@noble/curves 0.6.0 → 0.6.1

package/README.md

@@ -7,12 +7,11 @@ Minimal, auditable JS implementation of elliptic curve cryptography.
 - [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
   for encoding or hashing an arbitrary string to a point on an elliptic curve
 - [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash
-- Auditable
 - 🏎 [Ultra-fast](#speed), hand-optimized for caveats of JS engines
 - 🔍 Unique tests ensure correctness. Wycheproof vectors included
 - 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
 
-There are two parts of the package:
+Package consists of two parts:
 
 1. `abstract/` directory specifies zero-dependency EC algorithms
 2. root directory utilizes one dependency `@noble/hashes` and provides ready-to-use:
@@ -26,6 +25,7 @@ Curves incorporate work from previous noble packages
 [ed25519](https://github.com/paulmillr/noble-ed25519),
 [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
 which had security audits and were developed from 2019 to 2022.
+Check out [Upgrading](#upgrading) section if you've used them before.
 
 ### This library belongs to _noble_ crypto
 
@@ -445,63 +445,93 @@ We consider infrastructure attacks like rogue NPM modules very important; that's
 Benchmark results on Apple M2 with node v18.10:
 
 ```
-getPublicKey
-  secp256k1 x 5,241 ops/sec @ 190μs/op
-  P256 x 7,993 ops/sec @ 125μs/op
-  P384 x 3,819 ops/sec @ 261μs/op
-  P521 x 2,074 ops/sec @ 481μs/op
-  ed25519 x 8,390 ops/sec @ 119μs/op
-  ed448 x 3,224 ops/sec @ 310μs/op
-sign
-  secp256k1 x 3,934 ops/sec @ 254μs/op
-  P256 x 5,327 ops/sec @ 187μs/op
-  P384 x 2,728 ops/sec @ 366μs/op
-  P521 x 1,594 ops/sec @ 626μs/op
-  ed25519 x 4,233 ops/sec @ 236μs/op
-  ed448 x 1,561 ops/sec @ 640μs/op
-verify
-  secp256k1 x 731 ops/sec @ 1ms/op
-  P256 x 806 ops/sec @ 1ms/op
-  P384 x 353 ops/sec @ 2ms/op
-  P521 x 171 ops/sec @ 5ms/op
-  ed25519 x 860 ops/sec @ 1ms/op
-  ed448 x 313 ops/sec @ 3ms/op
-getSharedSecret
-  secp256k1 x 445 ops/sec @ 2ms/op
-recoverPublicKey
-  secp256k1 x 732 ops/sec @ 1ms/op
-==== bls12-381 ====
-getPublicKey x 817 ops/sec @ 1ms/op
-sign x 50 ops/sec @ 19ms/op
-verify x 34 ops/sec @ 28ms/op
-pairing x 89 ops/sec @ 11ms/op
-==== stark ====
+secp256k1
+init x 57 ops/sec @ 17ms/op
+getPublicKey x 4,946 ops/sec @ 202μs/op
+sign x 3,914 ops/sec @ 255μs/op
+verify x 682 ops/sec @ 1ms/op
+getSharedSecret x 427 ops/sec @ 2ms/op
+recoverPublicKey x 683 ops/sec @ 1ms/op
+schnorr.sign x 539 ops/sec @ 1ms/op
+schnorr.verify x 716 ops/sec @ 1ms/op
+
+P256
+init x 30 ops/sec @ 32ms/op
+getPublicKey x 5,008 ops/sec @ 199μs/op
+sign x 3,970 ops/sec @ 251μs/op
+verify x 515 ops/sec @ 1ms/op
+
+P384
+init x 14 ops/sec @ 66ms/op
+getPublicKey x 2,434 ops/sec @ 410μs/op
+sign x 1,942 ops/sec @ 514μs/op
+verify x 206 ops/sec @ 4ms/op
+
+P521
+init x 7 ops/sec @ 126ms/op
+getPublicKey x 1,282 ops/sec @ 779μs/op
+sign x 1,077 ops/sec @ 928μs/op
+verify x 110 ops/sec @ 9ms/op
+
+ed25519
+init x 37 ops/sec @ 26ms/op
+getPublicKey x 8,147 ops/sec @ 122μs/op
+sign x 3,979 ops/sec @ 251μs/op
+verify x 848 ops/sec @ 1ms/op
+
+ed448
+init x 17 ops/sec @ 58ms/op
+getPublicKey x 3,083 ops/sec @ 324μs/op
+sign x 1,473 ops/sec @ 678μs/op
+verify x 323 ops/sec @ 3ms/op
+
+bls12-381
+init x 30 ops/sec @ 33ms/op
+getPublicKey x 788 ops/sec @ 1ms/op
+sign x 45 ops/sec @ 21ms/op
+verify x 32 ops/sec @ 30ms/op
+pairing x 88 ops/sec @ 11ms/op
+
+stark
+init x 31 ops/sec @ 31ms/op
 pedersen
-  old x 85 ops/sec @ 11ms/op
-  noble x 1,216 ops/sec @ 822μs/op
+├─old x 84 ops/sec @ 11ms/op
+└─noble x 802 ops/sec @ 1ms/op
+poseidon x 7,466 ops/sec @ 133μs/op
 verify
-  old x 302 ops/sec @ 3ms/op
-  noble x 698 ops/sec @ 1ms/op
+├─old x 300 ops/sec @ 3ms/op
+└─noble x 474 ops/sec @ 2ms/op
 ```
 
