@noble/curves 0.5.2 → 0.6.1

package/lib/esm/abstract/hash-to-curve.js

@@ -1,7 +1,6 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { concatBytes } from './utils.js';
-import * as mod from './modular.js';
-export function validateHTFOpts(opts) {
+import { mod } from './modular.js';
+import { concatBytes, ensureBytes } from './utils.js';
+export function validateOpts(opts) {
     if (typeof opts.DST !== 'string')
         throw new Error('Invalid htf/DST');
     if (typeof opts.p !== 'bigint')
@@ -15,13 +14,11 @@ export function validateHTFOpts(opts) {
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
 }
-// UTF8 to ui8a
-// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
 export function stringToBytes(str) {
-    const bytes = new Uint8Array(str.length);
-    for (let i = 0; i < str.length; i++)
-        bytes[i] = str.charCodeAt(i);
-    return bytes;
+    if (typeof str !== 'string') {
+        throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+    }
+    return new TextEncoder().encode(str);
 }
 // Octet Stream to Integer (bytesToNumberBE)
 function os2ip(bytes) {
@@ -120,7 +117,7 @@ export function hash_to_field(msg, count, options) {
         for (let j = 0; j < options.m; j++) {
             const elm_offset = L * (j + i * options.m);
             const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
-            e[j] = mod.mod(os2ip(tv), options.p);
+            e[j] = mod(os2ip(tv), options.p);
         }
         u[i] = e;
     }
@@ -136,3 +133,33 @@ export function isogenyMap(field, map) {
         return { x, y };
     };
 }
+export function hashToCurve(Point, mapToCurve, def) {
+    validateOpts(def);
+    if (typeof mapToCurve !== 'function')
+        throw new Error('hashToCurve: mapToCurve() has not been defined');
+    return {
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        hashToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0]))
+                .add(Point.fromAffine(mapToCurve(u[1])))
+                .clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        encodeToCurve(msg, options) {
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ensureBytes(msg);
+            const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options });
+            const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
+            P.assertValidity();
+            return P;
+        },
+    };
+}

package/lib/esm/abstract/modular.js

@@ -1,7 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: remove circular imports
-import * as utils from './utils.js';
 // Utilities for modular arithmetics and finite fields
+import { bitMask, numberToBytesBE, numberToBytesLE, bytesToNumberBE, bytesToNumberLE, ensureBytes, validateObject, } from './utils.js';
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
@@ -35,7 +34,6 @@ export function pow(num, power, modulo) {
     return res;
 }
 // Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
-// TODO: Fp version?
 export function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n) {
@@ -91,7 +89,7 @@ export function tonelliShanks(P) {
         const p1div4 = (P + _1n) / _4n;
         return function tonelliFast(Fp, n) {
             const root = Fp.pow(n, p1div4);
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -100,26 +98,26 @@ export function tonelliShanks(P) {
     const Q1div2 = (Q + _1n) / _2n;
     return function tonelliSlow(Fp, n) {
         // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-        if (Fp.pow(n, legendreC) === Fp.negate(Fp.ONE))
+        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
             throw new Error('Cannot find square root');
         let r = S;
         // TODO: will fail at Fp2/etc
         let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
         let x = Fp.pow(n, Q1div2); // first guess at the square root
         let b = Fp.pow(n, Q); // first guess at the fudge factor
-        while (!Fp.equals(b, Fp.ONE)) {
-            if (Fp.equals(b, Fp.ZERO))
