@noble/curves 1.9.5 → 2.0.0-beta.1

package/src/abstract/hash-to-curve.ts

@@ -9,13 +9,13 @@ import type { CHash } from '../utils.ts';
 import {
   _validateObject,
   abytes,
+  asciiToBytes,
   bytesToNumberBE,
   concatBytes,
   isBytes,
   isHash,
-  utf8ToBytes,
 } from '../utils.ts';
-import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
+import type { AffinePoint, PC_ANY, PC_F, PC_P } from './curve.ts';
 import { FpInvertBatch, mod, type IField } from './modular.ts';
 
 export type UnicodeOrBytes = string | Uint8Array;
@@ -40,8 +40,6 @@ export type H2CHashOpts = {
   expand: 'xmd' | 'xof';
   hash: CHash;
 };
-// todo: remove
-export type Opts = H2COpts;
 
 // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
 const os2ip = bytesToNumberBE;
@@ -71,9 +69,12 @@ function anum(item: unknown): void {
   if (!Number.isSafeInteger(item)) throw new Error('number expected');
 }
 
+// User can always use utf8 if they want, by passing Uint8Array.
+// If string is passed, we treat it as ASCII: other formats are likely a mistake.
 function normDST(DST: UnicodeOrBytes): Uint8Array {
-  if (!isBytes(DST) && typeof DST !== 'string') throw new Error('DST must be Uint8Array or string');
-  return typeof DST === 'string' ? utf8ToBytes(DST) : DST;
+  if (!isBytes(DST) && typeof DST !== 'string')
+    throw new Error('DST must be Uint8Array or ascii string');
+  return typeof DST === 'string' ? asciiToBytes(DST) : DST;
 }
 
 /**
@@ -90,7 +91,7 @@ export function expand_message_xmd(
   anum(lenInBytes);
   DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
-  if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
+  if (DST.length > 255) DST = H(concatBytes(asciiToBytes('H2C-OVERSIZE-DST-'), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
   const ell = Math.ceil(lenInBytes / b_in_bytes);
   if (lenInBytes > 65535 || ell > 255) throw new Error('expand_message_xmd: invalid lenInBytes');
@@ -129,7 +130,7 @@ export function expand_message_xof(
   // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
   if (DST.length > 255) {
     const dkLen = Math.ceil((2 * k) / 8);
-    DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
+    DST = H.create({ dkLen }).update(asciiToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
   }
   if (lenInBytes > 65535 || DST.length > 255)
     throw new Error('expand_message_xof: invalid lenInBytes');
@@ -210,30 +211,16 @@ export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): X
   };
 }
 
-/** Point interface, which curves must implement to work correctly with the module. */
-export interface H2CPoint<T> extends Group<H2CPoint<T>> {
-  add(rhs: H2CPoint<T>): H2CPoint<T>;
-  toAffine(iz?: bigint): AffinePoint<T>;
-  clearCofactor(): H2CPoint<T>;
-  assertValidity(): void;
-}
-
-export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
-  fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
-}
-
 export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
 
 // Separated from initialization opts, so users won't accidentally change per-curve parameters
 // (changing DST is ok!)
 export type htfBasicOpts = { DST: UnicodeOrBytes };
-export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
+export type H2CMethod<P> = (msg: Uint8Array, options?: htfBasicOpts) => P;
 // TODO: remove
-export type HTFMethod<T> = H2CMethod<T>;
-export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
-export type H2CHasherBase<T> = {
-  hashToCurve: H2CMethod<T>;
-  hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
+export type H2CHasherBase<P> = {
+  hashToCurve: H2CMethod<P>;
+  hashToScalar: (msg: Uint8Array, options?: htfBasicOpts) => bigint;
 };
 /**
  * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
@@ -242,44 +229,44 @@ export type H2CHasherBase<T> = {
  * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
  * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
  */
-export type H2CHasher<T> = H2CHasherBase<T> & {
-  encodeToCurve: H2CMethod<T>;
-  mapToCurve: MapMethod<T>;
+export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC_P<PC>> & {
+  Point: PC;
+  encodeToCurve: H2CMethod<PC_P<PC>>;
+  mapToCurve: MapToCurve<PC_F<PC>>;
   defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
 };
-// TODO: remove
-export type Hasher<T> = H2CHasher<T>;
 
