@noble/curves 1.5.0 → 1.7.0

package/src/abstract/curve.ts

@@ -1,7 +1,7 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Abelian group utilities
 import { IField, validateField, nLength } from './modular.js';
-import { validateObject } from './utils.js';
+import { validateObject, bitLen } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 
@@ -25,11 +25,45 @@ export type GroupConstructor<T> = {
 };
 export type Mapper<T> = (i: T[]) => T[];
 
+function constTimeNegate<T extends Group<T>>(condition: boolean, item: T): T {
+  const neg = item.negate();
+  return condition ? neg : item;
+}
+
+function validateW(W: number, bits: number) {
+  if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+    throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
+}
+
+function calcWOpts(W: number, bits: number) {
+  validateW(W, bits);
+  const windows = Math.ceil(bits / W) + 1; // +1, because
+  const windowSize = 2 ** (W - 1); // -1 because we skip zero
+  return { windows, windowSize };
+}
+
+function validateMSMPoints(points: any[], c: any) {
+  if (!Array.isArray(points)) throw new Error('array expected');
+  points.forEach((p, i) => {
+    if (!(p instanceof c)) throw new Error('invalid point at index ' + i);
+  });
+}
+function validateMSMScalars(scalars: any[], field: any) {
+  if (!Array.isArray(scalars)) throw new Error('array of scalars expected');
+  scalars.forEach((s, i) => {
+    if (!field.isValid(s)) throw new Error('invalid scalar at index ' + i);
+  });
+}
+
 // Since points in different groups cannot be equal (different object constructor),
 // we can have single place to store precomputes
 const pointPrecomputes = new WeakMap<any, any[]>();
 const pointWindowSizes = new WeakMap<any, number>(); // This allows use make points immutable (nothing changes inside)
 
+function getW(P: any): number {
+  return pointWindowSizes.get(P) || 1;
+}
+
 // Elliptic curve multiplication of Point by scalar. Fragile.
 // Scalars should always be less than curve order: this should be checked inside of a curve itself.
 // Creates precomputation tables for fast multiplication:
@@ -42,25 +76,15 @@ const pointWindowSizes = new WeakMap<any, number>(); // This allows use make poi
 // TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
 // windows to be in different memory locations
 export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
-  const constTimeNegate = (condition: boolean, item: T): T => {
-    const neg = item.negate();
-    return condition ? neg : item;
-  };
-  const validateW = (W: number) => {
-    if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
-      throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
-  };
-  const opts = (W: number) => {
-    validateW(W);
-    const windows = Math.ceil(bits / W) + 1; // +1, because
-    const windowSize = 2 ** (W - 1); // -1 because we skip zero
-    return { windows, windowSize };
-  };
   return {
     constTimeNegate,
+
+    hasPrecomputes(elm: T) {
+      return getW(elm) !== 1;
+    },
+
     // non-const time multiplication ladder
-    unsafeLadder(elm: T, n: bigint) {
-      let p = c.ZERO;
+    unsafeLadder(elm: T, n: bigint, p = c.ZERO) {
       let d: T = elm;
       while (n > _0n) {
         if (n & _1n) p = p.add(d);
@@ -78,10 +102,12 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
      * - 𝑊 is the window size
      * - 𝑛 is the bitlength of the curve order.
      * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param elm Point instance
+     * @param W window size
      * @returns precomputed point tables flattened to a single array
      */
     precomputeWindow(elm: T, W: number): Group<T>[] {
-      const { windows, windowSize } = opts(W);
+      const { windows, windowSize } = calcWOpts(W, bits);
       const points: T[] = [];
       let p: T = elm;
       let base = p;
@@ -108,7 +134,7 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
     wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T } {
       // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
       // But need to carefully remove other checks before wNAF. ORDER == bits here
-      const { windows, windowSize } = opts(W);
+      const { windows, windowSize } = calcWOpts(W, bits);
 
       let p = c.ZERO;
       let f = c.BASE;
@@ -159,28 +185,207 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
       return { p, f };
     },
 