+        while (!Fp.eql(b, Fp.ONE)) {
+            if (Fp.eql(b, Fp.ZERO))
                 return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
             // Find m such b^(2^m)==1
             let m = 1;
-            for (let t2 = Fp.square(b); m < r; m++) {
-                if (Fp.equals(t2, Fp.ONE))
+            for (let t2 = Fp.sqr(b); m < r; m++) {
+                if (Fp.eql(t2, Fp.ONE))
                     break;
-                t2 = Fp.square(t2); // t2 *= t2
+                t2 = Fp.sqr(t2); // t2 *= t2
             }
             // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
             const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
-            g = Fp.square(ge); // g = ge * ge
+            g = Fp.sqr(ge); // g = ge * ge
             x = Fp.mul(x, ge); // x *= ge
             b = Fp.mul(b, g); // b *= g
             r = m;
@@ -141,7 +139,7 @@ export function FpSqrt(P) {
         return function sqrt3mod4(Fp, n) {
             const root = Fp.pow(n, p1div4);
             // Throw if root**2 != n
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -155,7 +153,7 @@ export function FpSqrt(P) {
             const nv = Fp.mul(n, v);
             const i = Fp.mul(Fp.mul(nv, _2n), v);
             const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-            if (!Fp.equals(Fp.square(root), n))
+            if (!Fp.eql(Fp.sqr(root), n))
                 throw new Error('Cannot find square root');
             return root;
         };
@@ -189,23 +187,22 @@ export function FpSqrt(P) {
 export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
 // prettier-ignore
 const FIELD_FIELDS = [
-    'create', 'isValid', 'isZero', 'negate', 'invert', 'sqrt', 'square',
-    'equals', 'add', 'sub', 'mul', 'pow', 'div',
-    'addN', 'subN', 'mulN', 'squareN'
+    'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+    'eql', 'add', 'sub', 'mul', 'pow', 'div',
+    'addN', 'subN', 'mulN', 'sqrN'
 ];
 export function validateField(field) {
-    for (const i of ['ORDER', 'MASK']) {
-        if (typeof field[i] !== 'bigint')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of ['BYTES', 'BITS']) {
-        if (typeof field[i] !== 'number')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
-    for (const i of FIELD_FIELDS) {
-        if (typeof field[i] !== 'function')
-            throw new Error(`Invalid field param ${i}=${field[i]} (${typeof field[i]})`);
-    }
+    const initial = {
+        ORDER: 'bigint',
+        MASK: 'bigint',
+        BYTES: 'isSafeInteger',
+        BITS: 'isSafeInteger',
+    };
+    const opts = FIELD_FIELDS.reduce((map, val) => {
+        map[val] = 'function';
+        return map;
+    }, initial);
+    return validateObject(field, opts);
 }
 // Generic field functions
 export function FpPow(f, num, power) {
@@ -222,7 +219,7 @@ export function FpPow(f, num, power) {
     while (power > _0n) {
         if (power & _1n)
             p = f.mul(p, d);
-        d = f.square(d);
+        d = f.sqr(d);
         power >>= 1n;
     }
     return p;
@@ -231,16 +228,16 @@ export function FpInvertBatch(f, nums) {
     const tmp = new Array(nums.length);
     // Walk from first to last, multiply them by each other MOD p
     const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = acc;
         return f.mul(acc, num);
     }, f.ONE);
     // Invert last element
-    const inverted = f.invert(lastMultiplied);
+    const inverted = f.inv(lastMultiplied);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.isZero(num))
+        if (f.is0(num))
             return acc;
         tmp[i] = f.mul(acc, tmp[i]);
         return f.mul(acc, num);
@@ -248,20 +245,27 @@ export function FpInvertBatch(f, nums) {
     return tmp;
 }
 export function FpDiv(f, lhs, rhs) {
-    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
+    return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
 }
 // This function returns True whenever the value x is a square in the field F.
