@noble/curves 2.0.1 → 2.2.0

package/bn254.d.ts

@@ -56,11 +56,20 @@ Ate loop size: 6x+2
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { type BlsCurvePair, type BlsPostPrecomputeFn } from './abstract/bls.ts';
 import { type IField } from './abstract/modular.ts';
-export declare const bn254_Fr: IField<bigint>;
+import { type TRet } from './utils.ts';
+/** bn254 scalar field. */
+export declare const bn254_Fr: TRet<IField<bigint>>;
 export declare const _postPrecompute: BlsPostPrecomputeFn;
 /**
  * bn254 (a.k.a. alt_bn128) pairing-friendly curve.
- * Contains G1 / G2 operations and pairings.
+ * Contains G1 / G2 operations and pairings only; the commented-out
+ * hash-to-curve and signature surface is intentionally not exposed here.
+ * @example
+ * Compute a pairing from the two generator points.
+ *
+ * ```ts
+ * const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
+ * ```
  */
 export declare const bn254: BlsCurvePair;
 //# sourceMappingURL=bn254.d.ts.map

package/bn254.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bn254.d.ts","sourceRoot":"","sources":["src/bn254.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,sEAAsE;AACtE,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,mBAAmB,EAEzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAyB3D,eAAO,MAAM,QAAQ,EAAE,MAAM,CAAC,MAAM,CAA2B,CAAC;AAoChE,eAAO,MAAM,eAAe,EAAE,mBAY7B,CAAC;AA8EF;;;GAGG;AAEH,eAAO,MAAM,KAAK,EAAE,YAAiE,CAAC"}
+{"version":3,"file":"bn254.d.ts","sourceRoot":"","sources":["src/bn254.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,sEAAsE;AACtE,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,mBAAmB,EAEzB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAS,KAAK,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAI3D,OAAO,EAAU,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AA8B/C,0BAA0B;AAC1B,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CACU,CAAC;AA+DrD,eAAO,MAAM,eAAe,EAAE,mBAY7B,CAAC;AAyFF;;;;;;;;;;GAUG;AAEH,eAAO,MAAM,KAAK,EAAE,YAKnB,CAAC"}

package/bn254.js

@@ -60,14 +60,20 @@ import { psiFrobenius, tower12 } from "./abstract/tower.js";
 import { weierstrass } from "./abstract/weierstrass.js";
 import { bitLen } from "./utils.js";
 // prettier-ignore
-const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
-const _6n = BigInt(6);
-const BN_X = BigInt('4965661367192848881');
-const BN_X_LEN = bitLen(BN_X);
-const SIX_X_SQUARED = _6n * BN_X ** _2n;
+const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
+const _6n = /* @__PURE__ */ BigInt(6);
+// Locally documented BN pairing seed. EIP-197 does not name this scalar
+// directly; noble stores the positive value and derives any `-x` uses later.
+const BN_X = /* @__PURE__ */ BigInt('4965661367192848881');
+// Bit width of the stored seed itself, not the derived Miller-loop scalar `6x+2`.
+const BN_X_LEN = /* @__PURE__ */ (() => bitLen(BN_X))();
+// Derived scalar used by the optimized G2 subgroup test required by EIP-197.
+const SIX_X_SQUARED = /* @__PURE__ */ (() => _6n * BN_X ** _2n)();
 const bn254_G1_CURVE = {
     p: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
     n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+    // The Ethereum specs define G1 as prime-order but do not spell out the
+    // cofactor separately; `h = 1` is the implementation-derived value.
     h: _1n,
     a: _0n,
     b: _3n,
@@ -75,33 +81,64 @@ const bn254_G1_CURVE = {
     Gy: BigInt(2),
 };
 // r == n
-// Finite field over r. It's for convenience and is not used in the code below.
-export const bn254_Fr = Field(bn254_G1_CURVE.n);
-// Fp2.div(Fp2.mul(Fp2.ONE, _3n), Fp2.NONRESIDUE)
-const Fp2B = {
+// Finite field over r. It's for convenience and is not used in the code below,
+// and its canonical `fromBytes()` decoder is stricter than the EIP-196 MUL
+// scalar rule that accepts any 256-bit integer.
+// These factories are side-effect free; mark them pure so single-export bundles can drop the rest.
+/** bn254 scalar field. */
+export const bn254_Fr = /* @__PURE__ */ (() => Field(bn254_G1_CURVE.n))();
+// `3 / (i + 9)` from EIP-197, stored in noble's internal `(c0, c1) = (b, a)`
+// order rather than the spec's `a * i + b` notation.
