@noble/curves 1.9.4 → 1.9.5

package/src/abstract/edwards.ts

@@ -7,14 +7,16 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
   _validateObject,
-  abool,
-  abytes,
+  _abool2 as abool,
+  _abytes2 as abytes,
   aInRange,
   bytesToHex,
   bytesToNumberLE,
   concatBytes,
+  copyBytes,
   ensureBytes,
   memoized,
+  notImplemented,
   numberToBytesLE,
   randomBytes,
   type FHash,
@@ -27,7 +29,7 @@ import {
   wNAF,
   type AffinePoint,
   type BasicCurve,
-  type CurveInfo,
+  type CurveLengths,
   type CurvePoint,
   type CurvePointCons,
 } from './curve.ts';
@@ -39,23 +41,6 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
 
 export type UVRatio = (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
 
-// TODO: remove
-export type CurveType = BasicCurve<bigint> & {
-  a: bigint; // curve param a
-  d: bigint; // curve param d
-  /** @deprecated the property will be removed in next release */
-  hash: FHash; // Hashing
-  randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
-  uvRatio?: UVRatio; // Ratio √(u/v)
-  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
-  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
-};
-
-// TODO: remove
-export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
-
 /** Instance of Extended Point with coordinates in X, Y, Z, T. */
 export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
   /** extended X coordinate. Different from affine x. */
@@ -81,8 +66,9 @@ export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
   readonly et: bigint;
 }
 /** Static methods of Extended Point with coordinates in X, Y, Z, T. */
-export interface EdwardsPointCons extends CurvePointCons<bigint, EdwardsPoint> {
+export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
   new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
+  CURVE(): EdwardsOpts;
   fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
   fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
   /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
@@ -124,6 +110,7 @@ export type EdwardsOpts = Readonly<{
 export type EdwardsExtraOpts = Partial<{
   Fp: IField<bigint>;
   Fn: IField<bigint>;
+  FpFnLE: boolean;
   uvRatio: (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
 }>;
 
@@ -199,24 +186,9 @@ export interface EdDSA {
     /** @deprecated use `point.precompute()` */
     precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
   };
-  info: CurveInfo;
+  lengths: CurveLengths;
 }
 
-// Legacy params. TODO: remove
-export type CurveFn = {
-  /** @deprecated the property will be removed in next release */
-  CURVE: CurveType;
-  keygen: EdDSA['keygen'];
-  getPublicKey: EdDSA['getPublicKey'];
-  sign: EdDSA['sign'];
-  verify: EdDSA['verify'];
-  Point: EdwardsPointCons;
-  /** @deprecated use `Point` */
-  ExtendedPoint: EdwardsPointCons;
-  utils: EdDSA['utils'];
-  info: CurveInfo;
-};
-
 function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigint): boolean {
   const x2 = Fp.sqr(x);
   const y2 = Fp.sqr(y);
@@ -225,10 +197,12 @@ function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigin
   return Fp.eql(left, right);
 }
 
-export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
-  const { Fp, Fn } = _createCurveFields('edwards', CURVE, curveOpts);
+export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
+  const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
+  const { Fp, Fn } = validated;
+  let CURVE = validated.CURVE as EdwardsOpts;
   const { h: cofactor, n: CURVE_ORDER } = CURVE;
-  _validateObject(curveOpts, {}, { uvRatio: 'function' });
+  _validateObject(extraOpts, {}, { uvRatio: 'function' });
 
   // Important:
   // There are some places where Fp.BYTES is used instead of nByteLength.
@@ -239,7 +213,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
 
   // sqrt(u/v)
   const uvRatio =
-    curveOpts.uvRatio ||
+    extraOpts.uvRatio ||
     ((u: bigint, v: bigint) => {
       try {
         return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
@@ -307,8 +281,9 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     // zero / infinity / identity point
     static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
-    // fields
+    // math field
     static readonly Fp = Fp;
+    // scalar field
     static readonly Fn = Fn;
 
     readonly X: bigint;
@@ -324,34 +299,8 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       Object.freeze(this);
     }
 
