@noble/curves 0.5.2 → 0.6.1

package/lib/abstract/hash-to-curve.d.ts

@@ -1,15 +1,17 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { CHash } from './utils.js';
-import * as mod from './modular.js';
-export declare type htfOpts = {
+import type { Group, GroupConstructor, AffinePoint } from './curve.js';
+import { Field } from './modular.js';
+import { CHash, Hex } from './utils.js';
+export declare type Opts = {
     DST: string;
+    encodeDST: string;
     p: bigint;
     m: number;
     k: number;
     expand?: 'xmd' | 'xof';
     hash: CHash;
 };
-export declare function validateHTFOpts(opts: htfOpts): void;
+export declare function validateOpts(opts: Opts): void;
 export declare function stringToBytes(str: string): Uint8Array;
 export declare function expand_message_xmd(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash): Uint8Array;
 export declare function expand_message_xof(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash): Uint8Array;
@@ -21,8 +23,25 @@ export declare function expand_message_xof(msg: Uint8Array, DST: Uint8Array, len
  * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
  * @returns [u_0, ..., u_(count - 1)], a list of field elements.
  */
-export declare function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
-export declare function isogenyMap<T, F extends mod.Field<T>>(field: F, map: [T[], T[], T[], T[]]): (x: T, y: T) => {
+export declare function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
+export declare function isogenyMap<T, F extends Field<T>>(field: F, map: [T[], T[], T[], T[]]): (x: T, y: T) => {
     x: T;
     y: T;
 };
+export interface H2CPoint<T> extends Group<H2CPoint<T>> {
+    add(rhs: H2CPoint<T>): H2CPoint<T>;
+    toAffine(iz?: bigint): AffinePoint<T>;
+    clearCofactor(): H2CPoint<T>;
+    assertValidity(): void;
+}
+export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
+    fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
+}
+export declare type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
+export declare type htfBasicOpts = {
+    DST: string;
+};
+export declare function hashToCurve<T>(Point: H2CPointConstructor<T>, mapToCurve: MapToCurve<T>, def: Opts): {
+    hashToCurve(msg: Hex, options?: htfBasicOpts): H2CPoint<T>;
+    encodeToCurve(msg: Hex, options?: htfBasicOpts): H2CPoint<T>;
+};

package/lib/abstract/hash-to-curve.js

@@ -1,10 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = exports.stringToBytes = exports.validateHTFOpts = void 0;
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+exports.hashToCurve = exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = exports.stringToBytes = exports.validateOpts = void 0;
+const modular_js_1 = require("./modular.js");
 const utils_js_1 = require("./utils.js");
-const mod = require("./modular.js");
-function validateHTFOpts(opts) {
+function validateOpts(opts) {
     if (typeof opts.DST !== 'string')
         throw new Error('Invalid htf/DST');
     if (typeof opts.p !== 'bigint')
@@ -18,14 +17,12 @@ function validateHTFOpts(opts) {
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
 }
-exports.validateHTFOpts = validateHTFOpts;
-// UTF8 to ui8a
-// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
+exports.validateOpts = validateOpts;
 function stringToBytes(str) {
-    const bytes = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; i++)
-        bytes[i] = str.charCodeAt(i);
-    return bytes;
+    if (typeof str !== 'string') {
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+    }
+    return new TextEncoder().encode(str);
 }
 exports.stringToBytes = stringToBytes;
 // Octet Stream to Integer (bytesToNumberBE)
@@ -127,7 +124,7 @@ function hash_to_field(msg, count, options) {
         for (let j = 0; j < options.m; j++) {
             const elm_offset = L * (j + i * options.m);
             const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
-            e[j] = mod.mod(os2ip(tv), options.p);
+            e[j] = (0, modular_js_1.mod)(os2ip(tv), options.p);
         }
         u[i] = e;
     }
@@ -145,3 +142,34 @@ function isogenyMap(field, map) {
     };
 }
 exports.isogenyMap = isogenyMap;
+function hashToCurve(Point, mapToCurve, def) {
+    validateOpts(def);
+    if (typeof mapToCurve !== 'function')
+        throw new Error('hashToCurve: mapToCurve() has not been defined');
+    return {
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        hashToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0]))
+                .add(Point.fromAffine(mapToCurve(u[1])))
+                .clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        encodeToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+    };
+}
+exports.hashToCurve = hashToCurve;

