@protontech/openpgp 6.0.0-beta.2 → 6.0.0-beta.3.patch.1

package/dist/lightweight/noble_curves.mjs

@@ -1,4 +1,4 @@
-/*! OpenPGP.js v6.0.0-beta.2 - 2024-07-05 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.0.0-beta.3.patch.1 - 2024-09-11 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
 import { H as Hash, h as hash, t as toBytes, e as exists, b as bytes, c as concatBytes$1, r as randomBytes, s as sha256, a as sha384, d as sha512, w as wrapConstructor, u as utf8ToBytes$1, f as shake256 } from './sha3.mjs';
@@ -74,6 +74,10 @@ class HMAC extends Hash {
  * @param hash - function that would be used e.g. sha256
  * @param key - message key
  * @param message - message data
+ * @example
+ * import { hmac } from '@noble/hashes/hmac';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * const mac1 = hmac(sha256, 'key', 'message');
  */
 const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
 hmac.create = (hash, key) => new HMAC(hash, key);
@@ -83,9 +87,9 @@ hmac.create = (hash, key) => new HMAC(hash, key);
 // This is OK: `abstract` directory does not use noble-hashes.
 // User may opt-in into using different hashing library. This way, noble-hashes
 // won't be included into their bundle.
-const _0n$5 = BigInt(0);
-const _1n$7 = BigInt(1);
-const _2n$4 = BigInt(2);
+const _0n$5 = /* @__PURE__ */ BigInt(0);
+const _1n$7 = /* @__PURE__ */ BigInt(1);
+const _2n$4 = /* @__PURE__ */ BigInt(2);
 function isBytes(a) {
     return (a instanceof Uint8Array ||
         (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array'));
@@ -94,6 +98,10 @@ function abytes(item) {
     if (!isBytes(item))
         throw new Error('Uint8Array expected');
 }
+function abool(title, value) {
+    if (typeof value !== 'boolean')
+        throw new Error(`${title} must be valid boolean, got "${value}".`);
+}
 // Array where index 0xf0 (240) is mapped to string 'f0'
 const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
 /**
@@ -236,6 +244,25 @@ function utf8ToBytes(str) {
         throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
     return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
+// Is positive bigint
+const isPosBig = (n) => typeof n === 'bigint' && _0n$5 <= n;
+function inRange(n, min, max) {
+    return isPosBig(n) && isPosBig(min) && isPosBig(max) && min <= n && n < max;
+}
+/**
+ * Asserts min <= n < max. NOTE: It's < max and not <= max.
+ * @example
+ * aInRange('x', x, 1n, 256n); // would assume x is in (1n..255n)
+ */
+function aInRange(title, n, min, max) {
+    // Why min <= n < max and not a (min < n < max) OR b (min <= n <= max)?
+    // consider P=256n, min=0n, max=P
+    // - a for min=0 would require -1:          `inRange('x', x, -1n, P)`
+    // - b would commonly require subtraction:  `inRange('x', x, 0n, P - 1n)`
+    // - our way is the cleanest:               `inRange('x', x, 0n, P)
+    if (!inRange(n, min, max))
+        throw new Error(`expected valid ${title}: ${min} <= n < ${max}, got ${typeof n} ${n}`);
+}
 // Bit operations
 /**
  * Calculates amount of bits in a bigint.
@@ -366,9 +393,32 @@ function validateObject(object, validators, optValidators = {}) {
 // const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
 // const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
 // const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
+/**
+ * throws not implemented error
+ */
+const notImplemented = () => {
+    throw new Error('not implemented');
+};
+/**
+ * Memoizes (caches) computation result.
+ * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
+ */
+function memoized(fn) {
+    const map = new WeakMap();
+    return (arg, ...args) => {
+        const val = map.get(arg);
+        if (val !== undefined)
+            return val;
+        const computed = fn(arg, ...args);
+        map.set(arg, computed);
+        return computed;
+    };
+}
 
 var ut = /*#__PURE__*/Object.freeze({
     __proto__: null,
+    aInRange: aInRange,
+    abool: abool,
     abytes: abytes,
     bitGet: bitGet,
     bitLen: bitLen,
@@ -383,7 +433,10 @@ var ut = /*#__PURE__*/Object.freeze({
     equalBytes: equalBytes,
     hexToBytes: hexToBytes,
     hexToNumber: hexToNumber,
+    inRange: inRange,
     isBytes: isBytes,
+    memoized: memoized,
+    notImplemented: notImplemented,
     numberToBytesBE: numberToBytesBE,
     numberToBytesLE: numberToBytesLE,
     numberToHexUnpadded: numberToHexUnpadded,
@@ -640,6 +693,9 @@ function nLength(n, nBitLength) {
  * * a) denormalized operations like mulN instead of mul
  * * b) same object shape: never add or remove keys
  * * c) Object.freeze
+ * NOTE: operations don't check 'isValid' for all elements for performance reasons,
+ * it is caller responsibility to check this.
+ * This is low-level code, please make sure you know what you doing.