+const Fp2B = /* @__PURE__ */ (() => ({
     c0: BigInt('19485874751759354771024239261021720505790618469301721065564631296452457478373'),
     c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
-};
-const { Fp, Fp2, Fp6, Fp12 } = tower12({
-    ORDER: bn254_G1_CURVE.p,
-    X_LEN: BN_X_LEN,
-    FP2_NONRESIDUE: [BigInt(9), _1n],
-    Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
-    Fp12finalExponentiate: (num) => {
-        const powMinusX = (num) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
-        const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
-        const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
-        const y1 = Fp12._cyclotomicSquare(powMinusX(r));
-        const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
-        const y4 = powMinusX(y2);
-        const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
-        const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
-        const y9 = Fp12.mul(y8, y1);
-        return Fp12.mul(Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3), Fp12.mul(Fp12.frobeniusMap(y8, 2), Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))));
-    },
-});
+}))();
+// Bootstrap binding: `Fp12finalExponentiate` needs to reference the finished
+// field object while `tower12(...)` is still constructing it.
+let Fp12;
+const tower = /* @__PURE__ */ (() => {
+    const res = tower12({
+        ORDER: bn254_G1_CURVE.p,
+        X_LEN: BN_X_LEN,
+        // Public `Fp2.NONRESIDUE` below is the sextic-tower seed `(9, 1)`, not the
+        // quadratic relation `i^2 + 1 = 0` from the EIP text.
+        FP2_NONRESIDUE: [BigInt(9), _1n],
+        Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
+        Fp12finalExponentiate: (num) => {
+            const powMinusX = (num) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
+            const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));
+            const r = Fp12.mul(Fp12.frobeniusMap(r0, 2), r0);
+            const y1 = Fp12._cyclotomicSquare(powMinusX(r));
+            const y2 = Fp12.mul(Fp12._cyclotomicSquare(y1), y1);
+            const y4 = powMinusX(y2);
+            const y6 = powMinusX(Fp12._cyclotomicSquare(y4));
+            const y8 = Fp12.mul(Fp12.mul(Fp12.conjugate(y6), y4), Fp12.conjugate(y2));
+            const y9 = Fp12.mul(y8, y1);
+            return Fp12.mul(Fp12.frobeniusMap(Fp12.mul(Fp12.conjugate(r), y9), 3), Fp12.mul(Fp12.frobeniusMap(y8, 2), Fp12.mul(Fp12.frobeniusMap(y9, 1), Fp12.mul(Fp12.mul(y8, y4), r))));
+        },
+    });
+    Fp12 = res.Fp12;
+    return res;
+})();
+const Fp = /* @__PURE__ */ (() => tower.Fp)();
+const Fp2 = /* @__PURE__ */ (() => tower.Fp2)();
 // END OF CURVE FIELDS
-const { G2psi, psi } = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE);
+// BN254 uses the same tower seed `(9, 1)` for the Frobenius helper that powers
+// the divisive-twist G2 endomorphism.
+let frob;
+const getFrob = () => frob || (frob = psiFrobenius(Fp, Fp2, Fp2.NONRESIDUE));
+// Eager psiFrobenius setup now dominates `bn254.js` import, so defer it to
+// first use. After that these locals are rewritten to the direct helper refs.
+let psi = (x, y) => {
+    const fn = getFrob().psi;
+    psi = fn;
+    return fn(x, y);
+};
+let G2psi = (c, P) => {
+    const fn = getFrob().G2psi;
+    G2psi = fn;
+    return fn(c, P);
+};
 export const _postPrecompute = (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
     const q = psi(Qx, Qy);
     ({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
@@ -109,9 +146,11 @@ export const _postPrecompute = (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
     pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
 };
 // cofactor: (36 * X^4) + (36 * X^3) + (30 * X^2) + 6*X + 1
-const bn254_G2_CURVE = {
+const bn254_G2_CURVE = /* @__PURE__ */ (() => ({
     p: Fp2.ORDER,
     n: bn254_G1_CURVE.n,
+    // As with G1, the Ethereum specs do not spell out the G2 cofactor
+    // separately; this literal is the implementation-derived value.
     h: BigInt('0x30644e72e131a029b85045b68181585e06ceecda572a2489345f2299c0f9fa8d'),
     a: Fp2.ZERO,
     b: Fp2B,
@@ -123,17 +162,23 @@ const bn254_G2_CURVE = {
         BigInt('8495653923123431417604973247489272438418190587263600148770280649306958101930'),
         BigInt('4082367875863433681332203403145435568316851327593401208105741076214120093531'),
     ]),
-};
-const fields = { Fp, Fp2, Fp6, Fp12, Fr: bn254_Fr };
-const bn254_G1 = weierstrass(bn254_G1_CURVE, {
+}))();
+const fields = /* @__PURE__ */ (() => ({ Fp, Fp2, Fp6: tower.Fp6, Fp12, Fr: bn254_Fr }))();
+const bn254_G1 = /* @__PURE__ */ weierstrass(bn254_G1_CURVE, {
     Fp,
     Fn: bn254_Fr,
+    // Ethereum encodes infinity as `(0, 0)`, so the public point API accepts it
+    // even though it is not an affine curve point, and `fromAffine()` stays lazy:
+    // adversarial inputs still need `assertValidity()`.
