@noble/curves 1.9.2 → 1.9.4

package/src/bls12-381.ts

@@ -13,7 +13,7 @@ BLS can mean 2 different things:
 ### Summary
 
 1. BLS Relies on expensive bilinear pairing
-2. Private Keys: 32 bytes
+2. Secret Keys: 32 bytes
 3. Public Keys: 48 OR 96 bytes - big-endian x coordinate of point on G1 OR G2 curve
 4. Signatures: 96 OR 48 bytes - big-endian x coordinate of point on G2 OR G1 curve
 5. The 12 stands for the Embedding degree.
@@ -66,7 +66,7 @@ More complicated math is done over polynominal extension fields.
 
 ### Compatibility and notes
 1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC.
-Filecoin uses little endian byte arrays for private keys - make sure to reverse byte order.
+Filecoin uses little endian byte arrays for secret keys - make sure to reverse byte order.
 2. Make sure to correctly select mode: "long signature" or "short signature".
 3. Compatible with specs:
    RFC 9380,
@@ -98,9 +98,9 @@ import { psiFrobenius, tower12 } from './abstract/tower.ts';
 import {
   mapToCurveSimpleSWU,
   type AffinePoint,
-  type ProjConstructor,
-  type ProjPointType,
   type WeierstrassOpts,
+  type WeierstrassPoint,
+  type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
@@ -146,7 +146,7 @@ const bls12_381_CURVE_G1: WeierstrassOpts<bigint> = {
 };
 
 // CURVE FIELDS
-export const bls12_381_Fr: IField<bigint> = Field(bls12_381_CURVE_G1.n);
+export const bls12_381_Fr: IField<bigint> = Field(bls12_381_CURVE_G1.n, { modOnDecode: true });
 const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
   // Order of Fp
   ORDER: bls12_381_CURVE_G1.p,
@@ -294,7 +294,11 @@ function setMask(
   return bytes;
 }
 
-function pointG1ToBytes(_c: ProjConstructor<Fp>, point: ProjPointType<Fp>, isComp: boolean) {
+function pointG1ToBytes(
+  _c: WeierstrassPointCons<Fp>,
+  point: WeierstrassPoint<Fp>,
+  isComp: boolean
+) {
   const { BYTES: L, ORDER: P } = Fp;
   const is0 = point.is0();
   const { x, y } = point.toAffine();
@@ -311,7 +315,7 @@ function pointG1ToBytes(_c: ProjConstructor<Fp>, point: ProjPointType<Fp>, isCom
   }
 }
 
-function signatureG1ToBytes(point: ProjPointType<Fp>) {
+function signatureG1ToBytes(point: WeierstrassPoint<Fp>) {
   point.assertValidity();
   const { BYTES: L, ORDER: P } = Fp;
   const { x, y } = point.toAffine();
@@ -350,7 +354,7 @@ function pointG1FromBytes(bytes: Uint8Array): AffinePoint<Fp> {
   }
 }
 
-function signatureG1FromBytes(hex: Hex): ProjPointType<Fp> {
+function signatureG1FromBytes(hex: Hex): WeierstrassPoint<Fp> {
   const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex, 48));
   const P = Fp.ORDER;
   const Point = bls12_381.G1.Point;
@@ -368,7 +372,11 @@ function signatureG1FromBytes(hex: Hex): ProjPointType<Fp> {
   return point;
 }
 
-function pointG2ToBytes(_c: ProjConstructor<Fp2>, point: ProjPointType<Fp2>, isComp: boolean) {
+function pointG2ToBytes(
+  _c: WeierstrassPointCons<Fp2>,
+  point: WeierstrassPoint<Fp2>,
+  isComp: boolean
+) {
   const { BYTES: L, ORDER: P } = Fp;
   const is0 = point.is0();
   const { x, y } = point.toAffine();
@@ -392,7 +400,7 @@ function pointG2ToBytes(_c: ProjConstructor<Fp2>, point: ProjPointType<Fp2>, isC
   }
 }
 