-    get x(): bigint {
-      return this.toAffine().x;
-    }
-    get y(): bigint {
-      return this.toAffine().y;
-    }
-
-    // TODO: remove
-    get ex(): bigint {
-      return this.X;
-    }
-    get ey(): bigint {
-      return this.Y;
-    }
-    get ez(): bigint {
-      return this.Z;
-    }
-    get et(): bigint {
-      return this.T;
-    }
-    static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, points);
-    }
-    static msm(points: Point[], scalars: bigint[]): Point {
-      return pippenger(Point, Fn, points, scalars);
-    }
-    _setWindowSize(windowSize: number) {
-      this.precompute(windowSize);
+    static CURVE(): EdwardsOpts {
+      return CURVE as EdwardsOpts;
     }
 
     static fromAffine(p: AffinePoint<bigint>): Point {
@@ -362,6 +311,50 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       return new Point(x, y, _1n, modP(x * y));
     }
 
+    // Uses algo from RFC8032 5.1.3.
+    static fromBytes(bytes: Uint8Array, zip215 = false): Point {
+      const len = Fp.BYTES;
+      const { a, d } = CURVE;
+      bytes = copyBytes(abytes(bytes, len, 'point'));
+      abool(zip215, 'zip215');
+      const normed = copyBytes(bytes); // copy again, we'll manipulate it
+      const lastByte = bytes[len - 1]; // select last byte
+      normed[len - 1] = lastByte & ~0x80; // clear last bit
+      const y = bytesToNumberLE(normed);
+
+      // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+      // RFC8032 prohibits >= p, but ZIP215 doesn't
+      // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+      // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+      const max = zip215 ? MASK : Fp.ORDER;
+      aInRange('pointHex.y', y, _0n, max);
+
+      // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
+      // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
+      const y2 = modP(y * y); // denominator is always non-0 mod p.
+      const u = modP(y2 - _1n); // u = y² - 1
+      const v = modP(d * y2 - a); // v = d y² + 1.
+      let { isValid, value: x } = uvRatio(u, v); // √(u/v)
+      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
+      const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
+      const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
+      if (!zip215 && x === _0n && isLastByteOdd)
+        // if x=0 and x_0 = 1, fail
+        throw new Error('Point.fromHex: x=0 and x_0=1');
+      if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
+      return Point.fromAffine({ x, y });
+    }
+    static fromHex(bytes: Uint8Array, zip215 = false): Point {
+      return Point.fromBytes(ensureBytes('point', bytes), zip215);
+    }
+
+    get x(): bigint {
+      return this.toAffine().x;
+    }
+    get y(): bigint {
+      return this.toAffine().y;
+    }
+
     precompute(windowSize: number = 8, isLazy = true) {
       wnaf.createCache(this, windowSize);
       if (!isLazy) this.multiply(_2n); // random number
@@ -489,45 +482,6 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       return this.multiplyUnsafe(cofactor);
     }
 