 export function FpIsSquare(f) {
     const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
     return (x) => {
         const p = f.pow(x, legendreConst);
-        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+        return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
     };
 }
+// CURVE.n lengths
+export function nLength(n, nBitLength) {
+    // Bit size, byte size of CURVE.n
+    const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+    const nByteLength = Math.ceil(_nBitLength / 8);
+    return { nBitLength: _nBitLength, nByteLength };
+}
 export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
-    const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
+    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
     const sqrtP = FpSqrt(ORDER);
@@ -269,41 +273,41 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         ORDER,
         BITS,
         BYTES,
-        MASK: utils.bitMask(BITS),
+        MASK: bitMask(BITS),
         ZERO: _0n,
         ONE: _1n,
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
                 throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
-            return _0n <= num && num < ORDER;
+            return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
-        isZero: (num) => num === _0n,
+        is0: (num) => num === _0n,
         isOdd: (num) => (num & _1n) === _1n,
-        negate: (num) => mod(-num, ORDER),
-        equals: (lhs, rhs) => lhs === rhs,
-        square: (num) => mod(num * num, ORDER),
+        neg: (num) => mod(-num, ORDER),
+        eql: (lhs, rhs) => lhs === rhs,
+        sqr: (num) => mod(num * num, ORDER),
         add: (lhs, rhs) => mod(lhs + rhs, ORDER),
         sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
         mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
         pow: (num, power) => FpPow(f, num, power),
         div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
         // Same as above, but doesn't normalize
-        squareN: (num) => num * num,
+        sqrN: (num) => num * num,
         addN: (lhs, rhs) => lhs + rhs,
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
-        invert: (num) => invert(num, ORDER),
+        inv: (num) => invert(num, ORDER),
         sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
         cmov: (a, b, c) => (c ? b : a),
-        toBytes: (num) => isLE ? utils.numberToBytesLE(num, BYTES) : utils.numberToBytesBE(num, BYTES),
+        toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
         fromBytes: (bytes) => {
             if (bytes.length !== BYTES)
                 throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
-            return isLE ? utils.bytesToNumberLE(bytes) : utils.bytesToNumberBE(bytes);
+            return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
         },
     });
     return Object.freeze(f);
@@ -312,11 +316,29 @@ export function FpSqrtOdd(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? root : Fp.negate(root);
+    return Fp.isOdd(root) ? root : Fp.neg(root);
 }
 export function FpSqrtEven(Fp, elm) {
     if (!Fp.isOdd)
         throw new Error(`Field doesn't have isOdd`);
     const root = Fp.sqrt(elm);
-    return Fp.isOdd(root) ? Fp.negate(root) : root;
+    return Fp.isOdd(root) ? Fp.neg(root) : root;
+}
+/**
+ * FIPS 186 B.4.1-compliant "constant-time" private key generation utility.
+ * Can take (n+8) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being neglible.
+ * Needs at least 40 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * @param hash hash output from SHA3 or a similar function
+ * @returns valid private scalar
+ */
+export function hashToPrivateScalar(hash, groupOrder, isLE = false) {
+    hash = ensureBytes(hash);
+    const hashLen = hash.length;
+    const minLen = nLength(groupOrder).nByteLength + 8;
+    if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+        throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+    const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
+    return mod(num, groupOrder - _1n) + _1n;
 }

package/lib/esm/abstract/montgomery.js

@@ -1,33 +1,20 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import * as mod from './modular.js';
-import { ensureBytes, numberToBytesLE, bytesToNumberLE, isPositiveInt } from './utils.js';
+import { mod, pow } from './modular.js';
+import { bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 function validateOpts(curve) {
-    for (const i of ['a24']) {
-        if (typeof curve[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const i of ['montgomeryBits', 'nByteLength']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (!isPositiveInt(curve[i]))
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
-    for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2']) {
-        if (curve[fn] === undefined)
-            continue; // Optional
-        if (typeof curve[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const i of ['Gu']) {
-        if (curve[i] === undefined)
-            continue; // Optional
-        if (typeof curve[i] !== 'string')
-            throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
-    }
+    validateObject(curve, {
+        a24: 'bigint',
+    }, {
+        montgomeryBits: 'isSafeInteger',
+        nByteLength: 'isSafeInteger',
+        adjustScalarBytes: 'function',
+        domain: 'function',
+        powPminus2: 'function',
+        Gu: 'string',
+    });
     // Set defaults
-    // ...nLength(curve.n, curve.nBitLength),
     return Object.freeze({ ...curve });
 }
 // NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)
@@ -35,37 +22,13 @@ function validateOpts(curve) {
 export function montgomery(curveDef) {
     const CURVE = validateOpts(curveDef);
     const { P } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const modP = (a) => mod(a, P);
     const montgomeryBits = CURVE.montgomeryBits;
     const montgomeryBytes = Math.ceil(montgomeryBits / 8);
     const fieldLen = CURVE.nByteLength;
     const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
-    const powPminus2 = CURVE.powPminus2 || ((x) => mod.pow(x, P - BigInt(2), P));
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    // cswap from RFC7748
-    // NOTE: cswap is not from RFC7748!
