@noble/curves 2.0.0-beta.1 → 2.0.0-beta.2

package/src/nist.ts

@@ -19,7 +19,7 @@ import {
 
 // p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
 // a = Fp256.create(BigInt('-3'));
-const p256_CURVE: WeierstrassOpts<bigint> = {
+const p256_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
   h: BigInt(1),
@@ -27,10 +27,10 @@ const p256_CURVE: WeierstrassOpts<bigint> = {
   b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
   Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
   Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-};
+}))();
 
 // p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-const p384_CURVE: WeierstrassOpts<bigint> = {
+const p384_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt(
     '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
   ),
@@ -50,10 +50,10 @@ const p384_CURVE: WeierstrassOpts<bigint> = {
   Gy: BigInt(
     '0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'
   ),
-};
+}))();
 
 // p = 2n**521n - 1n
-const p521_CURVE: WeierstrassOpts<bigint> = {
+const p521_CURVE: WeierstrassOpts<bigint> = /* @__PURE__ */ (() => ({
   p: BigInt(
     '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
   ),
@@ -73,21 +73,36 @@ const p521_CURVE: WeierstrassOpts<bigint> = {
   Gy: BigInt(
     '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
   ),
-};
+}))();
 
 type SwuOpts = {
   A: bigint;
   B: bigint;
   Z: bigint;
 };
+
 function createSWU(Point: WeierstrassPointCons<bigint>, opts: SwuOpts) {
   const map = mapToCurveSimpleSWU(Point.Fp, opts);
   return (scalars: bigint[]) => map(scalars[0]);
 }
 
-/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
-
+// NIST P256
 const p256_Point = /* @__PURE__ */ weierstrass(p256_CURVE);
+/**
+ * NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods.
+ * Hashes inputs with sha256 by default.
+ *
+ * @example
+ * ```js
+ * import { p256 } from '@noble/curves/nist.js';
+ * const { secretKey, publicKey } = p256.keygen();
+ * // const publicKey = p256.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
+ * const sig = p256.sign(msg, secretKey);
+ * const isValid = p256.verify(sig, msg, publicKey);
+ * // const sigKeccak = p256.sign(keccak256(msg), secretKey, { prehash: false });
+ * ```
+ */
 export const p256: ECDSA = /* @__PURE__ */ ecdsa(p256_Point, sha256);
 /** Hashing / encoding to p256 points / field. RFC 9380 methods. */
 export const p256_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
@@ -109,7 +124,7 @@ export const p256_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__
     }
   );
 })();
-
+/** p256 OPRF, defined in RFC 9497. */
 export const p256_oprf: OPRF = /* @__PURE__ */ (() =>
   createORPF({
     name: 'P256-SHA256',
@@ -119,8 +134,9 @@ export const p256_oprf: OPRF = /* @__PURE__ */ (() =>
     hashToScalar: p256_hasher.hashToScalar,
   }))();
 
+// NIST P384
 const p384_Point = /* @__PURE__ */ weierstrass(p384_CURVE);
-/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
+/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. Hashes inputs with sha384 by default. */
 export const p384: ECDSA = /* @__PURE__ */ ecdsa(p384_Point, sha384);
 /** Hashing / encoding to p384 points / field. RFC 9380 methods. */
 export const p384_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
@@ -142,7 +158,7 @@ export const p384_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__
     }
   );
 })();
-
+/** p384 OPRF, defined in RFC 9497. */
 export const p384_oprf: OPRF = /* @__PURE__ */ (() =>
   createORPF({
     name: 'P384-SHA384',
@@ -152,11 +168,11 @@ export const p384_oprf: OPRF = /* @__PURE__ */ (() =>
     hashToScalar: p384_hasher.hashToScalar,
   }))();
 