-    wNAFCached(P: T, n: bigint, transform: Mapper<T>): { p: T; f: T } {
-      const W: number = pointWindowSizes.get(P) || 1;
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param W window size
+     * @param precomputes precomputed tables
+     * @param n scalar (we don't check here, but should be less than curve order)
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(W: number, precomputes: T[], n: bigint, acc: T = c.ZERO): T {
+      const { windows, windowSize } = calcWOpts(W, bits);
+      const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
+      const maxNumber = 2 ** W;
+      const shiftBy = BigInt(W);
+      for (let window = 0; window < windows; window++) {
+        const offset = window * windowSize;
+        if (n === _0n) break; // No need to go over empty scalar
+        // Extract W bits.
+        let wbits = Number(n & mask);
+        // Shift number by W bits.
+        n >>= shiftBy;
+        // If the bits are bigger than max size, we'll split those.
+        // +224 => 256 - 32
+        if (wbits > windowSize) {
+          wbits -= maxNumber;
+          n += _1n;
+        }
+        if (wbits === 0) continue;
+        let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
+        if (wbits < 0) curr = curr.negate();
+        // NOTE: by re-using acc, we can save a lot of additions in case of MSM
+        acc = acc.add(curr);
+      }
+      return acc;
+    },
+
+    getPrecomputes(W: number, P: T, transform: Mapper<T>): T[] {
       // Calculate precomputes on a first run, reuse them after
       let comp = pointPrecomputes.get(P);
       if (!comp) {
         comp = this.precomputeWindow(P, W) as T[];
         if (W !== 1) pointPrecomputes.set(P, transform(comp));
       }
-      return this.wNAF(W, comp, n);
+      return comp;
     },
+
+    wNAFCached(P: T, n: bigint, transform: Mapper<T>): { p: T; f: T } {
+      const W = getW(P);
+      return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
+    },
+
+    wNAFCachedUnsafe(P: T, n: bigint, transform: Mapper<T>, prev?: T): T {
+      const W = getW(P);
+      if (W === 1) return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
+      return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
+    },
+
     // We calculate precomputes for elliptic curve point multiplication
     // using windowed method. This specifies window size and
     // stores precomputed values. Usually only base point would be precomputed.
 
     setWindowSize(P: T, W: number) {
-      validateW(W);
+      validateW(W, bits);
       pointWindowSizes.set(P, W);
       pointPrecomputes.delete(P);
     },
   };
 }
 
