@noble/curves 0.6.0 → 0.6.2

package/lib/esm/abstract/edwards.js

@@ -1,32 +1,27 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 import { mod } from './modular.js';
-import { bytesToHex, bytesToNumberLE, concatBytes, ensureBytes, numberToBytesLE, } from './utils.js';
-import { wNAF, validateAbsOpts, } from './curve.js';
+import * as ut from './utils.js';
+import { ensureBytes } from './utils.js';
+import { wNAF, validateBasic } from './curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
 function validateOpts(curve) {
-    const opts = validateAbsOpts(curve);
-    if (typeof opts.hash !== 'function')
-        throw new Error('Invalid hash function');
-    for (const i of ['a', 'd']) {
-        const val = opts[i];
-        if (typeof val !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
-    }
-    for (const fn of ['randomBytes']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio', 'mapToCurve']) {
-        if (opts[fn] === undefined)
-            continue; // Optional
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
+    const opts = validateBasic(curve);
+    ut.validateObject(curve, {
+        hash: 'function',
+        a: 'bigint',
+        d: 'bigint',
+        randomBytes: 'function',
+    }, {
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        uvRatio: 'function',
+        mapToCurve: 'function',
+    });
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -111,7 +106,30 @@ export function twistedEdwards(curveDef) {
             this._WINDOW_SIZE = windowSize;
             pointPrecomputes.delete(this);
         }
-        assertValidity() { }
+        // Not required for fromHex(), which always creates valid points.
+        // Could be useful for fromAffine().
+        assertValidity() {
+            const { a, d } = CURVE;
+            if (this.is0())
+                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+            const { ex: X, ey: Y, ez: Z, et: T } = this;
+            const X2 = modP(X * X); // X²
+            const Y2 = modP(Y * Y); // Y²
+            const Z2 = modP(Z * Z); // Z²
+            const Z4 = modP(Z2 * Z2); // Z⁴
+            const aX2 = modP(X2 * a); // aX²
+            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+            if (left !== right)
+                throw new Error('bad point: equation left != right (1)');
+            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+            const XY = modP(X * Y);
+            const ZT = modP(Z * T);
+            if (XY !== ZT)
+                throw new Error('bad point: equation left != right (2)');
+        }
         // Compare one point to another.
         equals(other) {
             isPoint(other);
@@ -261,7 +279,7 @@ export function twistedEdwards(curveDef) {
             const normed = hex.slice(); // copy again, we'll manipulate it
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
-            const y = bytesToNumberLE(normed);
+            const y = ut.bytesToNumberLE(normed);
             if (y === _0n) {
                 // y=0 is allowed
             }
@@ -291,12 +309,12 @@ export function twistedEdwards(curveDef) {
         }
         toRawBytes() {
             const { x, y } = this.toAffine();
-            const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
+            const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
             bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
             return bytes; // and use the last byte to encode sign of x
         }
         toHex() {
-            return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
+            return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
         }
     }
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
@@ -308,7 +326,7 @@ export function twistedEdwards(curveDef) {
     }
     // Little-endian SHA512 with modulo n
     function modN_LE(hash) {
-        return modN(bytesToNumberLE(hash));
+        return modN(ut.bytesToNumberLE(hash));
     }
     function isHex(item, err) {
         if (typeof item !== 'string' && !(item instanceof Uint8Array))
@@ -334,7 +352,7 @@ export function twistedEdwards(curveDef) {
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
     function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
-        const msg = concatBytes(...msgs);
+        const msg = ut.concatBytes(...msgs);
         return modN_LE(cHash(domain(msg, ensureBytes(context), !!preHash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
@@ -349,7 +367,7 @@ export function twistedEdwards(curveDef) {
         const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
         assertGE0(s); // 0 <= s < l
-        const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
+        const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
         return ensureBytes(res, nByteLength * 2); // 64-byte signature
     }
     function verify(sig, msg, publicKey, context) {
@@ -362,7 +380,7 @@ export function twistedEdwards(curveDef) {
             msg = preHash(msg); // for ed25519ph, etc
         const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
         const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
-        const s = bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
+        const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
         const SB = G.multiplyUnsafe(s);
         const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));

package/lib/esm/abstract/hash-to-curve.js

@@ -16,7 +16,7 @@ export function validateOpts(opts) {
 }
 export function stringToBytes(str) {
     if (typeof str !== 'string') {
-        throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
     }
     return new TextEncoder().encode(str);
 }

