@noble/curves 1.8.2 → 1.9.0

package/src/abstract/utils.ts

@@ -32,6 +32,7 @@ export function abool(title: string, value: boolean): void {
   if (typeof value !== 'boolean') throw new Error(title + ' boolean expected, got ' + value);
 }
 
+// Used in weierstrass, der
 export function numberToHexUnpadded(num: number | bigint): string {
   const hex = num.toString(16);
   return hex.length & 1 ? '0' + hex : hex;
@@ -217,6 +218,7 @@ export function aInRange(title: string, n: bigint, min: bigint, max: bigint): vo
 /**
  * Calculates amount of bits in a bigint.
  * Same as `n.toString(2).length`
+ * TODO: merge with nLength in modular
  */
 export function bitLen(n: bigint): number {
   let len;

package/src/abstract/weierstrass.ts

@@ -41,11 +41,13 @@
 // prettier-ignore
 import {
   type AffinePoint, type BasicCurve, type Group, type GroupConstructor,
-  pippenger, validateBasic, wNAF,
+  pippenger, validateBasic, wNAF
 } from './curve.ts';
 // prettier-ignore
 import {
-  Field, type IField, getMinHashLength, invert, mapHashToField, mod, validateField,
+  Field,
+  FpInvertBatch,
+  type IField, getMinHashLength, invert, mapHashToField, mod, validateField
 } from './modular.ts';
 // prettier-ignore
 import {
@@ -94,17 +96,16 @@ export interface ProjPointType<T> extends Group<ProjPointType<T>> {
   readonly pz: T;
   get x(): T;
   get y(): T;
-  multiply(scalar: bigint): ProjPointType<T>;
   toAffine(iz?: T): AffinePoint<T>;
-  isTorsionFree(): boolean;
-  clearCofactor(): ProjPointType<T>;
-  assertValidity(): void;
-  hasEvenY(): boolean;
-  toRawBytes(isCompressed?: boolean): Uint8Array;
   toHex(isCompressed?: boolean): string;
+  toRawBytes(isCompressed?: boolean): Uint8Array;
 
+  assertValidity(): void;
+  hasEvenY(): boolean;
   multiplyUnsafe(scalar: bigint): ProjPointType<T>;
   multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
+  isTorsionFree(): boolean;
+  clearCofactor(): ProjPointType<T>;
   _setWindowSize(windowSize: number): void;
 }
 // Static methods for 3d XYZ points
@@ -413,14 +414,14 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
    */
   class Point implements ProjPointType<T> {
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
     readonly px: T;
     readonly py: T;
     readonly pz: T;
 
     constructor(px: T, py: T, pz: T) {
       if (px == null || !Fp.isValid(px)) throw new Error('x required');
-      if (py == null || !Fp.isValid(py)) throw new Error('y required');
+      if (py == null || !Fp.isValid(py) || Fp.is0(py)) throw new Error('y required');
       if (pz == null || !Fp.isValid(pz)) throw new Error('z required');
       this.px = px;
       this.py = py;
@@ -454,7 +455,10 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      * Optimization: converts a list of projective points to a list of identical points with Z=1.
      */
     static normalizeZ(points: Point[]): Point[] {
-      const toInv = Fp.invertBatch(points.map((p) => p.pz));
+      const toInv = FpInvertBatch(
+        Fp,
+        points.map((p) => p.pz)
+      );
       return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
     }
 
@@ -617,6 +621,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     is0() {
       return this.equals(Point.ZERO);
     }
+
     private wNAF(n: bigint): { p: Point; f: Point } {
       return wnaf.wNAFCached(this, n, Point.normalizeZ);
     }
@@ -734,7 +739,6 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
   }
   const _bits = CURVE.nBitLength;
   const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-  // Validate if generator point is on curve
   return {
     CURVE,
     ProjectivePoint: Point as ProjConstructor<T>,
@@ -756,7 +760,6 @@ export interface SignatureType {
   recoverPublicKey(msgHash: Hex): ProjPointType<bigint>;
   toCompactRawBytes(): Uint8Array;
   toCompactHex(): string;
-  // DER-encoded
   toDERRawBytes(isCompressed?: boolean): Uint8Array;
   toDERHex(isCompressed?: boolean): string;
 }
@@ -975,7 +978,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return hexToBytes(this.toDERHex());
     }
     toDERHex() {
-      return DER.hexFromSig({ r: this.r, s: this.s });
+      return DER.hexFromSig(this);
     }
 
