@noble/curves 1.9.7 → 2.0.0-beta.2

package/src/ed448.ts

@@ -8,14 +8,14 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3.js';
-import { abytes, concatBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
+import { concatBytes, hexToBytes, createHasher as wrapConstructor } from '@noble/hashes/utils.js';
 import type { AffinePoint } from './abstract/curve.ts';
-import { pippenger } from './abstract/curve.ts';
 import {
+  eddsa,
   edwards,
   PrimeEdwardsPoint,
-  twistedEdwards,
-  type CurveFn,
+  type EdDSA,
+  type EdDSAOpts,
   type EdwardsOpts,
   type EdwardsPoint,
   type EdwardsPointCons,
@@ -24,14 +24,14 @@ import {
   _DST_scalar,
   createHasher,
   expand_message_xof,
+  type H2CDSTOpts,
   type H2CHasher,
   type H2CHasherBase,
-  type H2CMethod,
-  type htfBasicOpts,
 } from './abstract/hash-to-curve.ts';
 import { Field, FpInvertBatch, isNegativeLE, mod, pow2, type IField } from './abstract/modular.ts';
-import { montgomery, type MontgomeryECDH as XCurveFn } from './abstract/montgomery.ts';
-import { asciiToBytes, bytesToNumberLE, ensureBytes, equalBytes, type Hex } from './utils.ts';
+import { montgomery, type MontgomeryECDH } from './abstract/montgomery.ts';
+import { createORPF, type OPRF } from './abstract/oprf.ts';
+import { abytes, asciiToBytes, bytesToNumberLE, equalBytes } from './utils.ts';
 
 // edwards448 curve
 // a = 1n
@@ -39,10 +39,11 @@ import { asciiToBytes, bytesToNumberLE, ensureBytes, equalBytes, type Hex } from
 // Finite field 2n**448n - 2n**224n - 1n
 // Subgroup order
 // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-const ed448_CURVE: EdwardsOpts = {
-  p: BigInt(
-    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-  ),
+const ed448_CURVE_p = BigInt(
+  '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+);
+const ed448_CURVE: EdwardsOpts = /* @__PURE__ */ (() => ({
+  p: ed448_CURVE_p,
   n: BigInt(
     '0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'
   ),
@@ -57,28 +58,29 @@ const ed448_CURVE: EdwardsOpts = {
   Gy: BigInt(
     '0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'
   ),
-};
+}))();
 
 // E448 NIST curve is identical to edwards448, except for:
 // d = 39082/39081
 // Gx = 3/2
-const E448_CURVE: EdwardsOpts = Object.assign({}, ed448_CURVE, {
-  d: BigInt(
-    '0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'
-  ),
-  Gx: BigInt(
-    '0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'
-  ),
-  Gy: BigInt(
-    '0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
-  ),
-});
+const E448_CURVE: EdwardsOpts = /* @__PURE__ */ (() =>
+  Object.assign({}, ed448_CURVE, {
+    d: BigInt(
+      '0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'
+    ),
+    Gx: BigInt(
+      '0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'
+    ),
+    Gy: BigInt(
+      '0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'
+    ),
+  }))();
 
 const shake256_114 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 114 }));
 const shake256_64 = /* @__PURE__ */ wrapConstructor(() => shake256.create({ dkLen: 64 }));
 
 // prettier-ignore
-const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
+const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _11n = BigInt(11);
 // prettier-ignore
 const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
 
@@ -86,7 +88,7 @@ const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(22
 // Used for efficient square root calculation.
 // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
 function ed448_pow_Pminus3div4(x: bigint): bigint {
-  const P = ed448_CURVE.p;
+  const P = ed448_CURVE_p;
   const b2 = (x * x * x) % P;
   const b3 = (b2 * b2 * x) % P;
   const b6 = (pow2(b3, _3n, P) * b3) % P;
@@ -115,7 +117,7 @@ function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
 // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
 // Uses algo from RFC8032 5.1.3.
 function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
-  const P = ed448_CURVE.p;
+  const P = ed448_CURVE_p;
   // https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
   // To compute the square root of (u/v), the first step is to compute the
   //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
@@ -138,10 +140,10 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
 // The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
 // - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
 // - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
-const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
+const Fp = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 456, isLE: true }))();
 const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
 // decaf448 uses 448-bit (56-byte) keys
-const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 448, isLE: true }))();
+const Fp448 = /* @__PURE__ */ (() => Field(ed448_CURVE_p, { BITS: 448, isLE: true }))();
 const Fn448 = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 448, isLE: true }))();
 
