@noble/curves 0.2.1 → 0.3.1

package/lib/esm/definitions/ed25519.js

@@ -0,0 +1,304 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha512 } from '@noble/hashes/sha512';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { twistedEdwards } from '../edwards';
+import { montgomery } from '../montgomery';
+import { mod, pow2, isNegativeLE } from '../modular';
+import { ensureBytes, equalBytes, bytesToHex, bytesToNumberLE, numberToBytesLE, } from '../utils';
+/**
+ * ed25519 Twisted Edwards curve with following addons:
+ * - X25519 ECDH
+ * - Ristretto cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ */
+const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const ED25519_SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _5n = BigInt(5);
+// prettier-ignore
+const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+function ed25519_pow_2_252_3(x) {
+    const P = ED25519_P;
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P; // x^3, 11
+    const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
+    const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
+    const b10 = (pow2(b5, _5n, P) * b5) % P;
+    const b20 = (pow2(b10, _10n, P) * b10) % P;
+    const b40 = (pow2(b20, _20n, P) * b20) % P;
+    const b80 = (pow2(b40, _40n, P) * b40) % P;
+    const b160 = (pow2(b80, _80n, P) * b80) % P;
+    const b240 = (pow2(b160, _80n, P) * b80) % P;
+    const b250 = (pow2(b240, _10n, P) * b10) % P;
+    const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
+    // ^ To pow to (p+3)/8, multiply it by x.
+    return { pow_p_5_8, b2 };
+}
+/**
+ * For X25519, in order to decode 32 random bytes as an integer scalar,
+ * set the
+ * three least significant bits of the first byte 0b1111_1000,
+ * and the most significant bit of the last to zero 0b0111_1111,
+ * set the second most significant bit of the last byte to 1 0b0100_0000
+ */
+function adjustScalarBytes(bytes) {
+    bytes[0] &= 248;
+    bytes[31] &= 127;
+    bytes[31] |= 64;
+    return bytes;
+}
+// sqrt(u/v)
+function uvRatio(u, v) {
+    const P = ED25519_P;
+    const v3 = mod(v * v * v, P); // v³
+    const v7 = mod(v3 * v3 * v, P); // v⁷
+    // (p+3)/8 and (p-5)/8
+    const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+    let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
+    const vx2 = mod(v * x * x, P); // vx²
+    const root1 = x; // First root candidate
+    const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
+    const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
+    const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
+    const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2; // We return root2 anyway, for const-time
+    if (isNegativeLE(x, P))
+        x = mod(-x, P);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+// Just in case
+export const ED25519_TORSION_SUBGROUP = [
+    '0100000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+    '0000000000000000000000000000000000000000000000000000000000000080',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+    '0000000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    P: ED25519_P,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+};
+export const ed25519 = twistedEdwards(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
+export const ed25519ph = twistedEdwards({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512,
+});
+export const x25519 = montgomery({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// √(ad - 1)
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+// 1 / √(a-d)
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+// 1-d²
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+// (d-1)²
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+// Calculates 1/√(number)
+const invertSqrt = (number) => uvRatio(_1n, number);
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const bytes255ToNumberLE = (bytes) => ed25519.utils.mod(bytesToNumberLE(bytes) & MAX_255B);
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+export class RistrettoPoint {
+    // Private property to discourage combining ExtendedPoint + RistrettoPoint
+    // Always use Ristretto encoding/decoding instead.
+    constructor(ep) {
+        this.ep = ep;
+    }
+    // Computes Elligator map for Ristretto
+    // https://ristretto.group/formulas/elligator.html