     // padded bytes of r, then padded bytes of s
@@ -1383,7 +1386,8 @@ export function mapToCurveSimpleSWU<T>(
     y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
     const e1 = Fp.isOdd!(u) === Fp.isOdd!(y); // 23.  e1 = sgn0(u) == sgn0(y)
     y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
-    x = Fp.div(x, tv4); // 25.   x = x / tv4
+    const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
+    x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
     return { x, y };
   };
 }

package/src/bn254.ts

@@ -13,6 +13,15 @@ There are huge compatibility issues in the ecosystem:
    https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
 3. halo2curves bn256 is also incompatible and returns different outputs
 
+We don't implement Point methods toHex / toRawBytes.
+To work around this limitation, has to initialize points on their own from BigInts.
+Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
+Points of divergence:
+
+- Endianness: LE vs BE (byte-swapped)
+- Flags as first hex bits (similar to BLS) vs no-flags
+- Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
+
 The goal of our implementation is to support "Ethereum" variant of the curve,
 because it at least has specs:
 
@@ -239,6 +248,7 @@ export const bn254: BLSCurveFn = bls({
  * bn254 weierstrass curve with ECDSA.
  * This is very rare and probably not used anywhere.
  * Instead, you should use G1 / G2, defined above.
+ * @deprecated
  */
 export const bn254_weierstrass: CurveFn = weierstrass({
   a: BigInt(0),

package/src/ed25519.ts

@@ -13,10 +13,11 @@ import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwa
 import {
   createHasher,
   expand_message_xmd,
+  type Hasher,
   type htfBasicOpts,
   type HTFMethod,
 } from './abstract/hash-to-curve.ts';
-import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { Field, FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
 import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
@@ -289,12 +290,11 @@ function map_to_curve_elligator2_edwards25519(u: bigint) {
   xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
   yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
   yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
-
-  const inv = Fp.invertBatch([xd, yd]); // batch division
-  return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
+  const [xd_inv, yd_inv] = FpInvertBatch(Fp, [xd, yd], true); // batch division
+  return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; //  13. return (xn, xd, yn, yd)
 }
 
-const htf = /* @__PURE__ */ (() =>
+export const ed25519_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed25519.ExtendedPoint,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
@@ -308,8 +308,9 @@ const htf = /* @__PURE__ */ (() =>
       hash: sha512,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  ed25519_hasher.encodeToCurve)();
 
 function aristp(other: unknown) {
   if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');

package/src/ed448.ts

@@ -15,10 +15,11 @@ import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwa
 import {
   createHasher,
   expand_message_xof,
+  type Hasher,
   type htfBasicOpts,
   type HTFMethod,
 } from './abstract/hash-to-curve.ts';
-import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
 import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
@@ -263,11 +264,11 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
   yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
 
-  const inv = Fp.invertBatch([xEd, yEd]); // batch division
+  const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
   return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 
-const htf = /* @__PURE__ */ (() =>
+export const ed448_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed448.ExtendedPoint,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
@@ -281,8 +282,9 @@ const htf = /* @__PURE__ */ (() =>
       hash: shake256,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  ed448_hasher.encodeToCurve)();
 
 function adecafp(other: unknown) {
   if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');

package/src/jubjub.ts

@@ -1,5 +1,8 @@
-export {
-  jubjub_findGroupHash as findGroupHash,
-  jubjub_groupHash as groupHash,
-  jubjub,
-} from './misc.ts';
+import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
+
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const jubjub: typeof jubjubn = jubjubn;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const findGroupHash: typeof jubjub_findGroupHash = jubjub_findGroupHash;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const groupHash: typeof jubjub_groupHash = jubjub_groupHash;

package/src/misc.ts

@@ -5,7 +5,7 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { blake256 } from '@noble/hashes/blake1';
-import { blake2s } from '@noble/hashes/blake2s';
+import { blake2s } from '@noble/hashes/blake2';
 import { sha256, sha512 } from '@noble/hashes/sha2';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
 import { getHash } from './_shortw_utils.ts';
@@ -70,7 +70,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
 
