@noble/curves 1.9.2 → 1.9.4

package/src/ed448.ts

@@ -14,34 +14,31 @@ import {
   utf8ToBytes,
   createHasher as wrapConstructor,
 } from '@noble/hashes/utils.js';
-import type { AffinePoint, Group } from './abstract/curve.ts';
+import type { AffinePoint } from './abstract/curve.ts';
 import { pippenger } from './abstract/curve.ts';
 import {
-  type CurveFn,
   edwards,
-  type EdwardsOpts,
-  type ExtPointConstructor,
-  type ExtPointType,
+  PrimeEdwardsPoint,
   twistedEdwards,
+  type CurveFn,
+  type EdwardsOpts,
+  type EdwardsPoint,
+  type EdwardsPointCons,
 } from './abstract/edwards.ts';
 import {
+  _DST_scalar,
   createHasher,
   expand_message_xof,
   type H2CHasher,
+  type H2CHasherBase,
   type H2CMethod,
   type htfBasicOpts,
 } from './abstract/hash-to-curve.ts';
-import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
-import {
-  bytesToHex,
-  bytesToNumberLE,
-  ensureBytes,
-  equalBytes,
-  type Hex,
-  numberToBytesLE,
-} from './utils.ts';
+import { Field, FpInvertBatch, isNegativeLE, mod, pow2, type IField } from './abstract/modular.ts';
+import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
+import { bytesToNumberLE, ensureBytes, equalBytes, numberToBytesLE, type Hex } from './utils.ts';
 
+// edwards448 curve
 // a = 1n
 // d = Fp.neg(39081n)
 // Finite field 2n**448n - 2n**224n - 1n
@@ -67,9 +64,7 @@ const ed448_CURVE: EdwardsOpts = {
   ),
 };
 
-// E448 != Edwards448 used in ed448
-// E448 is defined by NIST
-// It's birationally equivalent to edwards448
+// E448 NIST curve is identical to edwards448, except for:
 // d = 39082/39081
 // Gx = 3/2
 const E448_CURVE: EdwardsOpts = Object.assign({}, ed448_CURVE, {
@@ -83,7 +78,6 @@ const E448_CURVE: EdwardsOpts = Object.assign({}, ed448_CURVE, {
     '0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
   ),
 });
-export const E448: ExtPointConstructor = edwards(E448_CURVE);
 
 const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
@@ -147,13 +141,16 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
 }
 
 // Finite field 2n**448n - 2n**224n - 1n
-const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, 456, true))();
+const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
 // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
+// const Fn456 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
+
 // SHAKE256(dom4(phflag,context)||x, 114)
 const ED448_DEF = /* @__PURE__ */ (() => ({
   ...ed448_CURVE,
   Fp,
-  nBitLength: 456,
+  Fn,
   hash: shake256_114,
   adjustScalarBytes,
   // dom4
@@ -173,20 +170,28 @@ const ED448_DEF = /* @__PURE__ */ (() => ({
  * ed448 EdDSA curve and methods.
  * @example
  * import { ed448 } from '@noble/curves/ed448';
- * const priv = ed448.utils.randomPrivateKey();
- * const pub = ed448.getPublicKey(priv);
- * const msg = new TextEncoder().encode('whatsup');
- * const sig = ed448.sign(msg, priv);
- * ed448.verify(sig, msg, pub);
+ * const { secretKey, publicKey } = ed448.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = ed448.sign(msg, secretKey);
+ * const isValid = ed448.verify(sig, msg, publicKey);
  */
 export const ed448: CurveFn = twistedEdwards(ED448_DEF);
-// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+
+// There is no ed448ctx, since ed448 supports ctx by default
+/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
 export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
   twistedEdwards({
     ...ED448_DEF,
     prehash: shake256_64,
   }))();
 
+/**
+ * E448 curve, defined by NIST.
+ * E448 != edwards448 used in ed448.
+ * E448 is birationally equivalent to edwards448.
+ */
+export const E448: EdwardsPointCons = edwards(E448_CURVE);
+
 /**
  * ECDH using curve448 aka x448.
  * x448 has 56-byte keys as per RFC 7748, while
@@ -206,23 +211,13 @@ export const x448: XCurveFn = /* @__PURE__ */ (() => {
   });
 })();
 
