@noble/curves 0.6.0 → 0.6.2

package/lib/abstract/montgomery.js

@@ -7,28 +7,16 @@ const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
-    for (const i of ['a24']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const i of ['montgomeryBits', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
-        if (curve[fn] === undefined)
-            continue; // Optional
-        if (typeof curve[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const i of ['Gu']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'string')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
+    (0, utils_js_1.validateObject)(curve, {
+        a24: 'bigint',
+    }, {
+        montgomeryBits: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        powPminus2: 'function',
+        Gu: 'string',
+    });
     // Set defaults
     return Object.freeze({ ...curve });
 }
@@ -43,31 +31,7 @@ function montgomery(curveDef) {
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
     const powPminus2 = CURVE.powPminus2 || ((x) => (0, modular_js_1.pow)(x, P - BigInt(2), P));
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    // cswap from RFC7748
-    // NOTE: cswap is not from RFC7748!
+    // cswap from RFC7748. But it is not from RFC7748!
     /*
       cswap(swap, x_2, x_3):
            dummy = mask(swap) AND (x_2 XOR x_3)
@@ -83,6 +47,11 @@ function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
+    function assertFieldElement(n) {
+        if (typeof n === 'bigint' && _0n <= n && n < P)
+            return n;
+        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+    }
     // x25519 from 4
     /**
      *
@@ -91,11 +60,10 @@ function montgomery(curveDef) {
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(pointU, scalar) {
-        const { P } = CURVE;
-        const u = normalizeScalar(pointU, P);
+        const u = assertFieldElement(pointU);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = normalizeScalar(scalar, P);
+        const k = assertFieldElement(scalar);
         // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
         const a24 = CURVE.a24;
         const x_1 = u;
@@ -148,12 +116,14 @@ function montgomery(curveDef) {
         return (0, utils_js_1.numberToBytesLE)(modP(u), montgomeryBytes);
     }
     function decodeUCoordinate(uEnc) {
-        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
         // Section 5: When receiving such an array, implementations of X25519
         // MUST mask the most significant bit in the final byte.
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
-        u[fieldLen - 1] &= 127; // 0b0111_1111
+        const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
+        // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index)
+        if (fieldLen === montgomeryBytes)
+            u[fieldLen - 1] &= 127; // 0b0111_1111
         return (0, utils_js_1.bytesToNumberLE)(u);
     }
     function decodeScalar(n) {
@@ -162,13 +132,6 @@ function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return (0, utils_js_1.bytesToNumberLE)(adjustScalarBytes(bytes));
     }
-    /**
-     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
-     * We can get 'y' coordinate from 'u',
-     * but Point.fromHex also wants 'x' coordinate oddity flag,
-     * and we cannot get 'x' without knowing 'v'.
-     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
-     */
     function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
@@ -179,12 +142,7 @@ function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    /**
-     * Computes public key from private.
-     * Executes scalar multiplication of curve's base point by scalar.
-     * @param scalar private key
-     * @returns new public key
-     */
+    // Computes public key from private. By doing scalar multiplication of base point.