package/lib/esm/abstract/modular.js

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Utilities for modular arithmetics and finite fields
-import { bitMask, numberToBytesBE, numberToBytesLE, bytesToNumberBE, bytesToNumberLE, ensureBytes, } from './utils.js';
+import { bitMask, numberToBytesBE, numberToBytesLE, bytesToNumberBE, bytesToNumberLE, ensureBytes, validateObject, } from './utils.js';
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
@@ -34,7 +34,6 @@ export function pow(num, power, modulo) {
     return res;
 }
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
-// TODO: Fp version?
 export function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -193,18 +192,17 @@ const FIELD_FIELDS = [
     'addN', 'subN', 'mulN', 'sqrN'
 ];
 export function validateField(field) {
-    for (const i of ['ORDER', 'MASK']) {
-        if (typeof field[i] !== 'bigint')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of ['BYTES', 'BITS']) {
-        if (typeof field[i] !== 'number')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of FIELD_FIELDS) {
-        if (typeof field[i] !== 'function')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
+    const initial = {
+        ORDER: 'bigint',
+        MASK: 'bigint',
+        BYTES: 'isSafeInteger',
+        BITS: 'isSafeInteger',
+    };
+    const opts = FIELD_FIELDS.reduce((map, val) => {
+        map[val] = 'function';
+        return map;
+    }, initial);
+    return validateObject(field, opts);
 }
 // Generic field functions
 export function FpPow(f, num, power) {

package/lib/esm/abstract/montgomery.js

@@ -1,31 +1,19 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { mod, pow } from './modular.js';
-import { ensureBytes, numberToBytesLE, bytesToNumberLE } from './utils.js';
+import { bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
-    for (const i of ['a24']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const i of ['montgomeryBits', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!Number.isSafeInteger(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
-        if (curve[fn] === undefined)
-            continue; // Optional
-        if (typeof curve[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const i of ['Gu']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'string')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
+    validateObject(curve, {
+        a24: 'bigint',
+    }, {
+        montgomeryBits: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        powPminus2: 'function',
+        Gu: 'string',
+    });
     // Set defaults
     return Object.freeze({ ...curve });
 }
@@ -40,31 +28,7 @@ export function montgomery(curveDef) {
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
     const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    // cswap from RFC7748
-    // NOTE: cswap is not from RFC7748!
+    // cswap from RFC7748. But it is not from RFC7748!
     /*
       cswap(swap, x_2, x_3):
            dummy = mask(swap) AND (x_2 XOR x_3)
@@ -80,6 +44,11 @@ export function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
+    function assertFieldElement(n) {
+        if (typeof n === 'bigint' && _0n <= n && n < P)
+            return n;
+        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+    }
     // x25519 from 4
     /**
      *
@@ -88,11 +57,10 @@ export function montgomery(curveDef) {
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(pointU, scalar) {
-        const { P } = CURVE;
-        const u = normalizeScalar(pointU, P);
+        const u = assertFieldElement(pointU);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = normalizeScalar(scalar, P);
+        const k = assertFieldElement(scalar);
         // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
         const a24 = CURVE.a24;
         const x_1 = u;
@@ -145,12 +113,14 @@ export function montgomery(curveDef) {
         return numberToBytesLE(modP(u), montgomeryBytes);
     }
     function decodeUCoordinate(uEnc) {
-        const u = ensureBytes(uEnc, montgomeryBytes);
         // Section 5: When receiving such an array, implementations of X25519
         // MUST mask the most significant bit in the final byte.
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
-        u[fieldLen - 1] &= 127; // 0b0111_1111
+        const u = ensureBytes(uEnc, montgomeryBytes);
+        // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index)
+        if (fieldLen === montgomeryBytes)
+            u[fieldLen - 1] &= 127; // 0b0111_1111
         return bytesToNumberLE(u);
     }
     function decodeScalar(n) {
@@ -159,13 +129,6 @@ export function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return bytesToNumberLE(adjustScalarBytes(bytes));
     }
-    /**
-     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
-     * We can get 'y' coordinate from 'u',
-     * but Point.fromHex also wants 'x' coordinate oddity flag,
-     * and we cannot get 'x' without knowing 'v'.
-     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
-     */
     function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
@@ -176,12 +139,7 @@ export function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    /**
-     * Computes public key from private.
-     * Executes scalar multiplication of curve's base point by scalar.
-     * @param scalar private key
-     * @returns new public key
-     */
+    // Computes public key from private. By doing scalar multiplication of base point.
     function scalarMultBase(scalar) {
         return scalarMult(scalar, CURVE.Gu);
     }

package/lib/esm/abstract/poseidon.js

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
-import { validateField, FpPow } from './modular.js';
+import { FpPow, validateField } from './modular.js';
 export function validateOpts(opts) {
     const { Fp } = opts;
     validateField(Fp);

