Add and update @noble/curves (#6320)

ernestognw · Amxx · web-flow · commit 43ea73bc10bd · 2026-01-30T12:46:39.000-06:00
Co-authored-by: Hadrien Croubois &lt;hadrien.croubois@gmail.com&gt;
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -58,6 +58,7 @@
     "@changesets/read": "^0.6.0",
     "@eslint/compat": "^1.2.1",
     "@ethereumjs/mpt": "^10.1.0",
+    "@noble/curves": "^2.0.1",
     "@nomicfoundation/hardhat-chai-matchers": "^2.0.6",
     "@nomicfoundation/hardhat-ethers": "^3.0.9",
     "@nomicfoundation/hardhat-network-helpers": "^1.0.13",
diff --git a/test/helpers/signers.js b/test/helpers/signers.js
@@ -1,5 +1,5 @@
 const { ethers } = require('ethers');
-const { secp256r1 } = require('@noble/curves/p256');
+const { p256 } = require('@noble/curves/nist.js');
 const { generateKeyPairSync, privateEncrypt } = require('crypto');
 
 // Lightweight version of BaseWallet
@@ -68,15 +68,15 @@ class P256SigningKey {
   }
 
   static random() {
-    return new this(secp256r1.utils.randomPrivateKey());
+    return new this(p256.utils.randomSecretKey());
   }
 
   get privateKey() {
     return ethers.hexlify(this.#privateKey);
   }
 
   get publicKey() {
-    const publicKeyBytes = secp256r1.getPublicKey(this.#privateKey, false);
+    const publicKeyBytes = p256.getPublicKey(this.#privateKey, false);
     return {
       qx: ethers.hexlify(publicKeyBytes.slice(0x01, 0x21)),
       qy: ethers.hexlify(publicKeyBytes.slice(0x21, 0x41)),
@@ -86,12 +86,15 @@ class P256SigningKey {
   sign(digest /*: BytesLike*/) /*: ethers.Signature*/ {
     ethers.assertArgument(ethers.dataLength(digest) === 32, 'invalid digest length', 'digest', digest);
 
-    const sig = secp256r1.sign(ethers.getBytesCopy(digest), ethers.getBytesCopy(this.#privateKey), { lowS: true });
+    const rawSignature = p256.sign(ethers.getBytes(digest), ethers.getBytes(this.#privateKey), {
+      prehash: false,
+      format: 'recovered',
+    });
 
     return ethers.Signature.from({
-      r: ethers.toBeHex(sig.r, 32),
-      s: ethers.toBeHex(sig.s, 32),
-      v: sig.recovery ? 0x1c : 0x1b,
+      r: ethers.hexlify(rawSignature.slice(0x01, 0x21)),
+      s: ethers.hexlify(rawSignature.slice(0x21, 0x41)),
+      v: rawSignature[0] ? 0x1c : 0x1b,
     });
   }
 }
diff --git a/test/utils/cryptography/ECDSA.test.js b/test/utils/cryptography/ECDSA.test.js
@@ -1,7 +1,7 @@
 const { ethers } = require('hardhat');
 const { expect } = require('chai');
 const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers');
-const { secp256k1 } = require('@noble/curves/secp256k1');
+const { secp256k1 } = require('@noble/curves/secp256k1.js');
 
 const TEST_MESSAGE = ethers.id('OpenZeppelin');
 const WRONG_MESSAGE = ethers.id('Nope');
@@ -245,7 +245,7 @@ describe('ECDSA', function () {
 
       // In ethers v6.15.0+, the library no longer throws 'non-canonical s' error for high-s signatures. This
       // assertion verifies we are in fact dealing with a high-s value that the ECDSA library should reject.
-      expect(ethers.toBigInt(s)).to.be.gt(secp256k1.CURVE.n / 2n);
+      expect(ethers.toBigInt(s)).to.be.gt(secp256k1.Point.Fn.ORDER / 2n);
 
       await expect(this.mock.$recover(message, highSSignature))
         .to.be.revertedWithCustomError(this.mock, 'ECDSAInvalidSignatureS')
diff --git a/test/utils/cryptography/P256.test.js b/test/utils/cryptography/P256.test.js
@@ -1,30 +1,22 @@
 const { ethers } = require('hardhat');
 const { expect } = require('chai');
-const { secp256r1 } = require('@noble/curves/p256');
+const { p256 } = require('@noble/curves/nist.js');
 const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers');
 
 const N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n;
 
-// As in ECDSA, signatures are malleable and the tooling produce both high and low S values.
-// We need to ensure that the s value is in the lower half of the order of the curve.
-const ensureLowerOrderS = ({ s, recovery, ...rest }) => {
-  if (s > N / 2n) {
-    s = N - s;
-    recovery = 1 - recovery;
-  }
-  return { s, recovery, ...rest };
-};
-
 const prepareSignature = (
-  privateKey = secp256r1.utils.randomPrivateKey(),
+  privateKey = p256.utils.randomSecretKey(),
   messageHash = ethers.hexlify(ethers.randomBytes(0x20)),
 ) => {
   const publicKey = [
-    secp256r1.getPublicKey(privateKey, false).slice(0x01, 0x21),
-    secp256r1.getPublicKey(privateKey, false).slice(0x21, 0x41),
+    p256.getPublicKey(privateKey, false).slice(0x01, 0x21),
+    p256.getPublicKey(privateKey, false).slice(0x21, 0x41),
   ].map(ethers.hexlify);
-  const { r, s, recovery } = ensureLowerOrderS(secp256r1.sign(messageHash.replace(/0x/, ''), privateKey));
-  const signature = [r, s].map(v => ethers.toBeHex(v, 0x20));
+
+  const rawSignature = p256.sign(ethers.getBytes(messageHash), privateKey, { prehash: false, format: 'recovered' });
+  const signature = [ethers.hexlify(rawSignature.slice(0x01, 0x21)), ethers.hexlify(rawSignature.slice(0x21, 0x41))];
+  const recovery = rawSignature[0];
 
   return { privateKey, publicKey, signature, recovery, messageHash };
 };
