Merge packages into one

.github/workflows/nodejs.yml

@@ -13,6 +13,5 @@ jobs:
         node-version: 18
     - run: npm install
     - run: npm run build --if-present
-    - run: cd curve-definitions; npm install; npm run build --if-present
-    - run: npm test
     - run: npm run lint --if-present
+    - run: npm test

README.md

@@ -1,36 +1,36 @@
 # noble-curves
 
-Minimal, zero-dependency JS implementation of elliptic curve cryptography.
+Minimal, auditable JS implementation of elliptic curve cryptography.
 
 - Short Weierstrass, Edwards, Montgomery curves
-- ECDSA, EdDSA, Schnorr, BLS signature schemes
+- ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
-- ECDH key agreement
+- [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
-- [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/) algorithms for encoding or hashing an arbitrary string to a point on an elliptic curve
+  for encoding or hashing an arbitrary string to a point on an elliptic curve
 - Auditable, [fast](#speed)
-- 🔻 Helps JS bundlers with lack of entry point, ensures small size of your app
+- 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
 - 🔍 Unique tests ensure correctness. Wycheproof vectors included
 
-No curve definitions are provided out-of-box. Use separate package `micro-curve-definitions`:
+There are two parts of the package:
 
-- It provides:
+1. `abstract/` directory specifies zero-dependency EC algorithms
+2. root directory utilizes one dependency `@noble/hashes` and provides ready-to-use:
     - NIST curves secp192r1/P192, secp224r1/P224, secp256r1/P256, secp384r1/P384, secp521r1/P521
     - SECG curve secp256k1
-    - bls12-381, bn254 pairing-friendly curves
+    - pairing-friendly curves bls12-381, bn254
     - ed25519/curve25519/x25519/ristretto, edwards448/curve448/x448 RFC7748 / RFC8032 / ZIP215 stuff
-- It allows to keep the main library minimal, zero-dependency.
-  m-c-d depends on a hashing library `@noble/hashes`
-- Packages may be merged later, once a stable version is ready
 
-The goal for the near future is to update previous packages
+Curves incorporate work from previous noble packages
 ([secp256k1](https://github.com/paulmillr/noble-secp256k1),
 [ed25519](https://github.com/paulmillr/noble-ed25519),
-[bls12-381](https://github.com/paulmillr/noble-bls12-381)) with lean UMD builds based on noble-curves. This would improve compatibility & allow having one codebase for everything.
+[bls12-381](https://github.com/paulmillr/noble-bls12-381)),
+which had security audits and were developed from 2019 to 2022.
+The goal is to replace them with lean UMD builds based on single-codebase noble-curves.
 
 ### This library belongs to _noble_ crypto
 
 > **noble-crypto** — high-security, easily auditable set of contained cryptographic libraries and tools.
 
-- No dependencies, small files
+- Minimal dependencies, small files
 - Easily auditable TypeScript/JS code
 - Supported in all major browsers and stable node.js versions
 - All releases are signed with PGP keys
@@ -50,8 +50,23 @@ Use NPM in node.js / browser, or include single file from
 The library does not have an entry point. It allows you to select specific primitives and drop everything else. If you only want to use secp256k1, just use the library with rollup or other bundlers. This is done to make your bundles tiny.
 
 ```ts
-import { Fp } from '@noble/curves/modular';
+import { secp256k1 } from '@noble/curves/secp256k1';
-import { weierstrass } from '@noble/curves/weierstrass';
+
+const key = secp256k1.utils.randomPrivateKey();
+const pub = secp256k1.getPublicKey(key);
+const msg = new Uint8Array(32).fill(1);
+const sig = secp256k1.sign(msg, key);
+secp256k1.verify(sig, msg, pub) === true;
+sig.recoverPublicKey(msg) === pub;
+const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
+const shared = secp256k1.getSharedSecret(key, someonesPub);
+```
+
+To define a custom curve with the same functionality:
+
+```ts
+import { Fp } from '@noble/curves/abstract/modular';
+import { weierstrass } from '@noble/curves/abstract/weierstrass';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
@@ -65,16 +80,8 @@ const secp256k1 = weierstrass({
   Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
   hash: sha256,
   hmac: (k: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs)),
+  randomBytes
 });
-
-const key = secp256k1.utils.randomPrivateKey();
-const pub = secp256k1.getPublicKey(key);
-const msg = randomBytes(32);
-const sig = secp256k1.sign(msg, key);
-secp256k1.verify(sig, msg, pub) === true;
-sig.recoverPublicKey(msg) === pub;
-const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
-const shared = secp256k1.getSharedSecret(key, someonesPub);
 ```
 
 ## API

curve-definitions/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2022 Paul Miller (https://paulmillr.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the “Software”), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

curve-definitions/README.md

@@ -1,13 +0,0 @@
-# micro-curve-definitions
-
-Elliptic curves implementations. `@noble/curves` is zero-dependency library for internal arithmetics.
-
-## Usage
-
-```sh
-npm install micro-curve-definitions
-```
-
-## License
-
-MIT (c) Paul Miller [(https://paulmillr.com)](https://paulmillr.com), see LICENSE file.

