@noble/curves 1.2.0 → 1.4.0

package/src/abstract/hash-to-curve.ts

@@ -1,7 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { Group, GroupConstructor, AffinePoint } from './curve.js';
 import { mod, IField } from './modular.js';
-import { bytesToNumberBE, CHash, concatBytes, utf8ToBytes, validateObject } from './utils.js';
+import type { CHash } from './utils.js';
+import { bytesToNumberBE, abytes, concatBytes, utf8ToBytes, validateObject } from './utils.js';
 
 /**
  * * `DST` is a domain separation tag, defined in section 2.2.5
@@ -21,12 +22,6 @@ export type Opts = {
   hash: CHash;
 };
 
-function validateDST(dst: UnicodeOrBytes): Uint8Array {
-  if (dst instanceof Uint8Array) return dst;
-  if (typeof dst === 'string') return utf8ToBytes(dst);
-  throw new Error('DST must be Uint8Array or string');
-}
-
 // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
 const os2ip = bytesToNumberBE;
 
@@ -51,10 +46,7 @@ function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
   return arr;
 }
 
-function isBytes(item: unknown): void {
-  if (!(item instanceof Uint8Array)) throw new Error('Uint8Array expected');
-}
-function isNum(item: unknown): void {
+function anum(item: unknown): void {
   if (!Number.isSafeInteger(item)) throw new Error('number expected');
 }
 
@@ -66,9 +58,9 @@ export function expand_message_xmd(
   lenInBytes: number,
   H: CHash
 ): Uint8Array {
-  isBytes(msg);
-  isBytes(DST);
-  isNum(lenInBytes);
+  abytes(msg);
+  abytes(DST);
+  anum(lenInBytes);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
@@ -100,9 +92,9 @@ export function expand_message_xof(
   k: number,
   H: CHash
 ): Uint8Array {
-  isBytes(msg);
-  isBytes(DST);
-  isNum(lenInBytes);
+  abytes(msg);
+  abytes(DST);
+  anum(lenInBytes);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
   if (DST.length > 255) {
@@ -139,9 +131,9 @@ export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bi
     hash: 'hash',
   });
   const { p, k, m, hash, expand, DST: _DST } = options;
-  isBytes(msg);
-  isNum(count);
-  const DST = validateDST(_DST);
+  abytes(msg);
+  anum(count);
+  const DST = typeof _DST === 'string' ? utf8ToBytes(_DST) : _DST;
   const log2p = p.toString(2).length;
   const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
   const len_in_bytes = count * m * L;

package/src/abstract/montgomery.ts

@@ -150,17 +150,15 @@ export function montgomery(curveDef: CurveType): CurveFn {
   function decodeUCoordinate(uEnc: Hex): bigint {
     // Section 5: When receiving such an array, implementations of X25519
     // MUST mask the most significant bit in the final byte.
-    // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
-    // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
     const u = ensureBytes('u coordinate', uEnc, montgomeryBytes);
-    // u[fieldLen-1] crashes QuickJS (TypeError: out-of-bound numeric index)
-    if (fieldLen === montgomeryBytes) u[fieldLen - 1] &= 127; // 0b0111_1111
+    if (fieldLen === 32) u[31] &= 127; // 0b0111_1111
     return bytesToNumberLE(u);
   }
   function decodeScalar(n: Hex): bigint {
     const bytes = ensureBytes('scalar', n);
-    if (bytes.length !== montgomeryBytes && bytes.length !== fieldLen)
-      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
+    const len = bytes.length;
+    if (len !== montgomeryBytes && len !== fieldLen)
+      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`);
     return bytesToNumberLE(adjustScalarBytes(bytes));
   }
   function scalarMult(scalar: Hex, u: Hex): Uint8Array {

package/src/abstract/utils.ts

@@ -6,7 +6,6 @@
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
-const u8a = (a: any): a is Uint8Array => a instanceof Uint8Array;
 export type Hex = Uint8Array | string; // hex strings are accepted for simplicity
 export type PrivKey = Hex | bigint; // bigints are accepted to ease learning curve
 export type CHash = {
@@ -17,6 +16,18 @@ export type CHash = {
 };
 export type FHash = (message: Uint8Array | string) => Uint8Array;
 
