@noble/curves 0.8.0 → 0.8.1

package/esm/ed448.js

@@ -0,0 +1,213 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { shake256 } from '@noble/hashes/sha3';
+import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
+import { twistedEdwards } from './abstract/edwards.js';
+import { mod, pow2, Fp as Field } from './abstract/modular.js';
+import { montgomery } from './abstract/montgomery.js';
+import * as htf from './abstract/hash-to-curve.js';
+/**
+ * Edwards448 (not Ed448-Goldilocks) curve with following addons:
+ * * X448 ECDH
+ * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
+ */
+const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
+const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
+// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
+// Used for efficient square root calculation.
+// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
+function ed448_pow_Pminus3div4(x) {
+    const P = ed448P;
+    // prettier-ignore
+    const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _11n = BigInt(11);
+    // prettier-ignore
+    const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
+    const b2 = (x * x * x) % P;
+    const b3 = (b2 * b2 * x) % P;
+    const b6 = (pow2(b3, _3n, P) * b3) % P;
+    const b9 = (pow2(b6, _3n, P) * b3) % P;
+    const b11 = (pow2(b9, _2n, P) * b2) % P;
+    const b22 = (pow2(b11, _11n, P) * b11) % P;
+    const b44 = (pow2(b22, _22n, P) * b22) % P;
+    const b88 = (pow2(b44, _44n, P) * b44) % P;
+    const b176 = (pow2(b88, _88n, P) * b88) % P;
+    const b220 = (pow2(b176, _44n, P) * b44) % P;
+    const b222 = (pow2(b220, _2n, P) * b2) % P;
+    const b223 = (pow2(b222, _1n, P) * x) % P;
+    return (pow2(b223, _223n, P) * b222) % P;
+}
+function adjustScalarBytes(bytes) {
+    // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
+    // significant bit of the last byte to 1.
+    bytes[0] &= 252; // 0b11111100
+    // and the most significant bit of the last byte to 1.
+    bytes[55] |= 128; // 0b10000000
+    // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
+    bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
+    return bytes;
+}
+const Fp = Field(ed448P, 456, true);
+const ED448_DEF = {
+    // Param: a
+    a: BigInt(1),
+    // -39081. Negative number is P - number
+    d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
+    Fp,
+    // Subgroup order: how many points curve has;
+    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
+    nBitLength: 456,
+    // Cofactor
+    h: BigInt(4),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
+    Gy: BigInt('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
+    // SHAKE256(dom4(phflag,context)||x, 114)
+    hash: shake256_114,
+    randomBytes,
+    adjustScalarBytes,
+    // dom4
+    domain: (data, ctx, phflag) => {
+        if (ctx.length > 255)
+            throw new Error(`Context is too big: ${ctx.length}`);
+        return concatBytes(utf8ToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+    },
+    // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
+    // Uses algo from RFC8032 5.1.3.
+    uvRatio: (u, v) => {
+        const P = ed448P;
+        // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
+        // To compute the square root of (u/v), the first step is to compute the
+        //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
+        // following trick, to use a single modular powering for both the
+        // inversion of v and the square root:
+        // x = (u/v)^((p+1)/4)   = u³v(u⁵v³)^((p-3)/4)   (mod p)
+        const u2v = mod(u * u * v, P); // u²v
+        const u3v = mod(u2v * u, P); // u³v
+        const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
+        const root = ed448_pow_Pminus3div4(u5v3);
+        const x = mod(u3v * root, P);
+        // Verify that root is exists
+        const x2 = mod(x * x, P); // x²
+        // If vx² = u, the recovered x-coordinate is x.  Otherwise, no
+        // square root exists, and the decoding fails.
+        return { isValid: mod(x2 * v, P) === u, value: x };
+    },
+};
+export const ed448 = twistedEdwards(ED448_DEF);
+// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
+export const x448 = montgomery({
+    a: BigInt(156326),
+    montgomeryBits: 448,
+    nByteLength: 57,
+    P: ed448P,
+    Gu: BigInt(5),
+    powPminus2: (x) => {
+        const P = ed448P;
+        const Pminus3div4 = ed448_pow_Pminus3div4(x);
+        const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
+        return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
+    },
+    adjustScalarBytes,
+    randomBytes,
+    // The 4-isogeny maps between the Montgomery curve and this Edwards
+    // curve are:
+    //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
+    //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
+    //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
+    //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
+    // xyToU: (p: PointType) => {
+    //   const P = ed448P;
+    //   const { x, y } = p;
+    //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
+    //   const invX = invert(x * x, P); // x^2
+    //   const u = mod(y * y * invX, P); // (y^2/x^2)
+    //   return numberToBytesLE(u, 56);
+    // },
+});
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+const { hashToCurve, encodeToCurve } = htf.createHasher(ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: shake256,
+});
+export { hashToCurve, encodeToCurve };
+//# sourceMappingURL=ed448.js.map

