Format

Added libraries missing from the code examples.

.github/workflows/nodejs.yml

@@ -3,16 +3,18 @@ name: Node CI
 on: [push, pull_request]
 jobs:
   test:
-    name: v18 @ ubuntu-latest
+    name: v${{ matrix.node }} @ ubuntu-latest
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node: [18, 20]
     steps:
     - uses: actions/checkout@v3
     - name: Use Node.js ${{ matrix.node }}
       uses: actions/setup-node@v3
       with:
-        node-version: 18
+        node-version: ${{ matrix.node }}
     - run: npm install
     - run: npm run build --if-present
-    - run: cd curve-definitions; npm install; npm run build --if-present
     - run: npm test
     - run: npm run lint --if-present

.github/workflows/publish-npm.yml

@@ -0,0 +1,23 @@
+name: Publish Package to npm
+on:
+ release:
+   types: [created]
+jobs:
+ build:
+   runs-on: ubuntu-latest
+   permissions:
+     contents: read
+     id-token: write
+   steps:
+     - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+     - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3
+       with:
+         node-version: 20
+         registry-url: 'https://registry.npmjs.org'
+         cache: npm
+     - run: npm install -g npm
+     - run: npm ci
+     - run: npm run build
+     - run: npm publish --provenance --access public
+       env:
+         NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.gitignore

@@ -1,7 +1,9 @@
-build/
+node_modules
-node_modules/
+/*.js
-coverage/
+/esm/*.js
-/lib/**/*.js
+*.d.ts
-/lib/**/*.ts
+*.d.ts.map
-/lib/**/*.d.ts.map
+*.js.map
-/curve-definitions/lib
+/build
+/abstract
+/esm/abstract

.prettierrc.json

@@ -1,4 +1,5 @@
 {
   "printWidth": 100,
-  "singleQuote": true
+  "singleQuote": true,
+  "trailingComma": "es5"
 }

.vscode/settings.json

@@ -0,0 +1,6 @@
+{
+  "files.exclude": {
+    "*.{js,d.ts,js.map,d.ts.map}": true,
+    "esm/*.{js,d.ts,js.map,d.ts.map}": true
+  }
+}

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+See [README's Security section](./README.md#security) for detailed description of internal security practices.
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| >=1.0.0   | :white_check_mark: |
+| <1.0.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use maintainer's email specified at https://github.com/paulmillr.
+
+It's preferred that you use
+PGP key from [pgp proof](https://paulmillr.com/pgp_proof.txt) (current is [697079DA6878B89B](https://paulmillr.com/pgp_proof.txt)).
+Ensure the pgp proof page has maintainer's site/github specified.
+
+You will get an update as soon as the email is read; a "Security vulnerability" phrase in email's title would help.

audit/README.md

@@ -0,0 +1,7 @@
+# Audit
+
+All audits of the library are described in [README's Security section](../README.md#security)
+
+`2023-01-trailofbits-audit-curves.pdf` file in the directory was saved from
+[github.com/trailofbits/publications](https://github.com/trailofbits/publications).
+Check out their repo and verify checksums to ensure the PDF in this directory has not been altered.

benchmark/_shared.js

@@ -0,0 +1,7 @@
+export function generateData(curve) {
+  const priv = curve.utils.randomPrivateKey();
+  const pub = curve.getPublicKey(priv);
+  const msg = curve.utils.randomPrivateKey();
+  const sig = curve.sign(msg, priv);
+  return { priv, pub, msg, sig };
+}

benchmark/bls.js

@@ -0,0 +1,67 @@
+import { readFileSync } from 'fs';
+import { mark, run } from 'micro-bmark';
+import { bls12_381 as bls } from '../bls12-381.js';
+
+const G2_VECTORS = readFileSync('../test/bls12-381/bls12-381-g2-test-vectors.txt', 'utf-8')
+  .trim()
+  .split('\n')
+  .map((l) => l.split(':'));
+
+run(async () => {
+  console.log(`\x1b[36mbls12-381\x1b[0m`);
+  let p1, p2, sig;
+  await mark('init', 1, () => {
+    p1 =
+      bls.G1.ProjectivePoint.BASE.multiply(
+        0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4cn
+      );
+    p2 =
+      bls.G2.ProjectivePoint.BASE.multiply(
+        0x28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4dn
+      );
+    bls.pairing(p1, p2);
+  });
+  const priv = '28b90deaf189015d3a325908c5e0e4bf00f84f7e639b056ff82d7e70b6eede4c';
+  sig = bls.sign('09', priv);
+  const pubs = G2_VECTORS.map((v) => bls.getPublicKey(v[0]));
+  const sigs = G2_VECTORS.map((v) => v[2]);
+  const pub = bls.getPublicKey(priv);
+  const pub512 = pubs.slice(0, 512); // .map(bls.PointG1.fromHex)
+  const pub32 = pub512.slice(0, 32);
+  const pub128 = pub512.slice(0, 128);
+  const pub2048 = pub512.concat(pub512, pub512, pub512);
+  const sig512 = sigs.slice(0, 512); // .map(bls.PointG2.fromSignature);
+  const sig32 = sig512.slice(0, 32);
+  const sig128 = sig512.slice(0, 128);
+  const sig2048 = sig512.concat(sig512, sig512, sig512);
+  await mark('getPublicKey 1-bit', 1000, () => bls.getPublicKey('2'.padStart(64, '0')));
+  await mark('getPublicKey', 1000, () => bls.getPublicKey(priv));
+  await mark('sign', 50, () => bls.sign('09', priv));
+  await mark('verify', 50, () => bls.verify(sig, '09', pub));
+  await mark('pairing', 100, () => bls.pairing(p1, p2));
+
+  const scalars1 = Array(4096).fill(0).map(i => 2n ** 235n - BigInt(i));
+  const scalars2 = Array(4096).fill(0).map(i => 2n ** 241n + BigInt(i));
+  const points = scalars1.map(s => bls.G1.ProjectivePoint.BASE.multiply(s));
+  await mark('MSM 4096 scalars x points', 1, () => {
+    // naive approach, not using multi-scalar-multiplication
+    let sum = bls.G1.ProjectivePoint.ZERO;
+    for (let i = 0; i < 4096; i++) {
+      const scalar = scalars2[i];
+      const G1 = points[i];
+      const mutliplied = G1.multiplyUnsafe(scalar);
+      sum = sum.add(mutliplied);
+    }
+  });
+
+  await mark('aggregatePublicKeys/8', 100, () => bls.aggregatePublicKeys(pubs.slice(0, 8)));
+  await mark('aggregatePublicKeys/32', 50, () => bls.aggregatePublicKeys(pub32));
+  await mark('aggregatePublicKeys/128', 20, () => bls.aggregatePublicKeys(pub128));
+  await mark('aggregatePublicKeys/512', 10, () => bls.aggregatePublicKeys(pub512));
+  await mark('aggregatePublicKeys/2048', 5, () => bls.aggregatePublicKeys(pub2048));
+  await mark('aggregateSignatures/8', 100, () => bls.aggregateSignatures(sigs.slice(0, 8)));
+  await mark('aggregateSignatures/32', 50, () => bls.aggregateSignatures(sig32));
+  await mark('aggregateSignatures/128', 20, () => bls.aggregateSignatures(sig128));
+  await mark('aggregateSignatures/512', 10, () => bls.aggregateSignatures(sig512));
+  await mark('aggregateSignatures/2048', 5, () => bls.aggregateSignatures(sig2048));
+});

benchmark/curves.js

@@ -0,0 +1,23 @@
+import { run, mark, utils } from 'micro-bmark';
+import { generateData } from './_shared.js';
+import { p256 } from '../p256.js';
+import { p384 } from '../p384.js';
+import { p521 } from '../p521.js';
+import { ed25519 } from '../ed25519.js';
+import { ed448 } from '../ed448.js';
+
+run(async () => {
+  const RAM = false
+  for (let kv of Object.entries({ ed25519, ed448, p256, p384, p521 })) {
+    const [name, curve] = kv;
+    console.log();
+    console.log(`\x1b[36m${name}\x1b[0m`);
+    if (RAM) utils.logMem();
+    await mark('init', 1, () => curve.utils.precompute(8));
+    const d = generateData(curve);
+    await mark('getPublicKey', 5000, () => curve.getPublicKey(d.priv));
+    await mark('sign', 5000, () => curve.sign(d.msg, d.priv));
+    await mark('verify', 500, () => curve.verify(d.sig, d.msg, d.pub));
+    if (RAM) utils.logMem();
+  }
+});

benchmark/decaf448.js

@@ -0,0 +1,18 @@
+import { run, mark, utils } from 'micro-bmark';
+import { shake256 } from '@noble/hashes/sha3';
+import * as mod from '../abstract/modular.js';
+import { ed448, DecafPoint } from '../ed448.js';
+
+run(async () => {
+  const RAM = false;
+  if (RAM) utils.logMem();
+  console.log(`\x1b[36mdecaf448\x1b[0m`);
+  const priv = mod.hashToPrivateScalar(shake256(ed448.utils.randomPrivateKey(), { dkLen: 112 }), ed448.CURVE.n);
+  const pub = DecafPoint.BASE.multiply(priv);
+  const encoded = pub.toRawBytes();
+  await mark('add', 1000000, () => pub.add(DecafPoint.BASE));
+  await mark('multiply', 1000, () => DecafPoint.BASE.multiply(priv));
+  await mark('encode', 10000, () => DecafPoint.BASE.toRawBytes());
+  await mark('decode', 10000, () => DecafPoint.fromHex(encoded));
+  if (RAM) utils.logMem();
+});

benchmark/ecdh.js

@@ -0,0 +1,18 @@
+import { run, compare } from 'micro-bmark';
+import { secp256k1 } from '../secp256k1.js';
+import { p256 } from '../p256.js';
+import { p384 } from '../p384.js';
+import { p521 } from '../p521.js';
+import { x25519 } from '../ed25519.js';
+import { x448 } from '../ed448.js';
+
+run(async () => {
+  const curves = { x25519, secp256k1, p256, p384, p521, x448 };
+  const fns = {};
+  for (let [k, c] of Object.entries(curves)) {
+    const pubB = c.getPublicKey(c.utils.randomPrivateKey());
+    const privA = c.utils.randomPrivateKey();
+    fns[k] = () => c.getSharedSecret(privA, pubB);
+  }
+  await compare('ecdh', 1000, fns);
+});

benchmark/hash-to-curve.js

@@ -0,0 +1,32 @@
+import { run, mark, utils } from 'micro-bmark';
+import { hash_to_field } from '../abstract/hash-to-curve.js';
+import { hashToPrivateScalar } from '../abstract/modular.js';
+import { randomBytes } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha256';
+// import { generateData } from './_shared.js';
+import { hashToCurve as secp256k1 } from '../secp256k1.js';
+import { hashToCurve as p256 } from '../p256.js';
+import { hashToCurve as p384 } from '../p384.js';
+import { hashToCurve as p521 } from '../p521.js';
+import { hashToCurve as ed25519, hash_to_ristretto255 } from '../ed25519.js';
+import { hashToCurve as ed448, hash_to_decaf448 } from '../ed448.js';
+import { utf8ToBytes } from '../abstract/utils.js';
+
+const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;
+run(async () => {
+  const rand = randomBytes(40);
+  await mark('hashToPrivateScalar', 1000000, () => hashToPrivateScalar(rand, N));
+  // - p, the characteristic of F
+  // - m, the extension degree of F, m >= 1
+  // - L = ceil((ceil(log2(p)) + k) / 8), where k is the security of suite (e.g. 128)
+  await mark('hash_to_field', 1000000, () =>
+    hash_to_field(rand, 1, { DST: 'secp256k1', hash: sha256, expand: 'xmd', p: N, m: 1, k: 128 })
+  );
+  const msg = utf8ToBytes('message');
+  for (let [title, fn] of Object.entries({ secp256k1, p256, p384, p521, ed25519, ed448 })) {
+    await mark(`hashToCurve ${title}`, 1000, () => fn(msg));
+  }
+
+  await mark('hash_to_ristretto255', 1000, () => hash_to_ristretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' }));
+  await mark('hash_to_decaf448', 1000, () => hash_to_decaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' }));
+});

benchmark/modular.js

@@ -0,0 +1,13 @@
+import { run, mark } from 'micro-bmark';
+import { secp256k1 } from '../secp256k1.js';
+import { Field as Fp  } from '../abstract/modular.js';
+
+run(async () => {
+  console.log(`\x1b[36mmodular, secp256k1 field\x1b[0m`);
+  const { Fp: secpFp } = secp256k1.CURVE;
+  await mark('invert a', 300000, () => secpFp.inv(2n ** 232n - 5910n));
+  await mark('invert b', 300000, () => secpFp.inv(2n ** 231n - 5910n));
+  await mark('sqrt p = 3 mod 4', 15000, () => secpFp.sqrt(2n ** 231n - 5910n));
+  const FpStark = Fp(BigInt('0x800000000000011000000000000000000000000000000000000000000000001'));
+  await mark('sqrt tonneli-shanks', 500, () => FpStark.sqrt(2n ** 231n - 5909n))
+});

benchmark/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "benchmark",
+  "private": true,
+  "version": "0.1.0",
+  "description": "benchmarks",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "bench": "node index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "devDependencies": {
+    "micro-bmark": "0.3.0"
+  },
+  "dependencies": {
+    "@noble/hashes": "^1.1.5",
+    "elliptic": "^6.5.4"
+  }
+}

benchmark/ristretto255.js

@@ -0,0 +1,18 @@
+import { run, mark, utils } from 'micro-bmark';
+import { sha512 } from '@noble/hashes/sha512';
+import * as mod from '../abstract/modular.js';
+import { ed25519, RistrettoPoint } from '../ed25519.js';
+
+run(async () => {
+  const RAM = false;
+  if (RAM) utils.logMem();
+  console.log(`\x1b[36mristretto255\x1b[0m`);
+  const priv = mod.hashToPrivateScalar(sha512(ed25519.utils.randomPrivateKey()), ed25519.CURVE.n);
+  const pub = RistrettoPoint.BASE.multiply(priv);
+  const encoded = pub.toRawBytes();
+  await mark('add', 1000000, () => pub.add(RistrettoPoint.BASE));
+  await mark('multiply', 10000, () => RistrettoPoint.BASE.multiply(priv));
+  await mark('encode', 10000, () => RistrettoPoint.BASE.toRawBytes());
+  await mark('decode', 10000, () => RistrettoPoint.fromHex(encoded));
+  if (RAM) utils.logMem();
+});

benchmark/secp256k1.js

@@ -0,0 +1,22 @@
+import { run, mark, utils } from 'micro-bmark';
+import { secp256k1, schnorr } from '../secp256k1.js';
+import { generateData } from './_shared.js';
+
+run(async () => {
+  const RAM = false;
+  if (RAM) utils.logMem();
+  console.log(`\x1b[36msecp256k1\x1b[0m`);
+  await mark('init', 1, () => secp256k1.utils.precompute(8));
+  const d = generateData(secp256k1);
+  await mark('getPublicKey', 10000, () => secp256k1.getPublicKey(d.priv));
+  await mark('sign', 10000, () => secp256k1.sign(d.msg, d.priv));
+  await mark('verify', 1000, () => secp256k1.verify(d.sig, d.msg, d.pub));
+  const pub2 = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
+  await mark('getSharedSecret', 1000, () => secp256k1.getSharedSecret(d.priv, pub2));
+  await mark('recoverPublicKey', 1000, () => d.sig.recoverPublicKey(d.msg));
+  const s = schnorr.sign(d.msg, d.priv);
+  const spub = schnorr.getPublicKey(d.priv);
+  await mark('schnorr.sign', 1000, () => schnorr.sign(d.msg, d.priv));
+  await mark('schnorr.verify', 1000, () => schnorr.verify(s, d.msg, spub));
+  if (RAM) utils.logMem();
+});

benchmark/utils.js

@@ -0,0 +1,9 @@
+import { hexToBytes } from '../abstract/utils.js';
+import { run, mark } from 'micro-bmark';
+
+run(async () => {
+  const hex32 = '0123456789abcdef'.repeat(4);
+  const hex256 = hex32.repeat(8);
+  await mark('hexToBytes 32b', 5000000, () => hexToBytes(hex32));
+  await mark('hexToBytes 256b', 500000, () => hexToBytes(hex256));
+});

build/README.md

@@ -0,0 +1,7 @@
+# build
+
+The directory is used to build a single file `noble-curves.js` which contains everything.
+
+The output file uses iife wrapper and can be used in browsers as-is.
+
+Don't use it unless you can't use NPM/ESM, which support tree shaking.

build/input.js

@@ -0,0 +1,20 @@
+import { bytesToHex, concatBytes, hexToBytes } from '@noble/curves/abstract/utils';
+
+export { secp256k1, schnorr as secp256k1_schnorr } from '@noble/curves/secp256k1';
+export {
+  ed25519,
+  x25519,
+  edwardsToMontgomeryPub as ed25519_edwardsToMontgomeryPub,
+  edwardsToMontgomeryPriv as ed25519_edwardsToMontgomeryPriv,
+} from '@noble/curves/ed25519';
+export {
+  ed448,
+  x448,
+  edwardsToMontgomeryPub as ed448_edwardsToMontgomeryPub,
+} from '@noble/curves/ed448';
+export { p256 } from '@noble/curves/p256';
+export { p384 } from '@noble/curves/p384';
+export { p521 } from '@noble/curves/p521';
+export { bls12_381 } from '@noble/curves/bls12-381';
+
+export const utils = { bytesToHex, concatBytes, hexToBytes };

build/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "build",
+  "private": true,
+  "version": "1.0.0",
+  "description": "Used to build a single file",
+  "main": "input.js",
+  "keywords": [],
+  "type": "module",
+  "author": "",
+  "license": "MIT",
+  "devDependencies": {
+    "@noble/curves": "..",
+    "esbuild": "0.18.11"
+  },
+  "scripts": {
+    "build": "npx esbuild --bundle input.js --outfile=noble-curves.js --global-name=nobleCurves"
+  }
+}

curve-definitions/LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2022 Paul Miller (https://paulmillr.com)
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the “Software”), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

curve-definitions/README.md

@@ -1,28 +0,0 @@
-# micro-curve-definitions
-
-Elliptic curves implementations. `@noble/curves` is zero-dependency library for internal arithmetics.
-
-`micro-curve-definitions` is the actual implementations. Current functionality:
-
-- NIST curves: P192, P224, P256, P384, P521 (ECDSA)
-- secp256k1 (ECDSA, without Schnorr)
-- stark curve
-- bn254
-
-Pairings are not implemented.
-
-## Usage
-
-```sh
-npm install micro-curve-definitions
-```
-
-```ts
-import * as nist from 'micro-curve-definitions';
-
-// P192, P224, P256, P384, P521, bn254
-```
-
-## License
-
-MIT (c) Paul Miller [(https://paulmillr.com)](https://paulmillr.com), see LICENSE file.

curve-definitions/benchmark/index.js

@@ -1,231 +0,0 @@
-import * as bench from 'micro-bmark';
-const { run, mark } = bench; // or bench.mark
-// Curves
-import { secp256k1 } from '../lib/secp256k1.js';
-import { P256 } from '../lib/p256.js';
-import { P384 } from '../lib/p384.js';
-import { P521 } from '../lib/p521.js';
-import { ed25519 } from '../lib/ed25519.js';
-import { ed448 } from '../lib/ed448.js';
-
-// Others
-import { hmac } from '@noble/hashes/hmac';
-import { sha256 } from '@noble/hashes/sha256';
-import { sha512 } from '@noble/hashes/sha512';
-
-import * as old_secp from '@noble/secp256k1';
-import { concatBytes, hexToBytes } from '@noble/hashes/utils';
-
-import * as starkwareCrypto from '@starkware-industries/starkware-crypto-utils';
-import * as stark from '../lib/stark.js';
-
-old_secp.utils.sha256Sync = (...msgs) =>
-  sha256
-    .create()
-    .update(concatBytes(...msgs))
-    .digest();
-old_secp.utils.hmacSha256Sync = (key, ...msgs) =>
-  hmac
-    .create(sha256, key)
-    .update(concatBytes(...msgs))
-    .digest();
-import * as noble_ed25519 from '@noble/ed25519';
-noble_ed25519.utils.sha512Sync = (...m) => sha512(concatBytes(...m));
-
-for (let item of [secp256k1, ed25519, ed448, P256, P384, P521, old_secp, noble_ed25519]) {
-  item.utils.precompute(8);
-}
-
-const ONLY_NOBLE = process.argv[2] === 'noble';
-
-function generateData(namespace) {
-  const priv = namespace.utils.randomPrivateKey();
-  const pub = namespace.getPublicKey(priv);
-  const msg = namespace.utils.randomPrivateKey();
-  const sig = namespace.sign(msg, priv);
-  return { priv, pub, msg, sig };
-}
-
-export const CURVES = {
-  secp256k1: {
-    data: () => {
-      return generateData(secp256k1);
-    },
-    getPublicKey1: {
-      samples: 10000,
-      secp256k1_old: () => old_secp.getPublicKey(3n),
-      secp256k1: () => secp256k1.getPublicKey(3n),
-    },
-    getPublicKey255: {
-      samples: 10000,
-      secp256k1_old: () => old_secp.getPublicKey(2n**255n-1n),
-      secp256k1: () => secp256k1.getPublicKey(2n**255n-1n),
-    },
-    sign: {
-      samples: 5000,
-      secp256k1_old: ({ msg, priv }) => old_secp.signSync(msg, priv),
-      secp256k1: ({ msg, priv }) => secp256k1.sign(msg, priv),
-    },
-    verify: {
-      samples: 1000,
-      secp256k1_old: ({ sig, msg, pub }) => {
-        return old_secp.verify((new old_secp.Signature(sig.r, sig.s)), msg, pub);
-      },
-      secp256k1: ({ sig, msg, pub }) => secp256k1.verify(sig, msg, pub)
-    },
-    getSharedSecret: {
-      samples: 1000,
-      secp256k1_old: ({ pub, priv }) => old_secp.getSharedSecret(priv, pub),
-      secp256k1: ({ pub, priv }) => secp256k1.getSharedSecret(priv, pub),
-    },
-    recoverPublicKey: {
-      samples: 1000,
-      secp256k1_old: ({ sig, msg }) =>
-        old_secp.recoverPublicKey(msg, (new old_secp.Signature(sig.r, sig.s)), sig.recovery),
-      secp256k1: ({ sig, msg }) => sig.recoverPublicKey(msg)
-    }
-  },
-  ed25519: {
-    data: () => {
-      function to32Bytes(numOrStr) {
-        const hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
-        return hexToBytes(hex.padStart(64, '0'));
-      }
-      const priv = to32Bytes(0x9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60n);
-      const pub = noble_ed25519.sync.getPublicKey(priv);
-      const msg = to32Bytes('deadbeefdeadbeefdeadbeefdeadbeefdeadbeef');
-      const sig = noble_ed25519.sync.sign(msg, priv);
-      return { pub, priv, msg, sig };
-    },
-    getPublicKey: {
-      samples: 10000,
-      old: () => noble_ed25519.sync.getPublicKey(noble_ed25519.utils.randomPrivateKey()),
-      noble: () => ed25519.getPublicKey(ed25519.utils.randomPrivateKey()),
-    },
-    sign: {
-      samples: 5000,
-      old: ({ msg, priv }) => noble_ed25519.sync.sign(msg, priv),
-      noble: ({ msg, priv }) => ed25519.sign(msg, priv),
-    },
-    verify: {
-      samples: 1000,
-      old: ({ sig, msg, pub }) => noble_ed25519.sync.verify(sig, msg, pub),
-      noble: ({ sig, msg, pub }) => ed25519.verify(sig, msg, pub),
-    },
-  },
-  ed448: {
-    data: () => {
-      const priv = ed448.utils.randomPrivateKey();
-      const pub = ed448.getPublicKey(priv);
-      const msg = ed448.utils.randomPrivateKey();
-      const sig = ed448.sign(msg, priv);
-      return { priv, pub, msg, sig };
-    },
-    getPublicKey: {
-      samples: 5000,
-      noble: () => ed448.getPublicKey(ed448.utils.randomPrivateKey()),
-    },
-    sign: {
-      samples: 2500,
-      noble: ({ msg, priv }) => ed448.sign(msg, priv),
-    },
-    verify: {
-      samples: 500,
-      noble: ({ sig, msg, pub }) => ed448.verify(sig, msg, pub)
-    }
-  },
-  nist: {
-    data: () => {
-      return { p256: generateData(P256), p384: generateData(P384), p521: generateData(P521) }
-    },
-    getPublicKey: {
-      samples: 2500,
-      P256: () => P256.getPublicKey(P256.utils.randomPrivateKey()),
-      P384: () => P384.getPublicKey(P384.utils.randomPrivateKey()),
-      P521: () => P521.getPublicKey(P521.utils.randomPrivateKey()),
-    },
-    sign: {
-      samples: 1000,
-      P256: ({ p256: {msg, priv} }) => P256.sign(msg, priv),
-      P384: ({ p384: {msg, priv} }) => P384.sign(msg, priv),
-      P521: ({ p521: {msg, priv} }) => P521.sign(msg, priv),
-    },
-    verify: {
-      samples: 250,
-      P256: ({ p256: {sig, msg, pub} }) => P256.verify(sig, msg, pub),
-      P384: ({ p384: {sig, msg, pub} }) => P384.verify(sig, msg, pub),
-      P521: ({ p521: {sig, msg, pub} }) => P521.verify(sig, msg, pub),
-    }
-  },
-  stark: {
-    data: () => {
-      const priv = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
-      const msg = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
-      const pub = stark.getPublicKey(priv);
-      const sig = stark.sign(msg, priv);
-
-      const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
-      const msgHash = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
-      const keyPair = starkwareCrypto.default.ec.keyFromPrivate(privateKey, 'hex');
-      const publicKeyStark = starkwareCrypto.default.ec.keyFromPublic(
-        keyPair.getPublic(true, 'hex'), 'hex'
-      );
-
-      return { priv, sig, msg, pub, publicKeyStark, msgHash, keyPair }
-    },
-    pedersen: {
-      samples: 500,
-      old: () => {
-        return starkwareCrypto.default.pedersen([
-          '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
-          '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a',
-        ])
-      },
-      noble: () => {
-        return stark.pedersen(
-          '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
-          '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
-        )
-      }
-    },
-    verify: {
-      samples: 500,
-      old: ({ publicKeyStark, msgHash, keyPair }) => {
-        return starkwareCrypto.default.verify(
-          publicKeyStark,
-          msgHash,
-          starkwareCrypto.default.sign(keyPair, msgHash)
-        );
-      },
-      noble: ({ priv, msg, pub }) => {
-        return stark.verify(stark.sign(msg, priv), msg, pub)
-      }
-    }
-  }
-};
-
-const main = () =>
-  run(async () => {
-    for (const [name, curve] of Object.entries(CURVES)) {
-      console.log(`==== ${name} ====`);
-      const data = curve.data();
-      for (const [fnName, libs] of Object.entries(curve)) {
-        if (fnName === 'data') continue;
-        const samples = libs.samples;
-        console.log(`  - ${fnName} (samples: ${samples})`);
-        for (const [lib, fn] of Object.entries(libs)) {
-          if (lib === 'samples') continue;
-          if (ONLY_NOBLE && lib !== 'noble') continue;
-          await mark(`    ${lib}`, samples, () => fn(data));
-        }
-      }
-    }
-    // Log current RAM
-    bench.logMem();
-  });
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  main();
-}

curve-definitions/benchmark/package.json

@@ -1,22 +0,0 @@
-{
-    "name": "benchmark",
-    "private": true,
-    "version": "0.1.0",
-    "description": "benchmarks",
-    "main": "index.js",
-    "type": "module",
-    "scripts": {
-        "bench": "node index.js"
-    },
-    "keywords": [],
-    "author": "",
-    "license": "MIT",
-    "devDependencies": {
-        "micro-bmark": "0.2.0"
-    },
-    "dependencies": {
-        "@noble/ed25519": "^1.7.1",
-        "@noble/secp256k1": "^1.7.0",
-        "@starkware-industries/starkware-crypto-utils": "^0.0.2"
-    }
-}

curve-definitions/package.json

@@ -1,59 +0,0 @@
-{
-  "name": "micro-curve-definitions",
-  "version": "0.2.0",
-  "description": "Curve definitions for @noble/curves",
-  "files": [
-    "lib"
-  ],
-  "type": "module",
-  "main": "lib/index.js",
-  "module": "lib/index.js",
-  "types": "lib/index.d.ts",
-  "dependencies": {
-    "@noble/curves": "0.2.0",
-    "@noble/hashes": "1.1.5"
-  },
-  "devDependencies": {
-    "@scure/base": "~1.1.0",
-    "@scure/bip32": "^1.1.1",
-    "@scure/bip39": "^1.1.0",
-    "@types/node": "18.11.3",
-    "fast-check": "3.0.0",
-    "micro-should": "0.2.0",
-    "prettier": "2.6.2",
-    "typescript": "4.7.3"
-  },
-  "author": "Paul Miller (https://paulmillr.com)",
-  "license": "MIT",
-  "homepage": "https://github.com/paulmillr/noble-curves",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/paulmillr/noble-curves.git"
-  },
-  "scripts": {
-    "build": "tsc",
-    "lint": "prettier --check src",
-    "test": "node test/index.test.js"
-  },
-  "keywords": [
-    "secp192r1",
-    "secp224r1",
-    "secp256r1",
-    "secp384r1",
-    "secp521r1",
-    "NIST P192",
-    "NIST P224",
-    "NIST P256",
-    "NIST P384",
-    "NIST P521",
-    "NIST curves",
-    "EC",
-    "elliptic curves"
-  ],
-  "funding": [
-    {
-      "type": "individual",
-      "url": "https://paulmillr.com/funding/"
-    }
-  ]
-}

curve-definitions/src/bn.ts

@@ -1,21 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { weierstrass } from '@noble/curves/weierstrass';
-import { sha256 } from '@noble/hashes/sha256';
-import { getHash } from './_shortw_utils.js';
-
-/**
- * bn254 pairing-friendly curve.
- * Previously known as alt_bn_128, when it had 128-bit security.
- * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
- * https://github.com/zcash/zcash/issues/2502
- */
-export const bn254 = weierstrass({
-  a: BigInt(0),
-  b: BigInt(3),
-  P: BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47'),
-  n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
-  Gx: BigInt(1),
-  Gy: BigInt(2),
-  h: BigInt(1),
-  ...getHash(sha256),
-});