  * @param ORDER prime positive bigint
  * @param bitLen how many bits the field consumes
  * @param isLE (def: false) if encoding / decoding should be in little-endian
@@ -748,6 +804,10 @@ function mapHashToField(key, fieldOrder, isLE = false) {
 // Abelian group utilities
 const _0n$3 = BigInt(0);
 const _1n$5 = BigInt(1);
+// Since points in different groups cannot be equal (different object constructor),
+// we can have single place to store precomputes
+const pointPrecomputes = new WeakMap();
+const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
 // Elliptic curve multiplication of Point by scalar. Fragile.
 // Scalars should always be less than curve order: this should be checked inside of a curve itself.
 // Creates precomputation tables for fast multiplication:
@@ -764,7 +824,12 @@ function wNAF(c, bits) {
         const neg = item.negate();
         return condition ? neg : item;
     };
+    const validateW = (W) => {
+        if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
+            throw new Error(`Wrong window size=${W}, should be [1..${bits}]`);
+    };
     const opts = (W) => {
+        validateW(W);
         const windows = Math.ceil(bits / W) + 1; // +1, because
         const windowSize = 2 ** (W - 1); // -1 because we skip zero
         return { windows, windowSize };
@@ -864,21 +929,81 @@ function wNAF(c, bits) {
             // which makes it less const-time: around 1 bigint multiply.
             return { p, f };
         },
-        wNAFCached(P, precomputesMap, n, transform) {
-            // @ts-ignore
-            const W = P._WINDOW_SIZE || 1;
+        wNAFCached(P, n, transform) {
+            const W = pointWindowSizes.get(P) || 1;
             // Calculate precomputes on a first run, reuse them after
-            let comp = precomputesMap.get(P);
+            let comp = pointPrecomputes.get(P);
             if (!comp) {
                 comp = this.precomputeWindow(P, W);
-                if (W !== 1) {
-                    precomputesMap.set(P, transform(comp));
-                }
+                if (W !== 1)
+                    pointPrecomputes.set(P, transform(comp));
             }
             return this.wNAF(W, comp, n);
         },
+        // We calculate precomputes for elliptic curve point multiplication
+        // using windowed method. This specifies window size and
+        // stores precomputed values. Usually only base point would be precomputed.
+        setWindowSize(P, W) {
+            validateW(W);
+            pointWindowSizes.set(P, W);
+            pointPrecomputes.delete(P);
+        },
     };
 }
+/**
+ * Pippenger algorithm for multi-scalar multiplication (MSM).
+ * MSM is basically (Pa + Qb + Rc + ...).
+ * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
+ * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
+ * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
+ * @param c Curve Point constructor
+ * @param field field over CURVE.N - important that it's not over CURVE.P
+ * @param points array of L curve points
+ * @param scalars array of L scalars (aka private keys / bigints)
+ */
+function pippenger(c, field, points, scalars) {
+    // If we split scalars by some window (let's say 8 bits), every chunk will only
+    // take 256 buckets even if there are 4096 scalars, also re-uses double.
+    // TODO:
+    // - https://eprint.iacr.org/2024/750.pdf
+    // - https://tches.iacr.org/index.php/TCHES/article/view/10287
+    // 0 is accepted in scalars
+    if (!Array.isArray(points) || !Array.isArray(scalars) || scalars.length !== points.length)
+        throw new Error('arrays of points and scalars must have equal length');
+    scalars.forEach((s, i) => {
+        if (!field.isValid(s))
+            throw new Error(`wrong scalar at index ${i}`);
+    });
+    points.forEach((p, i) => {
+        if (!(p instanceof c))
+            throw new Error(`wrong point at index ${i}`);
+    });
+    const wbits = bitLen(BigInt(points.length));
+    const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
+    const MASK = (1 << windowSize) - 1;
+    const buckets = new Array(MASK + 1).fill(c.ZERO); // +1 for zero array
+    const lastBits = Math.floor((field.BITS - 1) / windowSize) * windowSize;
+    let sum = c.ZERO;
+    for (let i = lastBits; i >= 0; i -= windowSize) {
+        buckets.fill(c.ZERO);
+        for (let j = 0; j < scalars.length; j++) {
+            const scalar = scalars[j];
+            const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
+            buckets[wbits] = buckets[wbits].add(points[j]);
+        }
+        let resI = c.ZERO; // not using this will do small speed-up, but will lose ct
+        // Skip first bucket, because it is zero
+        for (let j = buckets.length - 1, sumI = c.ZERO; j > 0; j--) {
+            sumI = sumI.add(buckets[j]);
+            resI = resI.add(sumI);
+        }
+        sum = sum.add(resI);
+        if (i !== 0)
+            for (let j = 0; j < windowSize; j++)
+                sum = sum.double();
+    }
+    return sum;
+}
 function validateBasic(curve) {
     validateField(curve.Fp);
     validateObject(curve, {
@@ -900,6 +1025,12 @@ function validateBasic(curve) {
 
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Short Weierstrass curve. The formula is: y² = x³ + ax + b
+function validateSigVerOpts(opts) {
+    if (opts.lowS !== undefined)