package/esm/ed448.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed448.js","sourceRoot":"","sources":["../src/ed448.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAC7F,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,IAAI,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACtD,OAAO,KAAK,GAAG,MAAM,6BAA6B,CAAC;AAEnD;;;;GAIG;AAEH,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;AAC5E,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAC1E,MAAM,MAAM,GAAG,MAAM,CACnB,yIAAyI,CAC1I,CAAC;AAEF,8DAA8D;AAC9D,8CAA8C;AAC9C,+DAA+D;AAC/D,SAAS,qBAAqB,CAAC,CAAS;IACtC,MAAM,CAAC,GAAG,MAAM,CAAC;IACjB,kBAAkB;IAClB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC3E,kBAAkB;IAClB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACnF,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7B,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAiB;IAC1C,yGAAyG;IACzG,yCAAyC;IACzC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,aAAa;IAC9B,sDAAsD;IACtD,KAAK,CAAC,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,aAAa;IAC/B,sDAAsD;IACtD,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,+CAA+C;IAC9D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AAEpC,MAAM,SAAS,GAAG;IAChB,WAAW;IACX,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,wCAAwC;IACxC,CAAC,EAAE,MAAM,CACP,yIAAyI,CAC1I;IACD,kFAAkF;IAClF,EAAE;IACF,6CAA6C;IAC7C,mFAAmF;IACnF,CAAC,EAAE,MAAM,CACP,yIAAyI,CAC1I;IACD,UAAU,EAAE,GAAG;IACf,WAAW;IACX,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,wCAAwC;IACxC,EAAE,EAAE,MAAM,CACR,yIAAyI,CAC1I;IACD,EAAE,EAAE,MAAM,CACR,yIAAyI,CAC1I;IACD,yCAAyC;IACzC,IAAI,EAAE,YAAY;IAClB,WAAW;IACX,iBAAiB;IACjB,OAAO;IACP,MAAM,EAAE,CAAC,IAAgB,EAAE,GAAe,EAAE,MAAe,EAAE,EAAE;QAC7D,IAAI,GAAG,CAAC,MAAM,GAAG,GAAG;YAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3E,OAAO,WAAW,CAChB,WAAW,CAAC,UAAU,CAAC,EACvB,IAAI,UAAU,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,EAC5C,GAAG,EACH,IAAI,CACL,CAAC;IACJ,CAAC;IAED,mFAAmF;IACnF,gCAAgC;IAChC,OAAO,EAAE,CAAC,CAAS,EAAE,CAAS,EAAuC,EAAE;QACrE,MAAM,CAAC,GAAG,MAAM,CAAC;QACjB,8DAA8D;QAC9D,wEAAwE;QACxE,oEAAoE;QACpE,iEAAiE;QACjE,sCAAsC;QACtC,wDAAwD;QACxD,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM;QACrC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM;QACnC,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO;QAC3C,MAAM,IAAI,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC;QACzC,MAAM,CAAC,GAAG,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC;QAC7B,6BAA6B;QAC7B,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK;QAC/B,8DAA8D;QAC9D,8CAA8C;QAC9C,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;IACrD,CAAC;CACO,CAAC;AAEX,MAAM,CAAC,MAAM,KAAK,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;AAC/C,kEAAkE;AAClE,MAAM,CAAC,MAAM,OAAO,GAAG,cAAc,CAAC,EAAE,GAAG,SAAS,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;AAE9E,MAAM,CAAC,MAAM,IAAI,GAAG,UAAU,CAAC;IAC7B,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC;IACjB,cAAc,EAAE,GAAG;IACnB,WAAW,EAAE,EAAE;IACf,CAAC,EAAE,MAAM;IACT,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,UAAU,EAAE,CAAC,CAAS,EAAU,EAAE;QAChC,MAAM,CAAC,GAAG,MAAM,CAAC;QACjB,MAAM,WAAW,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAChD,OAAO,GAAG,CAAC,OAAO,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,wBAAwB;IACtD,CAAC;IACD,iBAAiB;IACjB,WAAW;IACX,mEAAmE;IACnE,aAAa;IACb,8CAA8C;IAC9C,uDAAuD;IACvD,4CAA4C;IAC5C,qDAAqD;IACrD,6BAA6B;IAC7B,sBAAsB;IACtB,wBAAwB;IACxB,2EAA2E;IAC3E,0CAA0C;IAC1C,iDAAiD;IACjD,mCAAmC;IACnC,KAAK;CACN,CAAC,CAAC;AAEH,+BAA+B;AAC/B,MAAM,OAAO,GAAG,CAAC,EAAE,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,mDAAmD;AACvG,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AAC9B,SAAS,gCAAgC,CAAC,CAAS;IACjD,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;IACrC,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,qBAAqB;IACnD,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,8DAA8D;IAC/F,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,oBAAoB;IAClD,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,eAAe;IACzC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACvC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,2CAA2C;IACtE,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,6CAA6C;IACpF,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,qDAAqD;IAC7E,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,4DAA4D;IACpF,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,oEAAoE;IAC5F,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB;IACzC,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,0CAA0C;IAClE,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,4CAA4C;IACpE,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,4DAA4D;IAC3F,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,wEAAwE;IAC9F,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,oEAAoE;IACxG,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,mBAAmB;IAC3C,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,4BAA4B;IAC3D,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACnC,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,IAAI,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,uBAAuB;IAClD,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,6DAA6D;IAC7F,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,6DAA6D;IAC1F,IAAI,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gDAAgD;IACtE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,mCAAmC;IACzE,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,4BAA4B;AACpE,CAAC;AACD,SAAS,kCAAkC,CAAC,CAAS;IACnD,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAC,4DAA4D;IAC1H,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACvC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACvC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB;IACzC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACvC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,iBAAiB;IACvC,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;IAC5C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;IAC5C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAC3C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,oBAAoB;IAC/C,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;IAC5C,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,qBAAqB;IAChD,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,qBAAqB;IAC5C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB;IACpD,IAAI,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAClD,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,sBAAsB;IAC9C,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,qBAAqB;IACnD,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAC5D,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAC3D,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAC3D,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAE3D,MAAM,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,iBAAiB;IACzD,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,kCAAkC;AAC/F,CAAC;AAED,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,YAAY,CACrD,KAAK,CAAC,aAAa,EACnB,CAAC,OAAiB,EAAE,EAAE,CAAC,kCAAkC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EACrE;IACE,GAAG,EAAE,kCAAkC;IACvC,SAAS,EAAE,kCAAkC;IAC7C,CAAC,EAAE,EAAE,CAAC,KAAK;IACX,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,QAAQ;CACf,CACF,CAAC;AACF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/esm/index.js