curve-definitions/package.json

@@ -1,58 +0,0 @@
-{
-  "name": "micro-curve-definitions",
-  "version": "0.4.0",
-  "description": "Curve definitions for @noble/curves",
-  "files": [
-    "lib"
-  ],
-  "main": "lib/index.js",
-  "module": "lib/index.js",
-  "types": "lib/index.d.ts",
-  "dependencies": {
-    "@noble/curves": "file:..",
-    "@noble/hashes": "1.1.5"
-  },
-  "devDependencies": {
-    "@scure/base": "~1.1.0",
-    "@scure/bip32": "^1.1.1",
-    "@scure/bip39": "^1.1.0",
-    "@types/node": "18.11.3",
-    "fast-check": "3.0.0",
-    "micro-should": "0.2.0",
-    "prettier": "2.6.2",
-    "typescript": "4.7.3"
-  },
-  "author": "Paul Miller (https://paulmillr.com)",
-  "license": "MIT",
-  "homepage": "https://github.com/paulmillr/noble-curves",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/paulmillr/noble-curves.git"
-  },
-  "scripts": {
-    "build": "tsc && tsc -p tsconfig.esm.json",
-    "lint": "prettier --check src",
-    "test": "node test/index.test.js"
-  },
-  "keywords": [
-    "secp192r1",
-    "secp224r1",
-    "secp256r1",
-    "secp384r1",
-    "secp521r1",
-    "NIST P192",
-    "NIST P224",
-    "NIST P256",
-    "NIST P384",
-    "NIST P521",
-    "NIST curves",
-    "EC",
-    "elliptic curves"
-  ],
-  "funding": [
-    {
-      "type": "individual",
-      "url": "https://paulmillr.com/funding/"
-    }
-  ]
-}

curve-definitions/test/hashToCurve.test.js

@@ -1,109 +0,0 @@
-import { deepStrictEqual } from 'assert';
-import { should } from 'micro-should';
-import { bytesToHex } from '@noble/hashes/utils';
-// Generic tests for all curves in package
-import { sha256 } from '@noble/hashes/sha256';
-import { sha512 } from '@noble/hashes/sha512';
-import { secp256r1 } from '../lib/p256.js';
-import { secp384r1 } from '../lib/p384.js';
-import { secp521r1 } from '../lib/p521.js';
-import { secp256k1 } from '../lib/secp256k1.js';
-import { bls12_381 } from '../lib/bls12-381.js';
-import { ed25519 } from '../lib/ed25519.js';
-import { ed448 } from '../lib/ed448.js';
-import { stringToBytes, expand_message_xmd } from '@noble/curves/hashToCurve';
-
-import { default as xmd_sha256_38 } from './hashToCurve/expand_message_xmd_SHA256_38.json' assert { type: 'json' };
-import { default as xmd_sha256_256 } from './hashToCurve/expand_message_xmd_SHA256_256.json' assert { type: 'json' };
-import { default as xmd_sha512_38 } from './hashToCurve/expand_message_xmd_SHA512_38.json' assert { type: 'json' };
-// P256
-import { default as p256_ro } from './hashToCurve/P256_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
-import { default as p256_nu } from './hashToCurve/P256_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
-// P384
-import { default as p384_ro } from './hashToCurve/P384_XMD:SHA-384_SSWU_RO_.json' assert { type: 'json' };
-import { default as p384_nu } from './hashToCurve/P384_XMD:SHA-384_SSWU_NU_.json' assert { type: 'json' };
-// P521
-import { default as p521_ro } from './hashToCurve/P521_XMD:SHA-512_SSWU_RO_.json' assert { type: 'json' };
-import { default as p521_nu } from './hashToCurve/P521_XMD:SHA-512_SSWU_NU_.json' assert { type: 'json' };
-// secp256k1
-import { default as secp256k1_ro } from './hashToCurve/secp256k1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
-import { default as secp256k1_nu } from './hashToCurve/secp256k1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
-// bls-G1
-import { default as g1_ro } from './hashToCurve/BLS12381G1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
-import { default as g1_nu } from './hashToCurve/BLS12381G1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
-// bls-G2
-import { default as g2_ro } from './hashToCurve/BLS12381G2_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
-import { default as g2_nu } from './hashToCurve/BLS12381G2_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
-// ed25519
-import { default as ed25519_ro } from './hashToCurve/edwards25519_XMD:SHA-512_ELL2_RO_.json' assert { type: 'json' };
-import { default as ed25519_nu } from './hashToCurve/edwards25519_XMD:SHA-512_ELL2_NU_.json' assert { type: 'json' };
-// ed448
-import { default as ed448_ro } from './hashToCurve/edwards448_XOF:SHAKE256_ELL2_RO_.json' assert { type: 'json' };
-import { default as ed448_nu } from './hashToCurve/edwards448_XOF:SHAKE256_ELL2_NU_.json' assert { type: 'json' };
-
-function testExpandXMD(hash, vectors) {
-  for (let i = 0; i < vectors.tests.length; i++) {
-    const t = vectors.tests[i];
-    should(`expand_message_xmd/${vectors.hash}/${vectors.DST.length}/${i}`, () => {
-      const p = expand_message_xmd(
-        stringToBytes(t.msg),
-        stringToBytes(vectors.DST),
-        t.len_in_bytes,
-        hash
-      );
-      deepStrictEqual(bytesToHex(p), t.uniform_bytes);
-    });
-  }
-}
-
-testExpandXMD(sha256, xmd_sha256_38);
-testExpandXMD(sha256, xmd_sha256_256);
-testExpandXMD(sha512, xmd_sha512_38);
-
-function stringToFp(s) {
-  // bls-G2 support
-  if (s.includes(',')) {
-    const [c0, c1] = s.split(',').map(BigInt);
-    return { c0, c1 };
-  }
-  return BigInt(s);
-}
-
-function testCurve(curve, ro, nu) {
-  for (let i = 0; i < ro.vectors.length; i++) {
-    const t = ro.vectors[i];
-    should(`${ro.curve}/${ro.ciphersuite}(${i})`, () => {
-      const p = curve.Point.hashToCurve(stringToBytes(t.msg), {
-        DST: ro.dst,
-      });
-      deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
-      deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
-    });
-  }
-  for (let i = 0; i < nu.vectors.length; i++) {
-    const t = nu.vectors[i];
-    should(`${nu.curve}/${nu.ciphersuite}(${i})`, () => {
-      const p = curve.Point.encodeToCurve(stringToBytes(t.msg), {
-        DST: nu.dst,
-      });
-      deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
-      deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
-    });
-  }
-}
-
-testCurve(secp256r1, p256_ro, p256_nu);
-testCurve(secp384r1, p384_ro, p384_nu);
-testCurve(secp521r1, p521_ro, p521_nu);
-// TODO: remove same tests from bls12
-testCurve(bls12_381.G1, g1_ro, g1_nu);
-testCurve(bls12_381.G2, g2_ro, g2_nu);
-testCurve(secp256k1, secp256k1_ro, secp256k1_nu);
-//testCurve(ed25519, ed25519_ro, ed25519_nu);
-//testCurve(ed448, ed448_ro, ed448_nu);
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/package.json