-const Fn521 = /* @__PURE__ */ Field(p521_CURVE.n, { allowedLengths: [65, 66] });
+// NIST P521
+const Fn521 = /* @__PURE__ */ (() => Field(p521_CURVE.n, { allowedLengths: [65, 66] }))();
 const p521_Point = /* @__PURE__ */ weierstrass(p521_CURVE, { Fn: Fn521 });
-/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
+/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. Hashes inputs with sha512 by default. */
 export const p521: ECDSA = /* @__PURE__ */ ecdsa(p521_Point, sha512);
-
 /** Hashing / encoding to p521 points / field. RFC 9380 methods. */
 export const p521_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
@@ -177,7 +193,7 @@ export const p521_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__
     }
   );
 })();
-
+/** p521 OPRF, defined in RFC 9497. */
 export const p521_oprf: OPRF = /* @__PURE__ */ (() =>
   createORPF({
     name: 'P521-SHA512',

package/src/secp256k1.ts

@@ -8,7 +8,7 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha2.js';
 import { randomBytes } from '@noble/hashes/utils.js';
-import type { CurveLengths } from './abstract/curve.ts';
+import { createKeygen, type CurveLengths } from './abstract/curve.ts';
 import { createHasher, type H2CHasher, isogenyMap } from './abstract/hash-to-curve.ts';
 import { Field, mapHashToField, pow2 } from './abstract/modular.ts';
 import {
@@ -21,7 +21,7 @@ import {
   type WeierstrassOpts,
   type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
-import { abytes, asciiToBytes, bytesToNumberBE, concatBytes, inRange } from './utils.ts';
+import { abytes, asciiToBytes, bytesToNumberBE, concatBytes } from './utils.ts';
 
 // Seems like generator was produced from some seed:
 // `Pointk1.BASE.multiply(Pointk1.Fn.inv(2n, N)).toAffine().x`
@@ -45,7 +45,6 @@ const secp256k1_ENDO: EndomorphismOpts = {
 };
 
 const _0n = /* @__PURE__ */ BigInt(0);
-const _1n = /* @__PURE__ */ BigInt(1);
 const _2n = /* @__PURE__ */ BigInt(2);
 
 /**
@@ -83,20 +82,22 @@ const Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
 });
 
 /**
- * secp256k1 curve, ECDSA and ECDH methods.
+ * secp256k1 curve: ECDSA and ECDH methods.
  *
- * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
+ * Uses sha256 to hash messages. To use a different hash,
+ * pass `{ prehash: false }` to sign / verify.
  *
  * @example
  * ```js
- * import { secp256k1 } from '@noble/curves/secp256k1';
+ * import { secp256k1 } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = secp256k1.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = secp256k1.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = secp256k1.sign(msg, secretKey);
- * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
+ * const isValid = secp256k1.verify(sig, msg, publicKey);
+ * // const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
  * ```
  */
-
 export const secp256k1: ECDSA = /* @__PURE__ */ ecdsa(Pointk1, sha256);
 
