@noble/curves 1.9.7 → 2.0.0-beta.2

package/ed448.d.ts

@@ -1,35 +1,43 @@
 import type { AffinePoint } from './abstract/curve.ts';
-import { PrimeEdwardsPoint, type CurveFn, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
-import { type H2CHasher, type H2CHasherBase, type H2CMethod, type htfBasicOpts } from './abstract/hash-to-curve.ts';
+import { PrimeEdwardsPoint, type EdDSA, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
+import { type H2CHasher, type H2CHasherBase } from './abstract/hash-to-curve.ts';
 import { type IField } from './abstract/modular.ts';
-import { type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
-import { type Hex } from './utils.ts';
+import { type MontgomeryECDH } from './abstract/montgomery.ts';
+import { type OPRF } from './abstract/oprf.ts';
 /**
  * ed448 EdDSA curve and methods.
  * @example
- * import { ed448 } from '@noble/curves/ed448';
+ * ```js
+ * import { ed448 } from '@noble/curves/ed448.js';
  * const { secretKey, publicKey } = ed448.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = ed448.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = ed448.sign(msg, secretKey);
  * const isValid = ed448.verify(sig, msg, publicKey);
+ * ```
  */
-export declare const ed448: CurveFn;
-/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
-export declare const ed448ph: CurveFn;
+export declare const ed448: EdDSA;
+/** Prehashed version of ed448. See {@link ed448} */
+export declare const ed448ph: EdDSA;
 /**
- * E448 curve, defined by NIST.
- * E448 != edwards448 used in ed448.
+ * E448 (NIST) != edwards448 used in ed448.
  * E448 is birationally equivalent to edwards448.
  */
 export declare const E448: EdwardsPointCons;
 /**
  * ECDH using curve448 aka x448.
- * x448 has 56-byte keys as per RFC 7748, while
- * ed448 has 57-byte keys as per RFC 8032.
+ *
+ * @example
+ * ```js
+ * import { x448 } from '@noble/curves/ed448.js';
+ * const alice = x448.keygen();
+ * const bob = x448.keygen();
+ * const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
+ * ```
  */
-export declare const x448: XCurveFn;
+export declare const x448: MontgomeryECDH;
 /** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
-export declare const ed448_hasher: H2CHasher<bigint>;
+export declare const ed448_hasher: H2CHasher<EdwardsPointCons>;
 /**
  * Each ed448/EdwardsPoint has 4 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
@@ -46,17 +54,13 @@ declare class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     static fromAffine(ap: AffinePoint<bigint>): _DecafPoint;
     protected assertSame(other: _DecafPoint): void;
     protected init(ep: EdwardsPoint): _DecafPoint;
-    /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-    static hashToCurve(hex: Hex): _DecafPoint;
     static fromBytes(bytes: Uint8Array): _DecafPoint;
     /**
      * Converts decaf-encoded string to decaf point.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
      * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
      */
-    static fromHex(hex: Hex): _DecafPoint;
-    /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-    static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint;
+    static fromHex(hex: string): _DecafPoint;
     /**
      * Encodes decaf point to Uint8Array.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode-2).
@@ -73,7 +77,9 @@ export declare const decaf448: {
     Point: typeof _DecafPoint;
 };
 /** Hashing to decaf448 points / field. RFC 9380 methods. */
-export declare const decaf448_hasher: H2CHasherBase<bigint>;
+export declare const decaf448_hasher: H2CHasherBase<typeof _DecafPoint>;
+/** decaf448 OPRF, defined in RFC 9497. */
+export declare const decaf448_oprf: OPRF;
 /**
  * Weird / bogus points, useful for debugging.
  * Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
@@ -81,20 +87,5 @@ export declare const decaf448_hasher: H2CHasherBase<bigint>;
  * (0, 1), (0, -1), (-1, 0), (1, 0).
