@noble/curves 0.5.2 → 0.6.1

package/lib/esm/secp256k1.js

@@ -3,9 +3,9 @@ import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field, mod, pow2 } from './abstract/modular.js';
 import { createCurve } from './_shortw_utils.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-import { ensureBytes, concatBytes, hexToBytes, bytesToNumberBE, } from './abstract/utils.js';
+import { ensureBytes, concatBytes, bytesToNumberBE as bytesToInt, numberToBytesBE, } from './abstract/utils.js';
 import { randomBytes } from '@noble/hashes/utils';
-import { isogenyMap } from './abstract/hash-to-curve.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
  * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
@@ -19,10 +19,7 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const divNearest = (a, b) => (a + b / _2n) / b;
 /**
- * Allows to compute square root √y 2x faster.
- * To calculate √y, we need to exponentiate it to a very big number:
- * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
- * We are unwrapping the loop and multiplying it bit-by-bit.
+ * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
  */
 function sqrtMod(y) {
@@ -45,45 +42,11 @@ function sqrtMod(y) {
     const t1 = (pow2(b223, _23n, P) * b22) % P;
     const t2 = (pow2(t1, _6n, P) * b2) % P;
     const root = pow2(t2, _2n, P);
-    if (!Fp.equals(Fp.square(root), y))
+    if (!Fp.eql(Fp.sqr(root), y))
         throw new Error('Cannot find square root');
     return root;
 }
 const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
-const isoMap = isogenyMap(Fp, [
-    // xNum
-    [
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
-        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
-        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
-    ],
-    // xDen
-    [
-        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
-        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-    // yNum
-    [
-        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
-        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
-        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
-        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
-    ],
-    // yDen
-    [
-        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
-        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
-        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-].map((i) => i.map((j) => BigInt(j))));
-const mapSWU = mapToCurveSimpleSWU(Fp, {
-    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
-    B: BigInt('1771'),
-    Z: Fp.create(BigInt('-11')),
-});
 export const secp256k1 = createCurve({
     // Params: a, b
     // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
@@ -126,51 +89,13 @@ export const secp256k1 = createCurve({
             return { k1neg, k1, k2neg, k2 };
         },
     },
-    mapToCurve: (scalars) => {
-        const { x, y } = mapSWU(Fp.create(scalars[0]));
-        return isoMap(x, y);
-    },
-    htfDefaults: {
-        DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256,
-    },
 }, sha256);
-// Schnorr
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
-const numTo32b = secp256k1.utils._bigintToBytes;
-const numTo32bStr = secp256k1.utils._bigintToString;
-const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
-// TODO: export?
-function normalizePublicKey(publicKey) {
-    if (publicKey instanceof secp256k1.Point) {
-        publicKey.assertValidity();
-        return publicKey;
-    }
-    else {
-        const bytes = ensureBytes(publicKey);
-        // Schnorr is 32 bytes
-        if (bytes.length !== 32)
-            throw new Error('Schnorr pubkeys must be 32 bytes');
-        const x = bytesToNumberBE(bytes);
-        if (!isValidFieldElement(x))
-            throw new Error('Point is not on curve');
-        const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
-        let y = sqrtMod(y2); // y = y² ^ (p+1)/4
-        const isYOdd = (y & _1n) === _1n;
-        // Schnorr
-        if (isYOdd)
-            y = secp256k1.CURVE.Fp.negate(y);
-        const point = new secp256k1.Point(x, y);
-        point.assertValidity();
-        return point;
-    }
-}
-const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
-const isValidFieldElement = secp256k1.utils._isValidFieldElement;
+const fe = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
+const ge = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
 const TAGS = {
     challenge: 'BIP0340/challenge',
     aux: 'BIP0340/aux',
@@ -178,7 +103,7 @@ const TAGS = {
 };
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
 const TAGGED_HASH_PREFIXES = {};
-export function taggedHash(tag, ...messages) {
+function taggedHash(tag, ...messages) {
     let tagP = TAGGED_HASH_PREFIXES[tag];
     if (tagP === undefined) {
         const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
@@ -187,71 +112,55 @@ export function taggedHash(tag, ...messages) {
     }
     return sha256(concatBytes(tagP, ...messages));
 }
-const toRawX = (point) => point.toRawBytes(true).slice(1);
-// Schnorr signatures are superior to ECDSA from above.
