@noble/curves 0.5.1 → 0.6.0

package/lib/esm/ed25519.js

@@ -5,6 +5,7 @@ import { twistedEdwards } from './abstract/edwards.js';
 import { montgomery } from './abstract/montgomery.js';
 import { mod, pow2, isNegativeLE, Fp as Field, FpSqrtEven } from './abstract/modular.js';
 import { ensureBytes, equalBytes, bytesToHex, bytesToNumberLE, numberToBytesLE, } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * ed25519 Twisted Edwards curve with following addons:
  * - X25519 ECDH
@@ -79,57 +80,107 @@ export const ED25519_TORSION_SUBGROUP = [
     'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
 const Fp = Field(ED25519_P, undefined, true);
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    Fp,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512,
+    randomBytes,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+};
+export const ed25519 = twistedEdwards(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
+export const ed25519ph = twistedEdwards({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512,
+});
+export const x25519 = montgomery({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart
 const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
 const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
-const ELL2_C3 = Fp.sqrt(Fp.negate(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C3 = Fp.sqrt(Fp.neg(Fp.ONE)); // 3. c3 = sqrt(-1)
 const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
 const ELL2_J = BigInt(486662);
 // prettier-ignore
 function map_to_curve_elligator2_curve25519(u) {
-    let tv1 = Fp.square(u); //  1.  tv1 = u^2
+    let tv1 = Fp.sqr(u); //  1.  tv1 = u^2
     tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
     let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
-    let x1n = Fp.negate(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
-    let tv2 = Fp.square(xd); //  5.  tv2 = xd^2
+    let x1n = Fp.neg(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.sqr(xd); //  5.  tv2 = xd^2
     let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
     let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
     gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
     gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
     gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); //  11. tv3 = gxd^2
-    tv2 = Fp.square(tv3); //  12. tv2 = tv3^2           # gxd^4
+    let tv3 = Fp.sqr(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.sqr(tv3); //  12. tv2 = tv3^2           # gxd^4
     tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
     tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
     tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
     let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
     y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
     let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
-    tv2 = Fp.square(y11); //  19. tv2 = y11^2
+    tv2 = Fp.sqr(y11); //  19. tv2 = y11^2
     tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
-    let e1 = Fp.equals(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
     let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
     let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
     let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
     y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
     let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
     let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
-    tv2 = Fp.square(y21); //  28. tv2 = y21^2
+    tv2 = Fp.sqr(y21); //  28. tv2 = y21^2
     tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
     let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
-    tv2 = Fp.square(y1); //  32. tv2 = y1^2
+    tv2 = Fp.sqr(y1); //  32. tv2 = y1^2
     tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
-    let e3 = Fp.equals(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
     let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
     let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
     let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
     return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
 }
-const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.negate(BigInt(486664))); // sgn0(c1) MUST equal 0
+const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
 function map_to_curve_elligator2_edwards25519(u) {
     const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
     let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
@@ -138,7 +189,7 @@ function map_to_curve_elligator2_edwards25519(u) {
     let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
     let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
     let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
-    let e = Fp.equals(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
     xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
     xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
     yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
@@ -146,68 +197,19 @@ function map_to_curve_elligator2_edwards25519(u) {
     const inv = Fp.invertBatch([xd, yd]); // batch division
     return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
 }
-const ED25519_DEF = {
-    // Param: a
-    a: BigInt(-1),
-    // Equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
-    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
-    Fp,
-    // Subgroup order: how many points ed25519 has
-    // 2n ** 252n + 27742317777372353535851937790883648493n;
-    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
-    h: BigInt(8),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
-    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(ed25519.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
+    DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+    encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
     hash: sha512,
-    randomBytes,
-    adjustScalarBytes,
-    // dom2
-    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
-    // Constant-time, u/√v
-    uvRatio,
-    htfDefaults: {
-        DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha512,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]),
-};
-export const ed25519 = twistedEdwards(ED25519_DEF);
-function ed25519_domain(data, ctx, phflag) {
-    if (ctx.length > 255)
-        throw new Error('Context is too big');
-    return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
-}
-export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
-export const ed25519ph = twistedEdwards({
-    ...ED25519_DEF,
-    domain: ed25519_domain,
-    preHash: sha512,
-});
-export const x25519 = montgomery({
-    P: ED25519_P,
-    a24: BigInt('121665'),
-    montgomeryBits: 255,
-    nByteLength: 32,
-    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
-    powPminus2: (x) => {
-        const P = ED25519_P;
-        // x^(p-2) aka x^(2^255-21)
-        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
-        return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
-    },
-    adjustScalarBytes,
 });
+export { hashToCurve, encodeToCurve };
 function assertRstPoint(other) {
     if (!(other instanceof RistrettoPoint))
-        throw new TypeError('RistrettoPoint expected');
+        throw new Error('RistrettoPoint expected');
 }
 // √(-1) aka √(a) aka 2^((p-1)/4)
 const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
@@ -222,13 +224,13 @@ const D_MINUS_ONE_SQ = BigInt('4044083434630853685810104246932319082624839914623
 // Calculates 1/√(number)
 const invertSqrt = (number) => uvRatio(_1n, number);
 const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const bytes255ToNumberLE = (bytes) => ed25519.utils.mod(bytesToNumberLE(bytes) & MAX_255B);
+const bytes255ToNumberLE = (bytes) => ed25519.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
 // Computes Elligator map for Ristretto
 // https://ristretto.group/formulas/elligator.html
 function calcElligatorRistrettoMap(r0) {
     const { d } = ed25519.CURVE;
     const P = ed25519.CURVE.Fp.ORDER;
-    const { mod } = ed25519.utils;
+    const mod = ed25519.CURVE.Fp.create;
     const r = mod(SQRT_M1 * r0 * r0); // 1
     const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
     let c = BigInt(-1); // 3
@@ -286,7 +288,7 @@ export class RistrettoPoint {
         hex = ensureBytes(hex, 32);
         const { a, d } = ed25519.CURVE;
         const P = ed25519.CURVE.Fp.ORDER;
-        const { mod } = ed25519.utils;
+        const mod = ed25519.CURVE.Fp.create;
         const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
         const s = bytes255ToNumberLE(hex);
         // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
@@ -316,9 +318,9 @@ export class RistrettoPoint {
      * https://ristretto.group/formulas/encoding.html
      */
     toRawBytes() {
-        let { x, y, z, t } = this.ep;
+        let { ex: x, ey: y, ez: z, et: t } = this.ep;
         const P = ed25519.CURVE.Fp.ORDER;
-        const { mod } = ed25519.utils;
+        const mod = ed25519.CURVE.Fp.create;
         const u1 = mod(mod(z + y) * mod(z - y)); // 1
         const u2 = mod(x * y); // 2
         // Square root always exists
@@ -354,12 +356,12 @@ export class RistrettoPoint {
     // Compare one point to another.
     equals(other) {
         assertRstPoint(other);
-        const a = this.ep;
-        const b = other.ep;
-        const { mod } = ed25519.utils;
+        const { ex: X1, ey: Y1 } = this.ep;
+        const { ex: X2, ey: Y2 } = this.ep;
+        const mod = ed25519.CURVE.Fp.create;
         // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
-        const one = mod(a.x * b.y) === mod(a.y * b.x);
-        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        const one = mod(X1 * Y2) === mod(Y1 * X2);
+        const two = mod(Y1 * Y2) === mod(X1 * X2);
         return one || two;
     }
     add(other) {

