc * num, modulo);
-    }, inverted);
-    return scratch;
-}
-exports.invertBatch = invertBatch;
 /**
  * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
  * * (a | p) ≡ 1    if a is a square (mod p)
  * * (a | p) ≡ -1   if a is not a square (mod p)
  * * (a | p) ≡ 0    if a ≡ 0 (mod p)
  */
-function legendre(num, P) {
-    return pow(num, (P - _1n) / _2n, P);
+function legendre(num, fieldPrime) {
+    return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
 }
 exports.legendre = legendre;
 /**
  * Calculates square root of a number in a finite field.
  */
+// TODO: rewrite as generic Fp function && remove bls versions
 function sqrt(number, modulo) {
     // prettier-ignore
     const _3n = BigInt(3), _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
@@ -128,8 +92,17 @@ function sqrt(number, modulo) {
     const p1div4 = (P + _1n) / _4n;
     // P ≡ 3 (mod 4)
     // sqrt n = n^((P+1)/4)
-    if (P % _4n === _3n)
-        return pow(n, p1div4, P);
+    if (P % _4n === _3n) {
+        // Not all roots possible!
+        // const ORDER =
+        //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
+        // const NUM = 72057594037927816n;
+        // TODO: fix sqrtMod in secp256k1
+        const root = pow(n, p1div4, P);
+        if (mod(root * root, modulo) !== number)
+            throw new Error('Cannot find square root');
+        return root;
+    }
     // P ≡ 5 (mod 8)
     if (P % _8n === _5n) {
         const n2 = mod(n * _2n, P);
@@ -140,7 +113,6 @@ function sqrt(number, modulo) {
         return r;
     }
     // Other cases: Tonelli-Shanks algorithm
-    // Check whether n is square
     if (legendre(n, P) !== _1n)
         throw new Error('Cannot find square root');
     let q, s, z;
@@ -174,10 +146,122 @@ exports.sqrt = sqrt;
 // Little-endian check for first LE bit (last BE bit);
 const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 exports.isNegativeLE = isNegativeLE;
-// An idea on modular arithmetic for bls12-381:
-// const FIELD = {add, pow, sqrt, mul};
-// Functions will take field elements, no need for an additional class
-// Could be faster. 1 bigint field will just do operations and mod later:
-// instead of 'r = mod(r * b, P)' we will write r = mul(r, b);
-// Could be insecure without shape check, so it needs to be done.
-// Functions could be inlined by JIT.
+// prettier-ignore
+const FIELD_FIELDS = [
+    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
+    'equals', 'add', 'subtract', 'multiply', 'pow', 'div',
+    'addN', 'subtractN', 'multiplyN', 'squareN'
+];
+function validateField(field) {
+    for (const i of ['ORDER', 'MASK']) {
+        if (typeof field[i] !== 'bigint')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of ['BYTES', 'BITS']) {
+        if (typeof field[i] !== 'number')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+    for (const i of FIELD_FIELDS) {
+        if (typeof field[i] !== 'function')
+            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
+    }
+}
+exports.validateField = validateField;
+// Generic field functions
+function FpPow(f, num, power) {
+    // Should have same speed as pow for bigints
+    // TODO: benchmark!
