@noble/curves 0.2.1 → 0.3.1

package/README.md

@@ -45,9 +45,9 @@ The library does not have an entry point. It allows you to select specific primi
 
 ```ts
 import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
+import { concatBytes, randomBytes } from '@noble/curves/utils';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
 
 const secp256k1 = weierstrass({
   a: 0n,
@@ -81,9 +81,13 @@ const shared = secp256k1.getSharedSecret(key, someonesPubkey);
 
 ### Overview
 
-* All arithmetics is done with JS bigints in finite fields
-* Curve variables, order (number of points on curve), field prime (over which the modular division would be done)
-  are required
+* To initialize new curve, you must specify its variables, order (number of points on curve), field prime (over which the modular division would be done)
+* All curves expose same generic interface:
+    * `getPublicKey()`, `sign()`, `verify()` functions
+    * `Point` conforming to `Group` interface with add/multiply/double/negate/add/equals methods
+    * `CURVE` object with curve variables like `Gx`, `Gy`, `P` (field), `n` (order)
+    * `utils` object with `randomPrivateKey()`, `mod()`, `invert()` methods (`mod CURVE.P`)
+* All arithmetics is done with JS bigints over finite fields
 * Many features require hashing, which is not provided. `@noble/hashes` can be used for this purpose.
   Any other library must conform to the CHash interface:
     ```ts
@@ -97,17 +101,9 @@ const shared = secp256k1.getSharedSecret(key, someonesPubkey);
   Precomputes are calculated once (takes ~20-40ms), after that most `G` multiplications
   - for example, `getPublicKey()`, `sign()` and similar methods - would be much faster.
   Use `curve.utils.precompute()`
-* Special params that tune performance can be optionally provided.
-  For example, square root calculation, which is commonly used in point decompression routines
-* Curves export `Point`, which conforms to `Group` interface, which has following methods:
-    - `double()`, `negate()`
-    - `add()`, `subtract()`, `equals()`
-    - `multiply()`
-    Every group also has `BASE` (generator) and `ZERO` (infinity) static properties.
-* Curves export `CURVE` object
-* Curves export `utils`:
-    * `randomPrivateKey()` specific for the curve, avoiding modulo bias
-    * `mod()` & `invert()` methods: function from `modular` with default `P` set to CURVE
+* Special params that tune performance can be optionally provided. For example:
+    * `sqrtMod` square root calculation, used for point decompression
+    * `endo` endomorphism options for Koblitz curves
 
 ### edwards: Twisted Edwards curve
 
@@ -119,19 +115,18 @@ Twisted Edwards curve's formula is: ax² + y² = 1 + dx²y².
 ```typescript
 import { twistedEdwards } from '@noble/curves/edwards'; // Twisted Edwards curve
 import { sha512 } from '@noble/hashes/sha512';
-import { div } from '@noble/curves/modular';
+import * as mod from '@noble/curves/modular';
 
 const ed25519 = twistedEdwards({
   a: -1n,
-  d: div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
+  d: mod.div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
   P: 2n ** 255n - 19n,
   n: 2n ** 252n + 27742317777372353535851937790883648493n,
   h: 8n,
   Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n,
   Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
   hash: sha512,
-  randomBytes,
-  adjustScalarBytes(bytes) { // could be no-op
+  adjustScalarBytes(bytes) { // optional
     bytes[0] &= 248;
     bytes[31] &= 127;
     bytes[31] |= 64;

package/lib/crypto.d.ts

@@ -0,0 +1,4 @@
+export declare const crypto: {
+    node?: any;
+    web?: any;
+};

package/lib/crypto.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.crypto = void 0;
+const nodeCrypto = require("crypto");
+exports.crypto = {
+    node: nodeCrypto,
+    web: undefined,
+};

package/lib/cryptoBrowser.d.ts

@@ -0,0 +1,4 @@
+export declare const crypto: {
+    node?: any;
+    web?: any;
+};

package/lib/cryptoBrowser.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.crypto = void 0;
+exports.crypto = {
+    node: undefined,
+    web: typeof self === 'object' && 'crypto' in self ? self.crypto : undefined,
+};