curve-definitions/src/ed25519.ts

@@ -1,341 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
-import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { twistedEdwards, ExtendedPointType } from '@noble/curves/edwards';
-import { montgomery } from '@noble/curves/montgomery';
-import { mod, pow2, isNegativeLE } from '@noble/curves/modular';
-import {
-  ensureBytes,
-  equalBytes,
-  bytesToHex,
-  bytesToNumberLE,
-  numberToBytesLE,
-  Hex,
-} from '@noble/curves/utils';
-
-/**
- * ed25519 Twisted Edwards curve with following addons:
- * - X25519 ECDH
- * - Ristretto cofactor elimination
- * - Elligator hash-to-group / point indistinguishability
- */
-
-const ED25519_P = BigInt(
-  '57896044618658097711785492504343953926634992332820282019728792003956564819949'
-);
-// √(-1) aka √(a) aka 2^((p-1)/4)
-const ED25519_SQRT_M1 = BigInt(
-  '19681161376707505956807079304988542015446066515923890162744021073123829784752'
-);
-
-// prettier-ignore
-const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _5n = BigInt(5);
-// prettier-ignore
-const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
-function ed25519_pow_2_252_3(x: bigint) {
-  const P = ED25519_P;
-  const x2 = (x * x) % P;
-  const b2 = (x2 * x) % P; // x^3, 11
-  const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
-  const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
-  const b10 = (pow2(b5, _5n, P) * b5) % P;
-  const b20 = (pow2(b10, _10n, P) * b10) % P;
-  const b40 = (pow2(b20, _20n, P) * b20) % P;
-  const b80 = (pow2(b40, _40n, P) * b40) % P;
-  const b160 = (pow2(b80, _80n, P) * b80) % P;
-  const b240 = (pow2(b160, _80n, P) * b80) % P;
-  const b250 = (pow2(b240, _10n, P) * b10) % P;
-  const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
-  // ^ To pow to (p+3)/8, multiply it by x.
-  return { pow_p_5_8, b2 };
-}
-
-/**
- * For X25519, in order to decode 32 random bytes as an integer scalar,
- * set the
- * three least significant bits of the first byte 0b1111_1000,
- * and the most significant bit of the last to zero 0b0111_1111,
- * set the second most significant bit of the last byte to 1 0b0100_0000
- */
-function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
-  bytes[0] &= 248;
-  bytes[31] &= 127;
-  bytes[31] |= 64;
-  return bytes;
-}
-// sqrt(u/v)
-function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
-  const P = ED25519_P;
-  const v3 = mod(v * v * v, P); // v³
-  const v7 = mod(v3 * v3 * v, P); // v⁷
-  // (p+3)/8 and (p-5)/8
-  const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
-  let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
-  const vx2 = mod(v * x * x, P); // vx²
-  const root1 = x; // First root candidate
-  const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
-  const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
-  const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
-  const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
-  if (useRoot1) x = root1;
-  if (useRoot2 || noRoot) x = root2; // We return root2 anyway, for const-time
-  if (isNegativeLE(x, P)) x = mod(-x, P);
-  return { isValid: useRoot1 || useRoot2, value: x };
-}
-
-// Just in case
-export const ED25519_TORSION_SUBGROUP = [
-  '0100000000000000000000000000000000000000000000000000000000000000',
-  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
-  '0000000000000000000000000000000000000000000000000000000000000080',
-  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
-  'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
-  '0000000000000000000000000000000000000000000000000000000000000000',
-  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
-];
-
-const ED25519_DEF = {
-  // Param: a
-  a: BigInt(-1),
-  // Equal to -121665/121666 over finite field.
-  // Negative number is P - number, and division is invert(number, P)
-  d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-  // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
-  P: ED25519_P,
-  // Subgroup order: how many points ed25519 has
-  // 2n ** 252n + 27742317777372353535851937790883648493n;
-  n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-  // Cofactor
-  h: BigInt(8),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
-  Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
-  hash: sha512,
-  randomBytes,
-  adjustScalarBytes,
-  // dom2
-  // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
-  // Constant-time, u/√v
-  uvRatio,
-} as const;
-
-export const ed25519 = twistedEdwards(ED25519_DEF);
-function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
-  if (ctx.length > 255) throw new Error('Context is too big');
-  return concatBytes(
-    utf8ToBytes('SigEd25519 no Ed25519 collisions'),
-    new Uint8Array([phflag ? 1 : 0, ctx.length]),
-    ctx,
-    data
-  );
-}
-export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
-export const ed25519ph = twistedEdwards({
-  ...ED25519_DEF,
-  domain: ed25519_domain,
-  preHash: sha512,
-});
-
-export const x25519 = montgomery({
-  P: ED25519_P,
-  a24: BigInt('121665'),
-  montgomeryBits: 255, // n is 253 bits
-  nByteLength: 32,
-  Gu: '0900000000000000000000000000000000000000000000000000000000000000',
-  powPminus2: (x: bigint): bigint => {
-    const P = ED25519_P;
-    // x^(p-2) aka x^(2^255-21)
-    const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
-    return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
-  },
-  adjustScalarBytes,
-});
-
-function assertRstPoint(other: unknown) {
-  if (!(other instanceof RistrettoPoint)) throw new TypeError('RistrettoPoint expected');
-}
-// √(-1) aka √(a) aka 2^((p-1)/4)
-const SQRT_M1 = BigInt(
-  '19681161376707505956807079304988542015446066515923890162744021073123829784752'
-);
-// √(ad - 1)
-const SQRT_AD_MINUS_ONE = BigInt(
-  '25063068953384623474111414158702152701244531502492656460079210482610430750235'
-);
-// 1 / √(a-d)
-const INVSQRT_A_MINUS_D = BigInt(
-  '54469307008909316920995813868745141605393597292927456921205312896311721017578'
-);
-// 1-d²
-const ONE_MINUS_D_SQ = BigInt(
-  '1159843021668779879193775521855586647937357759715417654439879720876111806838'
-);
-// (d-1)²
-const D_MINUS_ONE_SQ = BigInt(
-  '40440834346308536858101042469323190826248399146238708352240133220865137265952'
-);
-// Calculates 1/√(number)
-const invertSqrt = (number: bigint) => uvRatio(_1n, number);
-
-const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const bytes255ToNumberLE = (bytes: Uint8Array) =>
-  ed25519.utils.mod(bytesToNumberLE(bytes) & MAX_255B);
-
-type ExtendedPoint = ExtendedPointType;
-
-/**
- * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
- * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
- * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
- * but it should work in its own namespace: do not combine those two.
- * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
- */
-export class RistrettoPoint {
-  static BASE = new RistrettoPoint(ed25519.ExtendedPoint.BASE);
-  static ZERO = new RistrettoPoint(ed25519.ExtendedPoint.ZERO);
-
-  // Private property to discourage combining ExtendedPoint + RistrettoPoint
-  // Always use Ristretto encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
-
-  // Computes Elligator map for Ristretto
-  // https://ristretto.group/formulas/elligator.html
-  private static calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
-    const { d, P } = ed25519.CURVE;
-    const { mod } = ed25519.utils;
-    const r = mod(SQRT_M1 * r0 * r0); // 1
-    const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
-    let c = BigInt(-1); // 3
-    const D = mod((c - d * r) * mod(r + d)); // 4
-    let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
-    let s_ = mod(s * r0); // 6
-    if (!isNegativeLE(s_, P)) s_ = mod(-s_);
-    if (!Ns_D_is_sq) s = s_; // 7
-    if (!Ns_D_is_sq) c = r; // 8
-    const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
-    const s2 = s * s;
-    const W0 = mod((s + s) * D); // 10
-    const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
-    const W2 = mod(_1n - s2); // 12
-    const W3 = mod(_1n + s2); // 13
-    return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
-  }
-
-  /**
-   * Takes uniform output of 64-bit hash function like sha512 and converts it to `RistrettoPoint`.
-   * The hash-to-group operation applies Elligator twice and adds the results.
-   * **Note:** this is one-way map, there is no conversion from point to hash.
-   * https://ristretto.group/formulas/elligator.html
-   * @param hex 64-bit output of a hash function
-   */
-  static hashToCurve(hex: Hex): RistrettoPoint {
-    hex = ensureBytes(hex, 64);
-    const r1 = bytes255ToNumberLE(hex.slice(0, 32));
-    const R1 = this.calcElligatorRistrettoMap(r1);
-    const r2 = bytes255ToNumberLE(hex.slice(32, 64));
-    const R2 = this.calcElligatorRistrettoMap(r2);
-    return new RistrettoPoint(R1.add(R2));
-  }
-
-  /**
-   * Converts ristretto-encoded string to ristretto point.
-   * https://ristretto.group/formulas/decoding.html
-   * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
-   */
-  static fromHex(hex: Hex): RistrettoPoint {
-    hex = ensureBytes(hex, 32);
-    const { a, d, P } = ed25519.CURVE;
-    const { mod } = ed25519.utils;
-    const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
-    const s = bytes255ToNumberLE(hex);
-    // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
-    // 3. Check that s is non-negative, or else abort
-    if (!equalBytes(numberToBytesLE(s, 32), hex) || isNegativeLE(s, P)) throw new Error(emsg);
-    const s2 = mod(s * s);
-    const u1 = mod(_1n + a * s2); // 4 (a is -1)
-    const u2 = mod(_1n - a * s2); // 5
-    const u1_2 = mod(u1 * u1);
-    const u2_2 = mod(u2 * u2);
-    const v = mod(a * d * u1_2 - u2_2); // 6
-    const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
-    const Dx = mod(I * u2); // 8
-    const Dy = mod(I * Dx * v); // 9
-    let x = mod((s + s) * Dx); // 10
-    if (isNegativeLE(x, P)) x = mod(-x); // 10
-    const y = mod(u1 * Dy); // 11
-    const t = mod(x * y); // 12
-    if (!isValid || isNegativeLE(t, P) || y === _0n) throw new Error(emsg);
-    return new RistrettoPoint(new ed25519.ExtendedPoint(x, y, _1n, t));
-  }
-
-  /**
-   * Encodes ristretto point to Uint8Array.
-   * https://ristretto.group/formulas/encoding.html
-   */
-  toRawBytes(): Uint8Array {
-    let { x, y, z, t } = this.ep;
-    const { P } = ed25519.CURVE;
-    const { mod } = ed25519.utils;
-    const u1 = mod(mod(z + y) * mod(z - y)); // 1
-    const u2 = mod(x * y); // 2
-    // Square root always exists
-    const u2sq = mod(u2 * u2);
-    const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
-    const D1 = mod(invsqrt * u1); // 4
-    const D2 = mod(invsqrt * u2); // 5
-    const zInv = mod(D1 * D2 * t); // 6
-    let D: bigint; // 7
-    if (isNegativeLE(t * zInv, P)) {
-      let _x = mod(y * SQRT_M1);
-      let _y = mod(x * SQRT_M1);
-      x = _x;
-      y = _y;
-      D = mod(D1 * INVSQRT_A_MINUS_D);
-    } else {
-      D = D2; // 8
-    }
-    if (isNegativeLE(x * zInv, P)) y = mod(-y); // 9
-    let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
-    if (isNegativeLE(s, P)) s = mod(-s);
-    return numberToBytesLE(s, 32); // 11
-  }
-
-  toHex(): string {
-    return bytesToHex(this.toRawBytes());
-  }
-
-  toString(): string {
-    return this.toHex();
-  }
-
-  // Compare one point to another.
-  equals(other: RistrettoPoint): boolean {
-    assertRstPoint(other);
-    const a = this.ep;
-    const b = other.ep;
-    const { mod } = ed25519.utils;
-    // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
-    const one = mod(a.x * b.y) === mod(a.y * b.x);
-    const two = mod(a.y * b.y) === mod(a.x * b.x);
-    return one || two;
-  }
-
-  add(other: RistrettoPoint): RistrettoPoint {
-    assertRstPoint(other);
-    return new RistrettoPoint(this.ep.add(other.ep));
-  }
-
-  subtract(other: RistrettoPoint): RistrettoPoint {
-    assertRstPoint(other);
-    return new RistrettoPoint(this.ep.subtract(other.ep));
-  }
-
-  multiply(scalar: number | bigint): RistrettoPoint {
-    return new RistrettoPoint(this.ep.multiply(scalar));
-  }
-
-  multiplyUnsafe(scalar: number | bigint): RistrettoPoint {
-    return new RistrettoPoint(this.ep.multiplyUnsafe(scalar));
-  }
-}

curve-definitions/src/ed448.ts

@@ -1,146 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { shake256 } from '@noble/hashes/sha3';
-import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
-import { twistedEdwards } from '@noble/curves/edwards';
-import { mod, pow2 } from '@noble/curves/modular';
-import { montgomery } from '../../lib/montgomery.js';
-
-/**
- * Edwards448 (not Ed448-Goldilocks) curve with following addons:
- * * X448 ECDH
- * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
- */
-
-const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
-const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
-const ed448P = BigInt(
-  '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
-);
-
-// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
-function ed448_pow_Pminus3div4(x: bigint): bigint {
-  const P = ed448P;
-  // prettier-ignore
-  let [_1n, _2n, _3n, _11n, _22n, _44n, _88n, _223n] = [1, 2, 3, 11, 22, 44, 88, 223]
-    .map(n => BigInt(n));
-  // x ** ((P - 3n)/4n) % P
-  // [223 of 1, 0, 222 of 1], almost same as secp!
-  const b2 = (x * x * x) % P;
-  const b3 = (b2 * b2 * x) % P;
-  const b6 = (pow2(b3, _3n, P) * b3) % P;
-  const b9 = (pow2(b6, _3n, P) * b3) % P;
-  const b11 = (pow2(b9, _2n, P) * b2) % P;
-  const b22 = (pow2(b11, _11n, P) * b11) % P;
-  const b44 = (pow2(b22, _22n, P) * b22) % P;
-  const b88 = (pow2(b44, _44n, P) * b44) % P;
-  const b176 = (pow2(b88, _88n, P) * b88) % P;
-  const b220 = (pow2(b176, _44n, P) * b44) % P;
-  const b222 = (pow2(b220, _2n, P) * b2) % P;
-  const b223 = (pow2(b222, _1n, P) * x) % P;
-  return (pow2(b223, _223n, P) * b222) % P;
-}
-
-function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
-  // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
-  // significant bit of the last byte to 1.
-  bytes[0] &= 252; // 0b11111100
-  // and the most significant bit of the last byte to 1.
-  bytes[55] |= 128; // 0b10000000
-  // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
-  bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
-  return bytes;
-}
-
-const ED448_DEF = {
-  // Param: a
-  a: BigInt(1),
-  // -39081. Negative number is P - number
-  d: BigInt(
-    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
-  ),
-  // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
-  P: ed448P,
-  // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-  n: BigInt(
-    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
-  ),
-  nBitLength: 456,
-  // Cofactor
-  h: BigInt(4),
-  // Base point (x, y) aka generator point
-  Gx: BigInt(
-    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
-  ),
-  Gy: BigInt(
-    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
-  ),
-  // SHAKE256(dom4(phflag,context)||x, 114)
-  hash: shake256_114,
-  randomBytes,
-  adjustScalarBytes,
-  // dom4
-  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
-    return concatBytes(
-      utf8ToBytes('SigEd448'),
-      new Uint8Array([phflag ? 1 : 0, ctx.length]),
-      ctx,
-      data
-    );
-  },
-  // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
-  // Uses algo from RFC8032 5.1.3.
-  uvRatio: (u: bigint, v: bigint): { isValid: boolean; value: bigint } => {
-    const P = ed448P;
-    // https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.3
-    // To compute the square root of (u/v), the first step is to compute the
-    //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
-    // following trick, to use a single modular powering for both the
-    // inversion of v and the square root:
-    //           (p+1)/4    3            (p-3)/4
-    // x = (u/v)        = u  v (u^5 v^3)         (mod p)
-    const u2v = mod(u * u * v, P);
-    const u3v = mod(u2v * u, P); // u^2v
-    const u5v3 = mod(u3v * u2v * v, P); // u^5v^3
-    const root = ed448_pow_Pminus3div4(u5v3);
-    const x = mod(u3v * root, P);
-    // Verify that root is exists
-    const x2 = mod(x * x, P); // x^2
-    // If v * x^2 = u, the recovered x-coordinate is x.  Otherwise, no
-    // square root exists, and the decoding fails.
-    return { isValid: mod(x2 * v, P) === u, value: x };
-  },
-} as const;
-
-export const ed448 = twistedEdwards(ED448_DEF);
-// NOTE: there is no ed448ctx, since ed448 supports ctx by default
-export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
-
-export const x448 = montgomery({
-  a24: BigInt(39081),
-  montgomeryBits: 448,
-  nByteLength: 57,
-  P: ed448P,
-  Gu: '0500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
-  powPminus2: (x: bigint): bigint => {
-    const P = ed448P;
-    const Pminus3div4 = ed448_pow_Pminus3div4(x);
-    const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
-    return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
-  },
-  adjustScalarBytes,
-  // The 4-isogeny maps between the Montgomery curve and this Edwards
-  // curve are:
-  //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
-  //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
-  //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
-  //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
-  // xyToU: (p: PointType) => {
-  //   const P = ed448P;
-  //   const { x, y } = p;
-  //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
-  //   const invX = invert(x * x, P); // x^2
-  //   const u = mod(y * y * invX, P); // (y^2/x^2)
-  //   return numberToBytesLE(u, 56);
-  // },
-});

curve-definitions/src/p192.ts

@@ -1,24 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
-import { sha256 } from '@noble/hashes/sha256';
-
-// NIST secp192r1 aka P192
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
-export const P192 = createCurve(
-  {
-    // Params: a, b
-    a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffc'),
-    b: BigInt('0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1'),
-    // Field over which we'll do calculations; 2n ** 192n - 2n ** 64n - 1n
-    P: BigInt('0xfffffffffffffffffffffffffffffffeffffffffffffffff'),
-    // Curve order, total count of valid points in the field.
-    n: BigInt('0xffffffffffffffffffffffff99def836146bc9b1b4d22831'),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012'),
-    Gy: BigInt('0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811'),
-    h: BigInt(1),
-    lowS: false,
-  } as const,
-  sha256
-);
-export const secp192r1 = P192;

curve-definitions/src/p224.ts

@@ -1,24 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
-import { sha256 } from '@noble/hashes/sha256';
-
-// NIST secp224r1 aka P224
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-224
-export const P224 = createCurve(
-  {
-    // Params: a, b
-    a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffffffffffe'),
-    b: BigInt('0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4'),
-    // Field over which we'll do calculations; 2n**224n - 2n**96n + 1n
-    P: BigInt('0xffffffffffffffffffffffffffffffff000000000000000000000001'),
-    // Curve order, total count of valid points in the field
-    n: BigInt('0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d'),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21'),
-    Gy: BigInt('0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34'),
-    h: BigInt(1),
-    lowS: false,
-  } as const,
-  sha256 // TODO: replace with sha224 when new @noble/hashes released
-);
-export const secp224r1 = P224;

curve-definitions/src/p256.ts

@@ -1,24 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
-import { sha256 } from '@noble/hashes/sha256';
-
-// NIST secp256r1 aka P256
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
-export const P256 = createCurve(
-  {
-    // Params: a, b
-    a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
-    b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
-    // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-    P: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
-    // Curve order, total count of valid points in the field
-    n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
-    Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-    h: BigInt(1),
-    lowS: false,
-  } as const,
-  sha256
-);
-export const secp256r1 = P256;

curve-definitions/src/p384.ts

@@ -1,22 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
-import { sha384 } from '@noble/hashes/sha512';
-
-// NIST secp384r1 aka P384
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
-// prettier-ignore
-export const P384 = createCurve({
-  // Params: a, b
-  a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
-  b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
-  // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-  P: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
-  // Curve order, total count of valid points in the field.
-  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha384);
-export const secp384r1 = P384;

curve-definitions/src/p521.ts

@@ -1,23 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
-import { sha512 } from '@noble/hashes/sha512';
-
-// NIST secp521r1 aka P521
-// Note that it's 521, which differs from 512 of its hash function.
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
-// prettier-ignore
-export const P521 = createCurve({
-  // Params: a, b
-  a: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
-  b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
-  // Field over which we'll do calculations; 2n**521n - 1n
-  P: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
-  // Curve order, total count of valid points in the field
-  n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
-  // Base point (x, y) aka generator point
-  Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
-  Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
-  h: BigInt(1),
-  lowS: false,
-} as const, sha512);
-export const secp521r1 = P521;

curve-definitions/src/secp256k1.ts

@@ -1,262 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { mod, pow2 } from '@noble/curves/modular';
-import { createCurve } from './_shortw_utils.js';
-import { PointType } from '@noble/curves/weierstrass';
-import {
-  ensureBytes,
-  concatBytes,
-  Hex,
-  hexToBytes,
-  bytesToNumberBE,
-  PrivKey,
-} from '@noble/curves/utils';
-import { randomBytes } from '@noble/hashes/utils';
-
-/**
- * secp256k1 belongs to Koblitz curves: it has
- * efficiently computable Frobenius endomorphism.
- * Endomorphism improves efficiency:
- * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
- * Should always be used for Jacobian's double-and-add multiplication.
- * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
- * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
- */
-
-const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
-const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
-
-/**
- * Allows to compute square root √y 2x faster.
- * To calculate √y, we need to exponentiate it to a very big number:
- * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
- * We are unwrapping the loop and multiplying it bit-by-bit.
- * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
- */
-// prettier-ignore
-function sqrtMod(y: bigint): bigint {
-  const P = secp256k1P;
-  const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11); const _22n = BigInt(22);
-  const _23n = BigInt(23), _44n = BigInt(44), _88n = BigInt(88);
-  const b2 = (y * y * y) % P; // x^3, 11
-  const b3 = (b2 * b2 * y) % P; // x^7
-  const b6 = (pow2(b3, _3n, P) * b3) % P;
-  const b9 = (pow2(b6, _3n, P) * b3) % P;
-  const b11 = (pow2(b9, _2n, P) * b2) % P;
-  const b22 = (pow2(b11, _11n, P) * b11) % P;
-  const b44 = (pow2(b22, _22n, P) * b22) % P;
-  const b88 = (pow2(b44, _44n, P) * b44) % P;
-  const b176 = (pow2(b88, _88n, P) * b88) % P;
-  const b220 = (pow2(b176, _44n, P) * b44) % P;
-  const b223 = (pow2(b220, _3n, P) * b3) % P;
-  const t1 = (pow2(b223, _23n, P) * b22) % P;
-  const t2 = (pow2(t1, _6n, P) * b2) % P;
-  return pow2(t2, _2n, P);
-}
-
-export const secp256k1 = createCurve(
-  {
-    // Params: a, b
-    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
-    a: BigInt(0),
-    b: BigInt(7),
-    // Field over which we'll do calculations;
-    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    P: secp256k1P,
-    // Curve order, total count of valid points in the field
-    n: secp256k1N,
-    // Base point (x, y) aka generator point
-    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
-    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
-    h: BigInt(1),
-    // Alllow only low-S signatures by default in sign() and verify()
-    lowS: true,
-    sqrtMod,
-    endo: {
-      // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
-      beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
-      splitScalar: (k: bigint) => {
-        const n = secp256k1N;
-        const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
-        const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
-        const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
-        const b2 = a1;
-        const POW_2_128 = BigInt('0x100000000000000000000000000000000');
-
-        const c1 = divNearest(b2 * k, n);
-        const c2 = divNearest(-b1 * k, n);
-        let k1 = mod(k - c1 * a1 - c2 * a2, n);
-        let k2 = mod(-c1 * b1 - c2 * b2, n);
-        const k1neg = k1 > POW_2_128;
-        const k2neg = k2 > POW_2_128;
-        if (k1neg) k1 = n - k1;
-        if (k2neg) k2 = n - k2;
-        if (k1 > POW_2_128 || k2 > POW_2_128) {
-          throw new Error('splitScalar: Endomorphism failed, k=' + k);
-        }
-        return { k1neg, k1, k2neg, k2 };
-      },
-    },
-  },
-  sha256
-);
-
-// Schnorr
-const _0n = BigInt(0);
-const numTo32b = secp256k1.utils._bigintToBytes;
-const numTo32bStr = secp256k1.utils._bigintToString;
-const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
-
-// TODO: export?
-function normalizePublicKey(publicKey: Hex | PointType): PointType {
-  if (publicKey instanceof secp256k1.Point) {
-    publicKey.assertValidity();
-    return publicKey;
-  } else {
-    const bytes = ensureBytes(publicKey);
-    // Schnorr is 32 bytes
-    if (bytes.length === 32) {
-      const x = bytesToNumberBE(bytes);
-      if (!isValidFieldElement(x)) throw new Error('Point is not on curve');
-      const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
-      let y = sqrtMod(y2); // y = y² ^ (p+1)/4
-      const isYOdd = (y & _1n) === _1n;
-      // Schnorr
-      if (isYOdd) y = mod(-y, secp256k1.CURVE.P);
-      const point = new secp256k1.Point(x, y);
-      point.assertValidity();
-      return point;
-    }
-    // Do we need that in schnorr at all?
-    return secp256k1.Point.fromHex(publicKey);
-  }
-}
-
-const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
-const isValidFieldElement = secp256k1.utils._isValidFieldElement;
-
-const TAGS = {
-  challenge: 'BIP0340/challenge',
-  aux: 'BIP0340/aux',
-  nonce: 'BIP0340/nonce',
-} as const;
-
-/** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
-const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
-export function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
-  let tagP = TAGGED_HASH_PREFIXES[tag];
-  if (tagP === undefined) {
-    const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
-    tagP = concatBytes(tagH, tagH);
-    TAGGED_HASH_PREFIXES[tag] = tagP;
-  }
-  return sha256(concatBytes(tagP, ...messages));
-}
-
-const toRawX = (point: PointType) => point.toRawBytes(true).slice(1);
-
-// Schnorr signatures are superior to ECDSA from above.
-// Below is Schnorr-specific code as per BIP0340.
-function schnorrChallengeFinalize(ch: Uint8Array): bigint {
-  return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
-}
-// Do we need this at all for Schnorr?
-class SchnorrSignature {
-  constructor(readonly r: bigint, readonly s: bigint) {
-    this.assertValidity();
-  }
-  static fromHex(hex: Hex) {
-    const bytes = ensureBytes(hex);
-    if (bytes.length !== 64)
-      throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
-    const r = bytesToNumberBE(bytes.subarray(0, 32));
-    const s = bytesToNumberBE(bytes.subarray(32, 64));
-    return new SchnorrSignature(r, s);
-  }
-  assertValidity() {
-    const { r, s } = this;
-    if (!isValidFieldElement(r) || !isWithinCurveOrder(s)) throw new Error('Invalid signature');
-  }
-  toHex(): string {
-    return numTo32bStr(this.r) + numTo32bStr(this.s);
-  }
-  toRawBytes(): Uint8Array {
-    return hexToBytes(this.toHex());
-  }
-}
-
-function schnorrGetScalar(priv: bigint) {
-  const point = secp256k1.Point.fromPrivateKey(priv);
-  const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
-  return { point, scalar, x: toRawX(point) };
-}
-/**
- * Synchronously creates Schnorr signature. Improved security: verifies itself before
- * producing an output.
- * @param msg message (not message hash)
- * @param privateKey private key
- * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
- */
-function schnorrSign(
-  message: Hex,
-  privateKey: PrivKey,
-  auxRand: Hex = randomBytes(32)
-): Uint8Array {
-  if (message == null) throw new TypeError(`sign: Expected valid message, not "${message}"`);
-  const m = ensureBytes(message);
-  // checks for isWithinCurveOrder
-  const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
-  const rand = ensureBytes(auxRand);
-  if (rand.length !== 32) throw new TypeError('sign: Expected 32 bytes of aux randomness');
-  const tag = taggedHash;
-  const t0h = tag(TAGS.aux, rand);
-  const t = numTo32b(d ^ bytesToNumberBE(t0h));
-  const k0h = tag(TAGS.nonce, t, px, m);
-  const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
-  if (k0 === _0n) throw new Error('sign: Creation of signature failed. k is zero');
-  const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
-  const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
-  const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
-  if (!schnorrVerify(sig, m, px)) throw new Error('sign: Invalid signature produced');
-  return sig;
-}
-
-/**
- * Verifies Schnorr signature synchronously.
- */
-function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
-  try {
-    const raw = signature instanceof SchnorrSignature;
-    const sig: SchnorrSignature = raw ? signature : SchnorrSignature.fromHex(signature);
-    if (raw) sig.assertValidity(); // just in case
-
-    const { r, s } = sig;
-    const m = ensureBytes(message);
-    const P = normalizePublicKey(publicKey);
-    const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
-    // Finalize
-    // R = s⋅G - e⋅P
-    // -eP == (n-e)P
-    const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(
-      P,
-      normalizePrivateKey(s),
-      mod(-e, secp256k1.CURVE.n)
-    );
-    if (!R || !R.hasEvenY() || R.x !== r) return false;
-    return true;
-  } catch (error) {
-    return false;
-  }
-}
-
-export const schnorr = {
-  Signature: SchnorrSignature,
-  // Schnorr's pubkey is just `x` of Point (BIP340)
-  getPublicKey: (privateKey: PrivKey): Uint8Array =>
-    toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
-  sign: schnorrSign,
-  verify: schnorrVerify,
-};