-export const _DST_scalar: Uint8Array = utf8ToBytes('HashToScalar-');
+export const _DST_scalar: Uint8Array = asciiToBytes('HashToScalar-');
 
 /** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
-export function createHasher<T>(
-  Point: H2CPointConstructor<T>,
-  mapToCurve: MapToCurve<T>,
+export function createHasher<PC extends PC_ANY>(
+  Point: PC,
+  mapToCurve: MapToCurve<PC_F<PC>>,
   defaults: H2COpts & { encodeDST?: UnicodeOrBytes }
-): H2CHasher<T> {
+): H2CHasher<PC> {
   if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
-  function map(num: bigint[]) {
-    return Point.fromAffine(mapToCurve(num));
+  function map(num: bigint[]): PC_P<PC> {
+    return Point.fromAffine(mapToCurve(num)) as PC_P<PC>;
   }
-  function clear(initial: H2CPoint<T>) {
+  function clear(initial: PC_P<PC>): PC_P<PC> {
     const P = initial.clearCofactor();
-    if (P.equals(Point.ZERO)) return Point.ZERO; // zero will throw in assert
+    if (P.equals(Point.ZERO)) return Point.ZERO as PC_P<PC>; // zero will throw in assert
     P.assertValidity();
-    return P;
+    return P as PC_P<PC>;
   }
 
   return {
     defaults,
+    Point,
 
-    hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
+    hashToCurve(msg: Uint8Array, options?: htfBasicOpts): PC_P<PC> {
       const opts = Object.assign({}, defaults, options);
       const u = hash_to_field(msg, 2, opts);
       const u0 = map(u[0]);
       const u1 = map(u[1]);
-      return clear(u0.add(u1));
+      return clear(u0.add(u1) as PC_P<PC>);
     },
-    encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
+    encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): PC_P<PC> {
       const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
       const opts = Object.assign({}, defaults, optsDst, options);
       const u = hash_to_field(msg, 1, opts);
@@ -287,7 +274,7 @@ export function createHasher<T>(
       return clear(u0);
     },
     /** See {@link H2CHasher} */
-    mapToCurve(scalars: bigint[]): H2CPoint<T> {
+    mapToCurve(scalars: bigint[]): PC_P<PC> {
       if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
       for (const i of scalars)
         if (typeof i !== 'bigint') throw new Error('expected array of bigints');

package/src/abstract/modular.ts

@@ -7,17 +7,16 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
   _validateObject,
+  abytes,
   anumber,
-  bitMask,
   bytesToNumberBE,
   bytesToNumberLE,
-  ensureBytes,
   numberToBytesBE,
   numberToBytesLE,
 } from '../utils.ts';
 
