@noble/curves 0.9.1 → 1.1.0

package/README.md

@@ -2,21 +2,19 @@
 
 Audited & minimal JS implementation of elliptic curve cryptography.
 
-- Short Weierstrass, Edwards, Montgomery curves
-- ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
 - 🔒 [**Audited**](#security) by an independent security firm
-- #️⃣ [hash to curve](#abstracthash-to-curve-hashing-strings-to-curve-points)
-  for encoding or hashing an arbitrary string to an elliptic curve point
-- 🧜‍♂️ [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash
-- 🏎 [Ultra-fast](#speed), hand-optimized for caveats of JS engines
-- 🔍 Unique tests ensure correctness with Wycheproof vectors and
-  [cryptofuzz](https://github.com/guidovranken/cryptofuzz) differential fuzzing
 - 🔻 Tree-shaking-friendly: use only what's necessary, other code won't be included
+- 🏎 Ultra-fast, hand-optimized for caveats of JS engines
+- 🔍 Unique tests ensure correctness: property-based, cross-library and Wycheproof vectors, fuzzing
+- ➰ Short Weierstrass, Edwards, Montgomery curves
+- ✍️ ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
+- 🔖 SUF-CMA and SBS (non-repudiation) for ed25519, ed448 and others
+- #️⃣ Hash-to-curve
+  for encoding or hashing an arbitrary string to an elliptic curve point
+- 🧜‍♂️ Poseidon ZK-friendly hash
 
 Check out [Upgrading](#upgrading) if you've previously used single-feature noble
-packages ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
-[ed25519](https://github.com/paulmillr/noble-ed25519)).
-See [Resources](#resources) for articles and real-world software that uses curves.
+packages. See [Resources](#resources) for articles and real-world software that uses curves.
 
 ### This library belongs to _noble_ crypto
 
@@ -34,52 +32,48 @@ See [Resources](#resources) for articles and real-world software that uses curve
 
 ## Usage
 
-Browser, deno and node.js are supported:
-
 > npm install @noble/curves
 
-For [Deno](https://deno.land), use it with
-[npm specifier](https://deno.land/manual@v1.28.0/node/npm_specifiers).
-In browser, you could also include the single file from
-[GitHub's releases page](https://github.com/paulmillr/noble-curves/releases).
+We support all major platforms and runtimes.
+For [Deno](https://deno.land), ensure to use [npm specifier](https://deno.land/manual@v1.28.0/node/npm_specifiers).
+For React Native, you may need a [polyfill for crypto.getRandomValues](https://github.com/LinusU/react-native-get-random-values).
+If you don't like NPM, a standalone [noble-curves.js](https://github.com/paulmillr/noble-curves/releases) is also available.
 
 The library is tree-shaking-friendly and does not expose root entry point as
-`import * from '@noble/curves'`. Instead, you need to import specific primitives.
+`@noble/curves`. Instead, you need to import specific primitives.
 This is done to ensure small size of your apps.
 
-Package consists of two parts:
+The package consists of two parts:
 
-1. [Implementations](#implementations), utilizing one dependency `@noble/hashes`,
+* [Implementations](#implementations), utilizing one dependency [noble-hashes](https://github.com/paulmillr/noble-hashes),
    providing ready-to-use:
-   - NIST curves secp256r1/P256, secp384r1/P384, secp521r1/P521
+   - NIST curves secp256r1 / p256, secp384r1 / p384, secp521r1 / p521
    - SECG curve secp256k1
-   - ed25519/curve25519/x25519/ristretto255, edwards448/curve448/x448
-     implementing
-     [RFC7748](https://www.rfc-editor.org/rfc/rfc7748) /
-     [RFC8032](https://www.rfc-editor.org/rfc/rfc8032) /
-     [ZIP215](https://zips.z.cash/zip-0215) standards
+   - ed25519 / curve25519 / x25519 / ristretto255, edwards448 / curve448 / x448
    - pairing-friendly curves bls12-381, bn254
-2. [Abstract](#abstract-api), zero-dependency EC algorithms
+   - [pasta](https://electriccoin.co/blog/the-pasta-curves-for-halo-2-and-beyond/) curves
+2. [Abstract](#abstract-api), zero-dependency elliptic curve algorithms
 