+    if (power < _0n)
+        throw new Error('Expected power > 0');
+    if (power === _0n)
+        return f.ONE;
+    if (power === _1n)
+        return num;
+    let p = f.ONE;
+    let d = num;
+    while (power > _0n) {
+        if (power & _1n)
+            p = f.multiply(p, d);
+        d = f.square(d);
+        power >>= 1n;
+    }
+    return p;
+}
+exports.FpPow = FpPow;
+function FpInvertBatch(f, nums) {
+    const tmp = new Array(nums.length);
+    // Walk from first to last, multiply them by each other MOD p
+    const lastMultiplied = nums.reduce((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = acc;
+        return f.multiply(acc, num);
+    }, f.ONE);
+    // Invert last element
+    const inverted = f.invert(lastMultiplied);
+    // Walk from last to first, multiply them by inverted each other MOD p
+    nums.reduceRight((acc, num, i) => {
+        if (f.isZero(num))
+            return acc;
+        tmp[i] = f.multiply(acc, tmp[i]);
+        return f.multiply(acc, num);
+    }, inverted);
+    return tmp;
+}
+exports.FpInvertBatch = FpInvertBatch;
+function FpDiv(f, lhs, rhs) {
+    return f.multiply(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+}
+exports.FpDiv = FpDiv;
+// NOTE: very fragile, always bench. Major performance points:
+// - NonNormalized ops
+// - Object.freeze
+// - same shape of object (don't add/remove keys)
+function Fp(ORDER, bitLen, isLE = false, redef = {}) {
+    if (ORDER <= _0n)
+        throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
+    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    if (BYTES > 2048)
+        throw new Error('Field lengths over 2048 bytes are not supported');
+    const sqrtP = (num) => sqrt(num, ORDER);
+    const f = Object.freeze({
+        ORDER,
+        BITS,
+        BYTES,
+        MASK: utils.bitMask(BITS),
+        ZERO: _0n,
+        ONE: _1n,
+        create: (num) => mod(num, ORDER),
+        isValid: (num) => {
+            if (typeof num !== 'bigint')
+                throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+            return _0n <= num && num < ORDER;
+        },
+        isZero: (num) => num === _0n,
+        isOdd: (num) => (num & _1n) === _1n,
+        negate: (num) => mod(-num, ORDER),
+        equals: (lhs, rhs) => lhs === rhs,
+        square: (num) => mod(num * num, ORDER),
+        add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+        subtract: (lhs, rhs) => mod(lhs - rhs, ORDER),
+        multiply: (lhs, rhs) => mod(lhs * rhs, ORDER),
+        pow: (num, power) => FpPow(f, num, power),
+        div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
+        // Same as above, but doesn't normalize
+        squareN: (num) => num * num,
+        addN: (lhs, rhs) => lhs + rhs,
+        subtractN: (lhs, rhs) => lhs - rhs,
+        multiplyN: (lhs, rhs) => lhs * rhs,
+        invert: (num) => invert(num, ORDER),
+        sqrt: redef.sqrt || sqrtP,
+        invertBatch: (lst) => FpInvertBatch(f, lst),
+        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        fromBytes: (bytes) => {
+            if (bytes.length !== BYTES)
+                throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+        },
+    });
+    return Object.freeze(f);
+}
+exports.Fp = Fp;

package/lib/utils.d.ts

@@ -1,19 +1,29 @@
 /*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import * as mod from './modular.js';
 export declare type Hex = Uint8Array | string;
 export declare type PrivKey = Hex | bigint | number;
-export declare type BasicCurve = {
-    P: bigint;
+export declare type CHash = {
+    (message: Uint8Array | string): Uint8Array;
+    blockLen: number;
+    outputLen: number;
+    create(): any;
+};
+export declare type BasicCurve<T> = {
+    Fp: mod.Field<T>;
     n: bigint;
     nBitLength?: number;
     nByteLength?: number;
     h: bigint;
-    Gx: bigint;
-    Gy: bigint;
+    hEff?: bigint;
+    Gx: T;
+    Gy: T;
+    wrapPrivateKey?: boolean;
+    allowInfinityPoint?: boolean;
 };
-export declare function validateOpts<T extends BasicCurve>(curve: T): Readonly<{
+export declare function validateOpts<FP, T>(curve: BasicCurve<FP> & T): Readonly<{
     readonly nBitLength: number;
     readonly nByteLength: number;
-} & T>;
+} & BasicCurve<FP> & T>;
 export declare function bytesToHex(uint8a: Uint8Array): string;
 export declare function numberToHexUnpadded(num: number | bigint): string;
 export declare function hexToNumber(hex: string): bigint;
@@ -28,9 +38,17 @@ export declare function nLength(n: bigint, nBitLength?: number): {
     nBitLength: number;
     nByteLength: number;
 };
-export declare function hashToPrivateScalar(hash: Hex, CURVE_ORDER: bigint, isLE?: boolean): bigint;
-export declare function equalBytes(b1: Uint8Array, b2: Uint8Array): boolean;
 /**
- * Cryptographically secure PRNG
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * As per FIPS 186 B.4.1.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from sha512, or a similar function
+ * @returns valid private scalar
  */
-export declare function randomBytes(bytesLength?: number): Uint8Array;
+export declare function hashToPrivateScalar(hash: Hex, CURVE_ORDER: bigint, isLE?: boolean): bigint;
+export declare function equalBytes(b1: Uint8Array, b2: Uint8Array): boolean;
+export declare function bitLen(n: bigint): number;
+export declare const bitGet: (n: bigint, pos: number) => bigint;
+export declare const bitSet: (n: bigint, pos: number, value: boolean) => bigint;
+export declare const bitMask: (n: number) => bigint;

package/lib/utils.js

@@ -1,15 +1,21 @@
 "use strict";
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.randomBytes = exports.equalBytes = exports.hashToPrivateScalar = exports.nLength = exports.concatBytes = exports.ensureBytes = exports.numberToBytesLE = exports.numberToBytesBE = exports.bytesToNumberLE = exports.bytesToNumberBE = exports.hexToBytes = exports.hexToNumber = exports.numberToHexUnpadded = exports.bytesToHex = exports.validateOpts = void 0;
-// The import here is via the package name. This is to ensure
-// that exports mapping/resolution does fall into place.
