@noble/curves 0.6.1 → 0.6.2

package/README.md

@@ -329,47 +329,54 @@ The module allows to hash arbitrary strings to elliptic curve points.
 
 - `expand_message_xmd` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1) produces a uniformly random byte string using a cryptographic hash function H that outputs b bits..
 
-    ```ts
-    function expand_message_xmd(
-      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash
-    ): Uint8Array;
-    function expand_message_xof(
-      msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash
-    ): Uint8Array;
-    ```
+  ```ts
+  function expand_message_xmd(
+    msg: Uint8Array,
+    DST: Uint8Array,
+    lenInBytes: number,
+    H: CHash
+  ): Uint8Array;
+  function expand_message_xof(
+    msg: Uint8Array,
+    DST: Uint8Array,
+    lenInBytes: number,
+    k: number,
+    H: CHash
+  ): Uint8Array;
+  ```
 
 - `hash_to_field(msg, count, options)` [(spec)](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3)
-hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
-    * `msg` a byte string containing the message to hash
-    * `count` the number of elements of F to output
-    * `options` `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
-    * Returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
-
-    ```ts
-    function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
-    type htfOpts = {
-      // DST: a domain separation tag
-      // defined in section 2.2.5
-      DST: string;
-      // p: the characteristic of F
-      //    where F is a finite field of characteristic p and order q = p^m
-      p: bigint;
-      // m: the extension degree of F, m >= 1
-      //     where F is a finite field of characteristic p and order q = p^m
-      m: number;
-      // k: the target security level for the suite in bits
-      // defined in section 5.1
-      k: number;
-      // option to use a message that has already been processed by
-      // expand_message_xmd
-      expand?: 'xmd' | 'xof';
-      // Hash functions for: expand_message_xmd is appropriate for use with a
-      // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
-      // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
-      // TODO: verify that hash is shake if expand==='xof' via types
-      hash: CHash;
-    };
-    ```
+  hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
+  _ `msg` a byte string containing the message to hash
+  _ `count` the number of elements of F to output
+  _ `options` `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
+  _ Returns `[u_0, ..., u_(count - 1)]`, a list of field elements.
+
+      ```ts
+      function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
+      type htfOpts = {
+        // DST: a domain separation tag
+        // defined in section 2.2.5
+        DST: string;
+        // p: the characteristic of F
+        //    where F is a finite field of characteristic p and order q = p^m
+        p: bigint;
+        // m: the extension degree of F, m >= 1
+        //     where F is a finite field of characteristic p and order q = p^m
+        m: number;
+        // k: the target security level for the suite in bits
+        // defined in section 5.1
+        k: number;
+        // option to use a message that has already been processed by
+        // expand_message_xmd
+        expand?: 'xmd' | 'xof';
+        // Hash functions for: expand_message_xmd is appropriate for use with a
+        // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
+        // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247
+        // TODO: verify that hash is shake if expand==='xof' via types
+        hash: CHash;
+      };
+      ```
 
 ### abstract/poseidon: Poseidon hash
 
@@ -516,11 +523,11 @@ Upgrading from @noble/secp256k1 1.7:
 - Compressed (33-byte) public keys are now returned by default, instead of uncompressed
 - Methods are now synchronous. Setting `secp.utils.hmacSha256` is no longer required
 - `sign()`
-    - `der`, `recovered` options were removed
-    - `canonical` was renamed to `lowS`
-    - Return type is now `{ r: bigint, s: bigint, recovery: number }` instance of `Signature`
+  - `der`, `recovered` options were removed
+  - `canonical` was renamed to `lowS`
+  - Return type is now `{ r: bigint, s: bigint, recovery: number }` instance of `Signature`
 - `verify()`
-    - `strict` was renamed to `lowS`
+  - `strict` was renamed to `lowS`
 - `recoverPublicKey()`: moved to sig instance `Signature#recoverPublicKey(msgHash)`
 - `Point` was removed: use `ProjectivePoint` in xyz coordinates
 - `utils`: Many methods were removed, others were moved to `schnorr` namespace
@@ -532,6 +539,7 @@ Upgrading from @noble/ed25519 1.7:
 - `Point` was removed: use `ExtendedPoint` in xyzt coordinates
 - `Signature` was removed
 - `getSharedSecret` was removed: use separate x25519 sub-module
+- `bigint` is no longer allowed in `getPublicKey`, `sign`, `verify`. Reason: ed25519 is LE, can lead to bugs
 