+        abool('lowS', opts.lowS);
+    if (opts.prehash !== undefined)
+        abool('prehash', opts.prehash);
+}
 function validatePointOpts(curve) {
     const opts = validateBasic(curve);
     validateObject(opts, {
@@ -927,8 +1058,14 @@ function validatePointOpts(curve) {
     }
     return Object.freeze({ ...opts });
 }
-// ASN.1 DER encoding utilities
 const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
+/**
+ * ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
+ *
+ *     [0x30 (SEQUENCE), bytelength, 0x02 (INTEGER), intLength, R, 0x02 (INTEGER), intLength, S]
+ *
+ * Docs: https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/, https://luca.ntop.org/Teaching/Appunti/asn1.html
+ */
 const DER = {
     // asn.1 DER encoding utils
     Err: class DERErr extends Error {
@@ -936,54 +1073,103 @@ const DER = {
             super(m);
         }
     },
-    _parseInt(data) {
-        const { Err: E } = DER;
-        if (data.length < 2 || data[0] !== 0x02)
-            throw new E('Invalid signature integer tag');
-        const len = data[1];
-        const res = data.subarray(2, len + 2);
-        if (!len || res.length !== len)
-            throw new E('Invalid signature integer: wrong length');
-        // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
-        // since we always use positive integers here. It must always be empty:
-        // - add zero byte if exists
-        // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
-        if (res[0] & 0b10000000)
-            throw new E('Invalid signature integer: negative');
-        if (res[0] === 0x00 && !(res[1] & 0b10000000))
-            throw new E('Invalid signature integer: unnecessary leading zero');
-        return { d: b2n(res), l: data.subarray(len + 2) }; // d is data, l is left
+    // Basic building block is TLV (Tag-Length-Value)
+    _tlv: {
+        encode: (tag, data) => {
+            const { Err: E } = DER;
+            if (tag < 0 || tag > 256)
+                throw new E('tlv.encode: wrong tag');
+            if (data.length & 1)
+                throw new E('tlv.encode: unpadded data');
+            const dataLen = data.length / 2;
+            const len = numberToHexUnpadded(dataLen);
+            if ((len.length / 2) & 128)
+                throw new E('tlv.encode: long form length too big');
+            // length of length with long form flag
+            const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 128) : '';
+            return `${numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
+        },
+        // v - value, l - left bytes (unparsed)
+        decode(tag, data) {
+            const { Err: E } = DER;
+            let pos = 0;
+            if (tag < 0 || tag > 256)
+                throw new E('tlv.encode: wrong tag');
+            if (data.length < 2 || data[pos++] !== tag)
+                throw new E('tlv.decode: wrong tlv');
+            const first = data[pos++];
+            const isLong = !!(first & 128); // First bit of first length byte is flag for short/long form
+            let length = 0;
+            if (!isLong)
+                length = first;
+            else {
+                // Long form: [longFlag(1bit), lengthLength(7bit), length (BE)]
+                const lenLen = first & 127;
+                if (!lenLen)
+                    throw new E('tlv.decode(long): indefinite length not supported');
+                if (lenLen > 4)
+                    throw new E('tlv.decode(long): byte length is too big'); // this will overflow u32 in js
+                const lengthBytes = data.subarray(pos, pos + lenLen);
+                if (lengthBytes.length !== lenLen)
+                    throw new E('tlv.decode: length bytes not complete');
+                if (lengthBytes[0] === 0)
+                    throw new E('tlv.decode(long): zero leftmost byte');
+                for (const b of lengthBytes)
+                    length = (length << 8) | b;
+                pos += lenLen;
+                if (length < 128)
+                    throw new E('tlv.decode(long): not minimal encoding');
+            }
+            const v = data.subarray(pos, pos + length);
+            if (v.length !== length)
+                throw new E('tlv.decode: wrong value length');
+            return { v, l: data.subarray(pos + length) };
+        },
+    },
+    // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+    // since we always use positive integers here. It must always be empty:
+    // - add zero byte if exists
+    // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+    _int: {
+        encode(num) {
+            const { Err: E } = DER;
+            if (num < _0n$2)
+                throw new E('integer: negative integers are not allowed');
+            let hex = numberToHexUnpadded(num);
+            // Pad with zero byte if negative flag is present
+            if (Number.parseInt(hex[0], 16) & 0b1000)
+                hex = '00' + hex;
+            if (hex.length & 1)
+                throw new E('unexpected assertion');
+            return hex;
+        },
+        decode(data) {
+            const { Err: E } = DER;
+            if (data[0] & 128)
+                throw new E('Invalid signature integer: negative');
+            if (data[0] === 0x00 && !(data[1] & 128))
+                throw new E('Invalid signature integer: unnecessary leading zero');