-const crypto_1 = require("@noble/curves/crypto");
+exports.bitMask = exports.bitSet = exports.bitGet = exports.bitLen = exports.equalBytes = exports.hashToPrivateScalar = exports.nLength = exports.concatBytes = exports.ensureBytes = exports.numberToBytesLE = exports.numberToBytesBE = exports.bytesToNumberLE = exports.bytesToNumberBE = exports.hexToBytes = exports.hexToNumber = exports.numberToHexUnpadded = exports.bytesToHex = exports.validateOpts = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const mod = require("./modular.js");
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
 function validateOpts(curve) {
-    for (const i of ['P', 'n', 'h', 'Gx', 'Gy']) {
+    mod.validateField(curve.Fp);
+    for (const i of ['n', 'h']) {
         if (typeof curve[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
+    if (!curve.Fp.isValid(curve.Gx))
+        throw new Error('Invalid generator X coordinate Fp element');
+    if (!curve.Fp.isValid(curve.Gy))
+        throw new Error('Invalid generator Y coordinate Fp element');
     for (const i of ['nBitLength', 'nByteLength']) {
         if (curve[i] === undefined)
             continue; // Optional
@@ -20,7 +26,6 @@ function validateOpts(curve) {
     return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
 }
 exports.validateOpts = validateOpts;
-const mod = require("./modular.js");
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 function bytesToHex(uint8a) {
     if (!(uint8a instanceof Uint8Array))
@@ -121,7 +126,6 @@ exports.nLength = nLength;
  * @param hash hash output from sha512, or a similar function
  * @returns valid private scalar
  */
-const _1n = BigInt(1);
 function hashToPrivateScalar(hash, CURVE_ORDER, isLE = false) {
     hash = ensureBytes(hash);
     const orderLen = nLength(CURVE_ORDER).nByteLength;
@@ -142,18 +146,23 @@ function equalBytes(b1, b2) {
     return true;
 }
 exports.equalBytes = equalBytes;
-/**
- * Cryptographically secure PRNG
- */
-function randomBytes(bytesLength = 32) {
-    if (crypto_1.crypto.web) {
-        return crypto_1.crypto.web.getRandomValues(new Uint8Array(bytesLength));
-    }
-    else if (crypto_1.crypto.node) {
-        return new Uint8Array(crypto_1.crypto.node.randomBytes(bytesLength).buffer);
-    }
-    else {
-        throw new Error("The environment doesn't have randomBytes function");
-    }
+// Bit operations
+// Amount of bits inside bigint (Same as n.toString(2).length)
+function bitLen(n) {
+    let len;
+    for (len = 0; n > 0n; n >>= _1n, len += 1)
+        ;
+    return len;
 }
-exports.randomBytes = randomBytes;
+exports.bitLen = bitLen;
+// Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
+// Same as !!+Array.from(n.toString(2)).reverse()[pos]
+const bitGet = (n, pos) => (n >> BigInt(pos)) & 1n;
+exports.bitGet = bitGet;
+// Sets single bit at position
+const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos));
+exports.bitSet = bitSet;
+// Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
+// Not using ** operator with bigints for old engines.
+const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
+exports.bitMask = bitMask;