 // prettier-ignore
-const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
+const _0n = BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
 const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
 // prettier-ignore
@@ -227,10 +226,9 @@ export const isNegativeLE = (num: bigint, modulo: bigint): boolean =>
 /** Field is not always over prime: for example, Fp2 has ORDER(q)=p^m. */
 export interface IField<T> {
   ORDER: bigint;
-  isLE: boolean;
   BYTES: number;
   BITS: number;
-  MASK: bigint;
+  isLE: boolean;
   ZERO: T;
   ONE: T;
   // 1-arg
@@ -260,7 +258,6 @@ export interface IField<T> {
   // [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
   // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
   isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
-  allowedLengths?: number[];
   // legendre?(num: T): T;
   invertBatch: (lst: T[]) => T[];
   toBytes(num: T): Uint8Array;
@@ -277,7 +274,6 @@ const FIELD_FIELDS = [
 export function validateField<T>(field: IField<T>): IField<T> {
   const initial = {
     ORDER: 'bigint',
-    MASK: 'bigint',
     BYTES: 'number',
     BITS: 'number',
   } as Record<string, string>;
@@ -381,12 +377,147 @@ export function nLength(n: bigint, nBitLength?: number): NLength {
 type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
 type SqrtFn = (n: bigint) => bigint;
 type FieldOpts = Partial<{
-  sqrt: SqrtFn;
   isLE: boolean;
   BITS: number;
-  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+  sqrt: SqrtFn;
   allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
+  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
 }>;
+class _Field implements IField<bigint> {
+  readonly ORDER: bigint;
+  readonly BITS: number;
+  readonly BYTES: number;
+  readonly isLE: boolean;
+  readonly ZERO = _0n;
+  readonly ONE = _1n;
+  readonly _lengths?: number[];
+  private _sqrt: ReturnType<typeof FpSqrt> | undefined; // cached sqrt
+  private readonly _mod?: boolean;
+  constructor(ORDER: bigint, opts: FieldOpts = {}) {
+    if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
+    let _nbitLength: number | undefined = undefined;
+    this.isLE = false;
+    if (opts != null && typeof opts === 'object') {
+      if (typeof opts.BITS === 'number') _nbitLength = opts.BITS;
+      if (typeof opts.sqrt === 'function') this.sqrt = opts.sqrt;
+      if (typeof opts.isLE === 'boolean') this.isLE = opts.isLE;
+      if (opts.allowedLengths) this._lengths = opts.allowedLengths?.slice();
+      if (typeof opts.modFromBytes === 'boolean') this._mod = opts.modFromBytes;
+    }
+    const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+    if (nByteLength > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+    this.ORDER = ORDER;
+    this.BITS = nBitLength;
+    this.BYTES = nByteLength;
+    this._sqrt = undefined;
+    Object.preventExtensions(this);
+  }
+
+  create(num: bigint) {
+    return mod(num, this.ORDER);
+  }
+  isValid(num: bigint) {
+    if (typeof num !== 'bigint')
+      throw new Error('invalid field element: expected bigint, got ' + typeof num);
+    return _0n <= num && num < this.ORDER; // 0 is valid element, but it's not invertible
+  }
+  is0(num: bigint) {
+    return num === _0n;
+  }
+  // is valid and invertible
+  isValidNot0(num: bigint) {
+    return !this.is0(num) && this.isValid(num);
+  }
+  isOdd(num: bigint) {
+    return (num & _1n) === _1n;
+  }
+  neg(num: bigint) {
+    return mod(-num, this.ORDER);
+  }
+  eql(lhs: bigint, rhs: bigint) {
+    return lhs === rhs;
+  }
+
+  sqr(num: bigint) {
+    return mod(num * num, this.ORDER);
+  }
+  add(lhs: bigint, rhs: bigint) {
+    return mod(lhs + rhs, this.ORDER);
+  }
+  sub(lhs: bigint, rhs: bigint) {
+    return mod(lhs - rhs, this.ORDER);
+  }
+  mul(lhs: bigint, rhs: bigint) {
+    return mod(lhs * rhs, this.ORDER);
+  }
+  pow(num: bigint, power: bigint): bigint {
+    return FpPow(this, num, power);
+  }
+  div(lhs: bigint, rhs: bigint) {
+    return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
+  }
+
+  // Same as above, but doesn't normalize
+  sqrN(num: bigint) {
+    return num * num;
+  }
+  addN(lhs: bigint, rhs: bigint) {
+    return lhs + rhs;
+  }
+  subN(lhs: bigint, rhs: bigint) {
+    return lhs - rhs;
+  }
+  mulN(lhs: bigint, rhs: bigint) {
+    return lhs * rhs;
+  }
+
+  inv(num: bigint) {
+    return invert(num, this.ORDER);
+  }
+  sqrt(num: bigint): bigint {
+    // Caching _sqrt speeds up sqrt9mod16 by 5x and tonneli-shanks by 10%
+    if (!this._sqrt) this._sqrt = FpSqrt(this.ORDER);
+    return this._sqrt(this, num);
+  }
+  toBytes(num: bigint) {
+    return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+  }
+  fromBytes(bytes: Uint8Array, skipValidation = false) {
+    abytes(bytes);
+    const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
+    if (allowedLengths) {
+      if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+        throw new Error(
+          'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
+        );
+      }
+      const padded = new Uint8Array(BYTES);
+      // isLE add 0 to right, !isLE to the left.
+      padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+      bytes = padded;
+    }
