@noble/curves 0.6.0 → 0.6.2

package/README.md

@@ -7,12 +7,11 @@ Minimal, auditable JS implementation of elliptic curve cryptography.
 - [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
   for encoding or hashing an arbitrary string to a point on an elliptic curve
 - [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash
-- Auditable
 - 🏎 [Ultra-fast](#speed), hand-optimized for caveats of JS engines
 - 🔍 Unique tests ensure correctness. Wycheproof vectors included
 - 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
 
-There are two parts of the package:
+Package consists of two parts:
 
 1. `abstract/` directory specifies zero-dependency EC algorithms
 2. root directory utilizes one dependency `@noble/hashes` and provides ready-to-use:
@@ -26,6 +25,7 @@ Curves incorporate work from previous noble packages
 [ed25519](https://github.com/paulmillr/noble-ed25519),
 [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
 which had security audits and were developed from 2019 to 2022.
+Check out [Upgrading](#upgrading) section if you've used them before.
 
 ### This library belongs to _noble_ crypto
 
@@ -329,47 +329,54 @@ The module allows to hash arbitrary strings to elliptic curve points.
 
 - `expand_message_xmd` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1) produces a uniformly random byte string using a cryptographic hash function H that outputs b bits..
 
-    ```ts
-    function expand_message_xmd(
-      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash
-    ): Uint8Array;
-    function expand_message_xof(
-      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash
-    ): Uint8Array;
-    ```
+  ```ts
+  function expand_message_xmd(
+    msg: Uint8Array,
+    DST: Uint8Array,
+    lenInBytes: number,
+    H: CHash
+  ): Uint8Array;
+  function expand_message_xof(
+    msg: Uint8Array,
+    DST: Uint8Array,
+    lenInBytes: number,
+    k: number,
+    H: CHash
+  ): Uint8Array;
+  ```
 
 - `hash_to_field(msg, count, options)` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3)
-hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
-    * `msg` a byte string containing the message to hash
-    * `count` the number of elements of F to output
-    * `options` `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
-    * Returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
-
-    ```ts
-    function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
-    type htfOpts = {
-      // DST: a domain separation tag
-      // defined in section 2.2.5
-      DST: string;
-      // p: the characteristic of F
-      //    where F is a finite field of characteristic p and order q = p^m
-      p: bigint;
-      // m: the extension degree of F, m >= 1
-      //     where F is a finite field of characteristic p and order q = p^m
-      m: number;
-      // k: the target security level for the suite in bits
-      // defined in section 5.1
-      k: number;
-      // option to use a message that has already been processed by
-      // expand_message_xmd
-      expand?: 'xmd' | 'xof';
-      // Hash functions for: expand_message_xmd is appropriate for use with a
-      // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
-      // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
-      // TODO: verify that hash is shake if expand==='xof' via types
-      hash: CHash;
-    };
-    ```
+  hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
+  _ `msg` a byte string containing the message to hash
+  _ `count` the number of elements of F to output
+  _ `options` `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
+  _ Returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
+
+      ```ts
+      function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
+      type htfOpts = {
+        // DST: a domain separation tag
+        // defined in section 2.2.5
+        DST: string;
+        // p: the characteristic of F
+        //    where F is a finite field of characteristic p and order q = p^m
+        p: bigint;
+        // m: the extension degree of F, m >= 1
+        //     where F is a finite field of characteristic p and order q = p^m
+        m: number;
+        // k: the target security level for the suite in bits
+        // defined in section 5.1
+        k: number;
+        // option to use a message that has already been processed by
+        // expand_message_xmd
+        expand?: 'xmd' | 'xof';
+        // Hash functions for: expand_message_xmd is appropriate for use with a
+        // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
+        // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
+        // TODO: verify that hash is shake if expand==='xof' via types
+        hash: CHash;
+      };
+      ```
 
