@noble/curves 0.4.0 → 0.5.0

package/README.md

@@ -1,38 +1,44 @@
 # noble-curves
 
-Minimal, zero-dependency JS implementation of elliptic curve cryptography.
-
-- Short Weierstrass curve with ECDSA signatures
-- Twisted Edwards curve with EdDSA signatures
-- Montgomery curve for ECDH key agreement
-
-To keep the package minimal, no curve definitions are provided out-of-box. Use `micro-curve-definitions` module:
-
-- It provides P192, P224, P256, P384, P521, secp256k1, stark curve, bn254, pasta (pallas/vesta) short weierstrass curves
-- It also provides ed25519 and ed448 twisted edwards curves
-- Main reason for separate package is the fact hashing library (like `@noble/hashes`) is required for full functionality
-- We may reconsider merging packages in future, when a stable version would be ready
-
-Future plans:
-
-- hash to curve standard
-- point indistinguishability
-- pairings
+Minimal, auditable JS implementation of elliptic curve cryptography.
+
+- Short Weierstrass, Edwards, Montgomery curves
+- ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
+- [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
+  for encoding or hashing an arbitrary string to a point on an elliptic curve
+- Auditable, [fast](#speed)
+- 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
+- 🔍 Unique tests ensure correctness. Wycheproof vectors included
+
+There are two parts of the package:
+
+1. `abstract/` directory specifies zero-dependency EC algorithms
+2. root directory utilizes one dependency `@noble/hashes` and provides ready-to-use:
+   - NIST curves secp192r1/P192, secp224r1/P224, secp256r1/P256, secp384r1/P384, secp521r1/P521
+   - SECG curve secp256k1
+   - pairing-friendly curves bls12-381, bn254
+   - ed25519/curve25519/x25519/ristretto, edwards448/curve448/x448 RFC7748 / RFC8032 / ZIP215 stuff
+
+Curves incorporate work from previous noble packages
+([secp256k1](https://github.com/paulmillr/noble-secp256k1),
+[ed25519](https://github.com/paulmillr/noble-ed25519),
+[bls12-381](https://github.com/paulmillr/noble-bls12-381)),
+which had security audits and were developed from 2019 to 2022.
+The goal is to replace them with lean UMD builds based on single-codebase noble-curves.
 
 ### This library belongs to _noble_ crypto
 
 > **noble-crypto** — high-security, easily auditable set of contained cryptographic libraries and tools.
 
-- No dependencies, small files
+- Minimal dependencies, small files
 - Easily auditable TypeScript/JS code
 - Supported in all major browsers and stable node.js versions
 - All releases are signed with PGP keys
 - Check out [homepage](https://paulmillr.com/noble/) & all libraries:
-  [secp256k1](https://github.com/paulmillr/noble-secp256k1),
+  [curves](https://github.com/paulmillr/noble-curves) ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
   [ed25519](https://github.com/paulmillr/noble-ed25519),
-  [bls12-381](https://github.com/paulmillr/noble-bls12-381),
-  [hashes](https://github.com/paulmillr/noble-hashes),
-  [curves](https://github.com/paulmillr/noble-curves)
+  [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
+  [hashes](https://github.com/paulmillr/noble-hashes)
 