package/lib/abstract/modular.d.ts

@@ -20,12 +20,12 @@ export interface Field<T> {
     ONE: T;
     create: (num: T) => T;
     isValid: (num: T) => boolean;
-    isZero: (num: T) => boolean;
-    negate(num: T): T;
-    invert(num: T): T;
+    is0: (num: T) => boolean;
+    neg(num: T): T;
+    inv(num: T): T;
     sqrt(num: T): T;
-    square(num: T): T;
-    equals(lhs: T, rhs: T): boolean;
+    sqr(num: T): T;
+    eql(lhs: T, rhs: T): boolean;
     add(lhs: T, rhs: T): T;
     sub(lhs: T, rhs: T): T;
     mul(lhs: T, rhs: T | bigint): T;
@@ -34,22 +34,35 @@ export interface Field<T> {
     addN(lhs: T, rhs: T): T;
     subN(lhs: T, rhs: T): T;
     mulN(lhs: T, rhs: T | bigint): T;
-    squareN(num: T): T;
+    sqrN(num: T): T;
     isOdd?(num: T): boolean;
-    legendre?(num: T): T;
     pow(lhs: T, power: bigint): T;
     invertBatch: (lst: T[]) => T[];
     toBytes(num: T): Uint8Array;
     fromBytes(bytes: Uint8Array): T;
     cmov(a: T, b: T, c: boolean): T;
 }
-export declare function validateField<T>(field: Field<T>): void;
+export declare function validateField<T>(field: Field<T>): object;
 export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;
 export declare function FpIsSquare<T>(f: Field<T>): (x: T) => boolean;
+export declare function nLength(n: bigint, nBitLength?: number): {
+    nBitLength: number;
+    nByteLength: number;
+};
 declare type FpField = Field<bigint> & Required<Pick<Field<bigint>, 'isOdd'>>;
 export declare function Fp(ORDER: bigint, bitLen?: number, isLE?: boolean, redef?: Partial<Field<bigint>>): Readonly<FpField>;
 export declare function FpSqrtOdd<T>(Fp: Field<T>, elm: T): T;
 export declare function FpSqrtEven<T>(Fp: Field<T>, elm: T): T;
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+export declare function hashToPrivateScalar(hash: string | Uint8Array, groupOrder: bigint, isLE?: boolean): bigint;
 export {};