+    const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
+    // cswap from RFC7748. But it is not from RFC7748!
     /*
       cswap(swap, x_2, x_3):
            dummy = mask(swap) AND (x_2 XOR x_3)
@@ -81,6 +44,11 @@ export function montgomery(curveDef) {
         x_3 = modP(x_3 + dummy);
         return [x_2, x_3];
     }
+    function assertFieldElement(n) {
+        if (typeof n === 'bigint' && _0n <= n && n < P)
+            return n;
+        throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+    }
     // x25519 from 4
     /**
      *
@@ -89,11 +57,10 @@ export function montgomery(curveDef) {
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(pointU, scalar) {
-        const { P } = CURVE;
-        const u = normalizeScalar(pointU, P);
+        const u = assertFieldElement(pointU);
         // Section 5: Implementations MUST accept non-canonical values and process them as
         // if they had been reduced modulo the field prime.
-        const k = normalizeScalar(scalar, P);
+        const k = assertFieldElement(scalar);
         // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
         const a24 = CURVE.a24;
         const x_1 = u;
@@ -146,11 +113,11 @@ export function montgomery(curveDef) {
         return numberToBytesLE(modP(u), montgomeryBytes);
     }
     function decodeUCoordinate(uEnc) {
-        const u = ensureBytes(uEnc, montgomeryBytes);
         // Section 5: When receiving such an array, implementations of X25519
         // MUST mask the most significant bit in the final byte.
         // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
         // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
+        const u = ensureBytes(uEnc, montgomeryBytes);
         u[fieldLen - 1] &= 127; // 0b0111_1111
         return bytesToNumberLE(u);
     }
@@ -160,13 +127,6 @@ export function montgomery(curveDef) {
             throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
         return bytesToNumberLE(adjustScalarBytes(bytes));
     }
-    /**
-     * Computes shared secret between private key "scalar" and public key's "u" (x) coordinate.
-     * We can get 'y' coordinate from 'u',
-     * but Point.fromHex also wants 'x' coordinate oddity flag,
-     * and we cannot get 'x' without knowing 'v'.
-     * Need to add generic conversion between twisted edwards and complimentary curve for JubJub.
-     */
     function scalarMult(scalar, u) {
         const pointU = decodeUCoordinate(u);
         const _scalar = decodeScalar(scalar);
@@ -177,12 +137,7 @@ export function montgomery(curveDef) {
             throw new Error('Invalid private or public key received');
         return encodeUCoordinate(pu);
     }
-    /**
-     * Computes public key from private.
-     * Executes scalar multiplication of curve's base point by scalar.
-     * @param scalar private key
-     * @returns new public key
-     */
+    // Computes public key from private. By doing scalar multiplication of base point.