     allowInfinityPoint: true,
 });
-const bn254_G2 = weierstrass(bn254_G2_CURVE, {
+const bn254_G2 = /* @__PURE__ */ weierstrass(bn254_G2_CURVE, {
     Fp: Fp2,
     Fn: bn254_Fr,
+    // Ethereum encodes infinity as `((0, 0), (0, 0))`, so the public point API
+    // accepts it even though it is not an affine curve point.
     allowInfinityPoint: true,
+    // Optimized BN254 G2 subgroup test used to satisfy the EIP-197 order check.
     isTorsionFree: (c, P) => P.multiplyUnsafe(SIX_X_SQUARED).equals(G2psi(c, P)), // [p]P = [6X^2]P
 });
 /*
@@ -156,13 +201,16 @@ No hashToCurve for now (and signatures):
 // const hasherOpts = {
 //   { ...htfDefaults, m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' }
 // };
-const bn254_params = {
+const bn254_params = /* @__PURE__ */ (() => ({
+    // Optimal-ate Miller loop parameter derived from the positive BN seed.
     ateLoopSize: BN_X * _6n + _2n,
     r: bn254_Fr.ORDER,
     xNegative: false,
+    // EIP-197 writes G2 as `y^2 = x^3 + 3 / (i + 9)`, so the pairing
+    // configuration uses the divisive twist convention.
     twistType: 'divisive',
     postPrecompute: _postPrecompute,
-};
+}))();
 // const bn254_hasher = {
 //   hasherOpts: htfDefaults,
 //   hasherOptsG1: { m: 1, DST: 'BN254G2_XMD:SHA-256_SVDW_RO_' },
@@ -183,8 +231,15 @@ const bn254_params = {
 // },
 /**
  * bn254 (a.k.a. alt_bn128) pairing-friendly curve.
- * Contains G1 / G2 operations and pairings.
+ * Contains G1 / G2 operations and pairings only; the commented-out
+ * hash-to-curve and signature surface is intentionally not exposed here.
+ * @example
+ * Compute a pairing from the two generator points.
+ *
+ * ```ts
+ * const gt = bn254.pairing(bn254.G1.Point.BASE, bn254.G2.Point.BASE);
+ * ```
  */
 // bn254_hasher
-export const bn254 = blsBasic(fields, bn254_G1, bn254_G2, bn254_params);
+export const bn254 = /* @__PURE__ */ blsBasic(fields, bn254_G1, bn254_G2, bn254_params);
 //# sourceMappingURL=bn254.js.map

package/bn254.js.map

@@ -1 +1 @@
-{"version":3,"file":"bn254.js","sourceRoot":"","sources":["src/bn254.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,sEAAsE;AACtE,OAAO,EACL,QAAQ,GAIT,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,KAAK,EAAe,MAAM,uBAAuB,CAAC;AAE3D,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAwB,MAAM,2BAA2B,CAAC;AAC9E,OAAO,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AACpC,kBAAkB;AAClB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACzE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AAEtB,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,CAAC,CAAC;AAC3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;AAC9B,MAAM,aAAa,GAAG,GAAG,GAAG,IAAI,IAAI,GAAG,CAAC;AAExC,MAAM,cAAc,GAA4B;IAC9C,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,GAAG;IACN,CAAC,EAAE,GAAG;IACN,CAAC,EAAE,GAAG;IACN,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;CACd,CAAC;AAEF,SAAS;AACT,+EAA+E;AAC/E,MAAM,CAAC,MAAM,QAAQ,GAAmB,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;AAEhE,iDAAiD;AACjD,MAAM,IAAI,GAAG;IACX,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,EAAE,EAAE,MAAM,CAAC,6EAA6E,CAAC;CAC1F,CAAC;AAEF,MAAM,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACrC,KAAK,EAAE,cAAc,CAAC,CAAC;IACvB,KAAK,EAAE,QAAQ;IACf,cAAc,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;IAChC,SAAS,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC;IACtC,qBAAqB,EAAE,CAAC,GAAG,EAAE,EAAE;QAC7B,MAAM,SAAS,GAAG,CAAC,GAAS,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;QAChF,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACjD,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAChD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;QACzB,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC;QACjD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC,GAAG,CACb,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,EACrD,IAAI,CAAC,GAAG,CACN,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EACxB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAClE,CACF,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,sBAAsB;AACtB,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,YAAY,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC;AAE7D,MAAM,CAAC,MAAM,eAAe,GAAwB,CAClD,EAAO,EACP,EAAO,EACP,EAAO,EACP,EAAO,EACP,EAAO,EACP,QAAqC,EACrC,EAAE;IACF,MAAM,CAAC,GAAG,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACtB,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC,CAAC;AAEF,2DAA2D;AAC3D,MAAM,cAAc,GAAyB;IAC3C,CAAC,EAAE,GAAG,CAAC,KAAK;IACZ,CAAC,EAAE,cAAc,CAAC,CAAC;IACnB,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,GAAG,CAAC,IAAI;IACX,CAAC,EAAE,IAAI;IACP,EAAE,EAAE,GAAG,CAAC,YAAY,CAAC;QACnB,MAAM,CAAC,+EAA+E,CAAC;QACvF,MAAM,CAAC,+EAA+E,CAAC;KACxF,CAAC;IACF,EAAE,EAAE,GAAG,CAAC,YAAY,CAAC;QACnB,MAAM,CAAC,8EAA8E,CAAC;QACtF,MAAM,CAAC,8EAA8E,CAAC;KACvF,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC;AACpD,MAAM,QAAQ,GAAG,WAAW,CAAC,cAAc,EAAE;IAC3C,EAAE;IACF,EAAE,EAAE,QAAQ;IACZ,kBAAkB,EAAE,IAAI;CACzB,CAAC,CAAC;AACH,MAAM,QAAQ,GAAG,WAAW,CAAC,cAAc,EAAE;IAC3C,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,QAAQ;IACZ,kBAAkB,EAAE,IAAI;IACxB,aAAa,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,iBAAiB;CAChG,CAAC,CAAC;AACH;;;;;;EAME;AACF,sCAAsC;AACtC,6DAA6D;AAC7D,yCAAyC;AACzC,+CAA+C;AAC/C,iBAAiB;AACjB,UAAU;AACV,YAAY;AACZ,mBAAmB;AACnB,kBAAkB;AAClB,MAAM;AACN,uBAAuB;AACvB,kEAAkE;AAClE,KAAK;AACL,MAAM,YAAY,GAAG;IACnB,WAAW,EAAE,IAAI,GAAG,GAAG,GAAG,GAAG;IAC7B,CAAC,EAAE,QAAQ,CAAC,KAAK;IACjB,SAAS,EAAE,KAAK;IAChB,SAAS,EAAE,UAAmB;IAC9B,cAAc,EAAE,eAAe;CAChC,CAAC;AACF,yBAAyB;AACzB,6BAA6B;AAC7B,iEAAiE;AACjE,8BAA8B;AAC9B,KAAK;AACL,6GAA6G;AAC7G,6BAA6B;AAC7B,2BAA2B;AAE3B,8BAA8B;AAC9B,6BAA6B;AAC7B,2BAA2B;AAC3B,oBAAoB;AACpB,+BAA+B;AAC/B,6BAA6B;AAC7B,6BAA6B;AAC7B,gCAAgC;AAChC,2BAA2B;AAC3B,KAAK;AAEL;;;GAGG;AACH,eAAe;AACf,MAAM,CAAC,MAAM,KAAK,GAAiB,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC"}
+{"version":3,"file":"bn254.js","sourceRoot":"","sources":["src/bn254.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AACH,sEAAsE;AACtE,OAAO,EACL,QAAQ,GAIT,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,KAAK,EAAe,MAAM,uBAAuB,CAAC;AAE3D,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAwB,MAAM,2BAA2B,CAAC;AAC9E,OAAO,EAAE,MAAM,EAAa,MAAM,YAAY,CAAC;AAC/C,kBAAkB;AAClB,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AACzI,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAEtC,wEAAwE;AACxE,6EAA6E;AAC7E,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;AAC3D,kFAAkF;AAClF,MAAM,QAAQ,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;AACxD,6EAA6E;AAC7E,MAAM,aAAa,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,GAAG,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;AAElE,MAAM,cAAc,GAA4B;IAC9C,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,uEAAuE;IACvE,oEAAoE;IACpE,CAAC,EAAE,GAAG;IACN,CAAC,EAAE,GAAG;IACN,CAAC,EAAE,GAAG;IACN,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;CACd,CAAC;AAEF,SAAS;AACT,+EAA+E;AAC/E,2EAA2E;AAC3E,gDAAgD;AAChD,mGAAmG;AACnG,0BAA0B;AAC1B,MAAM,CAAC,MAAM,QAAQ,GAAyB,eAAe,CAAC,CAAC,GAAG,EAAE,CAClE,KAAK,CAAC,cAAc,CAAC,CAAC,CAAyB,CAAC,EAAE,CAAC;AAErD,6EAA6E;AAC7E,qDAAqD;AACrD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACnC,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,EAAE,EAAE,MAAM,CAAC,6EAA6E,CAAC;CAC1F,CAAC,CAAC,EAAE,CAAC;AAEN,6EAA6E;AAC7E,8DAA8D;AAC9D,IAAI,IAAwC,CAAC;AAC7C,MAAM,KAAK,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE;IAClC,MAAM,GAAG,GAAG,OAAO,CAAC;QAClB,KAAK,EAAE,cAAc,CAAC,CAAC;QACvB,KAAK,EAAE,QAAQ;QACf,2EAA2E;QAC3E,sDAAsD;QACtD,cAAc,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;QAChC,SAAS,EAAE,CAAC,GAAQ,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC;QAC3C,qBAAqB,EAAE,CAAC,GAAS,EAAE,EAAE;YACnC,MAAM,SAAS,GAAG,CAAC,GAAS,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YAChF,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjD,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;YACpD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