-/**
- * Converts edwards448 public key to x448 public key. Uses formula:
- * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
- * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
- * @example
- *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
- *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
- */
+/** @deprecated use `ed448.utils.toMontgomery` */
 export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
-  const bpub = ensureBytes('pub', edwardsPub);
-  const { y } = ed448.Point.fromHex(bpub);
-  const _1n = BigInt(1);
-  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+  return ed448.utils.toMontgomery(ensureBytes('pub', edwardsPub));
 }
 
-export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub; // deprecated
-// TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
+/** @deprecated use `ed448.utils.toMontgomery` */
+export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;
 
 // Hash To Curve Elligator2 Map
 const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
@@ -301,6 +296,7 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
   return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 
+/** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
 export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(ed448.Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
     DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
@@ -311,13 +307,6 @@ export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
     expand: 'xof',
     hash: shake256,
   }))();
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  ed448_hasher.encodeToCurve)();
-
-function adecafp(other: unknown) {
-  if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
-}
 
 // 1-d
 const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
@@ -339,7 +328,7 @@ const MAX_448B = /* @__PURE__ */ BigInt(
 );
 const bytes448ToNumberLE = (bytes: Uint8Array) => Fp.create(bytesToNumberLE(bytes) & MAX_448B);
 
-type ExtendedPoint = ExtPointType;
+type ExtendedPoint = EdwardsPoint;
 
 /**
  * Elligator map for hash-to-curve of decaf448.
@@ -375,6 +364,15 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
   return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
+function decaf448_map(bytes: Uint8Array): _DecafPoint {
+  abytes(bytes, 112);
+  const r1 = bytes448ToNumberLE(bytes.slice(0, 56));
+  const R1 = calcElligatorDecafMap(r1);
+  const r2 = bytes448ToNumberLE(bytes.slice(56, 112));
+  const R2 = calcElligatorDecafMap(r2);
+  return new _DecafPoint(R1.add(R2));
+}
+
 /**
  * Each ed448/ExtendedPoint has 4 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
@@ -382,58 +380,53 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
-class DcfPoint implements Group<DcfPoint> {
-  static BASE: DcfPoint;
-  static ZERO: DcfPoint;
-  private readonly ep: ExtendedPoint;
-  // Private property to discourage combining ExtendedPoint + DecafPoint
-  // Always use Decaf encoding/decoding instead.
+class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
+  // The following gymnastics is done because typescript strips comments otherwise
+  // prettier-ignore
+  static BASE: _DecafPoint =
+    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n))();
+  // prettier-ignore
+  static ZERO: _DecafPoint =
+    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
+  // prettier-ignore
+  static Fp: IField<bigint> =
+    /* @__PURE__ */ Fp;
+  // prettier-ignore
+  static Fn: IField<bigint> =
+    /* @__PURE__ */ Fn;
+
   constructor(ep: ExtendedPoint) {
-    this.ep = ep;
+    super(ep);
   }
 
-  static fromAffine(ap: AffinePoint<bigint>): DcfPoint {
-    return new DcfPoint(ed448.Point.fromAffine(ap));
+  static fromAffine(ap: AffinePoint<bigint>): _DecafPoint {
+    return new _DecafPoint(ed448.Point.fromAffine(ap));
   }
 
-  /**
-   * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
-   * The hash-to-group operation applies Elligator twice and adds the results.
-   * **Note:** this is one-way map, there is no conversion from point to hash.
-   * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
-   * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
-   * @param hex 112-byte output of a hash function
-   */
-  static hashToCurve(hex: Hex): DcfPoint {
-    hex = ensureBytes('decafHash', hex, 112);
-    const r1 = bytes448ToNumberLE(hex.slice(0, 56));
-    const R1 = calcElligatorDecafMap(r1);
-    const r2 = bytes448ToNumberLE(hex.slice(56, 112));
-    const R2 = calcElligatorDecafMap(r2);
-    return new DcfPoint(R1.add(R2));
+  protected assertSame(other: _DecafPoint): void {
+    if (!(other instanceof _DecafPoint)) throw new Error('DecafPoint expected');
   }
 