 ## Usage
 
@@ -44,82 +50,122 @@ Use NPM in node.js / browser, or include single file from
 The library does not have an entry point. It allows you to select specific primitives and drop everything else. If you only want to use secp256k1, just use the library with rollup or other bundlers. This is done to make your bundles tiny.
 
 ```ts
-import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
-import { sha256 } from '@noble/hashes/sha256';
-import { hmac } from '@noble/hashes/hmac';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
-
-const secp256k1 = weierstrass({
-  a: 0n,
-  b: 7n,
-  P: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
-  n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
-  Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
-  Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
-  hash: sha256,
-  hmac: (k: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)),
-});
+// Common.js and ECMAScript Modules (ESM)
+import { secp256k1 } from '@noble/curves/secp256k1';
 
 const key = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(key);
-const msg = randomBytes(32);
+const msg = new Uint8Array(32).fill(1);
 const sig = secp256k1.sign(msg, key);
-secp256k1.verify(sig, msg, pub); // true
-sig.recoverPublicKey(msg); // == pub
-const someonesPubkey = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
-const shared = secp256k1.getSharedSecret(key, someonesPubkey);
+secp256k1.verify(sig, msg, pub) === true;
+sig.recoverPublicKey(msg) === pub;
+const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
+const shared = secp256k1.getSharedSecret(key, someonesPub);
+```
+
+All curves:
+
+```ts
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
+import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
+import { p256 } from '@noble/curves/p256';
+import { p384 } from '@noble/curves/p384';
+import { p521 } from '@noble/curves/p521';
+import { pallas, vesta } from '@noble/curves/pasta';
+import * as stark from '@noble/curves/stark';
+import { bls12_381 } from '@noble/curves/bls12-381';
+import { bn254 } from '@noble/curves/bn';
+import { jubjub } from '@noble/curves/jubjub';
 ```
 
+To define a custom curve, check out API below.
+
 ## API
 
 - [Overview](#overview)
-- [edwards: Twisted Edwards curve](#edwards-twisted-edwards-curve)
-- [montgomery: Montgomery curve](#montgomery-montgomery-curve)
-- [weierstrass: Short Weierstrass curve](#weierstrass-short-weierstrass-curve)
-- [modular](#modular)
-- [utils](#utils)
+- [abstract/edwards: Twisted Edwards curve](#abstract/edwards-twisted-edwards-curve)
+- [abstract/montgomery: Montgomery curve](#abstract/montgomery-montgomery-curve)
+- [abstract/weierstrass: Short Weierstrass curve](#abstract/weierstrass-short-weierstrass-curve)
+- [abstract/modular](#abstract/modular)
+- [abstract/utils](#abstract/utils)
 
 ### Overview
 
-* To initialize new curve, you must specify its variables, order (number of points on curve), field prime (over which the modular division would be done)
-* All curves expose same generic interface:
-    * `getPublicKey()`, `sign()`, `verify()` functions
-    * `Point` conforming to `Group` interface with add/multiply/double/negate/add/equals methods
-    * `CURVE` object with curve variables like `Gx`, `Gy`, `P` (field), `n` (order)
-    * `utils` object with `randomPrivateKey()`, `mod()`, `invert()` methods (`mod CURVE.P`)
-* All arithmetics is done with JS bigints over finite fields
-* Many features require hashing, which is not provided. `@noble/hashes` can be used for this purpose.
+There are following zero-dependency abstract algorithms:
+
+```ts
+import { bls } from '@noble/curves/abstract/bls';
+import { twistedEdwards } from '@noble/curves/abstract/edwards';
+import { montgomery } from '@noble/curves/abstract/montgomery';
+import { weierstrass } from '@noble/curves/abstract/weierstrass';
+import * as mod from '@noble/curves/abstract/modular';
+import * as utils from '@noble/curves/abstract/utils';
+```
+
+They allow to define a new curve in a few lines of code:
+
+```ts
+import { Fp } from '@noble/curves/abstract/modular';
+import { weierstrass } from '@noble/curves/abstract/weierstrass';
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha256';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
+
+const secp256k1 = weierstrass({
+  a: 0n,
+  b: 7n,
+  Fp: Fp(2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n),
+  n: 2n ** 256n - 432420386565659656852420866394968145599n,
+  Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
+  Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
+  hash: sha256,
+  hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)),
+  randomBytes,
+});
+```
+
+- To initialize new curve, you must specify its variables, order (number of points on curve), field prime (over which the modular division would be done)
+- All curves expose same generic interface:
+  - `getPublicKey()`, `sign()`, `verify()` functions
+  - `Point` conforming to `Group` interface with add/multiply/double/negate/add/equals methods
+  - `CURVE` object with curve variables like `Gx`, `Gy`, `Fp` (field), `n` (order)
+  - `utils` object with `randomPrivateKey()`, `mod()`, `invert()` methods (`mod CURVE.P`)
+- All arithmetics is done with JS bigints over finite fields, which is defined from `modular` sub-module
+- Many features require hashing, which is not provided. `@noble/hashes` can be used for this purpose.
   Any other library must conform to the CHash interface:
-    ```ts
-    export type CHash = {
-      (message: Uint8Array): Uint8Array;
-      blockLen: number; outputLen: number; create(): any;
-    };
-    ```
-* w-ary non-adjacent form (wNAF) method with constant-time adjustments is used for point multiplication.
+  ```ts
+  export type CHash = {
+    (message: Uint8Array): Uint8Array;
+    blockLen: number;
+    outputLen: number;
+    create(): any;
+  };
+  ```
+- w-ary non-adjacent form (wNAF) method with constant-time adjustments is used for point multiplication.
   It is possible to enable precomputes for edwards & weierstrass curves.
-  Precomputes are calculated once (takes ~20-40ms), after that most `G` multiplications
-  - for example, `getPublicKey()`, `sign()` and similar methods - would be much faster.
-  Use `curve.utils.precompute()`
-* Special params that tune performance can be optionally provided. For example:
-    * `sqrtMod` square root calculation, used for point decompression
-    * `endo` endomorphism options for Koblitz curves
+  Precomputes are calculated once (takes ~20-40ms), after that most `G` base point multiplications:
+  for example, `getPublicKey()`, `sign()` and similar methods - would be much faster.
+  Use `curve.utils.precompute()` to adjust precomputation window size
+- You could use optional special params to tune performance:
+  - `Fp({sqrt})` square root calculation, used for point decompression
+  - `endo` endomorphism options for Koblitz curves
 