 // SHAKE256(dom4(phflag,context)||x, 114)
@@ -154,53 +156,48 @@ function dom4(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
     data
   );
 }
-// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
-// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
-
-const ED448_DEF = /* @__PURE__ */ (() => ({
-  ...ed448_CURVE,
-  Fp,
-  Fn,
-  nBitLength: Fn.BITS,
-  hash: shake256_114,
-  adjustScalarBytes,
-  domain: dom4,
-  uvRatio,
-}))();
+const ed448_Point = /* @__PURE__ */ edwards(ed448_CURVE, { Fp, Fn, uvRatio });
+
+function ed4(opts: EdDSAOpts) {
+  return eddsa(ed448_Point, shake256_114, Object.assign({ adjustScalarBytes, domain: dom4 }, opts));
+}
 
 /**
  * ed448 EdDSA curve and methods.
  * @example
- * import { ed448 } from '@noble/curves/ed448';
+ * ```js
+ * import { ed448 } from '@noble/curves/ed448.js';
  * const { secretKey, publicKey } = ed448.keygen();
- * const msg = new TextEncoder().encode('hello');
+ * // const publicKey = ed448.getPublicKey(secretKey);
+ * const msg = new TextEncoder().encode('hello noble');
  * const sig = ed448.sign(msg, secretKey);
  * const isValid = ed448.verify(sig, msg, publicKey);
+ * ```
  */
-export const ed448: CurveFn = twistedEdwards(ED448_DEF);
+export const ed448: EdDSA = /* @__PURE__ */ ed4({});
 
 // There is no ed448ctx, since ed448 supports ctx by default
-/** Prehashed version of ed448. Accepts already-hashed messages in sign() and verify(). */
-export const ed448ph: CurveFn = /* @__PURE__ */ (() =>
-  twistedEdwards({
-    ...ED448_DEF,
-    prehash: shake256_64,
-  }))();
-
+/** Prehashed version of ed448. See {@link ed448} */
+export const ed448ph: EdDSA = /* @__PURE__ */ ed4({ prehash: shake256_64 });
 /**
- * E448 curve, defined by NIST.
- * E448 != edwards448 used in ed448.
+ * E448 (NIST) != edwards448 used in ed448.
  * E448 is birationally equivalent to edwards448.
  */
-export const E448: EdwardsPointCons = edwards(E448_CURVE);
+export const E448: EdwardsPointCons = /* @__PURE__ */ edwards(E448_CURVE);
 
 /**
  * ECDH using curve448 aka x448.
- * x448 has 56-byte keys as per RFC 7748, while
- * ed448 has 57-byte keys as per RFC 8032.
+ *
+ * @example
+ * ```js
+ * import { x448 } from '@noble/curves/ed448.js';
+ * const alice = x448.keygen();
+ * const bob = x448.keygen();
+ * const shared = x448.getSharedSecret(alice.secretKey, bob.publicKey);
+ * ```
  */
-export const x448: XCurveFn = /* @__PURE__ */ (() => {
-  const P = ed448_CURVE.p;
+export const x448: MontgomeryECDH = /* @__PURE__ */ (() => {
+  const P = ed448_CURVE_p;
   return montgomery({
     P,
     type: 'x448',
@@ -214,7 +211,7 @@ export const x448: XCurveFn = /* @__PURE__ */ (() => {
 })();
 
 // Hash To Curve Elligator2 Map
-const ELL2_C1 = /* @__PURE__ */ (() => (Fp.ORDER - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_C1 = /* @__PURE__ */ (() => (ed448_CURVE_p - BigInt(3)) / BigInt(4))(); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = /* @__PURE__ */ BigInt(156326);
 
 function map_to_curve_elligator2_curve448(u: bigint) {
@@ -291,11 +288,11 @@ function map_to_curve_elligator2_edwards448(u: bigint) {
 }
 
