@noble/curves 0.5.2 → 0.6.0

package/lib/esm/abstract/hash-to-curve.js

@@ -1,7 +1,6 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { concatBytes } from './utils.js';
-import * as mod from './modular.js';
-export function validateHTFOpts(opts) {
+import { mod } from './modular.js';
+import { concatBytes, ensureBytes } from './utils.js';
+export function validateOpts(opts) {
     if (typeof opts.DST !== 'string')
         throw new Error('Invalid htf/DST');
     if (typeof opts.p !== 'bigint')
@@ -15,13 +14,11 @@ export function validateHTFOpts(opts) {
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
 }
-// UTF8 to ui8a
-// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
 export function stringToBytes(str) {
-    const bytes = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; i++)
-        bytes[i] = str.charCodeAt(i);
-    return bytes;
+    if (typeof str !== 'string') {
+        throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
+    }
+    return new TextEncoder().encode(str);
 }
 // Octet Stream to Integer (bytesToNumberBE)
 function os2ip(bytes) {
@@ -120,7 +117,7 @@ export function hash_to_field(msg, count, options) {
         for (let j = 0; j < options.m; j++) {
             const elm_offset = L * (j + i * options.m);
             const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
-            e[j] = mod.mod(os2ip(tv), options.p);
+            e[j] = mod(os2ip(tv), options.p);
         }
         u[i] = e;
     }
@@ -136,3 +133,33 @@ export function isogenyMap(field, map) {
         return { x, y };
     };
 }
+export function hashToCurve(Point, mapToCurve, def) {
+    validateOpts(def);
+    if (typeof mapToCurve !== 'function')
+        throw new Error('hashToCurve: mapToCurve() has not been defined');
+    return {
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        hashToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0]))
+                .add(Point.fromAffine(mapToCurve(u[1])))
+                .clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        encodeToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+    };
+}