+            return b2n(data);
+        },
     },
     toSig(hex) {
         // parse DER signature
-        const { Err: E } = DER;
+        const { Err: E, _int: int, _tlv: tlv } = DER;
         const data = typeof hex === 'string' ? h2b(hex) : hex;
         abytes(data);
-        let l = data.length;
-        if (l < 2 || data[0] != 0x30)
-            throw new E('Invalid signature tag');
-        if (data[1] !== l - 2)
-            throw new E('Invalid signature: incorrect length');
-        const { d: r, l: sBytes } = DER._parseInt(data.subarray(2));
-        const { d: s, l: rBytesLeft } = DER._parseInt(sBytes);
-        if (rBytesLeft.length)
+        const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
+        if (seqLeftBytes.length)
             throw new E('Invalid signature: left bytes after parsing');
-        return { r, s };
+        const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
+        const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);
+        if (sLeftBytes.length)
+            throw new E('Invalid signature: left bytes after parsing');
+        return { r: int.decode(rBytes), s: int.decode(sBytes) };
     },
     hexFromSig(sig) {
-        // Add leading zero if first byte has negative bit enabled. More details in '_parseInt'
-        const slice = (s) => (Number.parseInt(s[0], 16) & 0b1000 ? '00' + s : s);
-        const h = (num) => {
-            const hex = num.toString(16);
-            return hex.length & 1 ? `0${hex}` : hex;
-        };
-        const s = slice(h(sig.s));
-        const r = slice(h(sig.r));
-        const shl = s.length / 2;
-        const rhl = r.length / 2;
-        const sl = h(shl);
-        const rl = h(rhl);
-        return `30${h(rhl + shl + 4)}02${rl}${r}02${sl}${s}`;
+        const { _tlv: tlv, _int: int } = DER;
+        const seq = `${tlv.encode(0x02, int.encode(sig.r))}${tlv.encode(0x02, int.encode(sig.s))}`;
+        return tlv.encode(0x30, seq);
     },
 };
 // Be friendly to bad ECMAScript parsers by not using bigint literals
@@ -992,6 +1178,7 @@ const _0n$2 = BigInt(0), _1n$4 = BigInt(1); BigInt(2); const _3n$1 = BigInt(3);
 function weierstrassPoints(opts) {
     const CURVE = validatePointOpts(opts);
     const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
+    const Fn = Field(CURVE.n, CURVE.nBitLength);
     const toBytes = CURVE.toBytes ||
         ((_c, point, _isCompressed) => {
             const a = point.toAffine();
@@ -1024,16 +1211,12 @@ function weierstrassPoints(opts) {
         throw new Error('bad generator point: equation left != right');
     // Valid group elements reside in range 1..n-1
     function isWithinCurveOrder(num) {
-        return typeof num === 'bigint' && _0n$2 < num && num < CURVE.n;
-    }
-    function assertGE(num) {
-        if (!isWithinCurveOrder(num))
-            throw new Error('Expected valid bigint: 0 < bigint < curve.n');
+        return inRange(num, _1n$4, CURVE.n);
     }
     // Validates if priv key is valid and converts it to bigint.
     // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
     function normPrivateKeyToScalar(key) {
-        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n } = CURVE;
+        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
         if (lengths && typeof key !== 'bigint') {
             if (isBytes(key))
                 key = bytesToHex(key);
@@ -1053,15 +1236,61 @@ function weierstrassPoints(opts) {
             throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
         }
         if (wrapPrivateKey)
-            num = mod(num, n); // disabled by default, enabled for BLS
-        assertGE(num); // num in range [1..N-1]
+            num = mod(num, N); // disabled by default, enabled for BLS
+        aInRange('private key', num, _1n$4, N); // num in range [1..N-1]
         return num;
     }
-    const pointPrecomputes = new Map();
     function assertPrjPoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
+    // Memoized toAffine / validity check. They are heavy. Points are immutable.
+    // Converts Projective point to affine (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    // (x, y, z) ∋ (x=x/z, y=y/z)
+    const toAffineMemo = memoized((p, iz) => {
+        const { px: x, py: y, pz: z } = p;
+        // Fast-path for normalized points
+        if (Fp.eql(z, Fp.ONE))
+            return { x, y };
+        const is0 = p.is0();
+        // If invZ was 0, we return zero point. However we still want to execute
+        // all operations, so we replace invZ with a random number, 1.
+        if (iz == null)
+            iz = is0 ? Fp.ONE : Fp.inv(z);
+        const ax = Fp.mul(x, iz);
+        const ay = Fp.mul(y, iz);
+        const zz = Fp.mul(z, iz);
+        if (is0)
+            return { x: Fp.ZERO, y: Fp.ZERO };
+        if (!Fp.eql(zz, Fp.ONE))
+            throw new Error('invZ was invalid');
+        return { x: ax, y: ay };
+    });
+    // NOTE: on exception this will crash 'cached' and no value will be set.
+    // Otherwise true will be return
+    const assertValidMemo = memoized((p) => {
+        if (p.is0()) {
+            // (0, 1, 0) aka ZERO is invalid in most contexts.
+            // In BLS, ZERO can be serialized, so we allow it.
+            // (0, 0, 0) is wrong representation of ZERO and is always invalid.