-  static fromBytes(bytes: Uint8Array): DcfPoint {
-    abytes(bytes);
-    return this.fromHex(bytes);
+  protected init(ep: EdwardsPoint): _DecafPoint {
+    return new _DecafPoint(ep);
   }
 
-  /**
-   * Converts decaf-encoded string to decaf point.
-   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
-   * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
-   */
-  static fromHex(hex: Hex): DcfPoint {
-    hex = ensureBytes('decafHex', hex, 56);
+  /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+  static hashToCurve(hex: Hex): _DecafPoint {
+    return decaf448_map(ensureBytes('decafHash', hex, 112));
+  }
+
+  static fromBytes(bytes: Uint8Array): _DecafPoint {
+    abytes(bytes, 56);
     const { d } = ed448.CURVE;
     const P = Fp.ORDER;
     const mod = Fp.create;
-    const emsg = 'DecafPoint.fromHex: the hex is not valid encoding of DecafPoint';
-    const s = bytes448ToNumberLE(hex);
+    const s = bytes448ToNumberLE(bytes);
 
     // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
     // 2. Check that s is non-negative, or else abort
-    if (!equalBytes(numberToBytesLE(s, 56), hex) || isNegativeLE(s, P)) throw new Error(emsg);
+    if (!equalBytes(numberToBytesLE(s, 56), bytes) || isNegativeLE(s, P))
+      throw new Error('invalid decaf448 encoding 1');
 
     const s2 = mod(s * s); // 1
     const u1 = mod(_1n + s2); // 2
@@ -449,13 +442,22 @@ class DcfPoint implements Group<DcfPoint> {
     const y = mod((_1n - s2) * invsqrt * u1); // 7
     const t = mod(x * y); // 8
 
-    if (!isValid) throw new Error(emsg);
-    return new DcfPoint(new ed448.Point(x, y, _1n, t));
+    if (!isValid) throw new Error('invalid decaf448 encoding 2');
+    return new _DecafPoint(new ed448.Point(x, y, _1n, t));
+  }
+
+  /**
+   * Converts decaf-encoded string to decaf point.
+   * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
+   * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
+   */
+  static fromHex(hex: Hex): _DecafPoint {
+    return _DecafPoint.fromBytes(ensureBytes('decafHex', hex, 56));
   }
 
-  static msm(points: DcfPoint[], scalars: bigint[]): DcfPoint {
-    const Fn = Field(ed448.CURVE.n, ed448.CURVE.nBitLength);
-    return pippenger(DcfPoint, Fn, points, scalars);
+  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+  static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint {
+    return pippenger(_DecafPoint, Fn, points, scalars);
   }
 
   /**
@@ -463,99 +465,91 @@ class DcfPoint implements Group<DcfPoint> {
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
    */
   toBytes(): Uint8Array {
-    let { ex: x, ey: _y, ez: z, et: t } = this.ep;
+    const { X, Z, T } = this.ep;
     const P = Fp.ORDER;
     const mod = Fp.create;
 
-    const u1 = mod(mod(x + t) * mod(x - t)); // 1
-    const x2 = mod(x * x);
+    const u1 = mod(mod(X + T) * mod(X - T)); // 1
+    const x2 = mod(X * X);
     const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
 
     let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
     if (isNegativeLE(ratio, P)) ratio = mod(-ratio);
 
-    const u2 = mod(INVSQRT_MINUS_D * ratio * z - t); // 4
+    const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
 
