@noble/curves 1.9.1 → 1.9.2

package/src/abstract/fft.ts

@@ -76,8 +76,15 @@ function findGenerator(field: IField<bigint>) {
   return G;
 }
 
+export type RootsOfUnity = {
+  roots: (bits: number) => bigint[];
+  brp(bits: number): bigint[];
+  inverse(bits: number): bigint[];
+  omega: (bits: number) => bigint;
+  clear: () => void;
+};
 /** We limit roots up to 2**31, which is a lot: 2-billion polynomimal should be rare. */
-export function rootsOfUnity(field: IField<bigint>, generator?: bigint) {
+export function rootsOfUnity(field: IField<bigint>, generator?: bigint): RootsOfUnity {
   // Factor field.ORDER-1 as oddFactor * 2^powerOfTwo
   let oddFactor = field.ORDER - _1n;
   let powerOfTwo = 0;
@@ -186,8 +193,7 @@ export type FFTCoreLoop<T> = <P extends Polynomial<T>>(values: P) => P;
  * Cyclic NTT: Rq = Zq[x]/(x^n-1). butterfly_DIT+loop_DIT OR butterfly_DIF+loop_DIT, roots are omega
  * Negacyclic NTT: Rq = Zq[x]/(x^n+1). butterfly_DIT+loop_DIF, at least for mlkem / mldsa
  */
-export const FFTCore = <T, R>(opts: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FFTCoreLoop<T> => {
-  const { add, sub, mul } = opts; // inline to butteflies
+export const FFTCore = <T, R>(F: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FFTCoreLoop<T> => {
   const { N, roots, dit, invertButterflies = false, skipStages = 0, brp = true } = coreOpts;
   const bits = log2(N);
   if (!isPowerOfTwo(N)) throw new Error('FFT: Polynomial size should be power of two');
@@ -214,15 +220,15 @@ export const FFTCore = <T, R>(opts: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FF
           const a = values[i0];
           // Inlining gives us 10% perf in kyber vs functions
           if (isDit) {
-            const t = mul(b, omega); // Standard DIT butterfly
-            values[i0] = add(a, t);
-            values[i1] = sub(a, t);
+            const t = F.mul(b, omega); // Standard DIT butterfly
+            values[i0] = F.add(a, t);
+            values[i1] = F.sub(a, t);
           } else if (invertButterflies) {
-            values[i0] = add(b, a); // DIT loop + inverted butterflies (Kyber decode)
-            values[i1] = mul(sub(b, a), omega);
+            values[i0] = F.add(b, a); // DIT loop + inverted butterflies (Kyber decode)
+            values[i1] = F.mul(F.sub(b, a), omega);
           } else {
-            values[i0] = add(a, b); // Standard DIF butterfly
-            values[i1] = mul(sub(a, b), omega);
+            values[i0] = F.add(a, b); // Standard DIF butterfly
+            values[i1] = F.mul(F.sub(a, b), omega);
           }
         }
       }
@@ -232,11 +238,16 @@ export const FFTCore = <T, R>(opts: FFTOpts<T, R>, coreOpts: FFTCoreOpts<R>): FF
   };
 };
 
+export type FFTMethods<T> = {
+  direct<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
+  inverse<P extends Polynomial<T>>(values: P, brpInput?: boolean, brpOutput?: boolean): P;
+};
+
 /**
  * NTT aka FFT over finite field (NOT over complex numbers).
  * Naming mirrors other libraries.
  */
-export const FFT = <T>(roots: ReturnType<typeof rootsOfUnity>, opts: FFTOpts<T, bigint>) => {
+export function FFT<T>(roots: RootsOfUnity, opts: FFTOpts<T, bigint>): FFTMethods<T> {
   const getLoop = (
     N: number,
     roots: Polynomial<bigint>,
@@ -272,12 +283,12 @@ export const FFT = <T>(roots: ReturnType<typeof rootsOfUnity>, opts: FFTOpts<T,
       return res;
     },
   };
-};
+}
 
 export type CreatePolyFn<P extends Polynomial<T>, T> = (len: number, elm?: T) => P;
 
 export type PolyFn<P extends Polynomial<T>, T> = {
-  roots: ReturnType<typeof rootsOfUnity>;
+  roots: RootsOfUnity;
   create: CreatePolyFn<P, T>;
   length?: number; // optional enforced size
 