 ## Contributing & testing
 

package/lib/abstract/edwards.js

@@ -109,7 +109,30 @@ function twistedEdwards(curveDef) {
             this._WINDOW_SIZE = windowSize;
             pointPrecomputes.delete(this);
         }
-        assertValidity() { }
+        // Not required for fromHex(), which always creates valid points.
+        // Could be useful for fromAffine().
+        assertValidity() {
+            const { a, d } = CURVE;
+            if (this.is0())
+                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+            const { ex: X, ey: Y, ez: Z, et: T } = this;
+            const X2 = modP(X * X); // X²
+            const Y2 = modP(Y * Y); // Y²
+            const Z2 = modP(Z * Z); // Z²
+            const Z4 = modP(Z2 * Z2); // Z⁴
+            const aX2 = modP(X2 * a); // aX²
+            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+            if (left !== right)
+                throw new Error('bad point: equation left != right (1)');
+            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+            const XY = modP(X * Y);
+            const ZT = modP(Z * T);
+            if (XY !== ZT)
+                throw new Error('bad point: equation left != right (2)');
+        }
         // Compare one point to another.
         equals(other) {
             isPoint(other);

package/lib/abstract/modular.d.ts

@@ -42,7 +42,7 @@ export interface Field<T> {
     fromBytes(bytes: Uint8Array): T;
     cmov(a: T, b: T, c: boolean): T;
 }
-export declare function validateField<T>(field: Field<T>): object;
+export declare function validateField<T>(field: Field<T>): Field<T>;
 export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;

package/lib/abstract/montgomery.js

@@ -121,7 +121,9 @@ function montgomery(curveDef) {
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
         const u = (0, utils_js_1.ensureBytes)(uEnc, montgomeryBytes);
-        u[fieldLen - 1] &= 127; // 0b0111_1111
+        // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index)
+        if (fieldLen === montgomeryBytes)
+            u[fieldLen - 1] &= 127; // 0b0111_1111
         return (0, utils_js_1.bytesToNumberLE)(u);
     }
     function decodeScalar(n) {

package/lib/abstract/utils.d.ts

@@ -25,6 +25,19 @@ export declare function bitLen(n: bigint): number;
 export declare const bitGet: (n: bigint, pos: number) => bigint;
 export declare const bitSet: (n: bigint, pos: number, value: boolean) => bigint;
 export declare const bitMask: (n: number) => bigint;
-declare type ValMap = Record<string, string>;
-export declare function validateObject(object: object, validators: ValMap, optValidators?: ValMap): object;
+declare const validatorFns: {
+    readonly bigint: (val: any) => boolean;
+    readonly function: (val: any) => boolean;
+    readonly boolean: (val: any) => boolean;
+    readonly string: (val: any) => boolean;
+    readonly isSafeInteger: (val: any) => boolean;
+    readonly array: (val: any) => boolean;
+    readonly field: (val: any, object: any) => any;
+    readonly hash: (val: any) => boolean;
+};
+declare type Validator = keyof typeof validatorFns;
+declare type ValMap<T extends Record<string, any>> = {
+    [K in keyof T]?: Validator;
+};
+export declare function validateObject<T extends Record<string, any>>(object: T, validators: ValMap<T>, optValidators?: ValMap<T>): T;
 export {};