-    let s = mod(ONE_MINUS_D * invsqrt * x * u2); // 5
+    let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
     if (isNegativeLE(s, P)) s = mod(-s);
 
     return numberToBytesLE(s, 56);
   }
 
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array {
-    return this.toBytes();
-  }
-
-  toHex(): string {
-    return bytesToHex(this.toBytes());
-  }
-
-  toString(): string {
-    return this.toHex();
-  }
-
   /**
    * Compare one point to another.
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals-2).
    */
-  equals(other: DcfPoint): boolean {
-    adecafp(other);
-    const { ex: X1, ey: Y1 } = this.ep;
-    const { ex: X2, ey: Y2 } = other.ep;
+  equals(other: _DecafPoint): boolean {
+    this.assertSame(other);
+    const { X: X1, Y: Y1 } = this.ep;
+    const { X: X2, Y: Y2 } = other.ep;
     const mod = Fp.create;
     // (x1 * y2 == y1 * x2)
     return mod(X1 * Y2) === mod(Y1 * X2);
   }
 
-  add(other: DcfPoint): DcfPoint {
-    adecafp(other);
-    return new DcfPoint(this.ep.add(other.ep));
-  }
-
-  subtract(other: DcfPoint): DcfPoint {
-    adecafp(other);
-    return new DcfPoint(this.ep.subtract(other.ep));
-  }
-
-  multiply(scalar: bigint): DcfPoint {
-    return new DcfPoint(this.ep.multiply(scalar));
+  is0(): boolean {
+    return this.equals(_DecafPoint.ZERO);
   }
+}
 
-  multiplyUnsafe(scalar: bigint): DcfPoint {
-    return new DcfPoint(this.ep.multiplyUnsafe(scalar));
-  }
+/** @deprecated use `decaf448.Point` */
+export const DecafPoint: typeof _DecafPoint = _DecafPoint;
+export const decaf448: {
+  Point: typeof _DecafPoint;
+} = { Point: _DecafPoint };
+
+/** Hashing to decaf448 points / field. RFC 9380 methods. */
+export const decaf448_hasher: H2CHasherBase<bigint> = {
+  hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _DecafPoint {
+    const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
+    return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake256));
+  },
+  hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
+    return Fn.create(bytesToNumberLE(expand_message_xof(msg, options.DST, 64, 256, shake256)));
+  },
+};
 
-  double(): DcfPoint {
-    return new DcfPoint(this.ep.double());
-  }
+// export const decaf448_oprf: OPRF = createORPF({
+//   name: 'decaf448-SHAKE256',
+//   Point: DecafPoint,
+//   hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
+//   hashToGroup: decaf448_hasher.hashToCurve,
+//   hashToScalar: decaf448_hasher.hashToScalar,
+// });
 
-  negate(): DcfPoint {
-    return new DcfPoint(this.ep.negate());
-  }
-}
+type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
 
-/**
- * Wrapper over Edwards Point for decaf448 from
- * [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
- */
-export const DecafPoint: typeof DcfPoint = /* @__PURE__ */ (() => {
-  // decaf448 base point is ed448 base x 2
-  // https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699
-  if (!DcfPoint.BASE) DcfPoint.BASE = new DcfPoint(ed448.Point.BASE).multiply(_2n);
-  if (!DcfPoint.ZERO) DcfPoint.ZERO = new DcfPoint(ed448.Point.ZERO);
-  return DcfPoint;
-})();
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
+/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
+  ed448_hasher.encodeToCurve)();
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+export const hashToDecaf448: DcfHasher = /* @__PURE__ */ (() =>
+  decaf448_hasher.hashToCurve as DcfHasher)();
+/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
+export const hash_to_decaf448: DcfHasher = /* @__PURE__ */ (() =>
+  decaf448_hasher.hashToCurve as DcfHasher)();
 
