@noble/curves 1.8.1 → 1.9.0

package/src/p256.ts

@@ -1,54 +1,11 @@
 /**
  * NIST secp256r1 aka p256.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-
-const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A = Fp256.create(BigInt('-3'));
-const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
-
-/** secp256r1 curve, ECDSA and ECDH methods. */
-// prettier-ignore
-export const p256: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
-  b: CURVE_B,
-  Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-  // Curve order, total count of valid points in the field
-  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  // Base (generator) point (x, y)
-  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha256);
-/** Alias to p256. */
-export const secp256r1: CurveFnWithCreate = p256;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp256, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp256.create(BigInt('-10')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P256_XMD:SHA-256_SSWU_RO_',
-    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp256.ORDER,
-    m: 1,
-    k: 128,
-    expand: 'xmd',
-    hash: sha256,
-  }))();
-/** secp256r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp256r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p256_hasher, p256 as p256n } from './nist.ts';
+export const p256: typeof p256n = p256n;
+export const secp256r1: typeof p256n = p256n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

package/src/p384.ts

@@ -1,58 +1,13 @@
 /**
  * NIST secp384r1 aka p384.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha384 } from '@noble/hashes/sha512';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-
-// Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp384 = Field(P);
-const CURVE_A = Fp384.create(BigInt('-3'));
-// prettier-ignore
-const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
-
-/** secp384r1 curve, ECDSA and ECDH methods. */
-// prettier-ignore
-export const p384: CurveFnWithCreate = createCurve({
-  a: CURVE_A, // Equation params: a, b
-  b: CURVE_B,
-  Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-  // Curve order, total count of valid points in the field.
-  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  // Base (generator) point (x, y)
-  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha384);
-/** Alias to p384. */
-export const secp384r1: CurveFnWithCreate = p384;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp384, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp384.create(BigInt('-12')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P384_XMD:SHA-384_SSWU_RO_',
-    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp384.ORDER,
-    m: 1,
-    k: 192,
-    expand: 'xmd',
-    hash: sha384,
-  }))();
-/** secp384r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp384r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p384_hasher, p384 as p384n } from './nist.ts';
+export const p384: typeof p384n = p384n;
+export const secp384r1: typeof p384n = p384n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
+
+/** @deprecated Use `import { p384_hasher } from "@noble/curves/nist"` module. */

package/src/p521.ts

@@ -1,75 +1,11 @@
 /**
  * NIST secp521r1 aka p521.
- * Note that it's 521, which differs from 512 of its hash function.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.js';
-import { Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-
-// Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp521 = Field(P);
-
-const CURVE = {
-  a: Fp521.create(BigInt('-3')),
-  b: BigInt(
-    '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
-  ),
-  Fp: Fp521,
-  n: BigInt(
-    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
-  ),
-  Gx: BigInt(
-    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
-  ),
-  Gy: BigInt(
-    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
-  ),
-  h: BigInt(1),
-};
-
-/**
- * NIST secp521r1 aka p521.
- */
-// prettier-ignore
-export const p521: CurveFnWithCreate = createCurve({
-  a: CURVE.a, // Equation params: a, b
-  b: CURVE.b,
-  Fp: Fp521, // Field: 2n**521n - 1n
-  // Curve order, total count of valid points in the field
-  n: CURVE.n,
-  Gx: CURVE.Gx, // Base point (x, y) aka generator point
-  Gy: CURVE.Gy,
-  h: CURVE.h,
-  lowS: false,
-  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
-} as const, sha512);
-export const secp521r1: CurveFnWithCreate = p521;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp521, {
-    A: CURVE.a,
-    B: CURVE.b,
-    Z: Fp521.create(BigInt('-4')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P521_XMD:SHA-512_SSWU_RO_',
-    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
-    p: Fp521.ORDER,
-    m: 1,
-    k: 256,
-    expand: 'xmd',
-    hash: sha512,
-  }))();
-/** secp521r1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp521r1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p521_hasher, p521 as p521n } from './nist.ts';
+export const p521: typeof p521n = p521n;
+export const secp521r1: typeof p521n = p521n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();

