@noble/curves 1.8.2 → 1.9.1

package/src/ed448.ts

@@ -15,10 +15,11 @@ import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwa
 import {
   createHasher,
   expand_message_xof,
+  type Hasher,
   type htfBasicOpts,
   type HTFMethod,
 } from './abstract/hash-to-curve.ts';
-import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
 import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
@@ -29,8 +30,8 @@ import {
   numberToBytesLE,
 } from './abstract/utils.ts';
 
-const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
-const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
+const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
 const ed448P = BigInt(
   '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
 );
@@ -93,47 +94,49 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: mod(x2 * v, P) === u, value: x };
 }
 
-const Fp = Field(ed448P, 456, true);
-
-const ED448_DEF = {
-  // Param: a
-  a: BigInt(1),
-  // -39081 a.k.a. Fp.neg(39081)
-  d: BigInt(
-    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
-  ),
-  // Finite field 2n**448n - 2n**224n - 1n
-  Fp,
-  // Subgroup order
-  // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-  n: BigInt(
-    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
-  ),
-  // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-  nBitLength: 456,
-  h: BigInt(4),
-  Gx: BigInt(
-    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
-  ),
-  Gy: BigInt(
-    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
-  ),
-  // SHAKE256(dom4(phflag,context)||x, 114)
-  hash: shake256_114,
-  randomBytes,
-  adjustScalarBytes,
-  // dom4
-  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-    if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
-    return concatBytes(
-      utf8ToBytes('SigEd448'),
-      new Uint8Array([phflag ? 1 : 0, ctx.length]),
-      ctx,
-      data
-    );
-  },
-  uvRatio,
-} as const;
+// Finite field 2n**448n - 2n**224n - 1n
+const Fp = /* @__PURE__ */ (() => Field(ed448P, 456, true))();
+
+const ED448_DEF = /* @__PURE__ */ (() =>
+  ({
+    // Param: a
+    a: BigInt(1),
+    // -39081 a.k.a. Fp.neg(39081)
+    d: BigInt(
+      '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
+    ),
+    // Finite field 2n**448n - 2n**224n - 1n
+    Fp,
+    // Subgroup order
+    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    n: BigInt(
+      '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
+    ),
+    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+    nBitLength: 456,
+    h: BigInt(4),
+    Gx: BigInt(
+      '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
+    ),
+    Gy: BigInt(
+      '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
+    ),
+    // SHAKE256(dom4(phflag,context)||x, 114)
+    hash: shake256_114,
+    randomBytes,
+    adjustScalarBytes,
+    // dom4
+    domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
+      if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
+      return concatBytes(
+        utf8ToBytes('SigEd448'),
+        new Uint8Array([phflag ? 1 : 0, ctx.length]),
+        ctx,
+        data
+      );
+    },
+    uvRatio,
+  }) as const)();
 
 /**
  * ed448 EdDSA curve and methods.
@@ -145,28 +148,27 @@ const ED448_DEF = {
  * const sig = ed448.sign(msg, priv);
  * ed448.verify(sig, msg, pub);
  */
-export const ed448: CurveFn = /* @__PURE__ */ twistedEdwards(ED448_DEF);
+export const ed448: CurveFn = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
-export const ed448ph: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...ED448_DEF,
-  prehash: shake256_64,
-});
+export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
+  twistedEdwards({
+    ...ED448_DEF,
+    prehash: shake256_64,
+  }))();
 
 /**
  * ECDH using curve448 aka x448.
+ * x448 has 56-byte keys as per RFC 7748, while
+ * ed448 has 57-byte keys as per RFC 8032.
  */
 export const x448: XCurveFn = /* @__PURE__ */ (() =>
   montgomery({
-    a: BigInt(156326),
-    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-    montgomeryBits: 448,
-    nByteLength: 56,
     P: ed448P,
-    Gu: BigInt(5),
+    type: 'x448',
     powPminus2: (x: bigint): bigint => {
       const P = ed448P;
       const Pminus3div4 = ed448_pow_Pminus3div4(x);
-      const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
+      const Pminus3 = pow2(Pminus3div4, _2n, P);
       return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
     },
     adjustScalarBytes,
@@ -191,8 +193,8 @@ export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontg
 // TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
 
 // Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
+const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = /* @__PURE__ */ BigInt(156326);
 
 function map_to_curve_elligator2_curve448(u: bigint) {
   let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
@@ -263,11 +265,11 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
   yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
 
-  const inv = Fp.invertBatch([xEd, yEd]); // batch division
+  const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
   return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 
-const htf = /* @__PURE__ */ (() =>
+export const ed448_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed448.ExtendedPoint,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
@@ -281,29 +283,30 @@ const htf = /* @__PURE__ */ (() =>
       hash: shake256,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+  ed448_hasher.encodeToCurve)();
 
 function adecafp(other: unknown) {
   if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
 }
 
 // 1-d
-const ONE_MINUS_D = BigInt('39082');
+const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
 // 1-2d
-const ONE_MINUS_TWO_D = BigInt('78163');
+const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
 // √(-d)
-const SQRT_MINUS_D = BigInt(
+const SQRT_MINUS_D = /* @__PURE__ */ BigInt(
   '98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214'
 );
 // 1 / √(-d)
-const INVSQRT_MINUS_D = BigInt(
+const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt(
   '315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716'
 );
 // Calculates 1/√(number)
 const invertSqrt = (number: bigint) => uvRatio(_1n, number);
 
-const MAX_448B = BigInt(
+const MAX_448B = /* @__PURE__ */ BigInt(
   '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
 );
 const bytes448ToNumberLE = (bytes: Uint8Array) =>
@@ -311,8 +314,11 @@ const bytes448ToNumberLE = (bytes: Uint8Array) =>
 
 type ExtendedPoint = ExtPointType;
 
-// Computes Elligator map for Decaf
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+/**
+ * Elligator map for hash-to-curve of decaf448.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
+ * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
+ */
 function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
   const { d } = ed448.CURVE;
   const P = ed448.CURVE.Fp.ORDER;
@@ -347,7 +353,7 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
  * Decaf point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
  * but it should work in its own namespace: do not combine those two.
- * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
 class DcfPoint implements Group<DcfPoint> {
   static BASE: DcfPoint;
@@ -367,7 +373,8 @@ class DcfPoint implements Group<DcfPoint> {
    * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
    * The hash-to-group operation applies Elligator twice and adds the results.
    * **Note:** this is one-way map, there is no conversion from point to hash.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+   * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
+   * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
    * @param hex 112-byte output of a hash function
    */
   static hashToCurve(hex: Hex): DcfPoint {
@@ -381,7 +388,7 @@ class DcfPoint implements Group<DcfPoint> {
 
   /**
    * Converts decaf-encoded string to decaf point.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-decode-2
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
    * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
    */
   static fromHex(hex: Hex): DcfPoint {
@@ -421,7 +428,7 @@ class DcfPoint implements Group<DcfPoint> {
 
   /**
    * Encodes decaf point to Uint8Array.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-encode-2
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
    */
   toRawBytes(): Uint8Array {
     let { ex: x, ey: _y, ez: z, et: t } = this.ep;
@@ -451,8 +458,10 @@ class DcfPoint implements Group<DcfPoint> {
     return this.toHex();
   }
 
-  // Compare one point to another.
-  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
+  /**
+   * Compare one point to another.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
+   */
   equals(other: DcfPoint): boolean {
     adecafp(other);
     const { ex: X1, ey: Y1 } = this.ep;
@@ -489,6 +498,10 @@ class DcfPoint implements Group<DcfPoint> {
   }
 }
 
+/**
+ * Wrapper over Edwards Point for decaf448 from
+ * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
+ */
 export const DecafPoint: typeof DcfPoint = /* @__PURE__ */ (() => {
   // decaf448 base point is ed448 base x 2
   // https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699
@@ -497,7 +510,10 @@ export const DecafPoint: typeof DcfPoint = /* @__PURE__ */ (() => {
   return DcfPoint;
 })();
 