package/lib/definitions/_shortw_utils.d.ts

@@ -0,0 +1,63 @@
+import { CurveType, CHash } from '../weierstrass';
+export declare function getHash(hash: CHash): {
+    hash: CHash;
+    hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => Uint8Array;
+};
+declare type CurveDef = Readonly<Omit<CurveType, 'hash' | 'hmac'>>;
+export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonly<{
+    create: (hash: CHash) => import("../weierstrass").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly P: bigint;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly a: bigint;
+        readonly b: bigint;
+        lowS: boolean;
+        readonly hash: CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        randomBytes: typeof import("../utils").randomBytes;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly sqrtMod?: ((n: bigint) => bigint) | undefined;
+        readonly normalizePrivateKey?: ((key: import("../utils").PrivKey) => import("../utils").PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+    }>;
+    getPublicKey: (privateKey: import("../utils").PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: import("../utils").PrivKey, publicB: import("../weierstrass").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("../utils").Hex, privKey: import("../utils").PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("../utils").Hex) | undefined;
+    } | undefined) => import("../weierstrass").SignatureType;
+    verify: (signature: import("../utils").Hex | import("../weierstrass").SignatureType, msgHash: import("../utils").Hex, publicKey: import("../weierstrass").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("../weierstrass").PointConstructor;
+    JacobianPoint: import("../weierstrass").JacobianPointConstructor;
+    Signature: import("../weierstrass").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: import("../utils").PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("../weierstrass").PubKey) => import("../weierstrass").PointType;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: import("../utils").PrivKey): boolean;
+        hashToPrivateKey: (hash: import("../utils").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;
+export {};

package/lib/definitions/_shortw_utils.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCurve = exports.getHash = void 0;
+const hmac_1 = require("@noble/hashes/hmac");
+const utils_1 = require("@noble/hashes/utils");
+const weierstrass_1 = require("../weierstrass");
+function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => (0, hmac_1.hmac)(hash, key, (0, utils_1.concatBytes)(...msgs)),
+    };
+}
+exports.getHash = getHash;
+function createCurve(curveDef, defHash) {
+    const create = (hash) => (0, weierstrass_1.weierstrass)({ ...curveDef, ...getHash(hash) });
+    return Object.freeze({ ...create(defHash), create });
+}
+exports.createCurve = createCurve;

package/lib/definitions/bn.d.ts

@@ -0,0 +1,7 @@
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
+ * https://github.com/zcash/zcash/issues/2502
+ */
+export declare const bn254: import("../weierstrass").CurveFn;

package/lib/definitions/bn.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bn254 = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const weierstrass_1 = require("../weierstrass");
+const sha256_1 = require("@noble/hashes/sha256");
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
+ * https://github.com/zcash/zcash/issues/2502
+ */
+exports.bn254 = (0, weierstrass_1.weierstrass)({
+    a: BigInt(0),
+    b: BigInt(3),
+    P: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
+    n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+    Gx: BigInt(1),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
+});

package/lib/definitions/ed25519.d.ts

@@ -0,0 +1,49 @@
+import { ExtendedPointType } from '../edwards';
+import { Hex } from '../utils';
+export declare const ED25519_TORSION_SUBGROUP: string[];
+export declare const ed25519: import("../edwards").CurveFn;
+export declare const ed25519ctx: import("../edwards").CurveFn;
+export declare const ed25519ph: import("../edwards").CurveFn;
+export declare const x25519: import("../montgomery").CurveFn;
+declare type ExtendedPoint = ExtendedPointType;
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+export declare class RistrettoPoint {
+    private readonly ep;
+    static BASE: RistrettoPoint;
+    static ZERO: RistrettoPoint;
+    constructor(ep: ExtendedPoint);
+    private static calcElligatorRistrettoMap;
+    /**
+     * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
+     * The hash-to-group operation applies Elligator twice and adds the results.
+     * **Note:** this is one-way map, there is no conversion from point to hash.
+     * https://ristretto.group/formulas/elligator.html
+     * @param hex 64-bit output of a hash function
+     */
+    static hashToCurve(hex: Hex): RistrettoPoint;
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * https://ristretto.group/formulas/decoding.html
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex: Hex): RistrettoPoint;
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * https://ristretto.group/formulas/encoding.html
+     */
+    toRawBytes(): Uint8Array;
+    toHex(): string;
+    toString(): string;
+    equals(other: RistrettoPoint): boolean;
+    add(other: RistrettoPoint): RistrettoPoint;
+    subtract(other: RistrettoPoint): RistrettoPoint;
+    multiply(scalar: number | bigint): RistrettoPoint;
+    multiplyUnsafe(scalar: number | bigint): RistrettoPoint;
+}
+export {};