curve-definitions/src/stark.ts

@@ -1,269 +0,0 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { keccak_256 } from '@noble/hashes/sha3';
-import { sha256 } from '@noble/hashes/sha256';
-import { hmac } from '@noble/hashes/hmac';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { weierstrass, CHash, JacobianPointType } from '@noble/curves/weierstrass';
-import * as cutils from '@noble/curves/utils';
-
-// Stark-friendly elliptic curve
-// https://docs.starkware.co/starkex/stark-curve.html
-
-function getHash(hash: CHash) {
-  return {
-    hash,
-    hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(hash, key, concatBytes(...msgs)),
-    randomBytes,
-  };
-}
-
-const CURVE_N = BigInt(
-  '3618502788666131213697322783095070105526743751716087489154079457884512865583'
-);
-const nBitLength = 252;
-export const starkCurve = weierstrass({
-  // Params: a, b
-  a: BigInt(1),
-  b: BigInt('3141592653589793238462643383279502884197169399375105820974944592307816406665'),
-  // Field over which we'll do calculations; 2n**251n + 17n * 2n**192n + 1n
-  // There is no efficient sqrt for field (P%4==1)
-  P: BigInt('0x800000000000011000000000000000000000000000000000000000000000001'),
-  // Curve order, total count of valid points in the field.
-  n: CURVE_N,
-  nBitLength: nBitLength, // len(bin(N).replace('0b',''))
-  // Base point (x, y) aka generator point
-  Gx: BigInt('874739451078007766457464989774322083649278607533249481151382481072868806602'),
-  Gy: BigInt('152666792071518830868575557812948353041420400780739481342941381225525861407'),
-  h: BigInt(1),
-  // Default options
-  lowS: false,
-  ...getHash(sha256),
-  truncateHash: (hash: Uint8Array, truncateOnly = false): bigint => {
-    // TODO: cleanup, ugly code
-    // Fix truncation
-    if (!truncateOnly) {
-      let hashS = bytesToNumber0x(hash).toString(16);
-      if (hashS.length === 63) {
-        hashS += '0';
-        hash = hexToBytes0x(hashS);
-      }
-    }
-    // Truncate zero bytes on left (compat with elliptic)
-    while (hash[0] === 0) hash = hash.subarray(1);
-    const byteLength = hash.length;
-    const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-    let h = hash.length ? bytesToNumber0x(hash) : 0n;
-    if (delta > 0) h = h >> BigInt(delta);
-    if (!truncateOnly && h >= CURVE_N) h -= CURVE_N;
-    return h;
-  },
-});
-
-// Custom Starknet type conversion functions that can handle 0x and unpadded hex
-function hexToBytes0x(hex: string): Uint8Array {
-  if (typeof hex !== 'string') {
-    throw new TypeError('hexToBytes: expected string, got ' + typeof hex);
-  }
-  hex = strip0x(hex);
-  if (hex.length & 1) hex = '0' + hex; // padding
-  if (hex.length % 2) throw new Error('hexToBytes: received invalid unpadded hex ' + hex.length);
-  const array = new Uint8Array(hex.length / 2);
-  for (let i = 0; i < array.length; i++) {
-    const j = i * 2;
-    const hexByte = hex.slice(j, j + 2);
-    const byte = Number.parseInt(hexByte, 16);
-    if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
-    array[i] = byte;
-  }
-  return array;
-}
-function hexToNumber0x(hex: string): bigint {
-  if (typeof hex !== 'string') {
-    throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
-  }
-  // Big Endian
-  // TODO: strip vs no strip?
-  return BigInt(`0x${strip0x(hex)}`);
-}
-function bytesToNumber0x(bytes: Uint8Array): bigint {
-  return hexToNumber0x(cutils.bytesToHex(bytes));
-}
-function ensureBytes0x(hex: Hex): Uint8Array {
-  // Uint8Array.from() instead of hash.slice() because node.js Buffer
-  // is instance of Uint8Array, and its slice() creates **mutable** copy
-  return hex instanceof Uint8Array ? Uint8Array.from(hex) : hexToBytes0x(hex);
-}
-
-function sign0x(msgHash: Hex, privKey: Hex, opts: any) {
-  return starkCurve.sign(ensureBytes0x(msgHash), ensureBytes0x(privKey), opts);
-}
-function verify0x(signature: Hex, msgHash: Hex, pubKey: Hex) {
-  const sig = signature instanceof Signature ? signature : ensureBytes0x(signature);
-  return starkCurve.verify(sig, ensureBytes0x(msgHash), ensureBytes0x(pubKey));
-}
-
-const { CURVE, Point, JacobianPoint, Signature, getPublicKey, getSharedSecret } = starkCurve;
-export const utils = starkCurve.utils;
-export {
-  CURVE,
-  Point,
-  Signature,
-  JacobianPoint,
-  getPublicKey,
-  getSharedSecret,
-  sign0x as sign,
-  verify0x as verify,
-};
-
-const stripLeadingZeros = (s: string) => s.replace(/^0+/gm, '');
-export const bytesToHexEth = (uint8a: Uint8Array): string =>
-  `0x${stripLeadingZeros(cutils.bytesToHex(uint8a))}`;
-export const strip0x = (hex: string) => hex.replace(/^0x/i, '');
-export const numberToHexEth = (num: bigint | number) => `0x${num.toString(16)}`;
-
-// We accept hex strings besides Uint8Array for simplicity
-type Hex = Uint8Array | string;
-
-// 1. seed generation
-function hashKeyWithIndex(key: Uint8Array, index: number) {
-  let indexHex = cutils.numberToHexUnpadded(index);
-  if (indexHex.length & 1) indexHex = '0' + indexHex;
-  return bytesToNumber0x(sha256(cutils.concatBytes(key, hexToBytes0x(indexHex))));
-}
-
-export function grindKey(seed: Hex) {
-  const _seed = ensureBytes0x(seed);
-  const sha256mask = 2n ** 256n;
-  const limit = sha256mask - starkCurve.utils.mod(sha256mask, starkCurve.CURVE.n);
-  for (let i = 0; ; i++) {
-    const key = hashKeyWithIndex(_seed, i);
-    // key should be in [0, limit)
-    if (key < limit) return starkCurve.utils.mod(key, starkCurve.CURVE.n).toString(16);
-  }
-}
-
-export function getStarkKey(privateKey: Hex) {
-  const priv = typeof privateKey === 'string' ? strip0x(privateKey) : privateKey;
-  return bytesToHexEth(Point.fromPrivateKey(priv).toRawBytes(true).slice(1));
-}
-
-export function ethSigToPrivate(signature: string) {
-  signature = strip0x(signature.replace(/^0x/, ''));
-  if (signature.length !== 130) throw new Error('Wrong ethereum signature');
-  return grindKey(signature.substring(0, 64));
-}
-
-const MASK_31 = 2n ** 31n - 1n;
-const int31 = (n: bigint) => Number(n & MASK_31);
-export function getAccountPath(
-  layer: string,
-  application: string,
-  ethereumAddress: string,
-  index: number
-) {
-  const layerNum = int31(bytesToNumber0x(sha256(layer)));
-  const applicationNum = int31(bytesToNumber0x(sha256(application)));
-  const eth = hexToNumber0x(ethereumAddress);
-  return `m/2645'/${layerNum}'/${applicationNum}'/${int31(eth)}'/${int31(eth >> 31n)}'/${index}`;
-}
-
-// https://docs.starkware.co/starkex/pedersen-hash-function.html
-const PEDERSEN_POINTS = [
-  new Point(
-    2089986280348253421170679821480865132823066470938446095505822317253594081284n,
-    1713931329540660377023406109199410414810705867260802078187082345529207694986n
-  ),
-  new Point(
-    996781205833008774514500082376783249102396023663454813447423147977397232763n,
-    1668503676786377725805489344771023921079126552019160156920634619255970485781n
-  ),
-  new Point(
-    2251563274489750535117886426533222435294046428347329203627021249169616184184n,
-    1798716007562728905295480679789526322175868328062420237419143593021674992973n
-  ),
-  new Point(
-    2138414695194151160943305727036575959195309218611738193261179310511854807447n,
-    113410276730064486255102093846540133784865286929052426931474106396135072156n
-  ),
-  new Point(
-    2379962749567351885752724891227938183011949129833673362440656643086021394946n,
-    776496453633298175483985398648758586525933812536653089401905292063708816422n
-  ),
-];
-// for (const p of PEDERSEN_POINTS) p._setWindowSize(8);
-const PEDERSEN_POINTS_JACOBIAN = PEDERSEN_POINTS.map(JacobianPoint.fromAffine);
-
-function pedersenPrecompute(p1: JacobianPointType, p2: JacobianPointType): JacobianPointType[] {
-  const out: JacobianPointType[] = [];
-  let p = p1;
-  for (let i = 0; i < 248; i++) {
-    out.push(p);
-    p = p.double();
-  }
-  p = p2;
-  for (let i = 0; i < 4; i++) {
-    out.push(p);
-    p = p.double();
-  }
-  return out;
-}
-const PEDERSEN_POINTS1 = pedersenPrecompute(
-  PEDERSEN_POINTS_JACOBIAN[1],
-  PEDERSEN_POINTS_JACOBIAN[2]
-);
-const PEDERSEN_POINTS2 = pedersenPrecompute(
-  PEDERSEN_POINTS_JACOBIAN[3],
-  PEDERSEN_POINTS_JACOBIAN[4]
-);
-
-type PedersenArg = Hex | bigint | number;
-function pedersenArg(arg: PedersenArg): bigint {
-  let value: bigint;
-  if (typeof arg === 'bigint') value = arg;
-  else if (typeof arg === 'number') {
-    if (!Number.isSafeInteger(arg)) throw new Error(`Invalid pedersenArg: ${arg}`);
-    value = BigInt(arg);
-  } else value = bytesToNumber0x(ensureBytes0x(arg));
-  // [0..Fp)
-  if (!(0n <= value && value < starkCurve.CURVE.P))
-    throw new Error(`PedersenArg should be 0 <= value < CURVE.P: ${value}`);
-  return value;
-}
-
-function pedersenSingle(
-  point: JacobianPointType,
-  value: PedersenArg,
-  constants: JacobianPointType[]
-) {
-  let x = pedersenArg(value);
-  for (let j = 0; j < 252; j++) {
-    const pt = constants[j];
-    if (pt.x === point.x) throw new Error('Same point');
-    if ((x & 1n) !== 0n) point = point.add(pt);
-    x >>= 1n;
-  }
-  return point;
-}
-
-// shift_point + x_low * P_0 + x_high * P1 + y_low * P2  + y_high * P3
-export function pedersen(x: PedersenArg, y: PedersenArg) {
-  let point: JacobianPointType = PEDERSEN_POINTS_JACOBIAN[0];
-  point = pedersenSingle(point, x, PEDERSEN_POINTS1);
-  point = pedersenSingle(point, y, PEDERSEN_POINTS2);
-  return bytesToHexEth(point.toAffine().toRawBytes(true).slice(1));
-}
-
-export function hashChain(data: PedersenArg[], fn = pedersen) {
-  if (!Array.isArray(data) || data.length < 1)
-    throw new Error('data should be array of at least 1 element');
-  if (data.length === 1) return numberToHexEth(pedersenArg(data[0]));
-  return Array.from(data)
-    .reverse()
-    .reduce((acc, i) => fn(i, acc));
-}
-// Same as hashChain, but computes hash even for single element and order is not revesed
-export const computeHashOnElements = (data: PedersenArg[], fn = pedersen) =>
-  [0, ...data, data.length].reduce((x, y) => fn(x, y));
-
-const MASK_250 = 2n ** 250n - 1n;
-export const keccak = (data: Uint8Array) => bytesToNumber0x(keccak_256(data)) & MASK_250;

curve-definitions/test/basic.test.js

@@ -1,317 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import * as fc from 'fast-check';
-import * as mod from '@noble/curves/modular';
-import { randomBytes } from '@noble/hashes/utils';
-// Generic tests for all curves in package
-import { secp192r1 } from '../lib/p192.js';
-import { secp224r1 } from '../lib/p224.js';
-import { secp256r1 } from '../lib/p256.js';
-import { secp384r1 } from '../lib/p384.js';
-import { secp521r1 } from '../lib/p521.js';
-import { secp256k1 } from '../lib/secp256k1.js';
-import { ed25519, ed25519ctx, ed25519ph } from '../lib/ed25519.js';
-import { ed448, ed448ph } from '../lib/ed448.js';
-import { starkCurve } from '../lib/stark.js';
-import { pallas, vesta } from '../lib/pasta.js';
-import { bn254 } from '../lib/bn.js';
-import { jubjub } from '../lib/jubjub.js';
-
-// prettier-ignore
-const CURVES = {
-  secp192r1, secp224r1, secp256r1, secp384r1, secp521r1,
-  secp256k1,
-  ed25519, ed25519ctx, ed25519ph,
-  ed448, ed448ph,
-  starkCurve,
-  pallas, vesta,
-  bn254,
-  jubjub,
-};
-
-const NUM_RUNS = 5;
-const getXY = (p) => ({ x: p.x, y: p.y });
-
-function equal(a, b, comment) {
-  deepStrictEqual(a.equals(b), true, `eq(${comment})`);
-  if (a.toAffine && b.toAffine) {
-    deepStrictEqual(getXY(a.toAffine()), getXY(b.toAffine()), `eqToAffine(${comment})`);
-  } else if (!a.toAffine && !b.toAffine) {
-    // Already affine
-    deepStrictEqual(getXY(a), getXY(b), `eqAffine(${comment})`);
-  } else throw new Error('Different point types');
-}
-
-for (const name in CURVES) {
-  const C = CURVES[name];
-  const CURVE_ORDER = C.CURVE.n;
-  const FC_BIGINT = fc.bigInt(1n + 1n, CURVE_ORDER - 1n);
-
-  // Check that curve doesn't accept points from other curves
-  const O = name === 'secp256k1' ? secp256r1 : secp256k1;
-  const POINTS = {};
-  const OTHER_POINTS = {};
-  for (const name of ['Point', 'JacobianPoint', 'ExtendedPoint', 'ProjectivePoint']) {
-    POINTS[name] = C[name];
-    OTHER_POINTS[name] = O[name];
-  }
-
-  for (const pointName in POINTS) {
-    const p = POINTS[pointName];
-    const o = OTHER_POINTS[pointName];
-    if (!p) continue;
-
-    const G = [p.ZERO, p.BASE];
-    for (let i = 2; i < 10; i++) G.push(G[1].multiply(i));
-    // Here we check basic group laws, to verify that points works as group
-    should(`${name}/${pointName}/Basic group laws (zero)`, () => {
-      equal(G[0].double(), G[0], '(0*G).double() = 0');
-      equal(G[0].add(G[0]), G[0], '0*G + 0*G = 0');
-      equal(G[0].subtract(G[0]), G[0], '0*G - 0*G = 0');
-      equal(G[0].negate(), G[0], '-0 = 0');
-      for (let i = 0; i < G.length; i++) {
-        const p = G[i];
-        equal(p, p.add(G[0]), `${i}*G + 0 = ${i}*G`);
-        equal(G[0].multiply(i + 1), G[0], `${i + 1}*0 = 0`);
-      }
-    });
-    should(`${name}/${pointName}/Basic group laws (one)`, () => {
-      equal(G[1].double(), G[2], '(1*G).double() = 2*G');
-      equal(G[1].subtract(G[1]), G[0], '1*G - 1*G = 0');
-      equal(G[1].add(G[1]), G[2], '1*G + 1*G = 2*G');
-    });
-    should(`${name}/${pointName}/Basic group laws (sanity tests)`, () => {
-      equal(G[2].double(), G[4], `(2*G).double() = 4*G`);
-      equal(G[2].add(G[2]), G[4], `2*G + 2*G = 4*G`);
-      equal(G[7].add(G[3].negate()), G[4], `7*G - 3*G = 4*G`);
-    });
-    should(`${name}/${pointName}/Basic group laws (addition commutativity)`, () => {
-      equal(G[4].add(G[3]), G[3].add(G[4]), `4*G + 3*G = 3*G + 4*G`);
-      equal(G[4].add(G[3]), G[3].add(G[2]).add(G[2]), `4*G + 3*G = 3*G + 2*G + 2*G`);
-    });
-    should(`${name}/${pointName}/Basic group laws (double)`, () => {
-      equal(G[3].double(), G[6], '(3*G).double() = 6*G');
-    });
-    should(`${name}/${pointName}/Basic group laws (multiply)`, () => {
-      equal(G[2].multiply(3), G[6], '(2*G).multiply(3) = 6*G');
-    });
-    should(`${name}/${pointName}/Basic group laws (same point addition)`, () => {
-      equal(G[3].add(G[3]), G[6], `3*G + 3*G = 6*G`);
-    });
-    should(`${name}/${pointName}/Basic group laws (same point (negative) addition)`, () => {
-      equal(G[3].add(G[3].negate()), G[0], '3*G + (- 3*G) = 0*G');
-      equal(G[3].subtract(G[3]), G[0], '3*G - 3*G = 0*G');
-    });
-    should(`${name}/${pointName}/Basic group laws (curve order)`, () => {
-      equal(G[1].multiply(CURVE_ORDER - 1n).add(G[1]), G[0], '(N-1)*G + G = 0');
-      equal(G[1].multiply(CURVE_ORDER - 1n).add(G[2]), G[1], '(N-1)*G + 2*G = 1*G');
-      equal(G[1].multiply(CURVE_ORDER - 2n).add(G[2]), G[0], '(N-2)*G + 2*G = 0');
-      const half = CURVE_ORDER / 2n;
-      const carry = CURVE_ORDER % 2n === 1n ? G[1] : G[0];
-      equal(G[1].multiply(half).double().add(carry), G[0], '((N/2) * G).double() = 0');
-    });
-    should(`${name}/${pointName}/Basic group laws (inversion)`, () => {
-      const a = 1234n;
-      const b = 5678n;
-      const c = a * b;
-      equal(G[1].multiply(a).multiply(b), G[1].multiply(c), 'a*b*G = c*G');
-      const inv = mod.invert(b, CURVE_ORDER);
-      equal(G[1].multiply(c).multiply(inv), G[1].multiply(a), 'c*G * (1/b)*G = a*G');
-    });
-    should(`${name}/${pointName}/Basic group laws (multiply, rand)`, () =>
-      fc.assert(
-        fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
-          const c = mod.mod(a + b, CURVE_ORDER);
-          if (c === CURVE_ORDER || c < 1n) return;
-          const pA = G[1].multiply(a);
-          const pB = G[1].multiply(b);
-          const pC = G[1].multiply(c);
-          equal(pA.add(pB), pB.add(pA), `pA + pB = pB + pA`);
-          equal(pA.add(pB), pC, `pA + pB = pC`);
-        }),
-        { numRuns: NUM_RUNS }
-      )
-    );
-    should(`${name}/${pointName}/Basic group laws (multiply2, rand)`, () =>
-      fc.assert(
-        fc.property(FC_BIGINT, FC_BIGINT, (a, b) => {
-          const c = mod.mod(a * b, CURVE_ORDER);
-          const pA = G[1].multiply(a);
-          const pB = G[1].multiply(b);
-          equal(pA.multiply(b), pB.multiply(a), `b*pA = a*pB`);
-          equal(pA.multiply(b), G[1].multiply(c), `b*pA = c*G`);
-        }),
-        { numRuns: NUM_RUNS }
-      )
-    );
-
-    for (const op of ['add', 'subtract']) {
-      should(`${name}/${pointName}/${op} type check`, () => {
-        throws(() => G[1][op](0), '0');
-        throws(() => G[1][op](0n), '0n');
-        G[1][op](G[2]);
-        throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
-        throws(() => G[1][op](123.456), '123.456');
-        throws(() => G[1][op](true), 'true');
-        throws(() => G[1][op]('1'), "'1'");
-        throws(() => G[1][op]({ x: 1n, y: 1n, z: 1n, t: 1n }), '{ x: 1n, y: 1n, z: 1n, t: 1n }');
-        throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
-        throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
-        throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
-        throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
-        if (G[1].toAffine) throws(() => G[1][op](C.Point.BASE), `Point ${op} ${pointName}`);
-        throws(() => G[1][op](o.BASE), `${op}/other curve point`);
-      });
-    }
-
-    should(`${name}/${pointName}/equals type check`, () => {
-      throws(() => G[1].equals(0), '0');
-      throws(() => G[1].equals(0n), '0n');
-      deepStrictEqual(G[1].equals(G[2]), false, '1*G != 2*G');
-      deepStrictEqual(G[1].equals(G[1]), true, '1*G == 1*G');
-      deepStrictEqual(G[2].equals(G[2]), true, '2*G == 2*G');
-      throws(() => G[1].equals(CURVE_ORDER), 'CURVE_ORDER');
-      throws(() => G[1].equals(123.456), '123.456');
-      throws(() => G[1].equals(true), 'true');
-      throws(() => G[1].equals('1'), "'1'");
-      throws(() => G[1].equals({ x: 1n, y: 1n, z: 1n, t: 1n }), '{ x: 1n, y: 1n, z: 1n, t: 1n }');
-      throws(() => G[1].equals(new Uint8Array([])), 'ui8a([])');
-      throws(() => G[1].equals(new Uint8Array([0])), 'ui8a([0])');
-      throws(() => G[1].equals(new Uint8Array([1])), 'ui8a([1])');
-      throws(() => G[1].equals(new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
-      if (G[1].toAffine) throws(() => G[1].equals(C.Point.BASE), `Point.equals(${pointName})`);
-      throws(() => G[1].equals(o.BASE), 'other curve point');
-    });
-
-    for (const op of ['multiply', 'multiplyUnsafe']) {
-      if (!p.BASE[op]) continue;
-      should(`${name}/${pointName}/${op} type check`, () => {
-        if (op !== 'multiplyUnsafe') {
-          throws(() => G[1][op](0), '0');
-          throws(() => G[1][op](0n), '0n');
-        }
-        G[1][op](1n);
-        G[1][op](CURVE_ORDER - 1n);
-        throws(() => G[1][op](G[2]), 'G[2]');
-        throws(() => G[1][op](CURVE_ORDER), 'CURVE_ORDER');
-        throws(() => G[1][op](CURVE_ORDER + 1n), 'CURVE_ORDER+1');
-        throws(() => G[1][op](123.456), '123.456');
-        throws(() => G[1][op](true), 'true');
-        throws(() => G[1][op]('1'), '1');
-        throws(() => G[1][op](new Uint8Array([])), 'ui8a([])');
-        throws(() => G[1][op](new Uint8Array([0])), 'ui8a([0])');
-        throws(() => G[1][op](new Uint8Array([1])), 'ui8a([1])');
-        throws(() => G[1][op](new Uint8Array(4096).fill(1)), 'ui8a(4096*[1])');
-        throws(() => G[1][op](o.BASE), 'other curve point');
-      });
-    }
-    // Complex point (Extended/Jacobian/Projective?)
-    if (p.BASE.toAffine) {
-      should(`${name}/${pointName}/toAffine()`, () => {
-        equal(p.ZERO.toAffine(), C.Point.ZERO, `0 = 0`);
-        equal(p.BASE.toAffine(), C.Point.BASE, `1 = 1`);
-      });
-    }
-    if (p.fromAffine) {
-      should(`${name}/${pointName}/fromAffine()`, () => {
-        equal(p.ZERO, p.fromAffine(C.Point.ZERO), `0 = 0`);
-        equal(p.BASE, p.fromAffine(C.Point.BASE), `1 = 1`);
-      });
-    }
-    // toHex/fromHex (if available)
-    if (p.fromHex && p.BASE.toHex) {
-      should(`${name}/${pointName}/fromHex(toHex()) roundtrip`, () => {
-        fc.assert(
-          fc.property(FC_BIGINT, (x) => {
-            const hex = p.BASE.multiply(x).toHex();
-            deepStrictEqual(p.fromHex(hex).toHex(), hex);
-          })
-        );
-      });
-    }
-  }
-  // Generic complex things (getPublicKey/sign/verify/getSharedSecret)
-  should(`${name}/getPublicKey type check`, () => {
-    throws(() => C.getPublicKey(0), '0');
-    throws(() => C.getPublicKey(0n), '0n');
-    throws(() => C.getPublicKey(false), 'false');
-    throws(() => C.getPublicKey(123.456), '123.456');
-    throws(() => C.getPublicKey(true), 'true');
-    throws(() => C.getPublicKey(''), "''");
-    // NOTE: passes because of disabled hex padding checks for starknet, maybe enable?
-    //throws(() => C.getPublicKey('1'), "'1'");
-    throws(() => C.getPublicKey('key'), "'key'");
-    throws(() => C.getPublicKey(new Uint8Array([])));
-    throws(() => C.getPublicKey(new Uint8Array([0])));
-    throws(() => C.getPublicKey(new Uint8Array([1])));
-    throws(() => C.getPublicKey(new Uint8Array(4096).fill(1)));
-  });
-  should(`${name}.verify()/should verify random signatures`, () =>
-    fc.assert(
-      fc.property(fc.hexaString({ minLength: 64, maxLength: 64 }), (msg) => {
-        const priv = C.utils.randomPrivateKey();
-        const pub = C.getPublicKey(priv);
-        const sig = C.sign(msg, priv);
-        deepStrictEqual(C.verify(sig, msg, pub), true);
-      }),
-      { numRuns: NUM_RUNS }
-    )
-  );
-  should(`${name}.sign()/edge cases`, () => {
-    throws(() => C.sign());
-    throws(() => C.sign(''));
-  });
-
-  should(`${name}.verify()/should not verify signature with wrong hash`, () => {
-    const MSG = '01'.repeat(32);
-    const PRIV_KEY = 0x2n;
-    const WRONG_MSG = '11'.repeat(32);
-    const signature = C.sign(MSG, PRIV_KEY);
-    const publicKey = C.getPublicKey(PRIV_KEY);
-    deepStrictEqual(C.verify(signature, WRONG_MSG, publicKey), false);
-  });
-  // NOTE: fails for ed, because of empty message. Since we convert it to scalar,
-  // need to check what other implementations do. Empty message != new Uint8Array([0]), but what scalar should be in that case?
-  // should(`${name}/should not verify signature with wrong message`, () => {
-  //   fc.assert(
-  //     fc.property(
-  //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
-  //       fc.array(fc.integer({ min: 0x00, max: 0xff })),
-  //       (bytes, wrongBytes) => {
-  //         const privKey = C.utils.randomPrivateKey();
-  //         const message = new Uint8Array(bytes);
-  //         const wrongMessage = new Uint8Array(wrongBytes);
-  //         const publicKey = C.getPublicKey(privKey);
-  //         const signature = C.sign(message, privKey);
-  //         deepStrictEqual(
-  //           C.verify(signature, wrongMessage, publicKey),
-  //           bytes.toString() === wrongBytes.toString()
-  //         );
-  //       }
-  //     ),
-  //     { numRuns: NUM_RUNS }
-  //   );
-  // });
-
-  if (C.getSharedSecret) {
-    should(`${name}/getSharedSecret() should be commutative`, () => {
-      for (let i = 0; i < NUM_RUNS; i++) {
-        const asec = C.utils.randomPrivateKey();
-        const apub = C.getPublicKey(asec);
-        const bsec = C.utils.randomPrivateKey();
-        const bpub = C.getPublicKey(bsec);
-        try {
-          deepStrictEqual(C.getSharedSecret(asec, bpub), C.getSharedSecret(bsec, apub));
-        } catch (error) {
-          console.error('not commutative', { asec, apub, bsec, bpub });
-          throw error;
-        }
-      }
-    });
-  }
-}
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/ed25519.test.js