-// Hashing to decaf448. https://www.rfc-editor.org/rfc/rfc9380#appendix-C
+/**
+ * hash-to-curve for decaf448.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C).
+ */
 export const hashToDecaf448 = (msg: Uint8Array, options: htfBasicOpts): DcfPoint => {
   const d = options.DST;
   const DST = typeof d === 'string' ? utf8ToBytes(d) : d;

package/src/jubjub.ts

@@ -1,5 +1,12 @@
-export {
-  jubjub_findGroupHash as findGroupHash,
-  jubjub_groupHash as groupHash,
-  jubjub,
-} from './misc.ts';
+/**
+ * @deprecated
+ * @module
+ */
+import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
+
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const jubjub: typeof jubjubn = jubjubn;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const findGroupHash: typeof jubjub_findGroupHash = jubjub_findGroupHash;
+/** @deprecated Use `@noble/curves/misc` module directly. */
+export const groupHash: typeof jubjub_groupHash = jubjub_groupHash;

package/src/misc.ts

@@ -5,7 +5,7 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { blake256 } from '@noble/hashes/blake1';
-import { blake2s } from '@noble/hashes/blake2s';
+import { blake2s } from '@noble/hashes/blake2';
 import { sha256, sha512 } from '@noble/hashes/sha2';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
 import { getHash } from './_shortw_utils.ts';
@@ -70,7 +70,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
 
 // No secret data is leaked here at all.
 // It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(new Uint8Array(), utf8ToBytes('Item_G_'));
+// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
 export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
   const tag = concatBytes(m, new Uint8Array([0]));
   const hashes = [];
@@ -93,7 +93,10 @@ export const pasta_q: bigint = BigInt(
   '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
 );
 
-/** https://neuromancer.sk/std/other/Pallas */
+/**
+ * https://neuromancer.sk/std/other/Pallas
+ * @deprecated
+ */
 export const pallas: WCurveFn = weierstrass({
   a: BigInt(0),
   b: BigInt(5),
@@ -104,7 +107,10 @@ export const pallas: WCurveFn = weierstrass({
   h: BigInt(1),
   ...getHash(sha256),
 });
-/** https://neuromancer.sk/std/other/Vesta */
+/**
+ * https://neuromancer.sk/std/other/Vesta
+ * @deprecated
+ */
 export const vesta: WCurveFn = weierstrass({
   a: BigInt(0),
   b: BigInt(5),

package/src/nist.ts

@@ -0,0 +1,155 @@
+/**
+ * Internal module for NIST P256, P384, P521 curves.
+ * Do not use for now.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2';
+import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
+import { createHasher, type Hasher } from './abstract/hash-to-curve.ts';
+import { Field } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
+
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const p256_a = Fp256.create(BigInt('-3'));
+const p256_b = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
+
+/**
+ * secp256r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
+ */
+// prettier-ignore
+export const p256: CurveFnWithCreate = createCurve({
+  a: p256_a,
+  b: p256_b,
+  Fp: Fp256,
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha256);
+/** Alias to p256. */
+export const secp256r1: CurveFnWithCreate = p256;
+
+const p256_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp256, {
+    A: p256_a,
+    B: p256_b,
+    Z: Fp256.create(BigInt('-10')),
+  }))();
+
+/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
+export const p256_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => p256_mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp256.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp384 = Field(
+  BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
+  )
+);
+const p384_a = Fp384.create(BigInt('-3'));
+// prettier-ignore
+const p384_b = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
+
+/**
+ * secp384r1 curve, ECDSA and ECDH methods.
+ * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
+ * */
+// prettier-ignore
+export const p384: CurveFnWithCreate = createCurve({
+  a: p384_a,
+  b: p384_b,
+  Fp: Fp384,
+  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
+  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
+  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+  h: BigInt(1),
+  lowS: false
+} as const, sha384);
+/** Alias to p384. */
+export const secp384r1: CurveFnWithCreate = p384;
+
+const p384_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp384, {
+    A: p384_a,
+    B: p384_b,
+    Z: Fp384.create(BigInt('-12')),
+  }))();
+
+/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
+export const p384_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => p384_mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp384.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+  }))();
+
+// Field over which we'll do calculations.
+const Fp521 = Field(
+  BigInt(
+    '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  )
+);
+
+const p521_a = Fp521.create(BigInt('-3'));
+const p521_b = BigInt(
+  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+);
+
+/**
+ * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
+ * Field: `2n**521n - 1n`.
+ */
+// prettier-ignore
+export const p521: CurveFnWithCreate = createCurve({
+  a: p521_a,
+  b: p521_b,
+  Fp: Fp521,
+  n: BigInt(
+    '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
+  ),
+  Gx: BigInt(
+    '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
+  ),
+  Gy: BigInt(
+    '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
+  ),
+  h: BigInt(1),
+  lowS: false,
+  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
+} as const, sha512);
+/** Alias to p521. */
+export const secp521r1: CurveFnWithCreate = p521;
+
+const p521_mapSWU = /* @__PURE__ */ (() =>
+  mapToCurveSimpleSWU(Fp521, {
+    A: p521_a,
+    B: p521_b,
+    Z: Fp521.create(BigInt('-4')),
+  }))();
+
+/** Hashing / encoding to p521 points / field. RFC 9380 methods. */
+export const p521_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => p521_mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp521.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+  }))();

