@noble/curves 1.8.2 → 1.9.0

package/src/abstract/hash-to-curve.ts

@@ -6,7 +6,7 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
-import { type IField, mod } from './modular.ts';
+import { FpInvertBatch, type IField, mod } from './modular.ts';
 import type { CHash } from './utils.ts';
 import { abytes, bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.ts';
 
@@ -172,24 +172,23 @@ export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bi
   return u;
 }
 
-export type XY<T> = (
-  x: T,
-  y: T
-) => {
-  x: T;
-  y: T;
-};
-export function isogenyMap<T, F extends IField<T>>(field: F, map: [T[], T[], T[], T[]]): XY<T> {
+export type XY<T> = (x: T, y: T) => { x: T; y: T };
+export type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
+export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T> {
   // Make same order as in spec
-  const COEFF = map.map((i) => Array.from(i).reverse());
+  const coeff = map.map((i) => Array.from(i).reverse());
   return (x: T, y: T) => {
-    const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
+    const [xn, xd, yn, yd] = coeff.map((val) =>
       val.reduce((acc, i) => field.add(field.mul(acc, x), i))
     );
-    if (field.is0(xDen) || field.is0(yDen)) throw new Error('bad point: ZERO');
-    x = field.div(xNum, xDen); // xNum / xDen
-    y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
-    return { x: x, y: y };
+    // 6.6.3
+    // Exceptional cases of iso_map are inputs that cause the denominator of
+    // either rational function to evaluate to zero; such cases MUST return
+    // the identity point on E.
+    const [xd_inv, yd_inv] = FpInvertBatch(field, [xd, yd], true);
+    x = field.mul(xn, xd_inv); // xNum / xDen
+    y = field.mul(y, field.mul(yn, yd_inv)); // y * (yNum / yDev)
+    return { x, y };
   };
 }
 
@@ -212,46 +211,55 @@ export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
 export type htfBasicOpts = { DST: UnicodeOrBytes };
 export type HTFMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
 export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
+export type Hasher<T> = {
+  hashToCurve: HTFMethod<T>;
+  encodeToCurve: HTFMethod<T>;
+  mapToCurve: MapMethod<T>;
+  defaults: Opts & { encodeDST?: UnicodeOrBytes };
+};
 
 /** Creates hash-to-curve methods from EC Point and mapToCurve function. */
 export function createHasher<T>(
   Point: H2CPointConstructor<T>,
   mapToCurve: MapToCurve<T>,
-  def: Opts & { encodeDST?: UnicodeOrBytes }
-): {
-  hashToCurve: HTFMethod<T>;
-  encodeToCurve: HTFMethod<T>;
-  mapToCurve: MapMethod<T>;
-} {
+  defaults: Opts & { encodeDST?: UnicodeOrBytes }
+): Hasher<T> {
   if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
+  function map(num: bigint[]) {
+    return Point.fromAffine(mapToCurve(num));
+  }
+  function clear(initial: H2CPoint<T>) {
+    const P = initial.clearCofactor();
+    if (P.equals(Point.ZERO)) return Point.ZERO; // zero will throw in assert
+    P.assertValidity();
+    return P;
+  }
+
   return {
+    defaults,
+
     // Encodes byte string to elliptic curve.
     // hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
     hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options } as Opts);
-      const u0 = Point.fromAffine(mapToCurve(u[0]));
-      const u1 = Point.fromAffine(mapToCurve(u[1]));
-      const P = u0.add(u1).clearCofactor();
-      P.assertValidity();
-      return P;
+      const u = hash_to_field(msg, 2, { ...defaults, DST: defaults.DST, ...options } as Opts);
+      const u0 = map(u[0]);
+      const u1 = map(u[1]);
+      return clear(u0.add(u1));
     },
 