 ## Upgrading
 
-Differences from @noble/secp256k1 1.7:
-
-1. Different double() formula (but same addition)
-2. Different sqrt() function
-3. DRBG supports outputLen bigger than outputLen of hmac
-4. Support for different hash functions
-
-Differences from @noble/ed25519 1.7:
-
-1. Variable field element lengths between EDDSA/ECDH:
-  EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
-2. Different addition formula (doubling is same)
-3. uvRatio differs between curves (half-expected, not only pow fn changes)
-4. Point decompression code is different (unexpected), now using generalized formula
-5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
-
+If you're coming from single-curve noble packages, the following changes need to be kept in mind:
+
+- 2d affine (x, y) points have been removed to reduce complexity and improve speed
+- Removed `number` support as a type for private keys. `bigint` is still supported
+- `mod`, `invert` are no longer present in `utils`. Use `@noble/curves/abstract/modular.js` now.
+
+Upgrading from @noble/secp256k1 1.7:
+
+- Compressed (33-byte) public keys are now returned by default, instead of uncompressed
+- Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
+- `sign()`
+    - `der`, `recovered` options were removed
+    - `canonical` was renamed to `lowS`
+    - Return type is now `{ r: bigint, s: bigint, recovery: number }` instance of `Signature`
+- `verify()`
+    - `strict` was renamed to `lowS`
+- `recoverPublicKey()`: moved to sig instance `Signature#recoverPublicKey(msgHash)`
+- `Point` was removed: use `ProjectivePoint` in xyz coordinates
+- `utils`: Many methods were removed, others were moved to `schnorr` namespace
+
+Upgrading from @noble/ed25519 1.7:
+
+- Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
+- ed25519ph, ed25519ctx
+- `Point` was removed: use `ExtendedPoint` in xyzt coordinates
+- `Signature` was removed
+- `getSharedSecret` was removed: use separate x25519 sub-module
 
 ## Contributing & testing
 

package/lib/_shortw_utils.d.ts

@@ -18,11 +18,11 @@ export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonl
         readonly hEff?: bigint | undefined;
         readonly Gx: bigint;
         readonly Gy: bigint;
-        readonly wrapPrivateKey?: boolean | undefined;
         readonly allowInfinityPoint?: boolean | undefined;
         readonly a: bigint;
         readonly b: bigint;
-        readonly normalizePrivateKey?: ((key: import("./abstract/utils.js").PrivKey) => import("./abstract/utils.js").PrivKey) | undefined;
+        readonly allowedPrivateKeyLengths?: readonly number[] | undefined;
+        readonly wrapPrivateKey?: boolean | undefined;
         readonly endo?: {
             beta: bigint;
             splitScalar: (k: bigint) => {
@@ -34,10 +34,10 @@ export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonl
         } | undefined;
         readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => boolean) | undefined;
         readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => import("./abstract/weierstrass.js").ProjPointType<bigint>) | undefined;
-        lowS: boolean;
         readonly hash: CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+        lowS: boolean;
         readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
         readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;