package/lib/esm/ed448.js

@@ -4,6 +4,7 @@ import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/h
 import { twistedEdwards } from './abstract/edwards.js';
 import { mod, pow2, Fp as Field } from './abstract/modular.js';
 import { montgomery } from './abstract/montgomery.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * * X448 ECDH
@@ -46,79 +47,6 @@ function adjustScalarBytes(bytes) {
     return bytes;
 }
 const Fp = Field(ed448P, 456, true);
-// Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
-function map_to_curve_elligator2_curve448(u) {
-    let tv1 = Fp.square(u); // 1.  tv1 = u^2
-    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
-    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
-    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
-    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
-    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
-    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
-    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
-    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
-    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
-    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
-    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
-    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
-    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
-    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
-    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
-    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
-    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
-    tv2 = Fp.square(y1); // 20. tv2 = y1^2
-    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
-    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
-    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
-    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
-    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
-}
-function map_to_curve_elligator2_edwards448(u) {
-    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
-    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
-    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
-    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
-    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
-    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
-    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
-    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
-    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
-    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
-    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
-    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
-    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
-    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
-    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
-    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
-    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
-    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
-    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
-    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
-    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
-    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
-    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
-    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
-    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
-    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
-    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
-    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
-    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
-    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
-    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
-    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
-    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
-    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
-    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
-    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
-    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
-    const inv = Fp.invertBatch([xEd, yEd]); // batch division
-    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
-}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
@@ -126,7 +54,8 @@ const ED448_DEF = {
     d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
     // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
     Fp,
-    // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    // Subgroup order: how many points curve has;
+    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
     n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
     nBitLength: 456,
     // Cofactor
@@ -165,15 +94,6 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: mod(x2 * v, P) === u, value: x };
     },
-    htfDefaults: {
-        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 224,
-        expand: 'xof',
-        hash: shake256,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
@@ -206,3 +126,86 @@ export const x448 = montgomery({
     //   return numberToBytesLE(u, 56);
     // },
 });
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: shake256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/jubjub.js

@@ -1,5 +1,5 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
 import { twistedEdwards } from './abstract/edwards.js';
 import { blake2s } from '@noble/hashes/blake2s';
@@ -7,22 +7,23 @@ import { Fp } from './abstract/modular.js';
 /**
  * jubjub Twisted Edwards curve.
  * https://neuromancer.sk/std/other/JubJub
+ * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
  */
 export const jubjub = twistedEdwards({
     // Params: a, d
     a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
     d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
     // Finite field 𝔽p over which we'll do calculations
+    // Same value as bls12-381 Fr (not Fp)
     Fp: Fp(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
-    // Subgroup order: how many points ed25519 has
-    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    // Subgroup order: how many points curve has
     n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
     // Cofactor
     h: BigInt(8),
     // Base point (x, y) aka generator point
     Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
     Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
-    hash: sha256,
+    hash: sha512,
     randomBytes,
 });
 const GH_FIRST_BLOCK = utf8ToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
@@ -32,7 +33,7 @@ export function groupHash(tag, personalization) {
     h.update(GH_FIRST_BLOCK);
     h.update(tag);
     // NOTE: returns ExtendedPoint, in case it will be multiplied later
-    let p = jubjub.ExtendedPoint.fromAffine(jubjub.Point.fromHex(h.digest()));
+    let p = jubjub.ExtendedPoint.fromHex(h.digest());
     // NOTE: cannot replace with isSmallOrder, returns Point*8
     p = p.multiply(jubjub.CURVE.h);
     if (p.equals(jubjub.ExtendedPoint.ZERO))

package/lib/esm/p256.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
@@ -26,14 +27,15 @@ export const P256 = createCurve({
     Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P256_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256,
-    },
 }, sha256);
 export const secp256r1 = P256;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p384.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
@@ -31,14 +32,15 @@ export const P384 = createCurve({
     Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P384_XMD:SHA-384_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 192,
-        expand: 'xmd',
-        hash: sha384,
-    },
 }, sha384);
 export const secp384r1 = P384;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p521.js

@@ -4,6 +4,7 @@ import { sha512 } from '@noble/hashes/sha512';
 import { bytesToHex } from './abstract/utils.js';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
@@ -32,8 +33,7 @@ export const P521 = createCurve({
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
     h: BigInt(1),
     lowS: false,
-    // P521 keys could be 130, 131, 132 bytes - which doesn't play nicely.
-    // We ensure all keys are 132 bytes.
+    // P521 keys could be 130, 131, 132 bytes. We normalize to 132 bytes.
     // Does not replace validation; invalid keys would still be rejected.
     normalizePrivateKey(key) {
         if (typeof key === 'bigint')
@@ -43,16 +43,17 @@ export const P521 = createCurve({
         if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
             throw new Error('Invalid key');
         }
-        return key.padStart(66 * 2, '0');
-    },
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P521_XMD:SHA-512_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 256,
-        expand: 'xmd',
-        hash: sha512,
+        return key.padStart(66 * 2, '0'); // ensure it's always 132 bytes
     },
 }, sha512);
 export const secp521r1 = P521;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+});
+export { hashToCurve, encodeToCurve };