@noble/curves 1.9.2 → 1.9.3

package/src/abstract/hash-to-curve.ts

@@ -16,7 +16,7 @@ import {
   utf8ToBytes,
 } from '../utils.ts';
 import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
-import { FpInvertBatch, type IField, mod } from './modular.ts';
+import { FpInvertBatch, mod, type IField } from './modular.ts';
 
 export type UnicodeOrBytes = string | Uint8Array;
 
@@ -71,19 +71,24 @@ function anum(item: unknown): void {
   if (!Number.isSafeInteger(item)) throw new Error('number expected');
 }
 
+function normDST(DST: UnicodeOrBytes): Uint8Array {
+  if (!isBytes(DST) && typeof DST !== 'string') throw new Error('DST must be Uint8Array or string');
+  return typeof DST === 'string' ? utf8ToBytes(DST) : DST;
+}
+
 /**
  * Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
  * [RFC 9380 5.3.1](https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1).
  */
 export function expand_message_xmd(
   msg: Uint8Array,
-  DST: Uint8Array,
+  DST: UnicodeOrBytes,
   lenInBytes: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  abytes(DST);
   anum(lenInBytes);
+  DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
@@ -112,14 +117,14 @@ export function expand_message_xmd(
  */
 export function expand_message_xof(
   msg: Uint8Array,
-  DST: Uint8Array,
+  DST: UnicodeOrBytes,
   lenInBytes: number,
   k: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  abytes(DST);
   anum(lenInBytes);
+  DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
   if (DST.length > 255) {
@@ -154,13 +159,10 @@ export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts):
     k: 'number',
     hash: 'function',
   });
-  const { p, k, m, hash, expand, DST: _DST } = options;
-  if (!isBytes(_DST) && typeof _DST !== 'string')
-    throw new Error('DST must be string or uint8array');
+  const { p, k, m, hash, expand, DST } = options;
   if (!isHash(options.hash)) throw new Error('expected valid hash');
   abytes(msg);
   anum(count);
-  const DST = typeof _DST === 'string' ? utf8ToBytes(_DST) : _DST;
   const log2p = p.toString(2).length;
   const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
   const len_in_bytes = count * m * L;
@@ -229,6 +231,10 @@ export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint
 // TODO: remove
 export type HTFMethod<T> = H2CMethod<T>;
 export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
+export type H2CHasherBase<T> = {
+  hashToCurve: H2CMethod<T>;
+  hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
+};
 /**
  * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
  *
@@ -236,8 +242,7 @@ export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
  * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
  * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
  */
-export type H2CHasher<T> = {
-  hashToCurve: H2CMethod<T>;
+export type H2CHasher<T> = H2CHasherBase<T> & {
   encodeToCurve: H2CMethod<T>;
   mapToCurve: MapMethod<T>;
   defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
@@ -245,6 +250,8 @@ export type H2CHasher<T> = {
 // TODO: remove
 export type Hasher<T> = H2CHasher<T>;
 
+export const _DST_scalar: Uint8Array = utf8ToBytes('HashToScalar-');
+
 /** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
 export function createHasher<T>(
   Point: H2CPointConstructor<T>,
@@ -264,19 +271,20 @@ export function createHasher<T>(
 
   return {
     defaults,
+
     hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const dst = defaults.DST ? defaults.DST : {};
-      const opts = Object.assign({}, defaults, dst, options);
+      const opts = Object.assign({}, defaults, options);
       const u = hash_to_field(msg, 2, opts);
       const u0 = map(u[0]);
       const u1 = map(u[1]);
       return clear(u0.add(u1));
     },
     encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const dst = defaults.encodeDST ? defaults.encodeDST : {};
-      const opts = Object.assign({}, defaults, dst, options);
+      const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
+      const opts = Object.assign({}, defaults, optsDst, options);
       const u = hash_to_field(msg, 1, opts);
-      return clear(map(u[0]));
+      const u0 = map(u[0]);
+      return clear(u0);
     },
     /** See {@link H2CHasher} */
     mapToCurve(scalars: bigint[]): H2CPoint<T> {
@@ -285,5 +293,14 @@ export function createHasher<T>(
         if (typeof i !== 'bigint') throw new Error('expected array of bigints');
       return clear(map(scalars));
     },
+
+    // hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
+    // RFC 9380, draft-irtf-cfrg-bbs-signatures-08
+    hashToScalar(msg: Uint8Array, options?: htfBasicOpts): bigint {
+      // @ts-ignore
+      const N = Point.Fn.ORDER;
+      const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);
+      return hash_to_field(msg, 1, opts)[0][0];
+    },
   };
 }

package/src/abstract/modular.ts

@@ -19,8 +19,9 @@ import {
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
-const _8n = /* @__PURE__ */ BigInt(8);
+const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
+// prettier-ignore
+const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
 