+/**
+ * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
+ * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
+ * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @param scalars array of L scalars (aka private keys / bigints)
+ */
+export function pippenger<T extends Group<T>>(
+  c: GroupConstructor<T>,
+  fieldN: IField<bigint>,
+  points: T[],
+  scalars: bigint[]
+): T {
+  // If we split scalars by some window (let's say 8 bits), every chunk will only
+  // take 256 buckets even if there are 4096 scalars, also re-uses double.
+  // TODO:
+  // - https://eprint.iacr.org/2024/750.pdf
+  // - https://tches.iacr.org/index.php/TCHES/article/view/10287
+  // 0 is accepted in scalars
+  validateMSMPoints(points, c);
+  validateMSMScalars(scalars, fieldN);
+  if (points.length !== scalars.length)
+    throw new Error('arrays of points and scalars must have equal length');
+  const zero = c.ZERO;
+  const wbits = bitLen(BigInt(points.length));
+  const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
+  const MASK = (1 << windowSize) - 1;
+  const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
+  const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
+  let sum = zero;
+  for (let i = lastBits; i >= 0; i -= windowSize) {
+    buckets.fill(zero);
+    for (let j = 0; j < scalars.length; j++) {
+      const scalar = scalars[j];
+      const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
+      buckets[wbits] = buckets[wbits].add(points[j]);
+    }
+    let resI = zero; // not using this will do small speed-up, but will lose ct
+    // Skip first bucket, because it is zero
+    for (let j = buckets.length - 1, sumI = zero; j > 0; j--) {
+      sumI = sumI.add(buckets[j]);
+      resI = resI.add(sumI);
+    }
+    sum = sum.add(resI);
+    if (i !== 0) for (let j = 0; j < windowSize; j++) sum = sum.double();
+  }
+  return sum as T;
+}
+/**
+ * Precomputed multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
+ * @param c Curve Point constructor
+ * @param fieldN field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @returns function which multiplies points with scaars
+ */
+export function precomputeMSMUnsafe<T extends Group<T>>(
+  c: GroupConstructor<T>,
+  fieldN: IField<bigint>,
+  points: T[],
+  windowSize: number
+) {
+  /**
+   * Performance Analysis of Window-based Precomputation
+   *
+   * Base Case (256-bit scalar, 8-bit window):
+   * - Standard precomputation requires:
+   *   - 31 additions per scalar × 256 scalars = 7,936 ops
+   *   - Plus 255 summary additions = 8,191 total ops
+   *   Note: Summary additions can be optimized via accumulator
+   *
+   * Chunked Precomputation Analysis:
+   * - Using 32 chunks requires:
+   *   - 255 additions per chunk
+   *   - 256 doublings
+   *   - Total: (255 × 32) + 256 = 8,416 ops
+   *
+   * Memory Usage Comparison:
+   * Window Size | Standard Points | Chunked Points
+   * ------------|-----------------|---------------
+   *     4-bit   |     520         |      15
+   *     8-bit   |    4,224        |     255
+   *    10-bit   |   13,824        |   1,023
+   *    16-bit   |  557,056        |  65,535
+   *
+   * Key Advantages:
+   * 1. Enables larger window sizes due to reduced memory overhead
+   * 2. More efficient for smaller scalar counts:
+   *    - 16 chunks: (16 × 255) + 256 = 4,336 ops
+   *    - ~2x faster than standard 8,191 ops
+   *
+   * Limitations:
+   * - Not suitable for plain precomputes (requires 256 constant doublings)
+   * - Performance degrades with larger scalar counts:
+   *   - Optimal for ~256 scalars
+   *   - Less efficient for 4096+ scalars (Pippenger preferred)
+   */
+  validateW(windowSize, fieldN.BITS);
+  validateMSMPoints(points, c);
+  const zero = c.ZERO;
+  const tableSize = 2 ** windowSize - 1; // table size (without zero)
+  const chunks = Math.ceil(fieldN.BITS / windowSize); // chunks of item
+  const MASK = BigInt((1 << windowSize) - 1);
+  const tables = points.map((p: T) => {
+    const res = [];
+    for (let i = 0, acc = p; i < tableSize; i++) {
+      res.push(acc);
+      acc = acc.add(p);
+    }
+    return res;
+  });
+  return (scalars: bigint[]): T => {
+    validateMSMScalars(scalars, fieldN);
+    if (scalars.length > points.length)
+      throw new Error('array of scalars must be smaller than array of points');
+    let res = zero;
+    for (let i = 0; i < chunks; i++) {
+      // No need to double if accumulator is still zero.
+      if (res !== zero) for (let j = 0; j < windowSize; j++) res = res.double();
+      const shiftBy = BigInt(chunks * windowSize - (i + 1) * windowSize);
+      for (let j = 0; j < scalars.length; j++) {
+        const n = scalars[j];
+        const curr = Number((n >> shiftBy) & MASK);
+        if (!curr) continue; // skip zero scalars chunks
+        res = res.add(tables[j][curr - 1]);
+      }
+    }
+    return res;
+  };
+}
+
 // Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
 // Though generator can be different (Fp2 / Fp6 for BLS).
 export type BasicCurve<T> = {

package/src/abstract/edwards.ts

@@ -1,7 +1,15 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
-import { AffinePoint, BasicCurve, Group, GroupConstructor, validateBasic, wNAF } from './curve.js';
-import { mod } from './modular.js';
+import {
+  AffinePoint,
+  BasicCurve,
+  Group,
+  GroupConstructor,
+  validateBasic,
+  wNAF,
+  pippenger,
+} from './curve.js';
+import { mod, Field } from './modular.js';
 import * as ut from './utils.js';
 import { ensureBytes, FHash, Hex, memoized, abool } from './utils.js';
 