package/lib/abstract/curve.d.ts

@@ -46,7 +46,7 @@ export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: n
         f: T;
     };
 };
-export declare type AbstractCurve<T> = {
+export declare type BasicCurve<T> = {
     Fp: Field<T>;
     n: bigint;
     nBitLength?: number;
@@ -55,10 +55,9 @@ export declare type AbstractCurve<T> = {
     hEff?: bigint;
     Gx: T;
     Gy: T;
-    wrapPrivateKey?: boolean;
     allowInfinityPoint?: boolean;
 };
-export declare function validateAbsOpts<FP, T>(curve: AbstractCurve<FP> & T): Readonly<{
+export declare function validateBasic<FP, T>(curve: BasicCurve<FP> & T): Readonly<{
     readonly nBitLength: number;
     readonly nByteLength: number;
-} & AbstractCurve<FP> & T>;
+} & BasicCurve<FP> & T>;

package/lib/abstract/curve.js

@@ -1,9 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateAbsOpts = exports.wNAF = void 0;
+exports.validateBasic = exports.wNAF = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Abelian group utilities
 const modular_js_1 = require("./modular.js");
+const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 // Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
@@ -125,25 +126,18 @@ function wNAF(c, bits) {
     };
 }
 exports.wNAF = wNAF;
-function validateAbsOpts(curve) {
+function validateBasic(curve) {
     (0, modular_js_1.validateField)(curve.Fp);
-    for (const i of ['n', 'h']) {
-        const val = curve[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    if (!curve.Fp.isValid(curve.Gx))
-        throw new Error('Invalid generator X coordinate Fp element');
-    if (!curve.Fp.isValid(curve.Gy))
-        throw new Error('Invalid generator Y coordinate Fp element');
-    for (const i of ['nBitLength', 'nByteLength']) {
-        const val = curve[i];
-        if (val === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(val))
-            throw new Error(`Invalid param ${i}=${val} (${typeof val})`);
-    }
+    (0, utils_js_1.validateObject)(curve, {
+        n: 'bigint',
+        h: 'bigint',
+        Gx: 'field',
+        Gy: 'field',
+    }, {
+        nBitLength: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+    });
     // Set defaults
     return Object.freeze({ ...(0, modular_js_1.nLength)(curve.n, curve.nBitLength), ...curve });
 }
-exports.validateAbsOpts = validateAbsOpts;
+exports.validateBasic = validateBasic;

package/lib/abstract/edwards.d.ts

@@ -1,6 +1,7 @@
+import * as ut from './utils.js';
 import { FHash, Hex } from './utils.js';
-import { Group, GroupConstructor, AbstractCurve, AffinePoint } from './curve.js';
-export declare type CurveType = AbstractCurve<bigint> & {
+import { Group, GroupConstructor, BasicCurve, AffinePoint } from './curve.js';
+export declare type CurveType = BasicCurve<bigint> & {
     a: bigint;
     d: bigint;
     hash: FHash;
@@ -23,11 +24,10 @@ declare function validateOpts(curve: CurveType): Readonly<{
     readonly hEff?: bigint | undefined;
     readonly Gx: bigint;
     readonly Gy: bigint;
-    readonly wrapPrivateKey?: boolean | undefined;
     readonly allowInfinityPoint?: boolean | undefined;
     readonly a: bigint;
     readonly d: bigint;
-    readonly hash: FHash;
+    readonly hash: ut.FHash;
     readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
     readonly adjustScalarBytes?: ((bytes: Uint8Array) => Uint8Array) | undefined;
     readonly domain?: ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array) | undefined;
@@ -35,7 +35,7 @@ declare function validateOpts(curve: CurveType): Readonly<{
         isValid: boolean;
         value: bigint;
     }) | undefined;
-    readonly preHash?: FHash | undefined;
+    readonly preHash?: ut.FHash | undefined;
     readonly mapToCurve?: ((scalar: bigint[]) => AffinePoint<bigint>) | undefined;
 }>;
 export interface ExtPointType extends Group<ExtPointType> {