 // No secret data is leaked here at all.
 // It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
+// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
 export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
   const tag = concatBytes(m, new Uint8Array([0]));
   const hashes = [];
@@ -93,7 +93,10 @@ export const pasta_q: bigint = BigInt(
   '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
 );
 
-/** https://neuromancer.sk/std/other/Pallas */
+/**
+ * https://neuromancer.sk/std/other/Pallas
+ * @deprecated
+ */
 export const pallas: WCurveFn = weierstrass({
   a: BigInt(0),
   b: BigInt(5),
@@ -104,7 +107,10 @@ export const pallas: WCurveFn = weierstrass({
   h: BigInt(1),
   ...getHash(sha256),
 });
-/** https://neuromancer.sk/std/other/Vesta */
+/**
+ * https://neuromancer.sk/std/other/Vesta
+ * @deprecated
+ */
 export const vesta: WCurveFn = weierstrass({
   a: BigInt(0),
   b: BigInt(5),

package/src/nist.ts

@@ -0,0 +1,154 @@
+/**
+ * Internal module for NIST P256, P384, P521 curves.
+ * Do not use for now.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type Hasher } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
+
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const p256_a = Fp256.create(BigInt('-3'));
+const p256_b = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
+
+/**
+ * secp256r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
+ */
+// prettier-ignore
+export const p256: CurveFnWithCreate = createCurve({
+  a: p256_a,
+  b: p256_b,
+  Fp: Fp256,
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha256);
+/** Alias to p256. */
+export const secp256r1: CurveFnWithCreate = p256;
+
+const p256_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp256, {
+    A: p256_a,
+    B: p256_b,
+    Z: Fp256.create(BigInt('-10')),
+  }))();
+
+/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
+export const p256_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => p256_mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp256.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp384 = Field(
+  BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
+  )
+);
+const p384_a = Fp384.create(BigInt('-3'));
+// prettier-ignore
+const p384_b = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
+
+/**
+ * secp384r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
+ * */
+// prettier-ignore
+export const p384: CurveFnWithCreate = createCurve({
+  a: p384_a,
+  b: p384_b,
+  Fp: Fp384,
+  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha384);
+/** Alias to p384. */
+export const secp384r1: CurveFnWithCreate = p384;
+
+const p384_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp384, {
+    A: p384_a,
+    B: p384_b,
+    Z: Fp384.create(BigInt('-12')),
+  }))();
+
+/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
+export const p384_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => p384_mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp384.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp521 = Field(
+  BigInt(
+    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  )
+);
+
+const p521_a = Fp521.create(BigInt('-3'));
+const p521_b = BigInt(
+  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+);
+
+/**
+ * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
+ * Field: `2n**521n - 1n`.
+ */
+// prettier-ignore
+export const p521: CurveFnWithCreate = createCurve({
+  a: p521_a,
+  b: p521_b,
+  Fp: Fp521,
+  n: BigInt(
+    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
+  ),
+  Gx: BigInt(
+    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
+  ),
+  Gy: BigInt(
+    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
+  ),
+  h: BigInt(1),
+  lowS: false,
+  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
+} as const, sha512);
+export const secp521r1: CurveFnWithCreate = p521;
+
+const p521_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp521, {
+    A: p521_a,
+    B: p521_b,
+    Z: Fp521.create(BigInt('-4')),
+  }))();
+
+/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
+export const p521_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => p521_mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp521.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+  }))();