 /** Hashing / encoding to ed448 points / field. RFC 9380 methods. */
-export const ed448_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(ed448.Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
+export const ed448_hasher: H2CHasher<EdwardsPointCons> = /* @__PURE__ */ (() =>
+  createHasher(ed448_Point, (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]), {
     DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
     encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
-    p: Fp.ORDER,
+    p: ed448_CURVE_p,
     m: 1,
     k: 224,
     expand: 'xof',
@@ -323,9 +320,8 @@ const invertSqrt = (number: bigint) => uvRatio(_1n, number);
  * and [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-element-derivation-2).
  */
 function calcElligatorDecafMap(r0: bigint): EdwardsPoint {
-  const { d } = ed448_CURVE;
-  const P = Fp.ORDER;
-  const mod = (n: bigint) => Fp.create(n);
+  const { d, p: P } = ed448_CURVE;
+  const mod = (n: bigint) => Fp448.create(n);
 
   const r = mod(-(r0 * r0)); // 1
   const u0 = mod(d * (r - _1n)); // 2
@@ -348,20 +344,7 @@ function calcElligatorDecafMap(r0: bigint): EdwardsPoint {
   const W1 = mod(s2 + _1n); // 9
   const W2 = mod(s2 - _1n); // 10
   const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
-  return new ed448.Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
-}
-
-function decaf448_map(bytes: Uint8Array): _DecafPoint {
-  abytes(bytes, 112);
-  const skipValidation = true;
-  // Note: Similar to the field element decoding described in
-  // [RFC7748], and unlike the field element decoding described in
-  // Section 5.3.1, non-canonical values are accepted.
-  const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
-  const R1 = calcElligatorDecafMap(r1);
-  const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
-  const R2 = calcElligatorDecafMap(r2);
-  return new _DecafPoint(R1.add(R2));
+  return new ed448_Point(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
 }
 
 /**
@@ -375,10 +358,10 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
   // The following gymnastics is done because typescript strips comments otherwise
   // prettier-ignore
   static BASE: _DecafPoint =
-    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.BASE).multiplyUnsafe(_2n))();
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.BASE).multiplyUnsafe(_2n))();
   // prettier-ignore
   static ZERO: _DecafPoint =
-    /* @__PURE__ */ (() => new _DecafPoint(ed448.Point.ZERO))();
+    /* @__PURE__ */ (() => new _DecafPoint(ed448_Point.ZERO))();
   // prettier-ignore
   static Fp: IField<bigint> =
     /* @__PURE__ */ (() => Fp448)();
@@ -391,7 +374,7 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
   }
 
   static fromAffine(ap: AffinePoint<bigint>): _DecafPoint {
-    return new _DecafPoint(ed448.Point.fromAffine(ap));
+    return new _DecafPoint(ed448_Point.fromAffine(ap));
   }
 
   protected assertSame(other: _DecafPoint): void {
@@ -402,21 +385,14 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     return new _DecafPoint(ep);
   }
 
-  /** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-  static hashToCurve(hex: Hex): _DecafPoint {
-    return decaf448_map(ensureBytes('decafHash', hex, 112));
-  }
-
   static fromBytes(bytes: Uint8Array): _DecafPoint {
     abytes(bytes, 56);
-    const { d } = ed448_CURVE;
-    const P = Fp.ORDER;
+    const { d, p: P } = ed448_CURVE;
     const mod = (n: bigint) => Fp448.create(n);
     const s = Fp448.fromBytes(bytes);
 
     // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
     // 2. Check that s is non-negative, or else abort
-
     if (!equalBytes(Fn448.toBytes(s), bytes) || isNegativeLE(s, P))
       throw new Error('invalid decaf448 encoding 1');
 
@@ -435,7 +411,7 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     const t = mod(x * y); // 8
 
     if (!isValid) throw new Error('invalid decaf448 encoding 2');
-    return new _DecafPoint(new ed448.Point(x, y, _1n, t));
+    return new _DecafPoint(new ed448_Point(x, y, _1n, t));
   }
 