 ### Implementations
 
-Each curve can be used in the following way:
+#### Generic example for all curves, secp256k1
 
 ```ts
+// Each curve has similar methods
 import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
 // import { secp256k1 } from 'npm:@noble/curves@1.2.0/secp256k1'; // Deno
 const priv = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(priv);
 const msg = new Uint8Array(32).fill(1);
 const sig = secp256k1.sign(msg, priv);
-secp256k1.verify(sig, msg, pub) === true;
+const isValid = secp256k1.verify(sig, msg, pub) === true;
 
 // hex strings are also supported besides Uint8Arrays:
 const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236';
 const pub2 = secp256k1.getPublicKey(privHex);
 ```
 
-All curves:
+#### All imports
 
 ```typescript
 import { secp256k1, schnorr } from '@noble/curves/secp256k1';
@@ -90,11 +84,11 @@ import { p384 } from '@noble/curves/p384';
 import { p521 } from '@noble/curves/p521';
 import { pallas, vesta } from '@noble/curves/pasta';
 import { bls12_381 } from '@noble/curves/bls12-381';
-import { bn254 } from '@noble/curves/bn';
+import { bn254 } from '@noble/curves/bn254';
 import { jubjub } from '@noble/curves/jubjub';
 ```
 
-Weierstrass curves feature recovering public keys from signatures and ECDH key agreement:
+#### ECDSA public key recovery & ECDH
 
 ```ts
 // extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html
@@ -104,8 +98,7 @@ const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
 const shared = secp256k1.getSharedSecret(priv, someonesPub); // ECDH
 ```
 
-secp256k1 has schnorr signature implementation which follows
-[BIP340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki):
+#### Schnorr signatures over secp256k1 (BIP340)
 
 ```ts
 import { schnorr } from '@noble/curves/secp256k1';
@@ -116,13 +109,29 @@ const sig = schnorr.sign(msg, priv);
 const isValid = schnorr.verify(sig, msg, pub);
 ```
 
-ed25519 module has ed25519ctx / ed25519ph variants,
-x25519 ECDH and [ristretto255](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448).
-It follows [ZIP215](https://zips.z.cash/zip-0215) and [can be used in consensus-critical applications](https://hdevalence.ca/blog/2020-10-04-its-25519am):
+#### ed25519, X25519, ristretto255
 
 ```ts
 import { ed25519 } from '@noble/curves/ed25519';
+const priv = ed25519.utils.randomPrivateKey();
+const pub = ed25519.getPublicKey(priv);
+const msg = new TextEncoder().encode('hello');
+const sig = ed25519.sign(msg, priv);
+ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
+ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
+```
+
+Default `verify` behavior follows [ZIP215](https://zips.z.cash/zip-0215) and
+[can be used in consensus-critical applications](https://hdevalence.ca/blog/2020-10-04-its-25519am).
+It has SUF-CMA (strong unforgeability under chosen message attacks).
+`zip215: false` option switches verification criteria to strict
+[RFC8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
+and additionally provides non-repudiation with SBS [(Strongly Binding Signatures)](https://eprint.iacr.org/2020/1244).
 
+X25519 follows [RFC7748](https://www.rfc-editor.org/rfc/rfc7748).
+ristretto255 follows [irtf draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448).
+
+```ts
 // Variants from RFC8032: with context, prehashed
 import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
 
@@ -132,11 +141,15 @@ const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
 const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
 x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
 x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
+x25519.getPublicKey(x25519.utils.randomPrivateKey());
 
-// hash-to-curve
-import { hashToCurve, encodeToCurve } from '@noble/curves/ed25519';
+// ed25519 => x25519 conversion
+import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519';
+edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
+edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
 
-import { RistrettoPoint } from '@noble/curves/ed25519';
+// hash-to-curve, ristretto255
+import { hashToCurve, encodeToCurve, RistrettoPoint } from '@noble/curves/ed25519';
 const rp = RistrettoPoint.fromHex(
   '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
 );
@@ -144,59 +157,36 @@ RistrettoPoint.hashToCurve('Ristretto is traditionally a short shot of espresso
 // also has add(), equals(), multiply(), toRawBytes() methods
 ```
 
-ed448 is similar:
+#### ed448, X448
 
 ```ts
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
-import { hashToCurve, encodeToCurve } from '@noble/curves/ed448';
-ed448.getPublicKey(ed448.utils.randomPrivateKey());
+import { ed448 } from '@noble/curves/ed448';
+const priv = ed448.utils.randomPrivateKey();
+const pub = ed448.getPublicKey(priv);
+const msg = new TextEncoder().encode('whatsup');
+const sig = ed448.sign(msg, priv);
+ed448.verify(sig, msg, pub);
+
+import { ed448ph, ed448ctx, x448, hashToCurve, encodeToCurve } from '@noble/curves/ed448';
+x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
+x448.getPublicKey(priv) === x448.scalarMultBase(priv);
 ```
 
-Every curve has params:
+Same RFC7748 / RFC8032 are followed.
 
