@noble/curves 2.0.0-beta.1 → 2.0.0-beta.3

package/src/abstract/hash-to-curve.ts

@@ -7,18 +7,18 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { CHash } from '../utils.ts';
 import {
-  _validateObject,
   abytes,
+  asafenumber,
   asciiToBytes,
   bytesToNumberBE,
   concatBytes,
   isBytes,
-  isHash,
+  validateObject,
 } from '../utils.ts';
 import type { AffinePoint, PC_ANY, PC_F, PC_P } from './curve.ts';
 import { FpInvertBatch, mod, type IField } from './modular.ts';
 
-export type UnicodeOrBytes = string | Uint8Array;
+export type AsciiOrBytes = string | Uint8Array;
 
 /**
  * * `DST` is a domain separation tag, defined in section 2.2.5
@@ -29,7 +29,7 @@ export type UnicodeOrBytes = string | Uint8Array;
  * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
  */
 export type H2COpts = {
-  DST: UnicodeOrBytes;
+  DST: AsciiOrBytes;
   expand: 'xmd' | 'xof';
   hash: CHash;
   p: bigint;
@@ -40,14 +40,37 @@ export type H2CHashOpts = {
   expand: 'xmd' | 'xof';
   hash: CHash;
 };
+export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
+
+// Separated from initialization opts, so users won't accidentally change per-curve parameters
+// (changing DST is ok!)
+export type H2CDSTOpts = { DST: AsciiOrBytes };
+export type H2CHasherBase<PC extends PC_ANY> = {
+  hashToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  hashToScalar(msg: Uint8Array, options?: H2CDSTOpts): bigint;
+  deriveToCurve?(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  Point: PC;
+};
+/**
+ * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
+ *
+ * * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
+ * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
+ * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
+ */
+export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC> & {
+  encodeToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  mapToCurve: MapToCurve<PC_F<PC>>;
+  defaults: H2COpts & { encodeDST?: AsciiOrBytes };
+};
 
 // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
 const os2ip = bytesToNumberBE;
 
 // Integer to Octet Stream (numberToBytesBE)
 function i2osp(value: number, length: number): Uint8Array {
-  anum(value);
-  anum(length);
+  asafenumber(value);
+  asafenumber(length);
   if (value < 0 || value >= 1 << (8 * length)) throw new Error('invalid I2OSP input: ' + value);
   const res = Array.from({ length }).fill(0) as number[];
   for (let i = length - 1; i >= 0; i--) {
@@ -65,13 +88,9 @@ function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
   return arr;
 }
 
-function anum(item: unknown): void {
-  if (!Number.isSafeInteger(item)) throw new Error('number expected');
-}
-
 // User can always use utf8 if they want, by passing Uint8Array.
 // If string is passed, we treat it as ASCII: other formats are likely a mistake.
-function normDST(DST: UnicodeOrBytes): Uint8Array {
+function normDST(DST: AsciiOrBytes): Uint8Array {
   if (!isBytes(DST) && typeof DST !== 'string')
     throw new Error('DST must be Uint8Array or ascii string');
   return typeof DST === 'string' ? asciiToBytes(DST) : DST;
@@ -83,12 +102,12 @@ function normDST(DST: UnicodeOrBytes): Uint8Array {
  */
 export function expand_message_xmd(
   msg: Uint8Array,
-  DST: UnicodeOrBytes,
+  DST: AsciiOrBytes,
   lenInBytes: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  anum(lenInBytes);
+  asafenumber(lenInBytes);
   DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   if (DST.length > 255) DST = H(concatBytes(asciiToBytes('H2C-OVERSIZE-DST-'), DST));
@@ -118,13 +137,13 @@ export function expand_message_xmd(
  */
 export function expand_message_xof(
   msg: Uint8Array,
-  DST: UnicodeOrBytes,
+  DST: AsciiOrBytes,
   lenInBytes: number,
   k: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  anum(lenInBytes);
+  asafenumber(lenInBytes);
   DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
@@ -154,16 +173,16 @@ export function expand_message_xof(
  * @returns [u_0, ..., u_(count - 1)], a list of field elements.
  */
 export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts): bigint[][] {
-  _validateObject(options, {
+  validateObject(options, {
     p: 'bigint',
     m: 'number',
     k: 'number',
     hash: 'function',
   });
   const { p, k, m, hash, expand, DST } = options;
-  if (!isHash(options.hash)) throw new Error('expected valid hash');
+  asafenumber(hash.outputLen, 'valid hash');
   abytes(msg);
-  anum(count);
+  asafenumber(count);
   const log2p = p.toString(2).length;
   const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
   const len_in_bytes = count * m * L;
@@ -191,8 +210,8 @@ export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts):
   return u;
 }
 
-export type XY<T> = (x: T, y: T) => { x: T; y: T };
-export type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
+type XY<T> = (x: T, y: T) => { x: T; y: T };
+type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
 export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T> {
   // Make same order as in spec
   const coeff = map.map((i) => Array.from(i).reverse());
@@ -211,38 +230,13 @@ export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): X
   };
 }
 