@@ -318,23 +329,23 @@ export type PolyFn<P extends Polynomial<T>, T> = {
  */
 export function poly<T>(
   field: IField<T>,
-  roots: ReturnType<typeof rootsOfUnity>,
+  roots: RootsOfUnity,
   create?: undefined,
-  fft?: ReturnType<typeof FFT<T>>,
+  fft?: FFTMethods<T>,
   length?: number
 ): PolyFn<T[], T>;
 export function poly<T, P extends Polynomial<T>>(
   field: IField<T>,
-  roots: ReturnType<typeof rootsOfUnity>,
+  roots: RootsOfUnity,
   create: CreatePolyFn<P, T>,
-  fft?: ReturnType<typeof FFT<T>>,
+  fft?: FFTMethods<T>,
   length?: number
 ): PolyFn<P, T>;
 export function poly<T, P extends Polynomial<T>>(
   field: IField<T>,
-  roots: ReturnType<typeof rootsOfUnity>,
+  roots: RootsOfUnity,
   create?: CreatePolyFn<P, T>,
-  fft?: ReturnType<typeof FFT<T>>,
+  fft?: FFTMethods<T>,
   length?: number
 ): PolyFn<any, T> {
   const F = field;

package/src/abstract/hash-to-curve.ts

@@ -5,10 +5,18 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import type { CHash } from '../utils.ts';
+import {
+  _validateObject,
+  abytes,
+  bytesToNumberBE,
+  concatBytes,
+  isBytes,
+  isHash,
+  utf8ToBytes,
+} from '../utils.ts';
 import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
 import { FpInvertBatch, type IField, mod } from './modular.ts';
-import type { CHash } from './utils.ts';
-import { abytes, bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.ts';
 
 export type UnicodeOrBytes = string | Uint8Array;
 
@@ -20,14 +28,20 @@ export type UnicodeOrBytes = string | Uint8Array;
  * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
  * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
  */
-export type Opts = {
+export type H2COpts = {
   DST: UnicodeOrBytes;
+  expand: 'xmd' | 'xof';
+  hash: CHash;
   p: bigint;
   m: number;
   k: number;
+};
+export type H2CHashOpts = {
   expand: 'xmd' | 'xof';
   hash: CHash;
 };
+// todo: remove
+export type Opts = H2COpts;
 
 // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
 const os2ip = bytesToNumberBE;
@@ -133,15 +147,17 @@ export function expand_message_xof(
  * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
  * @returns [u_0, ..., u_(count - 1)], a list of field elements.
  */
-export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][] {
-  validateObject(options, {
-    DST: 'stringOrUint8Array',
+export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts): bigint[][] {
+  _validateObject(options, {
     p: 'bigint',
-    m: 'isSafeInteger',
-    k: 'isSafeInteger',
-    hash: 'hash',
+    m: 'number',
+    k: 'number',
+    hash: 'function',
   });
   const { p, k, m, hash, expand, DST: _DST } = options;
+  if (!isBytes(_DST) && typeof _DST !== 'string')
+    throw new Error('DST must be string or uint8array');
+  if (!isHash(options.hash)) throw new Error('expected valid hash');
   abytes(msg);
   anum(count);
   const DST = typeof _DST === 'string' ? utf8ToBytes(_DST) : _DST;
@@ -209,21 +225,32 @@ export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
 // Separated from initialization opts, so users won't accidentally change per-curve parameters
 // (changing DST is ok!)
 export type htfBasicOpts = { DST: UnicodeOrBytes };
-export type HTFMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
+export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
+// TODO: remove
+export type HTFMethod<T> = H2CMethod<T>;
 export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
-export type Hasher<T> = {
-  hashToCurve: HTFMethod<T>;
-  encodeToCurve: HTFMethod<T>;
+/**
+ * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
+ *
+ * * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
+ * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
+ * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
+ */
+export type H2CHasher<T> = {
+  hashToCurve: H2CMethod<T>;
+  encodeToCurve: H2CMethod<T>;
   mapToCurve: MapMethod<T>;
-  defaults: Opts & { encodeDST?: UnicodeOrBytes };
+  defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
 };
+// TODO: remove
+export type Hasher<T> = H2CHasher<T>;
 