@@ -0,0 +1,3 @@
+"use strict";
+throw new Error('Incorrect usage. Import submodules instead');
+//# sourceMappingURL=index.js.map

package/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC"}

package/esm/jubjub.js

@@ -0,0 +1,54 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha512 } from '@noble/hashes/sha512';
+import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { twistedEdwards } from './abstract/edwards.js';
+import { blake2s } from '@noble/hashes/blake2s';
+import { Fp } from './abstract/modular.js';
+/**
+ * jubjub Twisted Edwards curve.
+ * https://neuromancer.sk/std/other/JubJub
+ * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
+ */
+export const jubjub = twistedEdwards({
+    // Params: a, d
+    a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+    d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+    // Finite field 𝔽p over which we'll do calculations
+    // Same value as bls12-381 Fr (not Fp)
+    Fp: Fp(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
+    // Subgroup order: how many points curve has
+    n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+    Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+    hash: sha512,
+    randomBytes,
+});
+const GH_FIRST_BLOCK = utf8ToBytes('096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0');
+// Returns point at JubJub curve which is prime order and not zero
+export function groupHash(tag, personalization) {
+    const h = blake2s.create({ personalization, dkLen: 32 });
+    h.update(GH_FIRST_BLOCK);
+    h.update(tag);
+    // NOTE: returns ExtendedPoint, in case it will be multiplied later
+    let p = jubjub.ExtendedPoint.fromHex(h.digest());
+    // NOTE: cannot replace with isSmallOrder, returns Point*8
+    p = p.multiply(jubjub.CURVE.h);
+    if (p.equals(jubjub.ExtendedPoint.ZERO))
+        throw new Error('Point has small order');
+    return p;
+}
+export function findGroupHash(m, personalization) {
+    const tag = concatBytes(m, new Uint8Array([0]));
+    for (let i = 0; i < 256; i++) {
+        tag[tag.length - 1] = i;
+        try {
+            return groupHash(tag, personalization);
+        }
+        catch (e) { }
+    }
+    throw new Error('findGroupHash tag overflow');
+}
+//# sourceMappingURL=jubjub.js.map

package/esm/jubjub.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jubjub.js","sourceRoot":"","sources":["../src/jubjub.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAE3C;;;;GAIG;AAEH,MAAM,CAAC,MAAM,MAAM,GAAG,cAAc,CAAC;IACnC,eAAe;IACf,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,oDAAoD;IACpD,sCAAsC;IACtC,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,oEAAoE,CAAC,CAAC;IACpF,4CAA4C;IAC5C,CAAC,EAAE,MAAM,CAAC,mEAAmE,CAAC;IAC9E,WAAW;IACX,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,IAAI,EAAE,MAAM;IACZ,WAAW;CACH,CAAC,CAAC;AAEZ,MAAM,cAAc,GAAG,WAAW,CAChC,kEAAkE,CACnE,CAAC;AAEF,kEAAkE;AAClE,MAAM,UAAU,SAAS,CAAC,GAAe,EAAE,eAA2B;IACpE,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;IACzD,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IACzB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACd,mEAAmE;IACnE,IAAI,CAAC,GAAG,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IACjD,0DAA0D;IAC1D,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAClF,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,CAAa,EAAE,eAA2B;IACtE,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE;QAC5B,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QACxB,IAAI;YACF,OAAO,SAAS,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;SACxC;QAAC,OAAO,CAAC,EAAE,GAAE;KACf;IACD,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;AAChD,CAAC"}

package/esm/p256.js

@@ -0,0 +1,42 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha256 } from '@noble/hashes/sha256';
+import { Fp as Field } from './abstract/modular.js';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
+// NIST secp256r1 aka P256
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
+// Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const CURVE_A = Fp.create(BigInt('-3'));
+const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: CURVE_A,
+    B: CURVE_B,
+    Z: Fp.create(BigInt('-10')),
+});
+export const P256 = createCurve({
+    // Params: a, b
+    a: CURVE_A,
+    b: CURVE_B,
+    Fp,
+    // Curve order, total count of valid points in the field
+    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+    h: BigInt(1),
+    lowS: false,
+}, sha256);
+export const secp256r1 = P256;
+const { hashToCurve, encodeToCurve } = htf.createHasher(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };
+//# sourceMappingURL=p256.js.map

package/esm/p256.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"p256.js","sourceRoot":"","sources":["../src/p256.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,EAAE,IAAI,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,GAAG,MAAM,6BAA6B,CAAC;AAEnD,0BAA0B;AAC1B,0EAA0E;AAE1E,0FAA0F;AAC1F,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,oEAAoE,CAAC,CAAC,CAAC;AAC/F,MAAM,OAAO,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACxC,MAAM,OAAO,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAE7F,MAAM,MAAM,GAAG,mBAAmB,CAAC,EAAE,EAAE;IACrC,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;CAC5B,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,IAAI,GAAG,WAAW,CAC7B;IACE,eAAe;IACf,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,EAAE;IACF,wDAAwD;IACxD,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,EAAE,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAChF,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,KAAK;CACH,EACV,MAAM,CACP,CAAC;AACF,MAAM,CAAC,MAAM,SAAS,GAAG,IAAI,CAAC;AAE9B,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,YAAY,CACrD,SAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EACzC;IACE,GAAG,EAAE,2BAA2B;IAChC,SAAS,EAAE,2BAA2B;IACtC,CAAC,EAAE,EAAE,CAAC,KAAK;IACX,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,MAAM;CACb,CACF,CAAC;AACF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/esm/p384.js