-// Below is Schnorr-specific code as per BIP0340.
-function schnorrChallengeFinalize(ch) {
-    return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
+const pointToBytes = (point) => point.toRawBytes(true).slice(1);
+const numTo32b = (n) => numberToBytesBE(n, 32);
+const modN = (x) => mod(x, secp256k1N);
+const Point = secp256k1.ProjectivePoint;
+const GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
+const hex32ToInt = (key) => bytesToInt(ensureBytes(key, 32));
+function schnorrGetExtPubKey(priv) {
+    let d = typeof priv === 'bigint' ? priv : hex32ToInt(priv);
+    const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
+    const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
+    return { point, scalar, bytes: pointToBytes(point) };
 }
-// Do we need this at all for Schnorr?
-class SchnorrSignature {
-    constructor(r, s) {
-        this.r = r;
-        this.s = s;
-        this.assertValidity();
-    }
-    static fromHex(hex) {
-        const bytes = ensureBytes(hex);
-        const len = 32; // group length
-        if (bytes.length !== 2 * len)
-            throw new TypeError(`SchnorrSignature.fromHex: expected ${2 * len} bytes, not ${bytes.length}`);
-        const r = bytesToNumberBE(bytes.subarray(0, len));
-        const s = bytesToNumberBE(bytes.subarray(len, 2 * len));
-        return new SchnorrSignature(r, s);
-    }
-    assertValidity() {
-        const { r, s } = this;
-        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
-            throw new Error('Invalid signature');
-    }
-    toHex() {
-        return numTo32bStr(this.r) + numTo32bStr(this.s);
-    }
-    toRawBytes() {
-        return hexToBytes(this.toHex());
-    }
+function lift_x(x) {
+    if (!fe(x))
+        throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
+    const c = mod(x * x * x + BigInt(7), secp256k1P); // Let c = x³ + 7 mod p.
+    let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
+    if (y % 2n !== 0n)
+        y = mod(-y, secp256k1P); // Return the unique point P such that x(P) = x and
+    const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+    p.assertValidity();
+    return p;
 }
-function schnorrGetScalar(priv) {
-    const point = secp256k1.Point.fromPrivateKey(priv);
-    const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
-    return { point, scalar, x: toRawX(point) };
+function challenge(...args) {
+    return modN(bytesToInt(taggedHash(TAGS.challenge, ...args)));
 }
-/**
- * Synchronously creates Schnorr signature. Improved security: verifies itself before
- * producing an output.
- * @param msg message (not message hash)
- * @param privateKey private key
- * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
- */
+// Schnorr's pubkey is just `x` of Point (BIP340)
+function schnorrGetPublicKey(privateKey) {
+    return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
+}
+// Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
+// auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous
 function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
     if (message == null)
-        throw new TypeError(`sign: Expected valid message, not "${message}"`);
-    const m = ensureBytes(message);
-    // checks for isWithinCurveOrder
-    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
-    const rand = ensureBytes(auxRand);
-    if (rand.length !== 32)
-        throw new TypeError('sign: Expected 32 bytes of aux randomness');
-    const tag = taggedHash;
-    const t0h = tag(TAGS.aux, rand);
-    const t = numTo32b(d ^ bytesToNumberBE(t0h));
-    const k0h = tag(TAGS.nonce, t, px, m);
-    const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
-    if (k0 === _0n)
-        throw new Error('sign: Creation of signature failed. k is zero');
-    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
-    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
-    const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
+        throw new Error(`sign: Expected valid message, not "${message}"`);
+    const m = ensureBytes(message); // checks for isWithinCurveOrder
+    const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
+    const a = ensureBytes(auxRand, 32); // Auxiliary random data a: a 32-byte array
+    const t = numTo32b(d ^ bytesToInt(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
+    const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
+    const k_ = modN(bytesToInt(rand)); // Let k' = int(rand) mod n
+    if (k_ === _0n)
+        throw new Error('sign failed: k is zero'); // Fail if k' = 0.