;YACzB,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC;YACjD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC;YAC1E,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC,GAAG,CACb,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,EACrD,IAAI,CAAC,GAAG,CACN,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EACxB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAClE,CACF,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IACH,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;IAChB,OAAO,GAAG,CAAC;AACb,CAAC,CAAC,EAAE,CAAC;AACL,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9C,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;AAEhD,sBAAsB;AACtB,+EAA+E;AAC/E,sCAAsC;AACtC,IAAI,IAAiD,CAAC;AACtD,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;AAC7E,2EAA2E;AAC3E,8EAA8E;AAC9E,IAAI,GAAG,GAA2C,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;IACzD,MAAM,EAAE,GAAG,OAAO,EAAE,CAAC,GAAG,CAAC;IACzB,GAAG,GAAG,EAAE,CAAC;IACT,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC;AACF,IAAI,KAAK,GAA6C,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;IAC7D,MAAM,EAAE,GAAG,OAAO,EAAE,CAAC,KAAK,CAAC;IAC3B,KAAK,GAAG,EAAE,CAAC;IACX,OAAO,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAwB,CAClD,EAAO,EACP,EAAO,EACP,EAAO,EACP,EAAO,EACP,EAAO,EACP,QAAqC,EACrC,EAAE;IACF,MAAM,CAAC,GAAG,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACtB,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,QAAQ,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC,CAAC;AAEF,2DAA2D;AAC3D,MAAM,cAAc,GAAyB,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IACnE,CAAC,EAAE,GAAG,CAAC,KAAK;IACZ,CAAC,EAAE,cAAc,CAAC,CAAC;IACnB,kEAAkE;IAClE,gEAAgE;IAChE,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,GAAG,CAAC,IAAI;IACX,CAAC,EAAE,IAAI;IACP,EAAE,EAAE,GAAG,CAAC,YAAY,CAAC;QACnB,MAAM,CAAC,+EAA+E,CAAC;QACvF,MAAM,CAAC,+EAA+E,CAAC;KACxF,CAAC;IACF,EAAE,EAAE,GAAG,CAAC,YAAY,CAAC;QACnB,MAAM,CAAC,8EAA8E,CAAC;QACtF,MAAM,CAAC,8EAA8E,CAAC;KACvF,CAAC;CACH,CAAC,CAAC,EAAE,CAAC;AAEN,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC,EAAE,CAAC;AAC3F,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,cAAc,EAAE;IAC3D,EAAE;IACF,EAAE,EAAE,QAAQ;IACZ,4EAA4E;IAC5E,8EAA8E;IAC9E,oDAAoD;IACpD,kBAAkB,EAAE,IAAI;CACzB,CAAC,CAAC;AACH,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,cAAc,EAAE;IAC3D,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,QAAQ;IACZ,2EAA2E;IAC3E,0DAA0D;IAC1D,kBAAkB,EAAE,IAAI;IACxB,4EAA4E;IAC5E,aAAa,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,iBAAiB;CAChG,CAAC,CAAC;AACH;;;;;;EAME;AACF,sCAAsC;AACtC,6DAA6D;AAC7D,yCAAyC;AACzC,+CAA+C;AAC/C,iBAAiB;AACjB,UAAU;AACV,YAAY;AACZ,mBAAmB;AACnB,kBAAkB;AAClB,MAAM;AACN,uBAAuB;AACvB,kEAAkE;AAClE,KAAK;AACL,MAAM,YAAY,GAAG,eAAe,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC3C,uEAAuE;IACvE,WAAW,EAAE,IAAI,GAAG,GAAG,GAAG,GAAG;IAC7B,CAAC,EAAE,QAAQ,CAAC,KAAK;IACjB,SAAS,EAAE,KAAK;IAChB,iEAAiE;IACjE,oDAAoD;IACpD,SAAS,EAAE,UAAmB;IAC9B,cAAc,EAAE,eAAe;CAChC,CAAC,CAAC,EAAE,CAAC;AACN,yBAAyB;AACzB,6BAA6B;AAC7B,iEAAiE;AACjE,8BAA8B;AAC9B,KAAK;AACL,6GAA6G;AAC7G,6BAA6B;AAC7B,2BAA2B;AAE3B,8BAA8B;AAC9B,6BAA6B;AAC7B,2BAA2B;AAC3B,oBAAoB;AACpB,+BAA+B;AAC/B,6BAA6B;AAC7B,6BAA6B;AAC7B,gCAAgC;AAChC,2BAA2B;AAC3B,KAAK;AAEL;;;;;;;;;;GAUG;AACH,eAAe;AACf,MAAM,CAAC,MAAM,KAAK,GAAiB,eAAe,CAAC,QAAQ,CACzD,MAAM,EACN,QAAQ,EACR,QAAQ,EACR,YAAY,CACb,CAAC"}

package/ed25519.d.ts

@@ -1,31 +1,81 @@
 import { type AffinePoint } from './abstract/curve.ts';
 import { PrimeEdwardsPoint, type EdDSA, type EdwardsPoint, type EdwardsPointCons } from './abstract/edwards.ts';
+import { type FROST } from './abstract/frost.ts';
 import { type H2CHasher, type H2CHasherBase } from './abstract/hash-to-curve.ts';
 import { type IField } from './abstract/modular.ts';
 import { type MontgomeryECDH } from './abstract/montgomery.ts';
 import { type OPRF } from './abstract/oprf.ts';
+import { type TArg, type TRet } from './utils.ts';
 /**
  * ed25519 curve with EdDSA signatures.
+ * Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
+ * 32-byte seed buffer instead of copying it.
  * @example
+ * Generate one Ed25519 keypair, sign a message, and verify it.
+ *
  * ```js
  * import { ed25519 } from '@noble/curves/ed25519.js';
  * const { secretKey, publicKey } = ed25519.keygen();
  * // const publicKey = ed25519.getPublicKey(secretKey);
  * const msg = new TextEncoder().encode('hello noble');
  * const sig = ed25519.sign(msg, secretKey);
- * const isValid = ed25519.verify(sig, msg, pub); // ZIP215
+ * const isValid = ed25519.verify(sig, msg, publicKey); // ZIP215
  * // RFC8032 / FIPS 186-5
- * const isValid2 = ed25519.verify(sig, msg, pub, { zip215: false });
+ * const isValid2 = ed25519.verify(sig, msg, publicKey, { zip215: false });
  * ```
  */
 export declare const ed25519: EdDSA;
-/** Context version of ed25519 (ctx for domain separation). See {@link ed25519} */
+/**
+ * Context version of ed25519 (ctx for domain separation). See {@link ed25519}
+ * Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
+ * 32-byte seed buffer instead of copying it.
+ * @example
+ * Sign and verify with Ed25519ctx under one explicit context.
+ *
+ * ```ts
+ * const context = new TextEncoder().encode('docs');
+ * const { secretKey, publicKey } = ed25519ctx.keygen();
+ * const msg = new TextEncoder().encode('hello noble');
+ * const sig = ed25519ctx.sign(msg, secretKey, { context });
+ * const isValid = ed25519ctx.verify(sig, msg, publicKey, { context });
+ * ```
+ */
 export declare const ed25519ctx: EdDSA;
-/** Prehashed version of ed25519. See {@link ed25519} */
+/**
+ * Prehashed version of ed25519. See {@link ed25519}
+ * Seeded `keygen(seed)` / `utils.randomSecretKey(seed)` reuse the provided
+ * 32-byte seed buffer instead of copying it.
+ * @example
+ * Use the prehashed Ed25519 variant for one message.
+ *
+ * ```ts
+ * const { secretKey, publicKey } = ed25519ph.keygen();
+ * const msg = new TextEncoder().encode('hello noble');
+ * const sig = ed25519ph.sign(msg, secretKey);
+ * const isValid = ed25519ph.verify(sig, msg, publicKey);
+ * ```
+ */
 export declare const ed25519ph: EdDSA;
+/**
+ * FROST threshold signatures over ed25519. RFC 9591.
+ * @example
+ * Create one trusted-dealer package for 2-of-3 ed25519 signing.
+ *
+ * ```ts
+ * const alice = ed25519_FROST.Identifier.derive('alice@example.com');
+ * const bob = ed25519_FROST.Identifier.derive('bob@example.com');
+ * const carol = ed25519_FROST.Identifier.derive('carol@example.com');
+ * const deal = ed25519_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
+ * ```
+ */
+export declare const ed25519_FROST: TRet<FROST>;
 /**
  * ECDH using curve25519 aka x25519.
+ * `getSharedSecret()` rejects low-order peer inputs by default, and seeded
+ * `keygen(seed)` reuses the provided 32-byte seed buffer instead of copying it.
  * @example
+ * Derive one shared secret between two X25519 peers.
+ *
  * ```js
  * import { x25519 } from '@noble/curves/ed25519.js';
  * const alice = x25519.keygen();
@@ -33,7 +83,7 @@ export declare const ed25519ph: EdDSA;
  * const shared = x25519.getSharedSecret(alice.secretKey, bob.publicKey);
  * ```
  */
-export declare const x25519: MontgomeryECDH;
+export declare const x25519: TRet<MontgomeryECDH>;
 /**
  * RFC 9380 method `map_to_curve_elligator2_curve25519`. Experimental name: may be renamed later.
  * @private
@@ -44,7 +94,17 @@ export declare function _map_to_curve_elligator2_curve25519(u: bigint): {
     yMn: bigint;
     yMd: bigint;
 };
-/** Hashing to ed25519 points / field. RFC 9380 methods. */
+/**
+ * Hashing to ed25519 points / field. RFC 9380 methods.
+ * Public `mapToCurve()` returns the cofactor-cleared subgroup point; the
+ * internal map callback below consumes one field element bigint, not `[bigint]`.
+ * @example
+ * Hash one message onto the ed25519 curve.