     function scalarMultBase(scalar) {
         return scalarMult(scalar, CURVE.Gu);
     }

package/lib/abstract/utils.d.ts

@@ -19,9 +19,25 @@ export declare const numberToBytesBE: (n: bigint, len: number) => Uint8Array;
 export declare const numberToBytesLE: (n: bigint, len: number) => Uint8Array;
 export declare const numberToVarBytesBE: (n: bigint) => Uint8Array;
 export declare function ensureBytes(hex: Hex, expectedLength?: number): Uint8Array;
-export declare function concatBytes(...arrays: Uint8Array[]): Uint8Array;
+export declare function concatBytes(...arrs: Uint8Array[]): Uint8Array;
 export declare function equalBytes(b1: Uint8Array, b2: Uint8Array): boolean;
 export declare function bitLen(n: bigint): number;
 export declare const bitGet: (n: bigint, pos: number) => bigint;
 export declare const bitSet: (n: bigint, pos: number, value: boolean) => bigint;
 export declare const bitMask: (n: number) => bigint;
+declare const validatorFns: {
+    readonly bigint: (val: any) => boolean;
+    readonly function: (val: any) => boolean;
+    readonly boolean: (val: any) => boolean;
+    readonly string: (val: any) => boolean;
+    readonly isSafeInteger: (val: any) => boolean;
+    readonly array: (val: any) => boolean;
+    readonly field: (val: any, object: any) => any;
+    readonly hash: (val: any) => boolean;
+};
+declare type Validator = keyof typeof validatorFns;
+declare type ValMap<T extends Record<string, any>> = {
+    [K in keyof T]?: Validator;
+};
+export declare function validateObject<T extends Record<string, any>>(object: T, validators: ValMap<T>, optValidators?: ValMap<T>): T;
+export {};

package/lib/abstract/utils.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.bitMask = exports.bitSet = exports.bitGet = exports.bitLen = exports.equalBytes = exports.concatBytes = exports.ensureBytes = exports.numberToVarBytesBE = exports.numberToBytesLE = exports.numberToBytesBE = exports.bytesToNumberLE = exports.bytesToNumberBE = exports.hexToBytes = exports.hexToNumber = exports.numberToHexUnpadded = exports.bytesToHex = void 0;
+exports.validateObject = exports.bitMask = exports.bitSet = exports.bitGet = exports.bitLen = exports.equalBytes = exports.concatBytes = exports.ensureBytes = exports.numberToVarBytesBE = exports.numberToBytesLE = exports.numberToBytesBE = exports.bytesToNumberLE = exports.bytesToNumberBE = exports.hexToBytes = exports.hexToNumber = exports.numberToHexUnpadded = exports.bytesToHex = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -9,7 +9,7 @@ const u8a = (a) => a instanceof Uint8Array;
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 function bytesToHex(bytes) {
     if (!u8a(bytes))
-        throw new Error('Expected Uint8Array');
+        throw new Error('Uint8Array expected');
     // pre-caching improves the speed 6x
     let hex = '';
     for (let i = 0; i < bytes.length; i++) {
@@ -25,24 +25,24 @@ function numberToHexUnpadded(num) {
 exports.numberToHexUnpadded = numberToHexUnpadded;
 function hexToNumber(hex) {
     if (typeof hex !== 'string')
-        throw new Error('hexToNumber: expected string, got ' + typeof hex);
+        throw new Error('string expected, got ' + typeof hex);
     // Big Endian
-    return BigInt(`0x${hex}`);
+    return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 exports.hexToNumber = hexToNumber;
 // Caching slows it down 2-3x
 function hexToBytes(hex) {
     if (typeof hex !== 'string')
-        throw new Error('hexToBytes: expected string, got ' + typeof hex);
+        throw new Error('string expected, got ' + typeof hex);
     if (hex.length % 2)
-        throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+        throw new Error('hex string is invalid: unpadded ' + hex.length);
     const array = new Uint8Array(hex.length / 2);
     for (let i = 0; i < array.length; i++) {
         const j = i * 2;
         const hexByte = hex.slice(j, j + 2);
         const byte = Number.parseInt(hexByte, 16);
         if (Number.isNaN(byte) || byte < 0)
-            throw new Error('Invalid byte sequence');
+            throw new Error('invalid byte sequence');
         array[i] = byte;
     }
     return array;
@@ -55,7 +55,7 @@ function bytesToNumberBE(bytes) {
 exports.bytesToNumberBE = bytesToNumberBE;
 function bytesToNumberLE(bytes) {
     if (!u8a(bytes))
-        throw new Error('Expected Uint8Array');
+        throw new Error('Uint8Array expected');
     return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 exports.bytesToNumberLE = bytesToNumberLE;
@@ -64,12 +64,7 @@ exports.numberToBytesBE = numberToBytesBE;
 const numberToBytesLE = (n, len) => (0, exports.numberToBytesBE)(n, len).reverse();
 exports.numberToBytesLE = numberToBytesLE;
 // Returns variable number bytes (minimal bigint encoding?)
-const numberToVarBytesBE = (n) => {
-    let hex = n.toString(16);
-    if (hex.length & 1)
-        hex = '0' + hex;
-    return hexToBytes(hex);
-};
+const numberToVarBytesBE = (n) => hexToBytes(numberToHexUnpadded(n));
 exports.numberToVarBytesBE = numberToVarBytesBE;
 function ensureBytes(hex, expectedLength) {
     // Uint8Array.from() instead of hash.slice() because node.js Buffer
@@ -81,19 +76,16 @@ function ensureBytes(hex, expectedLength) {
 }
 exports.ensureBytes = ensureBytes;
 // Copies several Uint8Arrays into one.