+    const { point: R, bytes: rx, scalar: k } = schnorrGetExtPubKey(k_); // Let R = k'⋅G.
+    const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
+    const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
+    sig.set(numTo32b(R.px), 0);
+    sig.set(numTo32b(modN(k + e * d)), 32);
+    // If Verify(bytes(P), m, sig) (see below) returns failure, abort
     if (!schnorrVerify(sig, m, px))
         throw new Error('sign: Invalid signature produced');
     return sig;
@@ -261,30 +170,83 @@ function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
  */
 function schnorrVerify(signature, message, publicKey) {
     try {
-        const raw = signature instanceof SchnorrSignature;
-        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
-        if (raw)
-            sig.assertValidity(); // just in case
-        const { r, s } = sig;
-        const m = ensureBytes(message);
-        const P = normalizePublicKey(publicKey);
-        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
-        // Finalize
-        // R = s⋅G - e⋅P
-        // -eP == (n-e)P
-        const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), mod(-e, secp256k1.CURVE.n));
-        if (!R || !R.hasEvenY() || R.x !== r)
+        const P = lift_x(hex32ToInt(publicKey)); // P = lift_x(int(pk)); fail if that fails
+        const sig = ensureBytes(signature, 64);
+        const r = bytesToInt(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
+        if (!fe(r))
+            return false;
+        const s = bytesToInt(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
+        if (!ge(s))
             return false;
-        return true;
+        const m = ensureBytes(message);
+        const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
+        const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
+        if (!R || !R.hasEvenY() || R.toAffine().x !== r)
+            return false; // -eP == (n-e)P
+        return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
     }
     catch (error) {
         return false;
     }
 }
 export const schnorr = {
-    Signature: SchnorrSignature,
-    // Schnorr's pubkey is just `x` of Point (BIP340)
-    getPublicKey: (privateKey) => toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
+    getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,
+    utils: {
+        getExtendedPublicKey: schnorrGetExtPubKey,
+        lift_x,
+        pointToBytes,
+        numberToBytesBE,
+        bytesToNumberBE: bytesToInt,
+        taggedHash,
+        mod,
+    },
 };
+const isoMap = htf.isogenyMap(Fp, [
+    // xNum
+    [
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
+        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
+        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
+    ],
+    // xDen
+    [
+        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
+        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+    // yNum
+    [
+        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
+        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
+        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
+        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
+    ],
+    // yDen
+    [
+        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
+        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
+        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+].map((i) => i.map((j) => BigInt(j))));
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
+    B: BigInt('1771'),
+    Z: Fp.create(BigInt('-11')),
+});
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp256k1.ProjectivePoint, (scalars) => {
+    const { x, y } = mapSWU(Fp.create(scalars[0]));
+    return isoMap(x, y);
+}, {
+    DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/stark.js

@@ -3,12 +3,23 @@ import { keccak_256 } from '@noble/hashes/sha3';
 import { sha256 } from '@noble/hashes/sha256';
 import { weierstrass } from './abstract/weierstrass.js';
 import * as cutils from './abstract/utils.js';
-import { Fp } from './abstract/modular.js';
+import { Fp, mod, validateField } from './abstract/modular.js';
 import { getHash } from './_shortw_utils.js';
+import * as poseidon from './abstract/poseidon.js';
+import { utf8ToBytes } from '@noble/hashes/utils';
 // Stark-friendly elliptic curve
 // https://docs.starkware.co/starkex/stark-curve.html
