@noble/curves 1.8.0 → 1.8.2

package/src/abstract/edwards.ts

@@ -5,17 +5,20 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
-  AffinePoint,
-  BasicCurve,
-  Group,
-  GroupConstructor,
+  type AffinePoint,
+  type BasicCurve,
+  type Group,
+  type GroupConstructor,
+  pippenger,
   validateBasic,
   wNAF,
-  pippenger,
-} from './curve.js';
-import { mod, Field } from './modular.js';
-import * as ut from './utils.js';
-import { ensureBytes, FHash, Hex, memoized, abool } from './utils.js';
+} from './curve.ts';
+import { Field, mod } from './modular.ts';
+// prettier-ignore
+import {
+  abool, aInRange, bytesToHex, bytesToNumberLE, concatBytes,
+  ensureBytes, type FHash, type Hex, memoized, numberToBytesLE, validateObject
+} from './utils.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -41,7 +44,7 @@ const VERIFY_DEFAULT = { zip215: true };
 
 function validateOpts(curve: CurveType): CurveTypeWithLength {
   const opts = validateBasic(curve);
-  ut.validateObject(
+  validateObject(
     curve,
     {
       hash: 'function',
@@ -162,11 +165,12 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     }); // NOOP
   // 0 <= n < MASK
   // Coordinates larger than Fp.ORDER are allowed for zip215
-  function aCoordinate(title: string, n: bigint) {
-    ut.aInRange('coordinate ' + title, n, _0n, MASK);
+  function aCoordinate(title: string, n: bigint, banZero = false) {
+    const min = banZero ? _1n : _0n;
+    aInRange('coordinate ' + title, n, min, MASK);
   }
 
-  function assertPoint(other: unknown) {
+  function aextpoint(other: unknown) {
     if (!(other instanceof Point)) throw new Error('ExtendedPoint expected');
   }
   // Converts Extended point to default (x, y) coordinates.
@@ -208,17 +212,20 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   class Point implements ExtPointType {
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
+    readonly ex: bigint;
+    readonly ey: bigint;
+    readonly ez: bigint;
+    readonly et: bigint;
 
-    constructor(
-      readonly ex: bigint,
-      readonly ey: bigint,
-      readonly ez: bigint,
-      readonly et: bigint
-    ) {
+    constructor(ex: bigint, ey: bigint, ez: bigint, et: bigint) {
       aCoordinate('x', ex);
       aCoordinate('y', ey);
-      aCoordinate('z', ez);
+      aCoordinate('z', ez, true);
       aCoordinate('t', et);
+      this.ex = ex;
+      this.ey = ey;
+      this.ez = ez;
+      this.et = et;
       Object.freeze(this);
     }
 
@@ -257,7 +264,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
     // Compare one point to another.
     equals(other: Point): boolean {
-      assertPoint(other);
+      aextpoint(other);
       const { ex: X1, ey: Y1, ez: Z1 } = this;
       const { ex: X2, ey: Y2, ez: Z2 } = other;
       const X1Z2 = modP(X1 * Z2);
@@ -302,30 +309,10 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
     // Cost: 9M + 1*a + 1*d + 7add.
     add(other: Point) {
-      assertPoint(other);
+      aextpoint(other);
       const { a, d } = CURVE;
       const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
       const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
-      // Faster algo for adding 2 Extended Points when curve's a=-1.
-      // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
-      // Cost: 8M + 8add + 2*2.
-      // Note: It does not check whether the `other` point is valid.
-      if (a === BigInt(-1)) {
-        const A = modP((Y1 - X1) * (Y2 + X2));
-        const B = modP((Y1 + X1) * (Y2 - X2));
-        const F = modP(B - A);
-        if (F === _0n) return this.double(); // Same point. Tests say it doesn't affect timing
-        const C = modP(Z1 * _2n * T2);
-        const D = modP(T1 * _2n * Z2);
-        const E = D + C;
-        const G = B + A;
-        const H = D - C;
-        const X3 = modP(E * F);
-        const Y3 = modP(G * H);
-        const T3 = modP(E * H);
-        const Z3 = modP(F * G);
-        return new Point(X3, Y3, Z3, T3);
-      }
       const A = modP(X1 * X2); // A = X1*X2
       const B = modP(Y1 * Y2); // B = Y1*Y2
       const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -338,7 +325,6 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       const Y3 = modP(G * H); // Y3 = G*H
       const T3 = modP(E * H); // T3 = E*H
       const Z3 = modP(F * G); // Z3 = F*G
-
       return new Point(X3, Y3, Z3, T3);
     }
 