-```ts
-import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
-console.log(secp256k1.CURVE.p, secp256k1.CURVE.n, secp256k1.CURVE.a, secp256k1.CURVE.b);
-```
+#### bls12-381
 
-BLS12-381 pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to
-construct [zk-SNARKs](https://z.cash/technology/zksnarks/) at the 128-bit security
-and use aggregated, batch-verifiable
-[threshold signatures](https://medium.com/snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716),
-using Boneh-Lynn-Shacham signature scheme. Compatible with ETH and others,
-just make sure to provide correct DST (domain separation tag argument).
-
-```ts
-import { bls12_381 as bls } from '@noble/curves/bls12-381';
-const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
-const message = '64726e3da8';
-const publicKey = bls.getPublicKey(privateKey);
-const signature = bls.sign(message, privateKey);
-const isValid = bls.verify(signature, message, publicKey);
-console.log({ publicKey, signature, isValid });
-
-// Sign 1 msg with 3 keys
-const privateKeys = [
-  '18f020b98eb798752a50ed0563b079c125b0db5dd0b1060d1c1b47d4a193e1e4',
-  'ed69a8c50cf8c9836be3b67c7eeff416612d45ba39a5c099d48fa668bf558c9c',
-  '16ae669f3be7a2121e17d0c68c05a8f3d6bef21ec0f2315f1d7aec12484e4cf5',
-];
-const messages = ['d2', '0d98', '05caf3'];
-const publicKeys = privateKeys.map(bls.getPublicKey);
-const signatures2 = privateKeys.map((p) => bls.sign(message, p));
-const aggPubKey2 = bls.aggregatePublicKeys(publicKeys);
-const aggSignature2 = bls.aggregateSignatures(signatures2);
-const isValid2 = bls.verify(aggSignature2, message, aggPubKey2);
-console.log({ signatures2, aggSignature2, isValid2 });
+See [abstract/bls](#abstractbls-barreto-lynn-scott-curves).
 
-// Sign 3 msgs with 3 keys
-const signatures3 = privateKeys.map((p, i) => bls.sign(messages[i], p));
-const aggSignature3 = bls.aggregateSignatures(signatures3);
-const isValid3 = bls.verifyBatch(aggSignature3, messages, publicKeys);
-console.log({ publicKeys, signatures3, aggSignature3, isValid3 });
-// bls.pairing(PointG1, PointG2) // pairings
+#### Accessing a curve's variables
 
-// hash-to-curve examples can be seen below
+```ts
+import { secp256k1 } from '@noble/curves/secp256k1';
+// Every curve has `CURVE` object that contains its parameters, field, and others
+console.log(secp256k1.CURVE.p); // field modulus
+console.log(secp256k1.CURVE.n); // curve order
+console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params
+console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates
 ```
 
 ## Abstract API
@@ -214,6 +204,7 @@ There are following zero-dependency algorithms:
 - [abstract/weierstrass: Short Weierstrass curve](#abstractweierstrass-short-weierstrass-curve)
 - [abstract/edwards: Twisted Edwards curve](#abstractedwards-twisted-edwards-curve)
 - [abstract/montgomery: Montgomery curve](#abstractmontgomery-montgomery-curve)
+- [abstract/bls: Barreto-Lynn-Scott curves](#abstractbls-barreto-lynn-scott-curves)
 - [abstract/hash-to-curve: Hashing strings to curve points](#abstracthash-to-curve-hashing-strings-to-curve-points)
 - [abstract/poseidon: Poseidon hash](#abstractposeidon-poseidon-hash)
 - [abstract/modular: Modular arithmetics utilities](#abstractmodular-modular-arithmetics-utilities)
@@ -242,7 +233,7 @@ const secq256k1 = weierstrass({
   randomBytes,
 });
 
-// weierstrassPoints can also be used if you don't need ECDSA, hash, hmac, randomBytes
+// Replace weierstrass with weierstrassPoints if you don't need ECDSA, hash, hmac, randomBytes
 ```
 