 const CURVE_N = BigInt('3618502788666131213697322783095070105526743751716087489154079457884512865583');
 const nBitLength = 252;
+// Copy-pasted from weierstrass.ts
+function bits2int(bytes) {
+    const delta = bytes.length * 8 - nBitLength;
+    const num = cutils.bytesToNumberBE(bytes);
+    return delta > 0 ? num >> BigInt(delta) : num;
+}
+function bits2int_modN(bytes) {
+    return mod(bits2int(bytes), CURVE_N);
+}
 export const starkCurve = weierstrass({
     // Params: a, b
     a: BigInt(1),
@@ -26,33 +37,28 @@ export const starkCurve = weierstrass({
     // Default options
     lowS: false,
     ...getHash(sha256),
-    truncateHash: (hash, truncateOnly = false) => {
-        // TODO: cleanup, ugly code
-        // Fix truncation
-        if (!truncateOnly) {
-            let hashS = bytesToNumber0x(hash).toString(16);
-            if (hashS.length === 63) {
-                hashS += '0';
-                hash = hexToBytes0x(hashS);
-            }
+    // Custom truncation routines for stark curve
+    bits2int: (bytes) => {
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int(bytes);
+    },
+    bits2int_modN: (bytes) => {
+        let hashS = cutils.bytesToNumberBE(bytes).toString(16);
+        if (hashS.length === 63) {
+            hashS += '0';
+            bytes = hexToBytes0x(hashS);
         }
         // Truncate zero bytes on left (compat with elliptic)
-        while (hash[0] === 0)
-            hash = hash.subarray(1);
-        const byteLength = hash.length;
-        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = hash.length ? bytesToNumber0x(hash) : 0n;
-        if (delta > 0)
-            h = h >> BigInt(delta);
-        if (!truncateOnly && h >= CURVE_N)
-            h -= CURVE_N;
-        return h;
+        while (bytes[0] === 0)
+            bytes = bytes.subarray(1);
+        return bits2int_modN(bytes);
     },
 });
 // Custom Starknet type conversion functions that can handle 0x and unpadded hex
 function hexToBytes0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
+        throw new Error('hexToBytes: expected string, got ' + typeof hex);
     }
     hex = strip0x(hex);
     if (hex.length & 1)
@@ -72,7 +78,7 @@ function hexToBytes0x(hex) {
 }
 function hexToNumber0x(hex) {
     if (typeof hex !== 'string') {
-        throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
+        throw new Error('hexToNumber: expected string, got ' + typeof hex);
     }
     // Big Endian
     // TODO: strip vs no strip?
@@ -87,9 +93,9 @@ function ensureBytes0x(hex) {
     return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
 }
 function normalizePrivateKey(privKey) {
-    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(32 * 2, '0');
+    return cutils.bytesToHex(ensureBytes0x(privKey)).padStart(64, '0');
 }
-function getPublicKey0x(privKey, isCompressed) {
+function getPublicKey0x(privKey, isCompressed = false) {
     return starkCurve.getPublicKey(normalizePrivateKey(privKey), isCompressed);
 }
 function getSharedSecret0x(privKeyA, pubKeyB) {
@@ -104,9 +110,9 @@ function verify0x(signature, msgHash, pubKey) {
     const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
     return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
 }
-const { CURVE, Point, ProjectivePoint, Signature } = starkCurve;
+const { CURVE, ProjectivePoint, Signature } = starkCurve;
 export const utils = starkCurve.utils;
-export { CURVE, Point, Signature, ProjectivePoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
+export { CURVE, Signature, ProjectivePoint, getPublicKey0x as getPublicKey, getSharedSecret0x as getSharedSecret, sign0x as sign, verify0x as verify, };
 const stripLeadingZeros = (s) => s.replace(/^0+/gm, '');
 export const bytesToHexEth = (uint8a) => `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
 export const strip0x = (hex) => hex.replace(/^0x/i, '');
@@ -116,18 +122,17 @@ function hashKeyWithIndex(key, index) {
     let indexHex = cutils.numberToHexUnpadded(index);
     if (indexHex.length & 1)
         indexHex = '0' + indexHex;
-    return bytesToNumber0x(sha256(cutils.concatBytes(key, hexToBytes0x(indexHex))));
+    return sha256Num(cutils.concatBytes(key, hexToBytes0x(indexHex)));
 }
 export function grindKey(seed) {
     const _seed = ensureBytes0x(seed);
     const sha256mask = 2n ** 256n;
-    const Fn = Fp(CURVE.n);
-    const limit = sha256mask - Fn.create(sha256mask);
+    const limit = sha256mask - mod(sha256mask, CURVE_N);
     for (let i = 0;; i++) {