+    if (bytes.length !== BYTES)
+      throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
+    let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    if (modFromBytes) scalar = mod(scalar, ORDER);
+    if (!skipValidation)
+      if (!this.isValid(scalar))
+        throw new Error('invalid field element: outside of range 0..ORDER');
+    // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+    // protocol may allow non-reduced scalar that reduced later or changed some other way.
+    return scalar;
+  }
+  // TODO: we don't need it here, move out to separate fn
+  invertBatch(lst: bigint[]): bigint[] {
+    return FpInvertBatch(this, lst);
+  }
+  // We can't move this out because Fp6, Fp12 implement it
+  // and it's unclear what to return in there.
+  cmov(a: bigint, b: bigint, condition: boolean) {
+    return condition ? b : a;
+  }
+}
+
 /**
  * Creates a finite field. Major performance optimizations:
  * * 1. Denormalized operations like mulN instead of mul.
@@ -406,104 +537,8 @@ type FieldOpts = Partial<{
  * @param isLE (default: false) if encoding / decoding should be in little-endian
  * @param redef optional faster redefinitions of sqrt and other methods
  */
-export function Field(
-  ORDER: bigint,
-  bitLenOrOpts?: number | FieldOpts, // TODO: use opts only in v2?
-  isLE = false,
-  opts: { sqrt?: SqrtFn } = {}
-): Readonly<FpField> {
-  if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-  let _nbitLength: number | undefined = undefined;
-  let _sqrt: SqrtFn | undefined = undefined;
-  let modFromBytes: boolean = false;
-  let allowedLengths: undefined | readonly number[] = undefined;
-  if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
-    if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
-    const _opts = bitLenOrOpts;
-    if (_opts.BITS) _nbitLength = _opts.BITS;
-    if (_opts.sqrt) _sqrt = _opts.sqrt;
-    if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
-    if (typeof _opts.modFromBytes === 'boolean') modFromBytes = _opts.modFromBytes;
-    allowedLengths = _opts.allowedLengths;
-  } else {
-    if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
-    if (opts.sqrt) _sqrt = opts.sqrt;
-  }
-  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
-  if (BYTES > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
-  let sqrtP: ReturnType<typeof FpSqrt>; // cached sqrtP
-  const f: Readonly<FpField> = Object.freeze({
-    ORDER,
-    isLE,
-    BITS,
-    BYTES,
-    MASK: bitMask(BITS),
-    ZERO: _0n,
-    ONE: _1n,
-    allowedLengths: allowedLengths,
-    create: (num) => mod(num, ORDER),
-    isValid: (num) => {
-      if (typeof num !== 'bigint')
-        throw new Error('invalid field element: expected bigint, got ' + typeof num);
-      return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
-    },
-    is0: (num) => num === _0n,
-    // is valid and invertible
-    isValidNot0: (num: bigint) => !f.is0(num) && f.isValid(num),
-    isOdd: (num) => (num & _1n) === _1n,
-    neg: (num) => mod(-num, ORDER),
-    eql: (lhs, rhs) => lhs === rhs,
-
-    sqr: (num) => mod(num * num, ORDER),
-    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
-    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-    pow: (num, power) => FpPow(f, num, power),
-    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
-
-    // Same as above, but doesn't normalize
-    sqrN: (num) => num * num,
-    addN: (lhs, rhs) => lhs + rhs,
-    subN: (lhs, rhs) => lhs - rhs,
-    mulN: (lhs, rhs) => lhs * rhs,
-
-    inv: (num) => invert(num, ORDER),
-    sqrt:
-      _sqrt ||
-      ((n) => {
-        if (!sqrtP) sqrtP = FpSqrt(ORDER);
-        return sqrtP(f, n);
-      }),
-    toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-    fromBytes: (bytes, skipValidation = true) => {
-      if (allowedLengths) {
-        if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
-          throw new Error(
-            'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
-          );
-        }
-        const padded = new Uint8Array(BYTES);
-        // isLE add 0 to right, !isLE to the left.
-        padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
-        bytes = padded;
-      }
-      if (bytes.length !== BYTES)
-        throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-      let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
-      if (modFromBytes) scalar = mod(scalar, ORDER);
-      if (!skipValidation)
-        if (!f.isValid(scalar)) throw new Error('invalid field element: outside of range 0..ORDER');
-      // NOTE: we don't validate scalar here, please use isValid. This done such way because some
-      // protocol may allow non-reduced scalar that reduced later or changed some other way.
-      return scalar;
-    },
-    // TODO: we don't need it here, move out to separate fn
-    invertBatch: (lst) => FpInvertBatch(f, lst),
-    // We can't move this out because Fp6, Fp12 implement it
-    // and it's unclear what to return in there.
-    cmov: (a, b, c) => (c ? b : a),
-  } as FpField);
-  return Object.freeze(f);
+export function Field(ORDER: bigint, opts: FieldOpts = {}): Readonly<FpField> {
+  return new _Field(ORDER, opts);
 }
 
 // Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
@@ -532,28 +567,6 @@ export function FpSqrtEven<T>(Fp: IField<T>, elm: T): T {
   return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
 
-/**
- * "Constant-time" private key generation utility.
- * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
- * Which makes it slightly more biased, less secure.
- * @deprecated use `mapKeyToField` instead
- */
-export function hashToPrivateScalar(
-  hash: string | Uint8Array,
-  groupOrder: bigint,
-  isLE = false
-): bigint {
-  hash = ensureBytes('privateHash', hash);
-  const hashLen = hash.length;
-  const minLen = nLength(groupOrder).nByteLength + 8;
-  if (minLen < 24 || hashLen < minLen || hashLen > 1024)
-    throw new Error(
-      'hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen
-    );
-  const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-  return mod(num, groupOrder - _1n) + _1n;
-}
-
 /**
  * Returns total number of bytes consumed by the field element.
  * For example, 32 bytes for usual 256-bit weierstrass curve.
@@ -587,11 +600,12 @@ export function getMinHashLength(fieldOrder: bigint): number {
  * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
  * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
  * @param hash hash output from SHA3 or a similar function
- * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
+ * @param groupOrder size of subgroup - (e.g. secp256k1.Point.Fn.ORDER)
  * @param isLE interpret hash bytes as LE num
  * @returns valid private scalar
  */
 export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false): Uint8Array {
+  abytes(key);
   const len = key.length;
   const fieldLen = getFieldBytesLength(fieldOrder);
   const minLen = getMinHashLength(fieldOrder);

package/src/abstract/montgomery.ts

@@ -10,9 +10,10 @@ import {
   abytes,
   aInRange,
   bytesToNumberLE,
-  ensureBytes,
+  copyBytes,
   numberToBytesLE,
   randomBytes,
+  type CryptoKeys,
 } from '../utils.ts';
 import type { CurveLengths } from './curve.ts';
 import { mod } from './modular.ts';
@@ -20,7 +21,6 @@ import { mod } from './modular.ts';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
-type Hex = string | Uint8Array;
 
 export type CurveType = {
   P: bigint; // finite field prime
@@ -31,20 +31,17 @@ export type CurveType = {
 };
 
