@noble/curves 0.4.0 → 0.5.0

package/lib/bn.d.ts

@@ -0,0 +1,7 @@
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
+ * https://github.com/zcash/zcash/issues/2502
+ */
+export declare const bn254: import("./abstract/weierstrass.js").CurveFn;

package/lib/bn.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bn254 = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const weierstrass_js_1 = require("./abstract/weierstrass.js");
+const sha256_1 = require("@noble/hashes/sha256");
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
+const modular_js_1 = require("./abstract/modular.js");
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
+ * https://github.com/zcash/zcash/issues/2502
+ */
+exports.bn254 = (0, weierstrass_js_1.weierstrass)({
+    a: BigInt(0),
+    b: BigInt(3),
+    Fp: (0, modular_js_1.Fp)(BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47')),
+    n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+    Gx: BigInt(1),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...(0, _shortw_utils_js_1.getHash)(sha256_1.sha256),
+});

package/lib/ed25519.d.ts

@@ -0,0 +1,48 @@
+import { ExtendedPointType } from './abstract/edwards.js';
+import { Hex } from './abstract/utils.js';
+export declare const ED25519_TORSION_SUBGROUP: string[];
+export declare const ed25519: import("./abstract/edwards.js").CurveFn;
+export declare const ed25519ctx: import("./abstract/edwards.js").CurveFn;
+export declare const ed25519ph: import("./abstract/edwards.js").CurveFn;
+export declare const x25519: import("./abstract/montgomery.js").CurveFn;
+declare type ExtendedPoint = ExtendedPointType;
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+export declare class RistrettoPoint {
+    private readonly ep;
+    static BASE: RistrettoPoint;
+    static ZERO: RistrettoPoint;
+    constructor(ep: ExtendedPoint);
+    /**
+     * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
+     * The hash-to-group operation applies Elligator twice and adds the results.
+     * **Note:** this is one-way map, there is no conversion from point to hash.
+     * https://ristretto.group/formulas/elligator.html
+     * @param hex 64-bit output of a hash function
+     */
+    static hashToCurve(hex: Hex): RistrettoPoint;
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * https://ristretto.group/formulas/decoding.html
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex: Hex): RistrettoPoint;
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * https://ristretto.group/formulas/encoding.html
+     */
+    toRawBytes(): Uint8Array;
+    toHex(): string;
+    toString(): string;
+    equals(other: RistrettoPoint): boolean;
+    add(other: RistrettoPoint): RistrettoPoint;
+    subtract(other: RistrettoPoint): RistrettoPoint;
+    multiply(scalar: number | bigint): RistrettoPoint;
+    multiplyUnsafe(scalar: number | bigint): RistrettoPoint;
+}
+export {};