     // Encodes byte string to elliptic curve.
     // encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
     encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options } as Opts);
-      const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
-      P.assertValidity();
-      return P;
+      const u = hash_to_field(msg, 1, { ...defaults, DST: defaults.encodeDST, ...options } as Opts);
+      return clear(map(u[0]));
     },
+
     // Same as encodeToCurve, but without hash
     mapToCurve(scalars: bigint[]): H2CPoint<T> {
-      if (!Array.isArray(scalars)) throw new Error('mapToCurve: expected array of bigints');
+      if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
       for (const i of scalars)
-        if (typeof i !== 'bigint') throw new Error('mapToCurve: expected array of bigints');
-      const P = Point.fromAffine(mapToCurve(scalars)).clearCofactor();
-      P.assertValidity();
-      return P;
+        if (typeof i !== 'bigint') throw new Error('expected array of bigints');
+      return clear(map(scalars));
     },
   };
 }

package/src/abstract/modular.ts

@@ -5,6 +5,7 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { anumber } from '@noble/hashes/utils';
 import {
   bitMask,
   bytesToNumberBE,
@@ -30,7 +31,7 @@ export function mod(a: bigint, b: bigint): bigint {
 /**
  * Efficiently raise num to power and do modular division.
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- * @todo use field version && remove
+ * TODO: remove.
  * @example
  * pow(2n, 6n, 11n) // 64n % 11n == 9n
  */
@@ -87,27 +88,25 @@ export function invert(number: bigint, modulo: bigint): bigint {
  * Tonelli-Shanks square root search algorithm.
  * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
  * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
- * Will start an infinite loop if field order P is not prime.
  * @param P field order
  * @returns function that takes field Fp (created from P) and number n
  */
 export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
-  // Legendre constant: used to calculate Legendre symbol (a | p),
-  // which denotes the value of a^((p-1)/2) (mod p).
-  // (a | p) ≡ 1    if a is a square (mod p)
-  // (a | p) ≡ -1   if a is not a square (mod p)
-  // (a | p) ≡ 0    if a ≡ 0 (mod p)
-  const legendreC = (P - _1n) / _2n;
-
-  let Q: bigint, S: number, Z: bigint;
+  // Do expensive precomputation step
   // Step 1: By factoring out powers of 2 from p - 1,
-  // find q and s such that p - 1 = q*(2^s) with q odd
-  for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++);
+  // find q and s such that p-1 == q*(2^s) with q odd
+  let Q = P - _1n;
+  let S = 0;
+  while (Q % _2n === _0n) {
+    Q /= _2n;
+    S++;
+  }
 
   // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-  for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++) {
-    // Crash instead of infinity loop, we cannot reasonable count until P.
-    if (Z > 1000) throw new Error('Cannot find square root: likely non-prime P');
+  let Z = _2n;
+  const _Fp = Field(P);
+  while (Z < P && FpIsSquare(_Fp, Z)) {
+    if (Z++ > 1000) throw new Error('Cannot find square root: probably non-prime P');
   }
 
   // Fast-path
@@ -119,27 +118,29 @@ export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
       return root;
     };
   }
-
   // Slow-path
   const Q1div2 = (Q + _1n) / _2n;
   return function tonelliSlow<T>(Fp: IField<T>, n: T): T {
     // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-    if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE)) throw new Error('Cannot find square root');
+    if (!FpIsSquare(Fp, n)) throw new Error('Cannot find square root');
     let r = S;
-    // TODO: will fail at Fp2/etc
+    // TODO: test on Fp2 and others
     let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
     let x = Fp.pow(n, Q1div2); // first guess at the square root
     let b = Fp.pow(n, Q); // first guess at the fudge factor
 
     while (!Fp.eql(b, Fp.ONE)) {
-      if (Fp.eql(b, Fp.ZERO)) return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+      // (4. If t = 0, return r = 0)
+      // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm
+      if (Fp.eql(b, Fp.ZERO)) return Fp.ZERO;
       // Find m such b^(2^m)==1
       let m = 1;
       for (let t2 = Fp.sqr(b); m < r; m++) {
         if (Fp.eql(t2, Fp.ONE)) break;
         t2 = Fp.sqr(t2); // t2 *= t2
       }
-      // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+      // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift,
+      // otherwise there will be overflow.
       const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
       g = Fp.sqr(ge); // g = ge * ge
       x = Fp.mul(x, ge); // x *= ge
@@ -169,8 +170,8 @@ export function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T {
     // const ORDER =
     //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
     // const NUM = 72057594037927816n;
-    const p1div4 = (P + _1n) / _4n;
     return function sqrt3mod4<T>(Fp: IField<T>, n: T) {
+      const p1div4 = (P + _1n) / _4n;
       const root = Fp.pow(n, p1div4);
       // Throw if root**2 != n
       if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
@@ -180,9 +181,9 @@ export function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T {
 
   // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
   if (P % _8n === _5n) {
-    const c1 = (P - _5n) / _8n;
     return function sqrt5mod8<T>(Fp: IField<T>, n: T) {
       const n2 = Fp.mul(n, _2n);
+      const c1 = (P - _5n) / _8n;
       const v = Fp.pow(n2, c1);
       const nv = Fp.mul(n, v);
       const i = Fp.mul(Fp.mul(nv, _2n), v);
@@ -291,17 +292,16 @@ export function validateField<T>(field: IField<T>): IField<T> {
  * Same as `pow` but for Fp: non-constant-time.
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
  */
-export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
-  // Should have same speed as pow for bigints
-  // TODO: benchmark!
+export function FpPow<T>(Fp: IField<T>, num: T, power: bigint): T {
   if (power < _0n) throw new Error('invalid exponent, negatives unsupported');
-  if (power === _0n) return f.ONE;
+  if (power === _0n) return Fp.ONE;
   if (power === _1n) return num;
-  let p = f.ONE;
+  // @ts-ignore
+  let p = Fp.ONE;
   let d = num;
   while (power > _0n) {
-    if (power & _1n) p = f.mul(p, d);
-    d = f.sqr(d);
+    if (power & _1n) p = Fp.mul(p, d);
+    d = Fp.sqr(d);
     power >>= _1n;
   }
   return p;
@@ -309,49 +309,56 @@ export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
 
 /**
  * Efficiently invert an array of Field elements.
- * `inv(0)` will return `undefined` here: make sure to throw an error.
+ * Exception-free. Will return `undefined` for 0 elements.
+ * @param passZero map 0 to 0 (instead of undefined)
  */
-export function FpInvertBatch<T>(f: IField<T>, nums: T[]): T[] {
-  const tmp = new Array(nums.length);
+export function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero = false): T[] {
+  const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
   // Walk from first to last, multiply them by each other MOD p
-  const lastMultiplied = nums.reduce((acc, num, i) => {
-    if (f.is0(num)) return acc;
-    tmp[i] = acc;
-    return f.mul(acc, num);
-  }, f.ONE);
+  const multipliedAcc = nums.reduce((acc, num, i) => {
+    if (Fp.is0(num)) return acc;
+    inverted[i] = acc;
+    return Fp.mul(acc, num);
+  }, Fp.ONE);
   // Invert last element
-  const inverted = f.inv(lastMultiplied);
+  const invertedAcc = Fp.inv(multipliedAcc);
   // Walk from last to first, multiply them by inverted each other MOD p
   nums.reduceRight((acc, num, i) => {
-    if (f.is0(num)) return acc;
-    tmp[i] = f.mul(acc, tmp[i]);
-    return f.mul(acc, num);
-  }, inverted);
-  return tmp;
+    if (Fp.is0(num)) return acc;
+    inverted[i] = Fp.mul(acc, inverted[i]);
+    return Fp.mul(acc, num);
+  }, invertedAcc);
+  return inverted;
 }
 
-export function FpDiv<T>(f: IField<T>, lhs: T, rhs: T | bigint): T {
-  return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
+// TODO: remove
+export function FpDiv<T>(Fp: IField<T>, lhs: T, rhs: T | bigint): T {
+  return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
 }
 
 /**
  * Legendre symbol.
+ * Legendre constant is used to calculate Legendre symbol (a | p)
+ * which denotes the value of a^((p-1)/2) (mod p)..
+ *
  * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
  * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
  * * (a | p) ≡ 0    if a ≡ 0 (mod p)
  */
-export function FpLegendre(order: bigint): <T>(f: IField<T>, x: T) => T {
-  const legendreConst = (order - _1n) / _2n; // Integer arithmetic
-  return <T>(f: IField<T>, x: T): T => f.pow(x, legendreConst);
+export function FpLegendre<T>(Fp: IField<T>, n: T): number {
+  const legc = (Fp.ORDER - _1n) / _2n;
+  const powered = Fp.pow(n, legc);
+  const yes = Fp.eql(powered, Fp.ONE);
+  const zero = Fp.eql(powered, Fp.ZERO);
+  const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+  if (!yes && !zero && !no) throw new Error('Cannot find square root: probably non-prime P');
+  return yes ? 1 : zero ? 0 : -1;
 }
 