package/lib/definitions/ed25519.js

@@ -0,0 +1,308 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RistrettoPoint = exports.x25519 = exports.ed25519ph = exports.ed25519ctx = exports.ed25519 = exports.ED25519_TORSION_SUBGROUP = void 0;
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha512_1 = require("@noble/hashes/sha512");
+const utils_1 = require("@noble/hashes/utils");
+const edwards_1 = require("../edwards");
+const montgomery_1 = require("../montgomery");
+const modular_1 = require("../modular");
+const utils_2 = require("../utils");
+/**
+ * ed25519 Twisted Edwards curve with following addons:
+ * - X25519 ECDH
+ * - Ristretto cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ */
+const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const ED25519_SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _5n = BigInt(5);
+// prettier-ignore
+const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+function ed25519_pow_2_252_3(x) {
+    const P = ED25519_P;
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P; // x^3, 11
+    const b4 = ((0, modular_1.pow2)(b2, _2n, P) * b2) % P; // x^15, 1111
+    const b5 = ((0, modular_1.pow2)(b4, _1n, P) * x) % P; // x^31
+    const b10 = ((0, modular_1.pow2)(b5, _5n, P) * b5) % P;
+    const b20 = ((0, modular_1.pow2)(b10, _10n, P) * b10) % P;
+    const b40 = ((0, modular_1.pow2)(b20, _20n, P) * b20) % P;
+    const b80 = ((0, modular_1.pow2)(b40, _40n, P) * b40) % P;
+    const b160 = ((0, modular_1.pow2)(b80, _80n, P) * b80) % P;
+    const b240 = ((0, modular_1.pow2)(b160, _80n, P) * b80) % P;
+    const b250 = ((0, modular_1.pow2)(b240, _10n, P) * b10) % P;
+    const pow_p_5_8 = ((0, modular_1.pow2)(b250, _2n, P) * x) % P;
+    // ^ To pow to (p+3)/8, multiply it by x.
+    return { pow_p_5_8, b2 };
+}
+/**
+ * For X25519, in order to decode 32 random bytes as an integer scalar,
+ * set the
+ * three least significant bits of the first byte 0b1111_1000,
+ * and the most significant bit of the last to zero 0b0111_1111,
+ * set the second most significant bit of the last byte to 1 0b0100_0000
+ */
+function adjustScalarBytes(bytes) {
+    bytes[0] &= 248;
+    bytes[31] &= 127;
+    bytes[31] |= 64;
+    return bytes;
+}
+// sqrt(u/v)
+function uvRatio(u, v) {
+    const P = ED25519_P;
+    const v3 = (0, modular_1.mod)(v * v * v, P); // v³
+    const v7 = (0, modular_1.mod)(v3 * v3 * v, P); // v⁷
+    // (p+3)/8 and (p-5)/8
+    const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+    let x = (0, modular_1.mod)(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
+    const vx2 = (0, modular_1.mod)(v * x * x, P); // vx²
+    const root1 = x; // First root candidate
+    const root2 = (0, modular_1.mod)(x * ED25519_SQRT_M1, P); // Second root candidate
+    const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
+    const useRoot2 = vx2 === (0, modular_1.mod)(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
+    const noRoot = vx2 === (0, modular_1.mod)(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2; // We return root2 anyway, for const-time
+    if ((0, modular_1.isNegativeLE)(x, P))
+        x = (0, modular_1.mod)(-x, P);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+// Just in case
+exports.ED25519_TORSION_SUBGROUP = [
+    '0100000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+    '0000000000000000000000000000000000000000000000000000000000000080',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+    '0000000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    P: ED25519_P,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512_1.sha512,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+};
+exports.ed25519 = (0, edwards_1.twistedEdwards)(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+exports.ed25519ctx = (0, edwards_1.twistedEdwards)({ ...ED25519_DEF, domain: ed25519_domain });
+exports.ed25519ph = (0, edwards_1.twistedEdwards)({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512_1.sha512,
+});
+exports.x25519 = (0, montgomery_1.montgomery)({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return (0, modular_1.mod)((0, modular_1.pow2)(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// √(ad - 1)
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+// 1 / √(a-d)
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+// 1-d²
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+// (d-1)²
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+// Calculates 1/√(number)
+const invertSqrt = (number) => uvRatio(_1n, number);
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const bytes255ToNumberLE = (bytes) => exports.ed25519.utils.mod((0, utils_2.bytesToNumberLE)(bytes) & MAX_255B);
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+class RistrettoPoint {
+    // Private property to discourage combining ExtendedPoint + RistrettoPoint
+    // Always use Ristretto encoding/decoding instead.
+    constructor(ep) {
+        this.ep = ep;
+    }