 Short Weierstrass curve's formula is `y² = x³ + ax + b`. `weierstrass`
@@ -303,6 +294,8 @@ interface ProjPointType<T> extends Group<ProjPointType<T>> {
   readonly px: T;
   readonly py: T;
   readonly pz: T;
+  get x(): bigint;
+  get y(): bigint;
   multiply(scalar: bigint): ProjPointType<T>;
   multiplyUnsafe(scalar: bigint): ProjPointType<T>;
   multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
@@ -388,7 +381,7 @@ import { randomBytes } from '@noble/hashes/utils';
 
 const Fp = Field(2n ** 255n - 19n);
 const ed25519 = twistedEdwards({
-  a: -1n,
+  a: Fp.create(-1n),
   d: Fp.div(-121665n, 121666n), // -121665n/121666n mod p
   Fp: Fp,
   n: 2n ** 252n + 27742317777372353535851937790883648493n,
@@ -447,6 +440,8 @@ interface ExtPointType extends Group<ExtPointType> {
   readonly ey: bigint;
   readonly ez: bigint;
   readonly et: bigint;
+  get x(): bigint;
+  get y(): bigint;
   assertValidity(): void;
   multiply(scalar: bigint): ExtPointType;
   multiplyUnsafe(scalar: bigint): ExtPointType;
@@ -454,6 +449,8 @@ interface ExtPointType extends Group<ExtPointType> {
   isTorsionFree(): boolean;
   clearCofactor(): ExtPointType;
   toAffine(iz?: bigint): AffinePoint<bigint>;
+  toRawBytes(isCompressed?: boolean): Uint8Array;
+  toHex(isCompressed?: boolean): string;
 }
 // Static methods of Extended Point with coordinates in X, Y, Z, T
 interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
@@ -491,6 +488,114 @@ Proper Elliptic Curve Points are not implemented yet.
 
 You must specify curve params `Fp`, `a`, `Gu` coordinate of u, `montgomeryBits` and `nByteLength`.
 
+### abstract/bls: Barreto-Lynn-Scott curves
+
+The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.
+They allow to construct [zk-SNARKs](https://z.cash/technology/zksnarks/) and
+use aggregated, batch-verifiable
+[threshold signatures](https://medium.com/snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716),
+using Boneh-Lynn-Shacham signature scheme.
+
+Main methods and properties are:
+
+- `getPublicKey(privateKey)`
+- `sign(message, privateKey)`
+- `verify(signature, message, publicKey)`
+- `aggregatePublicKeys(publicKeys)`
+- `aggregateSignatures(signatures)`
+- `G1` and `G2` curves containing `CURVE` and `ProjectivePoint`
+- `Signature` property with `fromHex`, `toHex` methods
+- `fields` containing `Fp`, `Fp2`, `Fp6`, `Fp12`, `Fr`
+
+Right now we only implement BLS12-381 (compatible with ETH and others),
+but in theory defining BLS12-377, BLS24 should be straightforward. An example:
+
+```ts
+import { bls12_381 as bls } from '@noble/curves/bls12-381';
+const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
+const message = '64726e3da8';
+const publicKey = bls.getPublicKey(privateKey);
+const signature = bls.sign(message, privateKey);
+const isValid = bls.verify(signature, message, publicKey);
+console.log({ publicKey, signature, isValid });
+
+// Sign 1 msg with 3 keys
+const privateKeys = [
+  '18f020b98eb798752a50ed0563b079c125b0db5dd0b1060d1c1b47d4a193e1e4',
+  'ed69a8c50cf8c9836be3b67c7eeff416612d45ba39a5c099d48fa668bf558c9c',
+  '16ae669f3be7a2121e17d0c68c05a8f3d6bef21ec0f2315f1d7aec12484e4cf5',
+];
+const messages = ['d2', '0d98', '05caf3'];
+const publicKeys = privateKeys.map(bls.getPublicKey);
+const signatures2 = privateKeys.map((p) => bls.sign(message, p));
+const aggPubKey2 = bls.aggregatePublicKeys(publicKeys);
+const aggSignature2 = bls.aggregateSignatures(signatures2);
+const isValid2 = bls.verify(aggSignature2, message, aggPubKey2);
+console.log({ signatures2, aggSignature2, isValid2 });
+
+// Sign 3 msgs with 3 keys
+const signatures3 = privateKeys.map((p, i) => bls.sign(messages[i], p));
+const aggSignature3 = bls.aggregateSignatures(signatures3);
+const isValid3 = bls.verifyBatch(aggSignature3, messages, publicKeys);
+console.log({ publicKeys, signatures3, aggSignature3, isValid3 });
+
+// bls.pairing(PointG1, PointG2) // pairings
+// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE
+// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr
+
+// hash-to-curve examples can be seen below
+```
+
+Full types:
+
+```ts
+getPublicKey: (privateKey: PrivKey) => Uint8Array;
+sign: {
+  (message: Hex, privateKey: PrivKey): Uint8Array;
+  (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
+};
+verify: (
+  signature: Hex | ProjPointType<Fp2>,
+  message: Hex | ProjPointType<Fp2>,
+  publicKey: Hex | ProjPointType<Fp>
+) => boolean;
+verifyBatch: (
+  signature: Hex | ProjPointType<Fp2>,
+  messages: (Hex | ProjPointType<Fp2>)[],
+  publicKeys: (Hex | ProjPointType<Fp>)[]
+) => boolean;
+aggregatePublicKeys: {
+  (publicKeys: Hex[]): Uint8Array;
+  (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
+};
+aggregateSignatures: {
+  (signatures: Hex[]): Uint8Array;
+  (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
+};
+millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
+pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
+G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
+Signature: SignatureCoder<Fp2>;
+params: {
+  x: bigint;
+  r: bigint;
+  G1b: bigint;
+  G2b: Fp2;
+};
+fields: {
+  Fp: IField<Fp>;
+  Fp2: IField<Fp2>;
+  Fp6: IField<Fp6>;
+  Fp12: IField<Fp12>;
+  Fr: IField<bigint>;
+};
+utils: {
+  randomPrivateKey: () => Uint8Array;
+  calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
+};
+```
+
 ### abstract/hash-to-curve: Hashing strings to curve points
 