package/src/p256.ts

@@ -1,55 +1,11 @@
 /**
  * NIST secp256r1 aka p256.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha2';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
-
-const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A = Fp256.create(BigInt('-3'));
-const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
-
-/**
- * secp256r1 curve, ECDSA and ECDH methods.
- * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
- */
-// prettier-ignore
-export const p256: CurveFnWithCreate = createCurve({
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp: Fp256,
-  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha256);
-/** Alias to p256. */
-export const secp256r1: CurveFnWithCreate = p256;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp256, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp256.create(BigInt('-10')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P256_XMD:SHA-256_SSWU_RO_',
-    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp256.ORDER,
-    m: 1,
-    k: 128,
-    expand: 'xmd',
-    hash: sha256,
-  }))();
-/** secp256r1 hash-to-curve from RFC 9380. */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp256r1 encode-to-curve from RFC 9380. */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p256_hasher, p256 as p256n } from './nist.ts';
+export const p256: typeof p256n = p256n;
+export const secp256r1: typeof p256n = p256n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

package/src/p384.ts

@@ -1,61 +1,13 @@
 /**
  * NIST secp384r1 aka p384.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha384 } from '@noble/hashes/sha2';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
-
-// Field over which we'll do calculations.
-const Fp384 = Field(
-  BigInt(
-    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
-  )
-);
-const CURVE_A = Fp384.create(BigInt('-3'));
-// prettier-ignore
-const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
-
-/**
- * secp384r1 curve, ECDSA and ECDH methods.
- * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
- * */
-// prettier-ignore
-export const p384: CurveFnWithCreate = createCurve({
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp: Fp384,
-  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha384);
-/** Alias to p384. */
-export const secp384r1: CurveFnWithCreate = p384;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp384, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp384.create(BigInt('-12')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P384_XMD:SHA-384_SSWU_RO_',
-    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp384.ORDER,
-    m: 1,
-    k: 192,
-    expand: 'xmd',
-    hash: sha384,
-  }))();
-/** secp384r1 hash-to-curve from RFC 9380. */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp384r1 encode-to-curve from RFC 9380. */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p384_hasher, p384 as p384n } from './nist.ts';
+export const p384: typeof p384n = p384n;
+export const secp384r1: typeof p384n = p384n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
+
+/** @deprecated Use `import { p384_hasher } from "@noble/curves/nist"` module. */

package/src/p521.ts

@@ -1,70 +1,11 @@
 /**
  * NIST secp521r1 aka p521.
- * Note that it's 521, which differs from 512 of its hash function.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha2';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
-
-// Field over which we'll do calculations.
-const Fp521 = Field(
-  BigInt(
-    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-  )
-);
-
-const CURVE_A = Fp521.create(BigInt('-3'));
-const CURVE_B = BigInt(
-  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
-);
-
-/**
- * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
- * Field: `2n**521n - 1n`.
- */
-// prettier-ignore
-export const p521: CurveFnWithCreate = createCurve({
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp: Fp521,
-  n: BigInt(
-    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
-  ),
-  Gx: BigInt(
-    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
-  ),
-  Gy: BigInt(
-    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
-  ),
-  h: BigInt(1),
-  lowS: false,
-  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
-} as const, sha512);
-export const secp521r1: CurveFnWithCreate = p521;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp521, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp521.create(BigInt('-4')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P521_XMD:SHA-512_SSWU_RO_',
-    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
-    p: Fp521.ORDER,
-    m: 1,
-    k: 256,
-    expand: 'xmd',
-    hash: sha512,
-  }))();
-/** secp521r1 hash-to-curve from RFC 9380. */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp521r1 encode-to-curve from RFC 9380. */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p521_hasher, p521 as p521n } from './nist.ts';
+export const p521: typeof p521n = p521n;
+export const secp521r1: typeof p521n = p521n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();

package/src/pasta.ts

@@ -1 +1,5 @@
-export { pallas, vesta } from './misc.ts';
+import { pallas as pn, vesta as vn } from './misc.ts';
+/** @deprecated */
+export const pallas: typeof pn = pn;
+/** @deprecated */
+export const vesta: typeof vn = vn;