package/lib/esm/abstract/modular.js

@@ -1,7 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: remove circular imports
-import * as utils from './utils.js';
 // Utilities for modular arithmetics and finite fields
+import { bitMask, numberToBytesBE, numberToBytesLE, bytesToNumberBE, bytesToNumberLE, ensureBytes, } from './utils.js';
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
@@ -91,7 +90,7 @@ export function tonelliShanks(P) {
         const p1div4 = (P + _1n) / _4n;
         return function tonelliFast(Fp, n) {
             const root = Fp.pow(n, p1div4);
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -100,26 +99,26 @@ export function tonelliShanks(P) {
     const Q1div2 = (Q + _1n) / _2n;
     return function tonelliSlow(Fp, n) {
         // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-        if (Fp.pow(n, legendreC) === Fp.negate(Fp.ONE))
+        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
             throw new Error('Cannot find square root');
         let r = S;
         // TODO: will fail at Fp2/etc
         let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
         let x = Fp.pow(n, Q1div2); // first guess at the square root
         let b = Fp.pow(n, Q); // first guess at the fudge factor
-        while (!Fp.equals(b, Fp.ONE)) {
-            if (Fp.equals(b, Fp.ZERO))
+        while (!Fp.eql(b, Fp.ONE)) {
+            if (Fp.eql(b, Fp.ZERO))
                 return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
             // Find m such b^(2^m)==1
             let m = 1;
-            for (let t2 = Fp.square(b); m < r; m++) {
-                if (Fp.equals(t2, Fp.ONE))
+            for (let t2 = Fp.sqr(b); m < r; m++) {
+                if (Fp.eql(t2, Fp.ONE))
                     break;
-                t2 = Fp.square(t2); // t2 *= t2
+                t2 = Fp.sqr(t2); // t2 *= t2
             }
             // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
             const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
-            g = Fp.square(ge); // g = ge * ge
+            g = Fp.sqr(ge); // g = ge * ge
             x = Fp.mul(x, ge); // x *= ge
             b = Fp.mul(b, g); // b *= g
             r = m;
@@ -141,7 +140,7 @@ export function FpSqrt(P) {
         return function sqrt3mod4(Fp, n) {
             const root = Fp.pow(n, p1div4);
             // Throw if root**2 != n
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -155,7 +154,7 @@ export function FpSqrt(P) {
             const nv = Fp.mul(n, v);
             const i = Fp.mul(Fp.mul(nv, _2n), v);
             const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -189,9 +188,9 @@ export function FpSqrt(P) {
 export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 // prettier-ignore
 const FIELD_FIELDS = [
-    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
-    'equals', 'add', 'sub', 'mul', 'pow', 'div',
-    'addN', 'subN', 'mulN', 'squareN'
+    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+    'eql', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'sqrN'
 ];
 export function validateField(field) {
     for (const i of ['ORDER', 'MASK']) {
@@ -222,7 +221,7 @@ export function FpPow(f, num, power) {
     while (power > _0n) {
         if (power & _1n)
             p = f.mul(p, d);
-        d = f.square(d);
+        d = f.sqr(d);
         power >>= 1n;
     }
     return p;
@@ -231,16 +230,16 @@ export function FpInvertBatch(f, nums) {
     const tmp = new Array(nums.length);
     // Walk from first to last, multiply them by each other MOD p
     const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = acc;
         return f.mul(acc, num);
     }, f.ONE);
     // Invert last element
-    const inverted = f.invert(lastMultiplied);
+    const inverted = f.inv(lastMultiplied);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = f.mul(acc, tmp[i]);
         return f.mul(acc, num);
@@ -248,20 +247,27 @@ export function FpInvertBatch(f, nums) {
     return tmp;
 }
 export function FpDiv(f, lhs, rhs) {
-    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 // This function returns True whenever the value x is a square in the field F.
 export function FpIsSquare(f) {
     const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
     return (x) => {
         const p = f.pow(x, legendreConst);
-        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+        return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
     };
 }
+// CURVE.n lengths
+export function nLength(n, nBitLength) {
+    // Bit size, byte size of CURVE.n
+    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+    const nByteLength = Math.ceil(_nBitLength / 8);
+    return { nBitLength: _nBitLength, nByteLength };
+}
 export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
-    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
     const sqrtP = FpSqrt(ORDER);
@@ -269,41 +275,41 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         ORDER,
         BITS,
         BYTES,
-        MASK: utils.bitMask(BITS),
+        MASK: bitMask(BITS),
         ZERO: _0n,
         ONE: _1n,
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
                 throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
-            return _0n <= num && num < ORDER;
+            return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
-        isZero: (num) => num === _0n,
+        is0: (num) => num === _0n,
         isOdd: (num) => (num & _1n) === _1n,
-        negate: (num) => mod(-num, ORDER),
-        equals: (lhs, rhs) => lhs === rhs,
-        square: (num) => mod(num * num, ORDER),
+        neg: (num) => mod(-num, ORDER),
+        eql: (lhs, rhs) => lhs === rhs,
+        sqr: (num) => mod(num * num, ORDER),
         add: (lhs, rhs) => mod(lhs + rhs, ORDER),
         sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
         mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
         pow: (num, power) => FpPow(f, num, power),
         div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
         // Same as above, but doesn't normalize
-        squareN: (num) => num * num,
+        sqrN: (num) => num * num,
         addN: (lhs, rhs) => lhs + rhs,
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
-        invert: (num) => invert(num, ORDER),
+        inv: (num) => invert(num, ORDER),
         sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
         cmov: (a, b, c) => (c ? b : a),
-        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
                 throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
-            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+            return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
         },
     });
     return Object.freeze(f);
@@ -312,11 +318,29 @@ export function FpSqrtOdd(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? root : Fp.negate(root);
+    return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 export function FpSqrtEven(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.negate(root) : root;
+    return Fp.isOdd(root) ? Fp.neg(root) : root;
+}
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
+    hash = ensureBytes(hash);
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+    const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
+    return mod(num, groupOrder - _1n) + _1n;
 }

package/lib/esm/abstract/montgomery.js

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import * as mod from './modular.js';
-import { ensureBytes, numberToBytesLE, bytesToNumberLE, isPositiveInt } from './utils.js';
+import { mod, pow } from './modular.js';
+import { ensureBytes, numberToBytesLE, bytesToNumberLE } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
@@ -11,7 +11,7 @@ function validateOpts(curve) {
     for (const i of ['montgomeryBits', 'nByteLength']) {
         if (curve[i] === undefined)
             continue; // Optional
-        if (!isPositiveInt(curve[i]))
+        if (!Number.isSafeInteger(curve[i]))
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
     for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
@@ -27,7 +27,6 @@ function validateOpts(curve) {
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
     // Set defaults
-    // ...nLength(curve.n, curve.nBitLength),
     return Object.freeze({ ...curve });
 }
 // NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)
@@ -35,12 +34,12 @@ function validateOpts(curve) {
 export function montgomery(curveDef) {
     const CURVE = validateOpts(curveDef);
     const { P } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const modP = (a) => mod(a, P);
     const montgomeryBits = CURVE.montgomeryBits;
     const montgomeryBytes = Math.ceil(montgomeryBits / 8);
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
-    const powPminus2 = CURVE.powPminus2 || ((x) => mod.pow(x, P - BigInt(2), P));
+    const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
     /**
      * Checks for num to be in range:
      * For strict == true:  `0 <  num < max`.