@@ -353,7 +339,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Constant-time multiplication.
     multiply(scalar: bigint): Point {
       const n = scalar;
-      ut.aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
+      aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
       const { p, f } = this.wNAF(n);
       return Point.normalizeZ([p, f])[0];
     }
@@ -365,7 +351,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Accepts optional accumulator to merge with multiply (important for sparse scalars)
     multiplyUnsafe(scalar: bigint, acc = Point.ZERO): Point {
       const n = scalar;
-      ut.aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
+      aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
       if (n === _0n) return I;
       if (this.is0() || n === _1n) return this;
       return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
@@ -407,14 +393,14 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       const normed = hex.slice(); // copy again, we'll manipulate it
       const lastByte = hex[len - 1]; // select last byte
       normed[len - 1] = lastByte & ~0x80; // clear last bit
-      const y = ut.bytesToNumberLE(normed);
+      const y = bytesToNumberLE(normed);
 
       // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
       // RFC8032 prohibits >= p, but ZIP215 doesn't
       // zip215=true:  0 <= y < MASK (2^256 for ed25519)
       // zip215=false: 0 <= y < P (2^255-19 for ed25519)
       const max = zip215 ? MASK : Fp.ORDER;
-      ut.aInRange('pointHex.y', y, _0n, max);
+      aInRange('pointHex.y', y, _0n, max);
 
       // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
       // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
@@ -431,17 +417,18 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
       return Point.fromAffine({ x, y });
     }
-    static fromPrivateKey(privKey: Hex) {
-      return getExtendedPublicKey(privKey).point;
+    static fromPrivateKey(privKey: Hex): Point {
+      const { scalar } = getPrivateScalar(privKey);
+      return G.multiply(scalar); // reduced one call of `toRawBytes`
     }
     toRawBytes(): Uint8Array {
       const { x, y } = this.toAffine();
-      const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
+      const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
       bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
       return bytes; // and use the last byte to encode sign of x
     }
     toHex(): string {
-      return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
+      return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
     }
   }
   const { BASE: G, ZERO: I } = Point;
@@ -452,11 +439,11 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   }
   // Little-endian SHA512 with modulo n
   function modN_LE(hash: Uint8Array): bigint {
-    return modN(ut.bytesToNumberLE(hash));
+    return modN(bytesToNumberLE(hash));
   }
 
-  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
-  function getExtendedPublicKey(key: Hex) {
+  // Get the hashed private scalar per RFC8032 5.1.5
+  function getPrivateScalar(key: Hex) {
     const len = Fp.BYTES;
     key = ensureBytes('private key', key, len);
     // Hash private key with curve's hash function to produce uniformingly random input
@@ -465,6 +452,12 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
     const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
     const scalar = modN_LE(head); // The actual private scalar
+    return { head, prefix, scalar };
+  }
+
+  // Convenience method that creates public key from scalar. RFC8032 5.1.5
+  function getExtendedPublicKey(key: Hex) {
+    const { head, prefix, scalar } = getPrivateScalar(key);
     const point = G.multiply(scalar); // Point on Edwards curve aka public key
     const pointBytes = point.toRawBytes(); // Uint8Array representation
     return { head, prefix, scalar, point, pointBytes };
@@ -477,7 +470,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
   function hashDomainToScalar(context: Hex = new Uint8Array(), ...msgs: Uint8Array[]) {
-    const msg = ut.concatBytes(...msgs);
+    const msg = concatBytes(...msgs);
     return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
   }
 
