@noble/curves 1.8.1 → 1.9.0

package/src/bn254.ts

@@ -13,6 +13,15 @@ There are huge compatibility issues in the ecosystem:
    https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
 3. halo2curves bn256 is also incompatible and returns different outputs
 
+We don't implement Point methods toHex / toRawBytes.
+To work around this limitation, has to initialize points on their own from BigInts.
+Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
+Points of divergence:
+
+- Endianness: LE vs BE (byte-swapped)
+- Flags as first hex bits (similar to BLS) vs no-flags
+- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
+
 The goal of our implementation is to support "Ethereum" variant of the curve,
 because it at least has specs:
 
@@ -45,20 +54,20 @@ Ate loop size: 6x+2
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
-import { getHash } from './_shortw_utils.js';
+import { getHash } from './_shortw_utils.ts';
 import {
   bls,
   type CurveFn as BLSCurveFn,
   type PostPrecomputeFn,
   type PostPrecomputePointAddFn,
-} from './abstract/bls.js';
-import { Field } from './abstract/modular.js';
-import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.js';
-import { psiFrobenius, tower12 } from './abstract/tower.js';
-import { bitGet, bitLen, notImplemented } from './abstract/utils.js';
-import { type CurveFn, weierstrass } from './abstract/weierstrass.js';
+} from './abstract/bls.ts';
+import { Field } from './abstract/modular.ts';
+import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
+import { psiFrobenius, tower12 } from './abstract/tower.ts';
+import { bitGet, bitLen, notImplemented } from './abstract/utils.ts';
+import { type CurveFn, weierstrass } from './abstract/weierstrass.ts';
 // prettier-ignore
 const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 const _6n = BigInt(6);
@@ -239,6 +248,7 @@ export const bn254: BLSCurveFn = bls({
  * bn254 weierstrass curve with ECDSA.
  * This is very rare and probably not used anywhere.
  * Instead, you should use G1 / G2, defined above.
+ * @deprecated
  */
 export const bn254_weierstrass: CurveFn = weierstrass({
   a: BigInt(0),

package/src/ed25519.ts

@@ -6,18 +6,19 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
+import { sha512 } from '@noble/hashes/sha2';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { type AffinePoint, type Group, pippenger } from './abstract/curve.js';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import { type AffinePoint, type Group, pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xmd,
+  type Hasher,
   type htfBasicOpts,
   type HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.js';
+} from './abstract/hash-to-curve.ts';
+import { Field, FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
@@ -25,12 +26,14 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
+// 2n**255n - 19n
 const ED25519_P = BigInt(
   '57896044618658097711785492504343953926634992332820282019728792003956564819949'
 );
 // √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
 const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
   '19681161376707505956807079304988542015446066515923890162744021073123829784752'
 );
@@ -91,7 +94,7 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: useRoot1 || useRoot2, value: x };
 }
 
-// Just in case
+/** Weird / bogus points, useful for debugging. */
 export const ED25519_TORSION_SUBGROUP: string[] = [
   '0100000000000000000000000000000000000000000000000000000000000000',
   'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
@@ -107,19 +110,15 @@ const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
 
 const ed25519Defaults = /* @__PURE__ */ (() =>
   ({
-    // Param: a
-    a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
-    // d is equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
+    // Removing Fp.create() will still work, and is 10% faster on sign
+    a: Fp.create(BigInt(-1)),
+    // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
     d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
+    // Finite field 2n**255n - 19n
     Fp,
-    // Subgroup order: how many points curve has
-    // 2n**252n + 27742317777372353535851937790883648493n;
+    // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
     n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
     h: _8n,
-    // Base point (x, y) aka generator point
     Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
     Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
     hash: sha512,
@@ -291,12 +290,11 @@ function map_to_curve_elligator2_edwards25519(u: bigint) {
   xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
   yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
   yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
-
-  const inv = Fp.invertBatch([xd, yd]); // batch division
-  return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
+  const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
+  return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; //  13. return (xn, xd, yn, yd)
 }
 