+    // Computes Elligator map for Ristretto
+    // https://ristretto.group/formulas/elligator.html
+    static calcElligatorRistrettoMap(r0) {
+        const { d, P } = exports.ed25519.CURVE;
+        const { mod } = exports.ed25519.utils;
+        const r = mod(SQRT_M1 * r0 * r0); // 1
+        const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
+        let c = BigInt(-1); // 3
+        const D = mod((c - d * r) * mod(r + d)); // 4
+        let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
+        let s_ = mod(s * r0); // 6
+        if (!(0, modular_1.isNegativeLE)(s_, P))
+            s_ = mod(-s_);
+        if (!Ns_D_is_sq)
+            s = s_; // 7
+        if (!Ns_D_is_sq)
+            c = r; // 8
+        const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
+        const s2 = s * s;
+        const W0 = mod((s + s) * D); // 10
+        const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
+        const W2 = mod(_1n - s2); // 12
+        const W3 = mod(_1n + s2); // 13
+        return new exports.ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+    }
+    /**
+     * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
+     * The hash-to-group operation applies Elligator twice and adds the results.
+     * **Note:** this is one-way map, there is no conversion from point to hash.
+     * https://ristretto.group/formulas/elligator.html
+     * @param hex 64-bit output of a hash function
+     */
+    static hashToCurve(hex) {
+        hex = (0, utils_2.ensureBytes)(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = this.calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = this.calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * https://ristretto.group/formulas/decoding.html
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex) {
+        hex = (0, utils_2.ensureBytes)(hex, 32);
+        const { a, d, P } = exports.ed25519.CURVE;
+        const { mod } = exports.ed25519.utils;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+        // 3. Check that s is non-negative, or else abort
+        if (!(0, utils_2.equalBytes)((0, utils_2.numberToBytesLE)(s, 32), hex) || (0, modular_1.isNegativeLE)(s, P))
+            throw new Error(emsg);
+        const s2 = mod(s * s);
+        const u1 = mod(_1n + a * s2); // 4 (a is -1)
+        const u2 = mod(_1n - a * s2); // 5
+        const u1_2 = mod(u1 * u1);
+        const u2_2 = mod(u2 * u2);
+        const v = mod(a * d * u1_2 - u2_2); // 6
+        const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
+        const Dx = mod(I * u2); // 8
+        const Dy = mod(I * Dx * v); // 9
+        let x = mod((s + s) * Dx); // 10
+        if ((0, modular_1.isNegativeLE)(x, P))
+            x = mod(-x); // 10
+        const y = mod(u1 * Dy); // 11
+        const t = mod(x * y); // 12
+        if (!isValid || (0, modular_1.isNegativeLE)(t, P) || y === _0n)
+            throw new Error(emsg);
+        return new RistrettoPoint(new exports.ed25519.ExtendedPoint(x, y, _1n, t));
+    }
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * https://ristretto.group/formulas/encoding.html
+     */
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const { P } = exports.ed25519.CURVE;
+        const { mod } = exports.ed25519.utils;
+        const u1 = mod(mod(z + y) * mod(z - y)); // 1
+        const u2 = mod(x * y); // 2
+        // Square root always exists
+        const u2sq = mod(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
+        const D1 = mod(invsqrt * u1); // 4
+        const D2 = mod(invsqrt * u2); // 5
+        const zInv = mod(D1 * D2 * t); // 6
+        let D; // 7
+        if ((0, modular_1.isNegativeLE)(t * zInv, P)) {
+            let _x = mod(y * SQRT_M1);
+            let _y = mod(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2; // 8
+        }
+        if ((0, modular_1.isNegativeLE)(x * zInv, P))
+            y = mod(-y); // 9
+        let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
+        if ((0, modular_1.isNegativeLE)(s, P))
+            s = mod(-s);
+        return (0, utils_2.numberToBytesLE)(s, 32); // 11
+    }
+    toHex() {
+        return (0, utils_2.bytesToHex)(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    // Compare one point to another.
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const { mod } = exports.ed25519.utils;
+        // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
+        const one = mod(a.x * b.y) === mod(a.y * b.x);
+        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+exports.RistrettoPoint = RistrettoPoint;
+RistrettoPoint.BASE = new RistrettoPoint(exports.ed25519.ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(exports.ed25519.ExtendedPoint.ZERO);

package/lib/definitions/ed448.d.ts

@@ -0,0 +1,3 @@
+export declare const ed448: import("../edwards").CurveFn;
+export declare const ed448ph: import("../edwards").CurveFn;
+export declare const x448: import("../montgomery").CurveFn;