 ### abstract/poseidon: Poseidon hash
 
@@ -445,63 +452,94 @@ We consider infrastructure attacks like rogue NPM modules very important; that's
 Benchmark results on Apple M2 with node v18.10:
 
 ```
-getPublicKey
-  secp256k1 x 5,241 ops/sec @ 190μs/op
-  P256 x 7,993 ops/sec @ 125μs/op
-  P384 x 3,819 ops/sec @ 261μs/op
-  P521 x 2,074 ops/sec @ 481μs/op
-  ed25519 x 8,390 ops/sec @ 119μs/op
-  ed448 x 3,224 ops/sec @ 310μs/op
-sign
-  secp256k1 x 3,934 ops/sec @ 254μs/op
-  P256 x 5,327 ops/sec @ 187μs/op
-  P384 x 2,728 ops/sec @ 366μs/op
-  P521 x 1,594 ops/sec @ 626μs/op
-  ed25519 x 4,233 ops/sec @ 236μs/op
-  ed448 x 1,561 ops/sec @ 640μs/op
-verify
-  secp256k1 x 731 ops/sec @ 1ms/op
-  P256 x 806 ops/sec @ 1ms/op
-  P384 x 353 ops/sec @ 2ms/op
-  P521 x 171 ops/sec @ 5ms/op
-  ed25519 x 860 ops/sec @ 1ms/op
-  ed448 x 313 ops/sec @ 3ms/op
-getSharedSecret
-  secp256k1 x 445 ops/sec @ 2ms/op
-recoverPublicKey
-  secp256k1 x 732 ops/sec @ 1ms/op
-==== bls12-381 ====
-getPublicKey x 817 ops/sec @ 1ms/op
-sign x 50 ops/sec @ 19ms/op
-verify x 34 ops/sec @ 28ms/op
-pairing x 89 ops/sec @ 11ms/op
-==== stark ====
+secp256k1
+init x 57 ops/sec @ 17ms/op
+getPublicKey x 4,946 ops/sec @ 202μs/op
+sign x 3,914 ops/sec @ 255μs/op
+verify x 682 ops/sec @ 1ms/op
+getSharedSecret x 427 ops/sec @ 2ms/op
+recoverPublicKey x 683 ops/sec @ 1ms/op
+schnorr.sign x 539 ops/sec @ 1ms/op
+schnorr.verify x 716 ops/sec @ 1ms/op
+
+P256
+init x 30 ops/sec @ 32ms/op
+getPublicKey x 5,008 ops/sec @ 199μs/op
+sign x 3,970 ops/sec @ 251μs/op
+verify x 515 ops/sec @ 1ms/op
+
+P384
+init x 14 ops/sec @ 66ms/op
+getPublicKey x 2,434 ops/sec @ 410μs/op
+sign x 1,942 ops/sec @ 514μs/op
+verify x 206 ops/sec @ 4ms/op
+
+P521
+init x 7 ops/sec @ 126ms/op
+getPublicKey x 1,282 ops/sec @ 779μs/op
+sign x 1,077 ops/sec @ 928μs/op
+verify x 110 ops/sec @ 9ms/op
+
+ed25519
+init x 37 ops/sec @ 26ms/op
+getPublicKey x 8,147 ops/sec @ 122μs/op
+sign x 3,979 ops/sec @ 251μs/op
+verify x 848 ops/sec @ 1ms/op
+
+ed448
+init x 17 ops/sec @ 58ms/op
+getPublicKey x 3,083 ops/sec @ 324μs/op
+sign x 1,473 ops/sec @ 678μs/op
+verify x 323 ops/sec @ 3ms/op
+
+bls12-381
+init x 30 ops/sec @ 33ms/op
+getPublicKey x 788 ops/sec @ 1ms/op
+sign x 45 ops/sec @ 21ms/op
+verify x 32 ops/sec @ 30ms/op
+pairing x 88 ops/sec @ 11ms/op
+
+stark
+init x 31 ops/sec @ 31ms/op
 pedersen
-  old x 85 ops/sec @ 11ms/op
-  noble x 1,216 ops/sec @ 822μs/op
+├─old x 84 ops/sec @ 11ms/op
+└─noble x 802 ops/sec @ 1ms/op
+poseidon x 7,466 ops/sec @ 133μs/op
 verify
-  old x 302 ops/sec @ 3ms/op
-  noble x 698 ops/sec @ 1ms/op
+├─old x 300 ops/sec @ 3ms/op
+└─noble x 474 ops/sec @ 2ms/op
 ```
 