  */
 export declare const ED448_TORSION_SUBGROUP: string[];
-type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
-/** @deprecated use `decaf448.Point` */
-export declare const DecafPoint: typeof _DecafPoint;
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export declare const hashToCurve: H2CMethod<bigint>;
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export declare const encodeToCurve: H2CMethod<bigint>;
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export declare const hashToDecaf448: DcfHasher;
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export declare const hash_to_decaf448: DcfHasher;
-/** @deprecated use `ed448.utils.toMontgomery` */
-export declare function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array;
-/** @deprecated use `ed448.utils.toMontgomery` */
-export declare const edwardsToMontgomery: typeof edwardsToMontgomeryPub;
 export {};
 //# sourceMappingURL=ed448.d.ts.map

package/ed448.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["src/ed448.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,EAEL,iBAAiB,EAEjB,KAAK,OAAO,EAEZ,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAIL,KAAK,SAAS,EACd,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,KAAK,YAAY,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAiD,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAc,KAAK,cAAc,IAAI,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACvF,OAAO,EAA0D,KAAK,GAAG,EAAE,MAAM,YAAY,CAAC;AAyI9F;;;;;;;;GAQG;AACH,eAAO,MAAM,KAAK,EAAE,OAAmC,CAAC;AAGxD,0FAA0F;AAC1F,eAAO,MAAM,OAAO,EAAE,OAIf,CAAC;AAER;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,gBAAsC,CAAC;AAE1D;;;;GAIG;AACH,eAAO,MAAM,IAAI,EAAE,QAYf,CAAC;AA+EL,oEAAoE;AACpE,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,MAAM,CASpC,CAAC;AAgER;;;;;;GAMG;AACH,cAAM,WAAY,SAAQ,iBAAiB,CAAC,WAAW,CAAC;IAGtD,MAAM,CAAC,IAAI,EAAE,WAAW,CAC0D;IAElF,MAAM,CAAC,IAAI,EAAE,WAAW,CACsC;IAE9D,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;IAElC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;gBAEtB,EAAE,EAAE,YAAY;IAI5B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,WAAW;IAIvD,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI9C,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,WAAW;IAI7C,kFAAkF;IAClF,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIzC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW;IA+BhD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,WAAW;IAIrC,qFAAqF;IACrF,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,WAAW;IAIjE;;;OAGG;IACH,OAAO,IAAI,UAAU;IAerB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO;IAQnC,GAAG,IAAI,OAAO;CAGf;AAED,eAAO,MAAM,QAAQ,EAAE;IACrB,KAAK,EAAE,OAAO,WAAW,CAAC;CACF,CAAC;AAE3B,4DAA4D;AAC5D,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAajD,CAAC;AAUF;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,EAK1C,CAAC;AAEF,KAAK,SAAS,GAAG,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,KAAK,WAAW,CAAC;AAEzE,uCAAuC;AACvC,eAAO,MAAM,UAAU,EAAE,OAAO,WAAyB,CAAC;AAC1D,+EAA+E;AAC/E,eAAO,MAAM,WAAW,EAAE,SAAS,CAAC,MAAM,CAAsD,CAAC;AACjG,+EAA+E;AAC/E,eAAO,MAAM,aAAa,EAAE,SAAS,CAAC,MAAM,CACb,CAAC;AAChC,kFAAkF;AAClF,eAAO,MAAM,cAAc,EAAE,SACgB,CAAC;AAC9C,kFAAkF;AAClF,eAAO,MAAM,gBAAgB,EAAE,SACc,CAAC;AAC9C,iDAAiD;AACjD,wBAAgB,sBAAsB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,UAAU,CAElF;AACD,iDAAiD;AACjD,eAAO,MAAM,mBAAmB,EAAE,OAAO,sBAA+C,CAAC"}
+{"version":3,"file":"ed448.d.ts","sourceRoot":"","sources":["src/ed448.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAGL,iBAAiB,EACjB,KAAK,KAAK,EAGV,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAiD,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AACnG,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAoI3D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,KAAK,EAAE,KAA+B,CAAC;AAGpD,oDAAoD;AACpD,eAAO,MAAM,OAAO,EAAE,KAAqD,CAAC;AAC5E;;;GAGG;AACH,eAAO,MAAM,IAAI,EAAE,gBAAsD,CAAC;AAE1E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,IAAI,EAAE,cAYf,CAAC;AA+EL,oEAAoE;AACpE,eAAO,MAAM,YAAY,EAAE,SAAS,CAAC,gBAAgB,CAS9C,CAAC;AAkDR;;;;;;GAMG;AACH,cAAM,WAAY,SAAQ,iBAAiB,CAAC,WAAW,CAAC;IAGtD,MAAM,CAAC,IAAI,EAAE,WAAW,CAC0D;IAElF,MAAM,CAAC,IAAI,EAAE,WAAW,CACsC;IAE9D,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;IAElC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACS;gBAEtB,EAAE,EAAE,YAAY;IAI5B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,WAAW;IAIvD,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,WAAW,GAAG,IAAI;IAI9C,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,WAAW;IAI7C,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,WAAW;IA6BhD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW;IAIxC;;;OAGG;IACH,OAAO,IAAI,UAAU;IAerB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO;IAQnC,GAAG,IAAI,OAAO;CAGf;AAED,eAAO,MAAM,QAAQ,EAAE;IACrB,KAAK,EAAE,OAAO,WAAW,CAAC;CACF,CAAC;AAE3B,4DAA4D;AAC5D,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,OAAO,WAAW,CAmC7D,CAAC;AAEF,0CAA0C;AAC1C,eAAO,MAAM,aAAa,EAAE,IAOrB,CAAC;AAER;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,MAAM,EAK1C,CAAC"}

package/ed448.js

@@ -1,7 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.edwardsToMontgomery = exports.hash_to_decaf448 = exports.hashToDecaf448 = exports.encodeToCurve = exports.hashToCurve = exports.DecafPoint = exports.ED448_TORSION_SUBGROUP = exports.decaf448_hasher = exports.decaf448 = exports.ed448_hasher = exports.x448 = exports.E448 = exports.ed448ph = exports.ed448 = void 0;
-exports.edwardsToMontgomeryPub = edwardsToMontgomeryPub;
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * - X448 ECDH
@@ -11,61 +7,62 @@ exports.edwardsToMontgomeryPub = edwardsToMontgomeryPub;
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const sha3_js_1 = require("@noble/hashes/sha3.js");
-const utils_js_1 = require("@noble/hashes/utils.js");
-const curve_ts_1 = require("./abstract/curve.js");
-const edwards_ts_1 = require("./abstract/edwards.js");
-const hash_to_curve_ts_1 = require("./abstract/hash-to-curve.js");
-const modular_ts_1 = require("./abstract/modular.js");
-const montgomery_ts_1 = require("./abstract/montgomery.js");
-const utils_ts_1 = require("./utils.js");
+import { shake256 } from '@noble/hashes/sha3.js';
+import { concatBytes, hexToBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
+import { eddsa, edwards, PrimeEdwardsPoint, } from "./abstract/edwards.js";
+import { _DST_scalar, createHasher, expand_message_xof, } from "./abstract/hash-to-curve.js";
+import { Field, FpInvertBatch, isNegativeLE, mod, pow2 } from "./abstract/modular.js";
+import { montgomery } from "./abstract/montgomery.js";
+import { createORPF } from "./abstract/oprf.js";
+import { abytes, asciiToBytes, bytesToNumberLE, equalBytes } from "./utils.js";
 // edwards448 curve
 // a = 1n
 // d = Fp.neg(39081n)
 // Finite field 2n**448n - 2n**224n - 1n
 // Subgroup order
 // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-const ed448_CURVE = {
-    p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
+const ed448_CURVE_p = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const ed448_CURVE = /* @__PURE__ */ (() => ({
+    p: ed448_CURVE_p,
     n: BigInt('0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'),
     h: BigInt(4),
     a: BigInt(1),
     d: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'),
     Gx: BigInt('0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'),
     Gy: BigInt('0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'),
-};
+}))();
 // E448 NIST curve is identical to edwards448, except for:
 // d = 39082/39081
 // Gx = 3/2
-const E448_CURVE = Object.assign({}, ed448_CURVE, {
+const E448_CURVE = /* @__PURE__ */ (() => Object.assign({}, ed448_CURVE, {
     d: BigInt('0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'),
     Gx: BigInt('0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'),
     Gy: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'),
-});
-const shake256_114 = /* @__PURE__ */ (0, utils_js_1.createHasher)(() => sha3_js_1.shake256.create({ dkLen: 114 }));
-const shake256_64 = /* @__PURE__ */ (0, utils_js_1.createHasher)(() => sha3_js_1.shake256.create({ dkLen: 64 }));
+}))();
+const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
 // prettier-ignore
-const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
+const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _11n = BigInt(11);
 // prettier-ignore
 const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
 // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
 // Used for efficient square root calculation.
 // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
 function ed448_pow_Pminus3div4(x) {
-    const P = ed448_CURVE.p;
+    const P = ed448_CURVE_p;
     const b2 = (x * x * x) % P;
     const b3 = (b2 * b2 * x) % P;
-    const b6 = ((0, modular_ts_1.pow2)(b3, _3n, P) * b3) % P;
-    const b9 = ((0, modular_ts_1.pow2)(b6, _3n, P) * b3) % P;
-    const b11 = ((0, modular_ts_1.pow2)(b9, _2n, P) * b2) % P;
-    const b22 = ((0, modular_ts_1.pow2)(b11, _11n, P) * b11) % P;
-    const b44 = ((0, modular_ts_1.pow2)(b22, _22n, P) * b22) % P;
-    const b88 = ((0, modular_ts_1.pow2)(b44, _44n, P) * b44) % P;
-    const b176 = ((0, modular_ts_1.pow2)(b88, _88n, P) * b88) % P;
-    const b220 = ((0, modular_ts_1.pow2)(b176, _44n, P) * b44) % P;
-    const b222 = ((0, modular_ts_1.pow2)(b220, _2n, P) * b2) % P;
-    const b223 = ((0, modular_ts_1.pow2)(b222, _1n, P) * x) % P;
-    return ((0, modular_ts_1.pow2)(b223, _223n, P) * b222) % P;
+    const b6 = (pow2(b3, _3n, P) * b3) % P;
+    const b9 = (pow2(b6, _3n, P) * b3) % P;
+    const b11 = (pow2(b9, _2n, P) * b2) % P;
+    const b22 = (pow2(b11, _11n, P) * b11) % P;
+    const b44 = (pow2(b22, _22n, P) * b22) % P;
+    const b88 = (pow2(b44, _44n, P) * b44) % P;
+    const b176 = (pow2(b88, _88n, P) * b88) % P;
+    const b220 = (pow2(b176, _44n, P) * b44) % P;
+    const b222 = (pow2(b220, _2n, P) * b2) % P;
+    const b223 = (pow2(b222, _1n, P) * x) % P;
+    return (pow2(b223, _223n, P) * b222) % P;
 }
 function adjustScalarBytes(bytes) {
     // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
@@ -79,93 +76,90 @@ function adjustScalarBytes(bytes) {
 // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
 // Uses algo from RFC8032 5.1.3.
 function uvRatio(u, v) {
-    const P = ed448_CURVE.p;
+    const P = ed448_CURVE_p;
     // https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
     // To compute the square root of (u/v), the first step is to compute the
     //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
     // following trick, to use a single modular powering for both the
     // inversion of v and the square root:
     // x = (u/v)^((p+1)/4)   = u³v(u⁵v³)^((p-3)/4)   (mod p)
-    const u2v = (0, modular_ts_1.mod)(u * u * v, P); // u²v
-    const u3v = (0, modular_ts_1.mod)(u2v * u, P); // u³v
-    const u5v3 = (0, modular_ts_1.mod)(u3v * u2v * v, P); // u⁵v³
+    const u2v = mod(u * u * v, P); // u²v
+    const u3v = mod(u2v * u, P); // u³v
+    const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
     const root = ed448_pow_Pminus3div4(u5v3);
-    const x = (0, modular_ts_1.mod)(u3v * root, P);
+    const x = mod(u3v * root, P);
     // Verify that root is exists
-    const x2 = (0, modular_ts_1.mod)(x * x, P); // x²
+    const x2 = mod(x * x, P); // x²
     // If vx² = u, the recovered x-coordinate is x.  Otherwise, no
     // square root exists, and the decoding fails.