-/** Creates hash-to-curve methods from EC Point and mapToCurve function. */
+/** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
 export function createHasher<T>(
   Point: H2CPointConstructor<T>,
   mapToCurve: MapToCurve<T>,
-  defaults: Opts & { encodeDST?: UnicodeOrBytes }
-): Hasher<T> {
+  defaults: H2COpts & { encodeDST?: UnicodeOrBytes }
+): H2CHasher<T> {
   if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
   function map(num: bigint[]) {
     return Point.fromAffine(mapToCurve(num));
@@ -237,24 +264,21 @@ export function createHasher<T>(
 
   return {
     defaults,
-
-    // Encodes byte string to elliptic curve.
-    // hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
     hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const u = hash_to_field(msg, 2, { ...defaults, DST: defaults.DST, ...options } as Opts);
+      const dst = defaults.DST ? defaults.DST : {};
+      const opts = Object.assign({}, defaults, dst, options);
+      const u = hash_to_field(msg, 2, opts);
       const u0 = map(u[0]);
       const u1 = map(u[1]);
       return clear(u0.add(u1));
     },
-
-    // Encodes byte string to elliptic curve.
-    // encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
     encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
-      const u = hash_to_field(msg, 1, { ...defaults, DST: defaults.encodeDST, ...options } as Opts);
+      const dst = defaults.encodeDST ? defaults.encodeDST : {};
+      const opts = Object.assign({}, defaults, dst, options);
+      const u = hash_to_field(msg, 1, opts);
       return clear(map(u[0]));
     },
-
-    // Same as encodeToCurve, but without hash
+    /** See {@link H2CHasher} */
     mapToCurve(scalars: bigint[]): H2CPoint<T> {
       if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
       for (const i of scalars)

package/src/abstract/modular.ts

@@ -1,25 +1,26 @@
 /**
- * Utils for modular division and finite fields.
- * A finite field over 11 is integer number operations `mod 11`.
+ * Utils for modular division and fields.
+ * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
  * There is no division: it is replaced by modular multiplicative inverse.
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { anumber } from '@noble/hashes/utils';
 import {
+  _validateObject,
+  anumber,
   bitMask,
   bytesToNumberBE,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesBE,
   numberToBytesLE,
-  validateObject,
-} from './utils.ts';
+} from '../utils.ts';
 
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
 // prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _8n = /* @__PURE__ */ BigInt(8);
+const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
+const _8n = /* @__PURE__ */ BigInt(8);
 
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
@@ -29,7 +30,6 @@ export function mod(a: bigint, b: bigint): bigint {
 /**
  * Efficiently raise num to power and do modular division.
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- * TODO: remove.
  * @example
  * pow(2n, 6n, 11n) // 64n % 11n == 9n
  */
@@ -128,6 +128,7 @@ function sqrt5mod8<T>(Fp: IField<T>, n: T) {
  */
 export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
   // Initialization (precomputation).
+  // Caching initialization could boost perf by 7%.
   if (P < BigInt(3)) throw new Error('sqrt is not defined for small field');
   // Factor P - 1 = Q * 2^S, where Q is odd
   let Q = P - _1n;
@@ -228,6 +229,7 @@ export interface IField<T> {
   create: (num: T) => T;
   isValid: (num: T) => boolean;
   is0: (num: T) => boolean;
+  isValidNot0: (num: T) => boolean;
   neg(num: T): T;
   inv(num: T): T;
   sqrt(num: T): T;
@@ -267,14 +269,18 @@ export function validateField<T>(field: IField<T>): IField<T> {
   const initial = {
     ORDER: 'bigint',
     MASK: 'bigint',
-    BYTES: 'isSafeInteger',
-    BITS: 'isSafeInteger',
+    BYTES: 'number',
+    BITS: 'number',
   } as Record<string, string>;
   const opts = FIELD_FIELDS.reduce((map, val: string) => {
     map[val] = 'function';
     return map;
   }, initial);
-  return validateObject(field, opts);
+  _validateObject(field, opts);
+  // const max = 16384;
+  // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
+  // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
+  return field;
 }
 