-export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
-
-// Separated from initialization opts, so users won't accidentally change per-curve parameters
-// (changing DST is ok!)
-export type htfBasicOpts = { DST: UnicodeOrBytes };
-export type H2CMethod<P> = (msg: Uint8Array, options?: htfBasicOpts) => P;
-// TODO: remove
-export type H2CHasherBase<P> = {
-  hashToCurve: H2CMethod<P>;
-  hashToScalar: (msg: Uint8Array, options?: htfBasicOpts) => bigint;
-};
-/**
- * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
- *
- * * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
- * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
- * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
- */
-export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC_P<PC>> & {
-  Point: PC;
-  encodeToCurve: H2CMethod<PC_P<PC>>;
-  mapToCurve: MapToCurve<PC_F<PC>>;
-  defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
-};
-
 export const _DST_scalar: Uint8Array = asciiToBytes('HashToScalar-');
 
 /** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
 export function createHasher<PC extends PC_ANY>(
   Point: PC,
   mapToCurve: MapToCurve<PC_F<PC>>,
-  defaults: H2COpts & { encodeDST?: UnicodeOrBytes }
+  defaults: H2COpts & { encodeDST?: AsciiOrBytes }
 ): H2CHasher<PC> {
   if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
   function map(num: bigint[]): PC_P<PC> {
@@ -256,17 +250,17 @@ export function createHasher<PC extends PC_ANY>(
   }
 
   return {
-    defaults,
+    defaults: Object.freeze(defaults),
     Point,
 
-    hashToCurve(msg: Uint8Array, options?: htfBasicOpts): PC_P<PC> {
+    hashToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC> {
       const opts = Object.assign({}, defaults, options);
       const u = hash_to_field(msg, 2, opts);
       const u0 = map(u[0]);
       const u1 = map(u[1]);
       return clear(u0.add(u1) as PC_P<PC>);
     },
-    encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): PC_P<PC> {
+    encodeToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC> {
       const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
       const opts = Object.assign({}, defaults, optsDst, options);
       const u = hash_to_field(msg, 1, opts);
@@ -274,7 +268,12 @@ export function createHasher<PC extends PC_ANY>(
       return clear(u0);
     },
     /** See {@link H2CHasher} */
-    mapToCurve(scalars: bigint[]): PC_P<PC> {
+    mapToCurve(scalars: bigint | bigint[]): PC_P<PC> {
+      // Curves with m=1 accept only single scalar
+      if (defaults.m === 1) {
+        if (typeof scalars !== 'bigint') throw new Error('expected bigint (m=1)');
+        return clear(map([scalars]));
+      }
       if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
       for (const i of scalars)
         if (typeof i !== 'bigint') throw new Error('expected array of bigints');
@@ -283,7 +282,7 @@ export function createHasher<PC extends PC_ANY>(
 
     // hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
     // RFC 9380, draft-irtf-cfrg-bbs-signatures-08
-    hashToScalar(msg: Uint8Array, options?: htfBasicOpts): bigint {
+    hashToScalar(msg: Uint8Array, options?: H2CDSTOpts): bigint {
       // @ts-ignore
       const N = Point.Fn.ORDER;
       const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);

package/src/abstract/modular.ts

@@ -6,21 +6,23 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
-  _validateObject,
   abytes,
   anumber,
   bytesToNumberBE,
   bytesToNumberLE,
   numberToBytesBE,
   numberToBytesLE,
+  validateObject,
 } from '../utils.ts';
 
+// Numbers aren't used in x25519 / x448 builds
 // prettier-ignore
-const _0n = BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
+const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2);
 // prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
+const _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
 // prettier-ignore
-const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
+const _7n = /* @__PURE__ */ BigInt(7), _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
+const _16n = /* @__PURE__ */ BigInt(16);
 
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
@@ -281,7 +283,7 @@ export function validateField<T>(field: IField<T>): IField<T> {
     map[val] = 'function';
     return map;
   }, initial);
-  _validateObject(field, opts);
+  validateObject(field, opts);
   // const max = 16384;
   // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
   // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');

package/src/abstract/montgomery.ts

@@ -6,23 +6,23 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
-  _validateObject,
   abytes,
   aInRange,
   bytesToNumberLE,
   copyBytes,
   numberToBytesLE,
   randomBytes,
+  validateObject,
   type CryptoKeys,
 } from '../utils.ts';
-import type { CurveLengths } from './curve.ts';
+import { createKeygen, type CurveLengths } from './curve.ts';
 import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 
-export type CurveType = {
+export type MontgomeryOpts = {
   P: bigint; // finite field prime
   type: 'x25519' | 'x448';
   adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
@@ -43,15 +43,15 @@ export type MontgomeryECDH = {
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
 };
 
-function validateOpts(curve: CurveType) {
-  _validateObject(curve, {
+function validateOpts(curve: MontgomeryOpts) {
+  validateObject(curve, {
     adjustScalarBytes: 'function',
     powPminus2: 'function',
   });
   return Object.freeze({ ...curve } as const);
 }
 