 // This function returns True whenever the value x is a square in the field F.
-export function FpIsSquare<T>(f: IField<T>): (x: T) => boolean {
-  const legendre = FpLegendre(f.ORDER);
-  return (x: T): boolean => {
-    const p = legendre(f, x);
-    return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
-  };
+export function FpIsSquare<T>(Fp: IField<T>, n: T): boolean {
+  const l = FpLegendre(Fp, n);
+  return l === 0 || l === 1;
 }
 
 // CURVE.n lengths
@@ -363,6 +370,7 @@ export function nLength(
   nByteLength: number;
 } {
   // Bit size, byte size of CURVE.n
+  if (nBitLength !== undefined) anumber(nBitLength);
   const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
   const nByteLength = Math.ceil(_nBitLength / 8);
   return { nBitLength: _nBitLength, nByteLength };
@@ -433,16 +441,17 @@ export function Field(
         if (!sqrtP) sqrtP = FpSqrt(ORDER);
         return sqrtP(f, n);
       }),
-    invertBatch: (lst) => FpInvertBatch(f, lst),
-    // TODO: do we really need constant cmov?
-    // We don't have const-time bigints anyway, so probably will be not very useful
-    cmov: (a, b, c) => (c ? b : a),
     toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
     fromBytes: (bytes) => {
       if (bytes.length !== BYTES)
         throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
       return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
     },
+    // TODO: we don't need it here, move out to separate fn
+    invertBatch: (lst) => FpInvertBatch(f, lst),
+    // We can't move this out because Fp6, Fp12 implement it
+    // and it's unclear what to return in there.
+    cmov: (a, b, c) => (c ? b : a),
   } as FpField);
   return Object.freeze(f);
 }

package/src/abstract/montgomery.ts

@@ -5,7 +5,7 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { mod, pow } from './modular.ts';
+import { Field, mod } from './modular.ts';
 import {
   aInRange,
   bytesToNumberLE,
@@ -63,12 +63,13 @@ function validateOpts(curve: CurveType) {
 export function montgomery(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef);
   const { P } = CURVE;
+  const Fp = Field(P);
   const modP = (n: bigint) => mod(n, P);
   const montgomeryBits = CURVE.montgomeryBits;
   const montgomeryBytes = Math.ceil(montgomeryBits / 8);
   const fieldLen = CURVE.nByteLength;
   const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
-  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => pow(x, P - BigInt(2), P));
+  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => Fp.pow(x, P - BigInt(2)));
 
   // cswap from RFC7748. But it is not from RFC7748!
   /*

package/src/abstract/poseidon.ts

@@ -7,19 +7,127 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { FpPow, type IField, validateField } from './modular.ts';
+import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
+import { bitGet } from './utils.ts';
 
-export type PoseidonOpts = {
+// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
+function grainLFSR(state: number[]): () => boolean {
+  let pos = 0;
+  if (state.length !== 80) throw new Error('grainLFRS: wrong state length, should be 80 bits');
+  const getBit = (): boolean => {
+    const r = (offset: number) => state[(pos + offset) % 80];
+    const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
+    state[pos] = bit;
+    pos = ++pos % 80;
+    return !!bit;
+  };
+  for (let i = 0; i < 160; i++) getBit();
+  return () => {
+    // https://en.wikipedia.org/wiki/Shrinking_generator
+    while (true) {
+      const b1 = getBit();
+      const b2 = getBit();
+      if (!b1) continue;
+      return b2;
+    }
+  };
+}
+
+export type PoseidonBasicOpts = {
   Fp: IField<bigint>;
-  t: number;
+  t: number; // t = rate + capacity
   roundsFull: number;
   roundsPartial: number;
+  isSboxInverse?: boolean;
+};
+
+function validateBasicOpts(opts: PoseidonBasicOpts) {
+  const { Fp, roundsFull } = opts;
+  validateField(Fp);
+  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error('invalid number ' + i);
+  }
+  if (opts.isSboxInverse !== undefined && typeof opts.isSboxInverse !== 'boolean')
+    throw new Error(`Poseidon: invalid param isSboxInverse=${opts.isSboxInverse}`);
+  if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
+}
+
+function poseidonGrain(opts: PoseidonBasicOpts) {
+  validateBasicOpts(opts);
+  const { Fp } = opts;
+  const state = Array(80).fill(1);
+  let pos = 0;
+  const writeBits = (value: bigint, bitCount: number) => {
+    for (let i = bitCount - 1; i >= 0; i--) state[pos++] = Number(bitGet(value, i));
+  };
+  const _0n = BigInt(0);
+  const _1n = BigInt(1);
+  writeBits(_1n, 2); // prime field
+  writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
+  writeBits(BigInt(Fp.BITS), 12); // b6..b17
+  writeBits(BigInt(opts.t), 12); // b18..b29
+  writeBits(BigInt(opts.roundsFull), 10); // b30..b39
+  writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
+
+  const getBit = grainLFSR(state);
+  return (count: number, reject: boolean): bigint[] => {
+    const res: bigint[] = [];
+    for (let i = 0; i < count; i++) {
+      while (true) {
+        let num = _0n;
+        for (let i = 0; i < Fp.BITS; i++) {
+          num <<= _1n;
+          if (getBit()) num |= _1n;
+        }
+        if (reject && num >= Fp.ORDER) continue; // rejection sampling
+        res.push(Fp.create(num));
+        break;
+      }
+    }
+    return res;
+  };
+}
+
+export type PoseidonGrainOpts = PoseidonBasicOpts & {
   sboxPower?: number;
-  reversePartialPowIdx?: boolean; // Hack for stark
-  mds: bigint[][];
-  roundConstants: bigint[][];
 };
 
