@noble/curves 1.9.0 → 1.9.2

package/src/bn254.ts

@@ -13,7 +13,7 @@ There are huge compatibility issues in the ecosystem:
    https://github.com/scipr-lab/libff/blob/a44f482e18b8ac04d034c193bd9d7df7817ad73f/libff/algebra/curves/bn128/bn128_init.cpp#L166-L169
 3. halo2curves bn256 is also incompatible and returns different outputs
 
-We don't implement Point methods toHex / toRawBytes.
+We don't implement Point methods toHex / toBytes.
 To work around this limitation, has to initialize points on their own from BigInts.
 Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
 Points of divergence:
@@ -54,32 +54,40 @@ Ate loop size: 6x+2
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha2';
-import { randomBytes } from '@noble/hashes/utils';
-import { getHash } from './_shortw_utils.ts';
+import { sha256 } from '@noble/hashes/sha2.js';
 import {
   bls,
   type CurveFn as BLSCurveFn,
   type PostPrecomputeFn,
   type PostPrecomputePointAddFn,
 } from './abstract/bls.ts';
-import { Field } from './abstract/modular.ts';
+import { Field, type IField } from './abstract/modular.ts';
 import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
 import { psiFrobenius, tower12 } from './abstract/tower.ts';
-import { bitGet, bitLen, notImplemented } from './abstract/utils.ts';
-import { type CurveFn, weierstrass } from './abstract/weierstrass.ts';
+import { type CurveFn, weierstrass, type WeierstrassOpts } from './abstract/weierstrass.ts';
+import { bitGet, bitLen, notImplemented } from './utils.ts';
 // prettier-ignore
-const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 const _6n = BigInt(6);
 
 const BN_X = BigInt('4965661367192848881');
 const BN_X_LEN = bitLen(BN_X);
 const SIX_X_SQUARED = _6n * BN_X ** _2n;
 
+const bn254_G1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
+  n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+  h: _1n,
+  a: _0n,
+  b: _3n,
+  Gx: _1n,
+  Gy: BigInt(2),
+};
+
+// r == n
 // Finite field over r. It's for convenience and is not used in the code below.
-const Fr = Field(
-  BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617')
-);
+export const bn254_Fr: IField<bigint> = Field(bn254_G1_CURVE.n);
+
 // Fp2.div(Fp2.mul(Fp2.ONE, _3n), Fp2.NONRESIDUE)
 const Fp2B = {
   c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
@@ -87,7 +95,7 @@ const Fp2B = {
 };
 
 const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
-  ORDER: BigInt('21888242871839275222246405745257275088696311157297823662689037894645226208583'),
+  ORDER: bn254_G1_CURVE.p,
   FP2_NONRESIDUE: [BigInt(9), _1n],
   Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
   // The result of any pairing is in a cyclotomic subgroup
@@ -161,7 +169,7 @@ const htfDefaults = Object.freeze({
   k: 128,
   expand: 'xmd',
   hash: sha256,
-} as const);
+});
 
 export const _postPrecompute: PostPrecomputeFn = (
   Rx: Fp2,
@@ -177,20 +185,33 @@ export const _postPrecompute: PostPrecomputeFn = (
   pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
 };
 
+// cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
+const bn254_G2_CURVE: WeierstrassOpts<Fp2> = {
+  p: Fp2.ORDER,
+  n: bn254_G1_CURVE.n,
+  h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
+  a: Fp2.ZERO,
+  b: Fp2B,
+  Gx: Fp2.fromBigTuple([
+    BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
+    BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
+  ]),
+  Gy: Fp2.fromBigTuple([
+    BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
+    BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
+  ]),
+};
+
 /**
  * bn254 (a.k.a. alt_bn128) pairing-friendly curve.
  * Contains G1 / G2 operations and pairings.
  */
 export const bn254: BLSCurveFn = bls({
   // Fields
-  fields: { Fp, Fp2, Fp6, Fp12, Fr },
+  fields: { Fp, Fp2, Fp6, Fp12, Fr: bn254_Fr },
   G1: {
+    ...bn254_G1_CURVE,
     Fp,
-    h: BigInt(1),
-    Gx: BigInt(1),
-    Gy: BigInt(2),
-    a: Fp.ZERO,
-    b: _3n,
     htfDefaults: { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
     wrapPrivateKey: true,
     allowInfinityPoint: true,
@@ -198,25 +219,16 @@ export const bn254: BLSCurveFn = bls({
     fromBytes: notImplemented,
     toBytes: notImplemented,
     ShortSignature: {
+      fromBytes: notImplemented,
       fromHex: notImplemented,
+      toBytes: notImplemented,
       toRawBytes: notImplemented,
       toHex: notImplemented,
     },
   },
   G2: {
+    ...bn254_G2_CURVE,
     Fp: Fp2,
-    // cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
-    h: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
-    Gx: Fp2.fromBigTuple([
-      BigInt('10857046999023057135944570762232829481370756359578518086990519993285655852781'),
-      BigInt('11559732032986387107991004021392285783925812861821192530917403151452391805634'),
-    ]),
-    Gy: Fp2.fromBigTuple([
-      BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
-      BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
-    ]),
-    a: Fp2.ZERO,
-    b: Fp2B,
     hEff: BigInt('21888242871839275222246405745257275088844257914179612981679871602714643921549'),
     htfDefaults: { ...htfDefaults },
     wrapPrivateKey: true,
@@ -226,21 +238,21 @@ export const bn254: BLSCurveFn = bls({
     fromBytes: notImplemented,
     toBytes: notImplemented,
     Signature: {
+      fromBytes: notImplemented,
       fromHex: notImplemented,
+      toBytes: notImplemented,
       toRawBytes: notImplemented,
       toHex: notImplemented,
     },
   },
   params: {
     ateLoopSize: BN_X * _6n + _2n,
-    r: Fr.ORDER,
+    r: bn254_Fr.ORDER,
     xNegative: false,
     twistType: 'divisive',
   },
   htfDefaults,
   hash: sha256,
-  randomBytes,
-
   postPrecompute: _postPrecompute,
 });
 
@@ -258,5 +270,5 @@ export const bn254_weierstrass: CurveFn = weierstrass({
   Gx: BigInt(1),
   Gy: BigInt(2),
   h: BigInt(1),
-  ...getHash(sha256),
+  hash: sha256,
 });

package/src/ed25519.ts

@@ -6,16 +6,21 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha2';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { sha512 } from '@noble/hashes/sha2.js';
+import { abytes, concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 import { type AffinePoint, type Group, pippenger } from './abstract/curve.ts';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import {
+  type CurveFn,
+  type EdwardsOpts,
+  type ExtPointType,
+  twistedEdwards,
+} from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xmd,
-  type Hasher,
+  type H2CHasher,
+  type H2CMethod,
   type htfBasicOpts,
-  type HTFMethod,
 } from './abstract/hash-to-curve.ts';
 import { Field, FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
 import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
@@ -26,27 +31,33 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.ts';
-
-// 2n**255n - 19n
-const ED25519_P = BigInt(
-  '57896044618658097711785492504343953926634992332820282019728792003956564819949'
-);
-// √(-1) aka √(a) aka 2^((p-1)/4)
-// Fp.sqrt(Fp.neg(1))
-const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
-  '19681161376707505956807079304988542015446066515923890162744021073123829784752'
-);
+} from './utils.ts';
 
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
 const _5n = BigInt(5), _8n = BigInt(8);
 
+// 2n**255n - 19n
+// Removing Fp.create() will still work, and is 10% faster on sign
+//     a: Fp.create(BigInt(-1)),
+// d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
+// Finite field 2n**255n - 19n
+// Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
+const ed25519_CURVE: EdwardsOpts = {
+  p: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed'),
+  n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
+  h: _8n,
+  a: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec'),
+  d: BigInt('0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3'),
+  Gx: BigInt('0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a'),
+  Gy: BigInt('0x6666666666666666666666666666666666666666666666666666666666666658'),
+};
+
 function ed25519_pow_2_252_3(x: bigint) {
   // prettier-ignore
   const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
-  const P = ED25519_P;
+  const P = ed25519_CURVE.p;
   const x2 = (x * x) % P;
   const b2 = (x2 * x) % P; // x^3, 11
   const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
@@ -74,9 +85,14 @@ function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
   return bytes;
 }
 
+// √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
+const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
+  '19681161376707505956807079304988542015446066515923890162744021073123829784752'
+);
 // sqrt(u/v)
 function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
-  const P = ED25519_P;
+  const P = ed25519_CURVE.p;
   const v3 = mod(v * v * v, P); // v³
   const v7 = mod(v3 * v3 * v, P); // v⁷
   // (p+3)/8 and (p-5)/8
@@ -106,29 +122,18 @@ export const ED25519_TORSION_SUBGROUP: string[] = [
   'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
 