package/lib/esm/abstract/poseidon.js

@@ -0,0 +1,109 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
+import { validateField, FpPow } from './modular.js';
+export function validateOpts(opts) {
+    const { Fp } = opts;
+    validateField(Fp);
+    for (const i of ['t', 'roundsFull', 'roundsPartial']) {
+        if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+            throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
+    }
+    if (opts.reversePartialPowIdx !== undefined && typeof opts.reversePartialPowIdx !== 'boolean')
+        throw new Error(`Poseidon: invalid param reversePartialPowIdx=${opts.reversePartialPowIdx}`);
+    // Default is 5, but by some reasons stark uses 3
+    let sboxPower = opts.sboxPower;
+    if (sboxPower === undefined)
+        sboxPower = 5;
+    if (typeof sboxPower !== 'number' || !Number.isSafeInteger(sboxPower))
+        throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
+    const _sboxPower = BigInt(sboxPower);
+    let sboxFn = (n) => FpPow(Fp, n, _sboxPower);
+    // Unwrapped sbox power for common cases (195->142μs)
+    if (sboxPower === 3)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(n), n);
+    else if (sboxPower === 5)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
+    if (opts.roundsFull % 2 !== 0)
+        throw new Error(`Poseidon roundsFull is not even: ${opts.roundsFull}`);
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    if (!Array.isArray(opts.roundConstants) || opts.roundConstants.length !== rounds)
+        throw new Error('Poseidon: wrong round constants');
+    const roundConstants = opts.roundConstants.map((rc) => {
+        if (!Array.isArray(rc) || rc.length !== opts.t)
+            throw new Error(`Poseidon wrong round constants: ${rc}`);
+        return rc.map((i) => {
+            if (typeof i !== 'bigint' || !Fp.isValid(i))
+                throw new Error(`Poseidon wrong round constant=${i}`);
+            return Fp.create(i);
+        });
+    });
+    // MDS is TxT matrix
+    if (!Array.isArray(opts.mds) || opts.mds.length !== opts.t)
+        throw new Error('Poseidon: wrong MDS matrix');
+    const mds = opts.mds.map((mdsRow) => {
+        if (!Array.isArray(mdsRow) || mdsRow.length !== opts.t)
+            throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
+        return mdsRow.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon MDS matrix value=${i}`);
+            return Fp.create(i);
+        });
+    });
+    return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds });
+}
+export function splitConstants(rc, t) {
+    if (typeof t !== 'number')
+        throw new Error('poseidonSplitConstants: wrong t');
+    if (!Array.isArray(rc) || rc.length % t)
+        throw new Error('poseidonSplitConstants: wrong rc');
+    const res = [];
+    let tmp = [];
+    for (let i = 0; i < rc.length; i++) {
+        tmp.push(rc[i]);
+        if (tmp.length === t) {
+            res.push(tmp);
+            tmp = [];
+        }
+    }
+    return res;
+}
+export function poseidon(opts) {
+    const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts);
+    const halfRoundsFull = Math.floor(opts.roundsFull / 2);
+    const partialIdx = reversePartialPowIdx ? t - 1 : 0;
+    const poseidonRound = (values, isFull, idx) => {
+        values = values.map((i, j) => Fp.add(i, opts.roundConstants[idx][j]));
+        if (isFull)
+            values = values.map((i) => sboxFn(i));
+        else
+            values[partialIdx] = sboxFn(values[partialIdx]);
+        // Matrix multiplication
+        values = opts.mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
+        return values;
+    };
+    const poseidonHash = function poseidonHash(values) {
+        if (!Array.isArray(values) || values.length !== t)
+            throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
+        values = values.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
+            return Fp.create(i);
+        });
+        let round = 0;
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        // Apply r_p partial rounds.
+        for (let i = 0; i < opts.roundsPartial; i++)
+            values = poseidonRound(values, false, round++);
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        if (round !== rounds)
+            throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
+        return values;
+    };
+    // For verification in tests
+    poseidonHash.roundConstants = opts.roundConstants;
+    return poseidonHash;
+}