-### edwards: Twisted Edwards curve
+### abstract/edwards: Twisted Edwards curve
 
 Twisted Edwards curve's formula is: ax² + y² = 1 + dx²y².
 
-* You must specify curve params `a`, `d`, field `P`, order `n`, cofactor `h`, and coordinates `Gx`, `Gy` of generator point.
-* For EdDSA signatures, params `hash` is also required. `adjustScalarBytes` which instructs how to change private scalars could be specified.
+- You must specify curve params `a`, `d`, field `Fp`, order `n`, cofactor `h` and coordinates `Gx`, `Gy` of generator point
+- For EdDSA signatures, params `hash` is also required. `adjustScalarBytes` which instructs how to change private scalars could be specified
 
 ```typescript
-import { twistedEdwards } from '@noble/curves/edwards'; // Twisted Edwards curve
+import { twistedEdwards } from '@noble/curves/abstract/edwards';
+import { div } from '@noble/curves/abstract/modular';
 import { sha512 } from '@noble/hashes/sha512';
-import * as mod from '@noble/curves/modular';
 
 const ed25519 = twistedEdwards({
   a: -1n,
-  d: mod.div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
+  d: div(-121665n, 121666n, 2n ** 255n - 19n), // -121665n/121666n
   P: 2n ** 255n - 19n,
   n: 2n ** 252n + 27742317777372353535851937790883648493n,
   h: 8n,
@@ -127,14 +173,19 @@ const ed25519 = twistedEdwards({
   Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
   hash: sha512,
   randomBytes,
-  adjustScalarBytes(bytes) { // optional
+  adjustScalarBytes(bytes) {
+    // optional in general, mandatory in ed25519
     bytes[0] &= 248;
     bytes[31] &= 127;
     bytes[31] |= 64;
     return bytes;
   },
 } as const);
-ed25519.getPublicKey(ed25519.utils.randomPrivateKey());
+const key = ed25519.utils.randomPrivateKey();
+const pub = ed25519.getPublicKey(key);
+const msg = new TextEncoder().encode('hello world'); // strings not accepted, must be Uint8Array
+const sig = ed25519.sign(msg, key);
+ed25519.verify(sig, msg, pub) === true;
 ```
 
 `twistedEdwards()` returns `CurveFn` of following type:
@@ -163,7 +214,7 @@ export type CurveFn = {
 };
 ```
 
-### montgomery: Montgomery curve
+### abstract/montgomery: Montgomery curve
 
 For now the module only contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
 
@@ -172,6 +223,8 @@ Proper Elliptic Curve Points are not implemented yet.
 You must specify curve field, `a24` special variable, `montgomeryBits`, `nByteLength`, and coordinate `u` of generator point.
 