package/lib/abstract/modular.js

@@ -1,10 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FpSqrtEven = exports.FpSqrtOdd = exports.Fp = exports.FpIsSquare = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.FpSqrt = exports.tonelliShanks = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
+exports.hashToPrivateScalar = exports.FpSqrtEven = exports.FpSqrtOdd = exports.Fp = exports.nLength = exports.FpIsSquare = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.FpSqrt = exports.tonelliShanks = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: remove circular imports
-const utils = require("./utils.js");
 // Utilities for modular arithmetics and finite fields
+const utils_js_1 = require("./utils.js");
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
@@ -40,7 +39,6 @@ function pow(num, power, modulo) {
 }
 exports.pow = pow;
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
-// TODO: Fp version?
 function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -98,7 +96,7 @@ function tonelliShanks(P) {
         const p1div4 = (P + _1n) / _4n;
         return function tonelliFast(Fp, n) {
             const root = Fp.pow(n, p1div4);
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -107,26 +105,26 @@ function tonelliShanks(P) {
     const Q1div2 = (Q + _1n) / _2n;
     return function tonelliSlow(Fp, n) {
         // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-        if (Fp.pow(n, legendreC) === Fp.negate(Fp.ONE))
+        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
             throw new Error('Cannot find square root');
         let r = S;
         // TODO: will fail at Fp2/etc
         let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
         let x = Fp.pow(n, Q1div2); // first guess at the square root
         let b = Fp.pow(n, Q); // first guess at the fudge factor
-        while (!Fp.equals(b, Fp.ONE)) {
-            if (Fp.equals(b, Fp.ZERO))
+        while (!Fp.eql(b, Fp.ONE)) {
+            if (Fp.eql(b, Fp.ZERO))
                 return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
             // Find m such b^(2^m)==1
             let m = 1;
-            for (let t2 = Fp.square(b); m < r; m++) {
-                if (Fp.equals(t2, Fp.ONE))
+            for (let t2 = Fp.sqr(b); m < r; m++) {
+                if (Fp.eql(t2, Fp.ONE))
                     break;
-                t2 = Fp.square(t2); // t2 *= t2
+                t2 = Fp.sqr(t2); // t2 *= t2
             }
             // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
             const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
-            g = Fp.square(ge); // g = ge * ge
+            g = Fp.sqr(ge); // g = ge * ge
             x = Fp.mul(x, ge); // x *= ge
             b = Fp.mul(b, g); // b *= g
             r = m;
@@ -149,7 +147,7 @@ function FpSqrt(P) {
         return function sqrt3mod4(Fp, n) {
             const root = Fp.pow(n, p1div4);
             // Throw if root**2 != n
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -163,7 +161,7 @@ function FpSqrt(P) {
             const nv = Fp.mul(n, v);
             const i = Fp.mul(Fp.mul(nv, _2n), v);
             const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -199,23 +197,22 @@ const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 exports.isNegativeLE = isNegativeLE;
 // prettier-ignore
 const FIELD_FIELDS = [
-    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
-    'equals', 'add', 'sub', 'mul', 'pow', 'div',
-    'addN', 'subN', 'mulN', 'squareN'
+    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+    'eql', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'sqrN'
 ];
 function validateField(field) {
-    for (const i of ['ORDER', 'MASK']) {
-        if (typeof field[i] !== 'bigint')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of ['BYTES', 'BITS']) {
-        if (typeof field[i] !== 'number')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of FIELD_FIELDS) {
-        if (typeof field[i] !== 'function')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
+    const initial = {
+        ORDER: 'bigint',
+        MASK: 'bigint',
+        BYTES: 'isSafeInteger',
+        BITS: 'isSafeInteger',
+    };
+    const opts = FIELD_FIELDS.reduce((map, val) => {
+        map[val] = 'function';
+        return map;
+    }, initial);
+    return (0, utils_js_1.validateObject)(field, opts);
 }
 exports.validateField = validateField;
 // Generic field functions
@@ -233,7 +230,7 @@ function FpPow(f, num, power) {
     while (power > _0n) {
         if (power & _1n)
             p = f.mul(p, d);
-        d = f.square(d);
+        d = f.sqr(d);
         power >>= 1n;
     }
     return p;
@@ -243,16 +240,16 @@ function FpInvertBatch(f, nums) {
     const tmp = new Array(nums.length);
     // Walk from first to last, multiply them by each other MOD p
     const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = acc;
         return f.mul(acc, num);
     }, f.ONE);
     // Invert last element
-    const inverted = f.invert(lastMultiplied);
+    const inverted = f.inv(lastMultiplied);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = f.mul(acc, tmp[i]);
         return f.mul(acc, num);
@@ -261,7 +258,7 @@ function FpInvertBatch(f, nums) {
 }
 exports.FpInvertBatch = FpInvertBatch;
 function FpDiv(f, lhs, rhs) {
-    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 exports.FpDiv = FpDiv;
 // This function returns True whenever the value x is a square in the field F.
@@ -269,14 +266,22 @@ function FpIsSquare(f) {
     const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
     return (x) => {
         const p = f.pow(x, legendreConst);
-        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+        return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
     };
 }
 exports.FpIsSquare = FpIsSquare;
+// CURVE.n lengths
+function nLength(n, nBitLength) {
+    // Bit size, byte size of CURVE.n
+    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+    const nByteLength = Math.ceil(_nBitLength / 8);
+    return { nBitLength: _nBitLength, nByteLength };
+}
+exports.nLength = nLength;
 function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
-    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
     const sqrtP = FpSqrt(ORDER);
@@ -284,41 +289,41 @@ function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         ORDER,
         BITS,
         BYTES,
-        MASK: utils.bitMask(BITS),
+        MASK: (0, utils_js_1.bitMask)(BITS),
         ZERO: _0n,
         ONE: _1n,
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
                 throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
-            return _0n <= num && num < ORDER;
+            return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
-        isZero: (num) => num === _0n,
+        is0: (num) => num === _0n,
         isOdd: (num) => (num & _1n) === _1n,
-        negate: (num) => mod(-num, ORDER),
-        equals: (lhs, rhs) => lhs === rhs,
-        square: (num) => mod(num * num, ORDER),
+        neg: (num) => mod(-num, ORDER),
+        eql: (lhs, rhs) => lhs === rhs,
+        sqr: (num) => mod(num * num, ORDER),
         add: (lhs, rhs) => mod(lhs + rhs, ORDER),
         sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
         mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
         pow: (num, power) => FpPow(f, num, power),
         div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
         // Same as above, but doesn't normalize
-        squareN: (num) => num * num,
+        sqrN: (num) => num * num,
         addN: (lhs, rhs) => lhs + rhs,
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
-        invert: (num) => invert(num, ORDER),
+        inv: (num) => invert(num, ORDER),
         sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
         cmov: (a, b, c) => (c ? b : a),
-        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        toBytes: (num) => (isLE ? (0, utils_js_1.numberToBytesLE)(num, BYTES) : (0, utils_js_1.numberToBytesBE)(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
                 throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
-            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+            return isLE ? (0, utils_js_1.bytesToNumberLE)(bytes) : (0, utils_js_1.bytesToNumberBE)(bytes);
         },
     });
     return Object.freeze(f);
@@ -328,13 +333,32 @@ function FpSqrtOdd(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? root : Fp.negate(root);
+    return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 exports.FpSqrtOdd = FpSqrtOdd;
 function FpSqrtEven(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.negate(root) : root;
+    return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
 exports.FpSqrtEven = FpSqrtEven;
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+function hashToPrivateScalar(hash, groupOrder, isLE = false) {
+    hash = (0, utils_js_1.ensureBytes)(hash);
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+    const num = isLE ? (0, utils_js_1.bytesToNumberLE)(hash) : (0, utils_js_1.bytesToNumberBE)(hash);
+    return mod(num, groupOrder - _1n) + _1n;
+}
+exports.hashToPrivateScalar = hashToPrivateScalar;