 The module allows to hash arbitrary strings to elliptic curve points. Implements [hash-to-curve v16](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16).
@@ -589,11 +694,6 @@ type PoseidonOpts = {
 const instance = poseidon(opts: PoseidonOpts);
 ```
 
-### abstract/bls
-
-The module abstracts BLS (Barreto-Lynn-Scott) primitives. In theory you should be able to write BLS12-377, BLS24,
-and others with it.
-
 ### abstract/modular: Modular arithmetics utilities
 
 ```ts
@@ -640,12 +740,14 @@ import * as utils from '@noble/curves/abstract/utils';
 
 utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.hexToBytes('deadbeef');
+utils.numberToHexUnpadded(123n);
 utils.hexToNumber();
+
 utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.numberToBytesBE(123n, 32);
 utils.numberToBytesLE(123n, 64);
-utils.numberToHexUnpadded(123n);
+
 utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef]));
 utils.nLength(255n);
 utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
@@ -653,9 +755,9 @@ utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
 
 ## Security
 
-1. The library has been audited during Jan-Feb 2023 by an independent security firm [Trail of Bits](https://www.trailofbits.com):
+1. The library has been audited in Feb 2023 by an independent security firm [Trail of Bits](https://www.trailofbits.com):
 [PDF](https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf).
-The audit has been funded by Ryan Shea. Audit scope was abstract modules `curve`, `hash-to-curve`, `modular`, `poseidon`, `utils`, `weierstrass`, and top-level modules `_shortw_utils` and `secp256k1`. See [changes since audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main).
+The audit has been funded by [Ryan Shea](https://www.shea.io). Audit scope was abstract modules `curve`, `hash-to-curve`, `modular`, `poseidon`, `utils`, `weierstrass`, and top-level modules `_shortw_utils` and `secp256k1`. See [changes since audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main).
 2. The library has been fuzzed by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz). You can run the fuzzer by yourself to check it.
 3. [Timing attack](https://en.wikipedia.org/wiki/Timing_attack) considerations: _JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to achieve in a scripting language. Which means _any other JS library can't have constant-timeness_. Even statically typed Rust, a language without GC, [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security) for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
 
@@ -668,82 +770,89 @@ We consider infrastructure attacks like rogue NPM modules very important; that's
   The packages are big, which makes it hard to audit their source code thoroughly and fully.
 - They are only used if you clone the git repo and want to add some feature to it. End-users won't use them.
 