 ```typescript
+import { montgomery } from '@noble/curves/abstract/montgomery';
+
 const x25519 = montgomery({
   P: 2n ** 255n - 19n,
   a24: 121665n, // TODO: change to a
@@ -180,7 +233,9 @@ const x25519 = montgomery({
   Gu: '0900000000000000000000000000000000000000000000000000000000000000',
 
   // Optional params
-  powPminus2: (x: bigint): bigint => { return mod.pow(x, P-2, P); },
+  powPminus2: (x: bigint): bigint => {
+    return mod.pow(x, P - 2, P);
+  },
   adjustScalarBytes(bytes) {
     bytes[0] &= 248;
     bytes[31] &= 127;
@@ -190,27 +245,27 @@ const x25519 = montgomery({
 });
 ```
 
-### weierstrass: Short Weierstrass curve
+### abstract/weierstrass: Short Weierstrass curve
 
 Short Weierstrass curve's formula is: y² = x³ + ax + b. Uses deterministic ECDSA from RFC6979. You can also specify `extraEntropy` in `sign()`.
 
-* You must specify curve params: `a`, `b`; field `P`; curve order `n`; coordinates `Gx`, `Gy` of generator point
-* For ECDSA, you must specify `hash`, `hmac`. It is also possible to recover keys from signatures
-* For ECDH, use `getSharedSecret(privKeyA, pubKeyB)`
-* Optional params are `lowS` (default value), `sqrtMod` (square root chain) and `endo` (endomorphism)
+- You must specify curve params: `a`, `b`, field `Fp`, order `n`, cofactor `h` and coordinates `Gx`, `Gy` of generator point
+- For ECDSA, you must specify `hash`, `hmac`. It is also possible to recover keys from signatures
+- For ECDH, use `getSharedSecret(privKeyA, pubKeyB)`
+- Optional params are `lowS` (default value) and `endo` (endomorphism)
 
 ```typescript
-import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
+import { Fp } from '@noble/curves/abstract/modular';
+import { weierstrass } from '@noble/curves/abstract/weierstrass'; // Short Weierstrass curve
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
 
 const secp256k1 = weierstrass({
-  // Required params
   a: 0n,
   b: 7n,
-  P: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
-  n: 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n,
+  Fp: Fp(2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n),
+  n: 2n ** 256n - 432420386565659656852420866394968145599n,
   Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
   Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
   hash: sha256,
@@ -218,19 +273,15 @@ const secp256k1 = weierstrass({
   randomBytes,
 