-const htf = /* @__PURE__ */ (() =>
+export const ed25519_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed25519.ExtendedPoint,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
@@ -310,10 +308,11 @@ const htf = /* @__PURE__ */ (() =>
       hash: sha512,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  ed25519_hasher.encodeToCurve)();
 
-function assertRstPoint(other: unknown) {
+function aristp(other: unknown) {
   if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');
 }
 
@@ -380,9 +379,12 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
 class RistPoint implements Group<RistPoint> {
   static BASE: RistPoint;
   static ZERO: RistPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + RistrettoPoint
   // Always use Ristretto encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): RistPoint {
     return new RistPoint(ed25519.ExtendedPoint.fromAffine(ap));
@@ -483,7 +485,7 @@ class RistPoint implements Group<RistPoint> {
 
   // Compare one point to another.
   equals(other: RistPoint): boolean {
-    assertRstPoint(other);
+    aristp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed25519.CURVE.Fp.create;
@@ -494,12 +496,12 @@ class RistPoint implements Group<RistPoint> {
   }
 
   add(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.add(other.ep));
   }
 
   subtract(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.subtract(other.ep));
   }
 
@@ -533,5 +535,6 @@ export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts): Rist
   const P = RistPoint.hashToCurve(uniform_bytes);
   return P;
 };
+/** @deprecated */
 export const hash_to_ristretto255: (msg: Uint8Array, options: htfBasicOpts) => RistPoint =
   hashToRistretto255; // legacy

package/src/ed448.ts

@@ -9,17 +9,18 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
-import type { AffinePoint, Group } from './abstract/curve.js';
-import { pippenger } from './abstract/curve.js';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import type { AffinePoint, Group } from './abstract/curve.ts';
+import { pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xof,
+  type Hasher,
   type htfBasicOpts,
   type HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.js';
+} from './abstract/hash-to-curve.ts';
+import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
@@ -27,7 +28,7 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
 const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
@@ -98,22 +99,20 @@ const Fp = Field(ed448P, 456, true);
 const ED448_DEF = {
   // Param: a
   a: BigInt(1),
-  // -39081. Negative number is P - number
+  // -39081 a.k.a. Fp.neg(39081)
   d: BigInt(
     '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
   ),
-  // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
+  // Finite field 2n**448n - 2n**224n - 1n
   Fp,
-  // Subgroup order: how many points curve has;
+  // Subgroup order
   // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
   n: BigInt(
     '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
   ),
   // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
   nBitLength: 456,
-  // Cofactor
   h: BigInt(4),
-  // Base point (x, y) aka generator point
   Gx: BigInt(
     '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
   ),
@@ -265,11 +264,11 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
   yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
 
-  const inv = Fp.invertBatch([xEd, yEd]); // batch division
+  const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
   return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 
-const htf = /* @__PURE__ */ (() =>
+export const ed448_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed448.ExtendedPoint,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
@@ -283,10 +282,11 @@ const htf = /* @__PURE__ */ (() =>
       hash: shake256,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  ed448_hasher.encodeToCurve)();
 
-function assertDcfPoint(other: unknown) {
+function adecafp(other: unknown) {
   if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
 }
 
@@ -354,9 +354,12 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
 class DcfPoint implements Group<DcfPoint> {
   static BASE: DcfPoint;
   static ZERO: DcfPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + DecafPoint
   // Always use Decaf encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): DcfPoint {
     return new DcfPoint(ed448.ExtendedPoint.fromAffine(ap));
@@ -453,7 +456,7 @@ class DcfPoint implements Group<DcfPoint> {
   // Compare one point to another.
   // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
   equals(other: DcfPoint): boolean {
-    assertDcfPoint(other);
+    adecafp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed448.CURVE.Fp.create;
@@ -462,12 +465,12 @@ class DcfPoint implements Group<DcfPoint> {
   }
 
   add(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.add(other.ep));
   }
 
   subtract(other: DcfPoint): DcfPoint {
-    assertDcfPoint(other);
+    adecafp(other);
     return new DcfPoint(this.ep.subtract(other.ep));
   }
 