+ *
+ * ```ts
+ * const point = ed25519_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
+ * ```
+ */
 export declare const ed25519_hasher: H2CHasher<EdwardsPointCons>;
 /**
  * Wrapper over Edwards Point for ristretto255.
@@ -61,21 +121,27 @@ declare class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
     static Fp: IField<bigint>;
     static Fn: IField<bigint>;
     constructor(ep: EdwardsPoint);
+    /**
+     * Create one Ristretto255 point from affine Edwards coordinates.
+     * This wraps the internal Edwards representative directly and is not a
+     * canonical ristretto255 decoding path.
+     * Use `toBytes()` / `fromBytes()` if canonical ristretto255 bytes matter.
+     */
     static fromAffine(ap: AffinePoint<bigint>): _RistrettoPoint;
     protected assertSame(other: _RistrettoPoint): void;
     protected init(ep: EdwardsPoint): _RistrettoPoint;
-    static fromBytes(bytes: Uint8Array): _RistrettoPoint;
+    static fromBytes(bytes: TArg<Uint8Array>): _RistrettoPoint;
     /**
      * Converts ristretto-encoded string to ristretto point.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-decode).
-     * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+     * @param hex - Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
      */
     static fromHex(hex: string): _RistrettoPoint;
     /**
      * Encodes ristretto point to Uint8Array.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-encode).
      */
-    toBytes(): Uint8Array;
+    toBytes(): TRet<Uint8Array>;
     /**
      * Compares two Ristretto points.
      * Described in [RFC9496](https://www.rfc-editor.org/rfc/rfc9496#name-equals).
@@ -83,19 +149,64 @@ declare class _RistrettoPoint extends PrimeEdwardsPoint<_RistrettoPoint> {
     equals(other: _RistrettoPoint): boolean;
     is0(): boolean;
 }
+/** Prime-order Ristretto255 group bundle. */
 export declare const ristretto255: {
     Point: typeof _RistrettoPoint;
 };
-/** Hashing to ristretto255 points / field. RFC 9380 methods. */
+/**
+ * Hashing to ristretto255 points / field. RFC 9380 methods.
+ * `hashToCurve()` is RFC 9380 Appendix B, `deriveToCurve()` is the RFC 9496
+ * §4.3.4 element-derivation building block, and `hashToScalar()` is a
+ * library-specific helper for OPRF-style use.
+ * @example
+ * Hash one message onto ristretto255.
+ *
+ * ```ts
+ * const point = ristretto255_hasher.hashToCurve(new TextEncoder().encode('hello noble'));
+ * ```
+ */
 export declare const ristretto255_hasher: H2CHasherBase<typeof _RistrettoPoint>;
-/** ristretto255 OPRF, defined in RFC 9497. */
-export declare const ristretto255_oprf: OPRF;
+/**
+ * ristretto255 OPRF/VOPRF/POPRF bundle, defined in RFC 9497.
+ * @example
+ * Run one blind/evaluate/finalize OPRF round over ristretto255.
+ *
+ * ```ts
+ * const input = new TextEncoder().encode('hello noble');
+ * const keys = ristretto255_oprf.oprf.generateKeyPair();
+ * const blind = ristretto255_oprf.oprf.blind(input);
+ * const evaluated = ristretto255_oprf.oprf.blindEvaluate(keys.secretKey, blind.blinded);
+ * const output = ristretto255_oprf.oprf.finalize(input, blind.blind, evaluated);
+ * ```
+ */
+export declare const ristretto255_oprf: TRet<OPRF>;
+/**
+ * FROST threshold signatures over ristretto255. RFC 9591.
+ * @example
+ * Create one trusted-dealer package for 2-of-3 ristretto255 signing.
+ *
+ * ```ts
+ * const alice = ristretto255_FROST.Identifier.derive('alice@example.com');
+ * const bob = ristretto255_FROST.Identifier.derive('bob@example.com');
+ * const carol = ristretto255_FROST.Identifier.derive('carol@example.com');
+ * const deal = ristretto255_FROST.trustedDealer({ min: 2, max: 3 }, [alice, bob, carol]);
+ * ```
+ */
+export declare const ristretto255_FROST: TRet<FROST>;
 /**
  * Weird / bogus points, useful for debugging.
  * All 8 ed25519 points of 8-torsion subgroup can be generated from the point
  * T = `26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05`.
- * ⟨T⟩ = { O, T, 2T, 3T, 4T, 5T, 6T, 7T }
+ * The subgroup generated by `T` is `{ O, T, 2T, 3T, 4T, 5T, 6T, 7T }`; the
+ * array below is that set, not the powers in that exact index order.
+ * @example
+ * Decode one known torsion point for debugging.