@@ -1,657 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import * as fc from 'fast-check';
-import { ed25519, ed25519ctx, ed25519ph, x25519, RistrettoPoint } from '../lib/ed25519.js';
-import { readFileSync } from 'fs';
-import { default as zip215 } from './ed25519/zip215.json' assert { type: 'json' };
-import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
-import { numberToBytesLE } from '@noble/curves/utils';
-import { sha512 } from '@noble/hashes/sha512';
-import { default as ed25519vectors } from './wycheproof/eddsa_test.json' assert { type: 'json' };
-import { default as x25519vectors } from './wycheproof/x25519_test.json' assert { type: 'json' };
-
-const ed = ed25519;
-const hex = bytesToHex;
-
-function to32Bytes(numOrStr) {
-  let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
-  return hexToBytes(hex.padStart(64, '0'));
-}
-
-function utf8ToBytes(str) {
-  if (typeof str !== 'string') {
-    throw new TypeError(`utf8ToBytes expected string, got ${typeof str}`);
-  }
-  return new TextEncoder().encode(str);
-}
-
-ed.utils.precompute(8);
-
-should('ed25519/should not accept >32byte private keys', () => {
-  const invalidPriv =
-    100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
-  throws(() => ed.getPublicKey(invalidPriv));
-});
-should('ed25519/should verify recent signature', () => {
-  fc.assert(
-    fc.property(
-      fc.hexaString({ minLength: 2, maxLength: 32 }),
-      fc.bigInt(2n, ed.CURVE.n),
-      (message, privateKey) => {
-        const publicKey = ed.getPublicKey(to32Bytes(privateKey));
-        const signature = ed.sign(to32Bytes(message), to32Bytes(privateKey));
-        deepStrictEqual(publicKey.length, 32);
-        deepStrictEqual(signature.length, 64);
-        deepStrictEqual(ed.verify(signature, to32Bytes(message), publicKey), true);
-      }
-    ),
-    { numRuns: 5 }
-  );
-});
-should('ed25519/should not verify signature with wrong message', () => {
-  fc.assert(
-    fc.property(
-      fc.array(fc.integer({ min: 0x00, max: 0xff })),
-      fc.array(fc.integer({ min: 0x00, max: 0xff })),
-      fc.bigInt(1n, ed.CURVE.n),
-      (bytes, wrongBytes, privateKey) => {
-        const privKey = to32Bytes(privateKey);
-        const message = new Uint8Array(bytes);
-        const wrongMessage = new Uint8Array(wrongBytes);
-        const publicKey = ed.getPublicKey(privKey);
-        const signature = ed.sign(message, privKey);
-        deepStrictEqual(
-          ed.verify(signature, wrongMessage, publicKey),
-          bytes.toString() === wrongBytes.toString()
-        );
-      }
-    ),
-    { numRuns: 5 }
-  );
-});
-const privKey = to32Bytes('a665a45920422f9d417e4867ef');
-const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
-const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
-should('ed25519/basic methods/should sign and verify', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
-});
-should('ed25519/basic methods/should not verify signature with wrong public key', () => {
-  const publicKey = ed.getPublicKey(12);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
-});
-should('ed25519/basic methods/should not verify signature with wrong hash', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
-});
-
-should('ed25519/sync methods/should sign and verify', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
-});
-should('ed25519/sync methods/should not verify signature with wrong public key', () => {
-  const publicKey = ed.getPublicKey(12);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
-});
-should('ed25519/sync methods/should not verify signature with wrong hash', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
-});
-
-// https://xmr.llcoins.net/addresstests.html
-should(
-  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 1',
-  () => {
-    const publicKey =
-      ed.Point.BASE.multiply(0x90af56259a4b6bfbc4337980d5d75fbe3c074630368ff3804d33028e5dbfa77n);
-    deepStrictEqual(
-      publicKey.toHex(),
-      '0f3b913371411b27e646b537e888f685bf929ea7aab93c950ed84433f064480d'
-    );
-  }
-);
-should(
-  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 2',
-  () => {
-    const publicKey =
-      ed.Point.BASE.multiply(0x364e8711a60780382a5d57b061c126f039940f28a9e91fe039d4d3094d8b88n);
-    deepStrictEqual(
-      publicKey.toHex(),
-      'ad545340b58610f0cd62f17d55af1ab11ecde9c084d5476865ddb4dbda015349'
-    );
-  }
-);
-should(
-  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 3',
-  () => {
-    const publicKey =
-      ed.Point.BASE.multiply(0xb9bf90ff3abec042752cac3a07a62f0c16cfb9d32a3fc2305d676ec2d86e941n);
-    deepStrictEqual(
-      publicKey.toHex(),
-      'e097c4415fe85724d522b2e449e8fd78dd40d20097bdc9ae36fe8ec6fe12cb8c'
-    );
-  }
-);
-should(
-  'ed25519/BASE_POINT.multiply()/should create right publicKey without SHA-512 hashing TEST 4',
-  () => {
-    const publicKey =
-      ed.Point.BASE.multiply(0x69d896f02d79524c9878e080308180e2859d07f9f54454e0800e8db0847a46en);
-    deepStrictEqual(
-      publicKey.toHex(),
-      'f12cb7c43b59971395926f278ce7c2eaded9444fbce62ca717564cb508a0db1d'
-    );
-  }
-);
-should('ed25519/BASE_POINT.multiply()/should throw Point#multiply on TEST 5', () => {
-  for (const num of [0n, 0, -1n, -1, 1.1]) {
-    throws(() => ed.Point.BASE.multiply(num));
-  }
-});
-
-// https://ed25519.cr.yp.to/python/sign.py
-// https://ed25519.cr.yp.to/python/sign.input
-const data = readFileSync('./test/ed25519/vectors.txt', 'utf-8');
-const vectors = data
-  .trim()
-  .split('\n')
-  .map((line) => line.split(':'));
-should('ed25519 official vectors/should match 1024 official vectors', () => {
-  for (let i = 0; i < vectors.length; i++) {
-    const vector = vectors[i];
-    // Extract.
-    const priv = vector[0].slice(0, 64);
-    const expectedPub = vector[1];
-    const msg = vector[2];
-    const expectedSignature = vector[3].slice(0, 128);
-
-    // Calculate
-    const pub = ed.getPublicKey(to32Bytes(priv));
-    deepStrictEqual(hex(pub), expectedPub);
-    deepStrictEqual(pub, ed.Point.fromHex(pub).toRawBytes());
-
-    const signature = hex(ed.sign(msg, priv));
-    // console.log('vector', i);
-    // expect(pub).toBe(expectedPub);
-    deepStrictEqual(signature, expectedSignature);
-  }
-});
-
-// https://tools.ietf.org/html/rfc8032#section-7
-should('rfc8032 vectors/should create right signature for 0x9d and empty string', () => {
-  const privateKey = '9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60';
-  const publicKey = ed.getPublicKey(privateKey);
-  const message = '';
-  const signature = ed.sign(message, privateKey);
-  deepStrictEqual(
-    hex(publicKey),
-    'd75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a'
-  );
-  deepStrictEqual(
-    hex(signature),
-    'e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b'
-  );
-});
-should('rfc8032 vectors/should create right signature for 0x4c and 72', () => {
-  const privateKey = '4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb';
-  const publicKey = ed.getPublicKey(privateKey);
-  const message = '72';
-  const signature = ed.sign(message, privateKey);
-  deepStrictEqual(
-    hex(publicKey),
-    '3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c'
-  );
-  deepStrictEqual(
-    hex(signature),
-    '92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00'
-  );
-});
-should('rfc8032 vectors/should create right signature for 0x00 and 5a', () => {
-  const privateKey = '002fdd1f7641793ab064bb7aa848f762e7ec6e332ffc26eeacda141ae33b1783';
-  const publicKey = ed.getPublicKey(privateKey);
-  const message =
-    '5ac1dfc324f43e6cb79a87ab0470fa857b51fb944982e19074ca44b1e40082c1d07b92efa7ea55ad42b7c027e0b9e33756d95a2c1796a7c2066811dc41858377d4b835c1688d638884cd2ad8970b74c1a54aadd27064163928a77988b24403aa85af82ceab6b728e554761af7175aeb99215b7421e4474c04d213e01ff03e3529b11077cdf28964b8c49c5649e3a46fa0a09dcd59dcad58b9b922a83210acd5e65065531400234f5e40cddcf9804968e3e9ac6f5c44af65001e158067fc3a660502d13fa8874fa93332138d9606bc41b4cee7edc39d753dae12a873941bb357f7e92a4498847d6605456cb8c0b425a47d7d3ca37e54e903a41e6450a35ebe5237c6f0c1bbbc1fd71fb7cd893d189850295c199b7d88af26bc8548975fda1099ffefee42a52f3428ddff35e0173d3339562507ac5d2c45bbd2c19cfe89b';
-  const signature = ed.sign(message, privateKey);
-  deepStrictEqual(
-    hex(publicKey),
-    '77d1d8ebacd13f4e2f8a40e28c4a63bc9ce3bfb69716334bcb28a33eb134086c'
-  );
-  deepStrictEqual(
-    hex(signature),
-    '0df3aa0d0999ad3dc580378f52d152700d5b3b057f56a66f92112e441e1cb9123c66f18712c87efe22d2573777296241216904d7cdd7d5ea433928bd2872fa0c'
-  );
-});
-should('rfc8032 vectors/should create right signature for 0xf5 and long msg', () => {
-  const privateKey = 'f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5';
-  const publicKey = ed.getPublicKey(privateKey);
-  const message =
-    '08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0';
-  const signature = ed.sign(message, privateKey);
-  deepStrictEqual(
-    hex(publicKey),
-    '278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e'
-  );
-  deepStrictEqual(
-    hex(signature),
-    '0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03'
-  );
-});
-
-// const PRIVATE_KEY = 0xa665a45920422f9d417e4867efn;
-// const MESSAGE = ripemd160(new Uint8Array([97, 98, 99, 100, 101, 102, 103]));
-// prettier-ignore
-// const MESSAGE = new Uint8Array([
-//   135, 79, 153, 96, 197, 210, 183, 169, 181, 250, 211, 131, 225, 186, 68, 113, 158, 187, 116, 58,
-// ]);
-// const WRONG_MESSAGE = ripemd160(new Uint8Array([98, 99, 100, 101, 102, 103]));
-// prettier-ignore
-// const WRONG_MESSAGE = new Uint8Array([
-//   88, 157, 140, 127, 29, 160, 162, 75, 192, 123, 115, 129, 173, 72, 177, 207, 194, 17, 175, 28,
-// ]);
-// // it("should verify just signed message", async () => {
-// //   await fc.assert(fc.asyncProperty(
-// //     fc.hexa(),
-// //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
-// //     async (message, privateKey) => {
-// //       const publicKey = await ristretto25519.getPublicKey(privateKey);
-// //       const signature = await ristretto25519.sign(message, privateKey);
-// //       expect(publicKey.length).toBe(32);
-// //       expect(signature.length).toBe(64);
-// //       expect(await ristretto25519.verify(signature, message, publicKey)).toBe(true);
-// //     }),
-// //    { numRuns: 1 }
-// //   );
-// // });
-// // it("should not verify sign with wrong message", async () => {
-// //   await fc.assert(fc.asyncProperty(
-// //     fc.array(fc.integer(0x00, 0xff)),
-// //     fc.array(fc.integer(0x00, 0xff)),
-// //     fc.bigInt(2n, ristretto25519.PRIME_ORDER),
-// //     async (bytes, wrongBytes, privateKey) => {
-// //       const message = new Uint8Array(bytes);
-// //       const wrongMessage = new Uint8Array(wrongBytes);
-// //       const publicKey = await ristretto25519.getPublicKey(privateKey);
-// //       const signature = await ristretto25519.sign(message, privateKey);
-// //       expect(await ristretto25519.verify(signature, wrongMessage, publicKey)).toBe(
-// //         bytes.toString() === wrongBytes.toString()
-// //       );
-// //     }),
-// //    { numRuns: 1 }
-// //   );
-// // });
-// // it("should sign and verify", async () => {
-// //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
-// //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
-// //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(true);
-// // });
-// // it("should not verify signature with wrong public key", async () => {
-// //   const publicKey = await ristretto25519.getPublicKey(12);
-// //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
-// //   expect(await ristretto25519.verify(signature, MESSAGE, publicKey)).toBe(false);
-// // });
-// // it("should not verify signature with wrong hash", async () => {
-// //   const publicKey = await ristretto25519.getPublicKey(PRIVATE_KEY);
-// //   const signature = await ristretto25519.sign(MESSAGE, PRIVATE_KEY);
-// //   expect(await ristretto25519.verify(signature, WRONG_MESSAGE, publicKey)).toBe(false);
-// // });
-should('ristretto255/should follow the byte encodings of small multiples', () => {
-  const encodingsOfSmallMultiples = [
-    // This is the identity point
-    '0000000000000000000000000000000000000000000000000000000000000000',
-    // This is the basepoint
-    'e2f2ae0a6abc4e71a884a961c500515f58e30b6aa582dd8db6a65945e08d2d76',
-    // These are small multiples of the basepoint
-    '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919',
-    '94741f5d5d52755ece4f23f044ee27d5d1ea1e2bd196b462166b16152a9d0259',
-    'da80862773358b466ffadfe0b3293ab3d9fd53c5ea6c955358f568322daf6a57',
-    'e882b131016b52c1d3337080187cf768423efccbb517bb495ab812c4160ff44e',
-    'f64746d3c92b13050ed8d80236a7f0007c3b3f962f5ba793d19a601ebb1df403',
-    '44f53520926ec81fbd5a387845beb7df85a96a24ece18738bdcfa6a7822a176d',
-    '903293d8f2287ebe10e2374dc1a53e0bc887e592699f02d077d5263cdd55601c',
-    '02622ace8f7303a31cafc63f8fc48fdc16e1c8c8d234b2f0d6685282a9076031',
-    '20706fd788b2720a1ed2a5dad4952b01f413bcf0e7564de8cdc816689e2db95f',
-    'bce83f8ba5dd2fa572864c24ba1810f9522bc6004afe95877ac73241cafdab42',
-    'e4549ee16b9aa03099ca208c67adafcafa4c3f3e4e5303de6026e3ca8ff84460',
-    'aa52e000df2e16f55fb1032fc33bc42742dad6bd5a8fc0be0167436c5948501f',
-    '46376b80f409b29dc2b5f6f0c52591990896e5716f41477cd30085ab7f10301e',
-    'e0c418f7c8d9c4cdd7395b93ea124f3ad99021bb681dfc3302a9d99a2e53e64e',
-  ];
-  let B = RistrettoPoint.BASE;
-  let P = RistrettoPoint.ZERO;
-  for (const encoded of encodingsOfSmallMultiples) {
-    deepStrictEqual(P.toHex(), encoded);
-    deepStrictEqual(RistrettoPoint.fromHex(encoded).toHex(), encoded);
-    P = P.add(B);
-  }
-});
-should('ristretto255/should not convert bad bytes encoding', () => {
-  const badEncodings = [
-    // These are all bad because they're non-canonical field encodings.
-    '00ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
-    'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-    'f3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-    'edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-    // These are all bad because they're negative field elements.
-    '0100000000000000000000000000000000000000000000000000000000000000',
-    '01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-    'ed57ffd8c914fb201471d1c3d245ce3c746fcbe63a3679d51b6a516ebebe0e20',
-    'c34c4e1826e5d403b78e246e88aa051c36ccf0aafebffe137d148a2bf9104562',
-    'c940e5a4404157cfb1628b108db051a8d439e1a421394ec4ebccb9ec92a8ac78',
-    '47cfc5497c53dc8e61c91d17fd626ffb1c49e2bca94eed052281b510b1117a24',
-    'f1c6165d33367351b0da8f6e4511010c68174a03b6581212c71c0e1d026c3c72',
-    '87260f7a2f12495118360f02c26a470f450dadf34a413d21042b43b9d93e1309',
-    // These are all bad because they give a nonsquare x^2.
-    '26948d35ca62e643e26a83177332e6b6afeb9d08e4268b650f1f5bbd8d81d371',
-    '4eac077a713c57b4f4397629a4145982c661f48044dd3f96427d40b147d9742f',
-    'de6a7b00deadc788eb6b6c8d20c0ae96c2f2019078fa604fee5b87d6e989ad7b',
-    'bcab477be20861e01e4a0e295284146a510150d9817763caf1a6f4b422d67042',
-    '2a292df7e32cababbd9de088d1d1abec9fc0440f637ed2fba145094dc14bea08',
-    'f4a9e534fc0d216c44b218fa0c42d99635a0127ee2e53c712f70609649fdff22',
-    '8268436f8c4126196cf64b3c7ddbda90746a378625f9813dd9b8457077256731',
-    '2810e5cbc2cc4d4eece54f61c6f69758e289aa7ab440b3cbeaa21995c2f4232b',
-    // These are all bad because they give a negative xy value.
-    '3eb858e78f5a7254d8c9731174a94f76755fd3941c0ac93735c07ba14579630e',
-    'a45fdc55c76448c049a1ab33f17023edfb2be3581e9c7aade8a6125215e04220',
-    'd483fe813c6ba647ebbfd3ec41adca1c6130c2beeee9d9bf065c8d151c5f396e',
-    '8a2e1d30050198c65a54483123960ccc38aef6848e1ec8f5f780e8523769ba32',
-    '32888462f8b486c68ad7dd9610be5192bbeaf3b443951ac1a8118419d9fa097b',
-    '227142501b9d4355ccba290404bde41575b037693cef1f438c47f8fbf35d1165',
-    '5c37cc491da847cfeb9281d407efc41e15144c876e0170b499a96a22ed31e01e',
-    '445425117cb8c90edcbc7c1cc0e74f747f2c1efa5630a967c64f287792a48a4b',
-    // This is s = -1, which causes y = 0.
-    'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
-  ];
-  for (const badBytes of badEncodings) {
-    const b = hexToBytes(badBytes);
-    throws(() => RistrettoPoint.fromHex(b), badBytes);
-  }
-});
-should('ristretto255/should create right points from uniform hash', async () => {
-  const labels = [
-    'Ristretto is traditionally a short shot of espresso coffee',
-    'made with the normal amount of ground coffee but extracted with',
-    'about half the amount of water in the same amount of time',
-    'by using a finer grind.',
-    'This produces a concentrated shot of coffee per volume.',
-    'Just pulling a normal shot short will produce a weaker shot',
-    'and is not a Ristretto as some believe.',
-  ];
-  const encodedHashToPoints = [
-    '3066f82a1a747d45120d1740f14358531a8f04bbffe6a819f86dfe50f44a0a46',
-    'f26e5b6f7d362d2d2a94c5d0e7602cb4773c95a2e5c31a64f133189fa76ed61b',
-    '006ccd2a9e6867e6a2c5cea83d3302cc9de128dd2a9a57dd8ee7b9d7ffe02826',
-    'f8f0c87cf237953c5890aec3998169005dae3eca1fbb04548c635953c817f92a',
-    'ae81e7dedf20a497e10c304a765c1767a42d6e06029758d2d7e8ef7cc4c41179',
-    'e2705652ff9f5e44d3e841bf1c251cf7dddb77d140870d1ab2ed64f1a9ce8628',
-    '80bd07262511cdde4863f8a7434cef696750681cb9510eea557088f76d9e5065',
-  ];
-
-  for (let i = 0; i < labels.length; i++) {
-    const hash = sha512(utf8ToBytes(labels[i]));
-    const point = RistrettoPoint.hashToCurve(hash);
-    deepStrictEqual(point.toHex(), encodedHashToPoints[i]);
-  }
-});
-
-should('input immutability: sign/verify are immutable', () => {
-  const privateKey = ed.utils.randomPrivateKey();
-  const publicKey = ed.getPublicKey(privateKey);
-
-  for (let i = 0; i < 100; i++) {
-    let payload = randomBytes(100);
-    let signature = ed.sign(payload, privateKey);
-    if (!ed.verify(signature, payload, publicKey)) {
-      throw new Error('Signature verification failed');
-    }
-    const signatureCopy = Buffer.alloc(signature.byteLength);
-    signatureCopy.set(signature, 0); // <-- breaks
-    payload = payload.slice();
-    signature = signature.slice();
-
-    if (!ed.verify(signatureCopy, payload, publicKey))
-      throw new Error('Copied signature verification failed');
-  }
-});
-
-// https://zips.z.cash/zip-0215
-// Vectors from https://gist.github.com/hdevalence/93ed42d17ecab8e42138b213812c8cc7
-should('ZIP-215 compliance tests/should pass all of them', () => {
-  const str = utf8ToBytes('Zcash');
-  for (let v of zip215) {
-    let noble = false;
-    try {
-      noble = ed.verify(v.sig_bytes, str, v.vk_bytes);
-    } catch (e) {
-      noble = false;
-    }
-    deepStrictEqual(noble, v.valid_zip215);
-  }
-});
-should('ZIP-215 compliance tests/disallows sig.s >= CURVE.n', () => {
-  const sig = new ed.Signature(ed.Point.BASE, 1n);
-  sig.s = ed.CURVE.n + 1n;
-  throws(() => ed.verify(sig, 'deadbeef', ed.Point.BASE));
-});
-
-const rfc7748Mul = [
-  {
-    scalar: 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4',
-    u: 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c',
-    outputU: 'c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552',
-  },
-  {
-    scalar: '4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d',
-    u: 'e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493',
-    outputU: '95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957',
-  },
-];
-for (let i = 0; i < rfc7748Mul.length; i++) {
-  const v = rfc7748Mul[i];
-  should(`RFC7748: scalarMult (${i})`, () => {
-    deepStrictEqual(hex(x25519.scalarMult(v.u, v.scalar)), v.outputU);
-  });
-}
-
-const rfc7748Iter = [
-  { scalar: '422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079', iters: 1 },
-  { scalar: '684cf59ba83309552800ef566f2f4d3c1c3887c49360e3875f2eb94d99532c51', iters: 1000 },
-  // { scalar: '7c3911e0ab2586fd864497297e575e6f3bc601c0883c30df5f4dd2d24f665424', iters: 1000000 },
-];
-for (let i = 0; i < rfc7748Iter.length; i++) {
-  const { scalar, iters } = rfc7748Iter[i];
-  should(`RFC7748: scalarMult iteration (${i})`, () => {
-    let k = x25519.Gu;
-    for (let i = 0, u = k; i < iters; i++) [k, u] = [x25519.scalarMult(u, k), k];
-    deepStrictEqual(hex(k), scalar);
-  });
-}
-
-should('RFC7748 getSharedKey', () => {
-  const alicePrivate = '77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a';
-  const alicePublic = '8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a';
-  const bobPrivate = '5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb';
-  const bobPublic = 'de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f';
-  const shared = '4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742';
-  deepStrictEqual(alicePublic, hex(x25519.getPublicKey(alicePrivate)));
-  deepStrictEqual(bobPublic, hex(x25519.getPublicKey(bobPrivate)));
-  deepStrictEqual(hex(x25519.scalarMult(bobPublic, alicePrivate)), shared);
-  deepStrictEqual(hex(x25519.scalarMult(alicePublic, bobPrivate)), shared);
-});
-
-// should('X25519/getSharedSecret() should be commutative', () => {
-//   for (let i = 0; i < 512; i++) {
-//     const asec = ed.utils.randomPrivateKey();
-//     const apub = ed.getPublicKey(asec);
-//     const bsec = ed.utils.randomPrivateKey();
-//     const bpub = ed.getPublicKey(bsec);
-//     try {
-//       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
-//     } catch (error) {
-//       console.error('not commutative', { asec, apub, bsec, bpub });
-//       throw error;
-//     }
-//   }
-// });
-
-// should('X25519: should convert base point to montgomery using fromPoint', () => {
-//   deepStrictEqual(
-//     hex(ed.montgomeryCurve.UfromPoint(ed.Point.BASE)),
-//     ed.montgomeryCurve.BASE_POINT_U
-//   );
-// });
-
-{
-  const group = x25519vectors.testGroups[0];
-  should(`Wycheproof/X25519`, () => {
-    for (let i = 0; i < group.tests.length; i++) {
-      const v = group.tests[i];
-      const comment = `(${i}, ${v.result}) ${v.comment}`;
-      if (v.result === 'valid' || v.result === 'acceptable') {
-        try {
-          const shared = hex(x25519.scalarMult(v.public, v.private));
-          deepStrictEqual(shared, v.shared, comment);
-        } catch (e) {
-          // We are more strict
-          if (e.message.includes('Expected valid scalar')) return;
-          if (e.message.includes('Invalid private or public key received')) return;
-          throw e;
-        }
-      } else if (v.result === 'invalid') {
-        let failed = false;
-        try {
-          x25519.scalarMult(v.public, v.private);
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true, comment);
-      } else throw new Error('unknown test result');
-    }
-  });
-}
-
-should(`Wycheproof/ED25519`, () => {
-  for (let g = 0; g < ed25519vectors.testGroups.length; g++) {
-    const group = ed25519vectors.testGroups[g];
-    const key = group.key;
-    deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk, `(${g}, public)`);
-    for (let i = 0; i < group.tests.length; i++) {
-      const v = group.tests[i];
-      const comment = `(${g}/${i}, ${v.result}): ${v.comment}`;
-      if (v.result === 'valid' || v.result === 'acceptable') {
-        deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, comment);
-        deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, comment);
-      } else if (v.result === 'invalid') {
-        let failed = false;
-        try {
-          failed = !ed.verify(v.sig, v.msg, key.pk);
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true, comment);
-      } else throw new Error('unknown test result');
-    }
-  }
-});
-
-should('Property test issue #1', () => {
-  const message = new Uint8Array([12, 12, 12]);
-  const signature = ed.sign(message, to32Bytes(1n));
-  const publicKey = ed.getPublicKey(to32Bytes(1n)); // <- was 1n
-  deepStrictEqual(ed.verify(signature, message, publicKey), true);
-});
-
-const VECTORS_RFC8032_CTX = [
-  {
-    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-    message: 'f726936d19c800494e3fdaff20b276a8',
-    context: '666f6f',
-    signature:
-      '55a4cc2f70a54e04288c5f4cd1e45a7b' +
-      'b520b36292911876cada7323198dd87a' +
-      '8b36950b95130022907a7fb7c4e9b2d5' +
-      'f6cca685a587b4b21f4b888e4e7edb0d',
-  },
-  {
-    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-    message: 'f726936d19c800494e3fdaff20b276a8',
-    context: '626172',
-    signature:
-      'fc60d5872fc46b3aa69f8b5b4351d580' +
-      '8f92bcc044606db097abab6dbcb1aee3' +
-      '216c48e8b3b66431b5b186d1d28f8ee1' +
-      '5a5ca2df6668346291c2043d4eb3e90d',
-  },
-  {
-    secretKey: '0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6',
-    publicKey: 'dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292',
-    message: '508e9e6882b979fea900f62adceaca35',
-    context: '666f6f',
-    signature:
-      '8b70c1cc8310e1de20ac53ce28ae6e72' +
-      '07f33c3295e03bb5c0732a1d20dc6490' +
-      '8922a8b052cf99b7c4fe107a5abb5b2c' +
-      '4085ae75890d02df26269d8945f84b0b',
-  },
-  {
-    secretKey: 'ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560',
-    publicKey: '0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772',
-    message: 'f726936d19c800494e3fdaff20b276a8',
-    context: '666f6f',
-    signature:
-      '21655b5f1aa965996b3f97b3c849eafb' +
-      'a922a0a62992f73b3d1b73106a84ad85' +
-      'e9b86a7b6005ea868337ff2d20a7f5fb' +
-      'd4cd10b0be49a68da2b2e0dc0ad8960f',
-  },
-];
-
-for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
-  const v = VECTORS_RFC8032_CTX[i];
-  should(`RFC8032ctx/${i}`, () => {
-    deepStrictEqual(hex(ed25519ctx.getPublicKey(v.secretKey)), v.publicKey);
-    deepStrictEqual(hex(ed25519ctx.sign(v.message, v.secretKey, v.context)), v.signature);
-    deepStrictEqual(ed25519ctx.verify(v.signature, v.message, v.publicKey, v.context), true);
-  });
-}
-
-const VECTORS_RFC8032_PH = [
-  {
-    secretKey: '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42',
-    publicKey: 'ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf',
-    message: '616263',
-    signature:
-      '98a70222f0b8121aa9d30f813d683f80' +
-      '9e462b469c7ff87639499bb94e6dae41' +
-      '31f85042463c2a355a2003d062adf5aa' +
-      'a10b8c61e636062aaad11c2a26083406',
-  },
-];
-
-for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
-  const v = VECTORS_RFC8032_PH[i];
-  should(`RFC8032ph/${i}`, () => {
-    deepStrictEqual(hex(ed25519ph.getPublicKey(v.secretKey)), v.publicKey);
-    deepStrictEqual(hex(ed25519ph.sign(v.message, v.secretKey)), v.signature);
-    deepStrictEqual(ed25519ph.verify(v.signature, v.message, v.publicKey), true);
-  });
-}
-
-should('X25519 base point', () => {
-  const { y } = ed25519.Point.BASE;
-  const u = ed25519.utils.mod((y + 1n) * ed25519.utils.invert(1n - y, ed25519.CURVE.P));
-  deepStrictEqual(hex(numberToBytesLE(u, 32)), x25519.Gu);
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/ed448.test.js