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
@@ -73,6 +74,10 @@ export function invert(number: bigint, modulo: bigint): bigint {
   return mod(x, modulo);
 }
 
+function assertIsSquare<T>(Fp: IField<T>, root: T, n: T): void {
+  if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+}
+
 // Not all roots are possible! Example which will throw:
 // const NUM =
 // n = 72057594037927816n;
@@ -80,8 +85,7 @@ export function invert(number: bigint, modulo: bigint): bigint {
 function sqrt3mod4<T>(Fp: IField<T>, n: T) {
   const p1div4 = (Fp.ORDER + _1n) / _4n;
   const root = Fp.pow(n, p1div4);
-  // Throw if root^2 != n
-  if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+  assertIsSquare(Fp, root, n);
   return root;
 }
 
@@ -92,32 +96,34 @@ function sqrt5mod8<T>(Fp: IField<T>, n: T) {
   const nv = Fp.mul(n, v);
   const i = Fp.mul(Fp.mul(nv, _2n), v);
   const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-  if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+  assertIsSquare(Fp, root, n);
   return root;
 }
 
-// TODO: Commented-out for now. Provide test vectors.
-// Tonelli is too slow for extension fields Fp2.
-// That means we can't use sqrt (c1, c2...) even for initialization constants.
-// if (P % _16n === _9n) return sqrt9mod16;
-// // prettier-ignore
-// function sqrt9mod16<T>(Fp: IField<T>, n: T, p7div16?: bigint) {
-//   if (p7div16 === undefined) p7div16 = (Fp.ORDER + BigInt(7)) / _16n;
-//   const c1 = Fp.sqrt(Fp.neg(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-//   const c2 = Fp.sqrt(c1);             //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
-//   const c3 = Fp.sqrt(Fp.neg(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
-//   const c4 = p7div16;                 //  4. c4 = (q + 7) / 16        # Integer arithmetic
-//   let tv1 = Fp.pow(n, c4);            //  1. tv1 = x^c4
-//   let tv2 = Fp.mul(c1, tv1);          //  2. tv2 = c1 * tv1
-//   const tv3 = Fp.mul(c2, tv1);        //  3. tv3 = c2 * tv1
-//   let tv4 = Fp.mul(c3, tv1);          //  4. tv4 = c3 * tv1
-//   const e1 = Fp.eql(Fp.sqr(tv2), n);  //  5.  e1 = (tv2^2) == x
-//   const e2 = Fp.eql(Fp.sqr(tv3), n);  //  6.  e2 = (tv3^2) == x
-//   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
-//   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
-//   const e3 = Fp.eql(Fp.sqr(tv2), n);  //  9.  e3 = (tv2^2) == x
-//   return Fp.cmov(tv1, tv2, e3); // 10.  z = CMOV(tv1, tv2, e3) # Select the sqrt from tv1 and tv2
-// }
+// Based on RFC9380, Kong algorithm
+// prettier-ignore
+function sqrt9mod16(P: bigint): <T>(Fp: IField<T>, n: T) => T {
+  const Fp_ = Field(P);
+  const tn = tonelliShanks(P);
+  const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));//  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+  const c2 = tn(Fp_, c1);              //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+  const c3 = tn(Fp_, Fp_.neg(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+  const c4 = (P + _7n) / _16n;         //  4. c4 = (q + 7) / 16        # Integer arithmetic
+  return <T>(Fp: IField<T>, n: T) => {
+    let tv1 = Fp.pow(n, c4);           //  1. tv1 = x^c4
+    let tv2 = Fp.mul(tv1, c1);         //  2. tv2 = c1 * tv1
+    const tv3 = Fp.mul(tv1, c2);       //  3. tv3 = c2 * tv1
+    const tv4 = Fp.mul(tv1, c3);       //  4. tv4 = c3 * tv1
+    const e1 = Fp.eql(Fp.sqr(tv2), n); //  5.  e1 = (tv2^2) == x
+    const e2 = Fp.eql(Fp.sqr(tv3), n); //  6.  e2 = (tv3^2) == x
+    tv1 = Fp.cmov(tv1, tv2, e1);       //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+    tv2 = Fp.cmov(tv4, tv3, e2);       //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+    const e3 = Fp.eql(Fp.sqr(tv2), n); //  9.  e3 = (tv2^2) == x
+    const root = Fp.cmov(tv1, tv2, e3);// 10.  z = CMOV(tv1, tv2, e3)   # Select sqrt from tv1 & tv2
+    assertIsSquare(Fp, root, n);
+    return root;
+  };
+}
 
