@noble/curves 1.9.0 → 1.9.2

package/src/ed448.ts

@@ -7,17 +7,29 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { shake256 } from '@noble/hashes/sha3';
-import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
+import { shake256 } from '@noble/hashes/sha3.js';
+import {
+  abytes,
+  concatBytes,
+  utf8ToBytes,
+  createHasher as wrapConstructor,
+} from '@noble/hashes/utils.js';
 import type { AffinePoint, Group } from './abstract/curve.ts';
 import { pippenger } from './abstract/curve.ts';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import {
+  type CurveFn,
+  edwards,
+  type EdwardsOpts,
+  type ExtPointConstructor,
+  type ExtPointType,
+  twistedEdwards,
+} from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xof,
-  type Hasher,
+  type H2CHasher,
+  type H2CMethod,
   type htfBasicOpts,
-  type HTFMethod,
 } from './abstract/hash-to-curve.ts';
 import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
 import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
@@ -28,13 +40,53 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.ts';
+} from './utils.ts';
+
+// a = 1n
+// d = Fp.neg(39081n)
+// Finite field 2n**448n - 2n**224n - 1n
+// Subgroup order
+// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+const ed448_CURVE: EdwardsOpts = {
+  p: BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+  ),
+  n: BigInt(
+    '0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'
+  ),
+  h: BigInt(4),
+  a: BigInt(1),
+  d: BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'
+  ),
+  Gx: BigInt(
+    '0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'
+  ),
+  Gy: BigInt(
+    '0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'
+  ),
+};
 
-const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
-const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
-const ed448P = BigInt(
-  '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
-);
+// E448 != Edwards448 used in ed448
+// E448 is defined by NIST
+// It's birationally equivalent to edwards448
+// d = 39082/39081
+// Gx = 3/2
+const E448_CURVE: EdwardsOpts = Object.assign({}, ed448_CURVE, {
+  d: BigInt(
+    '0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'
+  ),
+  Gx: BigInt(
+    '0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'
+  ),
+  Gy: BigInt(
+    '0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
+  ),
+});
+export const E448: ExtPointConstructor = edwards(E448_CURVE);
+
+const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
 
 // prettier-ignore
 const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
@@ -45,7 +97,7 @@ const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(22
 // Used for efficient square root calculation.
 // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
 function ed448_pow_Pminus3div4(x: bigint): bigint {
-  const P = ed448P;
+  const P = ed448_CURVE.p;
   const b2 = (x * x * x) % P;
   const b3 = (b2 * b2 * x) % P;
   const b6 = (pow2(b3, _3n, P) * b3) % P;
@@ -75,7 +127,7 @@ function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
 // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
 // Uses algo from RFC8032 5.1.3.
 function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
-  const P = ed448P;
+  const P = ed448_CURVE.p;
   // https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
   // To compute the square root of (u/v), the first step is to compute the
   //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
@@ -94,34 +146,15 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: mod(x2 * v, P) === u, value: x };
 }
 
-const Fp = Field(ed448P, 456, true);
-
-const ED448_DEF = {
-  // Param: a
-  a: BigInt(1),
-  // -39081 a.k.a. Fp.neg(39081)
-  d: BigInt(
-    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
-  ),
-  // Finite field 2n**448n - 2n**224n - 1n
+// Finite field 2n**448n - 2n**224n - 1n
+const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, 456, true))();
+// RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+// SHAKE256(dom4(phflag,context)||x, 114)
+const ED448_DEF = /* @__PURE__ */ (() => ({
+  ...ed448_CURVE,
   Fp,
-  // Subgroup order
-  // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-  n: BigInt(
-    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
-  ),
-  // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
   nBitLength: 456,
-  h: BigInt(4),
-  Gx: BigInt(
-    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
-  ),
-  Gy: BigInt(
-    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
-  ),
-  // SHAKE256(dom4(phflag,context)||x, 114)
   hash: shake256_114,
-  randomBytes,
   adjustScalarBytes,
   // dom4
   domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
@@ -134,7 +167,7 @@ const ED448_DEF = {
     );
   },
   uvRatio,
-} as const;
+}))();
 
 /**
  * ed448 EdDSA curve and methods.
@@ -146,33 +179,32 @@ const ED448_DEF = {
  * const sig = ed448.sign(msg, priv);
  * ed448.verify(sig, msg, pub);
  */
-export const ed448: CurveFn = /* @__PURE__ */ twistedEdwards(ED448_DEF);
+export const ed448: CurveFn = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
-export const ed448ph: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...ED448_DEF,
-  prehash: shake256_64,
-});
+export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
+  twistedEdwards({
+    ...ED448_DEF,
+    prehash: shake256_64,
+  }))();
 