@@ -1,664 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import * as fc from 'fast-check';
-import { ed448, ed448ph, x448 } from '../lib/ed448.js';
-import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils';
-import { numberToBytesLE } from '@noble/curves/utils';
-import { default as ed448vectors } from './wycheproof/ed448_test.json' assert { type: 'json' };
-import { default as x448vectors } from './wycheproof/x448_test.json' assert { type: 'json' };
-
-const ed = ed448;
-const hex = bytesToHex;
-ed.utils.precompute(4);
-
-should(`Basic`, () => {
-  const G1 = ed.Point.BASE;
-  deepStrictEqual(
-    G1.x,
-    224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710n
-  );
-  deepStrictEqual(
-    G1.y,
-    298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660n
-  );
-  const G2 = ed.Point.BASE.multiply(2n);
-  deepStrictEqual(
-    G2.x,
-    484559149530404593699549205258669689569094240458212040187660132787056912146709081364401144455726350866276831544947397859048262938744149n
-  );
-  deepStrictEqual(
-    G2.y,
-    494088759867433727674302672526735089350544552303727723746126484473087719117037293890093462157703888342865036477787453078312060500281069n
-  );
-  const G3 = ed.Point.BASE.multiply(3n);
-  deepStrictEqual(
-    G3.x,
-    23839778817283171003887799738662344287085130522697782688245073320169861206004018274567429238677677920280078599146891901463786155880335n
-  );
-  deepStrictEqual(
-    G3.y,
-    636046652612779686502873775776967954190574036985351036782021535703553242737829645273154208057988851307101009474686328623630835377952508n
-  );
-});
-
-should('Basic/decompress', () => {
-  const G1 = ed.Point.BASE;
-  const G2 = ed.Point.BASE.multiply(2n);
-  const G3 = ed.Point.BASE.multiply(3n);
-  const points = [G1, G2, G3];
-  const getXY = (p) => ({ x: p.x, y: p.y });
-  for (const p of points) deepStrictEqual(getXY(ed.Point.fromHex(p.toHex())), getXY(p));
-});
-
-const VECTORS_RFC8032 = [
-  {
-    secretKey:
-      '6c82a562cb808d10d632be89c8513ebf' +
-      '6c929f34ddfa8c9f63c9960ef6e348a3' +
-      '528c8a3fcc2f044e39a3fc5b94492f8f' +
-      '032e7549a20098f95b',
-    publicKey:
-      '5fd7449b59b461fd2ce787ec616ad46a' +
-      '1da1342485a70e1f8a0ea75d80e96778' +
-      'edf124769b46c7061bd6783df1e50f6c' +
-      'd1fa1abeafe8256180',
-    message: '',
-    signature:
-      '533a37f6bbe457251f023c0d88f976ae' +
-      '2dfb504a843e34d2074fd823d41a591f' +
-      '2b233f034f628281f2fd7a22ddd47d78' +
-      '28c59bd0a21bfd3980ff0d2028d4b18a' +
-      '9df63e006c5d1c2d345b925d8dc00b41' +
-      '04852db99ac5c7cdda8530a113a0f4db' +
-      'b61149f05a7363268c71d95808ff2e65' +
-      '2600',
-  },
-  {
-    secretKey:
-      'c4eab05d357007c632f3dbb48489924d' +
-      '552b08fe0c353a0d4a1f00acda2c463a' +
-      'fbea67c5e8d2877c5e3bc397a659949e' +
-      'f8021e954e0a12274e',
-    publicKey:
-      '43ba28f430cdff456ae531545f7ecd0a' +
-      'c834a55d9358c0372bfa0c6c6798c086' +
-      '6aea01eb00742802b8438ea4cb82169c' +
-      '235160627b4c3a9480',
-
-    message: '03',
-    signature:
-      '26b8f91727bd62897af15e41eb43c377' +
-      'efb9c610d48f2335cb0bd0087810f435' +
-      '2541b143c4b981b7e18f62de8ccdf633' +
-      'fc1bf037ab7cd779805e0dbcc0aae1cb' +
-      'cee1afb2e027df36bc04dcecbf154336' +
-      'c19f0af7e0a6472905e799f1953d2a0f' +
-      'f3348ab21aa4adafd1d234441cf807c0' +
-      '3a00',
-  },
-  {
-    secretKey:
-      'cd23d24f714274e744343237b93290f5' +
-      '11f6425f98e64459ff203e8985083ffd' +
-      'f60500553abc0e05cd02184bdb89c4cc' +
-      'd67e187951267eb328',
-    publicKey:
-      'dcea9e78f35a1bf3499a831b10b86c90' +
-      'aac01cd84b67a0109b55a36e9328b1e3' +
-      '65fce161d71ce7131a543ea4cb5f7e9f' +
-      '1d8b00696447001400',
-    message: '0c3e544074ec63b0265e0c',
-    signature:
-      '1f0a8888ce25e8d458a21130879b840a' +
-      '9089d999aaba039eaf3e3afa090a09d3' +
-      '89dba82c4ff2ae8ac5cdfb7c55e94d5d' +
-      '961a29fe0109941e00b8dbdeea6d3b05' +
-      '1068df7254c0cdc129cbe62db2dc957d' +
-      'bb47b51fd3f213fb8698f064774250a5' +
-      '028961c9bf8ffd973fe5d5c206492b14' +
-      '0e00',
-  },
-  {
-    secretKey:
-      '258cdd4ada32ed9c9ff54e63756ae582' +
-      'fb8fab2ac721f2c8e676a72768513d93' +
-      '9f63dddb55609133f29adf86ec9929dc' +
-      'cb52c1c5fd2ff7e21b',
-    publicKey:
-      '3ba16da0c6f2cc1f30187740756f5e79' +
-      '8d6bc5fc015d7c63cc9510ee3fd44adc' +
-      '24d8e968b6e46e6f94d19b945361726b' +
-      'd75e149ef09817f580',
-    message: '64a65f3cdedcdd66811e2915',
-    signature:
-      '7eeeab7c4e50fb799b418ee5e3197ff6' +
-      'bf15d43a14c34389b59dd1a7b1b85b4a' +
-      'e90438aca634bea45e3a2695f1270f07' +
-      'fdcdf7c62b8efeaf00b45c2c96ba457e' +
-      'b1a8bf075a3db28e5c24f6b923ed4ad7' +
-      '47c3c9e03c7079efb87cb110d3a99861' +
-      'e72003cbae6d6b8b827e4e6c143064ff' +
-      '3c00',
-  },
-  {
-    secretKey:
-      '7ef4e84544236752fbb56b8f31a23a10' +
-      'e42814f5f55ca037cdcc11c64c9a3b29' +
-      '49c1bb60700314611732a6c2fea98eeb' +
-      'c0266a11a93970100e',
-    publicKey:
-      'b3da079b0aa493a5772029f0467baebe' +
-      'e5a8112d9d3a22532361da294f7bb381' +
-      '5c5dc59e176b4d9f381ca0938e13c6c0' +
-      '7b174be65dfa578e80',
-    message: '64a65f3cdedcdd66811e2915e7',
-    signature:
-      '6a12066f55331b6c22acd5d5bfc5d712' +
-      '28fbda80ae8dec26bdd306743c5027cb' +
-      '4890810c162c027468675ecf645a8317' +
-      '6c0d7323a2ccde2d80efe5a1268e8aca' +
-      '1d6fbc194d3f77c44986eb4ab4177919' +
-      'ad8bec33eb47bbb5fc6e28196fd1caf5' +
-      '6b4e7e0ba5519234d047155ac727a105' +
-      '3100',
-  },
-  {
-    secretKey:
-      'd65df341ad13e008567688baedda8e9d' +
-      'cdc17dc024974ea5b4227b6530e339bf' +
-      'f21f99e68ca6968f3cca6dfe0fb9f4fa' +
-      'b4fa135d5542ea3f01',
-    publicKey:
-      'df9705f58edbab802c7f8363cfe5560a' +
-      'b1c6132c20a9f1dd163483a26f8ac53a' +
-      '39d6808bf4a1dfbd261b099bb03b3fb5' +
-      '0906cb28bd8a081f00',
-    message:
-      'bd0f6a3747cd561bdddf4640a332461a' +
-      '4a30a12a434cd0bf40d766d9c6d458e5' +
-      '512204a30c17d1f50b5079631f64eb31' +
-      '12182da3005835461113718d1a5ef944',
-    signature:
-      '554bc2480860b49eab8532d2a533b7d5' +
-      '78ef473eeb58c98bb2d0e1ce488a98b1' +
-      '8dfde9b9b90775e67f47d4a1c3482058' +
-      'efc9f40d2ca033a0801b63d45b3b722e' +
-      'f552bad3b4ccb667da350192b61c508c' +
-      'f7b6b5adadc2c8d9a446ef003fb05cba' +
-      '5f30e88e36ec2703b349ca229c267083' +
-      '3900',
-  },
-  {
-    secretKey:
-      '2ec5fe3c17045abdb136a5e6a913e32a' +
-      'b75ae68b53d2fc149b77e504132d3756' +
-      '9b7e766ba74a19bd6162343a21c8590a' +
-      'a9cebca9014c636df5',
-    publicKey:
-      '79756f014dcfe2079f5dd9e718be4171' +
-      'e2ef2486a08f25186f6bff43a9936b9b' +
-      'fe12402b08ae65798a3d81e22e9ec80e' +
-      '7690862ef3d4ed3a00',
-    message:
-      '15777532b0bdd0d1389f636c5f6b9ba7' +
-      '34c90af572877e2d272dd078aa1e567c' +
-      'fa80e12928bb542330e8409f31745041' +
-      '07ecd5efac61ae7504dabe2a602ede89' +
-      'e5cca6257a7c77e27a702b3ae39fc769' +
-      'fc54f2395ae6a1178cab4738e543072f' +
-      'c1c177fe71e92e25bf03e4ecb72f47b6' +
-      '4d0465aaea4c7fad372536c8ba516a60' +
-      '39c3c2a39f0e4d832be432dfa9a706a6' +
-      'e5c7e19f397964ca4258002f7c0541b5' +
-      '90316dbc5622b6b2a6fe7a4abffd9610' +
-      '5eca76ea7b98816af0748c10df048ce0' +
-      '12d901015a51f189f3888145c03650aa' +
-      '23ce894c3bd889e030d565071c59f409' +
-      'a9981b51878fd6fc110624dcbcde0bf7' +
-      'a69ccce38fabdf86f3bef6044819de11',
-    signature:
-      'c650ddbb0601c19ca11439e1640dd931' +
-      'f43c518ea5bea70d3dcde5f4191fe53f' +
-      '00cf966546b72bcc7d58be2b9badef28' +
-      '743954e3a44a23f880e8d4f1cfce2d7a' +
-      '61452d26da05896f0a50da66a239a8a1' +
-      '88b6d825b3305ad77b73fbac0836ecc6' +
-      '0987fd08527c1a8e80d5823e65cafe2a' +
-      '3d00',
-  },
-  {
-    secretKey:
-      '872d093780f5d3730df7c212664b37b8' +
-      'a0f24f56810daa8382cd4fa3f77634ec' +
-      '44dc54f1c2ed9bea86fafb7632d8be19' +
-      '9ea165f5ad55dd9ce8',
-    publicKey:
-      'a81b2e8a70a5ac94ffdbcc9badfc3feb' +
-      '0801f258578bb114ad44ece1ec0e799d' +
-      'a08effb81c5d685c0c56f64eecaef8cd' +
-      'f11cc38737838cf400',
-    message:
-      '6ddf802e1aae4986935f7f981ba3f035' +
-      '1d6273c0a0c22c9c0e8339168e675412' +
-      'a3debfaf435ed651558007db4384b650' +
-      'fcc07e3b586a27a4f7a00ac8a6fec2cd' +
-      '86ae4bf1570c41e6a40c931db27b2faa' +
-      '15a8cedd52cff7362c4e6e23daec0fbc' +
-      '3a79b6806e316efcc7b68119bf46bc76' +
-      'a26067a53f296dafdbdc11c77f7777e9' +
-      '72660cf4b6a9b369a6665f02e0cc9b6e' +
-      'dfad136b4fabe723d2813db3136cfde9' +
-      'b6d044322fee2947952e031b73ab5c60' +
-      '3349b307bdc27bc6cb8b8bbd7bd32321' +
-      '9b8033a581b59eadebb09b3c4f3d2277' +
-      'd4f0343624acc817804728b25ab79717' +
-      '2b4c5c21a22f9c7839d64300232eb66e' +
-      '53f31c723fa37fe387c7d3e50bdf9813' +
-      'a30e5bb12cf4cd930c40cfb4e1fc6225' +
-      '92a49588794494d56d24ea4b40c89fc0' +
-      '596cc9ebb961c8cb10adde976a5d602b' +
-      '1c3f85b9b9a001ed3c6a4d3b1437f520' +
-      '96cd1956d042a597d561a596ecd3d173' +
-      '5a8d570ea0ec27225a2c4aaff26306d1' +
-      '526c1af3ca6d9cf5a2c98f47e1c46db9' +
-      'a33234cfd4d81f2c98538a09ebe76998' +
-      'd0d8fd25997c7d255c6d66ece6fa56f1' +
-      '1144950f027795e653008f4bd7ca2dee' +
-      '85d8e90f3dc315130ce2a00375a318c7' +
-      'c3d97be2c8ce5b6db41a6254ff264fa6' +
-      '155baee3b0773c0f497c573f19bb4f42' +
-      '40281f0b1f4f7be857a4e59d416c06b4' +
-      'c50fa09e1810ddc6b1467baeac5a3668' +
-      'd11b6ecaa901440016f389f80acc4db9' +
-      '77025e7f5924388c7e340a732e554440' +
-      'e76570f8dd71b7d640b3450d1fd5f041' +
-      '0a18f9a3494f707c717b79b4bf75c984' +
-      '00b096b21653b5d217cf3565c9597456' +
-      'f70703497a078763829bc01bb1cbc8fa' +
-      '04eadc9a6e3f6699587a9e75c94e5bab' +
-      '0036e0b2e711392cff0047d0d6b05bd2' +
-      'a588bc109718954259f1d86678a579a3' +
-      '120f19cfb2963f177aeb70f2d4844826' +
-      '262e51b80271272068ef5b3856fa8535' +
-      'aa2a88b2d41f2a0e2fda7624c2850272' +
-      'ac4a2f561f8f2f7a318bfd5caf969614' +
-      '9e4ac824ad3460538fdc25421beec2cc' +
-      '6818162d06bbed0c40a387192349db67' +
-      'a118bada6cd5ab0140ee273204f628aa' +
-      'd1c135f770279a651e24d8c14d75a605' +
-      '9d76b96a6fd857def5e0b354b27ab937' +
-      'a5815d16b5fae407ff18222c6d1ed263' +
-      'be68c95f32d908bd895cd76207ae7264' +
-      '87567f9a67dad79abec316f683b17f2d' +
-      '02bf07e0ac8b5bc6162cf94697b3c27c' +
-      'd1fea49b27f23ba2901871962506520c' +
-      '392da8b6ad0d99f7013fbc06c2c17a56' +
-      '9500c8a7696481c1cd33e9b14e40b82e' +
-      '79a5f5db82571ba97bae3ad3e0479515' +
-      'bb0e2b0f3bfcd1fd33034efc6245eddd' +
-      '7ee2086ddae2600d8ca73e214e8c2b0b' +
-      'db2b047c6a464a562ed77b73d2d841c4' +
-      'b34973551257713b753632efba348169' +
-      'abc90a68f42611a40126d7cb21b58695' +
-      '568186f7e569d2ff0f9e745d0487dd2e' +
-      'b997cafc5abf9dd102e62ff66cba87',
-    signature:
-      'e301345a41a39a4d72fff8df69c98075' +
-      'a0cc082b802fc9b2b6bc503f926b65bd' +
-      'df7f4c8f1cb49f6396afc8a70abe6d8a' +
-      'ef0db478d4c6b2970076c6a0484fe76d' +
-      '76b3a97625d79f1ce240e7c576750d29' +
-      '5528286f719b413de9ada3e8eb78ed57' +
-      '3603ce30d8bb761785dc30dbc320869e' +
-      '1a00',
-  },
-];
-
-for (let i = 0; i < VECTORS_RFC8032.length; i++) {
-  const v = VECTORS_RFC8032[i];
-  should(`RFC8032/${i}`, () => {
-    deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
-    deepStrictEqual(hex(ed.sign(v.message, v.secretKey)), v.signature);
-    deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey), true);
-  });
-}
-
-should('ed448/should not accept >57byte private keys', async () => {
-  const invalidPriv =
-    100000000000000000000000000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800073278156000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000n;
-  throws(() => ed.getPublicKey(invalidPriv));
-});
-
-function to57Bytes(numOrStr) {
-  let hex = typeof numOrStr === 'string' ? numOrStr : numOrStr.toString(16);
-  return hexToBytes(hex.padStart(114, '0'));
-}
-
-should('ed448/should verify recent signature', () => {
-  fc.assert(
-    fc.property(
-      fc.hexaString({ minLength: 2, maxLength: 57 }),
-      fc.bigInt(2n, ed.CURVE.n),
-      (message, privateKey) => {
-        const publicKey = ed.getPublicKey(to57Bytes(privateKey));
-        const signature = ed.sign(to57Bytes(message), to57Bytes(privateKey));
-        deepStrictEqual(publicKey.length, 57);
-        deepStrictEqual(signature.length, 114);
-        deepStrictEqual(ed.verify(signature, to57Bytes(message), publicKey), true);
-      }
-    ),
-    { numRuns: 5 }
-  );
-});
-should('ed448/should not verify signature with wrong message', () => {
-  fc.assert(
-    fc.property(
-      fc.array(fc.integer({ min: 0x00, max: 0xff })),
-      fc.array(fc.integer({ min: 0x00, max: 0xff })),
-      fc.bigInt(1n, ed.CURVE.n),
-      (bytes, wrongBytes, privateKey) => {
-        const message = new Uint8Array(bytes);
-        const wrongMessage = new Uint8Array(wrongBytes);
-        const priv = to57Bytes(privateKey);
-        const publicKey = ed.getPublicKey(priv);
-        const signature = ed.sign(message, priv);
-        deepStrictEqual(
-          ed.verify(signature, wrongMessage, publicKey),
-          bytes.toString() === wrongBytes.toString()
-        );
-      }
-    ),
-    { numRuns: 5 }
-  );
-});
-const privKey = to57Bytes('a665a45920422f9d417e4867ef');
-const msg = hexToBytes('874f9960c5d2b7a9b5fad383e1ba44719ebb743a');
-const wrongMsg = hexToBytes('589d8c7f1da0a24bc07b7381ad48b1cfc211af1c');
-should('ed25519/basic methods/should sign and verify', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
-});
-should('ed25519/basic methods/should not verify signature with wrong public key', () => {
-  const publicKey = ed.getPublicKey(12);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
-});
-should('ed25519/basic methods/should not verify signature with wrong hash', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
-});
-
-should('ed25519/sync methods/should sign and verify', () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), true);
-});
-should('ed25519/sync methods/should not verify signature with wrong public key', async () => {
-  const publicKey = ed.getPublicKey(12);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, msg, publicKey), false);
-});
-should('ed25519/sync methods/should not verify signature with wrong hash', async () => {
-  const publicKey = ed.getPublicKey(privKey);
-  const signature = ed.sign(msg, privKey);
-  deepStrictEqual(ed.verify(signature, wrongMsg, publicKey), false);
-});
-
-should('ed25519/BASE_POINT.multiply()/should throw Point#multiply on TEST 5', () => {
-  for (const num of [0n, 0, -1n, -1, 1.1]) {
-    throws(() => ed.Point.BASE.multiply(num));
-  }
-});
-
-should('input immutability: sign/verify are immutable', () => {
-  const privateKey = ed.utils.randomPrivateKey();
-  const publicKey = ed.getPublicKey(privateKey);
-
-  for (let i = 0; i < 100; i++) {
-    let payload = randomBytes(100);
-    let signature = ed.sign(payload, privateKey);
-    if (!ed.verify(signature, payload, publicKey)) {
-      throw new Error('Signature verification failed');
-    }
-    const signatureCopy = Buffer.alloc(signature.byteLength);
-    signatureCopy.set(signature, 0); // <-- breaks
-    payload = payload.slice();
-    signature = signature.slice();
-
-    if (!ed.verify(signatureCopy, payload, publicKey))
-      throw new Error('Copied signature verification failed');
-  }
-});
-
-{
-  for (let g = 0; g < ed448vectors.testGroups.length; g++) {
-    const group = ed448vectors.testGroups[g];
-    const key = group.key;
-    should(`Wycheproof/ED448(${g}, public)`, () => {
-      deepStrictEqual(hex(ed.getPublicKey(key.sk)), key.pk);
-    });
-    should(`Wycheproof/ED448`, () => {
-      for (let i = 0; i < group.tests.length; i++) {
-        const v = group.tests[i];
-        const index = `${g}/${i} ${v.comment}`;
-        if (v.result === 'valid' || v.result === 'acceptable') {
-          deepStrictEqual(hex(ed.sign(v.msg, key.sk)), v.sig, index);
-          deepStrictEqual(ed.verify(v.sig, v.msg, key.pk), true, index);
-        } else if (v.result === 'invalid') {
-          let failed = false;
-          try {
-            failed = !ed.verify(v.sig, v.msg, key.pk);
-          } catch (error) {
-            failed = true;
-          }
-          deepStrictEqual(failed, true, index);
-        } else throw new Error('unknown test result');
-      }
-    });
-  }
-}
-
-// ECDH
-const rfc7748Mul = [
-  {
-    scalar:
-      '3d262fddf9ec8e88495266fea19a34d28882acef045104d0d1aae121700a779c984c24f8cdd78fbff44943eba368f54b29259a4f1c600ad3',
-    u: '06fce640fa3487bfda5f6cf2d5263f8aad88334cbd07437f020f08f9814dc031ddbdc38c19c6da2583fa5429db94ada18aa7a7fb4ef8a086',
-    outputU:
-      'ce3e4ff95a60dc6697da1db1d85e6afbdf79b50a2412d7546d5f239fe14fbaadeb445fc66a01b0779d98223961111e21766282f73dd96b6f',
-  },
-  {
-    scalar:
-      '203d494428b8399352665ddca42f9de8fef600908e0d461cb021f8c538345dd77c3e4806e25f46d3315c44e0a5b4371282dd2c8d5be3095f',
-    u: '0fbcc2f993cd56d3305b0b7d9e55d4c1a8fb5dbb52f8e9a1e9b6201b165d015894e56c4d3570bee52fe205e28a78b91cdfbde71ce8d157db',
-    outputU:
-      '884a02576239ff7a2f2f63b2db6a9ff37047ac13568e1e30fe63c4a7ad1b3ee3a5700df34321d62077e63633c575c1c954514e99da7c179d',
-  },
-];
-for (let i = 0; i < rfc7748Mul.length; i++) {
-  const v = rfc7748Mul[i];
-  should(`RFC7748: scalarMult (${i})`, () => {
-    deepStrictEqual(hex(x448.scalarMult(v.u, v.scalar)), v.outputU);
-  });
-}
-
-const rfc7748Iter = [
-  {
-    scalar:
-      '3f482c8a9f19b01e6c46ee9711d9dc14fd4bf67af30765c2ae2b846a4d23a8cd0db897086239492caf350b51f833868b9bc2b3bca9cf4113',
-    iters: 1,
-  },
-  {
-    scalar:
-      'aa3b4749d55b9daf1e5b00288826c467274ce3ebbdd5c17b975e09d4af6c67cf10d087202db88286e2b79fceea3ec353ef54faa26e219f38',
-    iters: 1000,
-  },
-  // { scalar: '077f453681caca3693198420bbe515cae0002472519b3e67661a7e89cab94695c8f4bcd66e61b9b9c946da8d524de3d69bd9d9d66b997e37', iters: 1000000 },
-];
-for (let i = 0; i < rfc7748Iter.length; i++) {
-  const { scalar, iters } = rfc7748Iter[i];
-  should(`RFC7748: scalarMult iteration (${i})`, () => {
-    let k = x448.Gu;
-    for (let i = 0, u = k; i < iters; i++) [k, u] = [x448.scalarMult(u, k), k];
-    deepStrictEqual(hex(k), scalar);
-  });
-}
-
-should('RFC7748 getSharedKey', () => {
-  const alicePrivate =
-    '9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28dd9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b';
-  const alicePublic =
-    '9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0';
-  const bobPrivate =
-    '1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d';
-  const bobPublic =
-    '3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b43027d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609';
-  const shared =
-    '07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d';
-  deepStrictEqual(alicePublic, hex(x448.getPublicKey(alicePrivate)));
-  deepStrictEqual(bobPublic, hex(x448.getPublicKey(bobPrivate)));
-  deepStrictEqual(hex(x448.scalarMult(bobPublic, alicePrivate)), shared);
-  deepStrictEqual(hex(x448.scalarMult(alicePublic, bobPrivate)), shared);
-});
-
-{
-  const group = x448vectors.testGroups[0];
-  should(`Wycheproof/X448`, () => {
-    for (let i = 0; i < group.tests.length; i++) {
-      const v = group.tests[i];
-      const index = `(${i}, ${v.result}) ${v.comment}`;
-      if (v.result === 'valid' || v.result === 'acceptable') {
-        try {
-          const shared = hex(x448.scalarMult(v.public, v.private));
-          deepStrictEqual(shared, v.shared, index);
-        } catch (e) {
-          // We are more strict
-          if (e.message.includes('Expected valid scalar')) return;
-          if (e.message.includes('Invalid private or public key received')) return;
-          if (e.message.includes('Expected 56 bytes')) return;
-          throw e;
-        }
-      } else if (v.result === 'invalid') {
-        let failed = false;
-        try {
-          x448.scalarMult(v.public, v.private);
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true, index);
-      } else throw new Error('unknown test result');
-    }
-  });
-}
-
-// should('X448: should convert base point to montgomery using fromPoint', () => {
-//   deepStrictEqual(
-//     hex(ed.montgomeryCurve.UfromPoint(ed.Point.BASE)),
-//     ed.montgomeryCurve.BASE_POINT_U
-//   );
-// });
-
-// should('X448/getSharedSecret() should be commutative', async () => {
-//   for (let i = 0; i < 512; i++) {
-//     const asec = ed.utils.randomPrivateKey();
-//     const apub = ed.getPublicKey(asec);
-//     const bsec = ed.utils.randomPrivateKey();
-//     const bpub = ed.getPublicKey(bsec);
-//     try {
-//       deepStrictEqual(ed.getSharedSecret(asec, bpub), ed.getSharedSecret(bsec, apub));
-//     } catch (error) {
-//       console.error('not commutative', { asec, apub, bsec, bpub });
-//       throw error;
-//     }
-//   }
-// });
-
-const VECTORS_RFC8032_CTX = [
-  {
-    secretKey:
-      'c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e',
-    publicKey:
-      '43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480',
-    message: '03',
-    context: '666f6f',
-    signature:
-      'd4f8f6131770dd46f40867d6fd5d5055' +
-      'de43541f8c5e35abbcd001b32a89f7d2' +
-      '151f7647f11d8ca2ae279fb842d60721' +
-      '7fce6e042f6815ea000c85741de5c8da' +
-      '1144a6a1aba7f96de42505d7a7298524' +
-      'fda538fccbbb754f578c1cad10d54d0d' +
-      '5428407e85dcbc98a49155c13764e66c' +
-      '3c00',
-  },
-];
-
-for (let i = 0; i < VECTORS_RFC8032_CTX.length; i++) {
-  const v = VECTORS_RFC8032_CTX[i];
-  should(`RFC8032ctx/${i}`, () => {
-    deepStrictEqual(hex(ed.getPublicKey(v.secretKey)), v.publicKey);
-    deepStrictEqual(hex(ed.sign(v.message, v.secretKey, v.context)), v.signature);
-    deepStrictEqual(ed.verify(v.signature, v.message, v.publicKey, v.context), true);
-  });
-}
-
-const VECTORS_RFC8032_PH = [
-  {
-    secretKey:
-      '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
-    publicKey:
-      '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
-    message: '616263',
-    signature:
-      '822f6901f7480f3d5f562c592994d969' +
-      '3602875614483256505600bbc281ae38' +
-      '1f54d6bce2ea911574932f52a4e6cadd' +
-      '78769375ec3ffd1b801a0d9b3f4030cd' +
-      '433964b6457ea39476511214f97469b5' +
-      '7dd32dbc560a9a94d00bff07620464a3' +
-      'ad203df7dc7ce360c3cd3696d9d9fab9' +
-      '0f00',
-  },
-  {
-    secretKey:
-      '833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42ef7822e0d5104127dc05d6dbefde69e3ab2cec7c867c6e2c49',
-    publicKey:
-      '259b71c19f83ef77a7abd26524cbdb3161b590a48f7d17de3ee0ba9c52beb743c09428a131d6b1b57303d90d8132c276d5ed3d5d01c0f53880',
-    message: '616263',
-    context: '666f6f',
-    signature:
-      'c32299d46ec8ff02b54540982814dce9' +
-      'a05812f81962b649d528095916a2aa48' +
-      '1065b1580423ef927ecf0af5888f90da' +
-      '0f6a9a85ad5dc3f280d91224ba9911a3' +
-      '653d00e484e2ce232521481c8658df30' +
-      '4bb7745a73514cdb9bf3e15784ab7128' +
-      '4f8d0704a608c54a6b62d97beb511d13' +
-      '2100',
-  },
-];
-
-for (let i = 0; i < VECTORS_RFC8032_PH.length; i++) {
-  const v = VECTORS_RFC8032_PH[i];
-  should(`RFC8032ph/${i}`, () => {
-    deepStrictEqual(hex(ed448ph.getPublicKey(v.secretKey)), v.publicKey);
-    deepStrictEqual(hex(ed448ph.sign(v.message, v.secretKey, v.context)), v.signature);
-    deepStrictEqual(ed448ph.verify(v.signature, v.message, v.publicKey, v.context), true);
-  });
-}
-
-should('X448 base point', () => {
-  const { x, y } = ed448.Point.BASE;
-  const { P } = ed448.CURVE;
-  const invX = ed448.utils.invert(x * x, P); // x^2
-  const u = ed448.utils.mod(y * y * invX, P); // (y^2/x^2)
-  deepStrictEqual(hex(numberToBytesLE(u, 56)), x448.Gu);
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/jubjub.test.js

@@ -1,74 +0,0 @@
-import { jubjub, findGroupHash } from '../lib/jubjub.js';
-import { should } from 'micro-should';
-import { deepStrictEqual, throws } from 'assert';
-import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
-
-const G_SPEND = new jubjub.ExtendedPoint(
-  0x055f1f24f0f0512287e51c3c5a0a6903fc0baf8711de9eafd7c0e66f69d8d2dbn,
-  0x566178b2505fdd52132a5007d80a04652842e78ffb376897588f406278214ed7n,
-  0x0141fafa1f11088a3b2007c14d652375888f3b37838ba6bdffae096741ceddfen,
-  0x12eada93c0b7d595f5f04f5ebfb4b7d033ef2884136475cab5e41ce17db5be9cn
-);
-const G_PROOF = new jubjub.ExtendedPoint(
-  0x0174d54ce9fad258a2f8a86a1deabf15c7a2b51106b0fbcd9d29020f78936f71n,
-  0x16871d6d877dcd222e4ec3bccb3f37cb1865a2d37dd3a5dcbc032a69b62b4445n,
-  0x57a3cd31e496d82bd4aa78bd5ecd751cfb76d54a5d3f4560866379f9fc11c9b3n,
-  0x42cc53f6b519d1f4f52c47ff1256463a616c2c2f49ffe77765481eca04c72081n
-);
-
-const getXY = (p) => ({ x: p.x, y: p.y });
-
-should('toHex/fromHex', () => {
-  // More than field
-  throws(() =>
-    jubjub.Point.fromHex(
-      new Uint8Array([
-        255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-        255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
-      ])
-    )
-  );
-  // Multiplicative generator (sqrt == null), not on curve.
-  throws(() =>
-    jubjub.Point.fromHex(
-      new Uint8Array([
-        7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-        0,
-      ])
-    )
-  );
-  const tmp = jubjub.Point.fromHex(
-    new Uint8Array([
-      0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-      0,
-    ])
-  );
-  deepStrictEqual(tmp.x, 0x8d51ccce760304d0ec030002760300000001000000000000n);
-  deepStrictEqual(tmp.y, 0n);
-
-  const S = G_SPEND.toAffine().toRawBytes();
-  const S2 = G_SPEND.double().toAffine().toRawBytes();
-  const P = G_PROOF.toAffine().toRawBytes();
-  const P2 = G_PROOF.double().toAffine().toRawBytes();
-  const S_exp = jubjub.Point.fromHex(S);
-  const S2_exp = jubjub.Point.fromHex(S2);
-  const P_exp = jubjub.Point.fromHex(P);
-  const P2_exp = jubjub.Point.fromHex(P2);
-  deepStrictEqual(getXY(G_SPEND.toAffine()), getXY(S_exp));
-  deepStrictEqual(getXY(G_SPEND.double().toAffine()), getXY(S2_exp));
-  deepStrictEqual(getXY(G_PROOF.toAffine()), getXY(P_exp));
-  deepStrictEqual(getXY(G_PROOF.double().toAffine()), getXY(P2_exp));
-});
-
-should('Find generators', () => {
-  const spend = findGroupHash(new Uint8Array(), new Uint8Array([90, 99, 97, 115, 104, 95, 71, 95]));
-  const proof = findGroupHash(new Uint8Array(), new Uint8Array([90, 99, 97, 115, 104, 95, 72, 95]));
-  deepStrictEqual(getXY(spend.toAffine()), getXY(G_SPEND.toAffine()));
-  deepStrictEqual(getXY(proof.toAffine()), getXY(G_PROOF.toAffine()));
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/nist.test.js