+As for key generation, we're deferring to built-in
+[crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
+which is considered cryptographically secure (CSPRNG).
+
 ## Speed
 
-Benchmark results on Apple M2 with node v19:
+Benchmark results on Apple M2 with node v20:
 
 ```
 secp256k1
-init x 58 ops/sec @ 17ms/op
-getPublicKey x 5,640 ops/sec @ 177μs/op
-sign x 3,909 ops/sec @ 255μs/op
-verify x 780 ops/sec @ 1ms/op
-getSharedSecret x 465 ops/sec @ 2ms/op
-recoverPublicKey x 740 ops/sec @ 1ms/op
-schnorr.sign x 597 ops/sec @ 1ms/op
-schnorr.verify x 775 ops/sec @ 1ms/op
-
-P256
-init x 31 ops/sec @ 31ms/op
-getPublicKey x 5,607 ops/sec @ 178μs/op
-sign x 3,930 ops/sec @ 254μs/op
-verify x 540 ops/sec @ 1ms/op
-
-P384
-init x 15 ops/sec @ 63ms/op
-getPublicKey x 2,622 ops/sec @ 381μs/op
-sign x 1,913 ops/sec @ 522μs/op
-verify x 222 ops/sec @ 4ms/op
-
-P521
-init x 8 ops/sec @ 119ms/op
-getPublicKey x 1,371 ops/sec @ 729μs/op
-sign x 1,090 ops/sec @ 917μs/op
-verify x 118 ops/sec @ 8ms/op
+init x 68 ops/sec @ 14ms/op
+getPublicKey x 6,750 ops/sec @ 148μs/op
+sign x 5,206 ops/sec @ 192μs/op
+verify x 880 ops/sec @ 1ms/op
+getSharedSecret x 536 ops/sec @ 1ms/op
+recoverPublicKey x 852 ops/sec @ 1ms/op
+schnorr.sign x 685 ops/sec @ 1ms/op
+schnorr.verify x 908 ops/sec @ 1ms/op
+
+p256
+init x 38 ops/sec @ 26ms/op
+getPublicKey x 6,530 ops/sec @ 153μs/op
+sign x 5,074 ops/sec @ 197μs/op
+verify x 626 ops/sec @ 1ms/op
+
+p384
+init x 17 ops/sec @ 57ms/op
+getPublicKey x 2,883 ops/sec @ 346μs/op
+sign x 2,358 ops/sec @ 424μs/op
+verify x 245 ops/sec @ 4ms/op
+
+p521
+init x 9 ops/sec @ 109ms/op
+getPublicKey x 1,516 ops/sec @ 659μs/op
+sign x 1,271 ops/sec @ 786μs/op
+verify x 123 ops/sec @ 8ms/op
 
 ed25519
-init x 47 ops/sec @ 20ms/op
-getPublicKey x 9,414 ops/sec @ 106μs/op
-sign x 4,516 ops/sec @ 221μs/op
-verify x 912 ops/sec @ 1ms/op
+init x 54 ops/sec @ 18ms/op
+getPublicKey x 10,269 ops/sec @ 97μs/op
+sign x 5,110 ops/sec @ 195μs/op
+verify x 1,049 ops/sec @ 952μs/op
 
 ed448
-init x 17 ops/sec @ 56ms/op
-getPublicKey x 3,363 ops/sec @ 297μs/op
-sign x 1,615 ops/sec @ 619μs/op
-verify x 319 ops/sec @ 3ms/op
+init x 19 ops/sec @ 51ms/op
+getPublicKey x 3,775 ops/sec @ 264μs/op
+sign x 1,771 ops/sec @ 564μs/op
+verify x 351 ops/sec @ 2ms/op
 
 ecdh
-├─x25519 x 1,337 ops/sec @ 747μs/op
-├─secp256k1 x 461 ops/sec @ 2ms/op
-├─P256 x 441 ops/sec @ 2ms/op
-├─P384 x 179 ops/sec @ 5ms/op
-├─P521 x 93 ops/sec @ 10ms/op
-└─x448 x 496 ops/sec @ 2ms/op
+├─x25519 x 1,466 ops/sec @ 682μs/op
+├─secp256k1 x 539 ops/sec @ 1ms/op
+├─p256 x 511 ops/sec @ 1ms/op
+├─p384 x 199 ops/sec @ 5ms/op
+├─p521 x 103 ops/sec @ 9ms/op
+└─x448 x 548 ops/sec @ 1ms/op
 
 bls12-381
-init x 32 ops/sec @ 30ms/op
-getPublicKey 1-bit x 858 ops/sec @ 1ms/op
-getPublicKey x 858 ops/sec @ 1ms/op
-sign x 49 ops/sec @ 20ms/op
-verify x 34 ops/sec @ 28ms/op
-pairing x 94 ops/sec @ 10ms/op
-aggregatePublicKeys/8 x 116 ops/sec @ 8ms/op
-aggregatePublicKeys/32 x 31 ops/sec @ 31ms/op
-aggregatePublicKeys/128 x 7 ops/sec @ 125ms/op
-aggregateSignatures/8 x 45 ops/sec @ 22ms/op
-aggregateSignatures/32 x 11 ops/sec @ 84ms/op
-aggregateSignatures/128 x 3 ops/sec @ 332ms/opp
+init x 36 ops/sec @ 27ms/op
+getPublicKey 1-bit x 973 ops/sec @ 1ms/op
+getPublicKey x 970 ops/sec @ 1ms/op
+sign x 55 ops/sec @ 17ms/op
+verify x 39 ops/sec @ 25ms/op
+pairing x 106 ops/sec @ 9ms/op
+aggregatePublicKeys/8 x 129 ops/sec @ 7ms/op
+aggregatePublicKeys/32 x 34 ops/sec @ 28ms/op
+aggregatePublicKeys/128 x 8 ops/sec @ 112ms/op
+aggregatePublicKeys/512 x 2 ops/sec @ 446ms/op
+aggregatePublicKeys/2048 x 0 ops/sec @ 1778ms/op
+aggregateSignatures/8 x 50 ops/sec @ 19ms/op
+aggregateSignatures/32 x 13 ops/sec @ 74ms/op
+aggregateSignatures/128 x 3 ops/sec @ 296ms/op
+aggregateSignatures/512 x 0 ops/sec @ 1180ms/op
+aggregateSignatures/2048 x 0 ops/sec @ 4715ms/op
 
 hash-to-curve
-hash_to_field x 850,340 ops/sec @ 1μs/op
-hashToCurve
-├─secp256k1 x 1,850 ops/sec @ 540μs/op
-├─P256 x 3,352 ops/sec @ 298μs/op
-├─P384 x 1,367 ops/sec @ 731μs/op
-├─P521 x 691 ops/sec @ 1ms/op
-├─ed25519 x 2,492 ops/sec @ 401μs/op
-└─ed448 x 1,045 ops/sec @ 956μs/op
+hash_to_field x 91,600 ops/sec @ 10μs/op
+secp256k1 x 2,373 ops/sec @ 421μs/op
+p256 x 4,310 ops/sec @ 231μs/op
+p384 x 1,664 ops/sec @ 600μs/op
+p521 x 807 ops/sec @ 1ms/op
+ed25519 x 3,088 ops/sec @ 323μs/op
+ed448 x 1,247 ops/sec @ 801μs/op
 ```
 