@@ -1,7 +0,0 @@
-{
-  "type": "module",
-  "browser": {
-    "crypto": false,
-    "./crypto": "./esm/cryptoBrowser.js"
-  }
-}

curve-definitions/tsconfig.esm.json

@@ -1,25 +0,0 @@
-{
-  "compilerOptions": {
-    "strict": true,
-    "declaration": true,
-    "declarationMap": true,
-    "target": "es2020",
-    "lib": [
-      "es2020",
-      "dom"
-    ],
-    "module": "es6",
-    "moduleResolution": "node16",
-    "outDir": "lib/esm",
-    "noImplicitAny": true,
-    "preserveConstEnums": true,
-    "baseUrl": ".",
-  },
-  "include": [
-    "src",
-  ],
-  "exclude": [
-    "node_modules",
-    "lib"
-  ]
-}

curve-definitions/tsconfig.json

@@ -1,25 +0,0 @@
-{
-  "compilerOptions": {
-    "strict": true,
-    "declaration": true,
-    "declarationMap": true,
-    "target": "es2020",
-    "lib": [
-      "es2020",
-      "dom"
-    ],
-    "module": "commonjs",
-    "moduleResolution": "node16",
-    "outDir": "lib",
-    "noImplicitAny": true,
-    "preserveConstEnums": true,
-    "baseUrl": ".",
-  },
-  "include": [
-    "src",
-  ],
-  "exclude": [
-    "node_modules",
-    "lib"
-  ]
-}