package/lib/ed25519.js

@@ -0,0 +1,322 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RistrettoPoint = exports.x25519 = exports.ed25519ph = exports.ed25519ctx = exports.ed25519 = exports.ED25519_TORSION_SUBGROUP = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha512_1 = require("@noble/hashes/sha512");
+const utils_1 = require("@noble/hashes/utils");
+const edwards_js_1 = require("./abstract/edwards.js");
+const montgomery_js_1 = require("./abstract/montgomery.js");
+const modular_js_1 = require("./abstract/modular.js");
+const utils_js_1 = require("./abstract/utils.js");
+/**
+ * ed25519 Twisted Edwards curve with following addons:
+ * - X25519 ECDH
+ * - Ristretto cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ */
+const ED25519_P = BigInt('57896044618658097711785492504343953926634992332820282019728792003956564819949');
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const ED25519_SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _5n = BigInt(5);
+// prettier-ignore
+const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+function ed25519_pow_2_252_3(x) {
+    const P = ED25519_P;
+    const x2 = (x * x) % P;
+    const b2 = (x2 * x) % P; // x^3, 11
+    const b4 = ((0, modular_js_1.pow2)(b2, _2n, P) * b2) % P; // x^15, 1111
+    const b5 = ((0, modular_js_1.pow2)(b4, _1n, P) * x) % P; // x^31
+    const b10 = ((0, modular_js_1.pow2)(b5, _5n, P) * b5) % P;
+    const b20 = ((0, modular_js_1.pow2)(b10, _10n, P) * b10) % P;
+    const b40 = ((0, modular_js_1.pow2)(b20, _20n, P) * b20) % P;
+    const b80 = ((0, modular_js_1.pow2)(b40, _40n, P) * b40) % P;
+    const b160 = ((0, modular_js_1.pow2)(b80, _80n, P) * b80) % P;
+    const b240 = ((0, modular_js_1.pow2)(b160, _80n, P) * b80) % P;
+    const b250 = ((0, modular_js_1.pow2)(b240, _10n, P) * b10) % P;
+    const pow_p_5_8 = ((0, modular_js_1.pow2)(b250, _2n, P) * x) % P;
+    // ^ To pow to (p+3)/8, multiply it by x.
+    return { pow_p_5_8, b2 };
+}
+function adjustScalarBytes(bytes) {
+    // Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
+    // set the three least significant bits of the first byte
+    bytes[0] &= 248; // 0b1111_1000
+    // and the most significant bit of the last to zero,
+    bytes[31] &= 127; // 0b0111_1111
+    // set the second most significant bit of the last byte to 1
+    bytes[31] |= 64; // 0b0100_0000
+    return bytes;
+}
+// sqrt(u/v)
+function uvRatio(u, v) {
+    const P = ED25519_P;
+    const v3 = (0, modular_js_1.mod)(v * v * v, P); // v³
+    const v7 = (0, modular_js_1.mod)(v3 * v3 * v, P); // v⁷
+    // (p+3)/8 and (p-5)/8
+    const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+    let x = (0, modular_js_1.mod)(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
+    const vx2 = (0, modular_js_1.mod)(v * x * x, P); // vx²
+    const root1 = x; // First root candidate
+    const root2 = (0, modular_js_1.mod)(x * ED25519_SQRT_M1, P); // Second root candidate
+    const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
+    const useRoot2 = vx2 === (0, modular_js_1.mod)(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
+    const noRoot = vx2 === (0, modular_js_1.mod)(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
+    if (useRoot1)
+        x = root1;
+    if (useRoot2 || noRoot)
+        x = root2; // We return root2 anyway, for const-time
+    if ((0, modular_js_1.isNegativeLE)(x, P))
+        x = (0, modular_js_1.mod)(-x, P);
+    return { isValid: useRoot1 || useRoot2, value: x };
+}
+// Just in case
+exports.ED25519_TORSION_SUBGROUP = [
+    '0100000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+    '0000000000000000000000000000000000000000000000000000000000000080',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+    '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+    '0000000000000000000000000000000000000000000000000000000000000000',
+    'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];
+const Fp = (0, modular_js_1.Fp)(ED25519_P);