   // Optional params
-  // Cofactor
-  h: BigInt(1),
-  // Allow only low-S signatures by default in sign() and verify()
-  lowS: true,
-  // More efficient curve-specific implementation of square root
-  sqrtMod(y: bigint) { return sqrt(y); },
-  // Endomorphism options
+  h: 1n, // Cofactor
+  lowS: true, // Allow only low-S signatures by default in sign() and verify()
   endo: {
+    // Endomorphism options for Koblitz curve
     // Beta param
-    beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+    beta: 0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501een,
     // Split scalar k into k1, k2
     splitScalar: (k: bigint) => {
-      return { k1neg: true, k1: 512n, k2neg: false, k2: 448n };
+      // return { k1neg: true, k1: 512n, k2neg: false, k2: 448n };
     },
   },
 });
@@ -255,14 +306,17 @@ export type CurveFn = {
   getSharedSecret: (privateA: PrivKey, publicB: PubKey, isCompressed?: boolean) => Uint8Array;
   sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
   verify: (
-    signature: Hex | SignatureType, msgHash: Hex, publicKey: PubKey, opts?: {lowS?: boolean;}
+    signature: Hex | SignatureType,
+    msgHash: Hex,
+    publicKey: PubKey,
+    opts?: { lowS?: boolean }
   ) => boolean;
   Point: PointConstructor;
-  JacobianPoint: JacobianPointConstructor;
+  ProjectivePoint: ProjectivePointConstructor;
   Signature: SignatureConstructor;
   utils: {
-    mod: (a: bigint, b?: bigint) => bigint;
-    invert: (number: bigint, modulo?: bigint) => bigint;
+    mod: (a: bigint) => bigint;
+    invert: (number: bigint) => bigint;
     isValidPrivateKey(privateKey: PrivKey): boolean;
     hashToPrivateKey: (hash: Hex) => Uint8Array;
     randomPrivateKey: () => Uint8Array;
@@ -270,23 +324,26 @@ export type CurveFn = {
 };
 ```
 
-### modular
+### abstract/modular
 
 Modular arithmetics utilities.
 
 ```typescript
-import * as mod from '@noble/curves/modular';
-mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
-mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
-mod.div(5n, 17n, 10n); // 5/17 mod 10 == 5 * invert(17) mod 10; division
-mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
-mod.sqrt(21n, 73n); // sqrt(21) mod 73; square root
+import { mod, invert, div, invertBatch, sqrt, Fp } from '@noble/curves/abstract/modular';
+mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
+invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
+div(5n, 17n, 10n); // 5/17 mod 10 == 5 * invert(17) mod 10; division
+invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
+sqrt(21n, 73n); // √21 mod 73; square root
+const fp = Fp(2n ** 255n - 19n); // Finite field over 2^255-19
+fp.mul(591n, 932n);
+fp.pow(481n, 11024858120n);
 ```
 
-### utils
+### abstract/utils
 
 ```typescript
-import * as utils from '@noble/curves/utils';
+import * as utils from '@noble/curves/abstract/utils';
 
 utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.hexToBytes('deadbeef');
@@ -315,59 +372,43 @@ We consider infrastructure attacks like rogue NPM modules very important; that's
 Benchmark results on Apple M2 with node v18.10:
 
 ```
-==== secp256k1 ====
-  - getPublicKey1 (samples: 10000)
-    noble_old x 8,131 ops/sec @ 122μs/op
-    secp256k1 x 7,374 ops/sec @ 135μs/op
-  - getPublicKey255 (samples: 10000)
-    noble_old x 7,894 ops/sec @ 126μs/op
-    secp256k1 x 7,327 ops/sec @ 136μs/op
-  - sign (samples: 5000)
-    noble_old x 5,243 ops/sec @ 190μs/op
-    secp256k1 x 4,834 ops/sec @ 206μs/op
-  - getSharedSecret (samples: 1000)
-    noble_old x 653 ops/sec @ 1ms/op
-    secp256k1 x 634 ops/sec @ 1ms/op
-  - verify (samples: 1000)
-    secp256k1_old x 1,038 ops/sec @ 962μs/op
-    secp256k1 x 1,009 ops/sec @ 990μs/op
-==== ed25519 ====
-  - getPublicKey (samples: 10000)
-    old x 8,632 ops/sec @ 115μs/op
-    noble x 8,390 ops/sec @ 119μs/op
-  - sign (samples: 5000)
-    old x 4,376 ops/sec @ 228μs/op
-    noble x 4,233 ops/sec @ 236μs/op
-  - verify (samples: 1000)
-    old x 865 ops/sec @ 1ms/op
-    noble x 860 ops/sec @ 1ms/op
-==== ed448 ====
-  - getPublicKey (samples: 5000)
-    noble x 3,224 ops/sec @ 310μs/op
-  - sign (samples: 2500)
-    noble x 1,561 ops/sec @ 640μs/op
-  - verify (samples: 500)
-    noble x 313 ops/sec @ 3ms/op
-==== nist ====
-  - getPublicKey (samples: 2500)
-    P256 x 7,993 ops/sec @ 125μs/op
-    P384 x 3,819 ops/sec @ 261μs/op
-    P521 x 2,074 ops/sec @ 481μs/op
-  - sign (samples: 1000)
-    P256 x 5,327 ops/sec @ 187μs/op
-    P384 x 2,728 ops/sec @ 366μs/op
-    P521 x 1,594 ops/sec @ 626μs/op
-  - verify (samples: 250)
-    P256 x 806 ops/sec @ 1ms/op
-    P384 x 353 ops/sec @ 2ms/op
-    P521 x 171 ops/sec @ 5ms/op
+getPublicKey
+  secp256k1 x 5,241 ops/sec @ 190μs/op
+  P256 x 7,993 ops/sec @ 125μs/op
+  P384 x 3,819 ops/sec @ 261μs/op
+  P521 x 2,074 ops/sec @ 481μs/op
+  ed25519 x 8,390 ops/sec @ 119μs/op
+  ed448 x 3,224 ops/sec @ 310μs/op
+sign
+  secp256k1 x 3,934 ops/sec @ 254μs/op
+  P256 x 5,327 ops/sec @ 187μs/op
+  P384 x 2,728 ops/sec @ 366μs/op
+  P521 x 1,594 ops/sec @ 626μs/op
+  ed25519 x 4,233 ops/sec @ 236μs/op
+  ed448 x 1,561 ops/sec @ 640μs/op
+verify
+  secp256k1 x 731 ops/sec @ 1ms/op
+  P256 x 806 ops/sec @ 1ms/op
+  P384 x 353 ops/sec @ 2ms/op
+  P521 x 171 ops/sec @ 5ms/op
+  ed25519 x 860 ops/sec @ 1ms/op
+  ed448 x 313 ops/sec @ 3ms/op
+getSharedSecret
+  secp256k1 x 445 ops/sec @ 2ms/op
+recoverPublicKey
+  secp256k1 x 732 ops/sec @ 1ms/op
+==== bls12-381 ====
+getPublicKey x 817 ops/sec @ 1ms/op
+sign x 50 ops/sec @ 19ms/op
+verify x 34 ops/sec @ 28ms/op
+pairing x 89 ops/sec @ 11ms/op
 ==== stark ====
-  - pedersen (samples: 500)
-    old x 85 ops/sec @ 11ms/op
-    noble x 1,216 ops/sec @ 822μs/op
-  - verify (samples: 500)
-    old x 302 ops/sec @ 3ms/op
-    noble x 698 ops/sec @ 1ms/op
+pedersen
+  old x 85 ops/sec @ 11ms/op
+  noble x 1,216 ops/sec @ 822μs/op
+verify
+  old x 302 ops/sec @ 3ms/op
+  noble x 698 ops/sec @ 1ms/op
 ```
 