 /**
  * ECDH using curve448 aka x448.
+ * x448 has 56-byte keys as per RFC 7748, while
+ * ed448 has 57-byte keys as per RFC 8032.
  */
-export const x448: XCurveFn = /* @__PURE__ */ (() =>
-  montgomery({
-    a: BigInt(156326),
-    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-    montgomeryBits: 448,
-    nByteLength: 56,
-    P: ed448P,
-    Gu: BigInt(5),
+export const x448: XCurveFn = /* @__PURE__ */ (() => {
+  const P = ed448_CURVE.p;
+  return montgomery({
+    P,
+    type: 'x448',
     powPminus2: (x: bigint): bigint => {
-      const P = ed448P;
       const Pminus3div4 = ed448_pow_Pminus3div4(x);
-      const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
+      const Pminus3 = pow2(Pminus3div4, _2n, P);
       return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
     },
     adjustScalarBytes,
-    randomBytes,
-  }))();
+  });
+})();
 
 /**
  * Converts edwards448 public key to x448 public key. Uses formula:
@@ -183,7 +215,8 @@ export const x448: XCurveFn = /* @__PURE__ */ (() =>
  *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
  */
 export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
-  const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
+  const bpub = ensureBytes('pub', edwardsPub);
+  const { y } = ed448.Point.fromHex(bpub);
   const _1n = BigInt(1);
   return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
 }
@@ -192,8 +225,8 @@ export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontg
 // TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
 
 // Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
+const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = /* @__PURE__ */ BigInt(156326);
 
 function map_to_curve_elligator2_curve448(u: bigint) {
   let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
@@ -268,22 +301,18 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 
-export const ed448_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(
-    ed448.ExtendedPoint,
-    (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
-    {
-      DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
-      encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
-      p: Fp.ORDER,
-      m: 1,
-      k: 224,
-      expand: 'xof',
-      hash: shake256,
-    }
-  ))();
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
+  createHasher(ed448.Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: shake256,
+  }))();
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   ed448_hasher.encodeToCurve)();
 
 function adecafp(other: unknown) {
@@ -291,34 +320,36 @@ function adecafp(other: unknown) {
 }
 
 // 1-d
-const ONE_MINUS_D = BigInt('39082');
+const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
 // 1-2d
-const ONE_MINUS_TWO_D = BigInt('78163');
+const ONE_MINUS_TWO_D = /* @__PURE__ */ BigInt('78163');
 // √(-d)
-const SQRT_MINUS_D = BigInt(
+const SQRT_MINUS_D = /* @__PURE__ */ BigInt(
   '98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214'
 );
 // 1 / √(-d)
-const INVSQRT_MINUS_D = BigInt(
+const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt(
   '315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716'
 );
 // Calculates 1/√(number)
 const invertSqrt = (number: bigint) => uvRatio(_1n, number);
 
-const MAX_448B = BigInt(
+const MAX_448B = /* @__PURE__ */ BigInt(
   '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
 );
-const bytes448ToNumberLE = (bytes: Uint8Array) =>
-  ed448.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_448B);
+const bytes448ToNumberLE = (bytes: Uint8Array) => Fp.create(bytesToNumberLE(bytes) & MAX_448B);
 
 type ExtendedPoint = ExtPointType;
 
-// Computes Elligator map for Decaf
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+/**
+ * Elligator map for hash-to-curve of decaf448.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
+ * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
+ */
 function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
   const { d } = ed448.CURVE;
-  const P = ed448.CURVE.Fp.ORDER;
-  const mod = ed448.CURVE.Fp.create;
+  const P = Fp.ORDER;
+  const mod = Fp.create;
 
   const r = mod(-(r0 * r0)); // 1
   const u0 = mod(d * (r - _1n)); // 2
@@ -341,7 +372,7 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
   const W1 = mod(s2 + _1n); // 9
   const W2 = mod(s2 - _1n); // 10
   const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
-  return new ed448.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+  return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
 /**
@@ -349,7 +380,7 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
  * Decaf point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
  * but it should work in its own namespace: do not combine those two.
- * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
 class DcfPoint implements Group<DcfPoint> {
   static BASE: DcfPoint;
@@ -362,14 +393,15 @@ class DcfPoint implements Group<DcfPoint> {
   }
 
   static fromAffine(ap: AffinePoint<bigint>): DcfPoint {
-    return new DcfPoint(ed448.ExtendedPoint.fromAffine(ap));
+    return new DcfPoint(ed448.Point.fromAffine(ap));
   }
 
