@noble/curves 0.5.1 → 0.6.0

package/lib/abstract/hash-to-curve.d.ts

@@ -1,15 +1,17 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { CHash } from './utils.js';
-import * as mod from './modular.js';
-export declare type htfOpts = {
+import type { Group, GroupConstructor, AffinePoint } from './curve.js';
+import { Field } from './modular.js';
+import { CHash, Hex } from './utils.js';
+export declare type Opts = {
     DST: string;
+    encodeDST: string;
     p: bigint;
     m: number;
     k: number;
     expand?: 'xmd' | 'xof';
     hash: CHash;
 };
-export declare function validateHTFOpts(opts: htfOpts): void;
+export declare function validateOpts(opts: Opts): void;
 export declare function stringToBytes(str: string): Uint8Array;
 export declare function expand_message_xmd(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash): Uint8Array;
 export declare function expand_message_xof(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash): Uint8Array;
@@ -21,8 +23,25 @@ export declare function expand_message_xof(msg: Uint8Array, DST: Uint8Array, len
  * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
  * @returns [u_0, ..., u_(count - 1)], a list of field elements.
  */
-export declare function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
-export declare function isogenyMap<T, F extends mod.Field<T>>(field: F, map: [T[], T[], T[], T[]]): (x: T, y: T) => {
+export declare function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
+export declare function isogenyMap<T, F extends Field<T>>(field: F, map: [T[], T[], T[], T[]]): (x: T, y: T) => {
     x: T;
     y: T;
 };
+export interface H2CPoint<T> extends Group<H2CPoint<T>> {
+    add(rhs: H2CPoint<T>): H2CPoint<T>;
+    toAffine(iz?: bigint): AffinePoint<T>;
+    clearCofactor(): H2CPoint<T>;
+    assertValidity(): void;
+}
+export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
+    fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
+}
+export declare type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
+export declare type htfBasicOpts = {
+    DST: string;
+};
+export declare function hashToCurve<T>(Point: H2CPointConstructor<T>, mapToCurve: MapToCurve<T>, def: Opts): {
+    hashToCurve(msg: Hex, options?: htfBasicOpts): H2CPoint<T>;
+    encodeToCurve(msg: Hex, options?: htfBasicOpts): H2CPoint<T>;
+};

package/lib/abstract/hash-to-curve.js

@@ -1,10 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = exports.stringToBytes = exports.validateHTFOpts = void 0;
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+exports.hashToCurve = exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = exports.stringToBytes = exports.validateOpts = void 0;
+const modular_js_1 = require("./modular.js");
 const utils_js_1 = require("./utils.js");
-const mod = require("./modular.js");
-function validateHTFOpts(opts) {
+function validateOpts(opts) {
     if (typeof opts.DST !== 'string')
         throw new Error('Invalid htf/DST');
     if (typeof opts.p !== 'bigint')
@@ -18,14 +17,12 @@ function validateHTFOpts(opts) {
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
 }
-exports.validateHTFOpts = validateHTFOpts;
-// UTF8 to ui8a
-// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
+exports.validateOpts = validateOpts;
 function stringToBytes(str) {
-    const bytes = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; i++)
-        bytes[i] = str.charCodeAt(i);
-    return bytes;
+    if (typeof str !== 'string') {
+        throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
+    }
+    return new TextEncoder().encode(str);
 }
 exports.stringToBytes = stringToBytes;
 // Octet Stream to Integer (bytesToNumberBE)
@@ -127,7 +124,7 @@ function hash_to_field(msg, count, options) {
         for (let j = 0; j < options.m; j++) {
             const elm_offset = L * (j + i * options.m);
             const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
-            e[j] = mod.mod(os2ip(tv), options.p);
+            e[j] = (0, modular_js_1.mod)(os2ip(tv), options.p);
         }
         u[i] = e;
     }
@@ -145,3 +142,34 @@ function isogenyMap(field, map) {
     };
 }
 exports.isogenyMap = isogenyMap;
+function hashToCurve(Point, mapToCurve, def) {
+    validateOpts(def);
+    if (typeof mapToCurve !== 'function')
+        throw new Error('hashToCurve: mapToCurve() has not been defined');
+    return {
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        hashToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0]))
+                .add(Point.fromAffine(mapToCurve(u[1])))
+                .clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        encodeToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+    };
+}
+exports.hashToCurve = hashToCurve;