 /**
- * hash-to-curve for decaf448.
- * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C).
+ * Weird / bogus points, useful for debugging.
+ * Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
+ * Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
+ * (0, 1), (0, -1), (-1, 0), (1, 0).
  */
-export const hashToDecaf448 = (msg: Uint8Array, options: htfBasicOpts): DcfPoint => {
-  const d = options.DST;
-  const DST = typeof d === 'string' ? utf8ToBytes(d) : d;
-  const uniform_bytes = expand_message_xof(msg, DST, 112, 224, shake256);
-  const P = DcfPoint.hashToCurve(uniform_bytes);
-  return P;
-};
-export const hash_to_decaf448: typeof hashToDecaf448 = hashToDecaf448; // legacy
+export const ED448_TORSION_SUBGROUP: string[] = [
+  '010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+  'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
+  '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
+  '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
+];

package/src/index.ts

@@ -3,15 +3,13 @@
  * @module
  * @example
 ```js
-import { secp256k1, schnorr } from '@noble/curves/secp256k1';
-import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
-import { p256 } from '@noble/curves/p256';
-import { p384 } from '@noble/curves/p384';
-import { p521 } from '@noble/curves/p521';
-import { bls12_381 } from '@noble/curves/bls12-381';
-import { bn254 } from '@noble/curves/bn254';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
+import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
+import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519.js';
+import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
+import { p256, p384, p521 } from '@noble/curves/nist.js';
+import { bls12_381 } from '@noble/curves/bls12-381.js';
+import { bn254 } from '@noble/curves/bn254.js';
+import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
 ```
  */
 throw new Error('root module cannot be imported: import submodules instead. Check out README');

package/src/jubjub.ts

@@ -4,9 +4,9 @@
  */
 import { jubjub_findGroupHash, jubjub_groupHash, jubjub as jubjubn } from './misc.ts';
 
-/** @deprecated Use `@noble/curves/misc` module directly. */
+/** @deprecated use `import { jubjub } from '@noble/curves/misc.js';` */
 export const jubjub: typeof jubjubn = jubjubn;
-/** @deprecated Use `@noble/curves/misc` module directly. */
+/** @deprecated use `import { jubjub_findGroupHash } from '@noble/curves/misc.js';` */
 export const findGroupHash: typeof jubjub_findGroupHash = jubjub_findGroupHash;
-/** @deprecated Use `@noble/curves/misc` module directly. */
+/** @deprecated use `import { jubjub_groupHash } from '@noble/curves/misc.js';` */
 export const groupHash: typeof jubjub_groupHash = jubjub_groupHash;

package/src/misc.ts

@@ -12,7 +12,7 @@ import {
   twistedEdwards,
   type CurveFn,
   type EdwardsOpts,
-  type ExtPointType,
+  type EdwardsPoint,
 } from './abstract/edwards.ts';
 import { Field, mod } from './abstract/modular.ts';
 import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
@@ -22,8 +22,6 @@ import { bn254_Fr } from './bn254.ts';
 // Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
 // jubjub Fp = bls n. babyjubjub Fp = bn254 n.
 // verify manually, check bls12-381.ts and bn254.ts.
-// https://neuromancer.sk/std/other/JubJub
-
 const jubjub_CURVE: EdwardsOpts = {
   p: bls12_381_Fr.ORDER,
   n: BigInt('0xe7db4ea6533afa906673b0101343b00a6682093ccc81082d0970e5ed6f72cb7'),
@@ -61,7 +59,7 @@ const jubjub_gh_first_block = utf8ToBytes(
 );
 
 // Returns point at JubJub curve which is prime order and not zero
-export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): ExtPointType {
+export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array): EdwardsPoint {
   const h = blake2s.create({ personalization, dkLen: 32 });
   h.update(jubjub_gh_first_block);
   h.update(tag);
@@ -76,7 +74,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
 // No secret data is leaked here at all.
 // It operates over public data:
 // const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
-export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): ExtPointType {
+export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): EdwardsPoint {
   const tag = concatBytes(m, Uint8Array.of(0));
   const hashes = [];
   for (let i = 0; i < 256; i++) {
@@ -99,7 +97,6 @@ export const pasta_q: bigint = BigInt(
 );
 
 /**
- * https://neuromancer.sk/std/other/Pallas
  * @deprecated
  */
 export const pallas: WCurveFn = weierstrass({
@@ -113,7 +110,6 @@ export const pallas: WCurveFn = weierstrass({
   hash: sha256,
 });
 /**
- * https://neuromancer.sk/std/other/Vesta
  * @deprecated
  */
 export const vesta: WCurveFn = weierstrass({