+    static calcElligatorRistrettoMap(r0) {
+        const { d, P } = ed25519.CURVE;
+        const { mod } = ed25519.utils;
+        const r = mod(SQRT_M1 * r0 * r0); // 1
+        const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
+        let c = BigInt(-1); // 3
+        const D = mod((c - d * r) * mod(r + d)); // 4
+        let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
+        let s_ = mod(s * r0); // 6
+        if (!isNegativeLE(s_, P))
+            s_ = mod(-s_);
+        if (!Ns_D_is_sq)
+            s = s_; // 7
+        if (!Ns_D_is_sq)
+            c = r; // 8
+        const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
+        const s2 = s * s;
+        const W0 = mod((s + s) * D); // 10
+        const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
+        const W2 = mod(_1n - s2); // 12
+        const W3 = mod(_1n + s2); // 13
+        return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+    }
+    /**
+     * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
+     * The hash-to-group operation applies Elligator twice and adds the results.
+     * **Note:** this is one-way map, there is no conversion from point to hash.
+     * https://ristretto.group/formulas/elligator.html
+     * @param hex 64-bit output of a hash function
+     */
+    static hashToCurve(hex) {
+        hex = ensureBytes(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = this.calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = this.calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * https://ristretto.group/formulas/decoding.html
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex) {
+        hex = ensureBytes(hex, 32);
+        const { a, d, P } = ed25519.CURVE;
+        const { mod } = ed25519.utils;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+        // 3. Check that s is non-negative, or else abort
+        if (!equalBytes(numberToBytesLE(s, 32), hex) || isNegativeLE(s, P))
+            throw new Error(emsg);
+        const s2 = mod(s * s);
+        const u1 = mod(_1n + a * s2); // 4 (a is -1)
+        const u2 = mod(_1n - a * s2); // 5
+        const u1_2 = mod(u1 * u1);
+        const u2_2 = mod(u2 * u2);
+        const v = mod(a * d * u1_2 - u2_2); // 6
+        const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
+        const Dx = mod(I * u2); // 8
+        const Dy = mod(I * Dx * v); // 9
+        let x = mod((s + s) * Dx); // 10
+        if (isNegativeLE(x, P))
+            x = mod(-x); // 10
+        const y = mod(u1 * Dy); // 11
+        const t = mod(x * y); // 12
+        if (!isValid || isNegativeLE(t, P) || y === _0n)
+            throw new Error(emsg);
+        return new RistrettoPoint(new ed25519.ExtendedPoint(x, y, _1n, t));
+    }
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * https://ristretto.group/formulas/encoding.html
+     */
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const { P } = ed25519.CURVE;
+        const { mod } = ed25519.utils;
+        const u1 = mod(mod(z + y) * mod(z - y)); // 1
+        const u2 = mod(x * y); // 2
+        // Square root always exists
+        const u2sq = mod(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
+        const D1 = mod(invsqrt * u1); // 4
+        const D2 = mod(invsqrt * u2); // 5
+        const zInv = mod(D1 * D2 * t); // 6
+        let D; // 7
+        if (isNegativeLE(t * zInv, P)) {
+            let _x = mod(y * SQRT_M1);
+            let _y = mod(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2; // 8
+        }
+        if (isNegativeLE(x * zInv, P))
+            y = mod(-y); // 9
+        let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
+        if (isNegativeLE(s, P))
+            s = mod(-s);
+        return numberToBytesLE(s, 32); // 11
+    }
+    toHex() {
+        return bytesToHex(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    // Compare one point to another.
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const { mod } = ed25519.utils;
+        // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
+        const one = mod(a.x * b.y) === mod(a.y * b.x);
+        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+RistrettoPoint.BASE = new RistrettoPoint(ed25519.ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(ed25519.ExtendedPoint.ZERO);