 export type MontgomeryECDH = {
-  scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
-  scalarMultBase: (scalar: Hex) => Uint8Array;
-  getSharedSecret: (secretKeyA: Hex, publicKeyB: Hex) => Uint8Array;
-  getPublicKey: (secretKey: Hex) => Uint8Array;
+  scalarMult: (scalar: Uint8Array, u: Uint8Array) => Uint8Array;
+  scalarMultBase: (scalar: Uint8Array) => Uint8Array;
+  getSharedSecret: (secretKeyA: Uint8Array, publicKeyB: Uint8Array) => Uint8Array;
+  getPublicKey: (secretKey: Uint8Array) => Uint8Array;
   utils: {
     randomSecretKey: () => Uint8Array;
-    /** @deprecated use `randomSecretKey` */
-    randomPrivateKey: () => Uint8Array;
   };
   GuBytes: Uint8Array;
   lengths: CurveLengths;
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
 };
-export type CurveFn = MontgomeryECDH;
 
 function validateOpts(curve: CurveType) {
   _validateObject(curve, {
@@ -82,8 +79,8 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
   function encodeU(u: bigint): Uint8Array {
     return numberToBytesLE(modP(u), fieldLen);
   }
-  function decodeU(u: Hex): bigint {
-    const _u = ensureBytes('u coordinate', u, fieldLen);
+  function decodeU(u: Uint8Array): bigint {
+    const _u = copyBytes(abytes(u, fieldLen, 'uCoordinate'));
     // RFC: When receiving such an array, implementations of X25519
     // (but not X448) MUST mask the most significant bit in the final byte.
     if (is25519) _u[31] &= 127; // 0b0111_1111
@@ -93,10 +90,10 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     // - 1 through 2^448 - 1 for X448.
     return modP(bytesToNumberLE(_u));
   }
-  function decodeScalar(scalar: Hex): bigint {
-    return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
+  function decodeScalar(scalar: Uint8Array): bigint {
+    return bytesToNumberLE(adjustScalarBytes(copyBytes(abytes(scalar, fieldLen, 'scalar'))));
   }
-  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
+  function scalarMult(scalar: Uint8Array, u: Uint8Array): Uint8Array {
     const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
     // Some public keys are useless, of low-order. Curve author doesn't think
     // it needs to be validated, but we do it nonetheless.
@@ -105,7 +102,7 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     return encodeU(pu);
   }
   // Computes public key from private. By doing scalar multiplication of base point.
-  function scalarMultBase(scalar: Hex): Uint8Array {
+  function scalarMultBase(scalar: Uint8Array): Uint8Array {
     return scalarMult(scalar, GuBytes);
   }
 
@@ -165,12 +162,12 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
   const lengths = {
-    secret: fieldLen,
-    public: fieldLen,
+    secretKey: fieldLen,
+    publicKey: fieldLen,
     seed: fieldLen,
   };
   const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
-    abytes(seed, lengths.seed);
+    abytes(seed, lengths.seed, 'seed');
     return seed;
   };
   function keygen(seed?: Uint8Array) {
@@ -181,14 +178,16 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     randomSecretKey,
     randomPrivateKey: randomSecretKey,
   };
-  return {
+
+  return Object.freeze({
     keygen,
-    getSharedSecret: (secretKey: Hex, publicKey: Hex) => scalarMult(secretKey, publicKey),
-    getPublicKey: (secretKey: Hex): Uint8Array => scalarMultBase(secretKey),
+    getSharedSecret: (secretKey: Uint8Array, publicKey: Uint8Array) =>
+      scalarMult(secretKey, publicKey),
+    getPublicKey: (secretKey: Uint8Array): Uint8Array => scalarMultBase(secretKey),
     scalarMult,
     scalarMultBase,
     utils,
     GuBytes: GuBytes.slice(),
     lengths,
-  };
+  }) satisfies CryptoKeys;
 }