package/lib/abstract/utils.js

@@ -27,7 +27,7 @@ function hexToNumber(hex) {
     if (typeof hex !== 'string')
         throw new Error('string expected, got ' + typeof hex);
     // Big Endian
-    return BigInt(`0x${hex}`);
+    return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 exports.hexToNumber = hexToNumber;
 // Caching slows it down 2-3x
@@ -118,18 +118,18 @@ exports.bitSet = bitSet;
 // Not using ** operator with bigints for old engines.
 const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
 exports.bitMask = bitMask;
+const validatorFns = {
+    bigint: (val) => typeof val === 'bigint',
+    function: (val) => typeof val === 'function',
+    boolean: (val) => typeof val === 'boolean',
+    string: (val) => typeof val === 'string',
+    isSafeInteger: (val) => Number.isSafeInteger(val),
+    array: (val) => Array.isArray(val),
+    field: (val, object) => object.Fp.isValid(val),
+    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+};
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
 function validateObject(object, validators, optValidators = {}) {
-    const validatorFns = {
-        bigint: (val) => typeof val === 'bigint',
-        function: (val) => typeof val === 'function',
-        boolean: (val) => typeof val === 'boolean',
-        string: (val) => typeof val === 'string',
-        isSafeInteger: (val) => Number.isSafeInteger(val),
-        array: (val) => Array.isArray(val),
-        field: (val) => object.Fp.isValid(val),
-        hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
-    };
-    // type Key = keyof typeof validators;
     const checkField = (fieldName, type, isOptional) => {
         const checkVal = validatorFns[type];
         if (typeof checkVal !== 'function')
@@ -137,14 +137,22 @@ function validateObject(object, validators, optValidators = {}) {
         const val = object[fieldName];
         if (isOptional && val === undefined)
             return;
-        if (!checkVal(val)) {
-            throw new Error(`Invalid param ${fieldName}=${val} (${typeof val}), expected ${type}`);
+        if (!checkVal(val, object)) {
+            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
         }
     };
-    for (let [fieldName, type] of Object.entries(validators))
+    for (const [fieldName, type] of Object.entries(validators))
         checkField(fieldName, type, false);
-    for (let [fieldName, type] of Object.entries(optValidators))
+    for (const [fieldName, type] of Object.entries(optValidators))
         checkField(fieldName, type, true);
     return object;
 }
 exports.validateObject = validateObject;
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });

package/lib/abstract/weierstrass.js

@@ -19,6 +19,7 @@ function validatePointOpts(curve) {
         wrapPrivateKey: 'boolean',
         isTorsionFree: 'function',
         clearCofactor: 'function',
+        allowInfinityPoint: 'boolean',
     });
     const { endo, Fp, a } = opts;
     if (endo) {
@@ -157,6 +158,8 @@ function weierstrassPoints(opts) {
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
         }
+        // Does not validate if the point is on-curve.
+        // Use fromHex instead, or call assertValidity() later.
         static fromAffine(p) {
             const { x, y } = p || {};
             if (!p || !Fp.isValid(x) || !Fp.isValid(y))

package/lib/esm/abstract/edwards.js

@@ -106,7 +106,30 @@ export function twistedEdwards(curveDef) {
             this._WINDOW_SIZE = windowSize;
             pointPrecomputes.delete(this);
         }
-        assertValidity() { }
+        // Not required for fromHex(), which always creates valid points.
+        // Could be useful for fromAffine().
+        assertValidity() {
+            const { a, d } = CURVE;
+            if (this.is0())
+                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+            const { ex: X, ey: Y, ez: Z, et: T } = this;
+            const X2 = modP(X * X); // X²
+            const Y2 = modP(Y * Y); // Y²
+            const Z2 = modP(Z * Z); // Z²
+            const Z4 = modP(Z2 * Z2); // Z⁴
+            const aX2 = modP(X2 * a); // aX²
+            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+            if (left !== right)
+                throw new Error('bad point: equation left != right (1)');
+            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+            const XY = modP(X * Y);
+            const ZT = modP(Z * T);
+            if (XY !== ZT)
+                throw new Error('bad point: equation left != right (2)');
+        }
         // Compare one point to another.
         equals(other) {
             isPoint(other);