-    return { isValid: (0, modular_ts_1.mod)(x2 * v, P) === u, value: x };
+    return { isValid: mod(x2 * v, P) === u, value: x };
 }
 // Finite field 2n**448n - 2n**224n - 1n
 // The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
 // - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
 // - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
-const Fp = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.p, { BITS: 456, isLE: true }))();
-const Fn = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.n, { BITS: 456, isLE: true }))();
+const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 456, isLE: true }))();
+const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
 // decaf448 uses 448-bit (56-byte) keys
-const Fp448 = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.p, { BITS: 448, isLE: true }))();
-const Fn448 = /* @__PURE__ */ (() => (0, modular_ts_1.Field)(ed448_CURVE.n, { BITS: 448, isLE: true }))();
+const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 448, isLE: true }))();
+const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
 // SHAKE256(dom4(phflag,context)||x, 114)
 function dom4(data, ctx, phflag) {
     if (ctx.length > 255)
         throw new Error('context must be smaller than 255, got: ' + ctx.length);
-    return (0, utils_js_1.concatBytes)((0, utils_ts_1.asciiToBytes)('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+    return concatBytes(asciiToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+const ed448_Point = /* @__PURE__ */ edwards(ed448_CURVE, { Fp, Fn, uvRatio });
+function ed4(opts) {
+    return eddsa(ed448_Point, shake256_114, Object.assign({ adjustScalarBytes, domain: dom4 }, opts));
 }
-// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
-// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
-const ED448_DEF = /* @__PURE__ */ (() => ({
-    ...ed448_CURVE,
-    Fp,
-    Fn,
-    nBitLength: Fn.BITS,
-    hash: shake256_114,
-    adjustScalarBytes,
-    domain: dom4,
-    uvRatio,
-}))();
 /**
  * ed448 EdDSA curve and methods.
  * @example
- * import { ed448 } from '@noble/curves/ed448';
+ * ```js
+ * import { ed448 } from '@noble/curves/ed448.js';
  * const { secretKey, publicKey } = ed448.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = ed448.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = ed448.sign(msg, secretKey);
  * const isValid = ed448.verify(sig, msg, publicKey);
+ * ```
  */
-exports.ed448 = (0, edwards_ts_1.twistedEdwards)(ED448_DEF);
+export const ed448 = /* @__PURE__ */ ed4({});
 // There is no ed448ctx, since ed448 supports ctx by default
-/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
-exports.ed448ph = (() => (0, edwards_ts_1.twistedEdwards)({
-    ...ED448_DEF,
-    prehash: shake256_64,
-}))();
+/** Prehashed version of ed448. See {@link ed448} */
+export const ed448ph = /* @__PURE__ */ ed4({ prehash: shake256_64 });
 /**
- * E448 curve, defined by NIST.
- * E448 != edwards448 used in ed448.
+ * E448 (NIST) != edwards448 used in ed448.
  * E448 is birationally equivalent to edwards448.
  */
-exports.E448 = (0, edwards_ts_1.edwards)(E448_CURVE);
+export const E448 = /* @__PURE__ */ edwards(E448_CURVE);
 /**
  * ECDH using curve448 aka x448.
- * x448 has 56-byte keys as per RFC 7748, while
- * ed448 has 57-byte keys as per RFC 8032.