package.json

@@ -1,19 +1,19 @@
 {
   "name": "@noble/curves",
   "version": "0.4.0",
-  "description": "Minimal, zero-dependency JS implementation of elliptic curve cryptography",
+  "description": "Minimal, auditable JS implementation of elliptic curve cryptography",
   "files": [
     "index.js",
     "lib",
     "lib/esm"
   ],
   "scripts": {
-    "bench": "node curve-definitions/benchmark/index.js",
+    "bench": "node benchmark/index.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
     "build:release": "rollup -c rollup.config.js",
-    "lint": "prettier --check 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
-    "format": "prettier --write 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "format": "prettier --write 'src/**/*.{js,ts}' 'test/*.js'",
-    "test": "cd curve-definitions; node test/index.test.js"
+    "test": "node test/index.test.js"
   },
   "author": "Paul Miller (https://paulmillr.com)",
   "homepage": "https://paulmillr.com/noble/",
@@ -22,8 +22,16 @@
     "url": "https://github.com/paulmillr/noble-curves.git"
   },
   "license": "MIT",
+  "dependencies": {
+    "@noble/hashes": "~1.1.5"
+  },
   "devDependencies": {
     "@rollup/plugin-node-resolve": "13.3.0",
+    "@scure/base": "~1.1.1",
+    "@scure/bip32": "~1.1.1",
+    "@scure/bip39": "~1.1.0",
+    "@types/node": "18.11.3",
+    "fast-check": "3.0.0",
     "micro-bmark": "0.2.0",
     "micro-should": "0.2.0",
     "prettier": "2.6.2",
@@ -32,55 +40,137 @@
   },
   "main": "index.js",
   "exports": {
-    "./edwards": {
+    "./abstract/edwards": {
-      "types": "./lib/edwards.d.ts",
+      "types": "./lib/abstract/edwards.d.ts",
-      "import": "./lib/esm/edwards.js",
+      "import": "./lib/esm/abstract/edwards.js",
-      "default": "./lib/edwards.js"
+      "default": "./lib/abstract/edwards.js"
     },
-    "./modular": {
+    "./abstract/modular": {
-      "types": "./lib/modular.d.ts",
+      "types": "./lib/abstract/modular.d.ts",
-      "import": "./lib/esm/modular.js",
+      "import": "./lib/esm/abstract/modular.js",
-      "default": "./lib/modular.js"
+      "default": "./lib/abstract/modular.js"
     },
-    "./montgomery": {
+    "./abstract/montgomery": {
-      "types": "./lib/montgomery.d.ts",
+      "types": "./lib/abstract/montgomery.d.ts",
-      "import": "./lib/esm/montgomery.js",
+      "import": "./lib/esm/abstract/montgomery.js",
-      "default": "./lib/montgomery.js"
+      "default": "./lib/abstract/montgomery.js"
     },
-    "./weierstrass": {
+    "./abstract/weierstrass": {
-      "types": "./lib/weierstrass.d.ts",
+      "types": "./lib/abstract/weierstrass.d.ts",
-      "import": "./lib/esm/weierstrass.js",
+      "import": "./lib/esm/abstract/weierstrass.js",
-      "default": "./lib/weierstrass.js"
+      "default": "./lib/abstract/weierstrass.js"
     },
-    "./bls": {
+    "./abstract/bls": {
-      "types": "./lib/bls.d.ts",
+      "types": "./lib/abstract/bls.d.ts",
-      "import": "./lib/esm/bls.js",
+      "import": "./lib/esm/abstract/bls.js",
-      "default": "./lib/bls.js"
+      "default": "./lib/abstract/bls.js"
     },
-    "./hashToCurve": {
+    "./abstract/hash-to-curve": {
-      "types": "./lib/hashToCurve.d.ts",
+      "types": "./lib/abstract/hash-to-curve.d.ts",
-      "import": "./lib/esm/hashToCurve.js",
+      "import": "./lib/esm/abstract/hash-to-curve.js",
-      "default": "./lib/hashToCurve.js"
+      "default": "./lib/abstract/hash-to-curve.js"
     },
-    "./group": {
+    "./abstract/group": {
-      "types": "./lib/group.d.ts",
+      "types": "./lib/abstract/group.d.ts",
-      "import": "./lib/esm/group.js",
+      "import": "./lib/esm/abstract/group.js",
-      "default": "./lib/group.js"
+      "default": "./lib/abstract/group.js"
     },
-    "./utils": {
+    "./abstract/utils": {
-      "types": "./lib/utils.d.ts",
+      "types": "./lib/abstract/utils.d.ts",
-      "import": "./lib/esm/utils.js",
+      "import": "./lib/esm/abstract/utils.js",
-      "default": "./lib/utils.js"
+      "default": "./lib/abstract/utils.js"
+    },
+    "./_shortw_utils": {
+      "types": "./lib/_shortw_utils.d.ts",
+      "import": "./lib/esm/_shortw_utils.js",
+      "default": "./lib/_shortw_utils.js"
+    },
+    "./bls12-381": {
+      "types": "./lib/bls12-381.d.ts",
+      "import": "./lib/esm/bls12-381.js",
+      "default": "./lib/bls12-381.js"
+    },
+    "./bn": {
+      "types": "./lib/bn.d.ts",
+      "import": "./lib/esm/bn.js",
+      "default": "./lib/bn.js"
+    },
+    "./ed25519": {
+      "types": "./lib/ed25519.d.ts",
+      "import": "./lib/esm/ed25519.js",
+      "default": "./lib/ed25519.js"
+    },
+    "./ed448": {
+      "types": "./lib/ed448.d.ts",
+      "import": "./lib/esm/ed448.js",
+      "default": "./lib/ed448.js"
+    },
+    "./index": {
+      "types": "./lib/index.d.ts",
+      "import": "./lib/esm/index.js",
+      "default": "./lib/index.js"
+    },
+    "./jubjub": {
+      "types": "./lib/jubjub.d.ts",
+      "import": "./lib/esm/jubjub.js",
+      "default": "./lib/jubjub.js"
+    },
+    "./p192": {
+      "types": "./lib/p192.d.ts",
+      "import": "./lib/esm/p192.js",
+      "default": "./lib/p192.js"
+    },
+    "./p224": {
+      "types": "./lib/p224.d.ts",
+      "import": "./lib/esm/p224.js",
+      "default": "./lib/p224.js"
+    },
+    "./p256": {
+      "types": "./lib/p256.d.ts",
+      "import": "./lib/esm/p256.js",
+      "default": "./lib/p256.js"
+    },
+    "./p384": {
+      "types": "./lib/p384.d.ts",
+      "import": "./lib/esm/p384.js",
+      "default": "./lib/p384.js"
+    },
+    "./p521": {
+      "types": "./lib/p521.d.ts",
+      "import": "./lib/esm/p521.js",
+      "default": "./lib/p521.js"
+    },
+    "./pasta": {
+      "types": "./lib/pasta.d.ts",
+      "import": "./lib/esm/pasta.js",
+      "default": "./lib/pasta.js"
+    },
+    "./secp256k1": {
+      "types": "./lib/secp256k1.d.ts",
+      "import": "./lib/esm/secp256k1.js",
+      "default": "./lib/secp256k1.js"
+    },
+    "./stark": {
+      "types": "./lib/stark.d.ts",
+      "import": "./lib/esm/stark.js",
+      "default": "./lib/stark.js"
     }
   },
   "keywords": [
     "elliptic",
     "curve",
     "cryptography",
-    "hyperelliptic",
+    "weierstrass",
+    "montgomery",
+    "edwards",
     "p256",
     "p384",
     "p521",
+    "secp256r1",
+    "secp256k1",
+    "bls12-381",
+    "bn254",
+    "bls",
     "nist",
     "ecc",
     "ecdsa",

src/_shortw_utils.ts

@@ -1,7 +1,8 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { weierstrass, CurveType } from '@noble/curves/weierstrass';
+import { weierstrass, CurveType } from './abstract/weierstrass.js';
-import { CHash } from '@noble/curves/utils';
+import { CHash } from './abstract/utils.js';
 
 export function getHash(hash: CHash) {
   return {

src/abstract/bls.ts

@@ -7,7 +7,7 @@ import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from '.
 import * as utils from './utils.js';
 // Types
 import { hexToBytes, bytesToHex, Hex, PrivKey } from './utils.js';
-import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
 import { CurvePointsType, PointType, CurvePointsRes, weierstrassPoints } from './weierstrass.js';
 
 type Fp = bigint; // Can be different field?

