@noble/curves 1.8.1 → 1.8.2

package/src/ed448.ts

@@ -9,17 +9,17 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
-import type { AffinePoint, Group } from './abstract/curve.js';
-import { pippenger } from './abstract/curve.js';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import type { AffinePoint, Group } from './abstract/curve.ts';
+import { pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xof,
   type htfBasicOpts,
   type HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.js';
+} from './abstract/hash-to-curve.ts';
+import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
@@ -27,7 +27,7 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
 const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
@@ -98,22 +98,20 @@ const Fp = Field(ed448P, 456, true);
 const ED448_DEF = {
   // Param: a
   a: BigInt(1),
-  // -39081. Negative number is P - number
+  // -39081 a.k.a. Fp.neg(39081)
   d: BigInt(
     '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
   ),
-  // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
+  // Finite field 2n**448n - 2n**224n - 1n
   Fp,
-  // Subgroup order: how many points curve has;
+  // Subgroup order
   // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
   n: BigInt(
     '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
   ),
   // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
   nBitLength: 456,
-  // Cofactor
   h: BigInt(4),
-  // Base point (x, y) aka generator point
   Gx: BigInt(
     '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
   ),
@@ -286,7 +284,7 @@ const htf = /* @__PURE__ */ (() =>
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
 
-function assertDcfPoint(other: unknown) {
+function adecafp(other: unknown) {
   if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
 }
 
@@ -354,9 +352,12 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
 class DcfPoint implements Group<DcfPoint> {
   static BASE: DcfPoint;
   static ZERO: DcfPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + DecafPoint
   // Always use Decaf encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): DcfPoint {
     return new DcfPoint(ed448.ExtendedPoint.fromAffine(ap));
@@ -453,7 +454,7 @@ class DcfPoint implements Group<DcfPoint> {
   // Compare one point to another.
   // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
   equals(other: DcfPoint): boolean {
-    assertDcfPoint(other);
+    adecafp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed448.CURVE.Fp.create;
@@ -462,12 +463,12 @@ class DcfPoint implements Group<DcfPoint> {
   }
 
   add(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.add(other.ep));
   }
 
   subtract(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.subtract(other.ep));
   }
 

package/src/jubjub.ts

@@ -1,63 +1,5 @@
-/**
- * jubjub Twisted Edwards curve.
- * https://neuromancer.sk/std/other/JubJub
- * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { blake2s } from '@noble/hashes/blake2s';
-import { sha512 } from '@noble/hashes/sha512';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
-import { Field } from './abstract/modular.js';
-
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  // Params: a, d
-  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
-  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
-  // Finite field 𝔽p over which we'll do calculations
-  // Same value as bls12-381 Fr (not Fp)
-  Fp: Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
-  // Subgroup order: how many points curve has
-  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
-  // Cofactor
-  h: BigInt(8),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
-  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
-  hash: sha512,
-  randomBytes,
-} as const);
-
-const GH_FIRST_BLOCK = utf8ToBytes(
-  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
-);
-
-// Returns point at JubJub curve which is prime order and not zero
-export function groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const h = blake2s.create({ personalization, dkLen: 32 });
-  h.update(GH_FIRST_BLOCK);
-  h.update(tag);
-  // NOTE: returns ExtendedPoint, in case it will be multiplied later
-  let p = jubjub.ExtendedPoint.fromHex(h.digest());
-  // NOTE: cannot replace with isSmallOrder, returns Point*8
-  p = p.multiply(jubjub.CURVE.h);
-  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
-  return p;
-}
-
-// No secret data is leaked here at all.
-// It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
-export function findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const tag = concatBytes(m, new Uint8Array([0]));
-  const hashes = [];
-  for (let i = 0; i < 256; i++) {
-    tag[tag.length - 1] = i;
-    try {
-      hashes.push(groupHash(tag, personalization));
-    } catch (e) {}
-  }
-  if (!hashes.length) throw new Error('findGroupHash tag overflow');
-  return hashes[0];
-}
+export {
+  jubjub_findGroupHash as findGroupHash,
+  jubjub_groupHash as groupHash,
+  jubjub,
+} from './misc.ts';