package/src/jubjub.ts

@@ -1,63 +1,8 @@
-/**
- * jubjub Twisted Edwards curve.
- * https://neuromancer.sk/std/other/JubJub
- * jubjub does not use EdDSA, so `hash`/sha512 params are passed because interface expects them.
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { blake2s } from '@noble/hashes/blake2s';
-import { sha512 } from '@noble/hashes/sha512';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
-import { Field } from './abstract/modular.js';
-
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  // Params: a, d
-  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
-  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
-  // Finite field 𝔽p over which we'll do calculations
-  // Same value as bls12-381 Fr (not Fp)
-  Fp: Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')),
-  // Subgroup order: how many points curve has
-  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
-  // Cofactor
-  h: BigInt(8),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
-  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
-  hash: sha512,
-  randomBytes,
-} as const);
-
-const GH_FIRST_BLOCK = utf8ToBytes(
-  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
-);
-
-// Returns point at JubJub curve which is prime order and not zero
-export function groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const h = blake2s.create({ personalization, dkLen: 32 });
-  h.update(GH_FIRST_BLOCK);
-  h.update(tag);
-  // NOTE: returns ExtendedPoint, in case it will be multiplied later
-  let p = jubjub.ExtendedPoint.fromHex(h.digest());
-  // NOTE: cannot replace with isSmallOrder, returns Point*8
-  p = p.multiply(jubjub.CURVE.h);
-  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
-  return p;
-}
-
-// No secret data is leaked here at all.
-// It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
-export function findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const tag = concatBytes(m, new Uint8Array([0]));
-  const hashes = [];
-  for (let i = 0; i < 256; i++) {
-    tag[tag.length - 1] = i;
-    try {
-      hashes.push(groupHash(tag, personalization));
-    } catch (e) {}
-  }
-  if (!hashes.length) throw new Error('findGroupHash tag overflow');
-  return hashes[0];
-}
+import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
+
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const jubjub: typeof jubjubn = jubjubn;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const findGroupHash: typeof jubjub_findGroupHash = jubjub_findGroupHash;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const groupHash: typeof jubjub_groupHash = jubjub_groupHash;

package/src/misc.ts

@@ -0,0 +1,123 @@
+/**
+ * Miscellaneous, rarely used curves.
+ * jubjub, babyjubjub, pallas, vesta.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { blake256 } from '@noble/hashes/blake1';
+import { blake2s } from '@noble/hashes/blake2';
+import { sha256, sha512 } from '@noble/hashes/sha2';
+import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { getHash } from './_shortw_utils.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import { Field, mod } from './abstract/modular.ts';
+import { type CurveFn as WCurveFn, weierstrass } from './abstract/weierstrass.ts';
+
+// Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
+// jubjub Fp = bls n. babyjubjub Fp = bn254 n.
+// verify manually, check bls12-381.ts and bn254.ts.
+// https://neuromancer.sk/std/other/JubJub
+
+const bls12_381_Fr = Field(
+  BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')
+);
+const bn254_Fr = Field(
+  BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617')
+);
+
+/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
+export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
+  Fp: bls12_381_Fr,
+  n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
+  h: BigInt(8),
+  Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
+  Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+  hash: sha512,
+  randomBytes,
+} as const);
+
+/** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
+export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  a: BigInt(168700),
+  d: BigInt(168696),
+  Fp: bn254_Fr,
+  n: BigInt('21888242871839275222246405745257275088614511777268538073601725287587578984328'),
+  h: BigInt(8),
+  Gx: BigInt('995203441582195749578291179787384436505546430278305826713579947235728471134'),
+  Gy: BigInt('5472060717959818805561601436314318772137091100104008585924551046643952123905'),
+  hash: blake256,
+  randomBytes,
+} as const);
+
+const jubjub_gh_first_block = utf8ToBytes(
+  '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
+);
+
+// Returns point at JubJub curve which is prime order and not zero
+export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const h = blake2s.create({ personalization, dkLen: 32 });
+  h.update(jubjub_gh_first_block);
+  h.update(tag);
+  // NOTE: returns ExtendedPoint, in case it will be multiplied later
+  let p = jubjub.ExtendedPoint.fromHex(h.digest());
+  // NOTE: cannot replace with isSmallOrder, returns Point*8
+  p = p.multiply(jubjub.CURVE.h);
+  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
+  return p;
+}
+
+// No secret data is leaked here at all.
+// It operates over public data:
+// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
+export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
+  const tag = concatBytes(m, new Uint8Array([0]));
+  const hashes = [];
+  for (let i = 0; i < 256; i++) {
+    tag[tag.length - 1] = i;
+    try {
+      hashes.push(jubjub_groupHash(tag, personalization));
+    } catch (e) {}
+  }
+  if (!hashes.length) throw new Error('findGroupHash tag overflow');
+  return hashes[0];
+}
+
+// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
+
+export const pasta_p: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
+);
+export const pasta_q: bigint = BigInt(
+  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
+);
+
+/**
+ * https://neuromancer.sk/std/other/Pallas
+ * @deprecated
+ */
+export const pallas: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_p),
+  n: pasta_q,
+  Gx: mod(BigInt(-1), pasta_p),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});
+/**
+ * https://neuromancer.sk/std/other/Vesta
+ * @deprecated
+ */
+export const vesta: WCurveFn = weierstrass({
+  a: BigInt(0),
+  b: BigInt(5),
+  Fp: Field(pasta_q),
+  n: pasta_p,
+  Gx: mod(BigInt(-1), pasta_q),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});