src/abstract/edwards.ts

@@ -23,7 +23,7 @@ import {
   PrivKey,
 } from './utils.js'; // TODO: import * as u from './utils.js'?
 import { Group, GroupConstructor, wNAF } from './group.js';
-import { hash_to_field, htfOpts, validateHTFOpts } from './hashToCurve.js';
+import { hash_to_field, htfOpts, validateHTFOpts } from './hash-to-curve.js';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);

src/abstract/weierstrass.ts

@@ -23,7 +23,7 @@ import {
   PrivKey,
 } from './utils.js';
 import * as utils from './utils.js';
-import { hash_to_field, htfOpts, validateHTFOpts } from './hashToCurve.js';
+import { hash_to_field, htfOpts, validateHTFOpts } from './hash-to-curve.js';
 import { Group, GroupConstructor, wNAF } from './group.js';
 
 type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;

src/bls12-381.ts

@@ -1,7 +1,8 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
-import { bls, CurveFn } from '@noble/curves/bls';
+import { bls, CurveFn } from './abstract/bls.js';
-import * as mod from '@noble/curves/modular';
+import * as mod from './abstract/modular.js';
 import {
   concatBytes,
   ensureBytes,
@@ -12,15 +13,15 @@ import {
   bitGet,
   Hex,
   bitMask,
-} from '@noble/curves/utils';
+} from './abstract/utils.js';
 // Types
 import {
   PointType,
   ProjectivePointType,
   ProjectiveConstructor,
   mapToCurveSimpleSWU,
-} from '@noble/curves/weierstrass';
+} from './abstract/weierstrass.js';
-import { isogenyMap } from '@noble/curves/hashToCurve';
+import { isogenyMap } from './abstract/hash-to-curve.js';
 
 // Differences from bls12-381:
 // - PointG1 -> G1.Point
@@ -202,14 +203,14 @@ const FP2_FROBENIUS_COEFFICIENTS = [
 // For Fp2 roots of unity.
 const rv1 =
   0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09n;
-const ev1 =
+// const ev1 =
-  0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90n;
+//   0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90n;
-const ev2 =
+// const ev2 =
-  0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5n;
+//   0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5n;
-const ev3 =
+// const ev3 =
-  0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17n;
+//   0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17n;
-const ev4 =
+// const ev4 =
-  0xaa404866706722864480885d68ad0ccac1967c7544b447873cc37e0181271e006df72162a3d3e0287bf597fbf7f8fc1n;
+//   0xaa404866706722864480885d68ad0ccac1967c7544b447873cc37e0181271e006df72162a3d3e0287bf597fbf7f8fc1n;
 
 // Eighth roots of unity, used for computing square roots in Fp2.
 // To verify or re-calculate:
@@ -225,12 +226,12 @@ const FP2_ROOTS_OF_UNITY = [
   [-rv1, -rv1],
 ].map((pair) => Fp2.fromBigTuple(pair));
 // eta values, used for computing sqrt(g(X1(t)))
-const FP2_ETAs = [
+// const FP2_ETAs = [
-  [ev1, ev2],
+//   [ev1, ev2],
-  [-ev2, ev1],
+//   [-ev2, ev1],
-  [ev3, ev4],
+//   [ev3, ev4],
-  [-ev4, ev3],
+//   [-ev4, ev3],
-].map((pair) => Fp2.fromBigTuple(pair));
+// ].map((pair) => Fp2.fromBigTuple(pair));
 
 // Finite extension field over irreducible polynominal.
 // Fp2(v) / (v³ - ξ) where ξ = u + 1

src/bn.ts

@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { weierstrass } from '@noble/curves/weierstrass';
+import { weierstrass } from './abstract/weierstrass.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { getHash } from './_shortw_utils.js';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 /**
  * bn254 pairing-friendly curve.
  * Previously known as alt_bn_128, when it had 128-bit security.

src/ed25519.ts

@@ -1,9 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { twistedEdwards, ExtendedPointType } from '@noble/curves/edwards';
+import { twistedEdwards, ExtendedPointType } from './abstract/edwards.js';
-import { montgomery } from '@noble/curves/montgomery';
+import { montgomery } from './abstract/montgomery.js';
-import { mod, pow2, isNegativeLE, Fp as Field } from '@noble/curves/modular';
+import { mod, pow2, isNegativeLE, Fp as Field } from './abstract/modular.js';
 import {
   ensureBytes,
   equalBytes,
@@ -11,7 +11,7 @@ import {
   bytesToNumberLE,
   numberToBytesLE,
   Hex,
-} from '@noble/curves/utils';
+} from './abstract/utils.js';
 
 /**
  * ed25519 Twisted Edwards curve with following addons:

src/ed448.ts

@@ -1,9 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
-import { twistedEdwards } from '@noble/curves/edwards';
+import { twistedEdwards } from './abstract/edwards.js';
-import { mod, pow2, Fp } from '@noble/curves/modular';
+import { mod, pow2, Fp } from './abstract/modular.js';
-import { montgomery } from '@noble/curves/montgomery';
+import { montgomery } from './abstract/montgomery.js';
 
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:

src/jubjub.ts

@@ -1,9 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { twistedEdwards } from '@noble/curves/edwards';
+import { twistedEdwards } from './abstract/edwards.js';
 import { blake2s } from '@noble/hashes/blake2s';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 
 /**
  * jubjub Twisted Edwards curve.