+ *
+ * ```ts
+ * import { ED25519_TORSION_SUBGROUP, ed25519 } from '@noble/curves/ed25519.js';
+ * const point = ed25519.Point.fromHex(ED25519_TORSION_SUBGROUP[1]);
+ * ```
  */
-export declare const ED25519_TORSION_SUBGROUP: string[];
+export declare const ED25519_TORSION_SUBGROUP: readonly string[];
 export {};
 //# sourceMappingURL=ed25519.d.ts.map

package/ed25519.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["src/ed25519.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAGL,iBAAiB,EACjB,KAAK,KAAK,EAGV,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAML,KAAK,MAAM,EACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAmG3D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,OAAO,EAAE,KAA8B,CAAC;AACrD,kFAAkF;AAClF,eAAO,MAAM,UAAU,EAAE,KAAsD,CAAC;AAChF,wDAAwD;AACxD,eAAO,MAAM,SAAS,EAAE,KAAuE,CAAC;AAEhG;;;;;;;;;GASG;AACH,eAAO,MAAM,MAAM,EAAE,cAYjB,CAAC;AASL;;;GAGG;AAEH,wBAAgB,mCAAmC,CAAC,CAAC,EAAE,MAAM,GAAG;IAC9D,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CACnD,CA2CA;AAqBD,2DAA2D;AAC3D,eAAO,MAAM,cAAc,EAAE,SAAS,CAAC,gBAAgB,CAajD,CAAC;AAuDP;;;;;;;;GAQG;AACH,cAAM,eAAgB,SAAQ,iBAAiB,CAAC,eAAe,CAAC;IAI9D,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;IAE/B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;gBAEnB,EAAE,EAAE,YAAY;IAI5B,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,eAAe;IAI3D,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAIlD,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,eAAe;IAIjD,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,eAAe;IA4BpD;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAI5C;;;OAGG;IACH,OAAO,IAAI,UAAU;IA4BrB;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAWvC,GAAG,IAAI,OAAO;CAGf;AAED,eAAO,MAAM,YAAY,EAAE;IACzB,KAAK,EAAE,OAAO,eAAe,CAAC;CACF,CAAC;AAE/B,gEAAgE;AAChE,eAAO,MAAM,mBAAmB,EAAE,aAAa,CAAC,OAAO,eAAe,CA0CrE,CAAC;AAEF,8CAA8C;AAC9C,eAAO,MAAM,iBAAiB,EAAE,IAOzB,CAAC;AAER;;;;;GAKG;AACH,eAAO,MAAM,wBAAwB,EAAE,MAAM,EAS5C,CAAC"}
+{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["src/ed25519.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAGL,iBAAiB,EACjB,KAAK,KAAK,EAGV,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACtB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAe,KAAK,KAAK,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAKL,KAAK,SAAS,EACd,KAAK,aAAa,EACnB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAML,KAAK,MAAM,EACZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAc,KAAK,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAc,KAAK,IAAI,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAA6C,KAAK,IAAI,EAAE,KAAK,IAAI,EAAE,MAAM,YAAY,CAAC;AAiH7F;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,OAAO,EAAE,KAA8B,CAAC;AACrD;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,UAAU,EAAE,KAAsD,CAAC;AAChF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,SAAS,EAAE,KAAuE,CAAC;AAChG;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,aAAa,EAAE,IAAI,CAAC,KAAK,CAa/B,CAAC;AAER;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,MAAM,EAAE,IAAI,CAAC,cAAc,CAYpC,CAAC;AAUL;;;GAGG;AAEH,wBAAgB,mCAAmC,CAAC,CAAC,EAAE,MAAM,GAAG;IAC9D,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CACnD,CA8CA;AA0BD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,cAAc,EAAE,SAAS,CAAC,gBAAgB,CAajD,CAAC;AA4DP;;;;;;;;GAQG;AACH,cAAM,eAAgB,SAAQ,iBAAiB,CAAC,eAAe,CAAC;IAI9D,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,IAAI,EAAE,eAAe,CACwC;IAEpE,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;IAE/B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CACM;gBAEnB,EAAE,EAAE,YAAY;IAI5B;;;;;OAKG;IACH,MAAM,CAAC,UAAU,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,CAAC,GAAG,eAAe;IAI3D,SAAS,CAAC,UAAU,CAAC,KAAK,EAAE,eAAe,GAAG,IAAI;IAIlD,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,YAAY,GAAG,eAAe;IAIjD,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,eAAe;IA4B1D;;;;OAIG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe;IAI5C;;;OAGG;IACH,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC;IA4B3B;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,eAAe,GAAG,OAAO;IAWvC,GAAG,IAAI,OAAO;CAGf;AAMD,6CAA6C;AAC7C,eAAO,MAAM,YAAY,EAAE;IACzB,KAAK,EAAE,OAAO,eAAe,CAAC;CAC6B,CAAC;AAE9D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,aAAa,CAAC,OAAO,eAAe,CAiDpE,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,EAAE,IAAI,CAAC,IAAI,CAOlC,CAAC;AACR;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB,EAAE,IAAI,CAAC,KAAK,CASpC,CAAC;AAER;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,wBAAwB,EAAE,SAAS,MAAM,EASpD,CAAC"}