+ *
+ * @example
+ * ```js
+ * import { x448 } from '@noble/curves/ed448.js';
+ * const alice = x448.keygen();
+ * const bob = x448.keygen();
+ * const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
+ * ```
  */
-exports.x448 = (() => {
-    const P = ed448_CURVE.p;
-    return (0, montgomery_ts_1.montgomery)({
+export const x448 = /* @__PURE__ */ (() => {
+    const P = ed448_CURVE_p;
+    return montgomery({
         P,
         type: 'x448',
         powPminus2: (x) => {
             const Pminus3div4 = ed448_pow_Pminus3div4(x);
-            const Pminus3 = (0, modular_ts_1.pow2)(Pminus3div4, _2n, P);
-            return (0, modular_ts_1.mod)(Pminus3 * x, P); // Pminus3 * x = Pminus2
+            const Pminus3 = pow2(Pminus3div4, _2n, P);
+            return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
         },
         adjustScalarBytes,
     });
 })();
 // Hash To Curve Elligator2 Map
-const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_C1 = /* @__PURE__ */ (() => (ed448_CURVE_p - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = /* @__PURE__ */ BigInt(156326);
 function map_to_curve_elligator2_curve448(u) {
     let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
@@ -234,18 +228,18 @@ function map_to_curve_elligator2_edwards448(u) {
     xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
     yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
     yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
-    const inv = (0, modular_ts_1.FpInvertBatch)(Fp, [xEd, yEd], true); // batch division
+    const inv = FpInvertBatch(Fp, [xEd, yEd], true); // batch division
     return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
 }
 /** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
-exports.ed448_hasher = (() => (0, hash_to_curve_ts_1.createHasher)(exports.ed448.Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+export const ed448_hasher = /* @__PURE__ */ (() => createHasher(ed448_Point, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
     DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
     encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
-    p: Fp.ORDER,
+    p: ed448_CURVE_p,
     m: 1,
     k: 224,
     expand: 'xof',
-    hash: sha3_js_1.shake256,
+    hash: shake256,
 }))();
 // 1-d
 const ONE_MINUS_D = /* @__PURE__ */ BigInt('39082');
@@ -263,9 +257,8 @@ const invertSqrt = (number) => uvRatio(_1n, number);
  * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
  */
 function calcElligatorDecafMap(r0) {
-    const { d } = ed448_CURVE;
-    const P = Fp.ORDER;
-    const mod = (n) => Fp.create(n);
+    const { d, p: P } = ed448_CURVE;
+    const mod = (n) => Fp448.create(n);
     const r = mod(-(r0 * r0)); // 1
     const u0 = mod(d * (r - _1n)); // 2
     const u1 = mod((u0 + _1n) * (u0 - r)); // 3
@@ -278,26 +271,14 @@ function calcElligatorDecafMap(r0) {
         sgn = mod(-_1n);
     const s = mod(v_prime * (r + _1n)); // 7
     let s_abs = s;
-    if ((0, modular_ts_1.isNegativeLE)(s, P))
+    if (isNegativeLE(s, P))
         s_abs = mod(-s);
     const s2 = s * s;
     const W0 = mod(s_abs * _2n); // 8
     const W1 = mod(s2 + _1n); // 9
     const W2 = mod(s2 - _1n); // 10
     const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
-    return new exports.ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
-}
-function decaf448_map(bytes) {
-    (0, utils_js_1.abytes)(bytes, 112);
-    const skipValidation = true;
-    // Note: Similar to the field element decoding described in
-    // [RFC7748], and unlike the field element decoding described in
-    // Section 5.3.1, non-canonical values are accepted.
-    const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
-    const R1 = calcElligatorDecafMap(r1);
-    const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
-    const R2 = calcElligatorDecafMap(r2);
-    return new _DecafPoint(R1.add(R2));
+    return new ed448_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 /**
  * Each ed448/EdwardsPoint has 4 different equivalent points. This can be
@@ -306,12 +287,25 @@ function decaf448_map(bytes) {
  * but it should work in its own namespace: do not combine those two.
  * See [RFC9496](https://www.rfc-editor.org/rfc/rfc9496).
  */
-class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
+class _DecafPoint extends PrimeEdwardsPoint {
+    // The following gymnastics is done because typescript strips comments otherwise
+    // prettier-ignore
+    static BASE = 
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.BASE).multiplyUnsafe(_2n))();
+    // prettier-ignore
+    static ZERO = 
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.ZERO))();
+    // prettier-ignore
+    static Fp = 
+    /* @__PURE__ */ (() => Fp448)();
+    // prettier-ignore
+    static Fn = 
+    /* @__PURE__ */ (() => Fn448)();
     constructor(ep) {
         super(ep);
     }
     static fromAffine(ap) {
-        return new _DecafPoint(exports.ed448.Point.fromAffine(ap));