src/p192.ts

@@ -1,7 +1,7 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 
 // NIST secp192r1 aka P192
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1

src/p224.ts

@@ -1,7 +1,7 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha224 } from '@noble/hashes/sha256';
-import { Fp } from '@noble/curves/modular';
+import { Fp } from './abstract/modular.js';
 
 // NIST secp224r1 aka P224
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-224

src/p256.ts

@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
-import { Fp as Field } from '@noble/curves/modular';
+import { Fp as Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from '@noble/curves/weierstrass';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256

src/p384.ts

@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
-import { Fp as Field } from '@noble/curves/modular';
+import { Fp as Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from '@noble/curves/weierstrass';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384

src/p521.ts

@@ -1,9 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { createCurve } from './_shortw_utils.js';
 import { sha512 } from '@noble/hashes/sha512';
-import { bytesToHex, PrivKey } from '@noble/curves/utils';
+import { bytesToHex, PrivKey } from './abstract/utils.js';
-import { Fp as Field } from '@noble/curves/modular';
+import { Fp as Field } from './abstract/modular.js';
-import { mapToCurveSimpleSWU } from '@noble/curves/weierstrass';
+import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.

src/pasta.ts

@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
-import { weierstrass } from '@noble/curves/weierstrass';
+import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
-import * as mod from '@noble/curves/modular';
+import * as mod from './abstract/modular.js';
 
 export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
 export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');

src/secp256k1.ts

@@ -1,8 +1,8 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
-import { Fp as Field, mod, pow2 } from '@noble/curves/modular';
+import { Fp as Field, mod, pow2 } from './abstract/modular.js';
 import { createCurve } from './_shortw_utils.js';
-import { PointType, mapToCurveSimpleSWU } from '@noble/curves/weierstrass';
+import { PointType, mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import {
   ensureBytes,
   concatBytes,
@@ -10,9 +10,9 @@ import {
   hexToBytes,
   bytesToNumberBE,
   PrivKey,
-} from '@noble/curves/utils';
+} from './abstract/utils.js';
 import { randomBytes } from '@noble/hashes/utils';
-import { isogenyMap } from '@noble/curves/hashToCurve';
+import { isogenyMap } from './abstract/hash-to-curve.js';
 
 /**
  * secp256k1 belongs to Koblitz curves: it has

src/stark.ts

@@ -1,11 +1,9 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { keccak_256 } from '@noble/hashes/sha3';
 import { sha256 } from '@noble/hashes/sha256';
-import { hmac } from '@noble/hashes/hmac';
+import { weierstrass, ProjectivePointType } from './abstract/weierstrass.js';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
+import * as cutils from './abstract/utils.js';
-import { weierstrass, ProjectivePointType } from '@noble/curves/weierstrass';
+import { Fp } from './abstract/modular.js';
-import * as cutils from '@noble/curves/utils';
-import { Fp } from '@noble/curves/modular';
 import { getHash } from './_shortw_utils.js';
 
 type ProjectivePoint = ProjectivePointType<bigint>;

test/basic.test.js

@@ -1,21 +1,20 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
-import * as mod from '@noble/curves/modular';
+import * as mod from '../lib/esm/abstract/modular.js';
-import { randomBytes } from '@noble/hashes/utils';
 // Generic tests for all curves in package
-import { secp192r1 } from '../lib/p192.js';
+import { secp192r1 } from '../lib/esm/p192.js';
-import { secp224r1 } from '../lib/p224.js';
+import { secp224r1 } from '../lib/esm/p224.js';
-import { secp256r1 } from '../lib/p256.js';
+import { secp256r1 } from '../lib/esm/p256.js';
-import { secp384r1 } from '../lib/p384.js';
+import { secp384r1 } from '../lib/esm/p384.js';
-import { secp521r1 } from '../lib/p521.js';
+import { secp521r1 } from '../lib/esm/p521.js';
-import { secp256k1 } from '../lib/secp256k1.js';
+import { secp256k1 } from '../lib/esm/secp256k1.js';
-import { ed25519, ed25519ctx, ed25519ph } from '../lib/ed25519.js';
+import { ed25519, ed25519ctx, ed25519ph } from '../lib/esm/ed25519.js';
-import { ed448, ed448ph } from '../lib/ed448.js';
+import { ed448, ed448ph } from '../lib/esm/ed448.js';
-import { starkCurve } from '../lib/stark.js';
+import { starkCurve } from '../lib/esm/stark.js';
-import { pallas, vesta } from '../lib/pasta.js';
+import { pallas, vesta } from '../lib/esm/pasta.js';
-import { bn254 } from '../lib/bn.js';
+import { bn254 } from '../lib/esm/bn.js';
-import { jubjub } from '../lib/jubjub.js';
+import { jubjub } from '../lib/esm/jubjub.js';
 
 // prettier-ignore
 const CURVES = {

test/bls12-381.test.js

@@ -1,4 +1,4 @@
-import { bls12_381 } from '../lib/bls12-381.js';
+import { bls12_381 } from '../lib/esm/bls12-381.js';
 import { should } from 'micro-should';
 import { deepStrictEqual, notDeepStrictEqual, throws } from 'assert';
 import { sha512 } from '@noble/hashes/sha512';
@@ -6,7 +6,7 @@ import * as fc from 'fast-check';
 import { readFileSync } from 'fs';
 import zkVectors from './bls12-381/zkcrypto/converted.json' assert { type: 'json' };
 import pairingVectors from './bls12-381/go_pairing_vectors/pairing.json' assert { type: 'json' };
-import { wNAF } from '@noble/curves/group';
+import { wNAF } from '../lib/esm/abstract/group.js';
 const bls = bls12_381;
 const { Fp2 } = bls;
 