   /**
    * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
    * The hash-to-group operation applies Elligator twice and adds the results.
    * **Note:** this is one-way map, there is no conversion from point to hash.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+   * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
+   * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
    * @param hex 112-byte output of a hash function
    */
   static hashToCurve(hex: Hex): DcfPoint {
@@ -381,16 +413,21 @@ class DcfPoint implements Group<DcfPoint> {
     return new DcfPoint(R1.add(R2));
   }
 
+  static fromBytes(bytes: Uint8Array): DcfPoint {
+    abytes(bytes);
+    return this.fromHex(bytes);
+  }
+
   /**
    * Converts decaf-encoded string to decaf point.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-decode-2
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
    * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
    */
   static fromHex(hex: Hex): DcfPoint {
     hex = ensureBytes('decafHex', hex, 56);
     const { d } = ed448.CURVE;
-    const P = ed448.CURVE.Fp.ORDER;
-    const mod = ed448.CURVE.Fp.create;
+    const P = Fp.ORDER;
+    const mod = Fp.create;
     const emsg = 'DecafPoint.fromHex: the hex is not valid encoding of DecafPoint';
     const s = bytes448ToNumberLE(hex);
 
@@ -413,7 +450,7 @@ class DcfPoint implements Group<DcfPoint> {
     const t = mod(x * y); // 8
 
     if (!isValid) throw new Error(emsg);
-    return new DcfPoint(new ed448.ExtendedPoint(x, y, _1n, t));
+    return new DcfPoint(new ed448.Point(x, y, _1n, t));
   }
 
   static msm(points: DcfPoint[], scalars: bigint[]): DcfPoint {
@@ -423,12 +460,12 @@ class DcfPoint implements Group<DcfPoint> {
 
   /**
    * Encodes decaf point to Uint8Array.
-   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-encode-2
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
    */
-  toRawBytes(): Uint8Array {
+  toBytes(): Uint8Array {
     let { ex: x, ey: _y, ez: z, et: t } = this.ep;
-    const P = ed448.CURVE.Fp.ORDER;
-    const mod = ed448.CURVE.Fp.create;
+    const P = Fp.ORDER;
+    const mod = Fp.create;
 
     const u1 = mod(mod(x + t) * mod(x - t)); // 1
     const x2 = mod(x * x);
@@ -445,21 +482,28 @@ class DcfPoint implements Group<DcfPoint> {
     return numberToBytesLE(s, 56);
   }
 
+  /** @deprecated use `toBytes` */
+  toRawBytes(): Uint8Array {
+    return this.toBytes();
+  }
+
   toHex(): string {
-    return bytesToHex(this.toRawBytes());
+    return bytesToHex(this.toBytes());
   }
 
   toString(): string {
     return this.toHex();
   }
 
-  // Compare one point to another.
-  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
+  /**
+   * Compare one point to another.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
+   */
   equals(other: DcfPoint): boolean {
     adecafp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
-    const mod = ed448.CURVE.Fp.create;
+    const mod = Fp.create;
     // (x1 * y2 == y1 * x2)
     return mod(X1 * Y2) === mod(Y1 * X2);
   }
@@ -491,15 +535,22 @@ class DcfPoint implements Group<DcfPoint> {
   }
 }
 
+/**
+ * Wrapper over Edwards Point for decaf448 from
+ * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
+ */
 export const DecafPoint: typeof DcfPoint = /* @__PURE__ */ (() => {
   // decaf448 base point is ed448 base x 2
   // https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699
-  if (!DcfPoint.BASE) DcfPoint.BASE = new DcfPoint(ed448.ExtendedPoint.BASE).multiply(_2n);
-  if (!DcfPoint.ZERO) DcfPoint.ZERO = new DcfPoint(ed448.ExtendedPoint.ZERO);
+  if (!DcfPoint.BASE) DcfPoint.BASE = new DcfPoint(ed448.Point.BASE).multiply(_2n);
+  if (!DcfPoint.ZERO) DcfPoint.ZERO = new DcfPoint(ed448.Point.ZERO);
   return DcfPoint;
 })();
 
-// Hashing to decaf448. https://www.rfc-editor.org/rfc/rfc9380#appendix-C
+/**
+ * hash-to-curve for decaf448.
+ * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C).
+ */
 export const hashToDecaf448 = (msg: Uint8Array, options: htfBasicOpts): DcfPoint => {
   const d = options.DST;
   const DST = typeof d === 'string' ? utf8ToBytes(d) : d;

package/src/jubjub.ts

@@ -1,3 +1,7 @@
+/**
+ * @deprecated
+ * @module
+ */
 import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
 