+            if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
+                return;
+            throw new Error('bad point: ZERO');
+        }
+        // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
+        const { x, y } = p.toAffine();
+        // Check if x, y are valid field elements
+        if (!Fp.isValid(x) || !Fp.isValid(y))
+            throw new Error('bad point: x or y not FE');
+        const left = Fp.sqr(y); // y²
+        const right = weierstrassEquation(x); // x³ + ax + b
+        if (!Fp.eql(left, right))
+            throw new Error('bad point: equation left != right');
+        if (!p.isTorsionFree())
+            throw new Error('bad point: not in prime-order subgroup');
+        return true;
+    });
     /**
      * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
      * Default Point works in 2d / affine coordinates: (x, y)
@@ -1078,6 +1307,7 @@ function weierstrassPoints(opts) {
                 throw new Error('y required');
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
+            Object.freeze(this);
         }
         // Does not validate if the point is on-curve.
         // Use fromHex instead, or call assertValidity() later.
@@ -1122,32 +1352,17 @@ function weierstrassPoints(opts) {
         static fromPrivateKey(privateKey) {
             return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
         }
+        // Multiscalar Multiplication
+        static msm(points, scalars) {
+            return pippenger(Point, Fn, points, scalars);
+        }
         // "Private method", don't use it directly
         _setWindowSize(windowSize) {
-            this._WINDOW_SIZE = windowSize;
-            pointPrecomputes.delete(this);
+            wnaf.setWindowSize(this, windowSize);
         }
         // A point on curve is valid if it conforms to equation.
         assertValidity() {
-            if (this.is0()) {
-                // (0, 1, 0) aka ZERO is invalid in most contexts.
-                // In BLS, ZERO can be serialized, so we allow it.
-                // (0, 0, 0) is wrong representation of ZERO and is always invalid.
-                if (CURVE.allowInfinityPoint && !Fp.is0(this.py))
-                    return;
-                throw new Error('bad point: ZERO');
-            }
-            // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
-            const { x, y } = this.toAffine();
-            // Check if x, y are valid field elements
-            if (!Fp.isValid(x) || !Fp.isValid(y))
-                throw new Error('bad point: x or y not FE');
-            const left = Fp.sqr(y); // y²
-            const right = weierstrassEquation(x); // x³ + ax + b
-            if (!Fp.eql(left, right))
-                throw new Error('bad point: equation left != right');
-            if (!this.isTorsionFree())
-                throw new Error('bad point: not in prime-order subgroup');
+            assertValidMemo(this);
         }
         hasEvenY() {
             const { y } = this.toAffine();
@@ -1274,28 +1489,25 @@ function weierstrassPoints(opts) {
             return this.equals(Point.ZERO);
         }
         wNAF(n) {
-            return wnaf.wNAFCached(this, pointPrecomputes, n, (comp) => {
-                const toInv = Fp.invertBatch(comp.map((p) => p.pz));
-                return comp.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
-            });
+            return wnaf.wNAFCached(this, n, Point.normalizeZ);
         }
         /**
          * Non-constant-time multiplication. Uses double-and-add algorithm.
          * It's faster, but should only be used when you don't care about
          * an exposed private key e.g. sig verification, which works over *public* keys.
          */
-        multiplyUnsafe(n) {
+        multiplyUnsafe(sc) {
+            aInRange('scalar', sc, _0n$2, CURVE.n);
             const I = Point.ZERO;
-            if (n === _0n$2)
+            if (sc === _0n$2)
                 return I;
-            assertGE(n); // Will throw on 0
-            if (n === _1n$4)
+            if (sc === _1n$4)
                 return this;
             const { endo } = CURVE;
             if (!endo)
-                return wnaf.unsafeLadder(this, n);
+                return wnaf.unsafeLadder(this, sc);
             // Apply endomorphism
-            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
             let k1p = I;
             let k2p = I;
             let d = this;
@@ -1325,12 +1537,11 @@ function weierstrassPoints(opts) {
          * @returns New point
          */
         multiply(scalar) {
-            assertGE(scalar);
-            let n = scalar;
+            const { endo, n: N } = CURVE;
+            aInRange('scalar', scalar, _1n$4, N);
             let point, fake; // Fake point is used to const-time mult
-            const { endo } = CURVE;
             if (endo) {
-                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(n);
+                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
                 let { p: k1p, f: f1p } = this.wNAF(k1);
                 let { p: k2p, f: f2p } = this.wNAF(k2);
                 k1p = wnaf.constTimeNegate(k1neg, k1p);
@@ -1340,7 +1551,7 @@ function weierstrassPoints(opts) {
                 fake = f1p.add(f2p);
             }
             else {
-                const { p, f } = this.wNAF(n);
+                const { p, f } = this.wNAF(scalar);
                 point = p;
                 fake = f;
             }
@@ -1364,20 +1575,7 @@ function weierstrassPoints(opts) {
         // Can accept precomputed Z^-1 - for example, from invertBatch.
         // (x, y, z) ∋ (x=x/z, y=y/z)
         toAffine(iz) {
-            const { px: x, py: y, pz: z } = this;
-            const is0 = this.is0();
-            // If invZ was 0, we return zero point. However we still want to execute
-            // all operations, so we replace invZ with a random number, 1.