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
@@ -188,16 +189,17 @@ function schnorrSign(
  * Will swallow errors & return false except for initial type validation of arguments.
  */
 function schnorrVerify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): boolean {
-  const { Fn, BASE } = Pointk1;
+  const { Fp, Fn, BASE } = Pointk1;
   const sig = abytes(signature, 64, 'signature');
   const m = abytes(message, undefined, 'message');
   const pub = abytes(publicKey, 32, 'publicKey');
   try {
     const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
     const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
-    if (!inRange(r, _1n, secp256k1_CURVE.p)) return false;
+    if (!Fp.isValidNot0(r)) return false;
     const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
-    if (!inRange(s, _1n, secp256k1_CURVE.n)) return false;
+    if (!Fn.isValidNot0(s)) return false;
+
     const e = challenge(Fn.toBytes(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
     // R = s⋅G - e⋅P, where -eP == (n-e)P
     const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
@@ -229,7 +231,7 @@ export type SecpSchnorr = {
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
  * ```js
- * import { schnorr } from '@noble/curves/secp256k1';
+ * import { schnorr } from '@noble/curves/secp256k1.js';
  * const { secretKey, publicKey } = schnorr.keygen();
  * // const publicKey = schnorr.getPublicKey(secretKey);
  * const msg = new TextEncoder().encode('hello');
@@ -243,12 +245,8 @@ export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
   const randomSecretKey = (seed = randomBytes(seedLength)): Uint8Array => {
     return mapHashToField(seed, secp256k1_CURVE.n);
   };
-  function keygen(seed?: Uint8Array) {
-    const secretKey = randomSecretKey(seed);
-    return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
-  }
   return {
-    keygen,
+    keygen: createKeygen(randomSecretKey, schnorrGetPublicKey),
     getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,

package/src/utils.ts

@@ -9,18 +9,15 @@ import {
   bytesToHex as bytesToHex_,
   concatBytes as concatBytes_,
   hexToBytes as hexToBytes_,
-  isBytes as isBytes_,
 } from '@noble/hashes/utils.js';
 export {
   abytes,
   anumber,
   bytesToHex,
-  bytesToUtf8,
   concatBytes,
   hexToBytes,
   isBytes,
   randomBytes,
-  utf8ToBytes
 } from '@noble/hashes/utils.js';
 const _0n = /* @__PURE__ */ BigInt(0);
 const _1n = /* @__PURE__ */ BigInt(1);
@@ -34,22 +31,29 @@ export type CHash = {
 export type FHash = (message: Uint8Array) => Uint8Array;
 export function abool(value: boolean, title: string = ''): boolean {
   if (typeof value !== 'boolean') {
-    const prefix = title && `"${title}"`;
+    const prefix = title && `"${title}" `;
     throw new Error(prefix + 'expected boolean, got type=' + typeof value);
   }
   return value;
 }
 
 // Used in weierstrass, der
-function abignumer(n: number | bigint) {
+function abignumber(n: number | bigint) {
   if (typeof n === 'bigint') {
     if (!isPosBig(n)) throw new Error('positive bigint expected, got ' + n);
   } else anumber(n);
   return n;
 }
 
+export function asafenumber(value: number, title: string = ''): void {
+  if (!Number.isSafeInteger(value)) {
+    const prefix = title && `"${title}" `;
+    throw new Error(prefix + 'expected safe integer, got type=' + typeof value);
+  }
+}
+
 export function numberToHexUnpadded(num: number | bigint): string {
-  const hex = abignumer(num).toString(16);
+  const hex = abignumber(num).toString(16);
   return hex.length & 1 ? '0' + hex : hex;
 }
 
@@ -68,7 +72,7 @@ export function bytesToNumberLE(bytes: Uint8Array): bigint {
 
 export function numberToBytesBE(n: number | bigint, len: number): Uint8Array {
   anumber(len);
-  n = abignumer(n);
+  n = abignumber(n);
   const res = hexToBytes_(n.toString(16).padStart(len * 2, '0'));
   if (res.length !== len) throw new Error('number too large');
   return res;
@@ -78,7 +82,7 @@ export function numberToBytesLE(n: number | bigint, len: number): Uint8Array {
 }
 // Unpadded, rarely used
 export function numberToVarBytesBE(n: number | bigint): Uint8Array {
-  return hexToBytes_(numberToHexUnpadded(abignumer(n)));
+  return hexToBytes_(numberToHexUnpadded(abignumber(n)));
 }
 
 // Compares 2 u8a-s in kinda constant time
@@ -114,16 +118,6 @@ export function asciiToBytes(ascii: string): Uint8Array {
   });
 }
 
-/**
- * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
- */
-// export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_;
-/**
- * Converts bytes to string using UTF8 encoding.
- * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'
- */
-// export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_;
-
 // Is positive bigint
 const isPosBig = (n: bigint) => typeof n === 'bigint' && _0n <= n;
 
@@ -194,14 +188,18 @@ type Pred<T> = (v: Uint8Array) => T | undefined;
 export function createHmacDrbg<T>(
   hashLen: number,
   qByteLen: number,
-  hmacFn: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array
+  hmacFn: (key: Uint8Array, message: Uint8Array) => Uint8Array
 ): (seed: Uint8Array, predicate: Pred<T>) => T {
-  if (typeof hashLen !== 'number' || hashLen < 2) throw new Error('hashLen must be a number');
-  if (typeof qByteLen !== 'number' || qByteLen < 2) throw new Error('qByteLen must be a number');