     function scalarMultBase(scalar) {
         return scalarMult(scalar, CURVE.Gu);
     }

package/lib/esm/abstract/poseidon.js

@@ -0,0 +1,109 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
+import { FpPow, validateField } from './modular.js';
+export function validateOpts(opts) {
+    const { Fp } = opts;
+    validateField(Fp);
+    for (const i of ['t', 'roundsFull', 'roundsPartial']) {
+        if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+            throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
+    }
+    if (opts.reversePartialPowIdx !== undefined && typeof opts.reversePartialPowIdx !== 'boolean')
+        throw new Error(`Poseidon: invalid param reversePartialPowIdx=${opts.reversePartialPowIdx}`);
+    // Default is 5, but by some reasons stark uses 3
+    let sboxPower = opts.sboxPower;
+    if (sboxPower === undefined)
+        sboxPower = 5;
+    if (typeof sboxPower !== 'number' || !Number.isSafeInteger(sboxPower))
+        throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
+    const _sboxPower = BigInt(sboxPower);
+    let sboxFn = (n) => FpPow(Fp, n, _sboxPower);
+    // Unwrapped sbox power for common cases (195->142μs)
+    if (sboxPower === 3)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(n), n);
+    else if (sboxPower === 5)
+        sboxFn = (n) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
+    if (opts.roundsFull % 2 !== 0)
+        throw new Error(`Poseidon roundsFull is not even: ${opts.roundsFull}`);
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    if (!Array.isArray(opts.roundConstants) || opts.roundConstants.length !== rounds)
+        throw new Error('Poseidon: wrong round constants');
+    const roundConstants = opts.roundConstants.map((rc) => {
+        if (!Array.isArray(rc) || rc.length !== opts.t)
+            throw new Error(`Poseidon wrong round constants: ${rc}`);
+        return rc.map((i) => {
+            if (typeof i !== 'bigint' || !Fp.isValid(i))
+                throw new Error(`Poseidon wrong round constant=${i}`);
+            return Fp.create(i);
+        });
+    });
+    // MDS is TxT matrix
+    if (!Array.isArray(opts.mds) || opts.mds.length !== opts.t)
+        throw new Error('Poseidon: wrong MDS matrix');
+    const mds = opts.mds.map((mdsRow) => {
+        if (!Array.isArray(mdsRow) || mdsRow.length !== opts.t)
+            throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
+        return mdsRow.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon MDS matrix value=${i}`);
+            return Fp.create(i);
+        });
+    });
+    return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds });
+}
+export function splitConstants(rc, t) {
+    if (typeof t !== 'number')
+        throw new Error('poseidonSplitConstants: wrong t');
+    if (!Array.isArray(rc) || rc.length % t)
+        throw new Error('poseidonSplitConstants: wrong rc');
+    const res = [];
+    let tmp = [];
+    for (let i = 0; i < rc.length; i++) {
+        tmp.push(rc[i]);
+        if (tmp.length === t) {
+            res.push(tmp);
+            tmp = [];
+        }
+    }
+    return res;
+}
+export function poseidon(opts) {
+    const { t, Fp, rounds, sboxFn, reversePartialPowIdx } = validateOpts(opts);
+    const halfRoundsFull = Math.floor(opts.roundsFull / 2);
+    const partialIdx = reversePartialPowIdx ? t - 1 : 0;
+    const poseidonRound = (values, isFull, idx) => {
+        values = values.map((i, j) => Fp.add(i, opts.roundConstants[idx][j]));
+        if (isFull)
+            values = values.map((i) => sboxFn(i));
+        else
+            values[partialIdx] = sboxFn(values[partialIdx]);
+        // Matrix multiplication
+        values = opts.mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
+        return values;
+    };
+    const poseidonHash = function poseidonHash(values) {
+        if (!Array.isArray(values) || values.length !== t)
+            throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
+        values = values.map((i) => {
+            if (typeof i !== 'bigint')
+                throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
+            return Fp.create(i);
+        });
+        let round = 0;
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        // Apply r_p partial rounds.
+        for (let i = 0; i < opts.roundsPartial; i++)
+            values = poseidonRound(values, false, round++);
+        // Apply r_f/2 full rounds.
+        for (let i = 0; i < halfRoundsFull; i++)
+            values = poseidonRound(values, true, round++);
+        if (round !== rounds)
+            throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
+        return values;
+    };
+    // For verification in tests
+    poseidonHash.roundConstants = opts.roundConstants;
+    return poseidonHash;
+}