-    static fromBytes(bytes: Uint8Array, zip215 = false): Point {
-      abytes(bytes);
-      return Point.fromHex(bytes, zip215);
-    }
-
-    // Converts hash string or Uint8Array to Point.
-    // Uses algo from RFC8032 5.1.3.
-    static fromHex(hex: Hex, zip215 = false): Point {
-      const { d, a } = CURVE;
-      const len = Fp.BYTES;
-      hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
-      abool('zip215', zip215);
-      const normed = hex.slice(); // copy again, we'll manipulate it
-      const lastByte = hex[len - 1]; // select last byte
-      normed[len - 1] = lastByte & ~0x80; // clear last bit
-      const y = bytesToNumberLE(normed);
-
-      // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
-      // RFC8032 prohibits >= p, but ZIP215 doesn't
-      // zip215=true:  0 <= y < MASK (2^256 for ed25519)
-      // zip215=false: 0 <= y < P (2^255-19 for ed25519)
-      const max = zip215 ? MASK : Fp.ORDER;
-      aInRange('pointHex.y', y, _0n, max);
-
-      // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
-      // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
-      const y2 = modP(y * y); // denominator is always non-0 mod p.
-      const u = modP(y2 - _1n); // u = y² - 1
-      const v = modP(d * y2 - a); // v = d y² + 1.
-      let { isValid, value: x } = uvRatio(u, v); // √(u/v)
-      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
-      const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
-      const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
-      if (!zip215 && x === _0n && isLastByteOdd)
-        // if x=0 and x_0 = 1, fail
-        throw new Error('Point.fromHex: x=0 and x_0=1');
-      if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
-      return Point.fromAffine({ x, y });
-    }
     toBytes(): Uint8Array {
       const { x, y } = this.toAffine();
       const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
@@ -545,6 +499,29 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     toString() {
       return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
+
+    // TODO: remove
+    get ex(): bigint {
+      return this.X;
+    }
+    get ey(): bigint {
+      return this.Y;
+    }
+    get ez(): bigint {
+      return this.Z;
+    }
+    get et(): bigint {
+      return this.T;
+    }
+    static normalizeZ(points: Point[]): Point[] {
+      return normalizeZ(Point, points);
+    }
+    static msm(points: Point[], scalars: bigint[]): Point {
+      return pippenger(Point, Fn, points, scalars);
+    }
+    _setWindowSize(windowSize: number) {
+      this.precompute(windowSize);
+    }
   }
   const wnaf = new wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
   return Point;
@@ -575,11 +552,11 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
 
   // Static methods that must be implemented by subclasses
   static fromBytes(_bytes: Uint8Array): any {
-    throw new Error('fromBytes must be implemented by subclass');
+    notImplemented();
   }
 
   static fromHex(_hex: Hex): any {
-    throw new Error('fromHex must be implemented by subclass');
+    notImplemented();
   }
 
   get x(): bigint {
@@ -663,7 +640,7 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
 /**
  * Initializes EdDSA signatures over given Edwards curve.
  */
-export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts): EdDSA {
+export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts = {}): EdDSA {
   if (typeof cHash !== 'function') throw new Error('"hash" function param is required');
   _validateObject(
     eddsaOpts,
@@ -686,7 +663,7 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   const domain =
     eddsaOpts.domain ||
     ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-      abool('phflag', phflag);
+      abool(phflag, 'phflag');
       if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
       return data;
     }); // NOOP
@@ -703,7 +680,7 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
 
   // Get the hashed private scalar per RFC8032 5.1.5
   function getPrivateScalar(key: Hex) {
-    const len = Fp.BYTES;
+    const len = lengths.secret;
     key = ensureBytes('private key', key, len);
     // Hash private key with curve's hash function to produce uniformingly random input
     // Check byte lengths: ensure(64, h(ensure(32, key)))
@@ -757,21 +734,23 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
    */
   function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
     const { context, zip215 } = options;
-    const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
-    sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
+    const len = lengths.signature; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+    sig = ensureBytes('signature', sig, len); // An extended group equation is checked.
     msg = ensureBytes('message', msg);
-    publicKey = ensureBytes('publicKey', publicKey, len);
-    if (zip215 !== undefined) abool('zip215', zip215);
+    publicKey = ensureBytes('publicKey', publicKey, lengths.public);
+    if (zip215 !== undefined) abool(zip215, 'zip215');
     if (prehash) msg = prehash(msg); // for ed25519ph, etc
 
-    const s = bytesToNumberLE(sig.slice(len, 2 * len));
+    const mid = len / 2;
+    const r = sig.subarray(0, mid);
+    const s = bytesToNumberLE(sig.subarray(mid, len));
     let A, R, SB;
     try {
       // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
       // zip215=true:  0 <= y < MASK (2^256 for ed25519)
       // zip215=false: 0 <= y < P (2^255-19 for ed25519)
-      A = Point.fromHex(publicKey, zip215);
-      R = Point.fromHex(sig.slice(0, len), zip215);
+      A = Point.fromBytes(publicKey, zip215);
+      R = Point.fromBytes(r, zip215);
       SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
     } catch (error) {
       return false;
@@ -787,27 +766,42 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
 