 /** @deprecated Use `@noble/curves/misc` module directly. */

package/src/misc.ts

@@ -4,52 +4,57 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { blake256 } from '@noble/hashes/blake1';
-import { blake2s } from '@noble/hashes/blake2';
-import { sha256, sha512 } from '@noble/hashes/sha2';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { getHash } from './_shortw_utils.ts';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
+import { blake256 } from '@noble/hashes/blake1.js';
+import { blake2s } from '@noble/hashes/blake2.js';
+import { sha256, sha512 } from '@noble/hashes/sha2.js';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import {
+  twistedEdwards,
+  type CurveFn,
+  type EdwardsOpts,
+  type ExtPointType,
+} from './abstract/edwards.ts';
 import { Field, mod } from './abstract/modular.ts';
-import { type CurveFn as WCurveFn, weierstrass } from './abstract/weierstrass.ts';
+import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
+import { bls12_381_Fr } from './bls12-381.ts';
+import { bn254_Fr } from './bn254.ts';
 
 // Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
 // jubjub Fp = bls n. babyjubjub Fp = bn254 n.
 // verify manually, check bls12-381.ts and bn254.ts.
 // https://neuromancer.sk/std/other/JubJub
 
-const bls12_381_Fr = Field(
-  BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001')
-);
-const bn254_Fr = Field(
-  BigInt('21888242871839275222246405745257275088548364400416034343698204186575808495617')
-);
-
-/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
-  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
-  Fp: bls12_381_Fr,
+const jubjub_CURVE: EdwardsOpts = {
+  p: bls12_381_Fr.ORDER,
   n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
   h: BigInt(8),
+  a: BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000000'),
+  d: BigInt('0x2a9318e74bfa2b48f5fd9207e6bd7fd4292d7f6d37579d2601065fd6d6343eb1'),
   Gx: BigInt('0x11dafe5d23e1218086a365b99fbf3d3be72f6afd7d1f72623e6b071492d1122b'),
   Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
+};
+/** Curve over scalar field of bls12-381. jubjub Fp = bls n */
+export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
+  ...jubjub_CURVE,
+  Fp: bls12_381_Fr,
   hash: sha512,
-  randomBytes,
-} as const);
+});
 
+const babyjubjub_CURVE: EdwardsOpts = {
+  p: bn254_Fr.ORDER,
+  n: BigInt('0x30644e72e131a029b85045b68181585d59f76dc1c90770533b94bee1c9093788'),
+  h: BigInt(8),
+  a: BigInt('168700'),
+  d: BigInt('168696'),
+  Gx: BigInt('0x23343e3445b673d38bcba38f25645adb494b1255b1162bb40f41a59f4d4b45e'),
+  Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
+};
 /** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
 export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  a: BigInt(168700),
-  d: BigInt(168696),
+  ...babyjubjub_CURVE,
   Fp: bn254_Fr,
-  n: BigInt('21888242871839275222246405745257275088614511777268538073601725287587578984328'),
-  h: BigInt(8),
-  Gx: BigInt('995203441582195749578291179787384436505546430278305826713579947235728471134'),
-  Gy: BigInt('5472060717959818805561601436314318772137091100104008585924551046643952123905'),
   hash: blake256,
-  randomBytes,
-} as const);
+});
 
 const jubjub_gh_first_block = utf8ToBytes(
   '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
@@ -61,10 +66,10 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
   h.update(jubjub_gh_first_block);
   h.update(tag);
   // NOTE: returns ExtendedPoint, in case it will be multiplied later
-  let p = jubjub.ExtendedPoint.fromHex(h.digest());
+  let p = jubjub.Point.fromHex(h.digest());
   // NOTE: cannot replace with isSmallOrder, returns Point*8
   p = p.multiply(jubjub.CURVE.h);
-  if (p.equals(jubjub.ExtendedPoint.ZERO)) throw new Error('Point has small order');
+  if (p.equals(jubjub.Point.ZERO)) throw new Error('Point has small order');
   return p;
 }
 
@@ -72,7 +77,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
 // It operates over public data:
 // const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
 export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
-  const tag = concatBytes(m, new Uint8Array([0]));
+  const tag = concatBytes(m, Uint8Array.of(0));
   const hashes = [];
   for (let i = 0; i < 256; i++) {
     tag[tag.length - 1] = i;
@@ -105,7 +110,7 @@ export const pallas: WCurveFn = weierstrass({
   Gx: mod(BigInt(-1), pasta_p),
   Gy: BigInt(2),
   h: BigInt(1),
-  ...getHash(sha256),
+  hash: sha256,
 });
 /**
  * https://neuromancer.sk/std/other/Vesta
@@ -119,5 +124,5 @@ export const vesta: WCurveFn = weierstrass({
   Gx: mod(BigInt(-1), pasta_q),
   Gy: BigInt(2),
   h: BigInt(1),
-  ...getHash(sha256),
+  hash: sha256,
 });