test/ed25519.test.js

@@ -1,11 +1,11 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
-import { ed25519, ed25519ctx, ed25519ph, x25519, RistrettoPoint } from '../lib/ed25519.js';
+import { ed25519, ed25519ctx, ed25519ph, x25519, RistrettoPoint } from '../lib/esm/ed25519.js';
 import { readFileSync } from 'fs';
 import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
-import { numberToBytesLE } from '@noble/curves/utils';
+import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
 import { sha512 } from '@noble/hashes/sha512';
 import { default as ed25519vectors } from './wycheproof/eddsa_test.json' assert { type: 'json' };
 import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };

test/ed448.test.js

@@ -1,9 +1,9 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
 import * as fc from 'fast-check';
-import { ed448, ed448ph, x448 } from '../lib/ed448.js';
+import { ed448, ed448ph, x448 } from '../lib/esm/ed448.js';
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
-import { numberToBytesLE } from '@noble/curves/utils';
+import { numberToBytesLE } from '../lib/esm/abstract/utils.js';
 import { default as ed448vectors } from './wycheproof/ed448_test.json' assert { type: 'json' };
 import { default as x448vectors } from './wycheproof/x448_test.json' assert { type: 'json' };
 

test/hash-to-curve.test.js

@@ -0,0 +1,107 @@
+import { deepStrictEqual } from 'assert';
+import { should } from 'micro-should';
+import { bytesToHex } from '@noble/hashes/utils';
+// Generic tests for all curves in package
+import { sha256 } from '@noble/hashes/sha256';
+import { sha512 } from '@noble/hashes/sha512';
+import { secp256r1 } from '../lib/esm/p256.js';
+import { secp384r1 } from '../lib/esm/p384.js';
+import { secp521r1 } from '../lib/esm/p521.js';
+import { secp256k1 } from '../lib/esm/secp256k1.js';
+import { bls12_381 } from '../lib/esm/bls12-381.js';
+import { stringToBytes, expand_message_xmd } from '../lib/esm/abstract/hash-to-curve.js';
+
+import { default as xmd_sha256_38 } from './hash-to-curve/expand_message_xmd_SHA256_38.json' assert { type: 'json' };
+import { default as xmd_sha256_256 } from './hash-to-curve/expand_message_xmd_SHA256_256.json' assert { type: 'json' };
+import { default as xmd_sha512_38 } from './hash-to-curve/expand_message_xmd_SHA512_38.json' assert { type: 'json' };
+// P256
+import { default as p256_ro } from './hash-to-curve/P256_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
+import { default as p256_nu } from './hash-to-curve/P256_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
+// P384
+import { default as p384_ro } from './hash-to-curve/P384_XMD:SHA-384_SSWU_RO_.json' assert { type: 'json' };
+import { default as p384_nu } from './hash-to-curve/P384_XMD:SHA-384_SSWU_NU_.json' assert { type: 'json' };
+// P521
+import { default as p521_ro } from './hash-to-curve/P521_XMD:SHA-512_SSWU_RO_.json' assert { type: 'json' };
+import { default as p521_nu } from './hash-to-curve/P521_XMD:SHA-512_SSWU_NU_.json' assert { type: 'json' };
+// secp256k1
+import { default as secp256k1_ro } from './hash-to-curve/secp256k1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
+import { default as secp256k1_nu } from './hash-to-curve/secp256k1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
+// bls-G1
+import { default as g1_ro } from './hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
+import { default as g1_nu } from './hash-to-curve/BLS12381G1_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
+// bls-G2
+import { default as g2_ro } from './hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_RO_.json' assert { type: 'json' };
+import { default as g2_nu } from './hash-to-curve/BLS12381G2_XMD:SHA-256_SSWU_NU_.json' assert { type: 'json' };
+// ed25519
+import { default as ed25519_ro } from './hash-to-curve/edwards25519_XMD:SHA-512_ELL2_RO_.json' assert { type: 'json' };
+import { default as ed25519_nu } from './hash-to-curve/edwards25519_XMD:SHA-512_ELL2_NU_.json' assert { type: 'json' };
+// ed448
+import { default as ed448_ro } from './hash-to-curve/edwards448_XOF:SHAKE256_ELL2_RO_.json' assert { type: 'json' };
+import { default as ed448_nu } from './hash-to-curve/edwards448_XOF:SHAKE256_ELL2_NU_.json' assert { type: 'json' };
+
+function testExpandXMD(hash, vectors) {
+  for (let i = 0; i < vectors.tests.length; i++) {
+    const t = vectors.tests[i];
+    should(`expand_message_xmd/${vectors.hash}/${vectors.DST.length}/${i}`, () => {
+      const p = expand_message_xmd(
+        stringToBytes(t.msg),
+        stringToBytes(vectors.DST),
+        t.len_in_bytes,
+        hash
+      );
+      deepStrictEqual(bytesToHex(p), t.uniform_bytes);
+    });
+  }
+}
+
+testExpandXMD(sha256, xmd_sha256_38);
+testExpandXMD(sha256, xmd_sha256_256);
+testExpandXMD(sha512, xmd_sha512_38);
+
+function stringToFp(s) {
+  // bls-G2 support
+  if (s.includes(',')) {
+    const [c0, c1] = s.split(',').map(BigInt);
+    return { c0, c1 };
+  }
+  return BigInt(s);
+}
+
+function testCurve(curve, ro, nu) {
+  for (let i = 0; i < ro.vectors.length; i++) {
+    const t = ro.vectors[i];
+    should(`${ro.curve}/${ro.ciphersuite}(${i})`, () => {
+      const p = curve.Point.hashToCurve(stringToBytes(t.msg), {
+        DST: ro.dst,
+      });
+      deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
+      deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
+    });
+  }
+  for (let i = 0; i < nu.vectors.length; i++) {
+    const t = nu.vectors[i];
+    should(`${nu.curve}/${nu.ciphersuite}(${i})`, () => {
+      const p = curve.Point.encodeToCurve(stringToBytes(t.msg), {
+        DST: nu.dst,
+      });
+      deepStrictEqual(p.x, stringToFp(t.P.x), 'Px');
+      deepStrictEqual(p.y, stringToFp(t.P.y), 'Py');
+    });
+  }
+}
+
+testCurve(secp256r1, p256_ro, p256_nu);
+testCurve(secp384r1, p384_ro, p384_nu);
+testCurve(secp521r1, p521_ro, p521_nu);
+// TODO: remove same tests from bls12
+testCurve(bls12_381.G1, g1_ro, g1_nu);
+testCurve(bls12_381.G2, g2_ro, g2_nu);
+testCurve(secp256k1, secp256k1_ro, secp256k1_nu);
+//testCurve(ed25519, ed25519_ro, ed25519_nu);
+//testCurve(ed448, ed448_ro, ed448_nu);
+
+// ESM is broken.
+import url from 'url';
+if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
+  should.run();
+}