package/lib/esm/definitions/ed448.js

@@ -0,0 +1,124 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { shake256 } from '@noble/hashes/sha3';
+import { concatBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
+import { twistedEdwards } from '../edwards';
+import { mod, pow2 } from '../modular';
+import { montgomery } from '../montgomery';
+/**
+ * Edwards448 (not Ed448-Goldilocks) curve with following addons:
+ * * X448 ECDH
+ * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
+ */
+const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
+const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
+// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
+function ed448_pow_Pminus3div4(x) {
+    const P = ed448P;
+    // prettier-ignore
+    let [_1n, _2n, _3n, _11n, _22n, _44n, _88n, _223n] = [1, 2, 3, 11, 22, 44, 88, 223]
+        .map(n => BigInt(n));
+    // x ** ((P - 3n)/4n) % P
+    // [223 of 1, 0, 222 of 1], almost same as secp!
+    const b2 = (x * x * x) % P;
+    const b3 = (b2 * b2 * x) % P;
+    const b6 = (pow2(b3, _3n, P) * b3) % P;
+    const b9 = (pow2(b6, _3n, P) * b3) % P;
+    const b11 = (pow2(b9, _2n, P) * b2) % P;
+    const b22 = (pow2(b11, _11n, P) * b11) % P;
+    const b44 = (pow2(b22, _22n, P) * b22) % P;
+    const b88 = (pow2(b44, _44n, P) * b44) % P;
+    const b176 = (pow2(b88, _88n, P) * b88) % P;
+    const b220 = (pow2(b176, _44n, P) * b44) % P;
+    const b222 = (pow2(b220, _2n, P) * b2) % P;
+    const b223 = (pow2(b222, _1n, P) * x) % P;
+    return (pow2(b223, _223n, P) * b222) % P;
+}
+function adjustScalarBytes(bytes) {
+    // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
+    // significant bit of the last byte to 1.
+    bytes[0] &= 252; // 0b11111100
+    // and the most significant bit of the last byte to 1.
+    bytes[55] |= 128; // 0b10000000
+    // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
+    bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
+    return bytes;
+}
+const ED448_DEF = {
+    // Param: a
+    a: BigInt(1),
+    // -39081. Negative number is P - number
+    d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
+    P: ed448P,
+    // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
+    nBitLength: 456,
+    // Cofactor
+    h: BigInt(4),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
+    Gy: BigInt('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
+    // SHAKE256(dom4(phflag,context)||x, 114)
+    hash: shake256_114,
+    adjustScalarBytes,
+    // dom4
+    domain: (data, ctx, phflag) => {
+        if (ctx.length > 255)
+            throw new Error(`Context is too big: ${ctx.length}`);
+        return concatBytes(utf8ToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+    },
+    // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
+    // Uses algo from RFC8032 5.1.3.
+    uvRatio: (u, v) => {
+        const P = ed448P;
+        // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
+        // To compute the square root of (u/v), the first step is to compute the
+        //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
+        // following trick, to use a single modular powering for both the
+        // inversion of v and the square root:
+        //           (p+1)/4    3            (p-3)/4
+        // x = (u/v)        = u  v (u^5 v^3)         (mod p)
+        const u2v = mod(u * u * v, P);
+        const u3v = mod(u2v * u, P); // u^2v
+        const u5v3 = mod(u3v * u2v * v, P); // u^5v^3
+        const root = ed448_pow_Pminus3div4(u5v3);
+        const x = mod(u3v * root, P);
+        // Verify that root is exists
+        const x2 = mod(x * x, P); // x^2
+        // If v * x^2 = u, the recovered x-coordinate is x.  Otherwise, no
+        // square root exists, and the decoding fails.
+        return { isValid: mod(x2 * v, P) === u, value: x };
+    },
+};
+export const ed448 = twistedEdwards(ED448_DEF);
+// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
+export const x448 = montgomery({
+    a24: BigInt(39081),
+    montgomeryBits: 448,
+    nByteLength: 57,
+    P: ed448P,
+    Gu: '0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ed448P;
+        const Pminus3div4 = ed448_pow_Pminus3div4(x);
+        const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
+        return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
+    },
+    adjustScalarBytes,
+    // The 4-isogeny maps between the Montgomery curve and this Edwards
+    // curve are:
+    //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
+    //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
+    //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
+    //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
+    // xyToU: (p: PointType) => {
+    //   const P = ed448P;
+    //   const { x, y } = p;
+    //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
+    //   const invX = invert(x * x, P); // x^2
+    //   const u = mod(y * y * invX, P); // (y^2/x^2)
+    //   return numberToBytesLE(u, 56);
+    // },
+});

package/lib/esm/definitions/index.js

@@ -0,0 +1,2 @@
+"use strict";
+throw new Error('Incorrect usage. Import submodules instead');

package/lib/esm/definitions/jubjub.js

@@ -0,0 +1,50 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { twistedEdwards } from '../edwards';
+import { blake2s } from '@noble/hashes/blake2s';
+/**
+ * jubjub Twisted Edwards curve.
+ * https://neuromancer.sk/std/other/JubJub
+ */
+export const jubjub = twistedEdwards({
+    // Params: a, d
+    a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+    d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+    // Finite field 𝔽p over which we'll do calculations
+    P: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'),
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+    Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+    hash: sha256,
+});
+const GH_FIRST_BLOCK = utf8ToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
+// Returns point at JubJub curve which is prime order and not zero
+export function groupHash(tag, personalization) {
+    const h = blake2s.create({ personalization, dkLen: 32 });
+    h.update(GH_FIRST_BLOCK);
+    h.update(tag);
+    // NOTE: returns ExtendedPoint, in case it will be multiplied later
+    let p = jubjub.ExtendedPoint.fromAffine(jubjub.Point.fromHex(h.digest()));
+    // NOTE: cannot replace with isSmallOrder, returns Point*8
+    p = p.multiply(jubjub.CURVE.h);
+    if (p.equals(jubjub.ExtendedPoint.ZERO))
+        throw new Error('Point has small order');
+    return p;
+}
+export function findGroupHash(m, personalization) {
+    const tag = concatBytes(m, new Uint8Array([0]));
+    for (let i = 0; i < 256; i++) {
+        tag[tag.length - 1] = i;
+        try {
+            return groupHash(tag, personalization);
+        }
+        catch (e) { }
+    }
+    throw new Error('findGroupHash tag overflow');
+}