@@ -1,387 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import { secp192r1, P192 } from '../lib/p192.js';
-import { secp224r1, P224 } from '../lib/p224.js';
-import { secp256r1, P256 } from '../lib/p256.js';
-import { secp384r1, P384 } from '../lib/p384.js';
-import { secp521r1, P521 } from '../lib/p521.js';
-import { secp256k1 } from '../lib/secp256k1.js';
-import { hexToBytes, bytesToHex } from '@noble/curves/utils';
-import { default as ecdsa } from './wycheproof/ecdsa_test.json' assert { type: 'json' };
-import { default as ecdh } from './wycheproof/ecdh_test.json' assert { type: 'json' };
-import { default as rfc6979 } from './fixtures/rfc6979.json' assert { type: 'json' };
-
-const hex = bytesToHex;
-
-// prettier-ignore
-const NIST = {
-  secp192r1, P192,
-  secp224r1, P224,
-  secp256r1, P256,
-  secp384r1, P384,
-  secp521r1, P521,
-  secp256k1,
-};
-
-should('Curve Fields', () => {
-  const vectors = {
-    secp192r1: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
-    secp224r1: 0xffffffffffffffffffffffffffffffff000000000000000000000001n,
-    secp256r1: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
-    secp256k1: 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn,
-    secp384r1:
-      0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffffn,
-    secp521r1:
-      0x01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffn,
-  };
-  for (const n in vectors) deepStrictEqual(NIST[n].CURVE.P, vectors[n]);
-});
-
-should('wychenproof ECDSA vectors', () => {
-  for (const group of ecdsa.testGroups) {
-    // Tested in secp256k1.test.js
-    if (group.key.curve === 'secp256k1') continue;
-    // We don't have SHA-224
-    if (group.key.curve === 'secp224r1' && group.sha === 'SHA-224') continue;
-    const CURVE = NIST[group.key.curve];
-    if (!CURVE) continue;
-    const pubKey = CURVE.Point.fromHex(group.key.uncompressed);
-    deepStrictEqual(pubKey.x, BigInt(`0x${group.key.wx}`));
-    deepStrictEqual(pubKey.y, BigInt(`0x${group.key.wy}`));
-    for (const test of group.tests) {
-      if (['Hash weaker than DL-group'].includes(test.comment)) {
-        continue;
-      }
-      const m = CURVE.CURVE.hash(hexToBytes(test.msg));
-      if (test.result === 'valid' || test.result === 'acceptable') {
-        try {
-          CURVE.Signature.fromDER(test.sig);
-        } catch (e) {
-          // Some test has invalid signature which we don't accept
-          if (e.message.includes('Invalid signature: incorrect length')) continue;
-          throw e;
-        }
-        const verified = CURVE.verify(test.sig, m, pubKey);
-        deepStrictEqual(verified, true, 'valid');
-      } else if (test.result === 'invalid') {
-        let failed = false;
-        try {
-          failed = !CURVE.verify(test.sig, m, pubKey);
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true, 'invalid');
-      } else throw new Error('unknown test result');
-    }
-  }
-});
-
-should('wychenproof ECDH vectors', () => {
-  for (const group of ecdh.testGroups) {
-    // // Tested in secp256k1.test.js
-    // if (group.key.curve === 'secp256k1') continue;
-    // We don't have SHA-224
-    const CURVE = NIST[group.curve];
-    if (!CURVE) continue;
-    for (const test of group.tests) {
-      if (test.result === 'valid' || test.result === 'acceptable') {
-        try {
-          const pub = CURVE.Point.fromHex(test.public);
-        } catch (e) {
-          if (e.message.includes('Point.fromHex: received invalid point.')) continue;
-          throw e;
-        }
-        const shared = CURVE.getSharedSecret(test.private, test.public);
-        deepStrictEqual(shared, test.shared, 'valid');
-      } else if (test.result === 'invalid') {
-        let failed = false;
-        try {
-          CURVE.getSharedSecret(test.private, test.public);
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true, 'invalid');
-      } else throw new Error('unknown test result');
-    }
-  }
-});
-
-import { default as ecdh_secp224r1_test } from './wycheproof/ecdh_secp224r1_test.json' assert { type: 'json' };
-import { default as ecdh_secp256r1_test } from './wycheproof/ecdh_secp256r1_test.json' assert { type: 'json' };
-import { default as ecdh_secp256k1_test } from './wycheproof/ecdh_secp256k1_test.json' assert { type: 'json' };
-import { default as ecdh_secp384r1_test } from './wycheproof/ecdh_secp384r1_test.json' assert { type: 'json' };
-import { default as ecdh_secp521r1_test } from './wycheproof/ecdh_secp521r1_test.json' assert { type: 'json' };
-
-// More per curve tests
-const WYCHEPROOF_ECDH = {
-  P224: {
-    curve: P224,
-    tests: [ecdh_secp224r1_test],
-  },
-  P256: {
-    curve: P256,
-    tests: [ecdh_secp256r1_test],
-  },
-  secp256k1: {
-    curve: secp256k1,
-    tests: [ecdh_secp256k1_test],
-  },
-  P384: {
-    curve: P384,
-    tests: [ecdh_secp384r1_test],
-  },
-  P521: {
-    curve: P521,
-    tests: [ecdh_secp521r1_test],
-  },
-};
-
-for (const name in WYCHEPROOF_ECDH) {
-  const { curve, tests } = WYCHEPROOF_ECDH[name];
-  for (let i = 0; i < tests.length; i++) {
-    const test = tests[i];
-    for (let j = 0; j < test.testGroups.length; j++) {
-      const group = test.testGroups[j];
-      should(`Wycheproof/ECDH ${name} (${i}/${j})`, () => {
-        for (const test of group.tests) {
-          if (test.result === 'valid' || test.result === 'acceptable') {
-            try {
-              const pub = curve.Point.fromHex(test.public);
-            } catch (e) {
-              if (e.message.includes('Point.fromHex: received invalid point.')) continue;
-              throw e;
-            }
-            const shared = curve.getSharedSecret(test.private, test.public);
-            deepStrictEqual(hex(shared), test.shared, 'valid');
-          } else if (test.result === 'invalid') {
-            let failed = false;
-            try {
-              curve.getSharedSecret(test.private, test.public);
-            } catch (error) {
-              failed = true;
-            }
-            deepStrictEqual(failed, true, 'invalid');
-          } else throw new Error('unknown test result');
-        }
-      });
-    }
-  }
-}
-
-// Tests with custom hashes
-import { default as secp224r1_sha224_test } from './wycheproof/ecdsa_secp224r1_sha224_test.json' assert { type: 'json' };
-import { default as secp224r1_sha256_test } from './wycheproof/ecdsa_secp224r1_sha256_test.json' assert { type: 'json' };
-import { default as secp224r1_sha3_224_test } from './wycheproof/ecdsa_secp224r1_sha3_224_test.json' assert { type: 'json' };
-import { default as secp224r1_sha3_256_test } from './wycheproof/ecdsa_secp224r1_sha3_256_test.json' assert { type: 'json' };
-import { default as secp224r1_sha3_512_test } from './wycheproof/ecdsa_secp224r1_sha3_512_test.json' assert { type: 'json' };
-import { default as secp224r1_sha512_test } from './wycheproof/ecdsa_secp224r1_sha512_test.json' assert { type: 'json' };
-
-import { default as secp256k1_sha256_test } from './wycheproof/ecdsa_secp256k1_sha256_test.json' assert { type: 'json' };
-import { default as secp256k1_sha3_256_test } from './wycheproof/ecdsa_secp256k1_sha3_256_test.json' assert { type: 'json' };
-import { default as secp256k1_sha3_512_test } from './wycheproof/ecdsa_secp256k1_sha3_512_test.json' assert { type: 'json' };
-import { default as secp256k1_sha512_test } from './wycheproof/ecdsa_secp256k1_sha512_test.json' assert { type: 'json' };
-
-import { default as secp256r1_sha256_test } from './wycheproof/ecdsa_secp256r1_sha256_test.json' assert { type: 'json' };
-import { default as secp256r1_sha3_256_test } from './wycheproof/ecdsa_secp256r1_sha3_256_test.json' assert { type: 'json' };
-import { default as secp256r1_sha3_512_test } from './wycheproof/ecdsa_secp256r1_sha3_512_test.json' assert { type: 'json' };
-import { default as secp256r1_sha512_test } from './wycheproof/ecdsa_secp256r1_sha512_test.json' assert { type: 'json' };
-
-import { default as secp384r1_sha384_test } from './wycheproof/ecdsa_secp384r1_sha384_test.json' assert { type: 'json' };
-import { default as secp384r1_sha3_384_test } from './wycheproof/ecdsa_secp384r1_sha3_384_test.json' assert { type: 'json' };
-import { default as secp384r1_sha3_512_test } from './wycheproof/ecdsa_secp384r1_sha3_512_test.json' assert { type: 'json' };
-import { default as secp384r1_sha512_test } from './wycheproof/ecdsa_secp384r1_sha512_test.json' assert { type: 'json' };
-
-import { default as secp521r1_sha3_512_test } from './wycheproof/ecdsa_secp521r1_sha3_512_test.json' assert { type: 'json' };
-import { default as secp521r1_sha512_test } from './wycheproof/ecdsa_secp521r1_sha512_test.json' assert { type: 'json' };
-
-import { sha3_224, sha3_256, sha3_384, sha3_512 } from '@noble/hashes/sha3';
-import { sha512, sha384 } from '@noble/hashes/sha512';
-import { sha256 } from '@noble/hashes/sha256';
-
-const WYCHEPROOF_ECDSA = {
-  P224: {
-    curve: P224,
-    hashes: {
-      // sha224 not released yet
-      // sha224: {
-      //   hash: sha224,
-      //   tests: [secp224r1_sha224_test],
-      // },
-      sha256: {
-        hash: sha256,
-        tests: [secp224r1_sha256_test],
-      },
-      sha3_224: {
-        hash: sha3_224,
-        tests: [secp224r1_sha3_224_test],
-      },
-      sha3_256: {
-        hash: sha3_256,
-        tests: [secp224r1_sha3_256_test],
-      },
-      sha3_512: {
-        hash: sha3_512,
-        tests: [secp224r1_sha3_512_test],
-      },
-      sha512: {
-        hash: sha512,
-        tests: [secp224r1_sha512_test],
-      },
-    },
-  },
-  secp256k1: {
-    curve: secp256k1,
-    hashes: {
-      // TODO: debug why fails, can be bug
-      sha256: {
-        hash: sha256,
-        tests: [secp256k1_sha256_test],
-      },
-      sha3_256: {
-        hash: sha3_256,
-        tests: [secp256k1_sha3_256_test],
-      },
-      sha3_512: {
-        hash: sha3_512,
-        tests: [secp256k1_sha3_512_test],
-      },
-      sha512: {
-        hash: sha512,
-        tests: [secp256k1_sha512_test],
-      },
-    },
-  },
-  P256: {
-    curve: P256,
-    hashes: {
-      sha256: {
-        hash: sha256,
-        tests: [secp256r1_sha256_test],
-      },
-      sha3_256: {
-        hash: sha3_256,
-        tests: [secp256r1_sha3_256_test],
-      },
-      sha3_512: {
-        hash: sha3_512,
-        tests: [secp256r1_sha3_512_test],
-      },
-      sha512: {
-        hash: sha512,
-        tests: [secp256r1_sha512_test],
-      },
-    },
-  },
-  P384: {
-    curve: P384,
-    hashes: {
-      sha384: {
-        hash: sha384,
-        tests: [secp384r1_sha384_test],
-      },
-      sha3_384: {
-        hash: sha3_384,
-        tests: [secp384r1_sha3_384_test],
-      },
-      sha3_512: {
-        hash: sha3_512,
-        tests: [secp384r1_sha3_512_test],
-      },
-      sha512: {
-        hash: sha512,
-        tests: [secp384r1_sha512_test],
-      },
-    },
-  },
-  P521: {
-    curve: P521,
-    hashes: {
-      sha3_512: {
-        hash: sha3_512,
-        tests: [secp521r1_sha3_512_test],
-      },
-      sha512: {
-        hash: sha512,
-        tests: [secp521r1_sha512_test],
-      },
-    },
-  },
-};
-
-function runWycheproof(name, CURVE, group, index) {
-  const pubKey = CURVE.Point.fromHex(group.key.uncompressed);
-  deepStrictEqual(pubKey.x, BigInt(`0x${group.key.wx}`));
-  deepStrictEqual(pubKey.y, BigInt(`0x${group.key.wy}`));
-  for (const test of group.tests) {
-    const m = CURVE.CURVE.hash(hexToBytes(test.msg));
-
-    if (test.result === 'valid' || test.result === 'acceptable') {
-      try {
-        CURVE.Signature.fromDER(test.sig);
-      } catch (e) {
-        // Some tests has invalid signature which we don't accept
-        if (e.message.includes('Invalid signature: incorrect length')) continue;
-        throw e;
-      }
-      const verified = CURVE.verify(test.sig, m, pubKey);
-      if (name === 'secp256k1') {
-        // lowS: true for secp256k1
-        deepStrictEqual(verified, !CURVE.Signature.fromDER(test.sig).hasHighS(), `${index}: valid`);
-      } else {
-        deepStrictEqual(verified, true, `${index}: valid`);
-      }
-
-    } else if (test.result === 'invalid') {
-      let failed = false;
-      try {
-        failed = !CURVE.verify(test.sig, m, pubKey);
-      } catch (error) {
-        failed = true;
-      }
-      deepStrictEqual(failed, true, `${index}: invalid`);
-    } else throw new Error('unknown test result');
-  }
-}
-
-for (const name in WYCHEPROOF_ECDSA) {
-  const { curve, hashes } = WYCHEPROOF_ECDSA[name];
-  for (const hName in hashes) {
-    const { hash, tests } = hashes[hName];
-    const CURVE = curve.create(hash);
-    should(`Wycheproof/WYCHEPROOF_ECDSA ${name}/${hName}`, () => {
-      for (let i = 0; i < tests.length; i++) {
-        const groups = tests[i].testGroups;
-        for (let j = 0; j < groups.length; j++) {
-          const group = groups[j];
-          runWycheproof(name, CURVE, group, `${i}/${j}`);
-        }
-      }
-    });
-  }
-}
-
-const hexToBigint = (hex) => BigInt(`0x${hex}`);
-should('RFC6979', () => {
-  for (const v of rfc6979) {
-    const curve = NIST[v.curve];
-    deepStrictEqual(curve.CURVE.n, hexToBigint(v.q));
-    const pubKey = curve.getPublicKey(v.private);
-    const pubPoint = curve.Point.fromHex(pubKey);
-    deepStrictEqual(pubPoint.x, hexToBigint(v.Ux));
-    deepStrictEqual(pubPoint.y, hexToBigint(v.Uy));
-    for (const c of v.cases) {
-      const h = curve.CURVE.hash(c.message);
-      const sigObj = curve.sign(h, v.private);
-      deepStrictEqual(sigObj.r, hexToBigint(c.r), 'R');
-      deepStrictEqual(sigObj.s, hexToBigint(c.s), 'S');
-      deepStrictEqual(curve.verify(sigObj.toDERRawBytes(), h, pubKey), true, 'verify(1)');
-      deepStrictEqual(curve.verify(sigObj, h, pubKey), true, 'verify(2)');
-    }
-  }
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/secp256k1.test.js

@@ -1,534 +0,0 @@
-import * as fc from 'fast-check';
-import { secp256k1, schnorr } from '../lib/secp256k1.js';
-import { readFileSync } from 'fs';
-import { default as ecdsa } from './vectors/ecdsa.json' assert { type: 'json' };
-import { default as ecdh } from './vectors/ecdh.json' assert { type: 'json' };
-import { default as privates } from './vectors/privates.json' assert { type: 'json' };
-import { default as points } from './vectors/points.json' assert { type: 'json' };
-import { default as wp } from './vectors/wychenproof.json' assert { type: 'json' };
-import { should } from 'micro-should';
-import { deepStrictEqual, throws } from 'assert';
-import { hexToBytes, bytesToHex } from '@noble/hashes/utils';
-
-const hex = bytesToHex;
-const secp = secp256k1;
-const privatesTxt = readFileSync('./test/vectors/privates-2.txt', 'utf-8');
-const schCsv = readFileSync('./test/vectors/schnorr.csv', 'utf-8');
-
-const FC_BIGINT = fc.bigInt(1n + 1n, secp.CURVE.n - 1n);
-// prettier-ignore
-const INVALID_ITEMS = ['deadbeef', Math.pow(2, 53), [1], 'xyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxyxyzxyzxy', secp.CURVE.n + 2n];
-
-const toBEHex = (n) => n.toString(16).padStart(64, '0');
-
-function hexToNumber(hex) {
-  if (typeof hex !== 'string') {
-    throw new TypeError('hexToNumber: expected string, got ' + typeof hex);
-  }
-  // Big Endian
-  return BigInt(`0x${hex}`);
-}
-
-should('secp256k1.getPublicKey()', () => {
-  const data = privatesTxt
-    .split('\n')
-    .filter((line) => line)
-    .map((line) => line.split(':'));
-  for (let [priv, x, y] of data) {
-    const point = secp.Point.fromPrivateKey(BigInt(priv));
-    deepStrictEqual(toBEHex(point.x), x);
-    deepStrictEqual(toBEHex(point.y), y);
-
-    const point2 = secp.Point.fromHex(secp.getPublicKey(toBEHex(BigInt(priv))));
-    deepStrictEqual(toBEHex(point2.x), x);
-    deepStrictEqual(toBEHex(point2.y), y);
-
-    const point3 = secp.Point.fromHex(secp.getPublicKey(hexToBytes(toBEHex(BigInt(priv)))));
-    deepStrictEqual(toBEHex(point3.x), x);
-    deepStrictEqual(toBEHex(point3.y), y);
-  }
-});
-should('secp256k1.getPublicKey() rejects invalid keys', () => {
-  // for (const item of INVALID_ITEMS) {
-  //   throws(() => secp.getPublicKey(item));
-  // }
-});
-should('secp256k1.precompute', () => {
-  secp.utils.precompute(4);
-  const data = privatesTxt
-    .split('\n')
-    .filter((line) => line)
-    .map((line) => line.split(':'));
-  for (let [priv, x, y] of data) {
-    const point = secp.Point.fromPrivateKey(BigInt(priv));
-    deepStrictEqual(toBEHex(point.x), x);
-    deepStrictEqual(toBEHex(point.y), y);
-
-    const point2 = secp.Point.fromHex(secp.getPublicKey(toBEHex(BigInt(priv))));
-    deepStrictEqual(toBEHex(point2.x), x);
-    deepStrictEqual(toBEHex(point2.y), y);
-
-    const point3 = secp.Point.fromHex(secp.getPublicKey(hexToBytes(toBEHex(BigInt(priv)))));
-    deepStrictEqual(toBEHex(point3.x), x);
-    deepStrictEqual(toBEHex(point3.y), y);
-  }
-});
-
-should('secp256k1.Point.isValidPoint()', () => {
-  for (const vector of points.valid.isPoint) {
-    const { P, expected } = vector;
-    if (expected) {
-      secp.Point.fromHex(P);
-    } else {
-      throws(() => secp.Point.fromHex(P));
-    }
-  }
-});
-
-should('secp256k1.Point.fromPrivateKey()', () => {
-  for (const vector of points.valid.pointFromScalar) {
-    const { d, expected } = vector;
-    let p = secp.Point.fromPrivateKey(d);
-    deepStrictEqual(p.toHex(true), expected);
-  }
-});
-
-should('secp256k1.Point#toHex(compressed)', () => {
-  for (const vector of points.valid.pointCompress) {
-    const { P, compress, expected } = vector;
-    let p = secp.Point.fromHex(P);
-    deepStrictEqual(p.toHex(compress), expected);
-  }
-});
-
-should('secp256k1.Point#toHex() roundtrip (failed case)', () => {
-  const point1 =
-    secp.Point.fromPrivateKey(
-      88572218780422190464634044548753414301110513745532121983949500266768436236425n
-    );
-  // const hex = point1.toHex(true);
-  // deepStrictEqual(secp.Point.fromHex(hex).toHex(true), hex);
-});
-
-should('secp256k1.Point#toHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, (x) => {
-      const point1 = secp.Point.fromPrivateKey(x);
-      const hex = point1.toHex(true);
-      deepStrictEqual(secp.Point.fromHex(hex).toHex(true), hex);
-    })
-  );
-});
-
-should('secp256k1.Point#add(other)', () => {
-  for (const vector of points.valid.pointAdd) {
-    const { P, Q, expected } = vector;
-    let p = secp.Point.fromHex(P);
-    let q = secp.Point.fromHex(Q);
-    if (expected) {
-      deepStrictEqual(p.add(q).toHex(true), expected);
-    } else {
-      if (!p.equals(q.negate())) {
-        throws(() => p.add(q).toHex(true));
-      }
-    }
-  }
-});
-
-should('secp256k1.Point#multiply(privateKey)', () => {
-  for (const vector of points.valid.pointMultiply) {
-    const { P, d, expected } = vector;
-    const p = secp.Point.fromHex(P);
-    if (expected) {
-      deepStrictEqual(p.multiply(hexToNumber(d)).toHex(true), expected);
-    } else {
-      throws(() => {
-        p.multiply(hexToNumber(d)).toHex(true);
-      });
-    }
-  }
-
-  for (const vector of points.invalid.pointMultiply) {
-    const { P, d } = vector;
-    if (hexToNumber(d) < secp.CURVE.n) {
-      throws(() => {
-        const p = secp.Point.fromHex(P);
-        p.multiply(hexToNumber(d)).toHex(true);
-      });
-    }
-  }
-  for (const num of [0n, 0, -1n, -1, 1.1]) {
-    throws(() => secp.Point.BASE.multiply(num));
-  }
-});
-
-// multiply() should equal multiplyUnsafe()
-// should('JacobianPoint#multiplyUnsafe', () => {
-//   const p0 = new secp.JacobianPoint(
-//     55066263022277343669578718895168534326250603453777594175500187360389116729240n,
-//     32670510020758816978083085130507043184471273380659243275938904335757337482424n,
-//     1n
-//   );
-//   const z = 106011723082030650010038151861333186846790370053628296836951575624442507889495n;
-//   console.log(p0.multiply(z));
-//   console.log(secp.JacobianPoint.normalizeZ([p0.multiplyUnsafe(z)])[0])
-// });
-
-should('secp256k1.Signature.fromCompactHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
-      const sig = new secp.Signature(r, s);
-      deepStrictEqual(secp.Signature.fromCompact(sig.toCompactHex()), sig);
-    })
-  );
-});
-
-should('secp256k1.Signature.fromDERHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
-      const sig = new secp.Signature(r, s);
-      deepStrictEqual(secp.Signature.fromDER(sig.toDERHex()), sig);
-    })
-  );
-});
-
-should('secp256k1.sign()/should create deterministic signatures with RFC 6979', () => {
-  for (const vector of ecdsa.valid) {
-    let usig = secp.sign(vector.m, vector.d);
-    let sig = usig.toCompactHex();
-    const vsig = vector.signature;
-    deepStrictEqual(sig.slice(0, 64), vsig.slice(0, 64));
-    deepStrictEqual(sig.slice(64, 128), vsig.slice(64, 128));
-  }
-});
-
-should('secp256k1.sign()/should not create invalid deterministic signatures with RFC 6979', () => {
-  for (const vector of ecdsa.invalid.sign) {
-    throws(() => secp.sign(vector.m, vector.d));
-  }
-});
-
-should('secp256k1.sign()/edge cases', () => {
-  throws(() => secp.sign());
-  throws(() => secp.sign(''));
-});
-
-should('secp256k1.sign()/should create correct DER encoding against libsecp256k1', () => {
-  const CASES = [
-    [
-      'd1a9dc8ed4e46a6a3e5e594615ca351d7d7ef44df1e4c94c1802f3592183794b',
-      '304402203de2559fccb00c148574997f660e4d6f40605acc71267ee38101abf15ff467af02200950abdf40628fd13f547792ba2fc544681a485f2fdafb5c3b909a4df7350e6b',
-    ],
-    [
-      '5f97983254982546d3976d905c6165033976ee449d300d0e382099fa74deaf82',
-      '3045022100c046d9ff0bd2845b9aa9dff9f997ecebb31e52349f80fe5a5a869747d31dcb88022011f72be2a6d48fe716b825e4117747b397783df26914a58139c3f4c5cbb0e66c',
-    ],
-    [
-      '0d7017a96b97cd9be21cf28aada639827b2814a654a478c81945857196187808',
-      '3045022100d18990bba7832bb283e3ecf8700b67beb39acc73f4200ed1c331247c46edccc602202e5c8bbfe47ae159512c583b30a3fa86575cddc62527a03de7756517ae4c6c73',
-    ],
-  ];
-  const privKey = hexToBytes('0101010101010101010101010101010101010101010101010101010101010101');
-  for (const [msg, exp] of CASES) {
-    const res = secp.sign(msg, privKey, { extraEntropy: undefined });
-    deepStrictEqual(res.toDERHex(), exp);
-    const rs = secp.Signature.fromDER(res.toDERHex()).toCompactHex();
-    deepStrictEqual(secp.Signature.fromCompact(rs).toDERHex(), exp);
-  }
-});
-should('secp256k1.sign()/sign ecdsa extraData', () => {
-  const ent1 = '0000000000000000000000000000000000000000000000000000000000000000';
-  const ent2 = '0000000000000000000000000000000000000000000000000000000000000001';
-  const ent3 = '6e723d3fd94ed5d2b6bdd4f123364b0f3ca52af829988a63f8afe91d29db1c33';
-  const ent4 = 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141';
-  const ent5 = 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff';
-
-  for (const e of ecdsa.extraEntropy) {
-    const sign = (extraEntropy) => {
-      const s = secp.sign(e.m, e.d, { extraEntropy }).toCompactHex();
-      return s;
-    };
-    deepStrictEqual(sign(), e.signature);
-    deepStrictEqual(sign(ent1), e.extraEntropy0);
-    deepStrictEqual(sign(ent2), e.extraEntropy1);
-    deepStrictEqual(sign(ent3), e.extraEntropyRand);
-    deepStrictEqual(sign(ent4), e.extraEntropyN);
-    deepStrictEqual(sign(ent5), e.extraEntropyMax);
-  }
-});
-
-should('secp256k1.verify()/should verify signature', () => {
-  const MSG = '01'.repeat(32);
-  const PRIV_KEY = 0x2n;
-  const signature = secp.sign(MSG, PRIV_KEY);
-  const publicKey = secp.getPublicKey(PRIV_KEY);
-  deepStrictEqual(publicKey.length, 65);
-  deepStrictEqual(secp.verify(signature, MSG, publicKey), true);
-});
-should('secp256k1.verify()/should not verify signature with wrong public key', () => {
-  const MSG = '01'.repeat(32);
-  const PRIV_KEY = 0x2n;
-  const WRONG_PRIV_KEY = 0x22n;
-  const signature = secp.sign(MSG, PRIV_KEY);
-  const publicKey = secp.Point.fromPrivateKey(WRONG_PRIV_KEY).toHex();
-  deepStrictEqual(publicKey.length, 130);
-  deepStrictEqual(secp.verify(signature, MSG, publicKey), false);
-});
-should('secp256k1.verify()/should not verify signature with wrong hash', () => {
-  const MSG = '01'.repeat(32);
-  const PRIV_KEY = 0x2n;
-  const WRONG_MSG = '11'.repeat(32);
-  const signature = secp.sign(MSG, PRIV_KEY);
-  const publicKey = secp.getPublicKey(PRIV_KEY);
-  deepStrictEqual(publicKey.length, 65);
-  deepStrictEqual(secp.verify(signature, WRONG_MSG, publicKey), false);
-});
-should('secp256k1.verify()/should verify random signatures', () =>
-  fc.assert(
-    fc.property(FC_BIGINT, fc.hexaString({ minLength: 64, maxLength: 64 }), (privKey, msg) => {
-      const pub = secp.getPublicKey(privKey);
-      const sig = secp.sign(msg, privKey);
-      deepStrictEqual(secp.verify(sig, msg, pub), true);
-    })
-  )
-);
-should('secp256k1.verify()/should not verify signature with invalid r/s', () => {
-  const msg = new Uint8Array([
-    0xbb, 0x5a, 0x52, 0xf4, 0x2f, 0x9c, 0x92, 0x61, 0xed, 0x43, 0x61, 0xf5, 0x94, 0x22, 0xa1, 0xe3,
-    0x00, 0x36, 0xe7, 0xc3, 0x2b, 0x27, 0x0c, 0x88, 0x07, 0xa4, 0x19, 0xfe, 0xca, 0x60, 0x50, 0x23,
-  ]);
-  const x = 100260381870027870612475458630405506840396644859280795015145920502443964769584n;
-  const y = 41096923727651821103518389640356553930186852801619204169823347832429067794568n;
-  const r = 1n;
-  const s = 115792089237316195423570985008687907852837564279074904382605163141518162728904n;
-
-  const pub = new secp.Point(x, y);
-  const signature = new secp.Signature(2n, 2n);
-  signature.r = r;
-  signature.s = s;
-
-  const verified = secp.verify(signature, msg, pub);
-  // Verifies, but it shouldn't, because signature S > curve order
-  deepStrictEqual(verified, false);
-});
-should('secp256k1.verify()/should not verify msg = curve order', () => {
-  const msg = 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141';
-  const x = 55066263022277343669578718895168534326250603453777594175500187360389116729240n;
-  const y = 32670510020758816978083085130507043184471273380659243275938904335757337482424n;
-  const r = 104546003225722045112039007203142344920046999340768276760147352389092131869133n;
-  const s = 96900796730960181123786672629079577025401317267213807243199432755332205217369n;
-  const pub = new secp.Point(x, y);
-  const sig = new secp.Signature(r, s);
-  deepStrictEqual(secp.verify(sig, msg, pub), false);
-});
-should('secp256k1.verify()/should verify non-strict msg bb5a...', () => {
-  const msg = 'bb5a52f42f9c9261ed4361f59422a1e30036e7c32b270c8807a419feca605023';
-  const x = 3252872872578928810725465493269682203671229454553002637820453004368632726370n;
-  const y = 17482644437196207387910659778872952193236850502325156318830589868678978890912n;
-  const r = 432420386565659656852420866390673177323n;
-  const s = 115792089237316195423570985008687907852837564279074904382605163141518161494334n;
-  const pub = new secp.Point(x, y);
-  const sig = new secp.Signature(r, s);
-  deepStrictEqual(secp.verify(sig, msg, pub, { strict: false }), true);
-});
-should(
-  'secp256k1.verify()/should not verify invalid deterministic signatures with RFC 6979',
-  () => {
-    for (const vector of ecdsa.invalid.verify) {
-      const res = secp.verify(vector.signature, vector.m, vector.Q);
-      deepStrictEqual(res, false);
-    }
-  }
-);
-
-// index,secret key,public key,aux_rand,message,signature,verification result,comment
-const vectors = schCsv
-  .split('\n')
-  .map((line) => line.split(','))
-  .slice(1, -1);
-for (let vec of vectors) {
-  const [index, sec, pub, rnd, msg, expSig, passes, comment] = vec;
-  should(`sign with Schnorr scheme vector ${index}`, () => {
-    if (sec) {
-      deepStrictEqual(hex(schnorr.getPublicKey(sec)), pub.toLowerCase());
-      const sig = schnorr.sign(msg, sec, rnd);
-      deepStrictEqual(hex(sig), expSig.toLowerCase());
-      deepStrictEqual(schnorr.verify(sig, msg, pub), true);
-    } else {
-      const passed = schnorr.verify(expSig, msg, pub);
-      deepStrictEqual(passed, passes === 'TRUE');
-    }
-  });
-}
-
-should('secp256k1.recoverPublicKey()/should recover public key from recovery bit', () => {
-  const message = '00000000000000000000000000000000000000000000000000000000deadbeef';
-  const privateKey = 123456789n;
-  const publicKey = secp.Point.fromHex(secp.getPublicKey(privateKey)).toHex(false);
-  const sig = secp.sign(message, privateKey);
-  const recoveredPubkey = sig.recoverPublicKey(message);
-  // const recoveredPubkey = secp.recoverPublicKey(message, signature, recovery);
-  deepStrictEqual(recoveredPubkey !== null, true);
-  deepStrictEqual(recoveredPubkey.toHex(), publicKey);
-  deepStrictEqual(secp.verify(sig, message, publicKey), true);
-});
-should('secp256k1.recoverPublicKey()/should not recover zero points', () => {
-  const msgHash = '6b8d2c81b11b2d699528dde488dbdf2f94293d0d33c32e347f255fa4a6c1f0a9';
-  const sig =
-    '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f817986b8d2c81b11b2d699528dde488dbdf2f94293d0d33c32e347f255fa4a6c1f0a9';
-  const recovery = 0;
-  throws(() => secp.recoverPublicKey(msgHash, sig, recovery));
-});
-should('secp256k1.recoverPublicKey()/should handle all-zeros msghash', () => {
-  const privKey = secp.utils.randomPrivateKey();
-  const pub = secp.getPublicKey(privKey);
-  const zeros = '0000000000000000000000000000000000000000000000000000000000000000';
-  const sig = secp.sign(zeros, privKey, { recovered: true });
-  const recoveredKey = sig.recoverPublicKey(zeros);
-  deepStrictEqual(recoveredKey.toRawBytes(), pub);
-});
-should('secp256k1.recoverPublicKey()/should handle RFC 6979 vectors', () => {
-  for (const vector of ecdsa.valid) {
-    if (secp.utils.mod(hexToNumber(vector.m), secp.CURVE.n) === 0n) continue;
-    let usig = secp.sign(vector.m, vector.d);
-    let sig = usig.toDERHex();
-    const vpub = secp.getPublicKey(vector.d);
-    const recovered = usig.recoverPublicKey(vector.m);
-    deepStrictEqual(recovered.toHex(), hex(vpub));
-  }
-});
-
-// TODO: Real implementation.
-function derToPub(der) {
-  return der.slice(46);
-}
-should('secp256k1.getSharedSecret()/should produce correct results', () => {
-  // TODO: Once der is there, run all tests.
-  for (const vector of ecdh.testGroups[0].tests.slice(0, 230)) {
-    if (vector.result === 'invalid' || vector.private.length !== 64) {
-      // We support eth-like hexes
-      if (vector.private.length < 64) continue;
-      throws(() => {
-        secp.getSharedSecret(vector.private, derToPub(vector.public), true);
-      });
-    } else if (vector.result === 'valid') {
-      const res = secp.getSharedSecret(vector.private, derToPub(vector.public), true);
-      deepStrictEqual(hex(res.slice(1)), `${vector.shared}`);
-    }
-  }
-});
-should('secp256k1.getSharedSecret()/priv/pub order matters', () => {
-  for (const vector of ecdh.testGroups[0].tests.slice(0, 100)) {
-    if (vector.result === 'valid') {
-      let priv = vector.private;
-      priv = priv.length === 66 ? priv.slice(2) : priv;
-      throws(() => secp.getSharedSecret(derToPub(vector.public), priv, true));
-    }
-  }
-});
-should('secp256k1.getSharedSecret()/rejects invalid keys', () => {
-  throws(() => secp.getSharedSecret('01', '02'));
-});
-
-should('secp256k1.utils.isValidPrivateKey()', () => {
-  for (const vector of privates.valid.isPrivate) {
-    const { d, expected } = vector;
-    deepStrictEqual(secp.utils.isValidPrivateKey(d), expected);
-  }
-});
-const normal = secp.utils._normalizePrivateKey;
-const tweakUtils = {
-  privateAdd: (privateKey, tweak) => {
-    const p = normal(privateKey);
-    const t = normal(tweak);
-    return secp.utils._bigintToBytes(secp.utils.mod(p + t, secp.CURVE.n));
-  },
-
-  privateNegate: (privateKey) => {
-    const p = normal(privateKey);
-    return secp.utils._bigintToBytes(secp.CURVE.n - p);
-  },
-
-  pointAddScalar: (p, tweak, isCompressed) => {
-    const P = secp.Point.fromHex(p);
-    const t = normal(tweak);
-    const Q = secp.Point.BASE.multiplyAndAddUnsafe(P, t, 1n);
-    if (!Q) throw new Error('Tweaked point at infinity');
-    return Q.toRawBytes(isCompressed);
-  },
-
-  pointMultiply: (p, tweak, isCompressed) => {
-    const P = secp.Point.fromHex(p);
-    const h = typeof tweak === 'string' ? tweak : bytesToHex(tweak);
-    const t = BigInt(`0x${h}`);
-    return P.multiply(t).toRawBytes(isCompressed);
-  },
-};
-
-should('secp256k1.privateAdd()', () => {
-  for (const vector of privates.valid.add) {
-    const { a, b, expected } = vector;
-    deepStrictEqual(bytesToHex(tweakUtils.privateAdd(a, b)), expected);
-  }
-});
-should('secp256k1.privateNegate()', () => {
-  for (const vector of privates.valid.negate) {
-    const { a, expected } = vector;
-    deepStrictEqual(bytesToHex(tweakUtils.privateNegate(a)), expected);
-  }
-});
-should('secp256k1.pointAddScalar()', () => {
-  for (const vector of points.valid.pointAddScalar) {
-    const { description, P, d, expected } = vector;
-    const compressed = !!expected && expected.length === 66; // compressed === 33 bytes
-    deepStrictEqual(bytesToHex(tweakUtils.pointAddScalar(P, d, compressed)), expected);
-  }
-});
-should('secp256k1.pointAddScalar() invalid', () => {
-  for (const vector of points.invalid.pointAddScalar) {
-    const { P, d, exception } = vector;
-    throws(() => tweakUtils.pointAddScalar(P, d));
-  }
-});
-should('secp256k1.pointMultiply()', () => {
-  for (const vector of points.valid.pointMultiply) {
-    const { P, d, expected } = vector;
-    deepStrictEqual(bytesToHex(tweakUtils.pointMultiply(P, d, true)), expected);
-  }
-});
-should('secp256k1.pointMultiply() invalid', () => {
-  for (const vector of points.invalid.pointMultiply) {
-    const { P, d, exception } = vector;
-    throws(() => tweakUtils.pointMultiply(P, d));
-  }
-});
-
-should('secp256k1.wychenproof vectors', () => {
-  for (let group of wp.testGroups) {
-    const pubKey = secp.Point.fromHex(group.key.uncompressed);
-    for (let test of group.tests) {
-      const m = secp.CURVE.hash(hexToBytes(test.msg));
-      if (test.result === 'valid' || test.result === 'acceptable') {
-        const verified = secp.verify(test.sig, m, pubKey);
-        if (secp.Signature.fromDER(test.sig).hasHighS()) {
-          deepStrictEqual(verified, false);
-        } else {
-          deepStrictEqual(verified, true);
-        }
-      } else if (test.result === 'invalid') {
-        let failed = false;
-        try {
-          const verified = secp.verify(test.sig, m, pubKey);
-          if (!verified) failed = true;
-        } catch (error) {
-          failed = true;
-        }
-        deepStrictEqual(failed, true);
-      } else {
-        deepStrictEqual(false, true);
-      }
-    }
-  }
-});
-
-should.run();