 // Generic field functions
@@ -353,14 +359,9 @@ export function FpIsSquare<T>(Fp: IField<T>, n: T): boolean {
   return l === 1;
 }
 
+export type NLength = { nByteLength: number; nBitLength: number };
 // CURVE.n lengths
-export function nLength(
-  n: bigint,
-  nBitLength?: number
-): {
-  nBitLength: number;
-  nByteLength: number;
-} {
+export function nLength(n: bigint, nBitLength?: number): NLength {
   // Bit size, byte size of CURVE.n
   if (nBitLength !== undefined) anumber(nBitLength);
   const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
@@ -369,29 +370,47 @@ export function nLength(
 }
 
 type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
+type SqrtFn = (n: bigint) => bigint;
+type FieldOpts = Partial<{ sqrt: SqrtFn; isLE: boolean; BITS: number }>;
 /**
- * Initializes a finite field over prime.
- * Major performance optimizations:
- * * a) denormalized operations like mulN instead of mul
- * * b) same object shape: never add or remove keys
- * * c) Object.freeze
+ * Creates a finite field. Major performance optimizations:
+ * * 1. Denormalized operations like mulN instead of mul.
+ * * 2. Identical object shape: never add or remove keys.
+ * * 3. `Object.freeze`.
  * Fragile: always run a benchmark on a change.
  * Security note: operations don't check 'isValid' for all elements for performance reasons,
  * it is caller responsibility to check this.
  * This is low-level code, please make sure you know what you're doing.
- * @param ORDER prime positive bigint
+ *
+ * Note about field properties:
+ * * CHARACTERISTIC p = prime number, number of elements in main subgroup.
+ * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
+ *
+ * @param ORDER field order, probably prime, or could be composite
  * @param bitLen how many bits the field consumes
- * @param isLE (def: false) if encoding / decoding should be in little-endian
+ * @param isLE (default: false) if encoding / decoding should be in little-endian
  * @param redef optional faster redefinitions of sqrt and other methods
  */
 export function Field(
   ORDER: bigint,
-  bitLen?: number,
+  bitLenOrOpts?: number | FieldOpts,
   isLE = false,
-  redef: Partial<IField<bigint>> = {}
+  opts: { sqrt?: SqrtFn } = {}
 ): Readonly<FpField> {
   if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
+  let _nbitLength: number | undefined = undefined;
+  let _sqrt: SqrtFn | undefined = undefined;
+  if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
+    if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
+    const _opts = bitLenOrOpts;
+    if (_opts.BITS) _nbitLength = _opts.BITS;
+    if (_opts.sqrt) _sqrt = _opts.sqrt;
+    if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
+  } else {
+    if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
+    if (opts.sqrt) _sqrt = opts.sqrt;
+  }
+  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
   if (BYTES > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
   let sqrtP: ReturnType<typeof FpSqrt>; // cached sqrtP
   const f: Readonly<FpField> = Object.freeze({
@@ -409,6 +428,8 @@ export function Field(
       return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
     },
     is0: (num) => num === _0n,
+    // is valid and invertible
+    isValidNot0: (num: bigint) => !f.is0(num) && f.isValid(num),
     isOdd: (num) => (num & _1n) === _1n,
     neg: (num) => mod(-num, ORDER),
     eql: (lhs, rhs) => lhs === rhs,
@@ -428,7 +449,7 @@ export function Field(
 
     inv: (num) => invert(num, ORDER),
     sqrt:
-      redef.sqrt ||
+      _sqrt ||
       ((n) => {
         if (!sqrtP) sqrtP = FpSqrt(ORDER);
         return sqrtP(f, n);

package/src/abstract/montgomery.ts

@@ -5,14 +5,15 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { mod } from './modular.ts';
 import {
+  _validateObject,
   aInRange,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesLE,
-  validateObject,
-} from './utils.ts';
+  randomBytes,
+} from '../utils.ts';
+import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -24,7 +25,7 @@ export type CurveType = {
   type: 'x25519' | 'x448';
   adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
   powPminus2: (x: bigint) => bigint;
-  randomBytes: (bytesLength?: number) => Uint8Array;
+  randomBytes?: (bytesLength?: number) => Uint8Array;
 };
 