   /**
@@ -443,13 +419,8 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
    * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode-2).
    * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
    */
-  static fromHex(hex: Hex): _DecafPoint {
-    return _DecafPoint.fromBytes(ensureBytes('decafHex', hex, 56));
-  }
-
-  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-  static msm(points: _DecafPoint[], scalars: bigint[]): _DecafPoint {
-    return pippenger(_DecafPoint, Fn, points, scalars);
+  static fromHex(hex: string): _DecafPoint {
+    return _DecafPoint.fromBytes(hexToBytes(hex));
   }
 
   /**
@@ -458,8 +429,8 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
    */
   toBytes(): Uint8Array {
     const { X, Z, T } = this.ep;
-    const P = Fp.ORDER;
-    const mod = (n: bigint) => Fp.create(n);
+    const P = ed448_CURVE.p;
+    const mod = (n: bigint) => Fp448.create(n);
     const u1 = mod(mod(X + T) * mod(X - T)); // 1
     const x2 = mod(X * X);
     const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
@@ -480,7 +451,7 @@ class _DecafPoint extends PrimeEdwardsPoint<_DecafPoint> {
     const { X: X1, Y: Y1 } = this.ep;
     const { X: X2, Y: Y2 } = other.ep;
     // (x1 * y2 == y1 * x2)
-    return Fp.create(X1 * Y2) === Fp.create(Y1 * X2);
+    return Fp448.create(X1 * Y2) === Fp448.create(Y1 * X2);
   }
 
   is0(): boolean {
@@ -493,28 +464,52 @@ export const decaf448: {
 } = { Point: _DecafPoint };
 
 /** Hashing to decaf448 points / field. RFC 9380 methods. */
-export const decaf448_hasher: H2CHasherBase<bigint> = {
-  hashToCurve(msg: Uint8Array, options?: htfBasicOpts): _DecafPoint {
+export const decaf448_hasher: H2CHasherBase<typeof _DecafPoint> = {
+  Point: _DecafPoint,
+  hashToCurve(msg: Uint8Array, options?: H2CDSTOpts): _DecafPoint {
     const DST = options?.DST || 'decaf448_XOF:SHAKE256_D448MAP_RO_';
-    return decaf448_map(expand_message_xof(msg, DST, 112, 224, shake256));
+    return decaf448_hasher.deriveToCurve!(expand_message_xof(msg, DST, 112, 224, shake256));
   },
-  // Warning: has big modulo bias of 2^-64.
-  // RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
-  // it must use 84-byte xof (56+56/2), not 64.
-  hashToScalar(msg: Uint8Array, options: htfBasicOpts = { DST: _DST_scalar }) {
+  /**
+   * Warning: has big modulo bias of 2^-64.
+   * RFC is invalid. RFC says "use 64-byte xof", while for 2^-112 bias
+   * it must use 84-byte xof (56+56/2), not 64.
+   */
+  hashToScalar(msg: Uint8Array, options: H2CDSTOpts = { DST: _DST_scalar }): bigint {
     // Can't use `Fn448.fromBytes()`. 64-byte input => 56-byte field element
     const xof = expand_message_xof(msg, options.DST, 64, 256, shake256);
     return Fn448.create(bytesToNumberLE(xof));
   },
+  /**
+   * HashToCurve-like construction based on RFC 9496 (Element Derivation).
+   * Converts 112 uniform random bytes into a curve point.
+   *
+   * WARNING: This represents an older hash-to-curve construction, preceding the finalization of RFC 9380.
+   * It was later reused as a component in the newer `hash_to_ristretto255` function defined in RFC 9380.
+   */
+  deriveToCurve(bytes: Uint8Array): _DecafPoint {
+    abytes(bytes, 112);
+    const skipValidation = true;
+    // Note: Similar to the field element decoding described in
+    // [RFC7748], and unlike the field element decoding described in
+    // Section 5.3.1, non-canonical values are accepted.
+    const r1 = Fp448.create(Fp448.fromBytes(bytes.subarray(0, 56), skipValidation));
+    const R1 = calcElligatorDecafMap(r1);
+    const r2 = Fp448.create(Fp448.fromBytes(bytes.subarray(56, 112), skipValidation));
+    const R2 = calcElligatorDecafMap(r2);
+    return new _DecafPoint(R1.add(R2));
+  },
 };
 