-            if (iz == null)
-                iz = is0 ? Fp.ONE : Fp.inv(z);
-            const ax = Fp.mul(x, iz);
-            const ay = Fp.mul(y, iz);
-            const zz = Fp.mul(z, iz);
-            if (is0)
-                return { x: Fp.ZERO, y: Fp.ZERO };
-            if (!Fp.eql(zz, Fp.ONE))
-                throw new Error('invZ was invalid');
-            return { x: ax, y: ay };
+            return toAffineMemo(this, iz);
         }
         isTorsionFree() {
             const { h: cofactor, isTorsionFree } = CURVE;
@@ -1396,10 +1594,12 @@ function weierstrassPoints(opts) {
             return this.multiplyUnsafe(CURVE.h);
         }
         toRawBytes(isCompressed = true) {
+            abool('isCompressed', isCompressed);
             this.assertValidity();
             return toBytes(Point, this, isCompressed);
         }
         toHex(isCompressed = true) {
+            abool('isCompressed', isCompressed);
             return bytesToHex(this.toRawBytes(isCompressed));
         }
     }
@@ -1429,14 +1629,18 @@ function validateOpts$2(curve) {
     });
     return Object.freeze({ lowS: true, ...opts });
 }
+/**
+ * Creates short weierstrass curve and ECDSA signature methods for it.
+ * @example
+ * import { Field } from '@noble/curves/abstract/modular';
+ * // Before that, define BigInt-s: a, b, p, n, Gx, Gy
+ * const curve = weierstrass({ a, b, Fp: Field(p), n, Gx, Gy, h: 1n })
+ */
 function weierstrass(curveDef) {
     const CURVE = validateOpts$2(curveDef);
     const { Fp, n: CURVE_ORDER } = CURVE;
     const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
     const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
-    function isValidFieldElement(num) {
-        return _0n$2 < num && num < Fp.ORDER; // 0 is banned since it's not invertible FE
-    }
     function modN(a) {
         return mod(a, CURVE_ORDER);
     }
@@ -1449,6 +1653,7 @@ function weierstrass(curveDef) {
             const a = point.toAffine();
             const x = Fp.toBytes(a.x);
             const cat = concatBytes;
+            abool('isCompressed', isCompressed);
             if (isCompressed) {
                 return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
             }
@@ -1463,7 +1668,7 @@ function weierstrass(curveDef) {
             // this.assertValidity() is done inside of fromHex
             if (len === compressedLen && (head === 0x02 || head === 0x03)) {
                 const x = bytesToNumberBE(tail);
-                if (!isValidFieldElement(x))
+                if (!inRange(x, _1n$4, Fp.ORDER))
                     throw new Error('Point is not on curve');
                 const y2 = weierstrassEquation(x); // y² = x³ + ax + b
                 let y;
@@ -1524,11 +1729,8 @@ function weierstrass(curveDef) {
             return new Signature(r, s);
         }
         assertValidity() {
-            // can use assertGE here
-            if (!isWithinCurveOrder(this.r))
-                throw new Error('r must be 0 < r < CURVE.n');
-            if (!isWithinCurveOrder(this.s))
-                throw new Error('s must be 0 < s < CURVE.n');
+            aInRange('r', this.r, _1n$4, CURVE_ORDER); // r in [1..N]
+            aInRange('s', this.s, _1n$4, CURVE_ORDER); // s in [1..N]
         }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
@@ -1671,10 +1873,7 @@ function weierstrass(curveDef) {
      * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
      */
     function int2octets(num) {
-        if (typeof num !== 'bigint')
-            throw new Error('bigint expected');
-        if (!(_0n$2 <= num && num < ORDER_MASK))
-            throw new Error(`bigint expected < 2^${CURVE.nBitLength}`);
+        aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n$2, ORDER_MASK);
         // works with order, can have different size than numToField!
         return numberToBytesBE(num, CURVE.nByteLength);
     }
@@ -1691,6 +1890,7 @@ function weierstrass(curveDef) {
         if (lowS == null)
             lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
         msgHash = ensureBytes('msgHash', msgHash);
+        validateSigVerOpts(opts);
         if (prehash)
             msgHash = ensureBytes('prehashed msgHash', hash(msgHash));
         // We can't later call bits2octets, since nested bits2int is broken for curves
@@ -1777,6 +1977,7 @@ function weierstrass(curveDef) {
         publicKey = ensureBytes('publicKey', publicKey);
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
+        validateSigVerOpts(opts);
         const { lowS, prehash } = opts;
         let _sig = undefined;
         let P;
@@ -1946,12 +2147,19 @@ function validateOpts$1(curve) {
     // Set defaults
     return Object.freeze({ ...opts });
 }
-// It is not generic twisted curve for now, but ed25519/ed448 generic implementation
+/**
+ * Creates Twisted Edwards curve with EdDSA signatures.