package/lib/esm/abstract/utils.js

@@ -1,41 +1,16 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import * as mod from './modular.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
-// Bans floats and integers above 2^53-1
-export function isPositiveInt(num) {
-    return typeof num === 'number' && Number.isSafeInteger(num) && num > 0;
-}
-export function validateOpts(curve) {
-    mod.validateField(curve.Fp);
-    for (const i of ['n', 'h']) {
-        const val = curve[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    if (!curve.Fp.isValid(curve.Gx))
-        throw new Error('Invalid generator X coordinate Fp element');
-    if (!curve.Fp.isValid(curve.Gy))
-        throw new Error('Invalid generator Y coordinate Fp element');
-    for (const i of ['nBitLength', 'nByteLength']) {
-        const val = curve[i];
-        if (val === undefined)
-            continue; // Optional
-        if (!isPositiveInt(val))
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    // Set defaults
-    return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
-}
+const u8a = (a) => a instanceof Uint8Array;
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
-export function bytesToHex(uint8a) {
-    if (!(uint8a instanceof Uint8Array))
+export function bytesToHex(bytes) {
+    if (!u8a(bytes))
         throw new Error('Expected Uint8Array');
     // pre-caching improves the speed 6x
     let hex = '';
-    for (let i = 0; i < uint8a.length; i++) {
-        hex += hexes[uint8a[i]];
+    for (let i = 0; i < bytes.length; i++) {
+        hex += hexes[bytes[i]];
     }
     return hex;
 }
@@ -44,17 +19,15 @@ export function numberToHexUnpadded(num) {
     return hex.length & 1 ? `0${hex}` : hex;
 }
 export function hexToNumber(hex) {
-    if (typeof hex !== 'string') {
-        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
-    }
+    if (typeof hex !== 'string')
+        throw new Error('hexToNumber: expected string, got ' + typeof hex);
     // Big Endian
     return BigInt(`0x${hex}`);
 }
 // Caching slows it down 2-3x
 export function hexToBytes(hex) {
-    if (typeof hex !== 'string') {
-        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
-    }
+    if (typeof hex !== 'string')
+        throw new Error('hexToBytes: expected string, got ' + typeof hex);
     if (hex.length % 2)
         throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
     const array = new Uint8Array(hex.length / 2);
@@ -72,24 +45,31 @@ export function hexToBytes(hex) {
 export function bytesToNumberBE(bytes) {
     return hexToNumber(bytesToHex(bytes));
 }
-export function bytesToNumberLE(uint8a) {
-    if (!(uint8a instanceof Uint8Array))
+export function bytesToNumberLE(bytes) {
+    if (!u8a(bytes))
         throw new Error('Expected Uint8Array');
-    return BigInt('0x' + bytesToHex(Uint8Array.from(uint8a).reverse()));
+    return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 export const numberToBytesBE = (n, len) => hexToBytes(n.toString(16).padStart(len * 2, '0'));
 export const numberToBytesLE = (n, len) => numberToBytesBE(n, len).reverse();
+// Returns variable number bytes (minimal bigint encoding?)
+export const numberToVarBytesBE = (n) => {
+    let hex = n.toString(16);
+    if (hex.length & 1)
+        hex = '0' + hex;
+    return hexToBytes(hex);
+};
 export function ensureBytes(hex, expectedLength) {
     // Uint8Array.from() instead of hash.slice() because node.js Buffer
     // is instance of Uint8Array, and its slice() creates **mutable** copy
-    const bytes = hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes(hex);
+    const bytes = u8a(hex) ? Uint8Array.from(hex) : hexToBytes(hex);
     if (typeof expectedLength === 'number' && bytes.length !== expectedLength)
         throw new Error(`Expected ${expectedLength} bytes`);
     return bytes;
 }
 // Copies several Uint8Arrays into one.
 export function concatBytes(...arrays) {
-    if (!arrays.every((b) => b instanceof Uint8Array))
+    if (!arrays.every((b) => u8a(b)))
         throw new Error('Uint8Array list expected');
     if (arrays.length === 1)
         return arrays[0];
@@ -102,31 +82,6 @@ export function concatBytes(...arrays) {
     }
     return result;
 }
-// CURVE.n lengths
-export function nLength(n, nBitLength) {
-    // Bit size, byte size of CURVE.n
-    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
-    const nByteLength = Math.ceil(_nBitLength / 8);
-    return { nBitLength: _nBitLength, nByteLength };
-}
-/**
- * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
- * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
- * and convert them into private scalar, with the modulo bias being neglible.
- * Needs at least 40 bytes of input for 32-byte private key.
- * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
- * @param hash hash output from SHA3 or a similar function
- * @returns valid private scalar
- */
-export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
-    hash = ensureBytes(hash);
-    const hashLen = hash.length;
-    const minLen = nLength(groupOrder).nByteLength + 8;
-    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
-        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
-    const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-    return mod.mod(num, groupOrder - _1n) + _1n;
-}
 export function equalBytes(b1, b2) {
     // We don't care about timing attacks here
     if (b1.length !== b2.length)