@@ -490,8 +483,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     const R = G.multiply(r).toRawBytes(); // R = rG
     const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
     const s = modN(r + k * scalar); // S = (r + k * s) mod L
-    ut.aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
-    const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
+    aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
+    const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
     return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
   }
 
@@ -510,7 +503,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     if (zip215 !== undefined) abool('zip215', zip215);
     if (prehash) msg = prehash(msg); // for ed25519ph, etc
 
-    const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
+    const s = bytesToNumberLE(sig.slice(len, 2 * len));
     let A, R, SB;
     try {
       // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
@@ -535,7 +528,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
   const utils = {
     getExtendedPublicKey,
-    // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
+    /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
     randomPrivateKey: (): Uint8Array => randomBytes(Fp.BYTES),
 
     /**

package/src/abstract/hash-to-curve.ts

@@ -1,13 +1,14 @@
 /**
- * hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
+ * hash-to-curve from RFC 9380.
  * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F.
+ * https://www.rfc-editor.org/rfc/rfc9380
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import type { AffinePoint, Group, GroupConstructor } from './curve.js';
-import { IField, mod } from './modular.js';
-import type { CHash } from './utils.js';
-import { abytes, bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.js';
+import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
+import { type IField, mod } from './modular.ts';
+import type { CHash } from './utils.ts';
+import { abytes, bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.ts';
 
 export type UnicodeOrBytes = string | Uint8Array;
 
@@ -185,6 +186,7 @@ export function isogenyMap<T, F extends IField<T>>(field: F, map: [T[], T[], T[]
     const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
       val.reduce((acc, i) => field.add(field.mul(acc, x), i))
     );
+    if (field.is0(xDen) || field.is0(yDen)) throw new Error('bad point: ZERO');
     x = field.div(xNum, xDen); // xNum / xDen
     y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
     return { x: x, y: y };

package/src/abstract/modular.ts

@@ -13,7 +13,7 @@ import {
   numberToBytesBE,
   numberToBytesLE,
   validateObject,
-} from './utils.js';
+} from './utils.ts';
 
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);

package/src/abstract/montgomery.ts

@@ -5,14 +5,14 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { mod, pow } from './modular.js';
+import { mod, pow } from './modular.ts';
 import {
   aInRange,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesLE,
   validateObject,
-} from './utils.js';
+} from './utils.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);

package/src/abstract/poseidon.ts

@@ -7,7 +7,7 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { FpPow, IField, validateField } from './modular.js';
+import { FpPow, type IField, validateField } from './modular.ts';
 
 export type PoseidonOpts = {
   Fp: IField<bigint>;

package/src/abstract/tower.ts

@@ -10,9 +10,9 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import * as mod from './modular.js';
-import { bitLen, bitMask, concatBytes, notImplemented } from './utils.js';
-import type { ProjConstructor, ProjPointType } from './weierstrass.js';
+import * as mod from './modular.ts';
+import { bitLen, bitMask, concatBytes, notImplemented } from './utils.ts';
+import type { ProjConstructor, ProjPointType } from './weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -540,9 +540,9 @@ export function tower12(opts: Tower12Opts): {
   const Fp12: mod.IField<Fp12> & Fp12Utils = {
     ORDER: Fp2.ORDER, // TODO: unused, but need to verify
     isLE: Fp6.isLE,
-    BITS: 2 * Fp2.BITS,
-    BYTES: 2 * Fp2.BYTES,
-    MASK: bitMask(2 * Fp2.BITS),
+    BITS: 2 * Fp6.BITS,
+    BYTES: 2 * Fp6.BYTES,
+    MASK: bitMask(2 * Fp6.BITS),
     ZERO: { c0: Fp6.ZERO, c1: Fp6.ZERO },
     ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
     create: (num) => num,