@@ -63,6 +71,7 @@ export interface ExtPointType extends Group<ExtPointType> {
   toAffine(iz?: bigint): AffinePoint<bigint>;
   toRawBytes(isCompressed?: boolean): Uint8Array;
   toHex(isCompressed?: boolean): string;
+  _setWindowSize(windowSize: number): void;
 }
 // Static methods of Extended Point with coordinates in X, Y, Z, T
 export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
@@ -70,6 +79,7 @@ export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
   fromAffine(p: AffinePoint<bigint>): ExtPointType;
   fromHex(hex: Hex): ExtPointType;
   fromPrivateKey(privateKey: Hex): ExtPointType;
+  msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
 }
 
 /**
@@ -96,6 +106,7 @@ export type CurveFn = {
       point: ExtPointType;
       pointBytes: Uint8Array;
     };
+    precompute: (windowSize?: number, point?: ExtPointType) => ExtPointType;
   };
 };
 
@@ -117,8 +128,13 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     nByteLength,
     h: cofactor,
   } = CURVE;
+  // Important:
+  // There are some places where Fp.BYTES is used instead of nByteLength.
+  // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
+  // TODO: test and find curves which behave otherwise.
   const MASK = _2n << (BigInt(nByteLength * 8) - _1n);
   const modP = Fp.create; // Function overrides
+  const Fn = Field(CURVE.n, CURVE.nBitLength);
 
   // sqrt(u/v)
   const uvRatio =
@@ -218,6 +234,10 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       const toInv = Fp.invertBatch(points.map((p) => p.ez));
       return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
     }
+    // Multiscalar Multiplication
+    static msm(points: Point[], scalars: bigint[]): Point {
+      return pippenger(Point, Fn, points, scalars);
+    }
 
     // "Private method", don't use it directly
     _setWindowSize(windowSize: number) {
@@ -336,13 +356,13 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // It's faster, but should only be used when you don't care about
     // an exposed private key e.g. sig verification.
     // Does NOT allow scalars higher than CURVE.n.
-    multiplyUnsafe(scalar: bigint): Point {
+    // Accepts optional accumulator to merge with multiply (important for sparse scalars)
+    multiplyUnsafe(scalar: bigint, acc = Point.ZERO): Point {
       const n = scalar;
       ut.aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
       if (n === _0n) return I;
-      if (this.equals(I) || n === _1n) return this;
-      if (this.equals(G)) return this.wNAF(n).p;
-      return wnaf.unsafeLadder(this, n);
+      if (this.is0() || n === _1n) return this;
+      return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
     }
 
     // Checks if point is of small order.
@@ -383,6 +403,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       normed[len - 1] = lastByte & ~0x80; // clear last bit
       const y = ut.bytesToNumberLE(normed);
 
+      // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
       // RFC8032 prohibits >= p, but ZIP215 doesn't
       // zip215=true:  0 <= y < MASK (2^256 for ed25519)
       // zip215=false: 0 <= y < P (2^255-19 for ed25519)
@@ -430,7 +451,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
   /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
   function getExtendedPublicKey(key: Hex) {
-    const len = nByteLength;
+    const len = Fp.BYTES;
     key = ensureBytes('private key', key, len);
     // Hash private key with curve's hash function to produce uniformingly random input
     // Check byte lengths: ensure(64, h(ensure(32, key)))
@@ -465,23 +486,30 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     const s = modN(r + k * scalar); // S = (r + k * s) mod L
     ut.aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
     const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
-    return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
+    return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
   }
 
   const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+
+  /**
+   * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+   * An extended group equation is checked.
+   */
   function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
     const { context, zip215 } = options;
     const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
     sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
     msg = ensureBytes('message', msg);
+    publicKey = ensureBytes('publicKey', publicKey, len);
     if (zip215 !== undefined) abool('zip215', zip215);
     if (prehash) msg = prehash(msg); // for ed25519ph, etc
 