+export function isBytes(a: unknown): a is Uint8Array {
+  return (
+    a instanceof Uint8Array ||
+    (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')
+  );
+}
+
+export function abytes(item: unknown): void {
+  if (!isBytes(item)) throw new Error('Uint8Array expected');
+}
+
+// Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
   i.toString(16).padStart(2, '0')
 );
@@ -24,7 +35,7 @@ const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
  * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
  */
 export function bytesToHex(bytes: Uint8Array): string {
-  if (!u8a(bytes)) throw new Error('Uint8Array expected');
+  abytes(bytes);
   // pre-caching improves the speed 6x
   let hex = '';
   for (let i = 0; i < bytes.length; i++) {
@@ -44,20 +55,32 @@ export function hexToNumber(hex: string): bigint {
   return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 
+// We use optimized technique to convert hex string to byte array
+const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 } as const;
+function asciiToBase16(char: number): number | undefined {
+  if (char >= asciis._0 && char <= asciis._9) return char - asciis._0;
+  if (char >= asciis._A && char <= asciis._F) return char - (asciis._A - 10);
+  if (char >= asciis._a && char <= asciis._f) return char - (asciis._a - 10);
+  return;
+}
+
 /**
  * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
  */
 export function hexToBytes(hex: string): Uint8Array {
   if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
-  const len = hex.length;
-  if (len % 2) throw new Error('padded hex string expected, got unpadded hex of length ' + len);
-  const array = new Uint8Array(len / 2);
-  for (let i = 0; i < array.length; i++) {
-    const j = i * 2;
-    const hexByte = hex.slice(j, j + 2);
-    const byte = Number.parseInt(hexByte, 16);
-    if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
-    array[i] = byte;
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2) throw new Error('padded hex string expected, got unpadded hex of length ' + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === undefined || n2 === undefined) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
   }
   return array;
 }
@@ -67,7 +90,7 @@ export function bytesToNumberBE(bytes: Uint8Array): bigint {
   return hexToNumber(bytesToHex(bytes));
 }
 export function bytesToNumberLE(bytes: Uint8Array): bigint {
-  if (!u8a(bytes)) throw new Error('Uint8Array expected');
+  abytes(bytes);
   return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 
@@ -99,7 +122,7 @@ export function ensureBytes(title: string, hex: Hex, expectedLength?: number): U
     } catch (e) {
       throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
     }
-  } else if (u8a(hex)) {
+  } else if (isBytes(hex)) {
     // Uint8Array.from() instead of hash.slice() because node.js Buffer
     // is instance of Uint8Array, and its slice() creates **mutable** copy
     res = Uint8Array.from(hex);
@@ -116,21 +139,27 @@ export function ensureBytes(title: string, hex: Hex, expectedLength?: number): U
  * Copies several Uint8Arrays into one.
  */
 export function concatBytes(...arrays: Uint8Array[]): Uint8Array {
-  const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
-  let pad = 0; // walk through each item, ensure they have proper type
-  arrays.forEach((a) => {
-    if (!u8a(a)) throw new Error('Uint8Array expected');
-    r.set(a, pad);
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    abytes(a);
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
     pad += a.length;
-  });
-  return r;
+  }
+  return res;
 }
 
-export function equalBytes(b1: Uint8Array, b2: Uint8Array) {
-  // We don't care about timing attacks here
-  if (b1.length !== b2.length) return false;
-  for (let i = 0; i < b1.length; i++) if (b1[i] !== b2[i]) return false;
-  return true;
+// Compares 2 u8a-s in kinda constant time
+export function equalBytes(a: Uint8Array, b: Uint8Array) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
 }
 
 // Global symbols in both browsers and Node.js since v11
@@ -169,9 +198,9 @@ export function bitGet(n: bigint, pos: number) {
 /**
  * Sets single bit at position.
  */
-export const bitSet = (n: bigint, pos: number, value: boolean) => {
+export function bitSet(n: bigint, pos: number, value: boolean) {
   return n | ((value ? _1n : _0n) << BigInt(pos));
-};
+}
 
 /**
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
@@ -248,7 +277,7 @@ const validatorFns = {
   function: (val: any) => typeof val === 'function',
   boolean: (val: any) => typeof val === 'boolean',
   string: (val: any) => typeof val === 'string',
-  stringOrUint8Array: (val: any) => typeof val === 'string' || val instanceof Uint8Array,
+  stringOrUint8Array: (val: any) => typeof val === 'string' || isBytes(val),
   isSafeInteger: (val: any) => Number.isSafeInteger(val),
   array: (val: any) => Array.isArray(val),
   field: (val: any, object: any) => (object as any).Fp.isValid(val),

package/src/abstract/weierstrass.ts

@@ -27,7 +27,7 @@ export type BasicWCurve<T> = BasicCurve<T> & {
   clearCofactor?: (c: ProjConstructor<T>, point: ProjPointType<T>) => ProjPointType<T>;
 };
 
