@noble/curves 1.9.5 → 2.0.0-beta.1

package/src/ed448.ts

@@ -8,19 +8,13 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3.js';
-import {
-  abytes,
-  concatBytes,
-  utf8ToBytes,
-  createHasher as wrapConstructor,
-} from '@noble/hashes/utils.js';
+import { concatBytes, hexToBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
 import type { AffinePoint } from './abstract/curve.ts';
-import { pippenger } from './abstract/curve.ts';
 import {
+  eddsa,
   edwards,
   PrimeEdwardsPoint,
-  twistedEdwards,
-  type CurveFn,
+  type EdDSA,
   type EdwardsOpts,
   type EdwardsPoint,
   type EdwardsPointCons,
@@ -31,12 +25,12 @@ import {
   expand_message_xof,
   type H2CHasher,
   type H2CHasherBase,
-  type H2CMethod,
   type htfBasicOpts,
 } from './abstract/hash-to-curve.ts';
 import { Field, FpInvertBatch, isNegativeLE, mod, pow2, type IField } from './abstract/modular.ts';
-import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
-import { bytesToNumberLE, ensureBytes, equalBytes, numberToBytesLE, type Hex } from './utils.ts';
+import { montgomery, type MontgomeryECDH } from './abstract/montgomery.ts';
+import { createORPF, type OPRF } from './abstract/oprf.ts';
+import { abytes, asciiToBytes, bytesToNumberLE, equalBytes } from './utils.ts';
 
 // edwards448 curve
 // a = 1n
@@ -140,33 +134,27 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
 }
 
 // Finite field 2n**448n - 2n**224n - 1n
+// The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
+// - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
+// - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
 const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
-// RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
-// Fn456 has BITS: 456
+const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
+// decaf448 uses 448-bit (56-byte) keys
+const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 448, isLE: true }))();
+const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
 
 // SHAKE256(dom4(phflag,context)||x, 114)
 function dom4(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
   return concatBytes(
-    utf8ToBytes('SigEd448'),
+    asciiToBytes('SigEd448'),
     new Uint8Array([phflag ? 1 : 0, ctx.length]),
     ctx,
     data
   );
 }
-// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
-// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
-
-const ED448_DEF = /* @__PURE__ */ (() => ({
-  ...ed448_CURVE,
-  Fp,
-  Fn,
-  hash: shake256_114,
-  adjustScalarBytes,
-  domain: dom4,
-  uvRatio,
-}))();
+const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
+const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
 
 /**
  * ed448 EdDSA curve and methods.
@@ -177,15 +165,14 @@ const ED448_DEF = /* @__PURE__ */ (() => ({
  * const sig = ed448.sign(msg, secretKey);
  * const isValid = ed448.verify(sig, msg, publicKey);
  */
-export const ed448: CurveFn = twistedEdwards(ED448_DEF);
+export const ed448: EdDSA = eddsa(ed448_Point, shake256_114, ed448_eddsa_opts);
 
 // There is no ed448ctx, since ed448 supports ctx by default
 /** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
-export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
-  twistedEdwards({
-    ...ED448_DEF,
-    prehash: shake256_64,
-  }))();
+export const ed448ph: EdDSA = /* @__PURE__ */ eddsa(ed448_Point, shake256_114, {
+  ...ed448_eddsa_opts,
+  prehash: shake256_64,
+});
 
 /**
  * E448 curve, defined by NIST.
@@ -199,7 +186,7 @@ export const E448: EdwardsPointCons = edwards(E448_CURVE);
  * x448 has 56-byte keys as per RFC 7748, while
  * ed448 has 57-byte keys as per RFC 8032.
  */
-export const x448: XCurveFn = /* @__PURE__ */ (() => {
+export const x448: MontgomeryECDH = /* @__PURE__ */ (() => {
   const P = ed448_CURVE.p;
   return montgomery({
     P,
@@ -291,8 +278,8 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
 }
 