-const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
-
-const ed25519Defaults = /* @__PURE__ */ (() =>
-  ({
-    // Removing Fp.create() will still work, and is 10% faster on sign
-    a: Fp.create(BigInt(-1)),
-    // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
-    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 2n**255n - 19n
-    Fp,
-    // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
-    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    h: _8n,
-    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
-    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
-    hash: sha512,
-    randomBytes,
-    adjustScalarBytes,
-    // dom2
-    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
-    // Constant-time, u/√v
-    uvRatio,
-  }) as const)();
+const Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, undefined, true))();
+
+const ed25519Defaults = /* @__PURE__ */ (() => ({
+  ...ed25519_CURVE,
+  Fp,
+  hash: sha512,
+  adjustScalarBytes,
+  // dom2
+  // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+  // Constant-time, u/√v
+  uvRatio,
+}))();
 
 /**
  * ed25519 curve with EdDSA signatures.
@@ -176,22 +181,19 @@ export const ed25519ph: CurveFn = /* @__PURE__ */ (() =>
  * x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
  * x25519.getPublicKey(x25519.utils.randomPrivateKey());
  */
-export const x25519: XCurveFn = /* @__PURE__ */ (() =>
-  montgomery({
-    P: ED25519_P,
-    a: BigInt(486662),
-    montgomeryBits: 255, // n is 253 bits
-    nByteLength: 32,
-    Gu: BigInt(9),
+export const x25519: XCurveFn = /* @__PURE__ */ (() => {
+  const P = ed25519_CURVE.p;
+  return montgomery({
+    P,
+    type: 'x25519',
     powPminus2: (x: bigint): bigint => {
-      const P = ED25519_P;
       // x^(p-2) aka x^(2^255-21)
       const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
       return mod(pow2(pow_p_5_8, _3n, P) * b2, P);
     },
     adjustScalarBytes,
-    randomBytes,
-  }))();
+  });
+})();
 
 /**
  * Converts ed25519 public key to x25519 public key. Uses formula:
@@ -203,7 +205,8 @@ export const x25519: XCurveFn = /* @__PURE__ */ (() =>
  *   x25519.getSharedSecret(aPriv, edwardsToMontgomeryPub(someonesPub))
  */
 export function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array {
-  const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
+  const bpub = ensureBytes('pub', edwardsPub);
+  const { y } = ed25519.Point.fromHex(bpub);
   const _1n = BigInt(1);
   return Fp.toBytes(Fp.create((_1n + y) * Fp.inv(_1n - y)));
 }
@@ -294,9 +297,9 @@ function map_to_curve_elligator2_edwards25519(u: bigint) {
   return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; //  13. return (xn, xd, yn, yd)
 }
 
-export const ed25519_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+export const ed25519_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
-    ed25519.ExtendedPoint,
+    ed25519.Point,
     (scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
     {
       DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
@@ -308,8 +311,8 @@ export const ed25519_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
       hash: sha512,
     }
   ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   ed25519_hasher.encodeToCurve)();
 
 function aristp(other: unknown) {
@@ -345,8 +348,11 @@ const bytes255ToNumberLE = (bytes: Uint8Array) =>
 
 type ExtendedPoint = ExtPointType;
 
-// Computes Elligator map for Ristretto
-// https://ristretto.group/formulas/elligator.html
+/**
+ * Computes Elligator map for Ristretto255.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
+ * the [website](https://ristretto.group/formulas/elligator.html).
+ */
 function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
   const { d } = ed25519.CURVE;
   const P = ed25519.CURVE.Fp.ORDER;
@@ -366,7 +372,7 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
   const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
   const W2 = mod(_1n - s2); // 12
   const W3 = mod(_1n + s2); // 13
-  return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+  return new ed25519.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
 /**
@@ -374,7 +380,7 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
  * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
  * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
  * but it should work in its own namespace: do not combine those two.
- * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
 class RistPoint implements Group<RistPoint> {
   static BASE: RistPoint;
@@ -387,14 +393,15 @@ class RistPoint implements Group<RistPoint> {
   }
 
   static fromAffine(ap: AffinePoint<bigint>): RistPoint {
-    return new RistPoint(ed25519.ExtendedPoint.fromAffine(ap));
+    return new RistPoint(ed25519.Point.fromAffine(ap));
   }
 
   /**
    * Takes uniform output of 64-byte hash function like sha512 and converts it to `RistrettoPoint`.
    * The hash-to-group operation applies Elligator twice and adds the results.
    * **Note:** this is one-way map, there is no conversion from point to hash.
-   * https://ristretto.group/formulas/elligator.html
+   * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
+   * the [website](https://ristretto.group/formulas/elligator.html).
    * @param hex 64-byte output of a hash function
    */
   static hashToCurve(hex: Hex): RistPoint {
@@ -406,16 +413,21 @@ class RistPoint implements Group<RistPoint> {
     return new RistPoint(R1.add(R2));
   }
 
+  static fromBytes(bytes: Uint8Array): RistPoint {
+    abytes(bytes);
+    return this.fromHex(bytes);
+  }
+
   /**
    * Converts ristretto-encoded string to ristretto point.
-   * https://ristretto.group/formulas/decoding.html
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
    * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
    */
   static fromHex(hex: Hex): RistPoint {
     hex = ensureBytes('ristrettoHex', hex, 32);
     const { a, d } = ed25519.CURVE;
-    const P = ed25519.CURVE.Fp.ORDER;
-    const mod = ed25519.CURVE.Fp.create;
+    const P = Fp.ORDER;
+    const mod = Fp.create;
     const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
     const s = bytes255ToNumberLE(hex);
     // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
@@ -435,7 +447,7 @@ class RistPoint implements Group<RistPoint> {
     const y = mod(u1 * Dy); // 11
     const t = mod(x * y); // 12
     if (!isValid || isNegativeLE(t, P) || y === _0n) throw new Error(emsg);
-    return new RistPoint(new ed25519.ExtendedPoint(x, y, _1n, t));
+    return new RistPoint(new ed25519.Point(x, y, _1n, t));
   }
 
   static msm(points: RistPoint[], scalars: bigint[]): RistPoint {
@@ -445,12 +457,12 @@ class RistPoint implements Group<RistPoint> {
 
   /**
    * Encodes ristretto point to Uint8Array.
-   * https://ristretto.group/formulas/encoding.html
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
    */
-  toRawBytes(): Uint8Array {
+  toBytes(): Uint8Array {
     let { ex: x, ey: y, ez: z, et: t } = this.ep;
-    const P = ed25519.CURVE.Fp.ORDER;
-    const mod = ed25519.CURVE.Fp.create;
+    const P = Fp.ORDER;
+    const mod = Fp.create;
     const u1 = mod(mod(z + y) * mod(z - y)); // 1
     const u2 = mod(x * y); // 2
     // Square root always exists
@@ -475,20 +487,28 @@ class RistPoint implements Group<RistPoint> {
     return numberToBytesLE(s, 32); // 11
   }
 
+  /** @deprecated use `toBytes` */
+  toRawBytes(): Uint8Array {
+    return this.toBytes();
+  }
+
   toHex(): string {
-    return bytesToHex(this.toRawBytes());
+    return bytesToHex(this.toBytes());
   }
 
   toString(): string {
     return this.toHex();
   }
 
-  // Compare one point to another.
+  /**
+   * Compares two Ristretto points.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
+   */
   equals(other: RistPoint): boolean {
     aristp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
-    const mod = ed25519.CURVE.Fp.create;
+    const mod = Fp.create;
     // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
     const one = mod(X1 * Y2) === mod(Y1 * X2);
     const two = mod(Y1 * Y2) === mod(X1 * X2);
@@ -521,13 +541,21 @@ class RistPoint implements Group<RistPoint> {
     return new RistPoint(this.ep.negate());
   }
 }
+
+/**
+ * Wrapper over Edwards Point for ristretto255 from
+ * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
+ */
 export const RistrettoPoint: typeof RistPoint = /* @__PURE__ */ (() => {
-  if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.ExtendedPoint.BASE);
-  if (!RistPoint.ZERO) RistPoint.ZERO = new RistPoint(ed25519.ExtendedPoint.ZERO);
+  if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.Point.BASE);
+  if (!RistPoint.ZERO) RistPoint.ZERO = new RistPoint(ed25519.Point.ZERO);
   return RistPoint;
 })();
 
-// Hashing to ristretto255. https://www.rfc-editor.org/rfc/rfc9380#appendix-B
+/**
+ * hash-to-curve for ristretto255.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B).
+ */
 export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts): RistPoint => {
   const d = options.DST;
   const DST = typeof d === 'string' ? utf8ToBytes(d) : d;