+        return new _DecafPoint(ed448_Point.fromAffine(ap));
     }
     assertSame(other) {
         if (!(other instanceof _DecafPoint))
@@ -320,19 +314,14 @@ class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
     init(ep) {
         return new _DecafPoint(ep);
     }
-    /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-    static hashToCurve(hex) {
-        return decaf448_map((0, utils_ts_1.ensureBytes)('decafHash', hex, 112));
-    }
     static fromBytes(bytes) {
-        (0, utils_js_1.abytes)(bytes, 56);
-        const { d } = ed448_CURVE;
-        const P = Fp.ORDER;
+        abytes(bytes, 56);
+        const { d, p: P } = ed448_CURVE;
         const mod = (n) => Fp448.create(n);
         const s = Fp448.fromBytes(bytes);
         // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
         // 2. Check that s is non-negative, or else abort
-        if (!(0, utils_ts_1.equalBytes)(Fn448.toBytes(s), bytes) || (0, modular_ts_1.isNegativeLE)(s, P))
+        if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
             throw new Error('invalid decaf448 encoding 1');
         const s2 = mod(s * s); // 1
         const u1 = mod(_1n + s2); // 2
@@ -340,14 +329,14 @@ class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
         const u2 = mod(u1sq - _4n * d * s2); // 3
         const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
         let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
-        if ((0, modular_ts_1.isNegativeLE)(u3, P))
+        if (isNegativeLE(u3, P))
             u3 = mod(-u3);
         const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
         const y = mod((_1n - s2) * invsqrt * u1); // 7
         const t = mod(x * y); // 8
         if (!isValid)
             throw new Error('invalid decaf448 encoding 2');
-        return new _DecafPoint(new exports.ed448.Point(x, y, _1n, t));
+        return new _DecafPoint(new ed448_Point(x, y, _1n, t));
     }
     /**
      * Converts decaf-encoded string to decaf point.
@@ -355,11 +344,7 @@ class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
      * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
      */
     static fromHex(hex) {
-        return _DecafPoint.fromBytes((0, utils_ts_1.ensureBytes)('decafHex', hex, 56));
-    }
-    /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-    static msm(points, scalars) {
-        return (0, curve_ts_1.pippenger)(_DecafPoint, Fn, points, scalars);
+        return _DecafPoint.fromBytes(hexToBytes(hex));
     }
     /**
      * Encodes decaf point to Uint8Array.
@@ -367,17 +352,17 @@ class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
      */
     toBytes() {
         const { X, Z, T } = this.ep;
-        const P = Fp.ORDER;
-        const mod = (n) => Fp.create(n);
+        const P = ed448_CURVE.p;
+        const mod = (n) => Fp448.create(n);
         const u1 = mod(mod(X + T) * mod(X - T)); // 1
         const x2 = mod(X * X);
         const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
         let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
-        if ((0, modular_ts_1.isNegativeLE)(ratio, P))
+        if (isNegativeLE(ratio, P))
             ratio = mod(-ratio);
         const u2 = mod(INVSQRT_MINUS_D * ratio * Z - T); // 4
         let s = mod(ONE_MINUS_D * invsqrt * X * u2); // 5
-        if ((0, modular_ts_1.isNegativeLE)(s, P))
+        if (isNegativeLE(s, P))
             s = mod(-s);
         return Fn448.toBytes(s);
     }
@@ -390,74 +375,68 @@ class _DecafPoint extends edwards_ts_1.PrimeEdwardsPoint {
         const { X: X1, Y: Y1 } = this.ep;
         const { X: X2, Y: Y2 } = other.ep;
         // (x1 * y2 == y1 * x2)
-        return Fp.create(X1 * Y2) === Fp.create(Y1 * X2);
+        return Fp448.create(X1 * Y2) === Fp448.create(Y1 * X2);
     }
     is0() {
         return this.equals(_DecafPoint.ZERO);
     }
 }
-// The following gymnastics is done because typescript strips comments otherwise
-// prettier-ignore
-_DecafPoint.BASE = 
-/* @__PURE__ */ (() => new _DecafPoint(exports.ed448.Point.BASE).multiplyUnsafe(_2n))();
-// prettier-ignore
-_DecafPoint.ZERO = 
-/* @__PURE__ */ (() => new _DecafPoint(exports.ed448.Point.ZERO))();
-// prettier-ignore
-_DecafPoint.Fp = 
-/* @__PURE__ */ (() => Fp448)();
-// prettier-ignore
-_DecafPoint.Fn = 
-/* @__PURE__ */ (() => Fn448)();
-exports.decaf448 = { Point: _DecafPoint };
+export const decaf448 = { Point: _DecafPoint };
 /** Hashing to decaf448 points / field. RFC 9380 methods. */
-exports.decaf448_hasher = {
+export const decaf448_hasher = {
+    Point: _DecafPoint,
     hashToCurve(msg, options) {
         const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
-        return decaf448_map((0, hash_to_curve_ts_1.expand_message_xof)(msg, DST, 112, 224, sha3_js_1.shake256));
+        return decaf448_hasher.deriveToCurve(expand_message_xof(msg, DST, 112, 224, shake256));
     },
-    // Warning: has big modulo bias of 2^-64.