package/lib/abstract/edwards.js

@@ -4,6 +4,7 @@ exports.twistedEdwards = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 const modular_js_1 = require("./modular.js");
+const ut = require("./utils.js");
 const utils_js_1 = require("./utils.js");
 const curve_js_1 = require("./curve.js");
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
@@ -12,24 +13,18 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
 function validateOpts(curve) {
-    const opts = (0, curve_js_1.validateAbsOpts)(curve);
-    if (typeof opts.hash !== 'function')
-        throw new Error('Invalid hash function');
-    for (const i of ['a', 'd']) {
-        const val = opts[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    for (const fn of ['randomBytes']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio', 'mapToCurve']) {
-        if (opts[fn] === undefined)
-            continue; // Optional
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
+    const opts = (0, curve_js_1.validateBasic)(curve);
+    ut.validateObject(curve, {
+        hash: 'function',
+        a: 'bigint',
+        d: 'bigint',
+        randomBytes: 'function',
+    }, {
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        uvRatio: 'function',
+        mapToCurve: 'function',
+    });
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -264,7 +259,7 @@ function twistedEdwards(curveDef) {
             const normed = hex.slice(); // copy again, we'll manipulate it
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
-            const y = (0, utils_js_1.bytesToNumberLE)(normed);
+            const y = ut.bytesToNumberLE(normed);
             if (y === _0n) {
                 // y=0 is allowed
             }
@@ -294,12 +289,12 @@ function twistedEdwards(curveDef) {
         }
         toRawBytes() {
             const { x, y } = this.toAffine();
-            const bytes = (0, utils_js_1.numberToBytesLE)(y, Fp.BYTES); // each y has 2 x values (x, -y)
+            const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
             bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
             return bytes; // and use the last byte to encode sign of x
         }
         toHex() {
-            return (0, utils_js_1.bytesToHex)(this.toRawBytes()); // Same as toRawBytes, but returns string.
+            return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
         }
     }
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
@@ -311,7 +306,7 @@ function twistedEdwards(curveDef) {
     }
     // Little-endian SHA512 with modulo n
     function modN_LE(hash) {
-        return modN((0, utils_js_1.bytesToNumberLE)(hash));
+        return modN(ut.bytesToNumberLE(hash));
     }
     function isHex(item, err) {
         if (typeof item !== 'string' && !(item instanceof Uint8Array))
@@ -337,7 +332,7 @@ function twistedEdwards(curveDef) {
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
     function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
-        const msg = (0, utils_js_1.concatBytes)(...msgs);
+        const msg = ut.concatBytes(...msgs);
         return modN_LE(cHash(domain(msg, (0, utils_js_1.ensureBytes)(context), !!preHash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
@@ -352,7 +347,7 @@ function twistedEdwards(curveDef) {
         const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
         assertGE0(s); // 0 <= s < l
-        const res = (0, utils_js_1.concatBytes)(R, (0, utils_js_1.numberToBytesLE)(s, Fp.BYTES));
+        const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
         return (0, utils_js_1.ensureBytes)(res, nByteLength * 2); // 64-byte signature
     }
     function verify(sig, msg, publicKey, context) {
@@ -365,7 +360,7 @@ function twistedEdwards(curveDef) {
             msg = preHash(msg); // for ed25519ph, etc
         const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
         const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
-        const s = (0, utils_js_1.bytesToNumberLE)(sig.slice(len, 2 * len)); // 0 <= s < l
+        const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
         const SB = G.multiplyUnsafe(s);
         const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));

package/lib/abstract/hash-to-curve.js

@@ -20,7 +20,7 @@ function validateOpts(opts) {
 exports.validateOpts = validateOpts;
 function stringToBytes(str) {
     if (typeof str !== 'string') {
-        throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
     }
     return new TextEncoder().encode(str);
 }

package/lib/abstract/modular.d.ts

@@ -42,7 +42,7 @@ export interface Field<T> {
     fromBytes(bytes: Uint8Array): T;
     cmov(a: T, b: T, c: boolean): T;
 }
-export declare function validateField<T>(field: Field<T>): void;
+export declare function validateField<T>(field: Field<T>): object;
 export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;

package/lib/abstract/modular.js

@@ -39,7 +39,6 @@ function pow(num, power, modulo) {
 }
 exports.pow = pow;
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
-// TODO: Fp version?
 function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -203,18 +202,17 @@ const FIELD_FIELDS = [
     'addN', 'subN', 'mulN', 'sqrN'
 ];
 function validateField(field) {
-    for (const i of ['ORDER', 'MASK']) {
-        if (typeof field[i] !== 'bigint')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of ['BYTES', 'BITS']) {
-        if (typeof field[i] !== 'number')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of FIELD_FIELDS) {
-        if (typeof field[i] !== 'function')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
+    const initial = {
+        ORDER: 'bigint',
+        MASK: 'bigint',
+        BYTES: 'isSafeInteger',
+        BITS: 'isSafeInteger',
+    };
+    const opts = FIELD_FIELDS.reduce((map, val) => {
+        map[val] = 'function';
+        return map;
+    }, initial);
+    return (0, utils_js_1.validateObject)(field, opts);
 }
 exports.validateField = validateField;
 // Generic field functions