 /** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
-export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(ed448.Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
+export const ed448_hasher: H2CHasher<EdwardsPointCons> = /* @__PURE__ */ (() =>
+  createHasher(ed448_Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
     DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
     encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
     p: Fp.ORDER,
@@ -317,19 +304,12 @@ const INVSQRT_MINUS_D = /* @__PURE__ */ BigInt(
 // Calculates 1/√(number)
 const invertSqrt = (number: bigint) => uvRatio(_1n, number);
 
-const MAX_448B = /* @__PURE__ */ BigInt(
-  '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-);
-const bytes448ToNumberLE = (bytes: Uint8Array) => Fp.create(bytesToNumberLE(bytes) & MAX_448B);
-
-type ExtendedPoint = EdwardsPoint;
-
 /**
  * Elligator map for hash-to-curve of decaf448.
  * Described in [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#appendix-C)
  * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
  */
-function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
+function calcElligatorDecafMap(r0: bigint): EdwardsPoint {
   const { d } = ed448_CURVE;
   const P = Fp.ORDER;
   const mod = (n: bigint) => Fp.create(n);
@@ -355,22 +335,26 @@ function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
   const W1 = mod(s2 + _1n); // 9
   const W2 = mod(s2 - _1n); // 10
   const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
-  return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+  return new ed448_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
 function decaf448_map(bytes: Uint8Array): _DecafPoint {
   abytes(bytes, 112);
-  const r1 = bytes448ToNumberLE(bytes.slice(0, 56));
+  const skipValidation = true;
+  // Note: Similar to the field element decoding described in
+  // [RFC7748], and unlike the field element decoding described in
+  // Section 5.3.1, non-canonical values are accepted.
+  const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
   const R1 = calcElligatorDecafMap(r1);
-  const r2 = bytes448ToNumberLE(bytes.slice(56, 112));
+  const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
   const R2 = calcElligatorDecafMap(r2);
   return new _DecafPoint(R1.add(R2));
 }
 
 /**
- * Each ed448/ExtendedPoint has 4 different equivalent points. This can be
+ * Each ed448/EdwardsPoint has 4 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
- * Decaf point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * Decaf point operates in X:Y:Z:T extended coordinates like EdwardsPoint,
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
@@ -378,23 +362,23 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
   // The following gymnastics is done because typescript strips comments otherwise
   // prettier-ignore
   static BASE: _DecafPoint =
-    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n))();
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.BASE).multiplyUnsafe(_2n))();
   // prettier-ignore
   static ZERO: _DecafPoint =
-    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.ZERO))();
   // prettier-ignore
   static Fp: IField<bigint> =
-    /* @__PURE__ */ (() => Fp)();
+    /* @__PURE__ */ (() => Fp448)();
   // prettier-ignore
   static Fn: IField<bigint> =
-    /* @__PURE__ */ (() => Fn)();
+    /* @__PURE__ */ (() => Fn448)();
 
-  constructor(ep: ExtendedPoint) {
+  constructor(ep: EdwardsPoint) {
     super(ep);
   }
 
   static fromAffine(ap: AffinePoint<bigint>): _DecafPoint {
-    return new _DecafPoint(ed448.Point.fromAffine(ap));
+    return new _DecafPoint(ed448_Point.fromAffine(ap));
   }
 
   protected assertSame(other: _DecafPoint): void {
@@ -405,21 +389,16 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     return new _DecafPoint(ep);
   }
 
-  /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-  static hashToCurve(hex: Hex): _DecafPoint {
-    return decaf448_map(ensureBytes('decafHash', hex, 112));
-  }
-
   static fromBytes(bytes: Uint8Array): _DecafPoint {
     abytes(bytes, 56);
     const { d } = ed448_CURVE;
     const P = Fp.ORDER;
-    const mod = (n: bigint) => Fp.create(n);
-    const s = bytes448ToNumberLE(bytes);
+    const mod = (n: bigint) => Fp448.create(n);
+    const s = Fp448.fromBytes(bytes);
 
     // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
     // 2. Check that s is non-negative, or else abort
-    if (!equalBytes(numberToBytesLE(s, 56), bytes) || isNegativeLE(s, P))
+    if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
       throw new Error('invalid decaf448 encoding 1');
 
     const s2 = mod(s * s); // 1
@@ -437,7 +416,7 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     const t = mod(x * y); // 8
 
     if (!isValid) throw new Error('invalid decaf448 encoding 2');
-    return new _DecafPoint(new ed448.Point(x, y, _1n, t));
+    return new _DecafPoint(new ed448_Point(x, y, _1n, t));
   }
 