package/lib/abstract/montgomery.js

@@ -2,35 +2,22 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.montgomery = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const mod = require("./modular.js");
+const modular_js_1 = require("./modular.js");
 const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
-    for (const i of ['a24']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const i of ['montgomeryBits', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!(0, utils_js_1.isPositiveInt)(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
-        if (curve[fn] === undefined)
-            continue; // Optional
-        if (typeof curve[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const i of ['Gu']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'string')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
+    (0, utils_js_1.validateObject)(curve, {
+        a24: 'bigint',
+    }, {
+        montgomeryBits: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        powPminus2: 'function',
+        Gu: 'string',
+    });
     // Set defaults
-    // ...nLength(curve.n, curve.nBitLength),
     return Object.freeze({ ...curve });
 }
 // NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)
@@ -38,37 +25,13 @@ function validateOpts(curve) {
 function montgomery(curveDef) {
     const CURVE = validateOpts(curveDef);
     const { P } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const modP = (a) => (0, modular_js_1.mod)(a, P);
     const montgomeryBits = CURVE.montgomeryBits;
     const montgomeryBytes = Math.ceil(montgomeryBits / 8);
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
-    const powPminus2 = CURVE.powPminus2 || ((x) => mod.pow(x, P - BigInt(2), P));
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    // cswap from RFC7748
-    // NOTE: cswap is not from RFC7748!
+    const powPminus2 = CURVE.powPminus2 || ((x) => (0, modular_js_1.pow)(x, P - BigInt(2), P));
+    // cswap from RFC7748. But it is not from RFC7748!
     /*
       cswap(swap, x_2, x_3):
            dummy = mask(swap) AND (x_2 XOR x_3)
@@ -84,6 +47,11 @@ function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
+    function assertFieldElement(n) {
+        if (typeof n === 'bigint' && _0n <= n && n < P)
+            return n;
+        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+    }
     // x25519 from 4
     /**
      *
@@ -92,11 +60,10 @@ function montgomery(curveDef) {
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(pointU, scalar) {
-        const { P } = CURVE;
-        const u = normalizeScalar(pointU, P);
+        const u = assertFieldElement(pointU);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = normalizeScalar(scalar, P);
+        const k = assertFieldElement(scalar);
         // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
         const a24 = CURVE.a24;
         const x_1 = u;
@@ -149,11 +116,11 @@ function montgomery(curveDef) {
         return (0, utils_js_1.numberToBytesLE)(modP(u), montgomeryBytes);
     }
     function decodeUCoordinate(uEnc) {
-        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
         // Section 5: When receiving such an array, implementations of X25519
         // MUST mask the most significant bit in the final byte.
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
+        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
         u[fieldLen - 1] &= 127; // 0b0111_1111
         return (0, utils_js_1.bytesToNumberLE)(u);
     }
@@ -163,13 +130,6 @@ function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return (0, utils_js_1.bytesToNumberLE)(adjustScalarBytes(bytes));
     }
-    /**
-     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
-     * We can get 'y' coordinate from 'u',
-     * but Point.fromHex also wants 'x' coordinate oddity flag,
-     * and we cannot get 'x' without knowing 'v'.
-     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
-     */
     function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
@@ -180,12 +140,7 @@ function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    /**
-     * Computes public key from private.
-     * Executes scalar multiplication of curve's base point by scalar.
-     * @param scalar private key
-     * @returns new public key
-     */
+    // Computes public key from private. By doing scalar multiplication of base point.
     function scalarMultBase(scalar) {
         return scalarMult(scalar, CURVE.Gu);
     }

package/lib/abstract/poseidon.d.ts

@@ -0,0 +1,29 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { Field } from './modular.js';
+export declare type PoseidonOpts = {
+    Fp: Field<bigint>;
+    t: number;
+    roundsFull: number;
+    roundsPartial: number;
+    sboxPower?: number;
+    reversePartialPowIdx?: boolean;
+    mds: bigint[][];
+    roundConstants: bigint[][];
+};
+export declare function validateOpts(opts: PoseidonOpts): Readonly<{
+    rounds: number;
+    sboxFn: (n: bigint) => bigint;
+    roundConstants: bigint[][];
+    mds: bigint[][];
+    Fp: Field<bigint>;
+    t: number;
+    roundsFull: number;
+    roundsPartial: number;
+    sboxPower?: number | undefined;
+    reversePartialPowIdx?: boolean | undefined;
+}>;
+export declare function splitConstants(rc: bigint[], t: number): bigint[][];
+export declare function poseidon(opts: PoseidonOpts): {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+};