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    Fp,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512_1.sha512,
+    randomBytes: utils_1.randomBytes,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+    htfDefaults: {
+        DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+        p: Fp.ORDER,
+        m: 1,
+        k: 128,
+        expand: true,
+        hash: sha512_1.sha512,
+    },
+    mapToCurve: (scalars) => {
+        throw new Error('Not supported yet');
+        // const { x, y } = calcElligatorRistrettoMap(scalars[0]).toAffine();
+        // return { x, y };
+    },
+};
+exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+exports.ed25519ctx = (0, edwards_js_1.twistedEdwards)({ ...ED25519_DEF, domain: ed25519_domain });
+exports.ed25519ph = (0, edwards_js_1.twistedEdwards)({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512_1.sha512,
+});
+exports.x25519 = (0, montgomery_js_1.montgomery)({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return (0, modular_js_1.mod)((0, modular_js_1.pow2)(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
+function assertRstPoint(other) {
+    if (!(other instanceof RistrettoPoint))
+        throw new TypeError('RistrettoPoint expected');
+}
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
+// √(ad - 1)
+const SQRT_AD_MINUS_ONE = BigInt('25063068953384623474111414158702152701244531502492656460079210482610430750235');
+// 1 / √(a-d)
+const INVSQRT_A_MINUS_D = BigInt('54469307008909316920995813868745141605393597292927456921205312896311721017578');
+// 1-d²
+const ONE_MINUS_D_SQ = BigInt('1159843021668779879193775521855586647937357759715417654439879720876111806838');
+// (d-1)²
+const D_MINUS_ONE_SQ = BigInt('40440834346308536858101042469323190826248399146238708352240133220865137265952');
+// Calculates 1/√(number)
+const invertSqrt = (number) => uvRatio(_1n, number);
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const bytes255ToNumberLE = (bytes) => exports.ed25519.utils.mod((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B);
+// Computes Elligator map for Ristretto
+// https://ristretto.group/formulas/elligator.html
+function calcElligatorRistrettoMap(r0) {
+    const { d } = exports.ed25519.CURVE;
+    const P = exports.ed25519.CURVE.Fp.ORDER;
+    const { mod } = exports.ed25519.utils;
+    const r = mod(SQRT_M1 * r0 * r0); // 1
+    const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
+    let c = BigInt(-1); // 3
+    const D = mod((c - d * r) * mod(r + d)); // 4
+    let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
+    let s_ = mod(s * r0); // 6
+    if (!(0, modular_js_1.isNegativeLE)(s_, P))
+        s_ = mod(-s_);
+    if (!Ns_D_is_sq)
+        s = s_; // 7
+    if (!Ns_D_is_sq)
+        c = r; // 8
+    const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
+    const s2 = s * s;
+    const W0 = mod((s + s) * D); // 10
+    const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
+    const W2 = mod(_1n - s2); // 12
+    const W3 = mod(_1n + s2); // 13
+    return new exports.ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+}
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+class RistrettoPoint {
+    // Private property to discourage combining ExtendedPoint + RistrettoPoint
+    // Always use Ristretto encoding/decoding instead.
+    constructor(ep) {
+        this.ep = ep;
+    }
+    /**
+     * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
+     * The hash-to-group operation applies Elligator twice and adds the results.
+     * **Note:** this is one-way map, there is no conversion from point to hash.
+     * https://ristretto.group/formulas/elligator.html
+     * @param hex 64-bit output of a hash function
+     */
+    static hashToCurve(hex) {
+        hex = (0, utils_js_1.ensureBytes)(hex, 64);
+        const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+        const R1 = calcElligatorRistrettoMap(r1);
+        const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+        const R2 = calcElligatorRistrettoMap(r2);