 ## Contributing & testing

package/lib/_shortw_utils.d.ts

@@ -0,0 +1,75 @@
+import { randomBytes } from '@noble/hashes/utils';
+import { CurveType } from './abstract/weierstrass.js';
+import { CHash } from './abstract/utils.js';
+export declare function getHash(hash: CHash): {
+    hash: CHash;
+    hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => Uint8Array;
+    randomBytes: typeof randomBytes;
+};
+declare type CurveDef = Readonly<Omit<CurveType, 'hash' | 'hmac' | 'randomBytes'>>;
+export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonly<{
+    create: (hash: CHash) => import("./abstract/weierstrass.js").CurveFn;
+    CURVE: Readonly<{
+        readonly nBitLength: number;
+        readonly nByteLength: number;
+        readonly Fp: import("./abstract/modular.js").Field<bigint>;
+        readonly n: bigint;
+        readonly h: bigint;
+        readonly hEff?: bigint | undefined;
+        readonly Gx: bigint;
+        readonly Gy: bigint;
+        readonly wrapPrivateKey?: boolean | undefined;
+        readonly allowInfinityPoint?: boolean | undefined;
+        readonly a: bigint;
+        readonly b: bigint;
+        readonly normalizePrivateKey?: ((key: import("./abstract/utils.js").PrivKey) => import("./abstract/utils.js").PrivKey) | undefined;
+        readonly endo?: {
+            beta: bigint;
+            splitScalar: (k: bigint) => {
+                k1neg: boolean;
+                k1: bigint;
+                k2neg: boolean;
+                k2: bigint;
+            };
+        } | undefined;
+        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => boolean) | undefined;
+        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => import("./abstract/weierstrass.js").ProjectivePointType<bigint>) | undefined;
+        readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
+        readonly mapToCurve?: ((scalar: bigint[]) => {
+            x: bigint;
+            y: bigint;
+        }) | undefined;
+        lowS: boolean;
+        readonly hash: CHash;
+        readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+        readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+    }>;
+    getPublicKey: (privateKey: import("./abstract/utils.js").PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: import("./abstract/utils.js").PrivKey, publicB: import("./abstract/weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("./abstract/utils.js").Hex, privKey: import("./abstract/utils.js").PrivKey, opts?: {
+        lowS?: boolean | undefined;
+        extraEntropy?: (true | import("./abstract/utils.js").Hex) | undefined;
+    } | undefined) => import("./abstract/weierstrass.js").SignatureType;
+    verify: (signature: import("./abstract/utils.js").Hex | import("./abstract/weierstrass.js").SignatureType, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/weierstrass.js").PubKey, opts?: {
+        lowS?: boolean | undefined;
+    } | undefined) => boolean;
+    Point: import("./abstract/weierstrass.js").PointConstructor<bigint>;
+    ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>;
+    Signature: import("./abstract/weierstrass.js").SignatureConstructor;
+    utils: {
+        mod: (a: bigint, b?: bigint | undefined) => bigint;
+        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
+        _bigintToBytes: (num: bigint) => Uint8Array;
+        _bigintToString: (num: bigint) => string;
+        _normalizePrivateKey: (key: import("./abstract/utils.js").PrivKey) => bigint;
+        _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => import("./abstract/weierstrass.js").PointType<bigint>;
+        _isWithinCurveOrder: (num: bigint) => boolean;
+        _isValidFieldElement: (num: bigint) => boolean;
+        _weierstrassEquation: (x: bigint) => bigint;
+        isValidPrivateKey(privateKey: import("./abstract/utils.js").PrivKey): boolean;
+        hashToPrivateKey: (hash: import("./abstract/utils.js").Hex) => Uint8Array;
+        randomPrivateKey: () => Uint8Array;
+    };
+}>;
+export {};

package/lib/_shortw_utils.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCurve = exports.getHash = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const hmac_1 = require("@noble/hashes/hmac");
+const utils_1 = require("@noble/hashes/utils");
+const weierstrass_js_1 = require("./abstract/weierstrass.js");
+function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => (0, hmac_1.hmac)(hash, key, (0, utils_1.concatBytes)(...msgs)),
+        randomBytes: utils_1.randomBytes,
+    };
+}
+exports.getHash = getHash;
+function createCurve(curveDef, defHash) {
+    const create = (hash) => (0, weierstrass_js_1.weierstrass)({ ...curveDef, ...getHash(hash) });
+    return Object.freeze({ ...create(defHash), create });
+}
+exports.createCurve = createCurve;

package/lib/{bls.d.ts → abstract/bls.d.ts}

@@ -1,7 +1,8 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 import * as utils from './utils.js';
 import { Hex, PrivKey } from './utils.js';
-import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
 import { CurvePointsType, PointType, CurvePointsRes } from './weierstrass.js';
 declare type Fp = bigint;
 export declare type SignatureCoder<Fp2> = {