-function signatureG2ToBytes(point: ProjPointType<Fp2>) {
+function signatureG2ToBytes(point: WeierstrassPoint<Fp2>) {
   point.assertValidity();
   const { BYTES: L } = Fp;
   if (point.is0()) return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
@@ -520,7 +528,7 @@ export const bls12_381: CurveFn = bls({
       const beta = BigInt(
         '0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'
       );
-      const phi = new c(Fp.mul(point.px, beta), point.py, point.pz);
+      const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
       // TODO: unroll
       const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
       const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
@@ -540,16 +548,16 @@ export const bls12_381: CurveFn = bls({
         abytes(bytes);
         return signatureG1FromBytes(bytes);
       },
-      fromHex(hex: Hex): ProjPointType<Fp> {
+      fromHex(hex: Hex): WeierstrassPoint<Fp> {
         return signatureG1FromBytes(hex);
       },
-      toBytes(point: ProjPointType<Fp>) {
+      toBytes(point: WeierstrassPoint<Fp>) {
         return signatureG1ToBytes(point);
       },
-      toRawBytes(point: ProjPointType<Fp>) {
+      toRawBytes(point: WeierstrassPoint<Fp>) {
         return signatureG1ToBytes(point);
       },
-      toHex(point: ProjPointType<Fp>) {
+      toHex(point: WeierstrassPoint<Fp>) {
         return bytesToHex(signatureG1ToBytes(point));
       },
     },
@@ -595,20 +603,20 @@ export const bls12_381: CurveFn = bls({
     fromBytes: pointG2FromBytes,
     toBytes: pointG2ToBytes,
     Signature: {
-      fromBytes(bytes: Uint8Array): ProjPointType<Fp2> {
+      fromBytes(bytes: Uint8Array): WeierstrassPoint<Fp2> {
         abytes(bytes);
         return signatureG2FromBytes(bytes);
       },
-      fromHex(hex: Hex): ProjPointType<Fp2> {
+      fromHex(hex: Hex): WeierstrassPoint<Fp2> {
         return signatureG2FromBytes(hex);
       },
-      toBytes(point: ProjPointType<Fp2>) {
+      toBytes(point: WeierstrassPoint<Fp2>) {
         return signatureG2ToBytes(point);
       },
-      toRawBytes(point: ProjPointType<Fp2>) {
+      toRawBytes(point: WeierstrassPoint<Fp2>) {
         return signatureG2ToBytes(point);
       },
-      toHex(point: ProjPointType<Fp2>) {
+      toHex(point: WeierstrassPoint<Fp2>) {
         return bytesToHex(signatureG2ToBytes(point));
       },
     },

package/src/ed25519.ts

@@ -8,42 +8,44 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha512 } from '@noble/hashes/sha2.js';
 import { abytes, concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
-import { type AffinePoint, type Group, pippenger } from './abstract/curve.ts';
+import { pippenger, type AffinePoint } from './abstract/curve.ts';
 import {
+  PrimeEdwardsPoint,
+  twistedEdwards,
   type CurveFn,
   type EdwardsOpts,
-  type ExtPointType,
-  twistedEdwards,
+  type EdwardsPoint,
 } from './abstract/edwards.ts';
 import {
+  _DST_scalar,
   createHasher,
   expand_message_xmd,
   type H2CHasher,
+  type H2CHasherBase,
   type H2CMethod,
   type htfBasicOpts,
 } from './abstract/hash-to-curve.ts';
-import { Field, FpInvertBatch, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
-  bytesToHex,
-  bytesToNumberLE,
-  ensureBytes,
-  equalBytes,
-  type Hex,
-  numberToBytesLE,
-} from './utils.ts';
+  Field,
+  FpInvertBatch,
+  FpSqrtEven,
+  isNegativeLE,
+  mod,
+  pow2,
+  type IField,
+} from './abstract/modular.ts';
+import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
+import { bytesToNumberLE, ensureBytes, equalBytes, numberToBytesLE, type Hex } from './utils.ts';
 
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
 const _5n = BigInt(5), _8n = BigInt(8);
 
-// 2n**255n - 19n
-// Removing Fp.create() will still work, and is 10% faster on sign
-//     a: Fp.create(BigInt(-1)),
-// d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
-// Finite field 2n**255n - 19n
-// Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
+// P = 2n**255n - 19n
+// N = 2n**252n + 27742317777372353535851937790883648493n
+// a = Fp.create(BigInt(-1))
+// d = -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
 const ed25519_CURVE: EdwardsOpts = {
   p: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed'),
   n: BigInt('0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed'),
@@ -110,19 +112,8 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: useRoot1 || useRoot2, value: x };
 }
 