package/lib/esm/definitions/p192.js

@@ -0,0 +1,20 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha256 } from '@noble/hashes/sha256';
+// NIST secp192r1 aka P192
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
+export const P192 = createCurve({
+    // Params: a, b
+    a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffc'),
+    b: BigInt('0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1'),
+    // Field over which we'll do calculations; 2n ** 192n - 2n ** 64n - 1n
+    P: BigInt('0xfffffffffffffffffffffffffffffffeffffffffffffffff'),
+    // Curve order, total count of valid points in the field.
+    n: BigInt('0xffffffffffffffffffffffff99def836146bc9b1b4d22831'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012'),
+    Gy: BigInt('0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811'),
+    h: BigInt(1),
+    lowS: false,
+}, sha256);
+export const secp192r1 = P192;

package/lib/esm/definitions/p224.js

@@ -0,0 +1,21 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha256 } from '@noble/hashes/sha256';
+// NIST secp224r1 aka P224
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-224
+export const P224 = createCurve({
+    // Params: a, b
+    a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe'),
+    b: BigInt('0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4'),
+    // Field over which we'll do calculations; 2n**224n - 2n**96n + 1n
+    P: BigInt('0xffffffffffffffffffffffffffffffff000000000000000000000001'),
+    // Curve order, total count of valid points in the field
+    n: BigInt('0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21'),
+    Gy: BigInt('0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34'),
+    h: BigInt(1),
+    lowS: false,
+}, sha256 // TODO: replace with sha224 when new @noble/hashes released
+);
+export const secp224r1 = P224;

package/lib/esm/definitions/p256.js

@@ -0,0 +1,20 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha256 } from '@noble/hashes/sha256';
+// NIST secp256r1 aka P256
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
+export const P256 = createCurve({
+    // Params: a, b
+    a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+    b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
+    // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+    P: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
+    // Curve order, total count of valid points in the field
+    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+    h: BigInt(1),
+    lowS: false,
+}, sha256);
+export const secp256r1 = P256;

package/lib/esm/definitions/p384.js

@@ -0,0 +1,21 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha384 } from '@noble/hashes/sha512';
+// NIST secp384r1 aka P384
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
+// prettier-ignore
+export const P384 = createCurve({
+    // Params: a, b
+    a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
+    b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
+    // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+    P: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
+    // Curve order, total count of valid points in the field.
+    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+    h: BigInt(1),
+    lowS: false,
+}, sha384);
+export const secp384r1 = P384;

package/lib/esm/definitions/p521.js

@@ -0,0 +1,33 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha512 } from '@noble/hashes/sha512';
+import { bytesToHex } from '../utils';
+// NIST secp521r1 aka P521
+// Note that it's 521, which differs from 512 of its hash function.
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
+// prettier-ignore
+export const P521 = createCurve({
+    // Params: a, b
+    a: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
+    b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
+    // Field over which we'll do calculations; 2n**521n - 1n
+    P: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
+    // Curve order, total count of valid points in the field
+    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
+    Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
+    h: BigInt(1),
+    lowS: false,
+    normalizePrivateKey(key) {
+        if (typeof key === 'bigint')
+            return key;
+        if (key instanceof Uint8Array)
+            key = bytesToHex(key);
+        if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
+            throw new Error('Invalid key');
+        }
+        return key.padStart(66 * 2, '0');
+    }
+}, sha512);
+export const secp521r1 = P521;

package/lib/esm/definitions/pasta.js

@@ -0,0 +1,29 @@
+/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from '../weierstrass';
+import { getHash } from './_shortw_utils.js';
+import * as mod from '../modular';
+const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
+const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
+// https://neuromancer.sk/std/other/Pallas
+export const pallas = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    P: p,
+    n: q,
+    Gx: mod.mod(BigInt(-1), p),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});
+// https://neuromancer.sk/std/other/Vesta
+export const vesta = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    P: q,
+    n: p,
+    Gx: mod.mod(BigInt(-1), q),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});