curve-definitions/test/stark/basic.test.js

@@ -1,200 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import * as starknet from '../../lib/stark.js';
-import { default as issue2 } from './fixtures/issue2.json' assert { type: 'json' };
-
-should('Basic elliptic sanity check', () => {
-  const g1 = starknet.Point.BASE;
-  deepStrictEqual(
-    g1.x.toString(16),
-    '1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca'
-  );
-  deepStrictEqual(
-    g1.y.toString(16),
-    '5668060aa49730b7be4801df46ec62de53ecd11abe43a32873000c36e8dc1f'
-  );
-  const g2 = g1.double();
-  deepStrictEqual(
-    g2.x.toString(16),
-    '759ca09377679ecd535a81e83039658bf40959283187c654c5416f439403cf5'
-  );
-  deepStrictEqual(
-    g2.y.toString(16),
-    '6f524a3400e7708d5c01a28598ad272e7455aa88778b19f93b562d7a9646c41'
-  );
-  const g3 = g2.add(g1);
-  deepStrictEqual(
-    g3.x.toString(16),
-    '411494b501a98abd8262b0da1351e17899a0c4ef23dd2f96fec5ba847310b20'
-  );
-  deepStrictEqual(
-    g3.y.toString(16),
-    '7e1b3ebac08924d2c26f409549191fcf94f3bf6f301ed3553e22dfb802f0686'
-  );
-  const g32 = g1.multiply(3);
-  deepStrictEqual(
-    g32.x.toString(16),
-    '411494b501a98abd8262b0da1351e17899a0c4ef23dd2f96fec5ba847310b20'
-  );
-  deepStrictEqual(
-    g32.y.toString(16),
-    '7e1b3ebac08924d2c26f409549191fcf94f3bf6f301ed3553e22dfb802f0686'
-  );
-  const minus1 = g1.multiply(starknet.CURVE.n - 1n);
-  deepStrictEqual(
-    minus1.x.toString(16),
-    '1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca'
-  );
-  deepStrictEqual(
-    minus1.y.toString(16),
-    '7a997f9f55b68e04841b7fe20b9139d21ac132ee541bc5cd78cfff3c91723e2'
-  );
-});
-
-should('Pedersen', () => {
-  deepStrictEqual(
-    starknet.pedersen(2, 3),
-    '0x5774fa77b3d843ae9167abd61cf80365a9b2b02218fc2f628494b5bdc9b33b8'
-  );
-  deepStrictEqual(
-    starknet.pedersen(1, 2),
-    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
-  );
-  deepStrictEqual(
-    starknet.pedersen(3, 4),
-    '0x262697b88544f733e5c6907c3e1763131e9f14c51ee7951258abbfb29415fbf'
-  );
-});
-
-should('Hash chain', () => {
-  deepStrictEqual(
-    starknet.hashChain([1, 2, 3]),
-    '0x5d9d62d4040b977c3f8d2389d494e4e89a96a8b45c44b1368f1cc6ec5418915'
-  );
-});
-
-should('Pedersen hash edgecases', () => {
-  // >>> pedersen_hash(0,0)
-  const zero = '0x49ee3eba8c1600700ee1b87eb599f16716b0b1022947733551fde4050ca6804';
-  deepStrictEqual(starknet.pedersen(0, 0), zero);
-  deepStrictEqual(starknet.pedersen(0n, 0n), zero);
-  deepStrictEqual(starknet.pedersen('0', '0'), zero);
-  deepStrictEqual(starknet.pedersen('0x0', '0x0'), zero);
-  // >>> pedersen_hash(3618502788666131213697322783095070105623107215331596699973092056135872020475,3618502788666131213697322783095070105623107215331596699973092056135872020475)
-  // 3226051580231087455100099637526672350308978851161639703631919449959447036451
-  const big = 3618502788666131213697322783095070105623107215331596699973092056135872020475n;
-  const bigExp = '0x721e167a36655994e88efa865e2ed8a0488d36db4d988fec043cda755728223';
-  deepStrictEqual(starknet.pedersen(big, big), bigExp);
-  // >= FIELD
-  const big2 = 36185027886661312136973227830950701056231072153315966999730920561358720204751n;
-  throws(() => starknet.pedersen(big2, big2), 'big2');
-
-  // FIELD -1
-  const big3 = 3618502788666131213697322783095070105623107215331596699973092056135872020480n;
-  const big3exp = '0x7258fccaf3371fad51b117471d9d888a1786c5694c3e6099160477b593a576e';
-  deepStrictEqual(starknet.pedersen(big3, big3), big3exp, 'big3');
-  // FIELD
-  const big4 = 3618502788666131213697322783095070105623107215331596699973092056135872020481n;
-  throws(() => starknet.pedersen(big4, big4), 'big4');
-  throws(() => starknet.pedersen(-1, -1), 'neg');
-  throws(() => starknet.pedersen(false, false), 'false');
-  throws(() => starknet.pedersen(true, true), 'true');
-  throws(() => starknet.pedersen(10.1, 10.1), 'float');
-});
-
-should('hashChain edgecases', () => {
-  deepStrictEqual(starknet.hashChain([32312321312321312312312321n]), '0x1aba6672c014b4838cc201');
-  deepStrictEqual(
-    starknet.hashChain([1n, 2n]),
-    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
-  );
-  deepStrictEqual(
-    starknet.hashChain([1, 2]),
-    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
-  );
-  throws(() => starknet.hashChain([]));
-  throws(() => starknet.hashChain('123'));
-  deepStrictEqual(
-    starknet.hashChain([1, 2]),
-    '0x5bb9440e27889a364bcb678b1f679ecd1347acdedcbf36e83494f857cc58026'
-  );
-});
-
-should('Pedersen hash, issue #2', () => {
-  // Verified with starnet.js
-  deepStrictEqual(
-    starknet.computeHashOnElements(issue2),
-    '0x22064462ea33a6ce5272a295e0f551c5da3834f80d8444e7a4df68190b1bc42'
-  );
-  deepStrictEqual(
-    starknet.computeHashOnElements([]),
-    '0x49ee3eba8c1600700ee1b87eb599f16716b0b1022947733551fde4050ca6804'
-  );
-  deepStrictEqual(
-    starknet.computeHashOnElements([1]),
-    '0x78d74f61aeaa8286418fd34b3a12a610445eba11d00ecc82ecac2542d55f7a4'
-  );
-});
-
-import * as bip32 from '@scure/bip32';
-import * as bip39 from '@scure/bip39';
-
-should('Seed derivation (example)', () => {
-  const layer = 'starkex';
-  const application = 'starkdeployement';
-  const mnemonic =
-    'range mountain blast problem vibrant void vivid doctor cluster enough melody ' +
-    'salt layer language laptop boat major space monkey unit glimpse pause change vibrant';
-  const ethAddress = '0xa4864d977b944315389d1765ffa7e66F74ee8cd7';
-  const hdKey = bip32.HDKey.fromMasterSeed(bip39.mnemonicToSeedSync(mnemonic)).derive(
-    starknet.getAccountPath(layer, application, ethAddress, 0)
-  );
-  deepStrictEqual(
-    starknet.grindKey(hdKey.privateKey),
-    '6cf0a8bf113352eb863157a45c5e5567abb34f8d32cddafd2c22aa803f4892c'
-  );
-});
-
-should('Compressed keys', () => {
-  const G = starknet.Point.BASE;
-  const half = starknet.CURVE.n / 2n;
-  const last = starknet.CURVE.n;
-  const vectors = [
-    1,
-    2,
-    3,
-    4,
-    5,
-    half - 5n,
-    half - 4n,
-    half - 3n,
-    half - 2n,
-    half - 1n,
-    half,
-    half + 1n,
-    half + 2n,
-    half + 3n,
-    half + 4n,
-    half + 5n,
-    last - 5n,
-    last - 4n,
-    last - 3n,
-    last - 2n,
-    last - 1n,
-  ].map((i) => G.multiply(i));
-  const fixPoint = (pt) => ({ ...pt, _WINDOW_SIZE: undefined });
-  for (const v of vectors) {
-    const uncompressed = v.toHex();
-    const compressed = v.toHex(true);
-    const exp = fixPoint(v);
-    deepStrictEqual(fixPoint(starknet.Point.fromHex(uncompressed)), exp);
-    deepStrictEqual(fixPoint(starknet.Point.fromHex(compressed)), exp);
-    deepStrictEqual(starknet.Point.fromHex(compressed).toHex(), uncompressed);
-  }
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/stark/benchmark/index.js

@@ -1,57 +0,0 @@
-import * as microStark from '../../../lib/stark.js';
-import * as starkwareCrypto from '@starkware-industries/starkware-crypto-utils';
-import * as bench from 'micro-bmark';
-const { run, mark } = bench; // or bench.mark
-
-const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
-const msgHash = 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47';
-const keyPair = starkwareCrypto.default.ec.keyFromPrivate(privateKey, 'hex');
-const publicKeyStark = starkwareCrypto.default.ec.keyFromPublic(
-  keyPair.getPublic(true, 'hex'),
-  'hex'
-);
-const publicKeyMicro = microStark.getPublicKey(privateKey);
-
-const FNS = {
-  pedersenHash: {
-    samples: 250,
-    starkware: () =>
-      starkwareCrypto.default.pedersen([
-        '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
-        '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a',
-      ]),
-    'micro-starknet': () =>
-      microStark.pedersen(
-        '3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
-        '208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
-      ),
-  },
-  signVerify: {
-    samples: 500,
-    starkware: () =>
-      starkwareCrypto.default.verify(
-        publicKeyStark,
-        msgHash,
-        starkwareCrypto.default.sign(keyPair, msgHash)
-      ),
-    'micro-starknet': () =>
-      microStark.verify(microStark.sign(msgHash, privateKey), msgHash, publicKeyMicro),
-  },
-};
-
-const main = () =>
-  run(async () => {
-    for (let [k, libs] of Object.entries(FNS)) {
-      console.log(`==== ${k} ====`);
-      for (const [lib, fn] of Object.entries(libs)) {
-        if (lib === 'samples') continue;
-        let title = `${k} (${lib})`;
-        await mark(title, libs.samples, () => fn());
-      }
-      console.log();
-    }
-    // Log current RAM
-    bench.logMem();
-  });
-
-main();

curve-definitions/test/stark/benchmark/package.json

@@ -1,19 +0,0 @@
-{
-    "name": "benchmark",
-    "private": true,
-    "version": "0.1.0",
-    "description": "benchmarks",
-    "main": "index.js",
-    "type": "module",
-    "scripts": {
-        "bench": "node index.js"
-    },
-    "keywords": [],
-    "author": "",
-    "license": "MIT",
-    "devDependencies": {
-        "@starkware-industries/starkware-crypto-utils": "^0.0.2",
-        "micro-bmark": "0.2.0",
-        "micro-should": "0.2.0"
-    }
-}

curve-definitions/test/stark/fixtures/keys_precomputed.json

@@ -1,32 +0,0 @@
-{
-    "0x1": "0x1ef15c18599971b7beced415a40f0c7deacfd9b0d1819e03d723d8bc943cfca",
-    "0x2": "0x759ca09377679ecd535a81e83039658bf40959283187c654c5416f439403cf5",
-    "0x3": "0x411494b501a98abd8262b0da1351e17899a0c4ef23dd2f96fec5ba847310b20",
-    "0x4": "0xa7da05a4d664859ccd6e567b935cdfbfe3018c7771cb980892ef38878ae9bc",
-    "0x5": "0x788435d61046d3eec54d77d25bd194525f4fa26ebe6575536bc6f656656b74c",
-    "0x6": "0x1efc3d7c9649900fcbd03f578a8248d095bc4b6a13b3c25f9886ef971ff96fa",
-    "0x7": "0x743829e0a179f8afe223fc8112dfc8d024ab6b235fd42283c4f5970259ce7b7",
-    "0x8": "0x6eeee2b0c71d681692559735e08a2c3ba04e7347c0c18d4d49b83bb89771591",
-    "0x9": "0x216b4f076ff47e03a05032d1c6ee17933d8de8b2b4c43eb5ad5a7e1b25d3849",
-    "0x800000000000000000000000000000000000000000000000000000000000000": "0x5c79074e7f7b834c12c81a9bb0d46691a5e7517767a849d9d98cb84e2176ed2",
-    "0x800000000000000000000000000000000000000000000000000000000000001": "0x1c4f24e3bd16db0e2457bc005a9d61965105a535554c6b338871e34cb8e2d3a",
-    "0x800000000000000000000000000000000000000000000000000000000000002": "0xdfbb89b39288a9ddacf3942b4481b04d4fa2f8ed3c424757981cc6357f27ac",
-    "0x800000000000000000000000000000000000000000000000000000000000003": "0x41bef28265fd750b102f4f2d1e0231de7f4a33900a214f191a63d4fec4e72f4",
-    "0x800000000000000000000000000000000000000000000000000000000000004": "0x24de66eb164797d4b414e81ded0cfa1a592ef0a9363ebbcb440d4d03cb18af1",
-    "0x800000000000000000000000000000000000000000000000000000000000005": "0x5efb18c3bc9b69003746acc85fb6ee0cfbdc6adfb982f089cc63e1e5495daad",
-    "0x800000000000000000000000000000000000000000000000000000000000006": "0x10dc71f00918a8ebfe4085c834d41dd22b251b9f81eef8b9a4fab77e7e1afe9",
-    "0x800000000000000000000000000000000000000000000000000000000000007": "0x4267ebfd379b1c8caae73febc5920b0c95bd6f9f3536f47c5ddad1259c332ff",
-    "0x800000000000000000000000000000000000000000000000000000000000008": "0x6da515118c8e01fd5b2e96b814ee95bad7d60be4d2ba6b47e0d283f579d9671",
-    "0x800000000000000000000000000000000000000000000000000000000000009": "0x7a5b4797f4e56ed1473876bc2693fbe3f2fef7e050717cbae924ff23d426052",
-    "0x2e9c99d8382fa004dcbbee720aef8a97002de0e991f6a8344e6dc636a71b59e": "0x1ff6803ae740e7e596504ac5c6afbea472e53679361e214f12be0155b13e25d",
-    "0x8620458785138df8722214e073a91b8f55076ea78197cf41007692dd27fd90": "0x5967da40b90d7ca1e36dc4024381d7d4b403c6ac1a0ab358b0743984934a805",
-    "0x1b920e7dfb49ba5ada673882af5342e7448d3e9335e0ac37feb6280cd7289ce": "0x78c7ab46333968fbde3201cf512c1eeb5529360259072c459a158dee4449b57",
-    "0x704170dbfd5dc63caef69d2ce6dfc2b2dbb2af6e75851242bbe79fb6e62a118": "0x534bd8d6ebe4bb2f6992e2d7c19ef3146247e10c2849f357e44eddd283b2af6",
-    "0x4b58bf4228f39550eca59b5c96a0cb606036cc9495eef9a546f24f01b1b7829": "0x1097a8c5a46d94596f1c8e70ca66941f2bb11e3c8d4fd58fdc4589f09965be8",
-    "0x2e93226c90fb7a2381a24e940a94b98433e3553dcbf745d3f54d62963c75604": "0x369f0e8c8e984f244290267393a004dba435a4df091767ad5063fece7b1884c",
-    "0x4615f94598cd756ad1a551d7e57fd725916adfd0054eb773ceb482eef87d0b2": "0x1ee5b8d612102a2408cde59ce52a6498d2e38fe8789bb26d400dea310684ec9",
-    "0x6ade54b7debd7ca1d4e8e932f9545f8fa4024d73be1efcc86df86367fc333f8": "0x37de3bf52412b2fb9b0030d232ca9dd921cd8f71fd67975cdc62546826e121",
-    "0x618e7467dd24c2a3449c4df640439c12cdd0f8ea779afcee6e252b2cf494354": "0x71c2b578c432f2d305d3808bb645ecc46dd670cb43d4f4a076f75ccbff74fbc",
-    "0x7eae185e1f41ec76d214d763f0592f194933622a9dd5f3d52d0209f71619c1a": "0x2b0160052e70176e5b0ff2a6eff90896ae07b732fc27219e36e077735abd57e",
-    "0x178047D3869489C055D7EA54C014FFB834A069C9595186ABE04EA4D1223A03F": "0x1895a6a77ae14e7987b9cb51329a5adfb17bd8e7c638f92d6892d76e51cebcf"
-}

curve-definitions/test/stark/fixtures/rfc6979_signature_test_vector.json

@@ -1,57 +0,0 @@
-{
-  "private_key": "0x3c1e9550e66958296d11b60f8e8e7a7ad990d07fa65d5f7652c4a6c87d4e3cc",
-  "messages": [
-    {
-      "hash": "0x1",
-      "r": "3162358736122783857144396205516927012128897537504463716197279730251407200037",
-      "s": "1447067116407676619871126378936374427636662490882969509559888874644844560850"
-    },
-    {
-      "hash": "0x11",
-      "r": "2282960348362869237018441985726545922711140064809058182483721438101695251648",
-      "s": "2905868291002627709651322791912000820756370440695830310841564989426104902684"
-    },
-
-    {
-      "hash": "0x223",
-      "r": "2851492577225522862152785068304516872062840835882746625971400995051610132955",
-      "s": "2227464623243182122770469099770977514100002325017609907274766387592987135410"
-    },
-
-    {
-      "hash": "0x9999",
-      "r": "3551214266795401081823453828727326248401688527835302880992409448142527576296",
-      "s": "2580950807716503852408066180369610390914312729170066679103651110985466032285"
-    },
-
-    {
-      "hash": "0x387e76d1667c4454bfb835144120583af836f8e32a516765497d23eabe16b3f",
-      "r": "3518448914047769356425227827389998721396724764083236823647519654917215164512",
-      "s": "3042321032945513635364267149196358883053166552342928199041742035443537684462"
-    },
-
-    {
-      "hash": "0x3a7e76d1697c4455bfb835144120283af236f8e32a516765497d23eabe16b2",
-      "r": "2261926635950780594216378185339927576862772034098248230433352748057295357217",
-      "s": "2708700003762962638306717009307430364534544393269844487939098184375356178572"
-    },
-
-    {
-      "hash": "0xfa5f0cd1ebff93c9e6474379a213ba111f9e42f2f1cb361b0327e0737203",
-      "r": "3016953906936760149710218073693613509330129567629289734816320774638425763370",
-      "s": "306146275372136078470081798635201810092238376869367156373203048583896337506"
-    },
-
-    {
-      "hash": "0x4c1e9550e66958296d11b60f8e8e7f7ae99dd0cfa6bd5fa652c1a6c87d4e2cc",
-      "r": "3562728603055564208884290243634917206833465920158600288670177317979301056463",
-      "s": "1958799632261808501999574190111106370256896588537275453140683641951899459876"
-    },
-
-    {
-      "hash": "0x6362b40c218fb4c8a8bd42ca482145e8513b78e00faa0de76a98ba14fc37ae8",
-      "r": "3485557127492692423490706790022678621438670833185864153640824729109010175518",
-      "s": "897592218067946175671768586886915961592526001156186496738437723857225288280"
-    }
-  ]
-}

curve-definitions/test/stark/index.test.js

@@ -1,5 +0,0 @@
-
-import './basic.test.js';
-import './stark.test.js';
-import './property.test.js';
-

curve-definitions/test/stark/property.test.js

@@ -1,51 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import * as starknet from '../../lib/stark.js';
-import * as fc from 'fast-check';
-
-const FC_BIGINT = fc.bigInt(1n + 1n, starknet.CURVE.n - 1n);
-
-should('Point#toHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, (x) => {
-      const point1 = starknet.Point.fromPrivateKey(x);
-      const hex = point1.toHex(true);
-      deepStrictEqual(starknet.Point.fromHex(hex).toHex(true), hex);
-    })
-  );
-});
-
-should('Signature.fromCompactHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
-      const sig = new starknet.Signature(r, s);
-      deepStrictEqual(starknet.Signature.fromCompact(sig.toCompactHex()), sig);
-    })
-  );
-});
-
-should('Signature.fromDERHex() roundtrip', () => {
-  fc.assert(
-    fc.property(FC_BIGINT, FC_BIGINT, (r, s) => {
-      const sig = new starknet.Signature(r, s);
-      deepStrictEqual(starknet.Signature.fromDER(sig.toDERHex()), sig);
-    })
-  );
-});
-
-should('verify()/should verify random signatures', () =>
-  fc.assert(
-    fc.asyncProperty(FC_BIGINT, fc.hexaString({ minLength: 64, maxLength: 64 }), (privNum, msg) => {
-      const privKey = privNum.toString(16).padStart(64, '0');
-      const pub = starknet.getPublicKey(privKey);
-      const sig = starknet.sign(msg, privKey);
-      deepStrictEqual(starknet.verify(sig, msg, pub), true);
-    })
-  )
-);
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/stark/stark.test.js

@@ -1,286 +0,0 @@
-import { deepStrictEqual, throws } from 'assert';
-import { should } from 'micro-should';
-import { hex, utf8 } from '@scure/base';
-import * as bip32 from '@scure/bip32';
-import * as bip39 from '@scure/bip39';
-import * as starknet from '../../lib/stark.js';
-import { default as sigVec } from './fixtures/rfc6979_signature_test_vector.json' assert { type: 'json' };
-import { default as precomputedKeys } from './fixtures/keys_precomputed.json' assert { type: 'json' };
-
-should('Starknet keccak', () => {
-  const value = starknet.keccak(utf8.decode('hello'));
-  deepStrictEqual(value, 0x8aff950685c2ed4bc3174f3472287b56d9517b9c948127319a09a7a36deac8n);
-  deepStrictEqual(value < 2n ** 250n, true);
-});
-
-should('RFC6979', () => {
-  for (const msg of sigVec.messages) {
-    const { r, s } = starknet.sign(msg.hash, sigVec.private_key);
-    // const { r, s } = starknet.Signature.fromDER(sig);
-    deepStrictEqual(r.toString(10), msg.r);
-    deepStrictEqual(s.toString(10), msg.s);
-  }
-});
-
-should('Signatures', () => {
-  const vectors = [
-    {
-      // Message hash of length 61.
-      msg: 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47',
-      r: '5f496f6f210b5810b2711c74c15c05244dad43d18ecbbdbe6ed55584bc3b0a2',
-      s: '4e8657b153787f741a67c0666bad6426c3741b478c8eaa3155196fc571416f3',
-    },
-    {
-      // Message hash of length 61, with leading zeros.
-      msg: '00c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47',
-      r: '5f496f6f210b5810b2711c74c15c05244dad43d18ecbbdbe6ed55584bc3b0a2',
-      s: '4e8657b153787f741a67c0666bad6426c3741b478c8eaa3155196fc571416f3',
-    },
-    {
-      // Message hash of length 62.
-      msg: 'c465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47a',
-      r: '233b88c4578f0807b4a7480c8076eca5cfefa29980dd8e2af3c46a253490e9c',
-      s: '28b055e825bc507349edfb944740a35c6f22d377443c34742c04e0d82278cf1',
-    },
-    {
-      // Message hash of length 63.
-      msg: '7465dd6b1bbffdb05442eb17f5ca38ad1aa78a6f56bf4415bdee219114a47a1',
-      r: 'b6bee8010f96a723f6de06b5fa06e820418712439c93850dd4e9bde43ddf',
-      s: '1a3d2bc954ed77e22986f507d68d18115fa543d1901f5b4620db98e2f6efd80',
-    },
-  ];
-  const privateKey = '2dccce1da22003777062ee0870e9881b460a8b7eca276870f57c601f182136c';
-  const publicKey = starknet.getPublicKey(privateKey);
-  for (const v of vectors) {
-    const sig = starknet.sign(v.msg, privateKey);
-    const { r, s } = sig;
-    // const { r, s } = starknet.Signature.fromDER(sig);
-    deepStrictEqual(r.toString(16), v.r, 'r equality');
-    deepStrictEqual(s.toString(16), v.s, 's equality');
-    deepStrictEqual(starknet.verify(sig, v.msg, publicKey), true, 'verify');
-  }
-});
-
-should('Invalid signatures', () => {
-  /*
-
-  it('should not verify invalid signature inputs lengths', () => {
-    const ecOrder = starkwareCrypto.ec.n;
-    const {maxEcdsaVal} = starkwareCrypto;
-    const maxMsgHash = maxEcdsaVal.sub(oneBn);
-    const maxR = maxEcdsaVal.sub(oneBn);
-    const maxS = ecOrder.sub(oneBn).sub(oneBn);
-    const maxStarkKey = maxEcdsaVal.sub(oneBn);
-
-    // Test invalid message length.
-    expect(() =>
-      starkwareCrypto.verify(maxStarkKey, maxMsgHash.add(oneBn).toString(16), {
-        r: maxR,
-        s: maxS
-      })
-    ).to.throw('Message not signable, invalid msgHash length.');
-    // Test invalid r length.
-    expect(() =>
-      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
-        r: maxR.add(oneBn),
-        s: maxS
-      })
-    ).to.throw('Message not signable, invalid r length.');
-    // Test invalid w length.
-    expect(() =>
-      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
-        r: maxR,
-        s: maxS.add(oneBn)
-      })
-    ).to.throw('Message not signable, invalid w length.');
-    // Test invalid s length.
-    expect(() =>
-      starkwareCrypto.verify(maxStarkKey, maxMsgHash.toString(16), {
-        r: maxR,
-        s: maxS.add(oneBn).add(oneBn)
-      })
-    ).to.throw('Message not signable, invalid s length.');
-  });
-
-  it('should not verify invalid signatures', () => {
-    const privKey = generateRandomStarkPrivateKey();
-    const keyPair = starkwareCrypto.ec.keyFromPrivate(privKey, 'hex');
-    const keyPairPub = starkwareCrypto.ec.keyFromPublic(
-      keyPair.getPublic(),
-      'BN'
-    );
-    const msgHash = new BN(randomHexString(61));
-    const msgSignature = starkwareCrypto.sign(keyPair, msgHash);
-
-    // Test invalid public key.
-    const invalidKeyPairPub = starkwareCrypto.ec.keyFromPublic(
-      {x: keyPairPub.pub.getX().add(oneBn), y: keyPairPub.pub.getY()},
-      'BN'
-    );
-    expect(
-      starkwareCrypto.verify(
-        invalidKeyPairPub,
-        msgHash.toString(16),
-        msgSignature
-      )
-    ).to.be.false;
-    // Test invalid message.
-    expect(
-      starkwareCrypto.verify(
-        keyPair,
-        msgHash.add(oneBn).toString(16),
-        msgSignature
-      )
-    ).to.be.false;
-    expect(
-      starkwareCrypto.verify(
-        keyPairPub,
-        msgHash.add(oneBn).toString(16),
-        msgSignature
-      )
-    ).to.be.false;
-    // Test invalid r.
-    msgSignature.r.iadd(oneBn);
-    expect(starkwareCrypto.verify(keyPair, msgHash.toString(16), msgSignature))
-      .to.be.false;
-    expect(
-      starkwareCrypto.verify(keyPairPub, msgHash.toString(16), msgSignature)
-    ).to.be.false;
-    // Test invalid s.
-    msgSignature.r.isub(oneBn);
-    msgSignature.s.iadd(oneBn);
-    expect(starkwareCrypto.verify(keyPair, msgHash.toString(16), msgSignature))
-      .to.be.false;
-    expect(
-      starkwareCrypto.verify(keyPairPub, msgHash.toString(16), msgSignature)
-    ).to.be.false;
-  });
-});
-  */
-});
-
-should('Pedersen', () => {
-  deepStrictEqual(
-    starknet.pedersen(
-      '0x3d937c035c878245caf64531a5756109c53068da139362728feb561405371cb',
-      '0x208a0a10250e382e1e4bbe2880906c2791bf6275695e02fbbc6aeff9cd8b31a'
-    ),
-    '0x30e480bed5fe53fa909cc0f8c4d99b8f9f2c016be4c41e13a4848797979c662'
-  );
-  deepStrictEqual(
-    starknet.pedersen(
-      '0x58f580910a6ca59b28927c08fe6c43e2e303ca384badc365795fc645d479d45',
-      '0x78734f65a067be9bdb39de18434d71e79f7b6466a4b66bbd979ab9e7515fe0b'
-    ),
-    '0x68cc0b76cddd1dd4ed2301ada9b7c872b23875d5ff837b3a87993e0d9996b87'
-  );
-});
-
-should('Hash chain', () => {
-  deepStrictEqual(starknet.hashChain([1, 2, 3]), starknet.pedersen(1, starknet.pedersen(2, 3)));
-});
-
-should('Key grinding', () => {
-  deepStrictEqual(
-    starknet.grindKey('86F3E7293141F20A8BAFF320E8EE4ACCB9D4A4BF2B4D295E8CEE784DB46E0519'),
-    '5c8c8683596c732541a59e03007b2d30dbbbb873556fe65b5fb63c16688f941'
-  );
-  // Loops more than once (verified manually)
-  deepStrictEqual(
-    starknet.grindKey('94F3E7293141F20A8BAFF320E8EE4ACCB9D4A4BF2B4D295E8CEE784DB46E0595'),
-    '33880b9aba464c1c01c9f8f5b4fc1134698f9b0a8d18505cab6cdd34d93dc02'
-  );
-});
-
-should('Private to stark key', () => {
-  deepStrictEqual(
-    starknet.getStarkKey('0x178047D3869489C055D7EA54C014FFB834A069C9595186ABE04EA4D1223A03F'),
-    '0x1895a6a77ae14e7987b9cb51329a5adfb17bd8e7c638f92d6892d76e51cebcf'
-  );
-  for (const [privKey, expectedPubKey] of Object.entries(precomputedKeys)) {
-    deepStrictEqual(starknet.getStarkKey(privKey), expectedPubKey);
-  }
-});
-
-should('Private stark key from eth signature', () => {
-  const ethSignature =
-    '0x21fbf0696d5e0aa2ef41a2b4ffb623bcaf070461d61cf7251c74161f82fec3a43' +
-    '70854bc0a34b3ab487c1bc021cd318c734c51ae29374f2beb0e6f2dd49b4bf41c';
-  deepStrictEqual(
-    starknet.ethSigToPrivate(ethSignature),
-    '766f11e90cd7c7b43085b56da35c781f8c067ac0d578eabdceebc4886435bda'
-  );
-});
-
-should('Key derivation', () => {
-  const layer = 'starkex';
-  const application = 'starkdeployement';
-  const mnemonic =
-    'range mountain blast problem vibrant void vivid doctor cluster enough melody ' +
-    'salt layer language laptop boat major space monkey unit glimpse pause change vibrant';
-  const ethAddress = '0xa4864d977b944315389d1765ffa7e66F74ee8cd7';
-  const VECTORS = [
-    {
-      index: 0,
-      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/0",
-      privateKey: '6cf0a8bf113352eb863157a45c5e5567abb34f8d32cddafd2c22aa803f4892c',
-    },
-    {
-      index: 7,
-      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/7",
-      privateKey: '341751bdc42841da35ab74d13a1372c1f0250617e8a2ef96034d9f46e6847af',
-    },
-    {
-      index: 598,
-      path: "m/2645'/579218131'/891216374'/1961790679'/2135936222'/598",
-      privateKey: '41a4d591a868353d28b7947eb132aa4d00c4a022743689ffd20a3628d6ca28c',
-    },
-  ];
-  const hd = bip32.HDKey.fromMasterSeed(bip39.mnemonicToSeedSync(mnemonic));
-  for (const { index, path, privateKey } of VECTORS) {
-    const realPath = starknet.getAccountPath(layer, application, ethAddress, index);
-    deepStrictEqual(realPath, path);
-    deepStrictEqual(starknet.grindKey(hd.derive(realPath).privateKey), privateKey);
-  }
-});
-
-// Verified against starknet.js
-should('Starknet.js cross-tests', () => {
-  const privateKey = '0x019800ea6a9a73f94aee6a3d2edf018fc770443e90c7ba121e8303ec6b349279';
-  // NOTE: there is no compressed keys here, getPubKey returns stark-key (which is schnorr-like X coordinate)
-  // But it is not used in signing/verifying
-  deepStrictEqual(
-    starknet.getStarkKey(privateKey),
-    '0x33f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d99745'
-  );
-  const msgHash = '0x6d1706bd3d1ba7c517be2a2a335996f63d4738e2f182144d078a1dd9997062e';
-  const sig = starknet.sign(msgHash, privateKey);
-  const { r, s } = (sig);
-
-  deepStrictEqual(
-    r.toString(),
-    '1427981024487605678086498726488552139932400435436186597196374630267616399345'
-  );
-  deepStrictEqual(
-    s.toString(),
-    '1853664302719670721837677288395394946745467311923401353018029119631574115563'
-  );
-  const hashMsg2 = starknet.pedersen(
-    '0x33f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d99745',
-    '1'
-  );
-  deepStrictEqual(hashMsg2, '0x2b0d4d43acce8ff68416f667f92ec7eab2b96f1d2224abd4d9d4d1e7fa4bb00');
-  const pubKey =
-    '04033f45f07e1bd1a51b45fc24ec8c8c9908db9e42191be9e169bfcac0c0d997450319d0f53f6ca077c4fa5207819144a2a4165daef6ee47a7c1d06c0dcaa3e456';
-  const sig2 = new starknet.Signature(
-    558858382392827003930138586379728730695763862039474863361948210004201119180n,
-    2440689354481625417078677634625227600823892606910345662891037256374285369343n
-  );
-  deepStrictEqual(starknet.verify(sig2.toDERHex(), hashMsg2, pubKey), true);
-});
-
-// ESM is broken.
-import url from 'url';
-if (import.meta.url === url.pathToFileURL(process.argv[1]).href) {
-  should.run();
-}