+type PoseidonConstants = { mds: bigint[][]; roundConstants: bigint[][] };
+
+// NOTE: this is not standard but used often for constant generation for poseidon
+// (grain LFRS-like structure)
+export function grainGenConstants(opts: PoseidonGrainOpts, skipMDS: number = 0): PoseidonConstants {
+  const { Fp, t, roundsFull, roundsPartial } = opts;
+  const rounds = roundsFull + roundsPartial;
+  const sample = poseidonGrain(opts);
+  const roundConstants: bigint[][] = [];
+  for (let r = 0; r < rounds; r++) roundConstants.push(sample(t, true));
+  if (skipMDS > 0) for (let i = 0; i < skipMDS; i++) sample(2 * t, false);
+  const xs = sample(t, false);
+  const ys = sample(t, false);
+  // Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
+  const mds: bigint[][] = [];
+  for (let i = 0; i < t; i++) {
+    const row: bigint[] = [];
+    for (let j = 0; j < t; j++) {
+      const xy = Fp.add(xs[i], ys[j]);
+      if (Fp.is0(xy))
+        throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
+      row.push(xy);
+    }
+    mds.push(FpInvertBatch(Fp, row));
+  }
+
+  return { roundConstants, mds };
+}
+
+export type PoseidonOpts = PoseidonBasicOpts &
+  PoseidonConstants & {
+    sboxPower?: number;
+    reversePartialPowIdx?: boolean; // Hack for stark
+  };
+
 export function validateOpts(opts: PoseidonOpts): Readonly<{
   rounds: number;
   sboxFn: (n: bigint) => bigint;
@@ -32,15 +140,10 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
   sboxPower?: number;
   reversePartialPowIdx?: boolean; // Hack for stark
 }> {
+  validateBasicOpts(opts);
   const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
   const { roundsFull, roundsPartial, sboxPower, t } = opts;
 
-  validateField(Fp);
-  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
-  }
-
   // MDS is TxT matrix
   if (!Array.isArray(mds) || mds.length !== t) throw new Error('Poseidon: invalid MDS matrix');
   const _mds = mds.map((mdsRow) => {
@@ -68,7 +171,7 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
     });
   });
 