package/lib/abstract/modular.d.ts

@@ -20,12 +20,12 @@ export interface Field<T> {
     ONE: T;
     create: (num: T) => T;
     isValid: (num: T) => boolean;
-    isZero: (num: T) => boolean;
-    negate(num: T): T;
-    invert(num: T): T;
+    is0: (num: T) => boolean;
+    neg(num: T): T;
+    inv(num: T): T;
     sqrt(num: T): T;
-    square(num: T): T;
-    equals(lhs: T, rhs: T): boolean;
+    sqr(num: T): T;
+    eql(lhs: T, rhs: T): boolean;
     add(lhs: T, rhs: T): T;
     sub(lhs: T, rhs: T): T;
     mul(lhs: T, rhs: T | bigint): T;
@@ -34,9 +34,8 @@ export interface Field<T> {
     addN(lhs: T, rhs: T): T;
     subN(lhs: T, rhs: T): T;
     mulN(lhs: T, rhs: T | bigint): T;
-    squareN(num: T): T;
+    sqrN(num: T): T;
     isOdd?(num: T): boolean;
-    legendre?(num: T): T;
     pow(lhs: T, power: bigint): T;
     invertBatch: (lst: T[]) => T[];
     toBytes(num: T): Uint8Array;
@@ -48,8 +47,22 @@ export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;
 export declare function FpIsSquare<T>(f: Field<T>): (x: T) => boolean;
+export declare function nLength(n: bigint, nBitLength?: number): {
+    nBitLength: number;
+    nByteLength: number;
+};
 declare type FpField = Field<bigint> & Required<Pick<Field<bigint>, 'isOdd'>>;
 export declare function Fp(ORDER: bigint, bitLen?: number, isLE?: boolean, redef?: Partial<Field<bigint>>): Readonly<FpField>;
 export declare function FpSqrtOdd<T>(Fp: Field<T>, elm: T): T;
 export declare function FpSqrtEven<T>(Fp: Field<T>, elm: T): T;
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+export declare function hashToPrivateScalar(hash: string | Uint8Array, groupOrder: bigint, isLE?: boolean): bigint;
 export {};

