@noble/curves 1.8.0 → 1.8.2

package/src/ed25519.ts

@@ -6,32 +6,33 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
+import { sha512 } from '@noble/hashes/sha2';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { AffinePoint, Group } from './abstract/curve.js';
-import { CurveFn, ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import { type AffinePoint, type Group, pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xmd,
-  htfBasicOpts,
-  HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { CurveFn as XCurveFn, montgomery } from './abstract/montgomery.js';
-import { pippenger } from './abstract/curve.js';
+  type htfBasicOpts,
+  type HTFMethod,
+} from './abstract/hash-to-curve.ts';
+import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
   ensureBytes,
   equalBytes,
-  Hex,
+  type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
+// 2n**255n - 19n
 const ED25519_P = BigInt(
   '57896044618658097711785492504343953926634992332820282019728792003956564819949'
 );
 // √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
 const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
   '19681161376707505956807079304988542015446066515923890162744021073123829784752'
 );
@@ -92,7 +93,7 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: useRoot1 || useRoot2, value: x };
 }
 
-// Just in case
+/** Weird / bogus points, useful for debugging. */
 export const ED25519_TORSION_SUBGROUP: string[] = [
   '0100000000000000000000000000000000000000000000000000000000000000',
   'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
@@ -108,19 +109,15 @@ const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
 
 const ed25519Defaults = /* @__PURE__ */ (() =>
   ({
-    // Param: a
-    a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
-    // d is equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
+    // Removing Fp.create() will still work, and is 10% faster on sign
+    a: Fp.create(BigInt(-1)),
+    // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
     d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
+    // Finite field 2n**255n - 19n
     Fp,
-    // Subgroup order: how many points curve has
-    // 2n**252n + 27742317777372353535851937790883648493n;
+    // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
     n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
     h: _8n,
-    // Base point (x, y) aka generator point
     Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
     Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
     hash: sha512,
@@ -314,7 +311,7 @@ const htf = /* @__PURE__ */ (() =>
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
 
-function assertRstPoint(other: unknown) {
+function aristp(other: unknown) {
   if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');
 }
 
@@ -381,9 +378,12 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
 class RistPoint implements Group<RistPoint> {
   static BASE: RistPoint;
   static ZERO: RistPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + RistrettoPoint
   // Always use Ristretto encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): RistPoint {
     return new RistPoint(ed25519.ExtendedPoint.fromAffine(ap));
@@ -484,7 +484,7 @@ class RistPoint implements Group<RistPoint> {
 
   // Compare one point to another.
   equals(other: RistPoint): boolean {
-    assertRstPoint(other);
+    aristp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed25519.CURVE.Fp.create;
@@ -495,12 +495,12 @@ class RistPoint implements Group<RistPoint> {
   }
 
   add(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.add(other.ep));
   }
 
   subtract(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.subtract(other.ep));
   }
 
@@ -534,5 +534,6 @@ export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts): Rist
   const P = RistPoint.hashToCurve(uniform_bytes);
   return P;
 };
+/** @deprecated */
 export const hash_to_ristretto255: (msg: Uint8Array, options: htfBasicOpts) => RistPoint =
   hashToRistretto255; // legacy

package/src/ed448.ts

@@ -9,25 +9,25 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
-import { AffinePoint, Group } from './abstract/curve.js';
-import { CurveFn, ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import type { AffinePoint, Group } from './abstract/curve.ts';
+import { pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xof,
-  htfBasicOpts,
-  HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { CurveFn as XCurveFn, montgomery } from './abstract/montgomery.js';
-import { pippenger } from './abstract/curve.js';
+  type htfBasicOpts,
+  type HTFMethod,
+} from './abstract/hash-to-curve.ts';
+import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
   ensureBytes,
   equalBytes,
-  Hex,
+  type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
 const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
@@ -98,22 +98,20 @@ const Fp = Field(ed448P, 456, true);
 const ED448_DEF = {
   // Param: a
   a: BigInt(1),
-  // -39081. Negative number is P - number
+  // -39081 a.k.a. Fp.neg(39081)
   d: BigInt(
     '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
   ),
-  // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
+  // Finite field 2n**448n - 2n**224n - 1n
   Fp,
-  // Subgroup order: how many points curve has;
+  // Subgroup order
   // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
   n: BigInt(
     '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
   ),
   // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
   nBitLength: 456,
-  // Cofactor
   h: BigInt(4),
-  // Base point (x, y) aka generator point
   Gx: BigInt(
     '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
   ),
@@ -286,7 +284,7 @@ const htf = /* @__PURE__ */ (() =>
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
 
-function assertDcfPoint(other: unknown) {
+function adecafp(other: unknown) {
   if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
 }
 