 ## Upgrading
 
-Differences from @noble/secp256k1 1.7:
-
-1. Different double() formula (but same addition)
-2. Different sqrt() function
-3. DRBG supports outputLen bigger than outputLen of hmac
-4. Support for different hash functions
-
-Differences from @noble/ed25519 1.7:
-
-1. Variable field element lengths between EDDSA/ECDH:
-  EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
-2. Different addition formula (doubling is same)
-3. uvRatio differs between curves (half-expected, not only pow fn changes)
-4. Point decompression code is different (unexpected), now using generalized formula
-5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
-
+If you're coming from single-curve noble packages, the following changes need to be kept in mind:
+
+- 2d affine (x, y) points have been removed to reduce complexity and improve speed
+- Removed `number` support as a type for private keys. `bigint` is still supported
+- `mod`, `invert` are no longer present in `utils`. Use `@noble/curves/abstract/modular.js` now.
+
+Upgrading from @noble/secp256k1 1.7:
+
+- Compressed (33-byte) public keys are now returned by default, instead of uncompressed
+- Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
+- `sign()`
+  - `der`, `recovered` options were removed
+  - `canonical` was renamed to `lowS`
+  - Return type is now `{ r: bigint, s: bigint, recovery: number }` instance of `Signature`
+- `verify()`
+  - `strict` was renamed to `lowS`
+- `recoverPublicKey()`: moved to sig instance `Signature#recoverPublicKey(msgHash)`
+- `Point` was removed: use `ProjectivePoint` in xyz coordinates
+- `utils`: Many methods were removed, others were moved to `schnorr` namespace
+
+Upgrading from @noble/ed25519 1.7:
+
+- Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
+- ed25519ph, ed25519ctx
+- `Point` was removed: use `ExtendedPoint` in xyzt coordinates
+- `Signature` was removed
+- `getSharedSecret` was removed: use separate x25519 sub-module
+- `bigint` is no longer allowed in `getPublicKey`, `sign`, `verify`. Reason: ed25519 is LE, can lead to bugs
 
 ## Contributing & testing
 

package/lib/_shortw_utils.d.ts

@@ -18,11 +18,11 @@ export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonl
         readonly hEff?: bigint | undefined;
         readonly Gx: bigint;
         readonly Gy: bigint;
-        readonly wrapPrivateKey?: boolean | undefined;
         readonly allowInfinityPoint?: boolean | undefined;
         readonly a: bigint;
         readonly b: bigint;
-        readonly normalizePrivateKey?: ((key: import("./abstract/utils.js").PrivKey) => import("./abstract/utils.js").PrivKey) | undefined;
+        readonly allowedPrivateKeyLengths?: readonly number[] | undefined;
+        readonly wrapPrivateKey?: boolean | undefined;
         readonly endo?: {
             beta: bigint;
             splitScalar: (k: bigint) => {
@@ -34,10 +34,10 @@ export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonl
         } | undefined;
         readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => boolean) | undefined;
         readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => import("./abstract/weierstrass.js").ProjPointType<bigint>) | undefined;
-        lowS: boolean;
         readonly hash: CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+        lowS: boolean;
         readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
         readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;

package/lib/abstract/curve.d.ts

@@ -46,7 +46,7 @@ export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: n
         f: T;
     };
 };
-export declare type AbstractCurve<T> = {
+export declare type BasicCurve<T> = {
     Fp: Field<T>;
     n: bigint;
     nBitLength?: number;
@@ -55,10 +55,9 @@ export declare type AbstractCurve<T> = {
     hEff?: bigint;
     Gx: T;
     Gy: T;
-    wrapPrivateKey?: boolean;
     allowInfinityPoint?: boolean;
 };
-export declare function validateAbsOpts<FP, T>(curve: AbstractCurve<FP> & T): Readonly<{
+export declare function validateBasic<FP, T>(curve: BasicCurve<FP> & T): Readonly<{
     readonly nBitLength: number;
     readonly nByteLength: number;
-} & AbstractCurve<FP> & T>;
+} & BasicCurve<FP> & T>;