   /**
@@ -445,13 +424,8 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
    * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
    */
-  static fromHex(hex: Hex): _DecafPoint {
-    return _DecafPoint.fromBytes(ensureBytes('decafHex', hex, 56));
-  }
-
-  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-  static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint {
-    return pippenger(_DecafPoint, Fn, points, scalars);
+  static fromHex(hex: string): _DecafPoint {
+    return _DecafPoint.fromBytes(hexToBytes(hex));
   }
 
   /**
@@ -462,20 +436,15 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     const { X, Z, T } = this.ep;
     const P = Fp.ORDER;
     const mod = (n: bigint) => Fp.create(n);
-
     const u1 = mod(mod(X + T) * mod(X - T)); // 1
     const x2 = mod(X * X);
     const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
-
     let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
     if (isNegativeLE(ratio, P)) ratio = mod(-ratio);
-
     const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
-
     let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
     if (isNegativeLE(s, P)) s = mod(-s);
-
-    return numberToBytesLE(s, 56);
+    return Fn448.toBytes(s);
   }
 
   /**
@@ -486,9 +455,8 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     this.assertSame(other);
     const { X: X1, Y: Y1 } = this.ep;
     const { X: X2, Y: Y2 } = other.ep;
-    const mod = (n: bigint) => Fp.create(n);
     // (x1 * y2 == y1 * x2)
-    return mod(X1 * Y2) === mod(Y1 * X2);
+    return Fp.create(X1 * Y2) === Fp.create(Y1 * X2);
   }
 
   is0(): boolean {
@@ -501,23 +469,29 @@ export const decaf448: {
 } = { Point: _DecafPoint };
 
 /** Hashing to decaf448 points / field. RFC 9380 methods. */
-export const decaf448_hasher: H2CHasherBase<bigint> = {
+export const decaf448_hasher: H2CHasherBase<_DecafPoint> = {
   hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _DecafPoint {
     const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
     return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake256));
   },
+  // Warning: has big modulo bias of 2^-64.
+  // RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
+  // it must use 84-byte xof (56+56/2), not 64.
   hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
-    return Fn.create(bytesToNumberLE(expand_message_xof(msg, options.DST, 64, 256, shake256)));
+    // Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
+    const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
+    return Fn448.create(bytesToNumberLE(xof));
   },
 };
 
-// export const decaf448_oprf: OPRF = createORPF({
-//   name: 'decaf448-SHAKE256',
-//   Point: DecafPoint,
-//   hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
-//   hashToGroup: decaf448_hasher.hashToCurve,
-//   hashToScalar: decaf448_hasher.hashToScalar,
-// });
+export const decaf448_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'decaf448-SHAKE256',
+    Point: _DecafPoint,
+    hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
+    hashToGroup: decaf448_hasher.hashToCurve,
+    hashToScalar: decaf448_hasher.hashToScalar,
+  }))();
 
 /**
  * Weird / bogus points, useful for debugging.
@@ -531,27 +505,3 @@ export const ED448_TORSION_SUBGROUP: string[] = [
   '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
   '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
 ];
-
-type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
-
-/** @deprecated use `decaf448.Point` */
-export const DecafPoint: typeof _DecafPoint = _DecafPoint;
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  ed448_hasher.encodeToCurve)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export const hashToDecaf448: DcfHasher = /* @__PURE__ */ (() =>
-  decaf448_hasher.hashToCurve as DcfHasher)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export const hash_to_decaf448: DcfHasher = /* @__PURE__ */ (() =>
-  decaf448_hasher.hashToCurve as DcfHasher)();
-
-/** @deprecated use `ed448.utils.toMontgomery` */
-export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
-  return ed448.utils.toMontgomery(ensureBytes('pub', edwardsPub));
-}
-
-/** @deprecated use `ed448.utils.toMontgomery` */
-export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;