@@ -354,9 +352,12 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
 class DcfPoint implements Group<DcfPoint> {
   static BASE: DcfPoint;
   static ZERO: DcfPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + DecafPoint
   // Always use Decaf encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): DcfPoint {
     return new DcfPoint(ed448.ExtendedPoint.fromAffine(ap));
@@ -453,7 +454,7 @@ class DcfPoint implements Group<DcfPoint> {
   // Compare one point to another.
   // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
   equals(other: DcfPoint): boolean {
-    assertDcfPoint(other);
+    adecafp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed448.CURVE.Fp.create;
@@ -462,12 +463,12 @@ class DcfPoint implements Group<DcfPoint> {
   }
 
   add(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.add(other.ep));
   }
 
   subtract(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.subtract(other.ep));
   }
 

package/src/index.ts

@@ -1,5 +1,17 @@
 /**
- * Audited & minimal JS implementation of elliptic curve cryptography. Check out individual modules.
+ * Audited & minimal JS implementation of elliptic curve cryptography.
  * @module
+ * @example
+```js
+import { secp256k1, schnorr } from '@noble/curves/secp256k1';
+import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
+import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
+import { p256 } from '@noble/curves/p256';
+import { p384 } from '@noble/curves/p384';
+import { p521 } from '@noble/curves/p521';
+import { bls12_381 } from '@noble/curves/bls12-381';
+import { bn254 } from '@noble/curves/bn254';
+import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
+```
  */
 throw new Error('root module cannot be imported: import submodules instead. Check out README');

package/src/jubjub.ts

@@ -1,63 +1,5 @@
-/**
- * jubjub Twisted Edwards curve.
- * https://neuromancer.sk/std/other/JubJub
- * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { blake2s } from '@noble/hashes/blake2s';
-import { sha512 } from '@noble/hashes/sha512';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { CurveFn, ExtPointType, twistedEdwards } from './abstract/edwards.js';
-import { Field } from './abstract/modular.js';
-
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  // Params: a, d
-  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
-  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
-  // Finite field 𝔽p over which we'll do calculations
-  // Same value as bls12-381 Fr (not Fp)
-  Fp: Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
-  // Subgroup order: how many points curve has
-  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
-  // Cofactor
-  h: BigInt(8),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
-  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
-  hash: sha512,
-  randomBytes,
-} as const);
-
-const GH_FIRST_BLOCK = utf8ToBytes(
-  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
-);
-
-// Returns point at JubJub curve which is prime order and not zero
-export function groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const h = blake2s.create({ personalization, dkLen: 32 });
-  h.update(GH_FIRST_BLOCK);
-  h.update(tag);
-  // NOTE: returns ExtendedPoint, in case it will be multiplied later
-  let p = jubjub.ExtendedPoint.fromHex(h.digest());
-  // NOTE: cannot replace with isSmallOrder, returns Point*8
-  p = p.multiply(jubjub.CURVE.h);
-  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
-  return p;
-}
-
-// No secret data is leaked here at all.
-// It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
-export function findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const tag = concatBytes(m, new Uint8Array([0]));
-  const hashes = [];
-  for (let i = 0; i < 256; i++) {
-    tag[tag.length - 1] = i;
-    try {
-      hashes.push(groupHash(tag, personalization));
-    } catch (e) {}
-  }
-  if (!hashes.length) throw new Error('findGroupHash tag overflow');
-  return hashes[0];
-}
+export {
+  jubjub_findGroupHash as findGroupHash,
+  jubjub_groupHash as groupHash,
+  jubjub,
+} from './misc.ts';