 export type CurveFn = {
@@ -37,7 +38,7 @@ export type CurveFn = {
 };
 
 function validateOpts(curve: CurveType) {
-  validateObject(curve, {
+  _validateObject(curve, {
     adjustScalarBytes: 'function',
     powPminus2: 'function',
   });
@@ -46,9 +47,10 @@ function validateOpts(curve: CurveType) {
 
 export function montgomery(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef);
-  const { P, type, adjustScalarBytes, powPminus2 } = CURVE;
+  const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
   const is25519 = type === 'x25519';
   if (!is25519 && type !== 'x448') throw new Error('invalid type');
+  const randomBytes_ = rand || randomBytes;
 
   const montgomeryBits = is25519 ? 255 : 448;
   const fieldLen = is25519 ? 32 : 56;
@@ -159,7 +161,7 @@ export function montgomery(curveDef: CurveType): CurveFn {
     scalarMultBase,
     getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
     getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    utils: { randomPrivateKey: () => CURVE.randomBytes!(fieldLen) },
+    utils: { randomPrivateKey: () => randomBytes_(fieldLen) },
     GuBytes: GuBytes.slice(),
   };
 }

package/src/abstract/poseidon.ts

@@ -7,8 +7,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { _validateObject, bitGet } from '../utils.ts';
 import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
-import { bitGet } from './utils.ts';
 
 // Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
 function grainLFSR(state: number[]): () => boolean {
@@ -41,20 +41,28 @@ export type PoseidonBasicOpts = {
   isSboxInverse?: boolean;
 };
 
-function validateBasicOpts(opts: PoseidonBasicOpts) {
+function assertValidPosOpts(opts: PoseidonBasicOpts) {
   const { Fp, roundsFull } = opts;
   validateField(Fp);
+  _validateObject(
+    opts,
+    {
+      t: 'number',
+      roundsFull: 'number',
+      roundsPartial: 'number',
+    },
+    {
+      isSboxInverse: 'boolean',
+    }
+  );
   for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
+    if (!Number.isSafeInteger(opts[i]) || opts[i] < 1) throw new Error('invalid number ' + i);
   }
-  if (opts.isSboxInverse !== undefined && typeof opts.isSboxInverse !== 'boolean')
-    throw new Error(`Poseidon: invalid param isSboxInverse=${opts.isSboxInverse}`);
   if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
 }
 
 function poseidonGrain(opts: PoseidonBasicOpts) {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp } = opts;
   const state = Array(80).fill(1);
   let pos = 0;
@@ -140,7 +148,7 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
   sboxPower?: number;
   reversePartialPowIdx?: boolean; // Hack for stark
 }> {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
   const { roundsFull, roundsPartial, sboxPower, t } = opts;
 
@@ -196,12 +204,13 @@ export function splitConstants(rc: bigint[], t: number): bigint[][] {
   return res;
 }
 
-/** Poseidon NTT-friendly hash. */
-export function poseidon(opts: PoseidonOpts): {
+export type PoseidonFn = {
   (values: bigint[]): bigint[];
   // For verification in tests
   roundConstants: bigint[][];
-} {
+};
+/** Poseidon NTT-friendly hash. */
+export function poseidon(opts: PoseidonOpts): PoseidonFn {
   const _opts = validateOpts(opts);
   const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
   const halfRoundsFull = _opts.roundsFull / 2;
@@ -242,17 +251,12 @@ export class PoseidonSponge {
   private Fp: IField<bigint>;
   readonly rate: number;
   readonly capacity: number;
-  readonly hash: ReturnType<typeof poseidon>;
+  readonly hash: PoseidonFn;
   private state: bigint[]; // [...capacity, ...rate]
   private pos = 0;
   private isAbsorbing = true;
 
-  constructor(
-    Fp: IField<bigint>,
-    rate: number,
-    capacity: number,
-    hash: ReturnType<typeof poseidon>
-  ) {
+  constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn) {
     this.Fp = Fp;
     this.hash = hash;
     this.rate = rate;