package/src/index.ts

@@ -9,7 +9,7 @@ import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
 import { p256, p384, p521 } from '@noble/curves/nist.js';
 import { bls12_381 } from '@noble/curves/bls12-381.js';
 import { bn254 } from '@noble/curves/bn254.js';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
+import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/utils.js';
 ```
  */
 throw new Error('root module cannot be imported: import submodules instead. Check out README');

package/src/misc.ts

@@ -6,18 +6,19 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { blake256 } from '@noble/hashes/blake1.js';
 import { blake2s } from '@noble/hashes/blake2.js';
-import { sha256, sha512 } from '@noble/hashes/sha2.js';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
+import { concatBytes } from '@noble/hashes/utils.js';
 import {
-  twistedEdwards,
-  type CurveFn,
+  eddsa,
+  edwards,
+  type EdDSA,
   type EdwardsOpts,
   type EdwardsPoint,
 } from './abstract/edwards.ts';
-import { Field, mod } from './abstract/modular.ts';
-import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
+import { ecdsa, weierstrass, type ECDSA, type WeierstrassOpts } from './abstract/weierstrass.ts';
 import { bls12_381_Fr } from './bls12-381.ts';
 import { bn254_Fr } from './bn254.ts';
+import { asciiToBytes } from './utils.ts';
 
 // Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
 // jubjub Fp = bls n. babyjubjub Fp = bn254 n.
@@ -32,11 +33,7 @@ const jubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
 };
 /** Curve over scalar field of bls12-381. jubjub Fp = bls n */
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...jubjub_CURVE,
-  Fp: bls12_381_Fr,
-  hash: sha512,
-});
+export const jubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(jubjub_CURVE), sha512);
 
 const babyjubjub_CURVE: EdwardsOpts = {
   p: bn254_Fr.ORDER,
@@ -48,13 +45,9 @@ const babyjubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
 };
 /** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
-export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...babyjubjub_CURVE,
-  Fp: bn254_Fr,
-  hash: blake256,
-});
+export const babyjubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(babyjubjub_CURVE), blake256);
 
-const jubjub_gh_first_block = utf8ToBytes(
+const jubjub_gh_first_block = asciiToBytes(
   '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
 );
 
@@ -87,38 +80,62 @@ export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array)
   return hashes[0];
 }
 
-// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
-
-export const pasta_p: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
-);
-export const pasta_q: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
-);
+const brainpoolP256r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'),
+  a: BigInt('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'),
+  b: BigInt('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6'),
+  n: BigInt('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
+  Gx: BigInt('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
+  Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
+  h: BigInt(1),
+};
+/** Brainpool P256r1 with sha256, from RFC 5639. */
+export const brainpoolP256r1: ECDSA = ecdsa(weierstrass(brainpoolP256r1_CURVE), sha256);
 
-/**
- * @deprecated
- */
-export const pallas: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_p),
-  n: pasta_q,
-  Gx: mod(BigInt(-1), pasta_p),
-  Gy: BigInt(2),
+const brainpoolP384r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'
+  ),
+  a: BigInt(
+    '0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'
+  ),
+  b: BigInt(
+    '0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11'
+  ),
+  n: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'
+  ),
+  Gx: BigInt(
+    '0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'
+  ),
+  Gy: BigInt(
+    '0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
-/**
- * @deprecated
- */
-export const vesta: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_q),
-  n: pasta_p,
-  Gx: mod(BigInt(-1), pasta_q),
-  Gy: BigInt(2),
+};
+/** Brainpool P384r1 with sha384, from RFC 5639. */
+export const brainpoolP384r1: ECDSA = ecdsa(weierstrass(brainpoolP384r1_CURVE), sha384);
+
+const brainpoolP512r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'
+  ),
+  a: BigInt(
+    '0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'
+  ),
+  b: BigInt(
+    '0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723'
+  ),
+  n: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'
+  ),
+  Gx: BigInt(
+    '0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'
+  ),
+  Gy: BigInt(
+    '0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
+};
+/** Brainpool P521r1 with sha512, from RFC 5639. */
+export const brainpoolP512r1: ECDSA = ecdsa(weierstrass(brainpoolP512r1_CURVE), sha512);