package/lib/abstract/modular.js

@@ -1,10 +1,9 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FpSqrtEven = exports.FpSqrtOdd = exports.Fp = exports.FpIsSquare = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.FpSqrt = exports.tonelliShanks = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
+exports.hashToPrivateScalar = exports.FpSqrtEven = exports.FpSqrtOdd = exports.Fp = exports.nLength = exports.FpIsSquare = exports.FpDiv = exports.FpInvertBatch = exports.FpPow = exports.validateField = exports.isNegativeLE = exports.FpSqrt = exports.tonelliShanks = exports.invert = exports.pow2 = exports.pow = exports.mod = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: remove circular imports
-const utils = require("./utils.js");
 // Utilities for modular arithmetics and finite fields
+const utils_js_1 = require("./utils.js");
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
@@ -61,6 +60,7 @@ function invert(number, modulo) {
     // prettier-ignore
     let x = _0n, y = _1n, u = _1n, v = _0n;
     while (a !== _0n) {
+        // JIT applies optimization if those two lines follow each other
         const q = b / a;
         const r = b % a;
         const m = x - u * q;
@@ -75,7 +75,8 @@ function invert(number, modulo) {
 }
 exports.invert = invert;
 // Tonelli-Shanks algorithm
-// https://eprint.iacr.org/2012/685.pdf (page 12)
+// Paper 1: https://eprint.iacr.org/2012/685.pdf (page 12)
+// Paper 2: Square Roots from 1; 24, 51, 10 to Dan Shanks
 function tonelliShanks(P) {
     // Legendre constant: used to calculate Legendre symbol (a | p),
     // which denotes the value of a^((p-1)/2) (mod p).
@@ -85,7 +86,7 @@ function tonelliShanks(P) {
     const legendreC = (P - _1n) / _2n;
     let Q, S, Z;
     // Step 1: By factoring out powers of 2 from p - 1,
-    // find q and s such that p - 1 = q2s with q odd
+    // find q and s such that p - 1 = q*(2^s) with q odd
     for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)
         ;
     // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
@@ -96,7 +97,7 @@ function tonelliShanks(P) {
         const p1div4 = (P + _1n) / _4n;
         return function tonelliFast(Fp, n) {
             const root = Fp.pow(n, p1div4);
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -104,31 +105,32 @@ function tonelliShanks(P) {
     // Slow-path
     const Q1div2 = (Q + _1n) / _2n;
     return function tonelliSlow(Fp, n) {
-        // Step 0: Check that n is indeed a square: (n | p) must be ≡ 1
-        if (Fp.pow(n, legendreC) !== Fp.ONE)
+        // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
+        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
             throw new Error('Cannot find square root');
-        let s = S;
-        let c = pow(Z, Q, P);
-        let r = Fp.pow(n, Q1div2);
-        let t = Fp.pow(n, Q);
-        let t2 = Fp.ZERO;
-        while (!Fp.equals(Fp.sub(t, Fp.ONE), Fp.ZERO)) {
-            t2 = Fp.square(t);
-            let i;
-            for (i = 1; i < s; i++) {
-                // stop if t2-1 == 0
-                if (Fp.equals(Fp.sub(t2, Fp.ONE), Fp.ZERO))
+        let r = S;
+        // TODO: will fail at Fp2/etc
+        let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
+        let x = Fp.pow(n, Q1div2); // first guess at the square root
+        let b = Fp.pow(n, Q); // first guess at the fudge factor
+        while (!Fp.eql(b, Fp.ONE)) {
+            if (Fp.eql(b, Fp.ZERO))
+                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+            // Find m such b^(2^m)==1
+            let m = 1;
+            for (let t2 = Fp.sqr(b); m < r; m++) {
+                if (Fp.eql(t2, Fp.ONE))
                     break;
-                // t2 *= t2
-                t2 = Fp.square(t2);
+                t2 = Fp.sqr(t2); // t2 *= t2
             }
-            let b = pow(c, BigInt(1 << (s - i - 1)), P);
-            r = Fp.mul(r, b);
-            c = mod(b * b, P);
-            t = Fp.mul(t, c);
-            s = i;
+            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+            const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
+            g = Fp.sqr(ge); // g = ge * ge
+            x = Fp.mul(x, ge); // x *= ge
+            b = Fp.mul(b, g); // b *= g
+            r = m;
         }
-        return r;
+        return x;
     };
 }
 exports.tonelliShanks = tonelliShanks;
@@ -146,7 +148,7 @@ function FpSqrt(P) {
         return function sqrt3mod4(Fp, n) {
             const root = Fp.pow(n, p1div4);
             // Throw if root**2 != n
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -160,7 +162,7 @@ function FpSqrt(P) {
             const nv = Fp.mul(n, v);
             const i = Fp.mul(Fp.mul(nv, _2n), v);
             const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -196,9 +198,9 @@ const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 exports.isNegativeLE = isNegativeLE;
 // prettier-ignore
 const FIELD_FIELDS = [
-    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
-    'equals', 'add', 'sub', 'mul', 'pow', 'div',
-    'addN', 'subN', 'mulN', 'squareN'
+    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+    'eql', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'sqrN'
 ];
 function validateField(field) {
     for (const i of ['ORDER', 'MASK']) {
@@ -230,7 +232,7 @@ function FpPow(f, num, power) {
     while (power > _0n) {
         if (power & _1n)
             p = f.mul(p, d);
-        d = f.square(d);
+        d = f.sqr(d);
         power >>= 1n;
     }
     return p;
@@ -240,16 +242,16 @@ function FpInvertBatch(f, nums) {
     const tmp = new Array(nums.length);
     // Walk from first to last, multiply them by each other MOD p
     const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = acc;
         return f.mul(acc, num);
     }, f.ONE);
     // Invert last element
-    const inverted = f.invert(lastMultiplied);
+    const inverted = f.inv(lastMultiplied);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = f.mul(acc, tmp[i]);
         return f.mul(acc, num);
@@ -258,7 +260,7 @@ function FpInvertBatch(f, nums) {
 }
 exports.FpInvertBatch = FpInvertBatch;
 function FpDiv(f, lhs, rhs) {
-    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 exports.FpDiv = FpDiv;
 // This function returns True whenever the value x is a square in the field F.
@@ -266,14 +268,22 @@ function FpIsSquare(f) {
     const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
     return (x) => {
         const p = f.pow(x, legendreConst);
-        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+        return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
     };
 }
 exports.FpIsSquare = FpIsSquare;
+// CURVE.n lengths
+function nLength(n, nBitLength) {
+    // Bit size, byte size of CURVE.n
+    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+    const nByteLength = Math.ceil(_nBitLength / 8);
+    return { nBitLength: _nBitLength, nByteLength };
+}
+exports.nLength = nLength;
 function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
-    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
     const sqrtP = FpSqrt(ORDER);
@@ -281,41 +291,41 @@ function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         ORDER,
         BITS,
         BYTES,
-        MASK: utils.bitMask(BITS),
+        MASK: (0, utils_js_1.bitMask)(BITS),
         ZERO: _0n,
         ONE: _1n,
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
                 throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
-            return _0n <= num && num < ORDER;
+            return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
-        isZero: (num) => num === _0n,
+        is0: (num) => num === _0n,
         isOdd: (num) => (num & _1n) === _1n,
-        negate: (num) => mod(-num, ORDER),
-        equals: (lhs, rhs) => lhs === rhs,
-        square: (num) => mod(num * num, ORDER),
+        neg: (num) => mod(-num, ORDER),
+        eql: (lhs, rhs) => lhs === rhs,
+        sqr: (num) => mod(num * num, ORDER),
         add: (lhs, rhs) => mod(lhs + rhs, ORDER),
         sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
         mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
         pow: (num, power) => FpPow(f, num, power),
         div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
         // Same as above, but doesn't normalize
-        squareN: (num) => num * num,
+        sqrN: (num) => num * num,
         addN: (lhs, rhs) => lhs + rhs,
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
-        invert: (num) => invert(num, ORDER),
+        inv: (num) => invert(num, ORDER),
         sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
         cmov: (a, b, c) => (c ? b : a),
-        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        toBytes: (num) => (isLE ? (0, utils_js_1.numberToBytesLE)(num, BYTES) : (0, utils_js_1.numberToBytesBE)(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
                 throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
-            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+            return isLE ? (0, utils_js_1.bytesToNumberLE)(bytes) : (0, utils_js_1.bytesToNumberBE)(bytes);
         },
     });
     return Object.freeze(f);
@@ -325,13 +335,32 @@ function FpSqrtOdd(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? root : Fp.negate(root);
+    return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 exports.FpSqrtOdd = FpSqrtOdd;
 function FpSqrtEven(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.negate(root) : root;
+    return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
 exports.FpSqrtEven = FpSqrtEven;
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+function hashToPrivateScalar(hash, groupOrder, isLE = false) {
+    hash = (0, utils_js_1.ensureBytes)(hash);
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+    const num = isLE ? (0, utils_js_1.bytesToNumberLE)(hash) : (0, utils_js_1.bytesToNumberBE)(hash);
+    return mod(num, groupOrder - _1n) + _1n;
+}
+exports.hashToPrivateScalar = hashToPrivateScalar;