-function concatBytes(...arrays) {
-    if (!arrays.every((b) => u8a(b)))
-        throw new Error('Uint8Array list expected');
-    if (arrays.length === 1)
-        return arrays[0];
-    const length = arrays.reduce((a, arr) => a + arr.length, 0);
-    const result = new Uint8Array(length);
-    for (let i = 0, pad = 0; i < arrays.length; i++) {
-        const arr = arrays[i];
-        result.set(arr, pad);
-        pad += arr.length;
-    }
-    return result;
+function concatBytes(...arrs) {
+    const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0));
+    let pad = 0; // walk through each item, ensure they have proper type
+    arrs.forEach((a) => {
+        if (!u8a(a))
+            throw new Error('Uint8Array expected');
+        r.set(a, pad);
+        pad += a.length;
+    });
+    return r;
 }
 exports.concatBytes = concatBytes;
 function equalBytes(b1, b2) {
@@ -126,3 +118,41 @@ exports.bitSet = bitSet;
 // Not using ** operator with bigints for old engines.
 const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
 exports.bitMask = bitMask;
+const validatorFns = {
+    bigint: (val) => typeof val === 'bigint',
+    function: (val) => typeof val === 'function',
+    boolean: (val) => typeof val === 'boolean',
+    string: (val) => typeof val === 'string',
+    isSafeInteger: (val) => Number.isSafeInteger(val),
+    array: (val) => Array.isArray(val),
+    field: (val, object) => object.Fp.isValid(val),
+    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+};
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
+function validateObject(object, validators, optValidators = {}) {
+    const checkField = (fieldName, type, isOptional) => {
+        const checkVal = validatorFns[type];
+        if (typeof checkVal !== 'function')
+            throw new Error(`Invalid validator "${type}", expected function`);
+        const val = object[fieldName];
+        if (isOptional && val === undefined)
+            return;
+        if (!checkVal(val, object)) {
+            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
+        }
+    };
+    for (const [fieldName, type] of Object.entries(validators))
+        checkField(fieldName, type, false);
+    for (const [fieldName, type] of Object.entries(optValidators))
+        checkField(fieldName, type, true);
+    return object;
+}
+exports.validateObject = validateObject;
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });

package/lib/abstract/weierstrass.d.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 import * as ut from './utils.js';
-import { Hex, PrivKey, CHash } from './utils.js';
-import { Group, GroupConstructor, AbstractCurve, AffinePoint } from './curve.js';
+import { CHash, Hex, PrivKey } from './utils.js';
+import { Group, GroupConstructor, BasicCurve, AffinePoint } from './curve.js';
 export type { AffinePoint };
 declare type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
 declare type EndomorphismOpts = {
@@ -14,10 +14,10 @@ declare type EndomorphismOpts = {
         k2: bigint;
     };
 };
-export declare type BasicCurve<T> = AbstractCurve<T> & {
+export declare type BasicWCurve<T> = BasicCurve<T> & {
     a: T;
     b: T;
-    normalizePrivateKey?: (key: PrivKey) => PrivKey;
+    allowedPrivateKeyLengths?: readonly number[];
     wrapPrivateKey?: boolean;
     endo?: EndomorphismOpts;
     isTorsionFree?: (c: ProjConstructor<T>, point: ProjPointType<T>) => boolean;
@@ -77,7 +77,7 @@ export interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
     fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
     normalizeZ(points: ProjPointType<T>[]): ProjPointType<T>[];
 }
-export declare type CurvePointsType<T> = BasicCurve<T> & {
+export declare type CurvePointsType<T> = BasicWCurve<T> & {
     fromBytes: (bytes: Uint8Array) => AffinePoint<T>;
     toBytes: (c: ProjConstructor<T>, point: ProjPointType<T>, compressed: boolean) => Uint8Array;