-    // RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
-    // it must use 84-byte xof (56+56/2), not 64.
-    hashToScalar(msg, options = { DST: hash_to_curve_ts_1._DST_scalar }) {
+    /**
+     * Warning: has big modulo bias of 2^-64.
+     * RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
+     * it must use 84-byte xof (56+56/2), not 64.
+     */
+    hashToScalar(msg, options = { DST: _DST_scalar }) {
         // Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
-        const xof = (0, hash_to_curve_ts_1.expand_message_xof)(msg, options.DST, 64, 256, sha3_js_1.shake256);
-        return Fn448.create((0, utils_ts_1.bytesToNumberLE)(xof));
+        const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
+        return Fn448.create(bytesToNumberLE(xof));
+    },
+    /**
+     * HashToCurve-like construction based on RFC 9496 (Element Derivation).
+     * Converts 112 uniform random bytes into a curve point.
+     *
+     * WARNING: This represents an older hash-to-curve construction, preceding the finalization of RFC 9380.
+     * It was later reused as a component in the newer `hash_to_ristretto255` function defined in RFC 9380.
+     */
+    deriveToCurve(bytes) {
+        abytes(bytes, 112);
+        const skipValidation = true;
+        // Note: Similar to the field element decoding described in
+        // [RFC7748], and unlike the field element decoding described in
+        // Section 5.3.1, non-canonical values are accepted.
+        const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
+        const R1 = calcElligatorDecafMap(r1);
+        const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
+        const R2 = calcElligatorDecafMap(r2);
+        return new _DecafPoint(R1.add(R2));
     },
 };
-// export const decaf448_oprf: OPRF = createORPF({
-//   name: 'decaf448-SHAKE256',
-//   Point: DecafPoint,
-//   hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
-//   hashToGroup: decaf448_hasher.hashToCurve,
-//   hashToScalar: decaf448_hasher.hashToScalar,
-// });
+/** decaf448 OPRF, defined in RFC 9497. */
+export const decaf448_oprf = /* @__PURE__ */ (() => createORPF({
+    name: 'decaf448-SHAKE256',
+    Point: _DecafPoint,
+    hash: (msg) => shake256(msg, { dkLen: 64 }),
+    hashToGroup: decaf448_hasher.hashToCurve,
+    hashToScalar: decaf448_hasher.hashToScalar,
+}))();
 /**
  * Weird / bogus points, useful for debugging.
  * Unlike ed25519, there is no ed448 generator point which can produce full T subgroup.
  * Instead, there is a Klein four-group, which spans over 2 independent 2-torsion points:
  * (0, 1), (0, -1), (-1, 0), (1, 0).
  */
-exports.ED448_TORSION_SUBGROUP = [
+export const ED448_TORSION_SUBGROUP = [
     '010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
     'fefffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffff00',
     '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
     '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
 ];
-/** @deprecated use `decaf448.Point` */
-exports.DecafPoint = _DecafPoint;
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-exports.hashToCurve = (() => exports.ed448_hasher.hashToCurve)();
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-exports.encodeToCurve = (() => exports.ed448_hasher.encodeToCurve)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-exports.hashToDecaf448 = (() => exports.decaf448_hasher.hashToCurve)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-exports.hash_to_decaf448 = (() => exports.decaf448_hasher.hashToCurve)();
-/** @deprecated use `ed448.utils.toMontgomery` */
-function edwardsToMontgomeryPub(edwardsPub) {
-    return exports.ed448.utils.toMontgomery((0, utils_ts_1.ensureBytes)('pub', edwardsPub));
-}
-/** @deprecated use `ed448.utils.toMontgomery` */
-exports.edwardsToMontgomery = edwardsToMontgomeryPub;
 //# sourceMappingURL=ed448.js.map