package/lib/abstract/montgomery.js

@@ -2,7 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.montgomery = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const mod = require("./modular.js");
+const modular_js_1 = require("./modular.js");
 const utils_js_1 = require("./utils.js");
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -30,7 +30,6 @@ function validateOpts(curve) {
             throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
     // Set defaults
-    // ...nLength(curve.n, curve.nBitLength),
     return Object.freeze({ ...curve });
 }
 // NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)
@@ -38,12 +37,12 @@ function validateOpts(curve) {
 function montgomery(curveDef) {
     const CURVE = validateOpts(curveDef);
     const { P } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const modP = (a) => (0, modular_js_1.mod)(a, P);
     const montgomeryBits = CURVE.montgomeryBits;
     const montgomeryBytes = Math.ceil(montgomeryBits / 8);
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
-    const powPminus2 = CURVE.powPminus2 || ((x) => mod.pow(x, P - BigInt(2), P));
+    const powPminus2 = CURVE.powPminus2 || ((x) => (0, modular_js_1.pow)(x, P - BigInt(2), P));
     /**
      * Checks for num to be in range:
      * For strict == true:  `0 <  num < max`.

package/lib/abstract/poseidon.d.ts

@@ -0,0 +1,29 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { Field } from './modular.js';
+export declare type PoseidonOpts = {
+    Fp: Field<bigint>;
+    t: number;
+    roundsFull: number;
+    roundsPartial: number;
+    sboxPower?: number;
+    reversePartialPowIdx?: boolean;
+    mds: bigint[][];
+    roundConstants: bigint[][];
+};
+export declare function validateOpts(opts: PoseidonOpts): Readonly<{
+    rounds: number;
+    sboxFn: (n: bigint) => bigint;
+    roundConstants: bigint[][];
+    mds: bigint[][];
+    Fp: Field<bigint>;
+    t: number;
+    roundsFull: number;
+    roundsPartial: number;
+    sboxPower?: number | undefined;
+    reversePartialPowIdx?: boolean | undefined;
+}>;
+export declare function splitConstants(rc: bigint[], t: number): bigint[][];
+export declare function poseidon(opts: PoseidonOpts): {
+    (values: bigint[]): bigint[];
+    roundConstants: bigint[][];
+};