package/lib/esm/abstract/montgomery.js

@@ -118,7 +118,9 @@ export function montgomery(curveDef) {
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
         const u = ensureBytes(uEnc, montgomeryBytes);
-        u[fieldLen - 1] &= 127; // 0b0111_1111
+        // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index)
+        if (fieldLen === montgomeryBytes)
+            u[fieldLen - 1] &= 127; // 0b0111_1111
         return bytesToNumberLE(u);
     }
     function decodeScalar(n) {

package/lib/esm/abstract/utils.js

@@ -22,7 +22,7 @@ export function hexToNumber(hex) {
     if (typeof hex !== 'string')
         throw new Error('string expected, got ' + typeof hex);
     // Big Endian
-    return BigInt(`0x${hex}`);
+    return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 // Caching slows it down 2-3x
 export function hexToBytes(hex) {
@@ -99,18 +99,18 @@ export const bitSet = (n, pos, value) => n | ((value ? _1n : _0n) << BigInt(pos)
 // Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
 // Not using ** operator with bigints for old engines.
 export const bitMask = (n) => (_2n << BigInt(n - 1)) - _1n;
+const validatorFns = {
+    bigint: (val) => typeof val === 'bigint',
+    function: (val) => typeof val === 'function',
+    boolean: (val) => typeof val === 'boolean',
+    string: (val) => typeof val === 'string',
+    isSafeInteger: (val) => Number.isSafeInteger(val),
+    array: (val) => Array.isArray(val),
+    field: (val, object) => object.Fp.isValid(val),
+    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+};
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
 export function validateObject(object, validators, optValidators = {}) {
-    const validatorFns = {
-        bigint: (val) => typeof val === 'bigint',
-        function: (val) => typeof val === 'function',
-        boolean: (val) => typeof val === 'boolean',
-        string: (val) => typeof val === 'string',
-        isSafeInteger: (val) => Number.isSafeInteger(val),
-        array: (val) => Array.isArray(val),
-        field: (val) => object.Fp.isValid(val),
-        hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
-    };
-    // type Key = keyof typeof validators;
     const checkField = (fieldName, type, isOptional) => {
         const checkVal = validatorFns[type];
         if (typeof checkVal !== 'function')
@@ -118,13 +118,21 @@ export function validateObject(object, validators, optValidators = {}) {
         const val = object[fieldName];
         if (isOptional && val === undefined)
             return;
-        if (!checkVal(val)) {
-            throw new Error(`Invalid param ${fieldName}=${val} (${typeof val}), expected ${type}`);
+        if (!checkVal(val, object)) {
+            throw new Error(`Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`);
         }
     };
-    for (let [fieldName, type] of Object.entries(validators))
+    for (const [fieldName, type] of Object.entries(validators))
         checkField(fieldName, type, false);
-    for (let [fieldName, type] of Object.entries(optValidators))
+    for (const [fieldName, type] of Object.entries(optValidators))
         checkField(fieldName, type, true);
     return object;
 }
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });

package/lib/esm/abstract/weierstrass.js

@@ -16,6 +16,7 @@ function validatePointOpts(curve) {
         wrapPrivateKey: 'boolean',
         isTorsionFree: 'function',
         clearCofactor: 'function',
+        allowInfinityPoint: 'boolean',
     });
     const { endo, Fp, a } = opts;
     if (endo) {
@@ -154,6 +155,8 @@ export function weierstrassPoints(opts) {
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
         }
+        // Does not validate if the point is on-curve.
+        // Use fromHex instead, or call assertValidity() later.
         static fromAffine(p) {
             const { x, y } = p || {};
             if (!p || !Fp.isValid(x) || !Fp.isValid(y))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@noble/curves",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "lib"