package/src/misc.ts

@@ -0,0 +1,117 @@
+/**
+ * Miscellaneous, rarely used curves.
+ * jubjub, babyjubjub, pallas, vesta.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { blake256 } from '@noble/hashes/blake1';
+import { blake2s } from '@noble/hashes/blake2s';
+import { sha256, sha512 } from '@noble/hashes/sha2';
+import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { getHash } from './_shortw_utils.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import { Field, mod } from './abstract/modular.ts';
+import { type CurveFn as WCurveFn, weierstrass } from './abstract/weierstrass.ts';
+
+// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
+// jubjub Fp = bls n. babyjubjub Fp = bn254 n.
+// verify manually, check bls12-381.ts and bn254.ts.
+// https://neuromancer.sk/std/other/JubJub
+
+const bls12_381_Fr = Field(
+  BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')
+);
+const bn254_Fr = Field(
+  BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617')
+);
+
+/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
+export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+  Fp: bls12_381_Fr,
+  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+  h: BigInt(8),
+  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+  hash: sha512,
+  randomBytes,
+} as const);
+
+/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
+export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt(168700),
+  d: BigInt(168696),
+  Fp: bn254_Fr,
+  n: BigInt('21888242871839275222246405745257275088614511777268538073601725287587578984328'),
+  h: BigInt(8),
+  Gx: BigInt('995203441582195749578291179787384436505546430278305826713579947235728471134'),
+  Gy: BigInt('5472060717959818805561601436314318772137091100104008585924551046643952123905'),
+  hash: blake256,
+  randomBytes,
+} as const);
+
+const jubjub_gh_first_block = utf8ToBytes(
+  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
+);
+
+// Returns point at JubJub curve which is prime order and not zero
+export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const h = blake2s.create({ personalization, dkLen: 32 });
+  h.update(jubjub_gh_first_block);
+  h.update(tag);
+  // NOTE: returns ExtendedPoint, in case it will be multiplied later
+  let p = jubjub.ExtendedPoint.fromHex(h.digest());
+  // NOTE: cannot replace with isSmallOrder, returns Point*8
+  p = p.multiply(jubjub.CURVE.h);
+  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
+  return p;
+}
+
+// No secret data is leaked here at all.
+// It operates over public data:
+// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
+export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const tag = concatBytes(m, new Uint8Array([0]));
+  const hashes = [];
+  for (let i = 0; i < 256; i++) {
+    tag[tag.length - 1] = i;
+    try {
+      hashes.push(jubjub_groupHash(tag, personalization));
+    } catch (e) {}
+  }
+  if (!hashes.length) throw new Error('findGroupHash tag overflow');
+  return hashes[0];
+}
+
+// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
+
+export const pasta_p: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
+);
+export const pasta_q: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
+);
+
+/** https://neuromancer.sk/std/other/Pallas */
+export const pallas: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_p),
+  n: pasta_q,
+  Gx: mod(BigInt(-1), pasta_p),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});
+/** https://neuromancer.sk/std/other/Vesta */
+export const vesta: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_q),
+  n: pasta_p,
+  Gx: mod(BigInt(-1), pasta_q),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});

package/src/p256.ts

@@ -4,25 +4,26 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha256 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
 const CURVE_A = Fp256.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 
-/** secp256r1 curve, ECDSA and ECDH methods. */
+/**
+ * secp256r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
+ */
 // prettier-ignore
 export const p256: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
+  a: CURVE_A,
   b: CURVE_B,
-  Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-  // Curve order, total count of valid points in the field
+  Fp: Fp256,
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  // Base (generator) point (x, y)
   Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
   Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
   h: BigInt(1),
@@ -48,7 +49,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha256,
   }))();
-/** secp256r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp256r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();

package/src/p384.ts

@@ -4,29 +4,32 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha384 } from '@noble/hashes/sha512';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha384 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 // Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp384 = Field(P);
+const Fp384 = Field(
+  BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
+  )
+);
 const CURVE_A = Fp384.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 
-/** secp384r1 curve, ECDSA and ECDH methods. */
+/**
+ * secp384r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
+ * */
 // prettier-ignore
 export const p384: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
+  a: CURVE_A,
   b: CURVE_B,
-  Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-  // Curve order, total count of valid points in the field.
+  Fp: Fp384,
   n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  // Base (generator) point (x, y)
   Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
   Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
   h: BigInt(1),
@@ -52,7 +55,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha384,
   }))();
-/** secp384r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp384r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp384r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp384r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();

package/src/p521.ts

@@ -5,22 +5,32 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import { sha512 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
 
 // Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp521 = Field(P);
+const Fp521 = Field(
+  BigInt(
+    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  )
+);
 
-const CURVE = {
-  a: Fp521.create(BigInt('-3')),
-  b: BigInt(
-    '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
-  ),
+const CURVE_A = Fp521.create(BigInt('-3'));
+const CURVE_B = BigInt(
+  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+);
+
+/**
+ * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
+ * Field: `2n**521n - 1n`.
+ */
+// prettier-ignore
+export const p521: CurveFnWithCreate = createCurve({
+  a: CURVE_A,
+  b: CURVE_B,
   Fp: Fp521,
   n: BigInt(
     '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
@@ -32,21 +42,6 @@ const CURVE = {
     '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
   ),
   h: BigInt(1),
-};
-
-/**
- * NIST secp521r1 aka p521.
- */
-// prettier-ignore
-export const p521: CurveFnWithCreate = createCurve({
-  a: CURVE.a, // Equation params: a, b
-  b: CURVE.b,
-  Fp: Fp521, // Field: 2n**521n - 1n
-  // Curve order, total count of valid points in the field
-  n: CURVE.n,
-  Gx: CURVE.Gx, // Base point (x, y) aka generator point
-  Gy: CURVE.Gy,
-  h: CURVE.h,
   lowS: false,
   allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
 } as const, sha512);
@@ -54,8 +49,8 @@ export const secp521r1: CurveFnWithCreate = p521;
 