package/lib/abstract/poseidon.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.poseidon = exports.splitConstants = exports.validateOpts = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
+const modular_js_1 = require("./modular.js");
+function validateOpts(opts) {
+    const { Fp } = opts;
+    (0, modular_js_1.validateField)(Fp);
+    for (const i of ['t', 'roundsFull', 'roundsPartial']) {
+        if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+            throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
+    }
+    if (opts.reversePartialPowIdx !== undefined && typeof opts.reversePartialPowIdx !== 'boolean')
+        throw new Error(`Poseidon: invalid param reversePartialPowIdx=${opts.reversePartialPowIdx}`);
+    // Default is 5, but by some reasons stark uses 3
+    let sboxPower = opts.sboxPower;
+    if (sboxPower === undefined)
+        sboxPower = 5;
+    if (typeof sboxPower !== 'number' || !Number.isSafeInteger(sboxPower))
+        throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
+    const _sboxPower = BigInt(sboxPower);
+    let sboxFn = (n) => (0, modular_js_1.FpPow)(Fp, n, _sboxPower);
+    // Unwrapped sbox power for common cases (195->142μs)
+    if (sboxPower === 3)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(n), n);
+    else if (sboxPower === 5)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
+    if (opts.roundsFull % 2 !== 0)
+        throw new Error(`Poseidon roundsFull is not even: ${opts.roundsFull}`);
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    if (!Array.isArray(opts.roundConstants) || opts.roundConstants.length !== rounds)
+        throw new Error('Poseidon: wrong round constants');
+    const roundConstants = opts.roundConstants.map((rc) => {
+        if (!Array.isArray(rc) || rc.length !== opts.t)
+            throw new Error(`Poseidon wrong round constants: ${rc}`);
+        return rc.map((i) => {
+            if (typeof i !== 'bigint' || !Fp.isValid(i))
+                throw new Error(`Poseidon wrong round constant=${i}`);
+            return Fp.create(i);
+        });
+    });
+    // MDS is TxT matrix
+    if (!Array.isArray(opts.mds) || opts.mds.length !== opts.t)
+        throw new Error('Poseidon: wrong MDS matrix');
+    const mds = opts.mds.map((mdsRow) => {
+        if (!Array.isArray(mdsRow) || mdsRow.length !== opts.t)
+            throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
+        return mdsRow.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon MDS matrix value=${i}`);
+            return Fp.create(i);
+        });
+    });
+    return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds });
+}
+exports.validateOpts = validateOpts;
+function splitConstants(rc, t) {
+    if (typeof t !== 'number')
+        throw new Error('poseidonSplitConstants: wrong t');
+    if (!Array.isArray(rc) || rc.length % t)
+        throw new Error('poseidonSplitConstants: wrong rc');
+    const res = [];
+    let tmp = [];
+    for (let i = 0; i < rc.length; i++) {
+        tmp.push(rc[i]);
+        if (tmp.length === t) {
+            res.push(tmp);
+            tmp = [];
+        }
+    }
+    return res;
+}
+exports.splitConstants = splitConstants;
+function poseidon(opts) {
+    const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts);
+    const halfRoundsFull = Math.floor(opts.roundsFull / 2);
+    const partialIdx = reversePartialPowIdx ? t - 1 : 0;
+    const poseidonRound = (values, isFull, idx) => {
+        values = values.map((i, j) => Fp.add(i, opts.roundConstants[idx][j]));
+        if (isFull)
+            values = values.map((i) => sboxFn(i));
+        else
+            values[partialIdx] = sboxFn(values[partialIdx]);
+        // Matrix multiplication
+        values = opts.mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
+        return values;
+    };
+    const poseidonHash = function poseidonHash(values) {
+        if (!Array.isArray(values) || values.length !== t)
+            throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
+        values = values.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
+            return Fp.create(i);
+        });
+        let round = 0;
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        // Apply r_p partial rounds.
+        for (let i = 0; i < opts.roundsPartial; i++)
+            values = poseidonRound(values, false, round++);
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        if (round !== rounds)
+            throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
+        return values;
+    };
+    // For verification in tests
+    poseidonHash.roundConstants = opts.roundConstants;
+    return poseidonHash;
+}
+exports.poseidon = poseidon;