+ * @example
+ * import { Field } from '@noble/curves/abstract/modular';
+ * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h
+ * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })
+ */
 function twistedEdwards(curveDef) {
     const CURVE = validateOpts$1(curveDef);
     const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
     const MASK = _2n$2 << (BigInt(nByteLength * 8) - _1n$3);
     const modP = Fp.create; // Function overrides
+    const Fn = Field(CURVE.n, CURVE.nBitLength);
     // sqrt(u/v)
     const uvRatio = CURVE.uvRatio ||
         ((u, v) => {
@@ -1965,28 +2173,59 @@ function twistedEdwards(curveDef) {
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
     const domain = CURVE.domain ||
         ((data, ctx, phflag) => {
+            abool('phflag', phflag);
             if (ctx.length || phflag)
                 throw new Error('Contexts/pre-hash are not supported');
             return data;
         }); // NOOP
-    const inBig = (n) => typeof n === 'bigint' && _0n$1 < n; // n in [1..]
-    const inRange = (n, max) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
-    const in0MaskRange = (n) => n === _0n$1 || inRange(n, MASK); // n in [0..MASK-1]
-    function assertInRange(n, max) {
-        // n in [1..max-1]
-        if (inRange(n, max))
-            return n;
-        throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
+    // 0 <= n < MASK
+    // Coordinates larger than Fp.ORDER are allowed for zip215
+    function aCoordinate(title, n) {
+        aInRange('coordinate ' + title, n, _0n$1, MASK);
     }
-    function assertGE0(n) {
-        // n in [0..CURVE_ORDER-1]
-        return n === _0n$1 ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
-    }
-    const pointPrecomputes = new Map();
-    function isPoint(other) {
+    function assertPoint(other) {
         if (!(other instanceof Point))
             throw new Error('ExtendedPoint expected');
     }
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    const toAffineMemo = memoized((p, iz) => {
+        const { ex: x, ey: y, ez: z } = p;
+        const is0 = p.is0();
+        if (iz == null)
+            iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
+        const ax = modP(x * iz);
+        const ay = modP(y * iz);
+        const zz = modP(z * iz);
+        if (is0)
+            return { x: _0n$1, y: _1n$3 };
+        if (zz !== _1n$3)
+            throw new Error('invZ was invalid');
+        return { x: ax, y: ay };
+    });
+    const assertValidMemo = memoized((p) => {
+        const { a, d } = CURVE;
+        if (p.is0())
+            throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+        // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+        // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+        const { ex: X, ey: Y, ez: Z, et: T } = p;
+        const X2 = modP(X * X); // X²
+        const Y2 = modP(Y * Y); // Y²
+        const Z2 = modP(Z * Z); // Z²
+        const Z4 = modP(Z2 * Z2); // Z⁴
+        const aX2 = modP(X2 * a); // aX²
+        const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+        const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+        if (left !== right)
+            throw new Error('bad point: equation left != right (1)');
+        // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+        const XY = modP(X * Y);
+        const ZT = modP(Z * T);
+        if (XY !== ZT)
+            throw new Error('bad point: equation left != right (2)');
+        return true;
+    });
     // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
     // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
     class Point {
@@ -1995,14 +2234,11 @@ function twistedEdwards(curveDef) {
             this.ey = ey;
             this.ez = ez;
             this.et = et;
-            if (!in0MaskRange(ex))
-                throw new Error('x required');
-            if (!in0MaskRange(ey))
-                throw new Error('y required');
-            if (!in0MaskRange(ez))
-                throw new Error('z required');
-            if (!in0MaskRange(et))
-                throw new Error('t required');
+            aCoordinate('x', ex);
+            aCoordinate('y', ey);
+            aCoordinate('z', ez);
+            aCoordinate('t', et);
+            Object.freeze(this);
         }
         get x() {
             return this.toAffine().x;
@@ -2014,46 +2250,30 @@ function twistedEdwards(curveDef) {
             if (p instanceof Point)
                 throw new Error('extended point not allowed');
             const { x, y } = p || {};
-            if (!in0MaskRange(x) || !in0MaskRange(y))
-                throw new Error('invalid affine point');
+            aCoordinate('x', x);
+            aCoordinate('y', y);
             return new Point(x, y, _1n$3, modP(x * y));
         }
         static normalizeZ(points) {
             const toInv = Fp.invertBatch(points.map((p) => p.ez));
             return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
         }
+        // Multiscalar Multiplication
+        static msm(points, scalars) {
+            return pippenger(Point, Fn, points, scalars);
+        }
         // "Private method", don't use it directly
         _setWindowSize(windowSize) {
-            this._WINDOW_SIZE = windowSize;
-            pointPrecomputes.delete(this);
+            wnaf.setWindowSize(this, windowSize);
         }
         // Not required for fromHex(), which always creates valid points.
         // Could be useful for fromAffine().
         assertValidity() {
-            const { a, d } = CURVE;
-            if (this.is0())
-                throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
-            // Equation in affine coordinates: ax² + y² = 1 + dx²y²
-            // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-            const { ex: X, ey: Y, ez: Z, et: T } = this;
-            const X2 = modP(X * X); // X²
-            const Y2 = modP(Y * Y); // Y²
-            const Z2 = modP(Z * Z); // Z²
-            const Z4 = modP(Z2 * Z2); // Z⁴
-            const aX2 = modP(X2 * a); // aX²
-            const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
-            const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
-            if (left !== right)
-                throw new Error('bad point: equation left != right (1)');
-            // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
-            const XY = modP(X * Y);
-            const ZT = modP(Z * T);
-            if (XY !== ZT)
-                throw new Error('bad point: equation left != right (2)');
+            assertValidMemo(this);
         }
         // Compare one point to another.