+  anumber(hashLen, 'hashLen');
+  anumber(qByteLen, 'qByteLen');
   if (typeof hmacFn !== 'function') throw new Error('hmacFn must be a function');
+  const u8n = (len: number): Uint8Array => new Uint8Array(len); // creates Uint8Array
+  const NULL = u8n(0);
+  const byte0 = Uint8Array.of(0x00);
+  const byte1 = Uint8Array.of(0x01);
+  const _maxDrbgIters = 1000;
+
   // Step B, Step C: set hashLen to 8*ceil(hlen/8)
-  const u8n = (len: number) => new Uint8Array(len); // creates Uint8Array
-  const u8of = (byte: number) => Uint8Array.of(byte); // another shortcut
   let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
   let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
   let i = 0; // Iterations counter, will throw when over 1000
@@ -210,18 +208,18 @@ export function createHmacDrbg<T>(
     k.fill(0);
     i = 0;
   };
-  const h = (...b: Uint8Array[]) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-  const reseed = (seed = u8n(0)) => {
+  const h = (...msgs: Uint8Array[]) => hmacFn(k, concatBytes_(v, ...msgs)); // hmac(k)(v, ...values)
+  const reseed = (seed = NULL) => {
     // HMAC-DRBG reseed() function. Steps D-G
-    k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed)
+    k = h(byte0, seed); // k = hmac(k || v || 0x00 || seed)
     v = h(); // v = hmac(k || v)
     if (seed.length === 0) return;
-    k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed)
+    k = h(byte1, seed); // k = hmac(k || v || 0x01 || seed)
     v = h(); // v = hmac(k || v)
   };
   const gen = () => {
     // HMAC-DRBG generate() function
-    if (i++ >= 1000) throw new Error('drbg: tried 1000 values');
+    if (i++ >= _maxDrbgIters) throw new Error('drbg: tried max amount of iterations');
     let len = 0;
     const out: Uint8Array[] = [];
     while (len < qByteLen) {
@@ -232,7 +230,7 @@ export function createHmacDrbg<T>(
     }
     return concatBytes_(...out);
   };
-  const genUntil = (seed: Uint8Array, pred: Pred<T>): T => {
+  const genUntil = (seed: Uint8Array<any>, pred: Pred<T>): T => {
     reset();
     reseed(seed); // Steps D-G
     let res: T | undefined = undefined; // Step H: grind until k is in [1..n-1]
@@ -243,59 +241,9 @@ export function createHmacDrbg<T>(
   return genUntil;
 }
 
-// Validating curves and fields
-
-const validatorFns = {
-  bigint: (val: any): boolean => typeof val === 'bigint',
-  function: (val: any): boolean => typeof val === 'function',
-  boolean: (val: any): boolean => typeof val === 'boolean',
-  string: (val: any): boolean => typeof val === 'string',
-  stringOrUint8Array: (val: any): boolean => typeof val === 'string' || isBytes_(val),
-  isSafeInteger: (val: any): boolean => Number.isSafeInteger(val),
-  array: (val: any): boolean => Array.isArray(val),
-  field: (val: any, object: any): any => (object as any).Fp.isValid(val),
-  hash: (val: any): boolean => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
-} as const;
-type Validator = keyof typeof validatorFns;
-type ValMap<T extends Record<string, any>> = { [K in keyof T]?: Validator };
-// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
-
-export function validateObject<T extends Record<string, any>>(
-  object: T,
-  validators: ValMap<T>,
-  optValidators: ValMap<T> = {}
-): T {
-  const checkField = (fieldName: keyof T, type: Validator, isOptional: boolean) => {
-    const checkVal = validatorFns[type];
-    if (typeof checkVal !== 'function') throw new Error('invalid validator function');
-
-    const val = object[fieldName as keyof typeof object];
-    if (isOptional && val === undefined) return;
-    if (!checkVal(val, object)) {
-      throw new Error(
-        'param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val
-      );
-    }
-  };
-  for (const [fieldName, type] of Object.entries(validators)) checkField(fieldName, type!, false);
-  for (const [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type!, true);
-  return object;
-}
-// validate type tests
-// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
-// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
-// // Should fail type-check
-// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
-// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
-// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
-// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
-
-export function isHash(val: CHash): boolean {
-  return typeof val === 'function' && Number.isSafeInteger(val.outputLen);
-}
-export function _validateObject(
+export function validateObject(
   object: Record<string, any>,
-  fields: Record<string, string>,
+  fields: Record<string, string> = {},
   optFields: Record<string, string> = {}
 ): void {
   if (!object || typeof object !== 'object') throw new Error('expected valid options object');
@@ -307,8 +255,10 @@ export function _validateObject(
     if (current !== expectedType || val === null)
       throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
   }
-  Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
-  Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
+  const iter = (f: typeof fields, isOpt: boolean) =>
+    Object.entries(f).forEach(([k, v]) => checkField(k, v, isOpt));
+  iter(fields, false);
+  iter(optFields, true);
 }
 
 /**