         const key = hashKeyWithIndex(_seed, i);
         // key should be in [0, limit)
         if (key < limit)
-            return Fn.create(key).toString(16);
+            return mod(key, CURVE_N).toString(16);
     }
 }
 export function getStarkKey(privateKey) {
@@ -142,21 +147,21 @@ export function ethSigToPrivate(signature) {
 const MASK_31 = 2n ** 31n - 1n;
 const int31 = (n) => Number(n & MASK_31);
 export function getAccountPath(layer, application, ethereumAddress, index) {
-    const layerNum = int31(bytesToNumber0x(sha256(layer)));
-    const applicationNum = int31(bytesToNumber0x(sha256(application)));
+    const layerNum = int31(sha256Num(layer));
+    const applicationNum = int31(sha256Num(application));
     const eth = hexToNumber0x(ethereumAddress);
     return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
 }
 // https://docs.starkware.co/starkex/pedersen-hash-function.html
 const PEDERSEN_POINTS_AFFINE = [
-    new Point(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n),
-    new Point(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n),
-    new Point(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n),
-    new Point(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n),
-    new Point(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n),
+    new ProjectivePoint(2089986280348253421170679821480865132823066470938446095505822317253594081284n, 1713931329540660377023406109199410414810705867260802078187082345529207694986n, 1n),
+    new ProjectivePoint(996781205833008774514500082376783249102396023663454813447423147977397232763n, 1668503676786377725805489344771023921079126552019160156920634619255970485781n, 1n),
+    new ProjectivePoint(2251563274489750535117886426533222435294046428347329203627021249169616184184n, 1798716007562728905295480679789526322175868328062420237419143593021674992973n, 1n),
+    new ProjectivePoint(2138414695194151160943305727036575959195309218611738193261179310511854807447n, 113410276730064486255102093846540133784865286929052426931474106396135072156n, 1n),
+    new ProjectivePoint(2379962749567351885752724891227938183011949129833673362440656643086021394946n, 776496453633298175483985398648758586525933812536653089401905292063708816422n, 1n),
 ];
 // for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
-const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE.map(ProjectivePoint.fromAffine);
+const PEDERSEN_POINTS = PEDERSEN_POINTS_AFFINE;
 function pedersenPrecompute(p1, p2) {
     const out = [];
     let p = p1;
@@ -195,7 +200,7 @@ function pedersenSingle(point, value, constants) {
     let x = pedersenArg(value);
     for (let j = 0; j < 252; j++) {
         const pt = constants[j];
-        if (pt.x === point.x)
+        if (pt.px === point.px)
             throw new Error('Same point');
         if ((x & 1n) !== 0n)
             point = point.add(pt);
@@ -208,7 +213,7 @@ export function pedersen(x, y) {
     let point = PEDERSEN_POINTS[0];
     point = pedersenSingle(point, x, PEDERSEN_POINTS1);
     point = pedersenSingle(point, y, PEDERSEN_POINTS2);
-    return bytesToHexEth(point.toAffine().toRawBytes(true).slice(1));
+    return bytesToHexEth(point.toRawBytes(true).slice(1));
 }
 export function hashChain(data, fn = pedersen) {
     if (!Array.isArray(data) || data.length < 1)
@@ -221,5 +226,64 @@ export function hashChain(data, fn = pedersen) {
 }
 // Same as hashChain, but computes hash even for single element and order is not revesed
 export const computeHashOnElements = (data, fn = pedersen) => [0, ...data, data.length].reduce((x, y) => fn(x, y));
-const MASK_250 = 2n ** 250n - 1n;
+const MASK_250 = cutils.bitMask(250);
 export const keccak = (data) => bytesToNumber0x(keccak_256(data)) & MASK_250;
+const sha256Num = (data) => cutils.bytesToNumberBE(sha256(data));
+// Poseidon hash
+export const Fp253 = Fp(BigInt('14474011154664525231415395255581126252639794253786371766033694892385558855681')); // 2^253 + 2^199 + 1
+export const Fp251 = Fp(BigInt('3618502788666131213697322783095070105623107215331596699973092056135872020481')); // 2^251 + 17 * 2^192 + 1
+function poseidonRoundConstant(Fp, name, idx) {
+    const val = Fp.fromBytes(sha256(utf8ToBytes(`${name}${idx}`)));
+    return Fp.create(val);
+}
+// NOTE: doesn't check eiginvalues and possible can create unsafe matrix. But any filtration here will break compatibility with starknet
+// Please use only if you really know what you doing.