 const mapSWU = /* @__PURE__ */ (() =>
   mapToCurveSimpleSWU(Fp521, {
-    A: CURVE.a,
-    B: CURVE.b,
+    A: CURVE_A,
+    B: CURVE_B,
     Z: Fp521.create(BigInt('-4')),
   }))();
 
@@ -69,7 +64,7 @@ const htf = /* @__PURE__ */ (() =>
     expand: 'xmd',
     hash: sha512,
   }))();
-/** secp521r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp521r1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp521r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp521r1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();

package/src/pasta.ts

@@ -1,39 +1 @@
-/**
- * Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { getHash } from './_shortw_utils.js';
-import { Field, mod } from './abstract/modular.js';
-import { type CurveFn, weierstrass } from './abstract/weierstrass.js';
-
-export const p: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
-);
-export const q: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
-);
-
-/** https://neuromancer.sk/std/other/Pallas */
-export const pallas: CurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(p),
-  n: q,
-  Gx: mod(BigInt(-1), p),
-  Gy: BigInt(2),
-  h: BigInt(1),
-  ...getHash(sha256),
-});
-/** https://neuromancer.sk/std/other/Vesta */
-export const vesta: CurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(q),
-  n: p,
-  Gx: mod(BigInt(-1), q),
-  Gy: BigInt(2),
-  h: BigInt(1),
-  ...getHash(sha256),
-});
+export { pallas, vesta } from './misc.ts';

package/src/secp256k1.ts

@@ -11,12 +11,12 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod, isogenyMap } from './abstract/hash-to-curve.js';
-import { Field, mod, pow2 } from './abstract/modular.js';
-import type { Hex, PrivKey } from './abstract/utils.js';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type HTFMethod, isogenyMap } from './abstract/hash-to-curve.ts';
+import { Field, mod, pow2 } from './abstract/modular.ts';
+import type { Hex, PrivKey } from './abstract/utils.ts';
 import {
   aInRange,
   bytesToNumberBE,
@@ -24,8 +24,8 @@ import {
   ensureBytes,
   inRange,
   numberToBytesBE,
-} from './abstract/utils.js';
-import { mapToCurveSimpleSWU, type ProjPointType as PointType } from './abstract/weierstrass.js';
+} from './abstract/utils.ts';
+import { mapToCurveSimpleSWU, type ProjPointType as PointType } from './abstract/weierstrass.ts';
 
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
@@ -64,24 +64,26 @@ function sqrtMod(y: bigint): bigint {
 const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 
 /**
- * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ * secp256k1 curve, ECDSA and ECDH methods.
+ *
+ * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
  *
  * @example
+ * ```js
  * import { secp256k1 } from '@noble/curves/secp256k1';
- *
  * const priv = secp256k1.utils.randomPrivateKey();
  * const pub = secp256k1.getPublicKey(priv);
  * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
  * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
  * const isValid = secp256k1.verify(sig, msg, pub) === true;
+ * ```
  */
 export const secp256k1: CurveFnWithCreate = createCurve(
   {
-    a: BigInt(0), // equation params: a, b
+    a: BigInt(0),
     b: BigInt(7),
-    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    n: secp256k1N, // Curve order, total count of valid points in the field
-    // Base point (x, y) aka generator point
+    Fp: Fpk1,
+    n: secp256k1N,
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
     h: BigInt(1), // Cofactor
@@ -242,12 +244,14 @@ export type SecpSchnorr = {
  * Schnorr signatures over secp256k1.
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
+ * ```js
  * import { schnorr } from '@noble/curves/secp256k1';
  * const priv = schnorr.utils.randomPrivateKey();
  * const pub = schnorr.getPublicKey(priv);
  * const msg = new TextEncoder().encode('hello');
  * const sig = schnorr.sign(msg, priv);
  * const isValid = schnorr.verify(sig, msg, pub);
+ * ```
  */
 export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => ({
   getPublicKey: schnorrGetPublicKey,
@@ -321,8 +325,8 @@ const htf = /* @__PURE__ */ (() =>
     }
   ))();
 
-/** secp256k1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256k1 hash-to-curve from RFC 9380. */
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
 
-/** secp256k1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
+/** secp256k1 encode-to-curve from RFC 9380. */
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();