package/src/pasta.ts

@@ -1,39 +1,5 @@
-/**
- * Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
- * @module
- */
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { getHash } from './_shortw_utils.js';
-import { Field, mod } from './abstract/modular.js';
-import { type CurveFn, weierstrass } from './abstract/weierstrass.js';
-
-export const p: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
-);
-export const q: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
-);
-
-/** https://neuromancer.sk/std/other/Pallas */
-export const pallas: CurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(p),
-  n: q,
-  Gx: mod(BigInt(-1), p),
-  Gy: BigInt(2),
-  h: BigInt(1),
-  ...getHash(sha256),
-});
-/** https://neuromancer.sk/std/other/Vesta */
-export const vesta: CurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(q),
-  n: p,
-  Gx: mod(BigInt(-1), q),
-  Gy: BigInt(2),
-  h: BigInt(1),
-  ...getHash(sha256),
-});
+import { pallas as pn, vesta as vn } from './misc.ts';
+/** @deprecated */
+export const pallas: typeof pn = pn;
+/** @deprecated */
+export const vesta: typeof vn = vn;

package/src/secp256k1.ts

@@ -11,12 +11,12 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.js';
-import { createHasher, type HTFMethod, isogenyMap } from './abstract/hash-to-curve.js';
-import { Field, mod, pow2 } from './abstract/modular.js';
-import type { Hex, PrivKey } from './abstract/utils.js';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type Hasher, type HTFMethod, isogenyMap } from './abstract/hash-to-curve.ts';
+import { Field, mod, pow2 } from './abstract/modular.ts';
+import type { Hex, PrivKey } from './abstract/utils.ts';
 import {
   aInRange,
   bytesToNumberBE,
@@ -24,8 +24,8 @@ import {
   ensureBytes,
   inRange,
   numberToBytesBE,
-} from './abstract/utils.js';
-import { mapToCurveSimpleSWU, type ProjPointType as PointType } from './abstract/weierstrass.js';
+} from './abstract/utils.ts';
+import { mapToCurveSimpleSWU, type ProjPointType as PointType } from './abstract/weierstrass.ts';
 
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
@@ -64,27 +64,29 @@ function sqrtMod(y: bigint): bigint {
 const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 
 /**
- * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ * secp256k1 curve, ECDSA and ECDH methods.
+ *
+ * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
  *
  * @example
+ * ```js
  * import { secp256k1 } from '@noble/curves/secp256k1';
- *
  * const priv = secp256k1.utils.randomPrivateKey();
  * const pub = secp256k1.getPublicKey(priv);
  * const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
  * const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
  * const isValid = secp256k1.verify(sig, msg, pub) === true;
+ * ```
  */
 export const secp256k1: CurveFnWithCreate = createCurve(
   {
-    a: BigInt(0), // equation params: a, b
+    a: BigInt(0),
     b: BigInt(7),
-    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    n: secp256k1N, // Curve order, total count of valid points in the field
-    // Base point (x, y) aka generator point
+    Fp: Fpk1,
+    n: secp256k1N,
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
-    h: BigInt(1), // Cofactor
+    h: BigInt(1),
     lowS: true, // Allow only low-S signatures by default in sign() and verify()
     endo: {
       // Endomorphism, see above
@@ -242,12 +244,14 @@ export type SecpSchnorr = {
  * Schnorr signatures over secp256k1.
  * https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
  * @example
+ * ```js
  * import { schnorr } from '@noble/curves/secp256k1';
  * const priv = schnorr.utils.randomPrivateKey();
  * const pub = schnorr.getPublicKey(priv);
  * const msg = new TextEncoder().encode('hello');
  * const sig = schnorr.sign(msg, priv);
  * const isValid = schnorr.verify(sig, msg, pub);
+ * ```
  */
 export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => ({
   getPublicKey: schnorrGetPublicKey,
@@ -303,7 +307,8 @@ const mapSWU = /* @__PURE__ */ (() =>
     B: BigInt('1771'),
     Z: Fpk1.create(BigInt('-11')),
   }))();
-const htf = /* @__PURE__ */ (() =>
+/** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
+export const secp256k1_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     secp256k1.ProjectivePoint,
     (scalars: bigint[]) => {
@@ -318,11 +323,11 @@ const htf = /* @__PURE__ */ (() =>
       k: 128,
       expand: 'xmd',
       hash: sha256,
-    }
+    } as const
   ))();
 
-/** secp256k1 hash-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  secp256k1_hasher.hashToCurve)();
 
-/** secp256k1 encode-to-curve from [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380). */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  secp256k1_hasher.encodeToCurve)();