-/** Weird / bogus points, useful for debugging. */
-export const ED25519_TORSION_SUBGROUP: string[] = [
-  '0100000000000000000000000000000000000000000000000000000000000000',
-  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
-  '0000000000000000000000000000000000000000000000000000000000000080',
-  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
-  'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
-  '0000000000000000000000000000000000000000000000000000000000000000',
-  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
-];
-
-const Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, undefined, true))();
+const Fp = /* @__PURE__ */ (() => Field(ed25519_CURVE.p, { isLE: true }))();
+const Fn = /* @__PURE__ */ (() => Field(ed25519_CURVE.n, { isLE: true }))();
 
 const ed25519Defaults = /* @__PURE__ */ (() => ({
   ...ed25519_CURVE,
@@ -139,8 +130,7 @@ const ed25519Defaults = /* @__PURE__ */ (() => ({
  * ed25519 curve with EdDSA signatures.
  * @example
  * import { ed25519 } from '@noble/curves/ed25519';
- * const priv = ed25519.utils.randomPrivateKey();
- * const pub = ed25519.getPublicKey(priv);
+ * const { secretKey, publicKey } = ed25519.keygen();
  * const msg = new TextEncoder().encode('hello');
  * const sig = ed25519.sign(msg, priv);
  * ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
@@ -158,11 +148,14 @@ function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   );
 }
 
+/** Context of ed25519. Uses context for domain separation. */
 export const ed25519ctx: CurveFn = /* @__PURE__ */ (() =>
   twistedEdwards({
     ...ed25519Defaults,
     domain: ed25519_domain,
   }))();
+
+/** Prehashed version of ed25519. Accepts already-hashed messages in sign() and verify(). */
 export const ed25519ph: CurveFn = /* @__PURE__ */ (() =>
   twistedEdwards(
     Object.assign({}, ed25519Defaults, {
@@ -179,7 +172,7 @@ export const ed25519ph: CurveFn = /* @__PURE__ */ (() =>
  * const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
  * x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
  * x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
- * x25519.getPublicKey(x25519.utils.randomPrivateKey());
+ * x25519.getPublicKey(x25519.utils.randomSecretKey());
  */
 export const x25519: XCurveFn = /* @__PURE__ */ (() => {
   const P = ed25519_CURVE.p;
@@ -195,33 +188,16 @@ export const x25519: XCurveFn = /* @__PURE__ */ (() => {
   });
 })();
 
-/**
- * Converts ed25519 public key to x25519 public key. Uses formula:
- * * `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
- * * `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
- * @example
- *   const someonesPub = ed25519.getPublicKey(ed25519.utils.randomPrivateKey());
- *   const aPriv = x25519.utils.randomPrivateKey();
- *   x25519.getSharedSecret(aPriv, edwardsToMontgomeryPub(someonesPub))
- */
+/** @deprecated use `ed25519.utils.toMontgomery` */
 export function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array {
-  const bpub = ensureBytes('pub', edwardsPub);
-  const { y } = ed25519.Point.fromHex(bpub);
-  const _1n = BigInt(1);
-  return Fp.toBytes(Fp.create((_1n + y) * Fp.inv(_1n - y)));
+  return ed25519.utils.toMontgomery(ensureBytes('pub', edwardsPub));
 }
-export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub; // deprecated
+/** @deprecated use `ed25519.utils.toMontgomery` */
+export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;
 
-/**
- * Converts ed25519 secret key to x25519 secret key.
- * @example
- *   const someonesPub = x25519.getPublicKey(x25519.utils.randomPrivateKey());
- *   const aPriv = ed25519.utils.randomPrivateKey();
- *   x25519.getSharedSecret(edwardsToMontgomeryPriv(aPriv), someonesPub)
- */
+/** @deprecated use `ed25519.utils.toMontgomeryPriv` */
 export function edwardsToMontgomeryPriv(edwardsPriv: Uint8Array): Uint8Array {
-  const hashed = ed25519Defaults.hash(edwardsPriv.subarray(0, 32));
-  return ed25519Defaults.adjustScalarBytes(hashed).subarray(0, 32);
+  return ed25519.utils.toMontgomeryPriv(ensureBytes('pub', edwardsPriv));
 }
 
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
@@ -297,6 +273,7 @@ function map_to_curve_elligator2_edwards25519(u: bigint) {
   return { x: Fp.mul(xn, xd_inv), y: Fp.mul(yn, yd_inv) }; //  13. return (xn, xd, yn, yd)
 }
 
+/** Hashing to ed25519 points / field. RFC 9380 methods. */
 export const ed25519_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
     ed25519.Point,
@@ -311,13 +288,6 @@ export const ed25519_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
       hash: sha512,
     }
   ))();
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  ed25519_hasher.encodeToCurve)();
-
-function aristp(other: unknown) {
-  if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');
-}
 