package/lib/abstract/curve.js

@@ -1,9 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateAbsOpts = exports.wNAF = void 0;
+exports.validateBasic = exports.wNAF = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Abelian group utilities
 const modular_js_1 = require("./modular.js");
+const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 // Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
@@ -125,25 +126,18 @@ function wNAF(c, bits) {
     };
 }
 exports.wNAF = wNAF;
-function validateAbsOpts(curve) {
+function validateBasic(curve) {
     (0, modular_js_1.validateField)(curve.Fp);
-    for (const i of ['n', 'h']) {
-        const val = curve[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    if (!curve.Fp.isValid(curve.Gx))
-        throw new Error('Invalid generator X coordinate Fp element');
-    if (!curve.Fp.isValid(curve.Gy))
-        throw new Error('Invalid generator Y coordinate Fp element');
-    for (const i of ['nBitLength', 'nByteLength']) {
-        const val = curve[i];
-        if (val === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(val))
-            throw new Error(`Invalid param ${i}=${val} (${typeof val})`);
-    }
+    (0, utils_js_1.validateObject)(curve, {
+        n: 'bigint',
+        h: 'bigint',
+        Gx: 'field',
+        Gy: 'field',
+    }, {
+        nBitLength: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+    });
     // Set defaults
     return Object.freeze({ ...(0, modular_js_1.nLength)(curve.n, curve.nBitLength), ...curve });
 }
-exports.validateAbsOpts = validateAbsOpts;
+exports.validateBasic = validateBasic;

package/lib/abstract/edwards.d.ts

@@ -1,6 +1,7 @@
+import * as ut from './utils.js';
 import { FHash, Hex } from './utils.js';
-import { Group, GroupConstructor, AbstractCurve, AffinePoint } from './curve.js';
-export declare type CurveType = AbstractCurve<bigint> & {
+import { Group, GroupConstructor, BasicCurve, AffinePoint } from './curve.js';
+export declare type CurveType = BasicCurve<bigint> & {
     a: bigint;
     d: bigint;
     hash: FHash;
@@ -23,11 +24,10 @@ declare function validateOpts(curve: CurveType): Readonly<{
     readonly hEff?: bigint | undefined;
     readonly Gx: bigint;
     readonly Gy: bigint;
-    readonly wrapPrivateKey?: boolean | undefined;
     readonly allowInfinityPoint?: boolean | undefined;
     readonly a: bigint;
     readonly d: bigint;
-    readonly hash: FHash;
+    readonly hash: ut.FHash;
     readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
     readonly adjustScalarBytes?: ((bytes: Uint8Array) => Uint8Array) | undefined;
     readonly domain?: ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array) | undefined;
@@ -35,7 +35,7 @@ declare function validateOpts(curve: CurveType): Readonly<{
         isValid: boolean;
         value: bigint;
     }) | undefined;
-    readonly preHash?: FHash | undefined;
+    readonly preHash?: ut.FHash | undefined;
     readonly mapToCurve?: ((scalar: bigint[]) => AffinePoint<bigint>) | undefined;
 }>;
 export interface ExtPointType extends Group<ExtPointType> {