@@ -0,0 +1,47 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha384 } from '@noble/hashes/sha512';
+import { Fp as Field } from './abstract/modular.js';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
+// NIST secp384r1 aka P384
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
+// Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+// prettier-ignore
+const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
+const Fp = Field(P);
+const CURVE_A = Fp.create(BigInt('-3'));
+// prettier-ignore
+const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: CURVE_A,
+    B: CURVE_B,
+    Z: Fp.create(BigInt('-12')),
+});
+// prettier-ignore
+export const P384 = createCurve({
+    // Params: a, b
+    a: CURVE_A,
+    b: CURVE_B,
+    // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+    Fp,
+    // Curve order, total count of valid points in the field.
+    n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+    Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+    h: BigInt(1),
+    lowS: false,
+}, sha384);
+export const secp384r1 = P384;
+const { hashToCurve, encodeToCurve } = htf.createHasher(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+});
+export { hashToCurve, encodeToCurve };
+//# sourceMappingURL=p384.js.map

package/esm/p384.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"p384.js","sourceRoot":"","sources":["../src/p384.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,EAAE,IAAI,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,GAAG,MAAM,6BAA6B,CAAC;AAEnD,0BAA0B;AAC1B,0EAA0E;AAE1E,uFAAuF;AACvF,kBAAkB;AAClB,MAAM,CAAC,GAAG,MAAM,CAAC,oGAAoG,CAAC,CAAC;AACvH,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;AACpB,MAAM,OAAO,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACxC,kBAAkB;AAClB,MAAM,OAAO,GAAG,MAAM,CAAC,oGAAoG,CAAC,CAAC;AAE7H,MAAM,MAAM,GAAG,mBAAmB,CAAC,EAAE,EAAE;IACrC,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;CAC5B,CAAC,CAAC;AAEH,kBAAkB;AAClB,MAAM,CAAC,MAAM,IAAI,GAAG,WAAW,CAAC;IAC5B,eAAe;IACf,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,uFAAuF;IACvF,EAAE;IACF,yDAAyD;IACzD,CAAC,EAAE,MAAM,CAAC,oGAAoG,CAAC;IAC/G,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,oGAAoG,CAAC;IAChH,EAAE,EAAE,MAAM,CAAC,oGAAoG,CAAC;IAChH,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,KAAK;CACH,EACV,MAAM,CACP,CAAC;AACF,MAAM,CAAC,MAAM,SAAS,GAAG,IAAI,CAAC;AAE9B,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,YAAY,CACrD,SAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EACzC;IACE,GAAG,EAAE,2BAA2B;IAChC,SAAS,EAAE,2BAA2B;IACtC,CAAC,EAAE,EAAE,CAAC,KAAK;IACX,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,MAAM;CACb,CACF,CAAC;AACF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/esm/p521.js

@@ -0,0 +1,48 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { createCurve } from './_shortw_utils.js';
+import { sha512 } from '@noble/hashes/sha512';
+import { Fp as Field } from './abstract/modular.js';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
+// NIST secp521r1 aka P521
+// Note that it's 521, which differs from 512 of its hash function.
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
+// Field over which we'll do calculations; 2n**521n - 1n
+// prettier-ignore
+const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const Fp = Field(P);
+const CURVE_A = Fp.create(BigInt('-3'));
+// prettier-ignore
+const CURVE_B = BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00');
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: CURVE_A,
+    B: CURVE_B,
+    Z: Fp.create(BigInt('-4')),
+});
+// prettier-ignore
+export const P521 = createCurve({
+    // Params: a, b
+    a: CURVE_A,
+    b: CURVE_B,
+    Fp,
+    // Curve order, total count of valid points in the field
+    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
+    Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
+    h: BigInt(1),
+    lowS: false,
+    allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
+}, sha512);
+export const secp521r1 = P521;
+const { hashToCurve, encodeToCurve } = htf.createHasher(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+});
+export { hashToCurve, encodeToCurve };
+//# sourceMappingURL=p521.js.map