+        return new RistrettoPoint(R1.add(R2));
+    }
+    /**
+     * Converts ristretto-encoded string to ristretto point.
+     * https://ristretto.group/formulas/decoding.html
+     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     */
+    static fromHex(hex) {
+        hex = (0, utils_js_1.ensureBytes)(hex, 32);
+        const { a, d } = exports.ed25519.CURVE;
+        const P = exports.ed25519.CURVE.Fp.ORDER;
+        const { mod } = exports.ed25519.utils;
+        const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+        const s = bytes255ToNumberLE(hex);
+        // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+        // 3. Check that s is non-negative, or else abort
+        if (!(0, utils_js_1.equalBytes)((0, utils_js_1.numberToBytesLE)(s, 32), hex) || (0, modular_js_1.isNegativeLE)(s, P))
+            throw new Error(emsg);
+        const s2 = mod(s * s);
+        const u1 = mod(_1n + a * s2); // 4 (a is -1)
+        const u2 = mod(_1n - a * s2); // 5
+        const u1_2 = mod(u1 * u1);
+        const u2_2 = mod(u2 * u2);
+        const v = mod(a * d * u1_2 - u2_2); // 6
+        const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
+        const Dx = mod(I * u2); // 8
+        const Dy = mod(I * Dx * v); // 9
+        let x = mod((s + s) * Dx); // 10
+        if ((0, modular_js_1.isNegativeLE)(x, P))
+            x = mod(-x); // 10
+        const y = mod(u1 * Dy); // 11
+        const t = mod(x * y); // 12
+        if (!isValid || (0, modular_js_1.isNegativeLE)(t, P) || y === _0n)
+            throw new Error(emsg);
+        return new RistrettoPoint(new exports.ed25519.ExtendedPoint(x, y, _1n, t));
+    }
+    /**
+     * Encodes ristretto point to Uint8Array.
+     * https://ristretto.group/formulas/encoding.html
+     */
+    toRawBytes() {
+        let { x, y, z, t } = this.ep;
+        const P = exports.ed25519.CURVE.Fp.ORDER;
+        const { mod } = exports.ed25519.utils;
+        const u1 = mod(mod(z + y) * mod(z - y)); // 1
+        const u2 = mod(x * y); // 2
+        // Square root always exists
+        const u2sq = mod(u2 * u2);
+        const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
+        const D1 = mod(invsqrt * u1); // 4
+        const D2 = mod(invsqrt * u2); // 5
+        const zInv = mod(D1 * D2 * t); // 6
+        let D; // 7
+        if ((0, modular_js_1.isNegativeLE)(t * zInv, P)) {
+            let _x = mod(y * SQRT_M1);
+            let _y = mod(x * SQRT_M1);
+            x = _x;
+            y = _y;
+            D = mod(D1 * INVSQRT_A_MINUS_D);
+        }
+        else {
+            D = D2; // 8
+        }
+        if ((0, modular_js_1.isNegativeLE)(x * zInv, P))
+            y = mod(-y); // 9
+        let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
+        if ((0, modular_js_1.isNegativeLE)(s, P))
+            s = mod(-s);
+        return (0, utils_js_1.numberToBytesLE)(s, 32); // 11
+    }
+    toHex() {
+        return (0, utils_js_1.bytesToHex)(this.toRawBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    // Compare one point to another.
+    equals(other) {
+        assertRstPoint(other);
+        const a = this.ep;
+        const b = other.ep;
+        const { mod } = exports.ed25519.utils;
+        // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
+        const one = mod(a.x * b.y) === mod(a.y * b.x);
+        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        return one || two;
+    }
+    add(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        assertRstPoint(other);
+        return new RistrettoPoint(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return new RistrettoPoint(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
+    }
+}
+exports.RistrettoPoint = RistrettoPoint;
+RistrettoPoint.BASE = new RistrettoPoint(exports.ed25519.ExtendedPoint.BASE);
+RistrettoPoint.ZERO = new RistrettoPoint(exports.ed25519.ExtendedPoint.ZERO);