-// export const decaf448_oprf: OPRF = createORPF({
-//   name: 'decaf448-SHAKE256',
-//   Point: DecafPoint,
-//   hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
-//   hashToGroup: decaf448_hasher.hashToCurve,
-//   hashToScalar: decaf448_hasher.hashToScalar,
-// });
+/** decaf448 OPRF, defined in RFC 9497. */
+export const decaf448_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'decaf448-SHAKE256',
+    Point: _DecafPoint,
+    hash: (msg: Uint8Array) => shake256(msg, { dkLen: 64 }),
+    hashToGroup: decaf448_hasher.hashToCurve,
+    hashToScalar: decaf448_hasher.hashToScalar,
+  }))();
 
 /**
  * Weird / bogus points, useful for debugging.
@@ -528,25 +523,3 @@ export const ED448_TORSION_SUBGROUP: string[] = [
   '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
   '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080',
 ];
-
-type DcfHasher = (msg: Uint8Array, options: htfBasicOpts) => _DecafPoint;
-
-/** @deprecated use `decaf448.Point` */
-export const DecafPoint: typeof _DecafPoint = _DecafPoint;
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => ed448_hasher.hashToCurve)();
-/** @deprecated use `import { ed448_hasher } from '@noble/curves/ed448.js';` */
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  ed448_hasher.encodeToCurve)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export const hashToDecaf448: DcfHasher = /* @__PURE__ */ (() =>
-  decaf448_hasher.hashToCurve as DcfHasher)();
-/** @deprecated use `import { decaf448_hasher } from '@noble/curves/ed448.js';` */
-export const hash_to_decaf448: DcfHasher = /* @__PURE__ */ (() =>
-  decaf448_hasher.hashToCurve as DcfHasher)();
-/** @deprecated use `ed448.utils.toMontgomery` */
-export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
-  return ed448.utils.toMontgomery(ensureBytes('pub', edwardsPub));
-}
-/** @deprecated use `ed448.utils.toMontgomery` */
-export const edwardsToMontgomery: typeof edwardsToMontgomeryPub = edwardsToMontgomeryPub;

package/src/index.ts

@@ -4,12 +4,28 @@
  * @example
 ```js
 import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
-import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519.js';
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
+import { ed25519, ed25519ph, ed25519ctx, x25519, ristretto255 } from '@noble/curves/ed25519.js';
+import { ed448, ed448ph, x448, decaf448 } from '@noble/curves/ed448.js';
 import { p256, p384, p521 } from '@noble/curves/nist.js';
 import { bls12_381 } from '@noble/curves/bls12-381.js';
 import { bn254 } from '@noble/curves/bn254.js';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
+import { jubjub, babyjubjub, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 } from '@noble/curves/misc.js';
+import * as webcrypto from '@noble/curves/webcrypto.js';
+
+// hash-to-curve
+import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
+import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
+import { ristretto255_hasher } from '@noble/curves/ed25519.js';
+import { decaf448_hasher } from '@noble/curves/ed448.js';
+
+// OPRFs
+import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
+import { decaf448_oprf } from '@noble/curves/ed448.js';
+
+// utils
+import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
+import { Field } from '@noble/curves/abstract/modular.js';
 ```
  */
 throw new Error('root module cannot be imported: import submodules instead. Check out README');

package/src/misc.ts

@@ -6,18 +6,19 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { blake256 } from '@noble/hashes/blake1.js';
 import { blake2s } from '@noble/hashes/blake2.js';
-import { sha256, sha512 } from '@noble/hashes/sha2.js';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
+import { concatBytes } from '@noble/hashes/utils.js';
 import {
-  twistedEdwards,
-  type CurveFn,
+  eddsa,
+  edwards,
+  type EdDSA,
   type EdwardsOpts,
   type EdwardsPoint,
 } from './abstract/edwards.ts';
-import { Field, mod } from './abstract/modular.ts';
-import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
+import { ecdsa, weierstrass, type ECDSA, type WeierstrassOpts } from './abstract/weierstrass.ts';
 import { bls12_381_Fr } from './bls12-381.ts';
 import { bn254_Fr } from './bn254.ts';
+import { asciiToBytes } from './utils.ts';
 
 // Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
 // jubjub Fp = bls n. babyjubjub Fp = bn254 n.
@@ -32,11 +33,7 @@ const jubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
 };
 /** Curve over scalar field of bls12-381. jubjub Fp = bls n */
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...jubjub_CURVE,
-  Fp: bls12_381_Fr,
-  hash: sha512,
-});
+export const jubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(jubjub_CURVE), sha512);
 
 const babyjubjub_CURVE: EdwardsOpts = {
   p: bn254_Fr.ORDER,
@@ -48,13 +45,9 @@ const babyjubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
 };
 /** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
-export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...babyjubjub_CURVE,
-  Fp: bn254_Fr,
-  hash: blake256,
-});
+export const babyjubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(babyjubjub_CURVE), blake256);
 
-const jubjub_gh_first_block = utf8ToBytes(
+const jubjub_gh_first_block = asciiToBytes(
   '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
 );
 
@@ -63,7 +56,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
   const h = blake2s.create({ personalization, dkLen: 32 });
   h.update(jubjub_gh_first_block);
   h.update(tag);
-  // NOTE: returns ExtendedPoint, in case it will be multiplied later
+  // NOTE: returns EdwardsPoint, in case it will be multiplied later
   let p = jubjub.Point.fromBytes(h.digest());
   // NOTE: cannot replace with isSmallOrder, returns Point*8
   p = p.multiply(jubjub_CURVE.h);
@@ -73,7 +66,7 @@ export function jubjub_groupHash(tag: Uint8Array, personalization: Uint8Array):
 
 // No secret data is leaked here at all.
 // It operates over public data:
-// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), utf8ToBytes('Item_G_'));
+// const G_SPEND = jubjub.findGroupHash(Uint8Array.of(), asciiToBytes('Item_G_'));
 export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array): EdwardsPoint {
   const tag = concatBytes(m, Uint8Array.of(0));
   const hashes = [];
@@ -87,38 +80,62 @@ export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array)
   return hashes[0];
 }
 
-// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
-
-export const pasta_p: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
-);
-export const pasta_q: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
-);
+const brainpoolP256r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'),
+  a: BigInt('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'),
+  b: BigInt('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6'),
+  n: BigInt('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
+  Gx: BigInt('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
+  Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
+  h: BigInt(1),
+};
+/** Brainpool P256r1 with sha256, from RFC 5639. */
+export const brainpoolP256r1: ECDSA = ecdsa(weierstrass(brainpoolP256r1_CURVE), sha256);
 
-/**
- * @deprecated
- */
-export const pallas: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_p),
-  n: pasta_q,
-  Gx: mod(BigInt(-1), pasta_p),
-  Gy: BigInt(2),
+const brainpoolP384r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'
+  ),
+  a: BigInt(
+    '0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'
+  ),
+  b: BigInt(
+    '0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11'
+  ),
+  n: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'
+  ),
+  Gx: BigInt(
+    '0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'
+  ),
+  Gy: BigInt(
+    '0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
-/**
- * @deprecated
- */
-export const vesta: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_q),
-  n: pasta_p,
-  Gx: mod(BigInt(-1), pasta_q),
-  Gy: BigInt(2),
+};
+/** Brainpool P384r1 with sha384, from RFC 5639. */
+export const brainpoolP384r1: ECDSA = ecdsa(weierstrass(brainpoolP384r1_CURVE), sha384);
+
+const brainpoolP512r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'
+  ),
+  a: BigInt(
+    '0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'
+  ),
+  b: BigInt(
+    '0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723'
+  ),
+  n: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'
+  ),
+  Gx: BigInt(
+    '0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'
+  ),
+  Gy: BigInt(
+    '0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
+};
+/** Brainpool P521r1 with sha512, from RFC 5639. */
+export const brainpoolP512r1: ECDSA = ecdsa(weierstrass(brainpoolP512r1_CURVE), sha512);