 // √(-1) aka √(a) aka 2^((p-1)/4)
 const SQRT_M1 = ED25519_SQRT_M1;
@@ -346,7 +316,7 @@ const MAX_255B = /* @__PURE__ */ BigInt(
 const bytes255ToNumberLE = (bytes: Uint8Array) =>
   ed25519.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
 
-type ExtendedPoint = ExtPointType;
+type ExtendedPoint = EdwardsPoint;
 
 /**
  * Computes Elligator map for Ristretto255.
@@ -375,64 +345,71 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
   return new ed25519.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
+function ristretto255_map(bytes: Uint8Array): _RistrettoPoint {
+  abytes(bytes, 64);
+  const r1 = bytes255ToNumberLE(bytes.subarray(0, 32));
+  const R1 = calcElligatorRistrettoMap(r1);
+  const r2 = bytes255ToNumberLE(bytes.subarray(32, 64));
+  const R2 = calcElligatorRistrettoMap(r2);
+  return new _RistrettoPoint(R1.add(R2));
+}
+
 /**
+ * Wrapper over Edwards Point for ristretto255.
+ *
  * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
  * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
-class RistPoint implements Group<RistPoint> {
-  static BASE: RistPoint;
-  static ZERO: RistPoint;
-  private readonly ep: ExtendedPoint;
-  // Private property to discourage combining ExtendedPoint + RistrettoPoint
-  // Always use Ristretto encoding/decoding instead.
+class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
+  // Do NOT change syntax: the following gymnastics is done,
+  // because typescript strips comments, which makes bundlers disable tree-shaking.
+  // prettier-ignore
+  static BASE: _RistrettoPoint =
+    /* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.BASE))();
+  // prettier-ignore
+  static ZERO: _RistrettoPoint =
+    /* @__PURE__ */ (() => new _RistrettoPoint(ed25519.Point.ZERO))();
+  // prettier-ignore
+  static Fp: IField<bigint> =
+    /* @__PURE__ */ Fp;
+  // prettier-ignore
+  static Fn: IField<bigint> =
+    /* @__PURE__ */ Fn;
+
   constructor(ep: ExtendedPoint) {
-    this.ep = ep;
+    super(ep);
   }
 
-  static fromAffine(ap: AffinePoint<bigint>): RistPoint {
-    return new RistPoint(ed25519.Point.fromAffine(ap));
+  static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint {
+    return new _RistrettoPoint(ed25519.Point.fromAffine(ap));
   }
 
-  /**
-   * Takes uniform output of 64-byte hash function like sha512 and converts it to `RistrettoPoint`.
-   * The hash-to-group operation applies Elligator twice and adds the results.
-   * **Note:** this is one-way map, there is no conversion from point to hash.
-   * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B) and on
-   * the [website](https://ristretto.group/formulas/elligator.html).
-   * @param hex 64-byte output of a hash function
-   */
-  static hashToCurve(hex: Hex): RistPoint {
-    hex = ensureBytes('ristrettoHash', hex, 64);
-    const r1 = bytes255ToNumberLE(hex.slice(0, 32));
-    const R1 = calcElligatorRistrettoMap(r1);
-    const r2 = bytes255ToNumberLE(hex.slice(32, 64));
-    const R2 = calcElligatorRistrettoMap(r2);
-    return new RistPoint(R1.add(R2));
+  protected assertSame(other: _RistrettoPoint): void {
+    if (!(other instanceof _RistrettoPoint)) throw new Error('RistrettoPoint expected');
   }
 
-  static fromBytes(bytes: Uint8Array): RistPoint {
-    abytes(bytes);
-    return this.fromHex(bytes);
+  protected init(ep: EdwardsPoint): _RistrettoPoint {
+    return new _RistrettoPoint(ep);
   }
 