     const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
-    // zip215: true is good for consensus-critical apps and allows points < 2^256
-    // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
     let A, R, SB;
     try {
+      // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+      // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+      // zip215=false: 0 <= y < P (2^255-19 for ed25519)
       A = Point.fromHex(publicKey, zip215);
       R = Point.fromHex(sig.slice(0, len), zip215);
       SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
@@ -492,6 +520,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
     const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));
+    // Extended group equation
     // [8][S]B = [8]R + [8][k]A'
     return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
   }
@@ -509,7 +538,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
      * but allows to speed-up subsequent getPublicKey() calls up to 20x.
      * @param windowSize 2, 4, 8, 16
      */
-    precompute(windowSize = 8, point = Point.BASE): typeof Point.BASE {
+    precompute(windowSize = 8, point: ExtPointType = Point.BASE): ExtPointType {
       point._setWindowSize(windowSize);
       point.multiply(BigInt(3));
       return point;

package/src/abstract/hash-to-curve.ts

@@ -27,9 +27,9 @@ const os2ip = bytesToNumberBE;
 
 // Integer to Octet Stream (numberToBytesBE)
 function i2osp(value: number, length: number): Uint8Array {
-  if (value < 0 || value >= 1 << (8 * length)) {
-    throw new Error(`bad I2OSP call: value=${value} length=${length}`);
-  }
+  anum(value);
+  anum(length);
+  if (value < 0 || value >= 1 << (8 * length)) throw new Error('invalid I2OSP input: ' + value);
   const res = Array.from({ length }).fill(0) as number[];
   for (let i = length - 1; i >= 0; i--) {
     res[i] = value & 0xff;
@@ -65,7 +65,7 @@ export function expand_message_xmd(
   if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
   const ell = Math.ceil(lenInBytes / b_in_bytes);
-  if (ell > 255) throw new Error('Invalid xmd length');
+  if (lenInBytes > 65535 || ell > 255) throw new Error('expand_message_xmd: invalid lenInBytes');
   const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
   const Z_pad = i2osp(0, r_in_bytes);
   const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
@@ -221,8 +221,7 @@ export function createHasher<T>(
     mapToCurve(scalars: bigint[]) {
       if (!Array.isArray(scalars)) throw new Error('mapToCurve: expected array of bigints');
       for (const i of scalars)
-        if (typeof i !== 'bigint')
-          throw new Error(`mapToCurve: expected array of bigints, got ${i} in array`);
+        if (typeof i !== 'bigint') throw new Error('mapToCurve: expected array of bigints');
       const P = Point.fromAffine(mapToCurve(scalars)).clearCofactor();
       P.assertValidity();
       return P;

package/src/abstract/modular.ts

@@ -10,11 +10,11 @@ import {
   validateObject,
 } from './utils.js';
 // prettier-ignore
-const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
-const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
+const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);
 // prettier-ignore
-const _9n = BigInt(9), _16n = BigInt(16);
+const _9n =/* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
 
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
@@ -29,7 +29,8 @@ export function mod(a: bigint, b: bigint): bigint {
  */
 // TODO: use field version && remove
 export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
-  if (modulo <= _0n || power < _0n) throw new Error('Expected power/modulo > 0');
+  if (power < _0n) throw new Error('invalid exponent, negatives unsupported');
+  if (modulo <= _0n) throw new Error('invalid modulus');
   if (modulo === _1n) return _0n;
   let res = _1n;
   while (power > _0n) {
@@ -52,9 +53,8 @@ export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
 
 // Inverses number over modulo
 export function invert(number: bigint, modulo: bigint): bigint {
-  if (number === _0n || modulo <= _0n) {
-    throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
-  }
+  if (number === _0n) throw new Error('invert: expected non-zero number');
+  if (modulo <= _0n) throw new Error('invert: expected positive modulus, got ' + modulo);
   // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
   // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
   let a = mod(number, modulo);
@@ -97,7 +97,10 @@ export function tonelliShanks(P: bigint) {
   for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++);
 
   // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-  for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++);
+  for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++) {
+    // Crash instead of infinity loop, we cannot reasonable count until P.
+    if (Z > 1000) throw new Error('Cannot find square root: likely non-prime P');
+  }
 