-type Entropy = Hex | true;
+type Entropy = Hex | boolean;
 export type SignOpts = { lowS?: boolean; extraEntropy?: Entropy; prehash?: boolean };
 export type VerOpts = { lowS?: boolean; prehash?: boolean };
 
@@ -123,6 +123,7 @@ function validatePointOpts<T>(curve: CurvePointsType<T>) {
 }
 
 export type CurvePointsRes<T> = {
+  CURVE: ReturnType<typeof validatePointOpts<T>>;
   ProjectivePoint: ProjConstructor<T>;
   normPrivateKeyToScalar: (key: PrivKey) => bigint;
   weierstrassEquation: (x: T) => T;
@@ -157,7 +158,7 @@ export const DER = {
     // parse DER signature
     const { Err: E } = DER;
     const data = typeof hex === 'string' ? h2b(hex) : hex;
-    if (!(data instanceof Uint8Array)) throw new Error('ui8a expected');
+    ut.abytes(data);
     let l = data.length;
     if (l < 2 || data[0] != 0x30) throw new E('Invalid signature tag');
     if (data[1] !== l - 2) throw new E('Invalid signature: incorrect length');
@@ -187,7 +188,7 @@ export const DER = {
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
-export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
+export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T> {
   const CURVE = validatePointOpts(opts);
   const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
 
@@ -237,7 +238,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   function normPrivateKeyToScalar(key: PrivKey): bigint {
     const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
     if (lengths && typeof key !== 'bigint') {
-      if (key instanceof Uint8Array) key = ut.bytesToHex(key);
+      if (ut.isBytes(key)) key = ut.bytesToHex(key);
       // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
       if (typeof key !== 'string' || !lengths.includes(key.length)) throw new Error('Invalid key');
       key = key.padStart(nByteLength * 2, '0');
@@ -269,7 +270,11 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
 
-    constructor(readonly px: T, readonly py: T, readonly pz: T) {
+    constructor(
+      readonly px: T,
+      readonly py: T,
+      readonly pz: T
+    ) {
       if (px == null || !Fp.isValid(px)) throw new Error('x required');
       if (py == null || !Fp.isValid(py)) throw new Error('y required');
       if (pz == null || !Fp.isValid(pz)) throw new Error('z required');
@@ -728,7 +733,13 @@ export function weierstrass(curveDef: CurveType): CurveFn {
         const x = ut.bytesToNumberBE(tail);
         if (!isValidFieldElement(x)) throw new Error('Point is not on curve');
         const y2 = weierstrassEquation(x); // y² = x³ + ax + b
-        let y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
+        let y: bigint;
+        try {
+          y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
+        } catch (sqrtError) {
+          const suffix = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
+          throw new Error('Point is not on curve' + suffix);
+        }
         const isYOdd = (y & _1n) === _1n;
         // ECDSA
         const isHeadOdd = (head & 1) === 1;
@@ -763,7 +774,11 @@ export function weierstrass(curveDef: CurveType): CurveFn {
    * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
    */
   class Signature implements SignatureType {
-    constructor(readonly r: bigint, readonly s: bigint, readonly recovery?: number) {
+    constructor(
+      readonly r: bigint,
+      readonly s: bigint,
+      readonly recovery?: number
+    ) {
       this.assertValidity();
     }
 
@@ -884,7 +899,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
    * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
    */
   function isProbPub(item: PrivKey | PubKey): boolean {
-    const arr = item instanceof Uint8Array;
+    const arr = ut.isBytes(item);
     const str = typeof item === 'string';
     const len = (arr || str) && (item as Hex).length;
     if (arr) return len === compressedLen || len === uncompressedLen;
@@ -962,7 +977,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
     const seedArgs = [int2octets(d), int2octets(h1int)];
     // extraEntropy. RFC6979 3.6: additional k' (optional).
-    if (ent != null) {
+    if (ent != null && ent !== false) {
       // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
       const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
@@ -1048,7 +1063,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     let _sig: Signature | undefined = undefined;
     let P: ProjPointType<bigint>;
     try {
-      if (typeof sg === 'string' || sg instanceof Uint8Array) {
+      if (typeof sg === 'string' || ut.isBytes(sg)) {
         // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
         // Since DER can also be 2*nByteLength bytes, we check for it first.
         try {