 ## Contributing & testing
@@ -753,30 +862,16 @@ hashToCurve
 3. `npm run build` to compile TypeScript code
 4. `npm run test` will execute all main tests
 
-## Resources
-
-Article about some of library's features: [Learning fast elliptic-curve cryptography](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/)
-
-Projects using the library:
-
-- secp256k1
-  - [btc-signer](https://github.com/paulmillr/scure-btc-signer), [eth-signer](https://github.com/paulmillr/micro-eth-signer)
-- ed25519
-  - [sol-signer](https://github.com/paulmillr/micro-sol-signer)
-- BLS12-381
-  - Check out `bls12-381.ts` for articles about the curve
-  - Threshold sigs demo [genthresh.com](https://genthresh.com)
-  - BBS signatures [github.com/Wind4Greg/BBS-Draft-Checks](https://github.com/Wind4Greg/BBS-Draft-Checks) following [draft-irtf-cfrg-bbs-signatures-latest](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html)
-- Others
-  - All curves demo: Elliptic curve calculator [paulmillr.com/noble](https://paulmillr.com/noble)
-  - [micro-starknet](https://github.com/paulmillr/micro-starknet) for stark-friendly elliptic curve.
-
 ## Upgrading
 
 Previously, the library was split into single-feature packages
-noble-secp256k1 and noble-ed25519. curves can be thought as a continuation of their
-original work. The libraries now changed their direction towards providing
-minimal 4kb implementations of cryptography and are not as feature-complete.
+noble-secp256k1, noble-ed25519 and noble-bls12-381.
+
+Curves continue their original work. The single-feature packages changed their
+direction towards providing minimal 4kb implementations of cryptography,
+which means they have less features.
+
+Upgrading from @noble/secp256k1 2.0 or @noble/ed25519 2.0: no changes, libraries are compatible.
 