package/lib/ed448.d.ts

@@ -0,0 +1,3 @@
+export declare const ed448: import("./abstract/edwards.js").CurveFn;
+export declare const ed448ph: import("./abstract/edwards.js").CurveFn;
+export declare const x448: import("./abstract/montgomery.js").CurveFn;

package/lib/ed448.js

@@ -0,0 +1,128 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.x448 = exports.ed448ph = exports.ed448 = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+const sha3_1 = require("@noble/hashes/sha3");
+const utils_1 = require("@noble/hashes/utils");
+const edwards_js_1 = require("./abstract/edwards.js");
+const modular_js_1 = require("./abstract/modular.js");
+const montgomery_js_1 = require("./abstract/montgomery.js");
+/**
+ * Edwards448 (not Ed448-Goldilocks) curve with following addons:
+ * * X448 ECDH
+ * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
+ */
+const shake256_114 = (0, utils_1.wrapConstructor)(() => sha3_1.shake256.create({ dkLen: 114 }));
+const shake256_64 = (0, utils_1.wrapConstructor)(() => sha3_1.shake256.create({ dkLen: 64 }));
+const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
+// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
+// Used for efficient square root calculation.
+// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
+function ed448_pow_Pminus3div4(x) {
+    const P = ed448P;
+    // prettier-ignore
+    const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _11n = BigInt(11);
+    // prettier-ignore
+    const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
+    const b2 = (x * x * x) % P;
+    const b3 = (b2 * b2 * x) % P;
+    const b6 = ((0, modular_js_1.pow2)(b3, _3n, P) * b3) % P;
+    const b9 = ((0, modular_js_1.pow2)(b6, _3n, P) * b3) % P;
+    const b11 = ((0, modular_js_1.pow2)(b9, _2n, P) * b2) % P;
+    const b22 = ((0, modular_js_1.pow2)(b11, _11n, P) * b11) % P;
+    const b44 = ((0, modular_js_1.pow2)(b22, _22n, P) * b22) % P;
+    const b88 = ((0, modular_js_1.pow2)(b44, _44n, P) * b44) % P;
+    const b176 = ((0, modular_js_1.pow2)(b88, _88n, P) * b88) % P;
+    const b220 = ((0, modular_js_1.pow2)(b176, _44n, P) * b44) % P;
+    const b222 = ((0, modular_js_1.pow2)(b220, _2n, P) * b2) % P;
+    const b223 = ((0, modular_js_1.pow2)(b222, _1n, P) * x) % P;
+    return ((0, modular_js_1.pow2)(b223, _223n, P) * b222) % P;
+}
+function adjustScalarBytes(bytes) {
+    // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
+    // significant bit of the last byte to 1.
+    bytes[0] &= 252; // 0b11111100
+    // and the most significant bit of the last byte to 1.
+    bytes[55] |= 128; // 0b10000000
+    // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
+    bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
+    return bytes;
+}
+const ED448_DEF = {
+    // Param: a
+    a: BigInt(1),
+    // -39081. Negative number is P - number
+    d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
+    Fp: (0, modular_js_1.Fp)(ed448P, 456),
+    // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
+    nBitLength: 456,
+    // Cofactor
+    h: BigInt(4),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
+    Gy: BigInt('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
+    // SHAKE256(dom4(phflag,context)||x, 114)
+    hash: shake256_114,
+    randomBytes: utils_1.randomBytes,
+    adjustScalarBytes,
+    // dom4
+    domain: (data, ctx, phflag) => {
+        if (ctx.length > 255)
+            throw new Error(`Context is too big: ${ctx.length}`);
+        return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+    },
+    // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
+    // Uses algo from RFC8032 5.1.3.
+    uvRatio: (u, v) => {
+        const P = ed448P;
+        // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
+        // To compute the square root of (u/v), the first step is to compute the
+        //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
+        // following trick, to use a single modular powering for both the
+        // inversion of v and the square root:
+        // x = (u/v)^((p+1)/4)   = u³v(u⁵v³)^((p-3)/4)   (mod p)
+        const u2v = (0, modular_js_1.mod)(u * u * v, P); // u²v
+        const u3v = (0, modular_js_1.mod)(u2v * u, P); // u³v
+        const u5v3 = (0, modular_js_1.mod)(u3v * u2v * v, P); // u⁵v³
+        const root = ed448_pow_Pminus3div4(u5v3);
+        const x = (0, modular_js_1.mod)(u3v * root, P);
+        // Verify that root is exists
+        const x2 = (0, modular_js_1.mod)(x * x, P); // x²
+        // If vx² = u, the recovered x-coordinate is x.  Otherwise, no
+        // square root exists, and the decoding fails.
+        return { isValid: (0, modular_js_1.mod)(x2 * v, P) === u, value: x };
+    },
+};
+exports.ed448 = (0, edwards_js_1.twistedEdwards)(ED448_DEF);
+// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+exports.ed448ph = (0, edwards_js_1.twistedEdwards)({ ...ED448_DEF, preHash: shake256_64 });
+exports.x448 = (0, montgomery_js_1.montgomery)({
+    a24: BigInt(39081),
+    montgomeryBits: 448,
+    nByteLength: 57,
+    P: ed448P,
+    Gu: '0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ed448P;
+        const Pminus3div4 = ed448_pow_Pminus3div4(x);
+        const Pminus3 = (0, modular_js_1.pow2)(Pminus3div4, BigInt(2), P);
+        return (0, modular_js_1.mod)(Pminus3 * x, P); // Pminus3 * x = Pminus2
+    },
+    adjustScalarBytes,
+    // The 4-isogeny maps between the Montgomery curve and this Edwards
+    // curve are:
+    //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
+    //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
+    //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
+    //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
+    // xyToU: (p: PointType) => {
+    //   const P = ed448P;
+    //   const { x, y } = p;
+    //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
+    //   const invX = invert(x * x, P); // x^2
+    //   const u = mod(y * y * invX, P); // (y^2/x^2)
+    //   return numberToBytesLE(u, 56);
+    // },
+});