package/lib/esm/abstract/utils.js

@@ -6,7 +6,7 @@ const u8a = (a) => a instanceof Uint8Array;
 const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
 export function bytesToHex(bytes) {
     if (!u8a(bytes))
-        throw new Error('Expected Uint8Array');
+        throw new Error('Uint8Array expected');
     // pre-caching improves the speed 6x
     let hex = '';
     for (let i = 0; i < bytes.length; i++) {
@@ -20,23 +20,23 @@ export function numberToHexUnpadded(num) {
 }
 export function hexToNumber(hex) {
     if (typeof hex !== 'string')
-        throw new Error('hexToNumber: expected string, got ' + typeof hex);
+        throw new Error('string expected, got ' + typeof hex);
     // Big Endian
-    return BigInt(`0x${hex}`);
+    return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 // Caching slows it down 2-3x
 export function hexToBytes(hex) {
     if (typeof hex !== 'string')
-        throw new Error('hexToBytes: expected string, got ' + typeof hex);
+        throw new Error('string expected, got ' + typeof hex);
     if (hex.length % 2)
-        throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
+        throw new Error('hex string is invalid: unpadded ' + hex.length);
     const array = new Uint8Array(hex.length / 2);
     for (let i = 0; i < array.length; i++) {
         const j = i * 2;
         const hexByte = hex.slice(j, j + 2);
         const byte = Number.parseInt(hexByte, 16);
         if (Number.isNaN(byte) || byte < 0)
-            throw new Error('Invalid byte sequence');
+            throw new Error('invalid byte sequence');
         array[i] = byte;
     }
     return array;
@@ -47,18 +47,13 @@ export function bytesToNumberBE(bytes) {
 }
 export function bytesToNumberLE(bytes) {
     if (!u8a(bytes))
-        throw new Error('Expected Uint8Array');
+        throw new Error('Uint8Array expected');
     return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 export const numberToBytesBE = (n, len) => hexToBytes(n.toString(16).padStart(len * 2, '0'));
 export const numberToBytesLE = (n, len) => numberToBytesBE(n, len).reverse();
 // Returns variable number bytes (minimal bigint encoding?)
-export const numberToVarBytesBE = (n) => {
-    let hex = n.toString(16);
-    if (hex.length & 1)
-        hex = '0' + hex;
-    return hexToBytes(hex);
-};
+export const numberToVarBytesBE = (n) => hexToBytes(numberToHexUnpadded(n));
 export function ensureBytes(hex, expectedLength) {
     // Uint8Array.from() instead of hash.slice() because node.js Buffer
     // is instance of Uint8Array, and its slice() creates **mutable** copy
@@ -68,19 +63,16 @@ export function ensureBytes(hex, expectedLength) {
     return bytes;
 }
 // Copies several Uint8Arrays into one.
-export function concatBytes(...arrays) {
-    if (!arrays.every((b) => u8a(b)))
-        throw new Error('Uint8Array list expected');
-    if (arrays.length === 1)
-        return arrays[0];
-    const length = arrays.reduce((a, arr) => a + arr.length, 0);
-    const result = new Uint8Array(length);
-    for (let i = 0, pad = 0; i < arrays.length; i++) {
-        const arr = arrays[i];
-        result.set(arr, pad);
-        pad += arr.length;
-    }
-    return result;
+export function concatBytes(...arrs) {
+    const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0));
+    let pad = 0; // walk through each item, ensure they have proper type
+    arrs.forEach((a) => {
+        if (!u8a(a))
+            throw new Error('Uint8Array expected');
+        r.set(a, pad);
+        pad += a.length;
+    });
+    return r;
 }
 export function equalBytes(b1, b2) {
     // We don't care about timing attacks here
@@ -107,3 +99,40 @@ export const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos)
 // Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
 // Not using ** operator with bigints for old engines.
 export const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
+const validatorFns = {
+    bigint: (val) => typeof val === 'bigint',
+    function: (val) => typeof val === 'function',
+    boolean: (val) => typeof val === 'boolean',
+    string: (val) => typeof val === 'string',
+    isSafeInteger: (val) => Number.isSafeInteger(val),
+    array: (val) => Array.isArray(val),
+    field: (val, object) => object.Fp.isValid(val),
+    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+};
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
+export function validateObject(object, validators, optValidators = {}) {
+    const checkField = (fieldName, type, isOptional) => {
+        const checkVal = validatorFns[type];
+        if (typeof checkVal !== 'function')
+            throw new Error(`Invalid validator "${type}", expected function`);
+        const val = object[fieldName];
+        if (isOptional && val === undefined)
+            return;
+        if (!checkVal(val, object)) {
+            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
+        }
+    };
+    for (const [fieldName, type] of Object.entries(validators))
+        checkField(fieldName, type, false);
+    for (const [fieldName, type] of Object.entries(optValidators))
+        checkField(fieldName, type, true);
+    return object;
+}
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });