@noble/curves 1.9.2 → 1.9.4

package/ed448.d.ts

@@ -1,41 +1,40 @@
-import type { AffinePoint, Group } from './abstract/curve.ts';
-import { type CurveFn, type ExtPointConstructor, type ExtPointType } from './abstract/edwards.ts';
-import { type H2CHasher, type H2CMethod, type htfBasicOpts } from './abstract/hash-to-curve.ts';
-import { type CurveFn as XCurveFn } from './abstract/montgomery.ts';
+import type { AffinePoint } from './abstract/curve.ts';
+import { PrimeEdwardsPoint, type CurveFn, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
+import { type H2CHasher, type H2CHasherBase, type H2CMethod, type htfBasicOpts } from './abstract/hash-to-curve.ts';
+import { type IField } from './abstract/modular.ts';
+import { type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
 import { type Hex } from './utils.ts';
-export declare const E448: ExtPointConstructor;
 /**
  * ed448 EdDSA curve and methods.
  * @example
  * import { ed448 } from '@noble/curves/ed448';
- * const priv = ed448.utils.randomPrivateKey();
- * const pub = ed448.getPublicKey(priv);
- * const msg = new TextEncoder().encode('whatsup');
- * const sig = ed448.sign(msg, priv);
- * ed448.verify(sig, msg, pub);
+ * const { secretKey, publicKey } = ed448.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = ed448.sign(msg, secretKey);
+ * const isValid = ed448.verify(sig, msg, publicKey);
  */
 export declare const ed448: CurveFn;
+/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
 export declare const ed448ph: CurveFn;
+/**
+ * E448 curve, defined by NIST.
+ * E448 != edwards448 used in ed448.
+ * E448 is birationally equivalent to edwards448.
+ */
+export declare const E448: EdwardsPointCons;
 /**
  * ECDH using curve448 aka x448.
  * x448 has 56-byte keys as per RFC 7748, while
  * ed448 has 57-byte keys as per RFC 8032.
  */
 export declare const x448: XCurveFn;
-/**
- * Converts edwards448 public key to x448 public key. Uses formula:
- * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
- * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
- * @example
- *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
- *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
- */
+/** @deprecated use `ed448.utils.toMontgomery` */
 export declare function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array;
+/** @deprecated use `ed448.utils.toMontgomery` */
 export declare const edwardsToMontgomery: typeof edwardsToMontgomeryPub;
+/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
 export declare const ed448_hasher: H2CHasher<bigint>;
-export declare const hashToCurve: H2CMethod<bigint>;
-export declare const encodeToCurve: H2CMethod<bigint>;
-type ExtendedPoint = ExtPointType;
+type ExtendedPoint = EdwardsPoint;
 /**
  * Each ed448/ExtendedPoint has 4 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
@@ -43,60 +42,60 @@ type ExtendedPoint = ExtPointType;
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
-declare class DcfPoint implements Group<DcfPoint> {
-    static BASE: DcfPoint;
-    static ZERO: DcfPoint;
-    private readonly ep;
+declare class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
+    static BASE: _DecafPoint;
+    static ZERO: _DecafPoint;
+    static Fp: IField<bigint>;
+    static Fn: IField<bigint>;
     constructor(ep: ExtendedPoint);
-    static fromAffine(ap: AffinePoint<bigint>): DcfPoint;
-    /**
-     * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
-     * The hash-to-group operation applies Elligator twice and adds the results.
-     * **Note:** this is one-way map, there is no conversion from point to hash.
-     * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
-     * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
-     * @param hex 112-byte output of a hash function
-     */
-    static hashToCurve(hex: Hex): DcfPoint;
-    static fromBytes(bytes: Uint8Array): DcfPoint;
+    static fromAffine(ap: AffinePoint<bigint>): _DecafPoint;
+    protected assertSame(other: _DecafPoint): void;
+    protected init(ep: EdwardsPoint): _DecafPoint;
+    /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+    static hashToCurve(hex: Hex): _DecafPoint;
+    static fromBytes(bytes: Uint8Array): _DecafPoint;
     /**
      * Converts decaf-encoded string to decaf point.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
      * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
      */
-    static fromHex(hex: Hex): DcfPoint;
-    static msm(points: DcfPoint[], scalars: bigint[]): DcfPoint;
+    static fromHex(hex: Hex): _DecafPoint;
+    /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+    static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint;
     /**
      * Encodes decaf point to Uint8Array.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
      */
     toBytes(): Uint8Array;
-    /** @deprecated use `toBytes` */
-    toRawBytes(): Uint8Array;
-    toHex(): string;
-    toString(): string;
     /**
      * Compare one point to another.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
      */
-    equals(other: DcfPoint): boolean;
-    add(other: DcfPoint): DcfPoint;
-    subtract(other: DcfPoint): DcfPoint;
-    multiply(scalar: bigint): DcfPoint;
-    multiplyUnsafe(scalar: bigint): DcfPoint;
-    double(): DcfPoint;
-    negate(): DcfPoint;
+    equals(other: _DecafPoint): boolean;
+    is0(): boolean;
 }
+/** @deprecated use `decaf448.Point` */
+export declare const DecafPoint: typeof _DecafPoint;
+export declare const decaf448: {
+    Point: typeof _DecafPoint;
+};
+/** Hashing to decaf448 points / field. RFC 9380 methods. */
+export declare const decaf448_hasher: H2CHasherBase<bigint>;
+type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+export declare const hashToCurve: H2CMethod<bigint>;
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+export declare const encodeToCurve: H2CMethod<bigint>;
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+export declare const hashToDecaf448: DcfHasher;
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+export declare const hash_to_decaf448: DcfHasher;
 /**
- * Wrapper over Edwards Point for decaf448 from
- * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
- */
-export declare const DecafPoint: typeof DcfPoint;
-/**
- * hash-to-curve for decaf448.
- * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C).
+ * Weird / bogus points, useful for debugging.
+ * Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
+ * Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
+ * (0, 1), (0, -1), (-1, 0), (1, 0).
  */
-export declare const hashToDecaf448: (msg: Uint8Array, options: htfBasicOpts) => DcfPoint;
-export declare const hash_to_decaf448: typeof hashToDecaf448;
+export declare const ED448_TORSION_SUBGROUP: string[];
 export {};
 //# sourceMappingURL=ed448.d.ts.map

package/ed448.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["src/ed448.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAE9D,OAAO,EACL,KAAK,OAAO,EAGZ,KAAK,mBAAmB,EACxB,KAAK,YAAY,EAElB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAGL,KAAK,SAAS,EACd,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,6BAA6B,CAAC;AAErC,OAAO,EAAc,KAAK,OAAO,IAAI,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAChF,OAAO,EAKL,KAAK,GAAG,EAET,MAAM,YAAY,CAAC;AA2CpB,eAAO,MAAM,IAAI,EAAE,mBAAyC,CAAC;AAsF7D;;;;;;;;;GASG;AACH,eAAO,MAAM,KAAK,EAAE,OAAmC,CAAC;AAExD,eAAO,MAAM,OAAO,EAAE,OAIf,CAAC;AAER;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,QAYf,CAAC;AAEL;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAKlF;AAED,eAAO,MAAM,mBAAmB,EAAE,OAAO,sBAA+C,CAAC;AAgFzF,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,MAAM,CASpC,CAAC;AACR,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAsD,CAAC;AACjG,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACb,CAAC;AA0BhC,KAAK,aAAa,GAAG,YAAY,CAAC;AAoClC;;;;;;GAMG;AACH,cAAM,QAAS,YAAW,KAAK,CAAC,QAAQ,CAAC;IACvC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC;IACtB,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC;IACtB,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAgB;gBAGvB,EAAE,EAAE,aAAa;IAI7B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,QAAQ;IAIpD;;;;;;;OAOG;IACH,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG,QAAQ;IAStC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ;IAK7C;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,QAAQ;IA8BlC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,QAAQ;IAK3D;;;OAGG;IACH,OAAO,IAAI,UAAU;IAoBrB,gCAAgC;IAChC,UAAU,IAAI,UAAU;IAIxB,KAAK,IAAI,MAAM;IAIf,QAAQ,IAAI,MAAM;IAIlB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,QAAQ,GAAG,OAAO;IAShC,GAAG,CAAC,KAAK,EAAE,QAAQ,GAAG,QAAQ;IAK9B,QAAQ,CAAC,KAAK,EAAE,QAAQ,GAAG,QAAQ;IAKnC,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ;IAIlC,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,QAAQ;IAIxC,MAAM,IAAI,QAAQ;IAIlB,MAAM,IAAI,QAAQ;CAGnB;AAED;;;GAGG;AACH,eAAO,MAAM,UAAU,EAAE,OAAO,QAM5B,CAAC;AAEL;;;GAGG;AACH,eAAO,MAAM,cAAc,GAAI,KAAK,UAAU,EAAE,SAAS,YAAY,KAAG,QAMvE,CAAC;AACF,eAAO,MAAM,gBAAgB,EAAE,OAAO,cAA+B,CAAC"}
+{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["src/ed448.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,EAEL,iBAAiB,EAEjB,KAAK,OAAO,EAEZ,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAIL,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAiD,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAc,KAAK,cAAc,IAAI,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAA6D,KAAK,GAAG,EAAE,MAAM,YAAY,CAAC;AAkIjG;;;;;;;;GAQG;AACH,eAAO,MAAM,KAAK,EAAE,OAAmC,CAAC;AAGxD,0FAA0F;AAC1F,eAAO,MAAM,OAAO,EAAE,OAIf,CAAC;AAER;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,gBAAsC,CAAC;AAE1D;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,QAYf,CAAC;AAEL,iDAAiD;AACjD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAElF;AAED,iDAAiD;AACjD,eAAO,MAAM,mBAAmB,EAAE,OAAO,sBAA+C,CAAC;AA+EzF,oEAAoE;AACpE,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,MAAM,CASpC,CAAC;AAsBR,KAAK,aAAa,GAAG,YAAY,CAAC;AA6ClC;;;;;;GAMG;AACH,cAAM,WAAY,SAAQ,iBAAiB,CAAC,WAAW,CAAC;IAGtD,MAAM,CAAC,IAAI,EAAE,WAAW,CAC0D;IAElF,MAAM,CAAC,IAAI,EAAE,WAAW,CACsC;IAE9D,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACJ;IAErB,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACJ;gBAET,EAAE,EAAE,aAAa;IAI7B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,WAAW;IAIvD,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI9C,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,WAAW;IAI7C,kFAAkF;IAClF,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIzC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW;IA8BhD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIrC,qFAAqF;IACrF,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,WAAW;IAIjE;;;OAGG;IACH,OAAO,IAAI,UAAU;IAoBrB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO;IASnC,GAAG,IAAI,OAAO;CAGf;AAED,uCAAuC;AACvC,eAAO,MAAM,UAAU,EAAE,OAAO,WAAyB,CAAC;AAC1D,eAAO,MAAM,QAAQ,EAAE;IACrB,KAAK,EAAE,OAAO,WAAW,CAAC;CACF,CAAC;AAE3B,4DAA4D;AAC5D,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAQjD,CAAC;AAUF,KAAK,SAAS,GAAG,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,KAAK,WAAW,CAAC;AAEzE,+EAA+E;AAC/E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAsD,CAAC;AACjG,+EAA+E;AAC/E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACb,CAAC;AAChC,kFAAkF;AAClF,eAAO,MAAM,cAAc,EAAE,SACgB,CAAC;AAC9C,kFAAkF;AAClF,eAAO,MAAM,gBAAgB,EAAE,SACc,CAAC;AAE9C;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,EAK1C,CAAC"}

package/ed448.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.hash_to_decaf448 = exports.hashToDecaf448 = exports.DecafPoint = exports.encodeToCurve = exports.hashToCurve = exports.ed448_hasher = exports.edwardsToMontgomery = exports.x448 = exports.ed448ph = exports.ed448 = exports.E448 = void 0;
+exports.ED448_TORSION_SUBGROUP = exports.hash_to_decaf448 = exports.hashToDecaf448 = exports.encodeToCurve = exports.hashToCurve = exports.decaf448_hasher = exports.decaf448 = exports.DecafPoint = exports.ed448_hasher = exports.edwardsToMontgomery = exports.x448 = exports.E448 = exports.ed448ph = exports.ed448 = void 0;
 exports.edwardsToMontgomeryPub = edwardsToMontgomeryPub;
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
@@ -19,6 +19,7 @@ const hash_to_curve_ts_1 = require("./abstract/hash-to-curve.js");
 const modular_ts_1 = require("./abstract/modular.js");
 const montgomery_ts_1 = require("./abstract/montgomery.js");
 const utils_ts_1 = require("./utils.js");
+// edwards448 curve
 // a = 1n
 // d = Fp.neg(39081n)
 // Finite field 2n**448n - 2n**224n - 1n
@@ -33,9 +34,7 @@ const ed448_CURVE = {
     Gx: BigInt('0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'),
     Gy: BigInt('0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'),
 };
-// E448 != Edwards448 used in ed448
-// E448 is defined by NIST
-// It's birationally equivalent to edwards448
+// E448 NIST curve is identical to edwards448, except for:
 // d = 39082/39081
 // Gx = 3/2
 const E448_CURVE = Object.assign({}, ed448_CURVE, {
@@ -43,7 +42,6 @@ const E448_CURVE = Object.assign({}, ed448_CURVE, {
     Gx: BigInt('0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'),
     Gy: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'),
 });
-exports.E448 = (0, edwards_ts_1.edwards)(E448_CURVE);
 const shake256_114 = /* @__PURE__ */ (0, utils_js_1.createHasher)(() => sha3_js_1.shake256.create({ dkLen: 114 }));
 const shake256_64 = /* @__PURE__ */ (0, utils_js_1.createHasher)(() => sha3_js_1.shake256.create({ dkLen: 64 }));
 // prettier-ignore
@@ -101,13 +99,15 @@ function uvRatio(u, v) {
     return { isValid: (0, modular_ts_1.mod)(x2 * v, P) === u, value: x };
 }
 // Finite field 2n**448n - 2n**224n - 1n
-const Fp = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.p, 456, true))();
+const Fp = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.p, { BITS: 456, isLE: true }))();
 // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+const Fn = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.n, { BITS: 448, isLE: true }))();
+// const Fn456 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
 // SHAKE256(dom4(phflag,context)||x, 114)
 const ED448_DEF = /* @__PURE__ */ (() => ({
     ...ed448_CURVE,
     Fp,
-    nBitLength: 456,
+    Fn,
     hash: shake256_114,
     adjustScalarBytes,
     // dom4
@@ -122,18 +122,24 @@ const ED448_DEF = /* @__PURE__ */ (() => ({
  * ed448 EdDSA curve and methods.
  * @example
  * import { ed448 } from '@noble/curves/ed448';
- * const priv = ed448.utils.randomPrivateKey();
- * const pub = ed448.getPublicKey(priv);
- * const msg = new TextEncoder().encode('whatsup');
- * const sig = ed448.sign(msg, priv);
- * ed448.verify(sig, msg, pub);
+ * const { secretKey, publicKey } = ed448.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = ed448.sign(msg, secretKey);
+ * const isValid = ed448.verify(sig, msg, publicKey);
  */
 exports.ed448 = (0, edwards_ts_1.twistedEdwards)(ED448_DEF);
-// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+// There is no ed448ctx, since ed448 supports ctx by default
+/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
 exports.ed448ph = (() => (0, edwards_ts_1.twistedEdwards)({
     ...ED448_DEF,
     prehash: shake256_64,
 }))();
+/**
+ * E448 curve, defined by NIST.
+ * E448 != edwards448 used in ed448.
+ * E448 is birationally equivalent to edwards448.
+ */
+exports.E448 = (0, edwards_ts_1.edwards)(E448_CURVE);
 /**
  * ECDH using curve448 aka x448.
  * x448 has 56-byte keys as per RFC 7748, while
@@ -152,22 +158,12 @@ exports.x448 = (() => {
         adjustScalarBytes,
     });
 })();
-/**
- * Converts edwards448 public key to x448 public key. Uses formula:
- * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
- * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
- * @example
- *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
- *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
- */
+/** @deprecated use `ed448.utils.toMontgomery` */
 function edwardsToMontgomeryPub(edwardsPub) {
-    const bpub = (0, utils_ts_1.ensureBytes)('pub', edwardsPub);
-    const { y } = exports.ed448.Point.fromHex(bpub);
-    const _1n = BigInt(1);
-    return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+    return exports.ed448.utils.toMontgomery((0, utils_ts_1.ensureBytes)('pub', edwardsPub));
 }
-exports.edwardsToMontgomery = edwardsToMontgomeryPub; // deprecated
-// TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
+/** @deprecated use `ed448.utils.toMontgomery` */
+exports.edwardsToMontgomery = edwardsToMontgomeryPub;
 // Hash To Curve Elligator2 Map
 const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = /* @__PURE__ */ BigInt(156326);
@@ -241,6 +237,7 @@ function map_to_curve_elligator2_edwards448(u) {
     const inv = (0, modular_ts_1.FpInvertBatch)(Fp, [xEd, yEd], true); // batch division
     return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
+/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
 exports.ed448_hasher = (() => (0, hash_to_curve_ts_1.createHasher)(exports.ed448.Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
     DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
     encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
@@ -250,12 +247,6 @@ exports.ed448_hasher = (() => (0, hash_to_curve_ts_1.createHasher)(exports.ed448
     expand: 'xof',
     hash: sha3_js_1.shake256,
 }))();
-exports.hashToCurve = (() => exports.ed448_hasher.hashToCurve)();
-exports.encodeToCurve = (() => exports.ed448_hasher.encodeToCurve)();
-function adecafp(other) {
-    if (!(other instanceof DcfPoint))
-        throw new Error('DecafPoint expected');
-}
 // 1-d
 const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
 // 1-2d
@@ -298,6 +289,14 @@ function calcElligatorDecafMap(r0) {
     const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
     return new exports.ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
+function decaf448_map(bytes) {
+    (0, utils_js_1.abytes)(bytes, 112);
+    const r1 = bytes448ToNumberLE(bytes.slice(0, 56));
+    const R1 = calcElligatorDecafMap(r1);
+    const r2 = bytes448ToNumberLE(bytes.slice(56, 112));
+    const R2 = calcElligatorDecafMap(r2);
+    return new _DecafPoint(R1.add(R2));
+}
 /**
  * Each ed448/ExtendedPoint has 4 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
@@ -305,51 +304,34 @@ function calcElligatorDecafMap(r0) {
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
-class DcfPoint {
-    // Private property to discourage combining ExtendedPoint + DecafPoint
-    // Always use Decaf encoding/decoding instead.
+class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
     constructor(ep) {
-        this.ep = ep;
+        super(ep);
     }
     static fromAffine(ap) {
-        return new DcfPoint(exports.ed448.Point.fromAffine(ap));
+        return new _DecafPoint(exports.ed448.Point.fromAffine(ap));
     }
-    /**
-     * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
-     * The hash-to-group operation applies Elligator twice and adds the results.
-     * **Note:** this is one-way map, there is no conversion from point to hash.
-     * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
-     * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
-     * @param hex 112-byte output of a hash function
-     */
+    assertSame(other) {
+        if (!(other instanceof _DecafPoint))
+            throw new Error('DecafPoint expected');
+    }
+    init(ep) {
+        return new _DecafPoint(ep);
+    }
+    /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
     static hashToCurve(hex) {
-        hex = (0, utils_ts_1.ensureBytes)('decafHash', hex, 112);
-        const r1 = bytes448ToNumberLE(hex.slice(0, 56));
-        const R1 = calcElligatorDecafMap(r1);
-        const r2 = bytes448ToNumberLE(hex.slice(56, 112));
-        const R2 = calcElligatorDecafMap(r2);
-        return new DcfPoint(R1.add(R2));
+        return decaf448_map((0, utils_ts_1.ensureBytes)('decafHash', hex, 112));
     }
     static fromBytes(bytes) {
-        (0, utils_js_1.abytes)(bytes);
-        return this.fromHex(bytes);
-    }
-    /**
-     * Converts decaf-encoded string to decaf point.
-     * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
-     * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
-     */
-    static fromHex(hex) {
-        hex = (0, utils_ts_1.ensureBytes)('decafHex', hex, 56);
+        (0, utils_js_1.abytes)(bytes, 56);
         const { d } = exports.ed448.CURVE;
         const P = Fp.ORDER;
         const mod = Fp.create;
-        const emsg = 'DecafPoint.fromHex: the hex is not valid encoding of DecafPoint';
-        const s = bytes448ToNumberLE(hex);
+        const s = bytes448ToNumberLE(bytes);
         // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
         // 2. Check that s is non-negative, or else abort
-        if (!(0, utils_ts_1.equalBytes)((0, utils_ts_1.numberToBytesLE)(s, 56), hex) || (0, modular_ts_1.isNegativeLE)(s, P))
-            throw new Error(emsg);
+        if (!(0, utils_ts_1.equalBytes)((0, utils_ts_1.numberToBytesLE)(s, 56), bytes) || (0, modular_ts_1.isNegativeLE)(s, P))
+            throw new Error('invalid decaf448 encoding 1');
         const s2 = mod(s * s); // 1
         const u1 = mod(_1n + s2); // 2
         const u1sq = mod(u1 * u1);
@@ -362,100 +344,101 @@ class DcfPoint {
         const y = mod((_1n - s2) * invsqrt * u1); // 7
         const t = mod(x * y); // 8
         if (!isValid)
-            throw new Error(emsg);
-        return new DcfPoint(new exports.ed448.Point(x, y, _1n, t));
+            throw new Error('invalid decaf448 encoding 2');
+        return new _DecafPoint(new exports.ed448.Point(x, y, _1n, t));
+    }
+    /**
+     * Converts decaf-encoded string to decaf point.
+     * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
+     * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
+     */
+    static fromHex(hex) {
+        return _DecafPoint.fromBytes((0, utils_ts_1.ensureBytes)('decafHex', hex, 56));
     }
+    /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
     static msm(points, scalars) {
-        const Fn = (0, modular_ts_1.Field)(exports.ed448.CURVE.n, exports.ed448.CURVE.nBitLength);
-        return (0, curve_ts_1.pippenger)(DcfPoint, Fn, points, scalars);
+        return (0, curve_ts_1.pippenger)(_DecafPoint, Fn, points, scalars);
     }
     /**
      * Encodes decaf point to Uint8Array.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
      */
     toBytes() {
-        let { ex: x, ey: _y, ez: z, et: t } = this.ep;
+        const { X, Z, T } = this.ep;
         const P = Fp.ORDER;
         const mod = Fp.create;
-        const u1 = mod(mod(x + t) * mod(x - t)); // 1
-        const x2 = mod(x * x);
+        const u1 = mod(mod(X + T) * mod(X - T)); // 1
+        const x2 = mod(X * X);
         const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
         let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
         if ((0, modular_ts_1.isNegativeLE)(ratio, P))
             ratio = mod(-ratio);
-        const u2 = mod(INVSQRT_MINUS_D * ratio * z - t); // 4
-        let s = mod(ONE_MINUS_D * invsqrt * x * u2); // 5
+        const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
+        let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
         if ((0, modular_ts_1.isNegativeLE)(s, P))
             s = mod(-s);
         return (0, utils_ts_1.numberToBytesLE)(s, 56);
     }
-    /** @deprecated use `toBytes` */
-    toRawBytes() {
-        return this.toBytes();
-    }
-    toHex() {
-        return (0, utils_ts_1.bytesToHex)(this.toBytes());
-    }
-    toString() {
-        return this.toHex();
-    }
     /**
      * Compare one point to another.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
      */
     equals(other) {
-        adecafp(other);
-        const { ex: X1, ey: Y1 } = this.ep;
-        const { ex: X2, ey: Y2 } = other.ep;
+        this.assertSame(other);
+        const { X: X1, Y: Y1 } = this.ep;
+        const { X: X2, Y: Y2 } = other.ep;
         const mod = Fp.create;
         // (x1 * y2 == y1 * x2)
         return mod(X1 * Y2) === mod(Y1 * X2);
     }
-    add(other) {
-        adecafp(other);
-        return new DcfPoint(this.ep.add(other.ep));
-    }
-    subtract(other) {
-        adecafp(other);
-        return new DcfPoint(this.ep.subtract(other.ep));
-    }
-    multiply(scalar) {
-        return new DcfPoint(this.ep.multiply(scalar));
-    }
-    multiplyUnsafe(scalar) {
-        return new DcfPoint(this.ep.multiplyUnsafe(scalar));
-    }
-    double() {
-        return new DcfPoint(this.ep.double());
-    }
-    negate() {
-        return new DcfPoint(this.ep.negate());
+    is0() {
+        return this.equals(_DecafPoint.ZERO);
     }
 }
+// The following gymnastics is done because typescript strips comments otherwise
+// prettier-ignore
+_DecafPoint.BASE = 
+/* @__PURE__ */ (() => new _DecafPoint(exports.ed448.Point.BASE).multiplyUnsafe(_2n))();
+// prettier-ignore
+_DecafPoint.ZERO = 
+/* @__PURE__ */ (() => new _DecafPoint(exports.ed448.Point.ZERO))();
+// prettier-ignore
+_DecafPoint.Fp = 
+/* @__PURE__ */ Fp;
+// prettier-ignore
+_DecafPoint.Fn = 
+/* @__PURE__ */ Fn;
+/** @deprecated use `decaf448.Point` */
+exports.DecafPoint = _DecafPoint;
+exports.decaf448 = { Point: _DecafPoint };
+/** Hashing to decaf448 points / field. RFC 9380 methods. */
+exports.decaf448_hasher = {
+    hashToCurve(msg, options) {
+        const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
+        return decaf448_map((0, hash_to_curve_ts_1.expand_message_xof)(msg, DST, 112, 224, sha3_js_1.shake256));
+    },
+    hashToScalar(msg, options = { DST: hash_to_curve_ts_1._DST_scalar }) {
+        return Fn.create((0, utils_ts_1.bytesToNumberLE)((0, hash_to_curve_ts_1.expand_message_xof)(msg, options.DST, 64, 256, sha3_js_1.shake256)));
+    },
+};
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+exports.hashToCurve = (() => exports.ed448_hasher.hashToCurve)();
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+exports.encodeToCurve = (() => exports.ed448_hasher.encodeToCurve)();
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+exports.hashToDecaf448 = (() => exports.decaf448_hasher.hashToCurve)();
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+exports.hash_to_decaf448 = (() => exports.decaf448_hasher.hashToCurve)();
 /**
- * Wrapper over Edwards Point for decaf448 from
- * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
- */
-exports.DecafPoint = (() => {
-    // decaf448 base point is ed448 base x 2
-    // https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699
-    if (!DcfPoint.BASE)
-        DcfPoint.BASE = new DcfPoint(exports.ed448.Point.BASE).multiply(_2n);
-    if (!DcfPoint.ZERO)
-        DcfPoint.ZERO = new DcfPoint(exports.ed448.Point.ZERO);
-    return DcfPoint;
-})();
-/**
- * hash-to-curve for decaf448.
- * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C).
+ * Weird / bogus points, useful for debugging.
+ * Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
+ * Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
+ * (0, 1), (0, -1), (-1, 0), (1, 0).
  */
-const hashToDecaf448 = (msg, options) => {
-    const d = options.DST;
-    const DST = typeof d === 'string' ? (0, utils_js_1.utf8ToBytes)(d) : d;
-    const uniform_bytes = (0, hash_to_curve_ts_1.expand_message_xof)(msg, DST, 112, 224, sha3_js_1.shake256);
-    const P = DcfPoint.hashToCurve(uniform_bytes);
-    return P;
-};
-exports.hashToDecaf448 = hashToDecaf448;
-exports.hash_to_decaf448 = exports.hashToDecaf448; // legacy
+exports.ED448_TORSION_SUBGROUP = [
+    '010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+    'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
+    '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+    '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
+];
 //# sourceMappingURL=ed448.js.map