 /**
  * Tonelli-Shanks square root search algorithm.
@@ -129,7 +135,7 @@ function sqrt5mod8<T>(Fp: IField<T>, n: T) {
 export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
   // Initialization (precomputation).
   // Caching initialization could boost perf by 7%.
-  if (P < BigInt(3)) throw new Error('sqrt is not defined for small field');
+  if (P < _3n) throw new Error('sqrt is not defined for small field');
   // Factor P - 1 = Q * 2^S, where Q is odd
   let Q = P - _1n;
   let S = 0;
@@ -197,7 +203,8 @@ export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
  *
  * 1. P ≡ 3 (mod 4)
  * 2. P ≡ 5 (mod 8)
- * 3. Tonelli-Shanks algorithm
+ * 3. P ≡ 9 (mod 16)
+ * 4. Tonelli-Shanks algorithm
  *
  * Different algorithms can give different roots, it is up to user to decide which one they want.
  * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
@@ -207,7 +214,8 @@ export function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T {
   if (P % _4n === _3n) return sqrt3mod4;
   // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
   if (P % _8n === _5n) return sqrt5mod8;
-  // P ≡ 9 (mod 16) not implemented, see above
+  // P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
+  if (P % _16n === _9n) return sqrt9mod16(P);
   // Tonelli-Shanks algorithm
   return tonelliShanks(P);
 }
@@ -252,10 +260,11 @@ export interface IField<T> {
   // [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
   // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
   isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
+  allowedLengths?: number[];
   // legendre?(num: T): T;
   invertBatch: (lst: T[]) => T[];
   toBytes(num: T): Uint8Array;
-  fromBytes(bytes: Uint8Array): T;
+  fromBytes(bytes: Uint8Array, skipValidation?: boolean): T;
   // If c is False, CMOV returns a, otherwise it returns b.
   cmov(a: T, b: T, c: boolean): T;
 }
@@ -371,7 +380,13 @@ export function nLength(n: bigint, nBitLength?: number): NLength {
 
 type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
 type SqrtFn = (n: bigint) => bigint;
-type FieldOpts = Partial<{ sqrt: SqrtFn; isLE: boolean; BITS: number }>;
+type FieldOpts = Partial<{
+  sqrt: SqrtFn;
+  isLE: boolean;
+  BITS: number;
+  modOnDecode: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+  allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
+}>;
 /**
  * Creates a finite field. Major performance optimizations:
  * * 1. Denormalized operations like mulN instead of mul.
@@ -393,19 +408,23 @@ type FieldOpts = Partial<{ sqrt: SqrtFn; isLE: boolean; BITS: number }>;
  */
 export function Field(
   ORDER: bigint,
-  bitLenOrOpts?: number | FieldOpts,
+  bitLenOrOpts?: number | FieldOpts, // TODO: use opts only in v2?
   isLE = false,
   opts: { sqrt?: SqrtFn } = {}
 ): Readonly<FpField> {
   if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
   let _nbitLength: number | undefined = undefined;
   let _sqrt: SqrtFn | undefined = undefined;
+  let modOnDecode: boolean = false;
+  let allowedLengths: undefined | readonly number[] = undefined;
   if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
     if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
     const _opts = bitLenOrOpts;
     if (_opts.BITS) _nbitLength = _opts.BITS;
     if (_opts.sqrt) _sqrt = _opts.sqrt;
     if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
+    if (typeof _opts.modOnDecode === 'boolean') modOnDecode = _opts.modOnDecode;
+    allowedLengths = _opts.allowedLengths;
   } else {
     if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
     if (opts.sqrt) _sqrt = opts.sqrt;
@@ -421,6 +440,7 @@ export function Field(
     MASK: bitMask(BITS),
     ZERO: _0n,
     ONE: _1n,
+    allowedLengths: allowedLengths,
     create: (num) => mod(num, ORDER),
     isValid: (num) => {
       if (typeof num !== 'bigint')
@@ -455,10 +475,27 @@ export function Field(
         return sqrtP(f, n);
       }),
     toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-    fromBytes: (bytes) => {
+    fromBytes: (bytes, skipValidation = true) => {
+      if (allowedLengths) {
+        if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+          throw new Error(
+            'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
+          );
+        }
+        const padded = new Uint8Array(BYTES);
+        // isLE add 0 to right, !isLE to the left.
+        padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+        bytes = padded;
+      }
       if (bytes.length !== BYTES)
         throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-      return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+      let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+      if (modOnDecode) scalar = mod(scalar, ORDER);
+      if (!skipValidation)
+        if (!f.isValid(scalar)) throw new Error('invalid field element: outside of range 0..ORDER');
+      // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+      // protocol may allow non-reduced scalar that reduced later or changed some other way.
+      return scalar;
     },
     // TODO: we don't need it here, move out to separate fn
     invertBatch: (lst) => FpInvertBatch(f, lst),
@@ -469,6 +506,20 @@ export function Field(
   return Object.freeze(f);
 }
 
+// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
+// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
+// which mean we cannot force this via opts.
+// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
+// Probably need to export getMinHashLength somewhere?
+// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
+//   const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
+//   if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
+//   const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+//   // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
+//   const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
+//   return reduced;
+// },
+
 export function FpSqrtOdd<T>(Fp: IField<T>, elm: T): T {
   if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
   const root = Fp.sqrt(elm);

package/src/abstract/montgomery.ts

@@ -13,6 +13,7 @@ import {
   numberToBytesLE,
   randomBytes,
 } from '../utils.ts';
+import type { CurveInfo } from './curve.ts';
 import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
@@ -28,14 +29,25 @@ export type CurveType = {
   randomBytes?: (bytesLength?: number) => Uint8Array;
 };
 
-export type CurveFn = {
+export type MontgomeryECDH = {
   scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
   scalarMultBase: (scalar: Hex) => Uint8Array;
-  getSharedSecret: (privateKeyA: Hex, publicKeyB: Hex) => Uint8Array;
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  utils: { randomPrivateKey: () => Uint8Array };
+  getSharedSecret: (secretKeyA: Hex, publicKeyB: Hex) => Uint8Array;
+  getPublicKey: (secretKey: Hex) => Uint8Array;
+  utils: {
+    randomSecretKey: () => Uint8Array;
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: () => Uint8Array;
+  };
   GuBytes: Uint8Array;
+  info: {
+    type: 'montgomery';
+    lengths: Omit<CurveInfo['lengths'], 'signature'>;
+    publicKeyHasPrefix?: boolean;
+  };
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
 };
+export type CurveFn = MontgomeryECDH;
 
 function validateOpts(curve: CurveType) {
   _validateObject(curve, {
@@ -45,7 +57,7 @@ function validateOpts(curve: CurveType) {
   return Object.freeze({ ...curve } as const);
 }
 
-export function montgomery(curveDef: CurveType): CurveFn {
+export function montgomery(curveDef: CurveType): MontgomeryECDH {
   const CURVE = validateOpts(curveDef);
   const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
   const is25519 = type === 'x25519';
@@ -155,13 +167,28 @@ export function montgomery(curveDef: CurveType): CurveFn {
     const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
     return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
-
+  const randomSecretKey = (seed = randomBytes_(fieldLen)) => seed;
+  const utils = {
+    randomSecretKey,
+    randomPrivateKey: randomSecretKey,
+  };
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: scalarMultBase(secretKey) };
+  }
+  const lengths = {
+    secret: fieldLen,
+    public: fieldLen,
+    seed: fieldLen,
+  };
   return {
+    keygen,
+    getSharedSecret: (secretKey: Hex, publicKey: Hex) => scalarMult(secretKey, publicKey),
+    getPublicKey: (secretKey: Hex): Uint8Array => scalarMultBase(secretKey),
     scalarMult,
     scalarMultBase,
-    getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
-    getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    utils: { randomPrivateKey: () => randomBytes_(fieldLen) },
+    utils,
     GuBytes: GuBytes.slice(),
+    info: { type: 'montgomery' as const, lengths },
   };
 }

package/src/abstract/tower.ts

@@ -12,7 +12,7 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { bitLen, bitMask, concatBytes, notImplemented } from '../utils.ts';
 import * as mod from './modular.ts';
-import type { ProjConstructor, ProjPointType } from './weierstrass.ts';
+import type { WeierstrassPoint, WeierstrassPointCons } from './weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -95,8 +95,8 @@ export function psiFrobenius(
 ): {
   psi: (x: Fp2, y: Fp2) => [Fp2, Fp2];
   psi2: (x: Fp2, y: Fp2) => [Fp2, Fp2];
-  G2psi: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
-  G2psi2: (c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) => ProjPointType<Fp2>;
+  G2psi: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
+  G2psi2: (c: WeierstrassPointCons<Fp2>, P: WeierstrassPoint<Fp2>) => WeierstrassPoint<Fp2>;
   PSI_X: Fp2;
   PSI_Y: Fp2;
   PSI2_X: Fp2;
@@ -123,7 +123,7 @@ export function psiFrobenius(
   // Map points
   const mapAffine =
     <T>(fn: (x: T, y: T) => [T, T]) =>
-    (c: ProjConstructor<T>, P: ProjPointType<T>) => {
+    (c: WeierstrassPointCons<T>, P: WeierstrassPoint<T>) => {
       const affine = P.toAffine();
       const p = fn(affine.x, affine.y);
       return c.fromAffine({ x: p[0], y: p[1] });