-  /**
-   * Converts ristretto-encoded string to ristretto point.
-   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
-   * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
-   */
-  static fromHex(hex: Hex): RistPoint {
-    hex = ensureBytes('ristrettoHex', hex, 32);
+  /** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+  static hashToCurve(hex: Hex): _RistrettoPoint {
+    return ristretto255_map(ensureBytes('ristrettoHash', hex, 64));
+  }
+
+  static fromBytes(bytes: Uint8Array): _RistrettoPoint {
+    abytes(bytes, 32);
     const { a, d } = ed25519.CURVE;
     const P = Fp.ORDER;
     const mod = Fp.create;
-    const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
-    const s = bytes255ToNumberLE(hex);
+    const s = bytes255ToNumberLE(bytes);
     // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
     // 3. Check that s is non-negative, or else abort
-    if (!equalBytes(numberToBytesLE(s, 32), hex) || isNegativeLE(s, P)) throw new Error(emsg);
+    if (!equalBytes(numberToBytesLE(s, 32), bytes) || isNegativeLE(s, P))
+      throw new Error('invalid ristretto255 encoding 1');
     const s2 = mod(s * s);
     const u1 = mod(_1n + a * s2); // 4 (a is -1)
     const u2 = mod(_1n - a * s2); // 5
@@ -446,13 +423,22 @@ class RistPoint implements Group<RistPoint> {
     if (isNegativeLE(x, P)) x = mod(-x); // 10
     const y = mod(u1 * Dy); // 11
     const t = mod(x * y); // 12
-    if (!isValid || isNegativeLE(t, P) || y === _0n) throw new Error(emsg);
-    return new RistPoint(new ed25519.Point(x, y, _1n, t));
+    if (!isValid || isNegativeLE(t, P) || y === _0n)
+      throw new Error('invalid ristretto255 encoding 2');
+    return new _RistrettoPoint(new ed25519.Point(x, y, _1n, t));
   }
 
-  static msm(points: RistPoint[], scalars: bigint[]): RistPoint {
-    const Fn = Field(ed25519.CURVE.n, ed25519.CURVE.nBitLength);
-    return pippenger(RistPoint, Fn, points, scalars);
+  /**
+   * Converts ristretto-encoded string to ristretto point.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
+   * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+   */
+  static fromHex(hex: Hex): _RistrettoPoint {
+    return _RistrettoPoint.fromBytes(ensureBytes('ristrettoHex', hex, 32));
+  }
+
+  static msm(points: _RistrettoPoint[], scalars: bigint[]): _RistrettoPoint {
+    return pippenger(_RistrettoPoint, ed25519.Point.Fn, points, scalars);
   }
 
   /**
@@ -460,54 +446,41 @@ class RistPoint implements Group<RistPoint> {
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
    */
   toBytes(): Uint8Array {
-    let { ex: x, ey: y, ez: z, et: t } = this.ep;
+    let { X, Y, Z, T } = this.ep;
     const P = Fp.ORDER;
     const mod = Fp.create;
-    const u1 = mod(mod(z + y) * mod(z - y)); // 1
-    const u2 = mod(x * y); // 2
+    const u1 = mod(mod(Z + Y) * mod(Z - Y)); // 1
+    const u2 = mod(X * Y); // 2
     // Square root always exists
     const u2sq = mod(u2 * u2);
     const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
     const D1 = mod(invsqrt * u1); // 4
     const D2 = mod(invsqrt * u2); // 5
-    const zInv = mod(D1 * D2 * t); // 6
+    const zInv = mod(D1 * D2 * T); // 6
     let D: bigint; // 7
-    if (isNegativeLE(t * zInv, P)) {
-      let _x = mod(y * SQRT_M1);
-      let _y = mod(x * SQRT_M1);
-      x = _x;
-      y = _y;
+    if (isNegativeLE(T * zInv, P)) {
+      let _x = mod(Y * SQRT_M1);
+      let _y = mod(X * SQRT_M1);
+      X = _x;
+      Y = _y;
       D = mod(D1 * INVSQRT_A_MINUS_D);
     } else {
       D = D2; // 8
     }
-    if (isNegativeLE(x * zInv, P)) y = mod(-y); // 9
-    let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
+    if (isNegativeLE(X * zInv, P)) Y = mod(-Y); // 9
+    let s = mod((Z - Y) * D); // 10 (check footer's note, no sqrt(-a))
     if (isNegativeLE(s, P)) s = mod(-s);
     return numberToBytesLE(s, 32); // 11
   }
 
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array {
-    return this.toBytes();
-  }
-
-  toHex(): string {
-    return bytesToHex(this.toBytes());
-  }
-
-  toString(): string {
-    return this.toHex();
-  }
-
   /**
    * Compares two Ristretto points.
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
    */
-  equals(other: RistPoint): boolean {
-    aristp(other);
-    const { ex: X1, ey: Y1 } = this.ep;
-    const { ex: X2, ey: Y2 } = other.ep;
+  equals(other: _RistrettoPoint): boolean {
+    this.assertSame(other);
+    const { X: X1, Y: Y1 } = this.ep;
+    const { X: X2, Y: Y2 } = other.ep;
     const mod = Fp.create;
     // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
     const one = mod(X1 * Y2) === mod(Y1 * X2);
@@ -515,54 +488,63 @@ class RistPoint implements Group<RistPoint> {
     return one || two;
   }
 