         equals(other) {
-            isPoint(other);
+            assertPoint(other);
             const { ex: X1, ey: Y1, ez: Z1 } = this;
             const { ex: X2, ey: Y2, ez: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
@@ -2094,7 +2314,7 @@ function twistedEdwards(curveDef) {
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
         // Cost: 9M + 1*a + 1*d + 7add.
         add(other) {
-            isPoint(other);
+            assertPoint(other);
             const { a, d } = CURVE;
             const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
             const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
@@ -2137,11 +2357,13 @@ function twistedEdwards(curveDef) {
             return this.add(other.negate());
         }
         wNAF(n) {
-            return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
+            return wnaf.wNAFCached(this, n, Point.normalizeZ);
         }
         // Constant-time multiplication.
         multiply(scalar) {
-            const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
+            const n = scalar;
+            aInRange('scalar', n, _1n$3, CURVE_ORDER); // 1 <= scalar < L
+            const { p, f } = this.wNAF(n);
             return Point.normalizeZ([p, f])[0];
         }
         // Non-constant-time multiplication. Uses double-and-add algorithm.
@@ -2149,7 +2371,8 @@ function twistedEdwards(curveDef) {
         // an exposed private key e.g. sig verification.
         // Does NOT allow scalars higher than CURVE.n.
         multiplyUnsafe(scalar) {
-            let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
+            const n = scalar;
+            aInRange('scalar', n, _0n$1, CURVE_ORDER); // 0 <= scalar < L
             if (n === _0n$1)
                 return I;
             if (this.equals(I) || n === _1n$3)
@@ -2173,18 +2396,7 @@ function twistedEdwards(curveDef) {
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
         toAffine(iz) {
-            const { ex: x, ey: y, ez: z } = this;
-            const is0 = this.is0();
-            if (iz == null)
-                iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
-            const ax = modP(x * iz);
-            const ay = modP(y * iz);
-            const zz = modP(z * iz);
-            if (is0)
-                return { x: _0n$1, y: _1n$3 };
-            if (zz !== _1n$3)
-                throw new Error('invZ was invalid');
-            return { x: ax, y: ay };
+            return toAffineMemo(this, iz);
         }
         clearCofactor() {
             const { h: cofactor } = CURVE;
@@ -2198,18 +2410,16 @@ function twistedEdwards(curveDef) {
             const { d, a } = CURVE;
             const len = Fp.BYTES;
             hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
+            abool('zip215', zip215);
             const normed = hex.slice(); // copy again, we'll manipulate it
             const lastByte = hex[len - 1]; // select last byte
             normed[len - 1] = lastByte & ~0x80; // clear last bit
             const y = bytesToNumberLE(normed);
-            if (y === _0n$1) ;
-            else {
-                // RFC8032 prohibits >= p, but ZIP215 doesn't
-                if (zip215)
-                    assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
-                else
-                    assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
-            }
+            // RFC8032 prohibits >= p, but ZIP215 doesn't
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+            const max = zip215 ? MASK : Fp.ORDER;
+            aInRange('pointHex.y', y, _0n$1, max);
             // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
             // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
             const y2 = modP(y * y); // denominator is always non-0 mod p.
@@ -2284,7 +2494,7 @@ function twistedEdwards(curveDef) {
         const R = G.multiply(r).toRawBytes(); // R = rG
         const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
-        assertGE0(s); // 0 <= s < l
+        aInRange('signature.s', s, _0n$1, CURVE_ORDER); // 0 <= s < l
         const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
         return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
     }
@@ -2294,6 +2504,8 @@ function twistedEdwards(curveDef) {
         const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
         sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
         msg = ensureBytes('message', msg);
+        if (zip215 !== undefined)
+            abool('zip215', zip215);
         if (prehash)
             msg = prehash(msg); // for ed25519ph, etc
         const s = bytesToNumberLE(sig.slice(len, 2 * len));
@@ -2386,12 +2598,6 @@ function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
-    // Accepts 0 as well
-    function assertFieldElement(n) {
-        if (typeof n === 'bigint' && _0n <= n && n < P)
-            return n;
-        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
-    }
     // x25519 from 4
     // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
     const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
@@ -2401,11 +2607,12 @@ function montgomery(curveDef) {
      * @param scalar by which the point would be multiplied
      * @returns new Point on Montgomery curve
      */
-    function montgomeryLadder(pointU, scalar) {
-        const u = assertFieldElement(pointU);
+    function montgomeryLadder(u, scalar) {
+        aInRange('u', u, _0n, P);
+        aInRange('scalar', scalar, _0n, P);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = assertFieldElement(scalar);
+        const k = scalar;
         const x_1 = u;
         let x_2 = _1n$2;
         let z_2 = _0n;
@@ -2658,6 +2865,9 @@ function sqrtMod(y) {
     return root;
 }
 const Fp$3 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+/**
+ * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ */
 const secp256k1 = createCurve({
     a: BigInt(0), // equation params: a, b
     b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975