   // Fast-path
   if (S === 1) {
@@ -273,7 +276,7 @@ export function validateField<T>(field: IField<T>) {
 export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
   // Should have same speed as pow for bigints
   // TODO: benchmark!
-  if (power < _0n) throw new Error('Expected power > 0');
+  if (power < _0n) throw new Error('invalid exponent, negatives unsupported');
   if (power === _0n) return f.ONE;
   if (power === _1n) return num;
   let p = f.ONE;
@@ -360,10 +363,10 @@ export function Field(
   isLE = false,
   redef: Partial<IField<bigint>> = {}
 ): Readonly<FpField> {
-  if (ORDER <= _0n) throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
+  if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
   const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
-  if (BYTES > 2048) throw new Error('Field lengths over 2048 bytes are not supported');
-  const sqrtP = FpSqrt(ORDER);
+  if (BYTES > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+  let sqrtP: ReturnType<typeof FpSqrt>; // cached sqrtP
   const f: Readonly<FpField> = Object.freeze({
     ORDER,
     BITS,
@@ -374,7 +377,7 @@ export function Field(
     create: (num) => mod(num, ORDER),
     isValid: (num) => {
       if (typeof num !== 'bigint')
-        throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+        throw new Error('invalid field element: expected bigint, got ' + typeof num);
       return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
     },
     is0: (num) => num === _0n,
@@ -396,7 +399,12 @@ export function Field(
     mulN: (lhs, rhs) => lhs * rhs,
 
     inv: (num) => invert(num, ORDER),
-    sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
+    sqrt:
+      redef.sqrt ||
+      ((n) => {
+        if (!sqrtP) sqrtP = FpSqrt(ORDER);
+        return sqrtP(f, n);
+      }),
     invertBatch: (lst) => FpInvertBatch(f, lst),
     // TODO: do we really need constant cmov?
     // We don't have const-time bigints anyway, so probably will be not very useful
@@ -404,7 +412,7 @@ export function Field(
     toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
     fromBytes: (bytes) => {
       if (bytes.length !== BYTES)
-        throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+        throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
       return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
     },
   } as FpField);
@@ -412,13 +420,13 @@ export function Field(
 }
 
 export function FpSqrtOdd<T>(Fp: IField<T>, elm: T) {
-  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
+  if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
   const root = Fp.sqrt(elm);
   return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 
 export function FpSqrtEven<T>(Fp: IField<T>, elm: T) {
-  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
+  if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
   const root = Fp.sqrt(elm);
   return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
@@ -438,7 +446,9 @@ export function hashToPrivateScalar(
   const hashLen = hash.length;
   const minLen = nLength(groupOrder).nByteLength + 8;
   if (minLen < 24 || hashLen < minLen || hashLen > 1024)
-    throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+    throw new Error(
+      'hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen
+    );
   const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
   return mod(num, groupOrder - _1n) + _1n;
 }
@@ -486,7 +496,7 @@ export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false
   const minLen = getMinHashLength(fieldOrder);
   // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
   if (len < 16 || len < minLen || len > 1024)
-    throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
+    throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
   const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
   // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
   const reduced = mod(num, fieldOrder - _1n) + _1n;

package/src/abstract/montgomery.ts

@@ -158,8 +158,10 @@ export function montgomery(curveDef: CurveType): CurveFn {
   function decodeScalar(n: Hex): bigint {
     const bytes = ensureBytes('scalar', n);
     const len = bytes.length;
-    if (len !== montgomeryBytes && len !== fieldLen)
-      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`);
+    if (len !== montgomeryBytes && len !== fieldLen) {
+      let valid = '' + montgomeryBytes + ' or ' + fieldLen;
+      throw new Error('invalid scalar, expected ' + valid + ' bytes, got ' + len);
+    }
     return bytesToNumberLE(adjustScalarBytes(bytes));
   }
   function scalarMult(scalar: Hex, u: Hex): Uint8Array {
@@ -168,7 +170,7 @@ export function montgomery(curveDef: CurveType): CurveFn {
     const pu = montgomeryLadder(pointU, _scalar);
     // The result was not contributory
     // https://cr.yp.to/ecdh.html#validate
-    if (pu === _0n) throw new Error('Invalid private or public key received');
+    if (pu === _0n) throw new Error('invalid private or public key received');
     return encodeUCoordinate(pu);
   }
   // Computes public key from private. By doing scalar multiplication of base point.