 };
@@ -117,11 +117,11 @@ declare type SignatureLike = {
     s: bigint;
 };
 export declare type PubKey = Hex | ProjPointType<bigint>;
-export declare type CurveType = BasicCurve<bigint> & {
-    lowS?: boolean;
+export declare type CurveType = BasicWCurve<bigint> & {
     hash: CHash;
     hmac: HmacFnSync;
     randomBytes: (bytesLength?: number) => Uint8Array;
+    lowS?: boolean;
     bits2int?: (bytes: Uint8Array) => bigint;
     bits2int_modN?: (bytes: Uint8Array) => bigint;
 };
@@ -134,18 +134,18 @@ declare function validateOpts(curve: CurveType): Readonly<{
     readonly hEff?: bigint | undefined;
     readonly Gx: bigint;
     readonly Gy: bigint;
-    readonly wrapPrivateKey?: boolean | undefined;
     readonly allowInfinityPoint?: boolean | undefined;
     readonly a: bigint;
     readonly b: bigint;
-    readonly normalizePrivateKey?: ((key: ut.PrivKey) => ut.PrivKey) | undefined;
+    readonly allowedPrivateKeyLengths?: readonly number[] | undefined;
+    readonly wrapPrivateKey?: boolean | undefined;
     readonly endo?: EndomorphismOpts | undefined;
     readonly isTorsionFree?: ((c: ProjConstructor<bigint>, point: ProjPointType<bigint>) => boolean) | undefined;
     readonly clearCofactor?: ((c: ProjConstructor<bigint>, point: ProjPointType<bigint>) => ProjPointType<bigint>) | undefined;
-    lowS: boolean;
     readonly hash: ut.CHash;
     readonly hmac: HmacFnSync;
     readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+    lowS: boolean;
     readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
     readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
 }>;

package/lib/abstract/weierstrass.js

@@ -8,21 +8,22 @@ const ut = require("./utils.js");
 const utils_js_1 = require("./utils.js");
 const curve_js_1 = require("./curve.js");
 function validatePointOpts(curve) {
-    const opts = (0, curve_js_1.validateAbsOpts)(curve);
-    const Fp = opts.Fp;
-    for (const i of ['a', 'b']) {
-        if (!Fp.isValid(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
-    }
-    for (const i of ['isTorsionFree', 'clearCofactor']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'function')
-            throw new Error(`Invalid ${i} function`);
-    }
-    const endo = opts.endo;
+    const opts = (0, curve_js_1.validateBasic)(curve);
+    ut.validateObject(opts, {
+        a: 'field',
+        b: 'field',
+        fromBytes: 'function',
+        toBytes: 'function',
+    }, {
+        allowedPrivateKeyLengths: 'array',
+        wrapPrivateKey: 'boolean',
+        isTorsionFree: 'function',
+        clearCofactor: 'function',
+        allowInfinityPoint: 'boolean',
+    });
+    const { endo, Fp, a } = opts;
     if (endo) {
-        if (!Fp.eql(opts.a, Fp.ZERO)) {
+        if (!Fp.eql(a, Fp.ZERO)) {
             throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
         }
         if (typeof endo !== 'object' ||
@@ -31,11 +32,6 @@ function validatePointOpts(curve) {
             throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
         }
     }
-    if (typeof opts.fromBytes !== 'function')
-        throw new Error('Invalid fromBytes function');
-    if (typeof opts.toBytes !== 'function')
-        throw new Error('Invalid fromBytes function');
-    // Set defaults
     return Object.freeze({ ...opts });
 }
 // ASN.1 DER encoding utilities
@@ -116,39 +112,28 @@ function weierstrassPoints(opts) {
         if (!isWithinCurveOrder(num))
             throw new Error('Expected valid bigint: 0 < bigint < curve.n');
     }
-    /**
-     * Validates if a private key is valid and converts it to bigint form.
-     * Supports two options, that are passed when CURVE is initialized:
-     * - `normalizePrivateKey()` executed before all checks
-     * - `wrapPrivateKey` when true, executed after most checks, but before `0 < key < n`
-     */
+    // Validates if priv key is valid and converts it to bigint.