-  add(other: RistPoint): RistPoint {
-    aristp(other);
-    return new RistPoint(this.ep.add(other.ep));
-  }
-
-  subtract(other: RistPoint): RistPoint {
-    aristp(other);
-    return new RistPoint(this.ep.subtract(other.ep));
-  }
-
-  multiply(scalar: bigint): RistPoint {
-    return new RistPoint(this.ep.multiply(scalar));
-  }
-
-  multiplyUnsafe(scalar: bigint): RistPoint {
-    return new RistPoint(this.ep.multiplyUnsafe(scalar));
+  is0(): boolean {
+    return this.equals(_RistrettoPoint.ZERO);
   }
+}
 
-  double(): RistPoint {
-    return new RistPoint(this.ep.double());
-  }
+/** @deprecated use `ristretto255.Point` */
+export const RistrettoPoint: typeof _RistrettoPoint = _RistrettoPoint;
+
+export const ristretto255: {
+  Point: typeof _RistrettoPoint;
+} = { Point: _RistrettoPoint };
+
+/** Hashing to ristretto255 points / field. RFC 9380 methods. */
+export const ristretto255_hasher: H2CHasherBase<bigint> = {
+  hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _RistrettoPoint {
+    const DST = options?.DST || 'ristretto255_XMD:SHA-512_R255MAP_RO_';
+    return ristretto255_map(expand_message_xmd(msg, DST, 64, sha512));
+  },
+  hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
+    return Fn.create(bytesToNumberLE(expand_message_xmd(msg, options.DST, 64, sha512)));
+  },
+};
 
-  negate(): RistPoint {
-    return new RistPoint(this.ep.negate());
-  }
-}
+// export const ristretto255_oprf: OPRF = createORPF({
+//   name: 'ristretto255-SHA512',
+//   Point: RistrettoPoint,
+//   hash: sha512,
+//   hashToGroup: ristretto255_hasher.hashToCurve,
+//   hashToScalar: ristretto255_hasher.hashToScalar,
+// });
 
-/**
- * Wrapper over Edwards Point for ristretto255 from
- * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
- */
-export const RistrettoPoint: typeof RistPoint = /* @__PURE__ */ (() => {
-  if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.Point.BASE);
-  if (!RistPoint.ZERO) RistPoint.ZERO = new RistPoint(ed25519.Point.ZERO);
-  return RistPoint;
-})();
+/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed25519_hasher.hashToCurve)();
+/** @deprecated use `import { ed25519_hasher } from '@noble/curves/ed25519.js';` */
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
+  ed25519_hasher.encodeToCurve)();
+type RistHasher = (msg: Uint8Array, options: htfBasicOpts) => _RistrettoPoint;
+/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+export const hashToRistretto255: RistHasher = /* @__PURE__ */ (() =>
+  ristretto255_hasher.hashToCurve as RistHasher)();
+/** @deprecated use `import { ristretto255_hasher } from '@noble/curves/ed25519.js';` */
+export const hash_to_ristretto255: RistHasher = /* @__PURE__ */ (() =>
+  ristretto255_hasher.hashToCurve as RistHasher)();
 
 /**
- * hash-to-curve for ristretto255.
- * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-B).
+ * Weird / bogus points, useful for debugging.
+ * All 8 ed25519 points of 8-torsion subgroup can be generated from the point
+ * T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
+ * ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
  */
-export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts): RistPoint => {
-  const d = options.DST;
-  const DST = typeof d === 'string' ? utf8ToBytes(d) : d;
-  const uniform_bytes = expand_message_xmd(msg, DST, 64, sha512);
-  const P = RistPoint.hashToCurve(uniform_bytes);
-  return P;
-};
-/** @deprecated */
-export const hash_to_ristretto255: (msg: Uint8Array, options: htfBasicOpts) => RistPoint =
-  hashToRistretto255; // legacy
+export const ED25519_TORSION_SUBGROUP: string[] = [
+  '0100000000000000000000000000000000000000000000000000000000000000',
+  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+  '0000000000000000000000000000000000000000000000000000000000000080',
+  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+  'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+  '0000000000000000000000000000000000000000000000000000000000000000',
+  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];