package/src/nist.ts

@@ -0,0 +1,154 @@
+/**
+ * Internal module for NIST P256, P384, P521 curves.
+ * Do not use for now.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type Hasher } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
+
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const p256_a = Fp256.create(BigInt('-3'));
+const p256_b = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
+
+/**
+ * secp256r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
+ */
+// prettier-ignore
+export const p256: CurveFnWithCreate = createCurve({
+  a: p256_a,
+  b: p256_b,
+  Fp: Fp256,
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha256);
+/** Alias to p256. */
+export const secp256r1: CurveFnWithCreate = p256;
+
+const p256_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp256, {
+    A: p256_a,
+    B: p256_b,
+    Z: Fp256.create(BigInt('-10')),
+  }))();
+
+/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
+export const p256_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => p256_mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp256.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp384 = Field(
+  BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
+  )
+);
+const p384_a = Fp384.create(BigInt('-3'));
+// prettier-ignore
+const p384_b = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
+
+/**
+ * secp384r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
+ * */
+// prettier-ignore
+export const p384: CurveFnWithCreate = createCurve({
+  a: p384_a,
+  b: p384_b,
+  Fp: Fp384,
+  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha384);
+/** Alias to p384. */
+export const secp384r1: CurveFnWithCreate = p384;
+
+const p384_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp384, {
+    A: p384_a,
+    B: p384_b,
+    Z: Fp384.create(BigInt('-12')),
+  }))();
+
+/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
+export const p384_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => p384_mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp384.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp521 = Field(
+  BigInt(
+    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  )
+);
+
+const p521_a = Fp521.create(BigInt('-3'));
+const p521_b = BigInt(
+  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+);
+
+/**
+ * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
+ * Field: `2n**521n - 1n`.
+ */
+// prettier-ignore
+export const p521: CurveFnWithCreate = createCurve({
+  a: p521_a,
+  b: p521_b,
+  Fp: Fp521,
+  n: BigInt(
+    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
+  ),
+  Gx: BigInt(
+    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
+  ),
+  Gy: BigInt(
+    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
+  ),
+  h: BigInt(1),
+  lowS: false,
+  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
+} as const, sha512);
+export const secp521r1: CurveFnWithCreate = p521;
+
+const p521_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp521, {
+    A: p521_a,
+    B: p521_b,
+    Z: Fp521.create(BigInt('-4')),
+  }))();
+
+/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
+export const p521_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => p521_mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp521.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+  }))();