+    // Supports options CURVE.normalizePrivateKey and CURVE.wrapPrivateKey.
     function normalizePrivateKey(key) {
-        const { normalizePrivateKey: custom, nByteLength: groupLen, wrapPrivateKey, n } = CURVE;
-        if (typeof custom === 'function')
-            key = custom(key);
-        let num;
-        if (typeof key === 'bigint') {
-            // Curve order check is done below
-            num = key;
+        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
+        if (lengths && typeof key !== 'bigint') {
+            if (key instanceof Uint8Array)
+                key = ut.bytesToHex(key);
+            // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
+            if (typeof key !== 'string' || !lengths.includes(key.length))
+                throw new Error('Invalid key');
+            key = key.padStart(nByteLength * 2, '0');
         }
-        else if (typeof key === 'string') {
-            if (key.length !== 2 * groupLen)
-                throw new Error(`must be ${groupLen} bytes`);
-            // Validates individual octets
-            num = ut.bytesToNumberBE((0, utils_js_1.ensureBytes)(key));
-        }
-        else if (key instanceof Uint8Array) {
-            if (key.length !== groupLen)
-                throw new Error(`must be ${groupLen} bytes`);
-            num = ut.bytesToNumberBE(key);
+        let num;
+        try {
+            num = typeof key === 'bigint' ? key : ut.bytesToNumberBE((0, utils_js_1.ensureBytes)(key, nByteLength));
         }
-        else {
-            throw new Error('private key must be bytes, hex or bigint, not ' + typeof key);
+        catch (error) {
+            throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
         }
-        // Useful for curves with cofactor != 1
         if (wrapPrivateKey)
-            num = mod.mod(num, n);
-        assertGE(num);
+            num = mod.mod(num, n); // disabled by default, enabled for BLS
+        assertGE(num); // num in range [1..N-1]
         return num;
     }
     const pointPrecomputes = new Map();
@@ -173,6 +158,8 @@ function weierstrassPoints(opts) {
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
         }
+        // Does not validate if the point is on-curve.
+        // Use fromHex instead, or call assertValidity() later.
         static fromAffine(p) {
             const { x, y } = p || {};
             if (!p || !Fp.isValid(x) || !Fp.isValid(y))
@@ -503,14 +490,16 @@ function weierstrassPoints(opts) {
 }
 exports.weierstrassPoints = weierstrassPoints;
 function validateOpts(curve) {
-    const opts = (0, curve_js_1.validateAbsOpts)(curve);
-    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
-        throw new Error('Invalid hash function');
-    if (typeof opts.hmac !== 'function')
-        throw new Error('Invalid hmac function');
-    if (typeof opts.randomBytes !== 'function')
-        throw new Error('Invalid randomBytes function');
-    // Set defaults
+    const opts = (0, curve_js_1.validateBasic)(curve);
+    ut.validateObject(opts, {
+        hash: 'hash',
+        hmac: 'function',
+        randomBytes: 'function',
+    }, {
+        bits2int: 'function',
+        bits2int_modN: 'function',
+        lowS: 'boolean',
+    });
     return Object.freeze({ lowS: true, ...opts });
 }
 const u8n = (data) => new Uint8Array(data); // creates Uint8Array
@@ -619,7 +608,7 @@ function weierstrass(curveDef) {
                 return { x, y };
             }
             else {
-                throw new Error(`Point.fromHex: received invalid point. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes, not ${len}`);
+                throw new Error(`Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`);
             }
         },
     });
@@ -681,7 +670,7 @@ function weierstrass(curveDef) {
             const ir = invN(radj); // r^-1
             const u1 = modN(-h * ir); // -hr^-1
             const u2 = modN(s * ir); // sr^-1
-            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); //  (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)
+            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)
             if (!Q)
                 throw new Error('point at infinify'); // unsafe is fine: no priv data leaked
             Q.assertValidity();
@@ -804,9 +793,10 @@ function weierstrass(curveDef) {
     const ORDER_MASK = ut.bitMask(CURVE.nBitLength);
     function int2octets(num) {
         if (typeof num !== 'bigint')
-            throw new Error('Expected bigint');
+            throw new Error('bigint expected');
         if (!(_0n <= num && num < ORDER_MASK))
-            throw new Error(`Expected number < 2^${CURVE.nBitLength}`);
+            // n in [0..ORDER_MASK-1]
+            throw new Error(`bigint expected < 2^${CURVE.nBitLength}`);
         // works with order, can have different size than numToField!
         return ut.numberToBytesBE(num, CURVE.nByteLength);
     }
@@ -816,6 +806,7 @@ function weierstrass(curveDef) {
     // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order, this will be wrong at least for P521.