package/src/abstract/utils.ts

@@ -10,7 +10,6 @@
 // won't be included into their bundle.
 const _0n = /* @__PURE__ */ BigInt(0);
 const _1n = /* @__PURE__ */ BigInt(1);
-const _2n = /* @__PURE__ */ BigInt(2);
 export type Hex = Uint8Array | string; // hex strings are accepted for simplicity
 export type PrivKey = Hex | bigint; // bigints are accepted to ease learning curve
 export type CHash = {
@@ -33,15 +32,34 @@ export function abool(title: string, value: boolean): void {
   if (typeof value !== 'boolean') throw new Error(title + ' boolean expected, got ' + value);
 }
 
+export function numberToHexUnpadded(num: number | bigint): string {
+  const hex = num.toString(16);
+  return hex.length & 1 ? '0' + hex : hex;
+}
+
+export function hexToNumber(hex: string): bigint {
+  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian
+}
+
+// Built-in hex conversion https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex
+const hasHexBuiltin: boolean =
+  // @ts-ignore
+  typeof Uint8Array.from([]).toHex === 'function' && typeof Uint8Array.fromHex === 'function';
+
 // Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
   i.toString(16).padStart(2, '0')
 );
+
 /**
+ * Convert byte array to hex string. Uses built-in function, when available.
  * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
  */
 export function bytesToHex(bytes: Uint8Array): string {
   abytes(bytes);
+  // @ts-ignore
+  if (hasHexBuiltin) return bytes.toHex();
   // pre-caching improves the speed 6x
   let hex = '';
   for (let i = 0; i < bytes.length; i++) {
@@ -50,16 +68,6 @@ export function bytesToHex(bytes: Uint8Array): string {
   return hex;
 }
 
-export function numberToHexUnpadded(num: number | bigint): string {
-  const hex = num.toString(16);
-  return hex.length & 1 ? '0' + hex : hex;
-}
-
-export function hexToNumber(hex: string): bigint {
-  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
-  return hex === '' ? _0n : BigInt('0x' + hex); // Big Endian
-}
-
 // We use optimized technique to convert hex string to byte array
 const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 } as const;
 function asciiToBase16(ch: number): number | undefined {
@@ -70,10 +78,13 @@ function asciiToBase16(ch: number): number | undefined {
 }
 
 /**
+ * Convert hex string to byte array. Uses built-in function, when available.
  * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
  */
 export function hexToBytes(hex: string): Uint8Array {
   if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  // @ts-ignore
+  if (hasHexBuiltin) return Uint8Array.fromHex(hex);
   const hl = hex.length;
   const al = hl / 2;
   if (hl % 2) throw new Error('hex string expected, got unpadded hex of length ' + hl);
@@ -233,12 +244,12 @@ export function bitSet(n: bigint, pos: number, value: boolean): bigint {
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
  * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
  */
-export const bitMask = (n: number): bigint => (_2n << BigInt(n - 1)) - _1n;
+export const bitMask = (n: number): bigint => (_1n << BigInt(n)) - _1n;
 
 // DRBG
 
-const u8n = (data?: any) => new Uint8Array(data); // creates Uint8Array
-const u8fr = (arr: any) => Uint8Array.from(arr); // another shortcut
+const u8n = (len: number) => new Uint8Array(len); // creates Uint8Array
+const u8fr = (arr: ArrayLike<number>) => Uint8Array.from(arr); // another shortcut
 type Pred<T> = (v: Uint8Array) => T | undefined;
 /**
  * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
@@ -265,7 +276,7 @@ export function createHmacDrbg<T>(
     i = 0;
   };
   const h = (...b: Uint8Array[]) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-  const reseed = (seed = u8n()) => {
+  const reseed = (seed = u8n(0)) => {
     // HMAC-DRBG reseed() function. Steps D-G
     k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)
     v = h(); // v = hmac(k || v)