+// https://eprint.iacr.org/2019/458.pdf Section 2.3 (Avoiding Insecure Matrices)
+export function _poseidonMDS(Fp, name, m, attempt = 0) {
+    const x_values = [];
+    const y_values = [];
+    for (let i = 0; i < m; i++) {
+        x_values.push(poseidonRoundConstant(Fp, `${name}x`, attempt * m + i));
+        y_values.push(poseidonRoundConstant(Fp, `${name}y`, attempt * m + i));
+    }
+    if (new Set([...x_values, ...y_values]).size !== 2 * m)
+        throw new Error('X and Y values are not distinct');
+    return x_values.map((x) => y_values.map((y) => Fp.inv(Fp.sub(x, y))));
+}
+const MDS_SMALL = [
+    [3, 1, 1],
+    [1, -1, 1],
+    [1, 1, -2],
+].map((i) => i.map(BigInt));
+export function poseidonBasic(opts, mds) {
+    validateField(opts.Fp);
+    if (!Number.isSafeInteger(opts.rate) || !Number.isSafeInteger(opts.capacity))
+        throw new Error(`Wrong poseidon opts: ${opts}`);
+    const m = opts.rate + opts.capacity;
+    const rounds = opts.roundsFull + opts.roundsPartial;
+    const roundConstants = [];
+    for (let i = 0; i < rounds; i++) {
+        const row = [];
+        for (let j = 0; j < m; j++)
+            row.push(poseidonRoundConstant(opts.Fp, 'Hades', m * i + j));
+        roundConstants.push(row);
+    }
+    return poseidon.poseidon({
+        ...opts,
+        t: m,
+        sboxPower: 3,
+        reversePartialPowIdx: true,
+        mds,
+        roundConstants,
+    });
+}
+export function poseidonCreate(opts, mdsAttempt = 0) {
+    const m = opts.rate + opts.capacity;
+    if (!Number.isSafeInteger(mdsAttempt))
+        throw new Error(`Wrong mdsAttempt=${mdsAttempt}`);
+    return poseidonBasic(opts, _poseidonMDS(opts.Fp, 'HadesMDS', m, mdsAttempt));
+}
+export const poseidonSmall = poseidonBasic({ Fp: Fp251, rate: 2, capacity: 1, roundsFull: 8, roundsPartial: 83 }, MDS_SMALL);
+export function poseidonHash(x, y, fn = poseidonSmall) {
+    return fn([x, y, 2n])[0];
+}

package/lib/jubjub.d.ts

@@ -4,5 +4,5 @@
  * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
  */
 export declare const jubjub: import("./abstract/edwards.js").CurveFn;
-export declare function groupHash(tag: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtendedPointType;
-export declare function findGroupHash(m: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtendedPointType;
+export declare function groupHash(tag: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtPointType;
+export declare function findGroupHash(m: Uint8Array, personalization: Uint8Array): import("./abstract/edwards.js").ExtPointType;

package/lib/jubjub.js

@@ -36,7 +36,7 @@ function groupHash(tag, personalization) {
     h.update(GH_FIRST_BLOCK);
     h.update(tag);
     // NOTE: returns ExtendedPoint, in case it will be multiplied later
-    let p = exports.jubjub.ExtendedPoint.fromAffine(exports.jubjub.Point.fromHex(h.digest()));
+    let p = exports.jubjub.ExtendedPoint.fromHex(h.digest());
     // NOTE: cannot replace with isSmallOrder, returns Point*8
     p = p.multiply(exports.jubjub.CURVE.h);
     if (p.equals(exports.jubjub.ExtendedPoint.ZERO))