package/lib/abstract/montgomery.js

@@ -7,28 +7,16 @@ const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
-    for (const i of ['a24']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const i of ['montgomeryBits', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
-        if (curve[fn] === undefined)
-            continue; // Optional
-        if (typeof curve[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const i of ['Gu']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'string')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
+    (0, utils_js_1.validateObject)(curve, {
+        a24: 'bigint',
+    }, {
+        montgomeryBits: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        powPminus2: 'function',
+        Gu: 'string',
+    });
     // Set defaults
     return Object.freeze({ ...curve });
 }
@@ -43,31 +31,7 @@ function montgomery(curveDef) {
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
     const powPminus2 = CURVE.powPminus2 || ((x) => (0, modular_js_1.pow)(x, P - BigInt(2), P));
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    // cswap from RFC7748
-    // NOTE: cswap is not from RFC7748!
+    // cswap from RFC7748. But it is not from RFC7748!
     /*
       cswap(swap, x_2, x_3):
            dummy = mask(swap) AND (x_2 XOR x_3)
@@ -83,6 +47,11 @@ function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
+    function assertFieldElement(n) {
+        if (typeof n === 'bigint' && _0n <= n && n < P)
+            return n;
+        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+    }
     // x25519 from 4
     /**
      *
@@ -91,11 +60,10 @@ function montgomery(curveDef) {
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(pointU, scalar) {
-        const { P } = CURVE;
-        const u = normalizeScalar(pointU, P);
+        const u = assertFieldElement(pointU);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = normalizeScalar(scalar, P);
+        const k = assertFieldElement(scalar);
         // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
         const a24 = CURVE.a24;
         const x_1 = u;
@@ -148,11 +116,11 @@ function montgomery(curveDef) {
         return (0, utils_js_1.numberToBytesLE)(modP(u), montgomeryBytes);
     }
     function decodeUCoordinate(uEnc) {
-        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
         // Section 5: When receiving such an array, implementations of X25519
         // MUST mask the most significant bit in the final byte.
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
+        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
         u[fieldLen - 1] &= 127; // 0b0111_1111
         return (0, utils_js_1.bytesToNumberLE)(u);
     }
@@ -162,13 +130,6 @@ function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return (0, utils_js_1.bytesToNumberLE)(adjustScalarBytes(bytes));
     }
-    /**
-     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
-     * We can get 'y' coordinate from 'u',
-     * but Point.fromHex also wants 'x' coordinate oddity flag,
-     * and we cannot get 'x' without knowing 'v'.
-     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
-     */
     function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
@@ -179,12 +140,7 @@ function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    /**
-     * Computes public key from private.
-     * Executes scalar multiplication of curve's base point by scalar.
-     * @param scalar private key
-     * @returns new public key
-     */
+    // Computes public key from private. By doing scalar multiplication of base point.
     function scalarMultBase(scalar) {
         return scalarMult(scalar, CURVE.Gu);
     }

package/lib/abstract/utils.d.ts

@@ -19,9 +19,12 @@ export declare const numberToBytesBE: (n: bigint, len: number) => Uint8Array;
 export declare const numberToBytesLE: (n: bigint, len: number) => Uint8Array;
 export declare const numberToVarBytesBE: (n: bigint) => Uint8Array;
 export declare function ensureBytes(hex: Hex, expectedLength?: number): Uint8Array;
-export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
+export declare function concatBytes(...arrs: Uint8Array[]): Uint8Array;
 export declare function equalBytes(b1: Uint8Array, b2: Uint8Array): boolean;
 export declare function bitLen(n: bigint): number;
 export declare const bitGet: (n: bigint, pos: number) => bigint;
 export declare const bitSet: (n: bigint, pos: number, value: boolean) => bigint;
 export declare const bitMask: (n: number) => bigint;
+declare type ValMap = Record<string, string>;
+export declare function validateObject(object: object, validators: ValMap, optValidators?: ValMap): object;
+export {};