   G.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
 
-  const size = Fp.BYTES;
+  const _size = Fp.BYTES;
   const lengths = {
-    secret: size,
-    public: size,
-    signature: 2 * size,
-    seed: size,
+    secret: _size,
+    public: _size,
+    signature: 2 * _size,
+    seed: _size,
   };
   function randomSecretKey(seed = randomBytes_!(lengths.seed)): Uint8Array {
-    return seed;
+    return abytes(seed, lengths.seed, 'seed');
+  }
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  }
+
+  function isValidSecretKey(key: Uint8Array): boolean {
+    try {
+      return !!Fn.fromBytes(key, false);
+    } catch (error) {
+      return false;
+    }
+  }
+
+  function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
+    try {
+      return !!Point.fromBytes(key, zip215);
+    } catch (error) {
+      return false;
+    }
   }
 
   const utils = {
     getExtendedPublicKey,
-    /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
     randomSecretKey,
-
     isValidSecretKey,
     isValidPublicKey,
-
-    randomPrivateKey: randomSecretKey,
-
     /**
      * Converts ed public key to x public key. Uses formula:
      * - ed25519:
@@ -824,50 +818,28 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
      */
     toMontgomery(publicKey: Uint8Array): Uint8Array {
       const { y } = Point.fromBytes(publicKey);
+      const size = lengths.public;
       const is25519 = size === 32;
       if (!is25519 && size !== 57) throw new Error('only defined for 25519 and 448');
       const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
       return Fp.toBytes(u);
     },
 
-    toMontgomeryPriv(privateKey: Uint8Array): Uint8Array {
-      abytes(privateKey, size);
-      const hashed = cHash(privateKey.subarray(0, size));
+    toMontgomeryPriv(secretKey: Uint8Array): Uint8Array {
+      const size = lengths.secret;
+      abytes(secretKey, size);
+      const hashed = cHash(secretKey.subarray(0, size));
       return adjustScalarBytes(hashed).subarray(0, size);
     },
 
-    /**
-     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
-     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
-     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
-     * @param windowSize 2, 4, 8, 16
-     */
+    /** @deprecated */
+    randomPrivateKey: randomSecretKey,
+    /** @deprecated */
     precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
       return point.precompute(windowSize, false);
     },
   };
 
-  function keygen(seed?: Uint8Array) {
-    const secretKey = utils.randomSecretKey(seed);
-    return { secretKey, publicKey: getPublicKey(secretKey) };
-  }
-
-  function isValidSecretKey(key: Uint8Array): boolean {
-    try {
-      return !!Fn.fromBytes(key, false);
-    } catch (error) {
-      return false;
-    }
-  }
-
-  function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
-    try {
-      return !!Point.fromBytes(key, zip215);
-    } catch (error) {
-      return false;
-    }
-  }
-
   return Object.freeze({
     keygen,
     getPublicKey,
@@ -875,18 +847,43 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
     verify,
     utils,
     Point,
-    info: { type: 'edwards' as const, lengths },
+    lengths,
   });
 }
 
-// TODO: remove
+// TODO: remove everything below
+export type CurveType = BasicCurve<bigint> & {
+  a: bigint; // curve param a
+  d: bigint; // curve param d
+  /** @deprecated the property will be removed in next release */
+  hash: FHash; // Hashing
+  randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
+  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
+  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
+  uvRatio?: UVRatio; // Ratio √(u/v)
+  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
+  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
+};
+export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
+export type CurveFn = {
+  /** @deprecated the property will be removed in next release */
+  CURVE: CurveType;
+  keygen: EdDSA['keygen'];
+  getPublicKey: EdDSA['getPublicKey'];
+  sign: EdDSA['sign'];
+  verify: EdDSA['verify'];
+  Point: EdwardsPointCons;
+  /** @deprecated use `Point` */
+  ExtendedPoint: EdwardsPointCons;
+  utils: EdDSA['utils'];
+  lengths: CurveLengths;
+};
 export type EdComposed = {
   CURVE: EdwardsOpts;
   curveOpts: EdwardsExtraOpts;
   hash: FHash;
   eddsaOpts: EdDSAOpts;
 };
-// TODO: remove
 function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
   const CURVE: EdwardsOpts = {
     a: c.a,
@@ -909,7 +906,6 @@ function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
   };
   return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
 }
-// TODO: remove
 function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
   const legacy = Object.assign({}, eddsa, { ExtendedPoint: eddsa.Point, CURVE: c });
   return legacy;

package/src/abstract/modular.ts

@@ -384,7 +384,7 @@ type FieldOpts = Partial<{
   sqrt: SqrtFn;
   isLE: boolean;
   BITS: number;
-  modOnDecode: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
   allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
 }>;
 /**
@@ -415,7 +415,7 @@ export function Field(
   if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
   let _nbitLength: number | undefined = undefined;
   let _sqrt: SqrtFn | undefined = undefined;
-  let modOnDecode: boolean = false;
+  let modFromBytes: boolean = false;
   let allowedLengths: undefined | readonly number[] = undefined;
   if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
     if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
@@ -423,7 +423,7 @@ export function Field(
     if (_opts.BITS) _nbitLength = _opts.BITS;
     if (_opts.sqrt) _sqrt = _opts.sqrt;
     if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
-    if (typeof _opts.modOnDecode === 'boolean') modOnDecode = _opts.modOnDecode;
+    if (typeof _opts.modFromBytes === 'boolean') modFromBytes = _opts.modFromBytes;
     allowedLengths = _opts.allowedLengths;
   } else {
     if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
@@ -490,7 +490,7 @@ export function Field(
       if (bytes.length !== BYTES)
         throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
       let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
-      if (modOnDecode) scalar = mod(scalar, ORDER);
+      if (modFromBytes) scalar = mod(scalar, ORDER);
       if (!skipValidation)
         if (!f.isValid(scalar)) throw new Error('invalid field element: outside of range 0..ORDER');
       // NOTE: we don't validate scalar here, please use isValid. This done such way because some

package/src/abstract/montgomery.ts

@@ -7,13 +7,14 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
   _validateObject,
+  abytes,
   aInRange,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesLE,
   randomBytes,
 } from '../utils.ts';
-import type { CurveInfo } from './curve.ts';
+import type { CurveLengths } from './curve.ts';
 import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
@@ -40,11 +41,7 @@ export type MontgomeryECDH = {
     randomPrivateKey: () => Uint8Array;
   };
   GuBytes: Uint8Array;
-  info: {
-    type: 'montgomery';
-    lengths: Omit<CurveInfo['lengths'], 'signature'>;
-    publicKeyHasPrefix?: boolean;
-  };
+  lengths: CurveLengths;
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
 };
 export type CurveFn = MontgomeryECDH;
@@ -167,20 +164,23 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
     return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
-  const randomSecretKey = (seed = randomBytes_(fieldLen)) => seed;
-  const utils = {
-    randomSecretKey,
-    randomPrivateKey: randomSecretKey,
-  };
-  function keygen(seed?: Uint8Array) {
-    const secretKey = utils.randomSecretKey(seed);
-    return { secretKey, publicKey: scalarMultBase(secretKey) };
-  }
   const lengths = {
     secret: fieldLen,
     public: fieldLen,
     seed: fieldLen,
   };
+  const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
+    abytes(seed, lengths.seed);
+    return seed;
+  };
+  function keygen(seed?: Uint8Array) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: scalarMultBase(secretKey) };
+  }
+  const utils = {
+    randomSecretKey,
+    randomPrivateKey: randomSecretKey,
+  };
   return {
     keygen,
     getSharedSecret: (secretKey: Hex, publicKey: Hex) => scalarMult(secretKey, publicKey),
@@ -189,6 +189,6 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     scalarMultBase,
     utils,
     GuBytes: GuBytes.slice(),
-    info: { type: 'montgomery' as const, lengths },
+    lengths,
   };
 }