package/src/misc.ts

@@ -0,0 +1,117 @@
+/**
+ * Miscellaneous, rarely used curves.
+ * jubjub, babyjubjub, pallas, vesta.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { blake256 } from '@noble/hashes/blake1';
+import { blake2s } from '@noble/hashes/blake2s';
+import { sha256, sha512 } from '@noble/hashes/sha2';
+import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { getHash } from './_shortw_utils.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import { Field, mod } from './abstract/modular.ts';
+import { type CurveFn as WCurveFn, weierstrass } from './abstract/weierstrass.ts';
+
+// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
+// jubjub Fp = bls n. babyjubjub Fp = bn254 n.
+// verify manually, check bls12-381.ts and bn254.ts.
+// https://neuromancer.sk/std/other/JubJub
+
+const bls12_381_Fr = Field(
+  BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')
+);
+const bn254_Fr = Field(
+  BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617')
+);
+
+/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
+export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+  Fp: bls12_381_Fr,
+  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+  h: BigInt(8),
+  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+  hash: sha512,
+  randomBytes,
+} as const);
+
+/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
+export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt(168700),
+  d: BigInt(168696),
+  Fp: bn254_Fr,
+  n: BigInt('21888242871839275222246405745257275088614511777268538073601725287587578984328'),
+  h: BigInt(8),
+  Gx: BigInt('995203441582195749578291179787384436505546430278305826713579947235728471134'),
+  Gy: BigInt('5472060717959818805561601436314318772137091100104008585924551046643952123905'),
+  hash: blake256,
+  randomBytes,
+} as const);
+
+const jubjub_gh_first_block = utf8ToBytes(
+  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
+);
+
+// Returns point at JubJub curve which is prime order and not zero
+export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const h = blake2s.create({ personalization, dkLen: 32 });
+  h.update(jubjub_gh_first_block);
+  h.update(tag);
+  // NOTE: returns ExtendedPoint, in case it will be multiplied later
+  let p = jubjub.ExtendedPoint.fromHex(h.digest());
+  // NOTE: cannot replace with isSmallOrder, returns Point*8
+  p = p.multiply(jubjub.CURVE.h);
+  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
+  return p;
+}
+
+// No secret data is leaked here at all.
+// It operates over public data:
+// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
+export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const tag = concatBytes(m, new Uint8Array([0]));
+  const hashes = [];
+  for (let i = 0; i < 256; i++) {
+    tag[tag.length - 1] = i;
+    try {
+      hashes.push(jubjub_groupHash(tag, personalization));
+    } catch (e) {}
+  }
+  if (!hashes.length) throw new Error('findGroupHash tag overflow');
+  return hashes[0];
+}
+
+// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
+
+export const pasta_p: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
+);
+export const pasta_q: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
+);
+
+/** https://neuromancer.sk/std/other/Pallas */
+export const pallas: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_p),
+  n: pasta_q,
+  Gx: mod(BigInt(-1), pasta_p),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});
+/** https://neuromancer.sk/std/other/Vesta */
+export const vesta: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_q),
+  n: pasta_p,
+  Gx: mod(BigInt(-1), pasta_q),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});

package/src/p256.ts

@@ -4,25 +4,26 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { createCurve, CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha256 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
 const CURVE_A = Fp256.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 
-/** secp256r1 curve, ECDSA and ECDH methods. */
+/**
+ * secp256r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
+ */
 // prettier-ignore
 export const p256: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
+  a: CURVE_A,
   b: CURVE_B,
-  Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-  // Curve order, total count of valid points in the field
+  Fp: Fp256,
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  // Base (generator) point (x, y)
   Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
   Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
   h: BigInt(1),
@@ -48,7 +49,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha256,
   }))();
-/** secp256r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp256r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();

package/src/p384.ts

@@ -4,29 +4,32 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha384 } from '@noble/hashes/sha512';
-import { createCurve, CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha384 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 // Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp384 = Field(P);
+const Fp384 = Field(
+  BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
+  )
+);
 const CURVE_A = Fp384.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 
-/** secp384r1 curve, ECDSA and ECDH methods. */
+/**
+ * secp384r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
+ * */
 // prettier-ignore
 export const p384: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
+  a: CURVE_A,
   b: CURVE_B,
-  Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-  // Curve order, total count of valid points in the field.
+  Fp: Fp384,
   n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  // Base (generator) point (x, y)
   Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
   Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
   h: BigInt(1),
@@ -52,7 +55,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha384,
   }))();
-/** secp384r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp384r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp384r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp384r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();

package/src/p521.ts

@@ -5,22 +5,32 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
-import { createCurve, CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha512 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 // Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp521 = Field(P);
+const Fp521 = Field(
+  BigInt(
+    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  )
+);
 
-const CURVE = {
-  a: Fp521.create(BigInt('-3')),
-  b: BigInt(
-    '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
-  ),
+const CURVE_A = Fp521.create(BigInt('-3'));
+const CURVE_B = BigInt(
+  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+);
+
+/**
+ * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
+ * Field: `2n**521n - 1n`.
+ */
+// prettier-ignore
+export const p521: CurveFnWithCreate = createCurve({
+  a: CURVE_A,
+  b: CURVE_B,
   Fp: Fp521,
   n: BigInt(
     '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
@@ -32,21 +42,6 @@ const CURVE = {
     '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
   ),
   h: BigInt(1),
-};
-
-/**
- * NIST secp521r1 aka p521.
- */
-// prettier-ignore
-export const p521: CurveFnWithCreate = createCurve({
-  a: CURVE.a, // Equation params: a, b
-  b: CURVE.b,
-  Fp: Fp521, // Field: 2n**521n - 1n
-  // Curve order, total count of valid points in the field
-  n: CURVE.n,
-  Gx: CURVE.Gx, // Base point (x, y) aka generator point
-  Gy: CURVE.Gy,
-  h: CURVE.h,
   lowS: false,
   allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
 } as const, sha512);
@@ -54,8 +49,8 @@ export const secp521r1: CurveFnWithCreate = p521;
 
 const mapSWU = /* @__PURE__ */ (() =>
   mapToCurveSimpleSWU(Fp521, {
-    A: CURVE.a,
-    B: CURVE.b,
+    A: CURVE_A,
+    B: CURVE_B,
     Z: Fp521.create(BigInt('-4')),
   }))();
 
@@ -69,7 +64,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha512,
   }))();
-/** secp521r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp521r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp521r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp521r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();