-  if (!sboxPower || ![3, 5, 7].includes(sboxPower)) throw new Error('invalid sboxPower');
+  if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower)) throw new Error('invalid sboxPower');
   const _sboxPower = BigInt(sboxPower);
   let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
   // Unwrapped sbox power for common cases (195->142μs)
@@ -134,3 +237,95 @@ export function poseidon(opts: PoseidonOpts): {
   poseidonHash.roundConstants = roundConstants;
   return poseidonHash;
 }
+
+export class PoseidonSponge {
+  private Fp: IField<bigint>;
+  readonly rate: number;
+  readonly capacity: number;
+  readonly hash: ReturnType<typeof poseidon>;
+  private state: bigint[]; // [...capacity, ...rate]
+  private pos = 0;
+  private isAbsorbing = true;
+
+  constructor(
+    Fp: IField<bigint>,
+    rate: number,
+    capacity: number,
+    hash: ReturnType<typeof poseidon>
+  ) {
+    this.Fp = Fp;
+    this.hash = hash;
+    this.rate = rate;
+    this.capacity = capacity;
+    this.state = new Array(rate + capacity);
+    this.clean();
+  }
+  private process(): void {
+    this.state = this.hash(this.state);
+  }
+  absorb(input: bigint[]): void {
+    for (const i of input)
+      if (typeof i !== 'bigint' || !this.Fp.isValid(i)) throw new Error('invalid input: ' + i);
+    for (let i = 0; i < input.length; ) {
+      if (!this.isAbsorbing || this.pos === this.rate) {
+        this.process();
+        this.pos = 0;
+        this.isAbsorbing = true;
+      }
+      const chunk = Math.min(this.rate - this.pos, input.length - i);
+      for (let j = 0; j < chunk; j++) {
+        const idx = this.capacity + this.pos++;
+        this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
+      }
+    }
+  }
+  squeeze(count: number): bigint[] {
+    const res: bigint[] = [];
+    while (res.length < count) {
+      if (this.isAbsorbing || this.pos === this.rate) {
+        this.process();
+        this.pos = 0;
+        this.isAbsorbing = false;
+      }
+      const chunk = Math.min(this.rate - this.pos, count - res.length);
+      for (let i = 0; i < chunk; i++) res.push(this.state[this.capacity + this.pos++]);
+    }
+    return res;
+  }
+  clean(): void {
+    this.state.fill(this.Fp.ZERO);
+    this.isAbsorbing = true;
+    this.pos = 0;
+  }
+  clone(): PoseidonSponge {
+    const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
+    c.pos = this.pos;
+    c.state = [...this.state];
+    return c;
+  }
+}
+
+export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
+  rate: number;
+  capacity: number;
+};
+
+/**
+ * The method is not defined in spec, but nevertheless used often.
+ * Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
+ * We cross-test against:
+ * - https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms
+ * - https://github.com/arkworks-rs/crypto-primitives/tree/main
+ */
+export function poseidonSponge(opts: PoseidonSpongeOpts): () => PoseidonSponge {
+  for (const i of ['rate', 'capacity'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error('invalid number ' + i);
+  }
+  const { rate, capacity } = opts;
+  const t = opts.rate + opts.capacity;
+  // Re-use hash instance between multiple instances
+  const hash = poseidon({ ...opts, t });
+  const { Fp } = opts;
+  return () => new PoseidonSponge(Fp, rate, capacity, hash);
+}

package/src/abstract/tower.ts

@@ -167,7 +167,6 @@ export function tower12(opts: Tower12Opts): {
   // Fp
   const Fp = mod.Field(ORDER);
   const FpNONRESIDUE = Fp.create(opts.NONRESIDUE || BigInt(-1));
-  const FpLegendre = mod.FpLegendre(ORDER);
   const Fpdiv2 = Fp.div(Fp.ONE, _2n); // 1/2
 
   // Fp2
@@ -265,14 +264,14 @@ export function tower12(opts: Tower12Opts): {
       const { c0, c1 } = num;
       if (Fp.is0(c1)) {
         // if c0 is quadratic residue
-        if (Fp.eql(FpLegendre(Fp, c0), Fp.ONE)) return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
+        if (mod.FpLegendre(Fp, c0) === 1) return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
         else return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, FpNONRESIDUE)) });
       }
       const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), FpNONRESIDUE)));
       let d = Fp.mul(Fp.add(a, c0), Fpdiv2);
-      const legendre = FpLegendre(Fp, d);
+      const legendre = mod.FpLegendre(Fp, d);
       // -1, Quadratic non residue
-      if (!Fp.is0(legendre) && !Fp.eql(legendre, Fp.ONE)) d = Fp.sub(d, a);
+      if (legendre === -1) d = Fp.sub(d, a);
       const a0 = Fp.sqrt(d);
       const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, Fpdiv2), a0) });
       if (!Fp2.eql(Fp2.sqr(candidateSqrt), num)) throw new Error('Cannot find square root');