package/lib/abstract/edwards.js

@@ -4,6 +4,7 @@ exports.twistedEdwards = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 const modular_js_1 = require("./modular.js");
+const ut = require("./utils.js");
 const utils_js_1 = require("./utils.js");
 const curve_js_1 = require("./curve.js");
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
@@ -12,24 +13,18 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
 function validateOpts(curve) {
-    const opts = (0, curve_js_1.validateAbsOpts)(curve);
-    if (typeof opts.hash !== 'function')
-        throw new Error('Invalid hash function');
-    for (const i of ['a', 'd']) {
-        const val = opts[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    for (const fn of ['randomBytes']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio', 'mapToCurve']) {
-        if (opts[fn] === undefined)
-            continue; // Optional
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
+    const opts = (0, curve_js_1.validateBasic)(curve);
+    ut.validateObject(curve, {
+        hash: 'function',
+        a: 'bigint',
+        d: 'bigint',
+        randomBytes: 'function',
+    }, {
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        uvRatio: 'function',
+        mapToCurve: 'function',
+    });
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -114,7 +109,30 @@ function twistedEdwards(curveDef) {
             this._WINDOW_SIZE = windowSize;
             pointPrecomputes.delete(this);
         }
-        assertValidity() { }
+        // Not required for fromHex(), which always creates valid points.
+        // Could be useful for fromAffine().
+        assertValidity() {
+            const { a, d } = CURVE;
+            if (this.is0())
+                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+            const { ex: X, ey: Y, ez: Z, et: T } = this;
+            const X2 = modP(X * X); // X²
+            const Y2 = modP(Y * Y); // Y²
+            const Z2 = modP(Z * Z); // Z²
+            const Z4 = modP(Z2 * Z2); // Z⁴
+            const aX2 = modP(X2 * a); // aX²
+            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+            if (left !== right)
+                throw new Error('bad point: equation left != right (1)');
+            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+            const XY = modP(X * Y);
+            const ZT = modP(Z * T);
+            if (XY !== ZT)
+                throw new Error('bad point: equation left != right (2)');
+        }
         // Compare one point to another.
         equals(other) {
             isPoint(other);
@@ -264,7 +282,7 @@ function twistedEdwards(curveDef) {
             const normed = hex.slice(); // copy again, we'll manipulate it
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
-            const y = (0, utils_js_1.bytesToNumberLE)(normed);
+            const y = ut.bytesToNumberLE(normed);
             if (y === _0n) {
                 // y=0 is allowed
             }
@@ -294,12 +312,12 @@ function twistedEdwards(curveDef) {
         }
         toRawBytes() {
             const { x, y } = this.toAffine();
-            const bytes = (0, utils_js_1.numberToBytesLE)(y, Fp.BYTES); // each y has 2 x values (x, -y)
+            const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
             bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
             return bytes; // and use the last byte to encode sign of x
         }
         toHex() {
-            return (0, utils_js_1.bytesToHex)(this.toRawBytes()); // Same as toRawBytes, but returns string.
+            return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
         }
     }
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
@@ -311,7 +329,7 @@ function twistedEdwards(curveDef) {
     }
     // Little-endian SHA512 with modulo n
     function modN_LE(hash) {
-        return modN((0, utils_js_1.bytesToNumberLE)(hash));
+        return modN(ut.bytesToNumberLE(hash));
     }
     function isHex(item, err) {
         if (typeof item !== 'string' && !(item instanceof Uint8Array))
@@ -337,7 +355,7 @@ function twistedEdwards(curveDef) {
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
     function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
-        const msg = (0, utils_js_1.concatBytes)(...msgs);
+        const msg = ut.concatBytes(...msgs);
         return modN_LE(cHash(domain(msg, (0, utils_js_1.ensureBytes)(context), !!preHash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
@@ -352,7 +370,7 @@ function twistedEdwards(curveDef) {
         const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
         assertGE0(s); // 0 <= s < l
-        const res = (0, utils_js_1.concatBytes)(R, (0, utils_js_1.numberToBytesLE)(s, Fp.BYTES));
+        const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
         return (0, utils_js_1.ensureBytes)(res, nByteLength * 2); // 64-byte signature
     }
     function verify(sig, msg, publicKey, context) {
@@ -365,7 +383,7 @@ function twistedEdwards(curveDef) {
             msg = preHash(msg); // for ed25519ph, etc
         const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
         const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
-        const s = (0, utils_js_1.bytesToNumberLE)(sig.slice(len, 2 * len)); // 0 <= s < l
+        const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
         const SB = G.multiplyUnsafe(s);
         const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));

package/lib/abstract/hash-to-curve.js

@@ -20,7 +20,7 @@ function validateOpts(opts) {
 exports.validateOpts = validateOpts;
 function stringToBytes(str) {
     if (typeof str !== 'string') {
-        throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
     }
     return new TextEncoder().encode(str);
 }

package/lib/abstract/modular.d.ts

@@ -42,7 +42,7 @@ export interface Field<T> {
     fromBytes(bytes: Uint8Array): T;
     cmov(a: T, b: T, c: boolean): T;
 }
-export declare function validateField<T>(field: Field<T>): void;
+export declare function validateField<T>(field: Field<T>): Field<T>;
 export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;

package/lib/abstract/modular.js

@@ -39,7 +39,6 @@ function pow(num, power, modulo) {
 }
 exports.pow = pow;
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
-// TODO: Fp version?
 function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -203,18 +202,17 @@ const FIELD_FIELDS = [
     'addN', 'subN', 'mulN', 'sqrN'
 ];
 function validateField(field) {
-    for (const i of ['ORDER', 'MASK']) {
-        if (typeof field[i] !== 'bigint')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of ['BYTES', 'BITS']) {
-        if (typeof field[i] !== 'number')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of FIELD_FIELDS) {
-        if (typeof field[i] !== 'function')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
+    const initial = {
+        ORDER: 'bigint',
+        MASK: 'bigint',
+        BYTES: 'isSafeInteger',
+        BITS: 'isSafeInteger',
+    };
+    const opts = FIELD_FIELDS.reduce((map, val) => {
+        map[val] = 'function';
+        return map;
+    }, initial);
+    return (0, utils_js_1.validateObject)(field, opts);
 }
 exports.validateField = validateField;
 // Generic field functions