test/index.test.js

@@ -9,6 +9,6 @@ import './secp256k1.test.js';
 import './stark/stark.test.js';
 import './jubjub.test.js';
 import './bls12-381.test.js';
-import './hashToCurve.test.js';
+import './hash-to-curve.test.js';
 
 should.run();

test/jubjub.test.js

@@ -1,4 +1,4 @@
-import { jubjub, findGroupHash } from '../lib/jubjub.js';
+import { jubjub, findGroupHash } from '../lib/esm/jubjub.js';
 import { should } from 'micro-should';
 import { deepStrictEqual, throws } from 'assert';
 import { hexToBytes, bytesToHex } from '@noble/hashes/utils';

test/nist.test.js

@@ -1,12 +1,12 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
-import { secp192r1, P192 } from '../lib/p192.js';
+import { secp192r1, P192 } from '../lib/esm/p192.js';
-import { secp224r1, P224 } from '../lib/p224.js';
+import { secp224r1, P224 } from '../lib/esm/p224.js';
-import { secp256r1, P256 } from '../lib/p256.js';
+import { secp256r1, P256 } from '../lib/esm/p256.js';
-import { secp384r1, P384 } from '../lib/p384.js';
+import { secp384r1, P384 } from '../lib/esm/p384.js';
-import { secp521r1, P521 } from '../lib/p521.js';
+import { secp521r1, P521 } from '../lib/esm/p521.js';
-import { secp256k1 } from '../lib/secp256k1.js';
+import { secp256k1 } from '../lib/esm/secp256k1.js';
-import { hexToBytes, bytesToHex } from '@noble/curves/utils';
+import { hexToBytes, bytesToHex } from '../lib/esm/abstract/utils.js';
 import { default as ecdsa } from './wycheproof/ecdsa_test.json' assert { type: 'json' };
 import { default as ecdh } from './wycheproof/ecdh_test.json' assert { type: 'json' };
 import { default as rfc6979 } from './fixtures/rfc6979.json' assert { type: 'json' };

test/secp256k1.test.js

@@ -1,5 +1,5 @@
 import * as fc from 'fast-check';
-import { secp256k1, schnorr } from '../lib/secp256k1.js';
+import { secp256k1, schnorr } from '../lib/esm/secp256k1.js';
 import { readFileSync } from 'fs';
 import { default as ecdsa } from './vectors/ecdsa.json' assert { type: 'json' };
 import { default as ecdh } from './vectors/ecdh.json' assert { type: 'json' };

test/stark/basic.test.js

@@ -1,6 +1,6 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
-import * as starknet from '../../lib/stark.js';
+import * as starknet from '../../lib/esm/stark.js';
 import { default as issue2 } from './fixtures/issue2.json' assert { type: 'json' };
 
 should('Basic elliptic sanity check', () => {

test/stark/benchmark/index.js

@@ -1,4 +1,4 @@
-import * as microStark from '../../../lib/stark.js';
+import * as microStark from '../../../lib/esm/stark.js';
 import * as starkwareCrypto from '@starkware-industries/starkware-crypto-utils';
 import * as bench from 'micro-bmark';
 const { run, mark } = bench; // or bench.mark

test/stark/property.test.js

@@ -1,6 +1,6 @@
 import { deepStrictEqual, throws } from 'assert';
 import { should } from 'micro-should';
-import * as starknet from '../../lib/stark.js';
+import * as starknet from '../../lib/esm/stark.js';
 import * as fc from 'fast-check';
 
 const FC_BIGINT = fc.bigInt(1n + 1n, starknet.CURVE.n - 1n);

test/stark/stark.test.js

@@ -3,7 +3,7 @@ import { should } from 'micro-should';
 import { hex, utf8 } from '@scure/base';
 import * as bip32 from '@scure/bip32';
 import * as bip39 from '@scure/bip39';
-import * as starknet from '../../lib/stark.js';
+import * as starknet from '../../lib/esm/stark.js';
 import { default as sigVec } from './fixtures/rfc6979_signature_test_vector.json' assert { type: 'json' };
 import { default as precomputedKeys } from './fixtures/keys_precomputed.json' assert { type: 'json' };