package/lib/esm/_shortw_utils.js

@@ -0,0 +1,15 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
+import { weierstrass } from './abstract/weierstrass.js';
+export function getHash(hash) {
+    return {
+        hash,
+        hmac: (key, ...msgs) => hmac(hash, key, concatBytes(...msgs)),
+        randomBytes,
+    };
+}
+export function createCurve(curveDef, defHash) {
+    const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
+    return Object.freeze({ ...create(defHash), create });
+}

package/lib/esm/{bls.js → abstract/bls.js}

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
 // NOTE: only 12 supported for now
 // Constructed from pair of weierstrass curves, based pairing logic
@@ -5,7 +6,7 @@ import * as mod from './modular.js';
 import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from './utils.js';
 // Types
 import { hexToBytes, bytesToHex } from './utils.js';
-import { stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
 import { weierstrassPoints } from './weierstrass.js';
 export function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
@@ -27,33 +28,33 @@ export function bls(CURVE) {
             // Double
             let t0 = Fp2.square(Ry); // Ry²
             let t1 = Fp2.square(Rz); // Rz²
-            let t2 = Fp2.multiplyByB(Fp2.multiply(t1, 3n)); // 3 * T1 * B
-            let t3 = Fp2.multiply(t2, 3n); // 3 * T2
-            let t4 = Fp2.subtract(Fp2.subtract(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
+            let t3 = Fp2.mul(t2, 3n); // 3 * T2
+            let t4 = Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
             ell_coeff.push([
-                Fp2.subtract(t2, t0),
-                Fp2.multiply(Fp2.square(Rx), 3n),
+                Fp2.sub(t2, t0),
+                Fp2.mul(Fp2.square(Rx), 3n),
                 Fp2.negate(t4), // -T4
             ]);
-            Rx = Fp2.div(Fp2.multiply(Fp2.multiply(Fp2.subtract(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
-            Ry = Fp2.subtract(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.multiply(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
-            Rz = Fp2.multiply(t0, t4); // T0 * T4
+            Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+            Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Rz = Fp2.mul(t0, t4); // T0 * T4
             if (bitGet(CURVE.x, i)) {
                 // Addition
-                let t0 = Fp2.subtract(Ry, Fp2.multiply(Qy, Rz)); // Ry - Qy * Rz
-                let t1 = Fp2.subtract(Rx, Fp2.multiply(Qx, Rz)); // Rx - Qx * Rz
+                let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
+                let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
                 ell_coeff.push([
-                    Fp2.subtract(Fp2.multiply(t0, Qx), Fp2.multiply(t1, Qy)),
+                    Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)),
                     Fp2.negate(t0),
                     t1, // T1
                 ]);
                 let t2 = Fp2.square(t1); // T1²
-                let t3 = Fp2.multiply(t2, t1); // T2 * T1
-                let t4 = Fp2.multiply(t2, Rx); // T2 * Rx
-                let t5 = Fp2.add(Fp2.subtract(t3, Fp2.multiply(t4, 2n)), Fp2.multiply(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
-                Rx = Fp2.multiply(t1, t5); // T1 * T5
-                Ry = Fp2.subtract(Fp2.multiply(Fp2.subtract(t4, t5), t0), Fp2.multiply(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
-                Rz = Fp2.multiply(Rz, t3); // Rz * T3
+                let t3 = Fp2.mul(t2, t1); // T2 * T1
+                let t4 = Fp2.mul(t2, Rx); // T2 * Rx
+                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                Rx = Fp2.mul(t1, t5); // T1 * T5
+                Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+                Rz = Fp2.mul(Rz, t3); // Rz * T3
             }
         }
         return ell_coeff;
@@ -64,11 +65,11 @@ export function bls(CURVE) {
         let f12 = Fp12.ONE;
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
-            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.multiply(E[1], Px), Fp2.multiply(E[2], Py));
+            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
             if (bitGet(CURVE.x, i)) {
                 j += 1;
                 const F = ell[j];
-                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.multiply(F[1], Px), Fp2.multiply(F[2], Py));
+                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
             }
             if (i !== 0)
                 f12 = Fp12.square(f12);
@@ -217,7 +218,7 @@ export function bls(CURVE) {
         // and do one exp after multiplying 2 points.
         const ePHm = pairing(P.negate(), Hm, false);
         const eGS = pairing(G, S, false);
-        const exp = Fp12.finalExponentiate(Fp12.multiply(eGS, ePHm));
+        const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
         return Fp12.equals(exp, Fp12.ONE);
     }
     function aggregatePublicKeys(publicKeys) {
@@ -225,7 +226,7 @@ export function bls(CURVE) {
             throw new Error('Expected non-empty array');
         const agg = publicKeys
             .map(normP1)
-            .reduce((sum, p) => sum.add(G1.JacobianPoint.fromAffine(p)), G1.JacobianPoint.ZERO);
+            .reduce((sum, p) => sum.add(G1.ProjectivePoint.fromAffine(p)), G1.ProjectivePoint.ZERO);
         const aggAffine = agg.toAffine();
         if (publicKeys[0] instanceof G1.Point) {
             aggAffine.assertValidity();
@@ -239,7 +240,7 @@ export function bls(CURVE) {
             throw new Error('Expected non-empty array');
         const agg = signatures
             .map(normP2)
-            .reduce((sum, s) => sum.add(G2.JacobianPoint.fromAffine(s)), G2.JacobianPoint.ZERO);
+            .reduce((sum, s) => sum.add(G2.ProjectivePoint.fromAffine(s)), G2.ProjectivePoint.ZERO);
         const aggAffine = agg.toAffine();
         if (signatures[0] instanceof G2.Point) {
             aggAffine.assertValidity();
@@ -266,7 +267,7 @@ export function bls(CURVE) {
                 paired.push(pairing(groupPublicKey, message, false));
             }
             paired.push(pairing(G1.Point.BASE.negate(), sig, false));
-            const product = paired.reduce((a, b) => Fp12.multiply(a, b), Fp12.ONE);
+            const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
             const exp = Fp12.finalExponentiate(product);
             return Fp12.equals(exp, Fp12.ONE);
         }