-export function montgomery(curveDef: CurveType): MontgomeryECDH {
+export function montgomery(curveDef: MontgomeryOpts): MontgomeryECDH {
   const CURVE = validateOpts(curveDef);
   const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
   const is25519 = type === 'x25519';
@@ -105,6 +105,8 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
   function scalarMultBase(scalar: Uint8Array): Uint8Array {
     return scalarMult(scalar, GuBytes);
   }
+  const getPublicKey = scalarMultBase;
+  const getSharedSecret = scalarMult;
 
   // cswap from RFC7748 "example code"
   function cswap(swap: bigint, x_2: bigint, x_3: bigint): { x_2: bigint; x_3: bigint } {
@@ -170,20 +172,12 @@ export function montgomery(curveDef: CurveType): MontgomeryECDH {
     abytes(seed, lengths.seed, 'seed');
     return seed;
   };
-  function keygen(seed?: Uint8Array) {
-    const secretKey = randomSecretKey(seed);
-    return { secretKey, publicKey: scalarMultBase(secretKey) };
-  }
-  const utils = {
-    randomSecretKey,
-    randomPrivateKey: randomSecretKey,
-  };
+  const utils = { randomSecretKey };
 
   return Object.freeze({
-    keygen,
-    getSharedSecret: (secretKey: Uint8Array, publicKey: Uint8Array) =>
-      scalarMult(secretKey, publicKey),
-    getPublicKey: (secretKey: Uint8Array): Uint8Array => scalarMultBase(secretKey),
+    keygen: createKeygen(randomSecretKey, getPublicKey),
+    getSharedSecret,
+    getPublicKey,
     scalarMult,
     scalarMultBase,
     utils,

package/src/abstract/oprf.ts

@@ -60,8 +60,8 @@ import {
   validateObject,
 } from '../utils.ts';
 import { pippenger, type CurvePoint, type CurvePointCons } from './curve.ts';
-import { _DST_scalar, type H2CMethod, type htfBasicOpts } from './hash-to-curve.js';
-import { getMinHashLength, mapHashToField } from './modular.js';
+import { _DST_scalar, type H2CDSTOpts } from './hash-to-curve.ts';
+import { getMinHashLength, mapHashToField } from './modular.ts';
 
 // OPRF is designed to be used across network, so we default to serialized values.
 export type PointBytes = Uint8Array;
@@ -73,9 +73,9 @@ export type OPRFOpts<P extends CurvePoint<any, P>> = {
   name: string;
   Point: CurvePointCons<P>; // we don't return Point, so we need generic interface only
   // Fn: IField<bigint>;
-  hash: (msg: Bytes) => Bytes;
-  hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
-  hashToGroup: ((msg: Uint8Array, options: htfBasicOpts) => P) | H2CMethod<P>;
+  hash(msg: Bytes): Bytes;
+  hashToScalar(msg: Uint8Array, options: H2CDSTOpts): bigint;
+  hashToGroup(msg: Uint8Array, options: H2CDSTOpts): P;
 };
 
 export type OPRFKeys = { secretKey: ScalarBytes; publicKey: PointBytes };
@@ -433,7 +433,7 @@ export function createORPF<P extends CurvePoint<any, P>>(opts: OPRFOpts<P>): OPR
 
   function deriveKeyPair(ctx: Bytes, seed: Bytes, info: Bytes) {
     const dst = concatBytes(asciiToBytes('DeriveKeyPair'), ctx);
-    const msg = concatBytes(seed, encode(info), new Uint8Array([0]));
+    const msg = concatBytes(seed, encode(info), Uint8Array.of(0));
     for (let counter = 0; counter <= 255; counter++) {
       msg[msg.length - 1] = counter;
       const skS = opts.hashToScalar(msg, { DST: dst });

package/src/abstract/poseidon.ts

@@ -7,7 +7,7 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { _validateObject, bitGet } from '../utils.ts';
+import { asafenumber, bitGet, validateObject } from '../utils.ts';
 import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
 
 // Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
@@ -44,7 +44,7 @@ export type PoseidonBasicOpts = {
 function assertValidPosOpts(opts: PoseidonBasicOpts) {
   const { Fp, roundsFull } = opts;
   validateField(Fp);
-  _validateObject(
+  validateObject(
     opts,
     {
       t: 'number',
@@ -55,8 +55,9 @@ function assertValidPosOpts(opts: PoseidonBasicOpts) {
       isSboxInverse: 'boolean',
     }
   );
-  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (!Number.isSafeInteger(opts[i]) || opts[i] < 1) throw new Error('invalid number ' + i);
+  for (const k of ['t', 'roundsFull', 'roundsPartial'] as const) {
+    asafenumber(opts[k], k);
+    if (opts[k] < 1) throw new Error('invalid number ' + k);
   }
   if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
 }
@@ -322,10 +323,7 @@ export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
  * - https://github.com/arkworks-rs/crypto-primitives/tree/main
  */
 export function poseidonSponge(opts: PoseidonSpongeOpts): () => PoseidonSponge {
-  for (const i of ['rate', 'capacity'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
-  }
+  for (const k of ['rate', 'capacity'] as const) asafenumber(opts[k], k);
   const { rate, capacity } = opts;
   const t = opts.rate + opts.capacity;
   // Re-use hash instance between multiple instances