package/esm/p521.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"p521.js","sourceRoot":"","sources":["../src/p521.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,EAAE,IAAI,KAAK,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAChE,OAAO,KAAK,GAAG,MAAM,6BAA6B,CAAC;AAEnD,0BAA0B;AAC1B,mEAAmE;AACnE,0EAA0E;AAE1E,wDAAwD;AACxD,kBAAkB;AAClB,MAAM,CAAC,GAAG,MAAM,CAAC,uIAAuI,CAAC,CAAC;AAC1J,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;AAEpB,MAAM,OAAO,GAAG,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AACxC,kBAAkB;AAClB,MAAM,OAAO,GAAG,MAAM,CAAC,wIAAwI,CAAC,CAAC;AAEjK,MAAM,MAAM,GAAG,mBAAmB,CAAC,EAAE,EAAE;IACrC,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;CAC3B,CAAC,CAAC;AAEH,kBAAkB;AAClB,MAAM,CAAC,MAAM,IAAI,GAAG,WAAW,CAAC;IAC9B,eAAe;IACf,CAAC,EAAE,OAAO;IACV,CAAC,EAAE,OAAO;IACV,EAAE;IACF,wDAAwD;IACxD,CAAC,EAAE,MAAM,CAAC,wIAAwI,CAAC;IACnJ,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,wIAAwI,CAAC;IACpJ,EAAE,EAAE,MAAM,CAAC,wIAAwI,CAAC;IACpJ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,KAAK;IACX,wBAAwB,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,mDAAmD;CACrF,EAAE,MAAM,CAAC,CAAC;AACpB,MAAM,CAAC,MAAM,SAAS,GAAG,IAAI,CAAC;AAE9B,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,GAAG,GAAG,CAAC,YAAY,CACrD,SAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EACzC;IACE,GAAG,EAAE,2BAA2B;IAChC,SAAS,EAAE,2BAA2B;IACtC,CAAC,EAAE,EAAE,CAAC,KAAK;IACX,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,MAAM;CACb,CACF,CAAC;AACF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/esm/package.json

@@ -0,0 +1,7 @@
+{
+  "type": "module",
+  "browser": {
+    "crypto": false,
+    "./crypto": "./esm/crypto.js"
+  }
+}

package/esm/pasta.js

@@ -0,0 +1,30 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
+import { getHash } from './_shortw_utils.js';
+import * as mod from './abstract/modular.js';
+export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
+export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
+// https://neuromancer.sk/std/other/Pallas
+export const pallas = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    Fp: mod.Fp(p),
+    n: q,
+    Gx: mod.mod(BigInt(-1), p),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});
+// https://neuromancer.sk/std/other/Vesta
+export const vesta = weierstrass({
+    a: BigInt(0),
+    b: BigInt(5),
+    Fp: mod.Fp(q),
+    n: p,
+    Gx: mod.mod(BigInt(-1), q),
+    Gy: BigInt(2),
+    h: BigInt(1),
+    ...getHash(sha256),
+});
+//# sourceMappingURL=pasta.js.map

package/esm/pasta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pasta.js","sourceRoot":"","sources":["../src/pasta.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,KAAK,GAAG,MAAM,uBAAuB,CAAC;AAE7C,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAC9F,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAE9F,0CAA0C;AAC1C,MAAM,CAAC,MAAM,MAAM,GAAG,WAAW,CAAC;IAChC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,CAAC;IACJ,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,GAAG,OAAO,CAAC,MAAM,CAAC;CACnB,CAAC,CAAC;AACH,yCAAyC;AACzC,MAAM,CAAC,MAAM,KAAK,GAAG,WAAW,CAAC;IAC/B,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,CAAC;IACJ,EAAE,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1B,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACb,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,GAAG,OAAO,CAAC,MAAM,CAAC;CACnB,CAAC,CAAC"}