package/src/p256.ts

@@ -1,55 +1,11 @@
 /**
  * NIST secp256r1 aka p256.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha2';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
-
-const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A = Fp256.create(BigInt('-3'));
-const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
-
-/**
- * secp256r1 curve, ECDSA and ECDH methods.
- * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
- */
-// prettier-ignore
-export const p256: CurveFnWithCreate = createCurve({
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp: Fp256,
-  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha256);
-/** Alias to p256. */
-export const secp256r1: CurveFnWithCreate = p256;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp256, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp256.create(BigInt('-10')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P256_XMD:SHA-256_SSWU_RO_',
-    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp256.ORDER,
-    m: 1,
-    k: 128,
-    expand: 'xmd',
-    hash: sha256,
-  }))();
-/** secp256r1 hash-to-curve from RFC 9380. */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp256r1 encode-to-curve from RFC 9380. */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p256_hasher, p256 as p256n } from './nist.ts';
+export const p256: typeof p256n = p256n;
+export const secp256r1: typeof p256n = p256n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

package/src/p384.ts

@@ -1,61 +1,13 @@
 /**
  * NIST secp384r1 aka p384.
- * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha384 } from '@noble/hashes/sha2';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type HTFMethod } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
-
-// Field over which we'll do calculations.
-const Fp384 = Field(
-  BigInt(
-    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
-  )
-);
-const CURVE_A = Fp384.create(BigInt('-3'));
-// prettier-ignore
-const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
-
-/**
- * secp384r1 curve, ECDSA and ECDH methods.
- * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
- * */
-// prettier-ignore
-export const p384: CurveFnWithCreate = createCurve({
-  a: CURVE_A,
-  b: CURVE_B,
-  Fp: Fp384,
-  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha384);
-/** Alias to p384. */
-export const secp384r1: CurveFnWithCreate = p384;
-
-const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp384, {
-    A: CURVE_A,
-    B: CURVE_B,
-    Z: Fp384.create(BigInt('-12')),
-  }))();
-
-const htf = /* @__PURE__ */ (() =>
-  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
-    DST: 'P384_XMD:SHA-384_SSWU_RO_',
-    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp384.ORDER,
-    m: 1,
-    k: 192,
-    expand: 'xmd',
-    hash: sha384,
-  }))();
-/** secp384r1 hash-to-curve from RFC 9380. */
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
-/** secp384r1 encode-to-curve from RFC 9380. */
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
+import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { p384_hasher, p384 as p384n } from './nist.ts';
+export const p384: typeof p384n = p384n;
+export const secp384r1: typeof p384n = p384n;
+export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
+export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
+
+/** @deprecated Use `import { p384_hasher } from "@noble/curves/nist"` module. */