 Upgrading from [@noble/secp256k1](https://github.com/paulmillr/noble-secp256k1) 1.7:
 
@@ -814,6 +909,58 @@ Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) 1.7:
 - `utils` were split into `utils` (same api as in noble-curves) and
   `etc` (`sha512Sync` and others)
 - `getSharedSecret` was moved to `x25519` module
+- `toX25519` has been moved to `edwardsToMontgomeryPub` and `edwardsToMontgomeryPriv` methods
+
+Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):
+
+- Methods and classes were renamed:
+    - PointG1 -> G1.Point, PointG2 -> G2.Point
+    - PointG2.fromSignature -> Signature.decode, PointG2.toSignature ->  Signature.encode
+- Fp2 ORDER was corrected
+
+## Resources
+
+Useful documentation and articles about the library or its primitives:
+
+- [Learning fast elliptic-curve cryptography](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/)
+- [Taming the many EdDSAs](https://csrc.nist.gov/csrc/media/Presentations/2023/crclub-2023-03-08/images-media/20230308-crypto-club-slides--taming-the-many-EdDSAs.pdf)
+  that describes concepts of Strong UnForgeability under Chosen Message Attacks and Strongly Binding Signatures
+- Pairings and BLS
+    - [BLS signatures for busy people](https://gist.github.com/paulmillr/18b802ad219b1aee34d773d08ec26ca2)
+    - [BLS12-381 for the rest of us](https://hackmd.io/@benjaminion/bls12-381)
+    - [Key concepts of pairings](https://medium.com/@alonmuroch_65570/bls-signatures-part-2-key-concepts-of-pairings-27a8a9533d0c)
+    - Pairing over bls12-381:
+      [part 1](https://research.nccgroup.com/2020/07/06/pairing-over-bls12-381-part-1-fields/),
+      [part 2](https://research.nccgroup.com/2020/07/13/pairing-over-bls12-381-part-2-curves/),
+      [part 3](https://research.nccgroup.com/2020/08/13/pairing-over-bls12-381-part-3-pairing/)
+    - [Estimating the bit security of pairing-friendly curves](https://research.nccgroup.com/2022/02/03/estimating-the-bit-security-of-pairing-friendly-curves/)
+
+Online demos:
+
+- [Elliptic Curve Calculator](https://paulmillr.com/noble): add / multiply points, sign messages
+- [BLS threshold signatures](https://genthresh.com)
+
+Projects using noble-curves:
+
+- [scure-bip32](https://github.com/paulmillr/scure-bip32) and separate [bip32](https://github.com/bitcoinjs/bip32) HDkey libraries
+- Ethereum libraries:
+    - [ethereum-cryptography](https://github.com/ethereum/js-ethereum-cryptography)
+    - [@ethereumjs](https://github.com/ethereumjs/ethereumjs-monorepo)
+    - [micro-eth-signer](https://github.com/paulmillr/micro-eth-signer)
+    - [ethers](https://github.com/ethers-io/ethers.js) (old noble-secp256k1 for now)
+    - [viem.sh](https://viem.sh)
+    - [metamask's eth-sig-util](https://github.com/MetaMask/eth-sig-util)
+    - [gridplus lattice sdk](https://github.com/GridPlus/lattice-eth2-utils)
+- Bitcoin libraries: [scure-btc-signer](https://github.com/paulmillr/scure-btc-signer)
+- Solana libraries: [micro-sol-signer](https://github.com/paulmillr/micro-sol-signer), [solana-web3.js](https://github.com/solana-labs/solana-web3.js)
+- [polkadot.js](https://github.com/polkadot-js/common), [micro-starknet](https://github.com/paulmillr/micro-starknet)
+- [protonmail](https://github.com/ProtonMail/WebClients) (old noble-ed25519 for now)
+- [did-jwt](https://github.com/decentralized-identity/did-jwt), [hpke-js](https://github.com/dajiaji/hpke-js), [nostr-tools](https://github.com/nbd-wtf/nostr-tools)
+- [ed25519-keygen](https://github.com/paulmillr/ed25519-keygen) SSH, PGP, TOR key generation
+- [secp256k1 compatibility layer](https://github.com/ethereum/js-ethereum-cryptography/blob/2.0.0/src/secp256k1-compat.ts)
+for users who want to switch from secp256k1-node or tiny-secp256k1. Allows to see which methods map to corresponding noble code.
+- [BLS BBS signatures](https://github.com/Wind4Greg/BBS-Draft-Checks) following [draft-irtf-cfrg-bbs-signatures-latest](https://identity.foundation/bbs-signature/draft-irtf-cfrg-bbs-signatures.html)
+- [KZG trusted setup ceremony](https://github.com/dsrvlabs/czg-keremony)
 
 ## License