     // Also it can be bigger for P224 + SHA256
     function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
+        const { hash, randomBytes } = CURVE;
         if (msgHash == null)
             throw new Error(`sign: expected valid message hash, not "${msgHash}"`);
         if (['recovered', 'canonical'].some((k) => k in opts))
@@ -823,28 +814,20 @@ function weierstrass(curveDef) {
             throw new Error('sign() legacy options not supported');
         let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
         if (prehash)
-            msgHash = CURVE.hash((0, utils_js_1.ensureBytes)(msgHash));
+            msgHash = hash((0, utils_js_1.ensureBytes)(msgHash));
         if (lowS == null)
-            lowS = true; // RFC6979 3.2: we skip step A, because
-        // Step A is ignored, since we already provide hash instead of msg
-        // NOTE: instead of bits2int, we calling here truncateHash, since we need
-        // custom truncation for stark. For other curves it is essentially same as calling bits2int + mod
-        // However, we cannot later call bits2octets (which is truncateHash + int2octets), since nested bits2int is broken
-        // for curves where nBitLength % 8 !== 0, so we unwrap it here as int2octets call.
-        // const bits2octets = (bits)=>int2octets(bytesToNumberBE(truncateHash(bits)))
+            lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
+        // We can't later call bits2octets, since nested bits2int is broken for curves
+        // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call.
+        // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
         const h1int = bits2int_modN((0, utils_js_1.ensureBytes)(msgHash));
-        const h1octets = int2octets(h1int);
-        const d = normalizePrivateKey(privateKey);
-        // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-        const seedArgs = [int2octets(d), h1octets];
+        const d = normalizePrivateKey(privateKey); // validate private key, convert to bigint
+        const seedArgs = [int2octets(d), int2octets(h1int)];
+        // extraEntropy. RFC6979 3.6: additional k' (optional).
         if (ent != null) {
-            // RFC6979 3.6: additional k' (optional)
-            if (ent === true)
-                ent = CURVE.randomBytes(Fp.BYTES);
-            const e = (0, utils_js_1.ensureBytes)(ent);
-            if (e.length !== Fp.BYTES)
-                throw new Error(`sign: Expected ${Fp.BYTES} bytes of extra data`);
-            seedArgs.push(e);
+            // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
+            // Either pass as-is, or generate random bytes. Then validate for being ui8a of size BYTES
+            seedArgs.push((0, utils_js_1.ensureBytes)(ent === true ? randomBytes(Fp.BYTES) : ent, Fp.BYTES));
         }
         const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
@@ -954,7 +937,6 @@ function weierstrass(curveDef) {
         getSharedSecret,
         sign,
         verify,
-        // Point,
         ProjectivePoint: Point,
         Signature,
         utils,

package/lib/esm/abstract/curve.js

@@ -1,6 +1,7 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Abelian group utilities
 import { validateField, nLength } from './modular.js';
+import { validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 // Elliptic curve multiplication of Point by scalar. Complicated and fragile. Uses wNAF method.
@@ -121,24 +122,17 @@ export function wNAF(c, bits) {
         },
     };
 }
-export function validateAbsOpts(curve) {
+export function validateBasic(curve) {
     validateField(curve.Fp);
-    for (const i of ['n', 'h']) {
-        const val = curve[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    if (!curve.Fp.isValid(curve.Gx))
-        throw new Error('Invalid generator X coordinate Fp element');
-    if (!curve.Fp.isValid(curve.Gy))
-        throw new Error('Invalid generator Y coordinate Fp element');
-    for (const i of ['nBitLength', 'nByteLength']) {
-        const val = curve[i];
-        if (val === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(val))
-            throw new Error(`Invalid param ${i}=${val} (${typeof val})`);
-    }
+    validateObject(curve, {
+        n: 'bigint',
+        h: 'bigint',
+        Gx: 'field',
+        Gy: 'field',
+    }, {
+        nBitLength: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+    });
     // Set defaults
     return Object.freeze({ ...nLength(curve.n, curve.nBitLength), ...curve });
 }