curve-definitions/test/wycheproof/ecdh_secp224r1_ecpoint_test.json

@@ -1,898 +0,0 @@
-{
-  "algorithm" : "ECDH",
-  "generatorVersion" : "0.8r12",
-  "numberOfTests" : 96,
-  "header" : [
-    "Test vectors of type EcdhWebTest are intended for",
-    "testing an ECDH implementations where the public key",
-    "is just an ASN encoded point."
-  ],
-  "notes" : {
-    "AddSubChain" : "The private key has a special value. Implementations using addition subtraction chains for the point multiplication may get the point at infinity as an intermediate result. See CVE_2017_10176",
-    "CompressedPoint" : "The point in the public key is compressed. Not every library supports points in compressed format."
-  },
-  "schema" : "ecdh_ecpoint_test_schema.json",
-  "testGroups" : [
-    {
-      "curve" : "secp224r1",
-      "encoding" : "ecpoint",
-      "type" : "EcdhEcpointTest",
-      "tests" : [
-        {
-          "tcId" : 1,
-          "comment" : "normal case",
-          "public" : "047d8ac211e1228eb094e285a957d9912e93deee433ed777440ae9fc719b01d050dfbe653e72f39491be87fb1a2742daa6e0a2aada98bb1aca",
-          "private" : "565577a49415ca761a0322ad54e4ad0ae7625174baf372c2816f5328",
-          "shared" : "b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 2,
-          "comment" : "compressed public key",
-          "public" : "027d8ac211e1228eb094e285a957d9912e93deee433ed777440ae9fc71",
-          "private" : "565577a49415ca761a0322ad54e4ad0ae7625174baf372c2816f5328",
-          "shared" : "b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f",
-          "result" : "acceptable",
-          "flags" : [
-            "CompressedPoint"
-          ]
-        },
-        {
-          "tcId" : 3,
-          "comment" : "edge case for shared secret",
-          "public" : "04e73a6ca72f3a2fae6e0a01a0ed03bfa3058b04576942eaf063095e62ca16fd31fa0f38eeb592cbeea1147751fdd2a5b6cc0ead404467a5b6",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "00000000000000000000000000000000000000000000000000000003",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 4,
-          "comment" : "edge case for shared secret",
-          "public" : "045763fa2ae16367ad23d471cc9a52466f0d81d864e5640cefe384114594d9fecfbed4f254505ac8b41d2532055a07f0241c4818b552cbb636",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "00000000000000000000000100000000000000000000000000000001",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 5,
-          "comment" : "edge case for shared secret",
-          "public" : "04142c1fd80fa2121a59aa898144084ec033f7a56a34eee0b499e29ae51c6d8c1bbb1ef2a76d565899fe44ffc1207d530d7f598fb77f4bb76b",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "00000000000000ffffffffffffff0000000000000100000000000000",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 6,
-          "comment" : "edge case for shared secret",
-          "public" : "04ed6f793e10c80d12d871cf8988399c4898a9bf9ffd8f27399f63de25f0051cdf4eec7f368f922cfcd948893ceca0c92e540cc4367a99a66a",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "00000000ffffffffffffffff00000000000000010000000000000000",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 7,
-          "comment" : "edge case for shared secret",
-          "public" : "0408fcfc1a63c82860be12e4137433dfc40be9acdd245f9a8c4e56be61a385fc09f808383383f4b1d0d5365b6e5dcfacdc19bc7bcfed221274",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 8,
-          "comment" : "edge case for shared secret",
-          "public" : "04d883ed77f1861e8712800d31df67888fe39f150c79a27aa88caeda6b180f3f623e2ff3ab5370cf8179165b085af3dd4502850c0104caed9a",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "0003fffffff00000003fffffff00000003fffffff000000040000000",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 9,
-          "comment" : "edge case for shared secret",
-          "public" : "042b8b279b85ee3f3d2c0abeb36fdfc5aad6157d652d26489381a32cd73224bd757ef794acc92b0b3b9e7990618bb343a9a09bdb9d3616eff6",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "01fffffffc00000007fffffff00000001fffffffc000000080000001",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 10,
-          "comment" : "edge case for shared secret",
-          "public" : "048bd5f03391eeeae1744e8fc53d314efffafa4d3fa4f1b95c3388a9cd7c86358b273119c537133eb55e79c6ac510b10980b379b919ccf2e2f",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "0a15c112ff784b1445e889f955be7e3ffdf451a2c0e76ab5cb32cf41",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 11,
-          "comment" : "edge case for shared secret",
-          "public" : "04ce9631b6a16227778625c8e5421ae083cdd913abefde01dbe69f6c2b95386aff2b483b2c47151cfaabfd000614c683ce2e1778221ae42c1b",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "62989eaaa26a16f07330c3c51e0a4631fd016bfcede26552816aee39",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 12,
-          "comment" : "edge case for shared secret",
-          "public" : "041f441c98eda956a6a7fdbfd8d21910860ab59d16c3e52f8e7fad6ca5df61a55fc508fc0499c55492f1e87bb2faa0cb4170b79f3a85ec2f3d",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "661ac958c0febbc718ccf39cefc6b66c4231fbb9a76f35228a3bf5c3",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 13,
-          "comment" : "edge case for shared secret",
-          "public" : "04be74583cb9d3a05ae54923624e478a329a697d842dfae33141c844d7d9ba4fc96e0fe716ac0542e87368662fc2f0cb9b0ae57936ddec7190",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "6d7e41821abe1094d430237923d2a50de31768ab51b12dce8a09e34c",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 14,
-          "comment" : "edge case for shared secret",
-          "public" : "04a281ad992b363597ac93ff0de8ab1f7e51a6672dcbb58f9d739ba430ce0192874038daefc3130eec65811c7255da70fea65c1003f6892faa",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "7fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 15,
-          "comment" : "edge case for shared secret",
-          "public" : "04be3e22133f51203f631b81dde8c020cdea5daa1f99cfc05c88fad2dc0f243798d6e72d1de9e3cdca4144e0a6c0f2a584d07589006972c197",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc0008001",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 16,
-          "comment" : "edge case for shared secret",
-          "public" : "04af14547c20afbd91bfe64ea03d45a76a71241f23520ef897ff91eff1b54ca6ca8c25fd73852ec6654617434eff7f0225684d4dea7a4f8a97",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "ffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 17,
-          "comment" : "edge case for shared secret",
-          "public" : "04b1e484925018729926acda56ff3e2f6c1e7e8f162b178d8e8afb45564fceaa6da5d998fe26b6b26a055169063a5ab6908852ca8b54e2de6c",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "fffff0000007fffffe000000ffffffc000001ffffff8000003ffffff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 18,
-          "comment" : "edge case for shared secret",
-          "public" : "04937eb09fb145c8829cb7df20a4cbeed396791373de277871d6c5f9cc3b5b4fd56464a71fc4a2a6af3bd251952bffa829489e68a8d06f96b6",
-          "private" : "00a2b6442a37f9201b56758034d2009be64b0ab7c02d7e398cac9665d6",
-          "shared" : "ffffffff00000000ffffffff00000000ffffffff00000000ffffffff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 19,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04000000000000000000000000000000000000000000000000000000037cac269c67bd55ea14efff4eadefe5e74978514af14c88fab46ec046",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "3fa0b9ff70b884f9f57bb84f7a9532d93f6ba803f89dd8ff008177d7",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 20,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04000000000000000000000001000000000000000000000000000000012ea2f4917bdfdb008306cc10a18e2557633ba861001829dcbfb96fba",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "be1ded8cb7ff8a585181f96d681e31b332fe27dcae922dca2310300d",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 21,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "0400000000000000ffffffffffffff000000000000010000000000000073ca5f8f104997a2399e0c7f25e72a75ec29fc4542533d3fea89a33a",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "a2e86a260e13515918a0cafdd87855f231b5624c560f976159e06a75",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 22,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "0400000000ffffffffffffffff000000000000000100000000000000006fe6805f59b19b0dd389452a1d4a420bfeb6c369cf6fed5b12e6e654",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "31ef7c8d10404a0046994f313a70574b027e87f9028eca242c1b5bf5",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 23,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "040000ffff0000ffff0000ffff0000ffff0000ffff0000ffff0000ffff77c5cfa4e2c384938d48bd8dd98f54c86b279f1df8c0a1f6692439c9",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "d1976a8ef5f54f24f5a269ad504fdca849fc9c28587ba294ef267396",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 24,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "040003fffffff00000003fffffff00000003fffffff00000004000000001f0828136016bb97445461bc59f2175d8d23557d6b9381f26136e3d",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "ce7890d108ddb2e5474e6417fcf7a9f2b3bd018816062f4835260dc8",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 25,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "0401fffffffc00000007fffffff00000001fffffffc0000000800000012d8acca6f199d4a94b933ba1aa713a7debde8ac57b928f596ae66a66",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "30b6ff6e8051dae51e4fe34b2d9a0b1879153e007eb0b5bdf1791a9c",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 26,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "040a15c112ff784b1445e889f955be7e3ffdf451a2c0e76ab5cb32cf413d4df973c563c6decdd435e4f864557e4c273096d9941ca4260a266e",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "77ec668a00f72d85aa527624abb16c039fe490d17dd6c455a1ed7fd8",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 27,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "0462989eaaa26a16f07330c3c51e0a4631fd016bfcede26552816aee39389ee9436d616cab90032931aa7fbbfcfc13309f61e2423cc8dab93c",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "a3f432f6aba9a92f49a5ea64ffe7059a9d9b487a0b5223ddc988208b",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 28,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04661ac958c0febbc718ccf39cefc6b66c4231fbb9a76f35228a3bf5c3103b8040e3cb41966fc64a68cacb0c14053f87d27e8ed7bf2d7fe51b",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "1530fd9caf03737af34a4ba716b558cbecbc35d18402535a0a142313",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 29,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "046d7e41821abe1094d430237923d2a50de31768ab51b12dce8a09e34c276cf273d75d367820dd556182def0957af0a314f48fed227c298dc0",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "cfc39ccacb94ad0e0552b2e47112f60fbbe7ae0dc32230b9273dd210",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 30,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "047fffffffffffffffffffffffffffffffffffffffffffffffffffffff7d8dbca36c56bcaae92e3475f799294f30768038e816a7d5f7f07d77",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "73bd63bd384a0faafb75cfed3e95d3892cbacf0db10f282c3b644771",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 31,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04fffc0007fff0001fffc0007fff0001fffc0007fff0001fffc000800174f1ff5ea7fbc72b92f61e06556c26bab84c0b082dd6400ca1c1eb6d",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "85b079c62e1f5b0fd6841dfa16026e15b641f65e13a14042567166bb",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 32,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04ffff0000003ffffff0000003ffffff0000003ffffff0000003ffffff0126fdd5fccd0b5aa7fd5bb5b1308584b30556248cec80208a2fe962",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "8a834ff40e3fc9f9d412a481e18537ea799536c5520c6c7baaf12166",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 33,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04fffff0000007fffffe000000ffffffc000001ffffff8000003ffffff20cfa23077acc9fbcb71339c65880cd0b966b8a9497e65abed17f0b5",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "a0887269766e6efcbc81d2b38f2d4638663f12377468a23421044188",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 34,
-          "comment" : "edge cases for ephemeral key",
-          "public" : "04ffffffff00000000ffffffff00000000ffffffff00000000ffffffff1c05ac2d4f10b69877c3243d51f887277b7bf735c326ab2f0d70da8c",
-          "private" : "2bc15cf3981f4e15bbad387b506df647989e5478160be862f8c26969",
-          "shared" : "c65d1911bc076a74588d8793ce7a0dcabf5793460cd2ebb02754a1be",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 35,
-          "comment" : "point with coordinate y = 1",
-          "public" : "043b5889352ddf7468bf8c0729212aa1b2a3fcb1a844b8be91abb753d500000000000000000000000000000000000000000000000000000001",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "e973c413cc7dd34d4e3637522b2e033c20815412b67574a1f2f6bdd7",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 36,
-          "comment" : "point with coordinate y = 1",
-          "public" : "04bf09e268942555c73ce9e00d272c9b12bf0c3fc13a639acc791167f6b05df0023c9bd41d0b0c461854582d0601182213f2219d44ea44914a",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "ec856e807808a9c5332e886759e03f01be02437cfe0214613e4e7dc7",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 37,
-          "comment" : "point with coordinate y = 1",
-          "public" : "047b664cff2eef0a4f7dce24780113432f66feb25cb0931d033d63910f548ee514f6fdf1cb6f5709581c197d76a5eb218afaed19f205f4ab80",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "91d424e122c9c01720bbed6b53ec1b37a86996fa4fcf74bfd30f723d",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 38,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "045a2b3ec1053390550b587557712bcc0bf85654d23099420154877ec4138322ca02e5fceae870227a43ae8982b67276f6d8f1dd7e12692474",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "012879a1ff456acb8726455836bc4f504c1bd799a4d96f514b3730c6",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 39,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04fc229bb1df3e11351e7e4224f68f40c0d0e194023c6e0840cd45ee5ca242112fbab5736e821dad26493e4006e2c6125342e7d9bc25272856",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "fd6e5edb54d7dd554f8747ec87b8031258fc0bf1d2404b64db4540d4",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 40,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "0469a65f62d4159235801a246f2d13e45c8983a3362da480e7a51d42a65b7047abfc2a179d943bb196fede7ac3ad8a4fcacd4c4caa717b6b26",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "164e95bfa2a9c3a1f959feb88720bb7a37f988a08124639d8adf86df",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 41,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04dc68eb945528af0051cbf23e3eea43b2bc4c728976231e7031e63a2744ba65a4e1e34e8ec50cf7e8df4458582b16413ab83f568508c59037",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "b0ffd55fa112aa48eddc960db4a1200d406e144aac9e109ad9892b2d",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 42,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "0481c89369d7be252920e08e2d6c6841b887efb4fc747db31dd1030b1919bf8ccb629b58fea6234e39812083fb0833a0c937e348eda22ea0c0",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "d6ab4567eff21277284be082d9e09eb08bb80685f4929dc3dca4b333",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 43,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "0451d830f792795409f1ee972d3b94289f59206fe09e12166920739a73d2f1831b26677901bfaf8323f82b81e1012d9d3f1c9296c59c97970f",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "b43de12912b40cbdd56e30fdfe9a2c24fb72687168c9cfe6b7476966",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 44,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04ab63ce55145842149f99023f37a0a89b9fc4ae6a878fdae8caf31d17ffd0d55830eed46f8255f94b6dcf98a22f1ff26dabf773d556788881",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "588ee0af3bc60118a715325c6d56c850f73067dcb37b7596d0cfda5f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 45,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "041d64535d54bfcccb38165acbfac01ae33db20e802c5687343cb21b7eb59d86f1892a974741925624477eef21f4e72fa04ee6ce35dfffe5f2",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "7219ef73ac9e47ac2e03dead23fa8382ae898e2415017cdeb4739f0f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 46,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04d9d78436a3f9c1fa20e8c2318e61e62b94623e23a0ab746c5ac0cbc38262bd66c17515d3048944dae43b2bd6dd9d7c7a0f7042de2d1001c6",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "267b069aac5d768a720acc62c92f20b786fc48c7da42f1f5677424ee",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 47,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "0465eb3750c6401339caa69ebe6dec86dfc4d79bf657d68bbdd082c5a03eb81e85931352ff338ccbc3a1d332e2d8bc84342d516da06bef220f",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "bbdd4ac5890b9c0412e4ef3135f666e5b3ddb658ec837691e8129be8",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 48,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04e92d3be1614555ae17a90647979fbb37468c55a1fff9e15f376d49994e470f515b7b3fe50cb55def16142df594c3e46d9d1354730778f9e8",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "f793ff0d14bd7690840c733162b589cd3413d8c41f4488b427da496f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 49,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "043c92710c9a7f6f98bbec9d2a4fa617cc70e96bc96ecd4597e329143f4750a027c6972459c091ab02c0e2a3082fccec429a38d3596e7aff2b",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "56c703d4716239c954109b9b841db75b04a790f1f72aa966aece3494",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 50,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04568dfbfa42efc94ce207322e637b4c94f37a5668ad230e987a91d048dcadd244fc059cffab5fa8820a969353620e708e85bd5eec8a0c68ec",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "7823fe7eb642d50984fb32f911ef289419d85330c3398423d0eda05f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 51,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04ec10837e495b644904dba58d8dd82133c905a285ae7c2a06d5ccaf6bf0fbf00d13e21a399dc95ae5524a1a37044193e94e3300259b70e058",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "f7014d38f460836a51075cce9667b56b8851ba19011c8b0274b74a4b",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 52,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04bee2f9352f42ceeb3bf3109e90e6578d0bd4888458df7d179d746977e50e53503dee83eca1824a290566588fa3591645b1a2d56861bda760",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "777f99f2bdaa72a1185388465ddda1d059872ad043c7cb85b94e28bb",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 53,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "04546facbcaa8b551c51715a9add5edc3c8a66dcc47a6223f605614cf7af6d92f5bdebea738658a42c6231e53c08237ccf52f79399579b2dcc",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "a1db178b716e51e0fa46c1d74a2603005326bca7e81170d4b33a3d2a",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 54,
-          "comment" : "point with coordinate y = 1 in left to right addition chain",
-          "public" : "0423b1811fee891adb33c8bfee289964e92a9d3358daf975d0efb73e229a3332668b7d6da290a2edc941e8bd6f2e33745fc606756eddc013bb",
-          "private" : "00938f3dbe37135cdbdb9993a187a0e9b9f0def035fbc52ad59fc50421",
-          "shared" : "f455c8273416199505019861266ddb9bcde7bee3c3f15a98ee54607b",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 55,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "0458f53d67332415fe5b4b81999f8332fb6dcdb965d96dbcbab0fac375f29efef7ab4d94bb2d25d25205eae29fe8d9a85b811114a50f6c6859",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "d3af1857aca1689514fcfee8d8c40b8637d40452ae35c404f9e67494",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 56,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "04f2d6e58fcd3ed3f656a9bc687fe4c789ba9614d0359967bc0468eabfa1658a14ef0633f2485e29141e2c4a13bd328ec9bf6af4c7a774131b",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "933c385d5fadb57de53e4a5d385118fce830430703c3f585a5d4d0b5",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 57,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "0402ca5d1b7638b7b88ad02176bd10ff1cfe8812a62f9769a6d62e0c6c787b3e3b2a063940911bf987fc38deebf542400b8bbd9dfeb7d90a8a",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "75aea79d99e5c7edaab0284443b548843371d1d9b55f2d73a1a9092f",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 58,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "04a394d8bf9b479ec3c7ac3fc6a631d01d57d338b9fb5a0ed6e5130e050cfc600cfb08e67727ac5a33345ec1d48d4a9a18516c2203acbd2667",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "8c1d0850691cda7523ffccf1cba44b4d472193e6a3bb0727e490a8b5",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 59,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "04642e26421e96fa88f956d098ac26f02f1d6faa80e460e701a3789a66c38dd95c6b33de8768c85cbe6879d0d77e29fe5a18b26a35cb60c0b6",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "50b9ed4d99e2f24e0096eaeded0b552cf8deff5ca8f976964ae47e92",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 60,
-          "comment" : "point with coordinate y = 1 in precomputation or right to left addition chain",
-          "public" : "04f974d1cbbf4171d4773c3e84eab80bc3c6c2858dadcfbd11d64316905df36fbe345f28a3ef663125649474c6fc1ebe175c3865c4469e192b",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "5616ee3e63dfb424d329c2b9b50cf378bb77a8bd7e314a241b5942c7",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 61,
-          "comment" : "point with coordinate y = 1 in right to left addition chain",
-          "public" : "0455561db3cc8fb08a71654ee9573a1a36a44f0913ca8ad7582cfafbfc62b31e5e78be98ad8c8ceab4bb82e8efc0acb29f1a8d031ed044046c",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "b1da14507b5c05159e15f77d085c017acd89f158011357a97802855d",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 62,
-          "comment" : "point with coordinate y = 1 in right to left addition chain",
-          "public" : "04a363bcb9bddd5de84a2f4433c039f7be3fce6057b0d3b4a3459e54a2ba32302871e7ba5c3dd7ec9b76946cdc702c15a8d9ec0f4a04e7afb6",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "2f1bd4a5a497481c4a21222320ff61f32674a95d540cc3f4f3ca5849",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 63,
-          "comment" : "point with coordinate y = 1 in right to left addition chain",
-          "public" : "043a656d0e25bce27282f256b121fbfcde0a180ccd7aa601a5929fc74002f89e45b4dcb873c56da5d1a28fbca33a126177b217a098e0952e62",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "8c807d65ba7b9fd3061dffef26c025a89524a26b942edd3a984fe51d",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 64,
-          "comment" : "point with coordinate y = 1 in right to left addition chain",
-          "public" : "04bf5f49ba0086eec289b068b783438ef24b6f28130bb1ed969ef8b041f11b0de95f15edcd835f01bab1f5faaa1749c2ca4f16a7d99d916ff4",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "8fda76f4d124e6727f855e5f4921cc05c48e2a8ed0fee7c75d6a8047",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 65,
-          "comment" : "point with coordinate y = 1 in right to left addition chain",
-          "public" : "04a57232560d9d604655181f775859b0723d4e01a4c867844eb9d81dabb5d19507bbe9cda3346bad7c184daa432e7f794a5b9b8b8d4e55be3a",
-          "private" : "00c1781d86cac2c0af3fb50d54c554a67bd75d25ca796f0486e3fa84f9",
-          "shared" : "daf35bb7bf3a056bb62bb01ba00f581c107f64de85842b3a49bc2a4a",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 66,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "03",
-          "shared" : "e71f2157bfe37697ea5193d4732dcc6e5412fa9d38387eacd391c1c6",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 67,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffffffffffffffffffffffff",
-          "shared" : "fa2664717c7fa0161ec2c669b2c0986cdc20456a6e5406302bb53c77",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 68,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "01000000000000000000000000000000000000000000000000000000",
-          "shared" : "af6e5ad34497bae0745f53ad78ce8b285d79f400d5c6e6a071f8e6bd",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 69,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "7fffffffffffffffffffffffffffffffffffffffffffffffffffffff",
-          "shared" : "12fd302ff8c13c55a9c111f8bb6b0a13ecf88299c0ae3032ce2bcaff",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 70,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "0080000000000000000000000000000000000000000000000000000000",
-          "shared" : "73f1a395b842f1a6752ae417e2c3dc90cafc4476d1d861b7e68ad030",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 71,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03d13dd29455c5c2a3d",
-          "shared" : "b329c20ddb7c78ee4e622bb23a984c0d273ba34b6269f3d9e8f89f8e",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 72,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13cd29455c5c2a3d",
-          "shared" : "6f48345209b290ffc5abbe754a201479e5d667a209468080d06197b4",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 73,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13d529455c5c2a3d",
-          "shared" : "9f6e30c1c9dad42a153aacd4b49a8e5c721d085cd07b5d5aec244fc1",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 74,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29445c5c2a3d",
-          "shared" : "8cadfb19a80949e61bd5b829ad0e76d18a5bb2eeb9ed7fe2b901cecd",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 75,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c29b7",
-          "shared" : "475fd96e0eb8cb8f100a5d7fe043a7a6851d1d611da2643a3c6ae708",
-          "result" : "valid",
-          "flags" : [
-            "AddSubChain"
-          ]
-        },
-        {
-          "tcId" : 76,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a37",
-          "shared" : "41ef931d669d1f57d8bb95a01a92321da74be8c6cbc3bbe0b2e73ebd",
-          "result" : "valid",
-          "flags" : [
-            "AddSubChain"
-          ]
-        },
-        {
-          "tcId" : 77,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3a",
-          "shared" : "e71f2157bfe37697ea5193d4732dcc6e5412fa9d38387eacd391c1c6",
-          "result" : "valid",
-          "flags" : []
-        },
-        {
-          "tcId" : 78,
-          "comment" : "edge case private key",
-          "public" : "04478e73465bb1183583f4064e67e8b4343af4a05d29dfc04eb60ac2302e5b9a3a1b32e4208d4c284ff26822e09c3a9a4683443e4a35175504",
-          "private" : "00ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3b",
-          "shared" : "11ff15126411299cbd49e2b7542e69e91ef132e2551a16ecfebb23a3",
-          "result" : "valid",
-          "flags" : [
-            "AddSubChain"
-          ]
-        },
-        {
-          "tcId" : 79,
-          "comment" : "point is not on curve",
-          "public" : "040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 80,
-          "comment" : "point is not on curve",
-          "public" : "040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 81,
-          "comment" : "point is not on curve",
-          "public" : "0400000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffff000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 82,
-          "comment" : "point is not on curve",
-          "public" : "0400000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffff000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 83,
-          "comment" : "point is not on curve",
-          "public" : "040000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 84,
-          "comment" : "point is not on curve",
-          "public" : "040000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 85,
-          "comment" : "point is not on curve",
-          "public" : "0400000000000000000000000000000000000000000000000000000001ffffffffffffffffffffffffffffffff000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 86,
-          "comment" : "point is not on curve",
-          "public" : "0400000000000000000000000000000000000000000000000000000001ffffffffffffffffffffffffffffffff000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 87,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 88,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 89,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff000000000000000000000000ffffffffffffffffffffffffffffffff000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 90,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff000000000000000000000000ffffffffffffffffffffffffffffffff000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 91,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff00000000000000000000000100000000000000000000000000000000000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 92,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff00000000000000000000000100000000000000000000000000000000000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 93,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff000000000000000000000001ffffffffffffffffffffffffffffffff000000000000000000000000",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 94,
-          "comment" : "point is not on curve",
-          "public" : "04ffffffffffffffffffffffffffffffff000000000000000000000001ffffffffffffffffffffffffffffffff000000000000000000000001",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 95,
-          "comment" : "",
-          "public" : "",
-          "private" : "00c6cafb74e2a5b5ed4b991cbbfbc28c18f6df208b6d05e7a2e6668014",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : []
-        },
-        {
-          "tcId" : 96,
-          "comment" : "invalid public key",
-          "public" : "020ca753db5ddeca474241f8d2dafc0844343fd0e37eded2f0192d51b2",
-          "private" : "00fc28a0ca0f8e36b0d4f71421845135a22aef543b9fddf8c775b2d18f",
-          "shared" : "",
-          "result" : "invalid",
-          "flags" : [
-            "CompressedPoint"
-          ]
-        }
-      ]
-    }
-  ]
-}

curve-definitions/tsconfig.json

@@ -1,25 +0,0 @@
-{
-  "compilerOptions": {
-    "strict": true,
-    "declaration": true,
-    "declarationMap": true,
-    "target": "es2020",
-    "lib": [
-      "es2020",
-      "dom"
-    ],
-    "module": "es6",
-    "moduleResolution": "node16",
-    "outDir": "lib",
-    "noImplicitAny": true,
-    "preserveConstEnums": true,
-    "baseUrl": ".",
-  },
-  "include": [
-    "src",
-  ],
-  "exclude": [
-    "node_modules",
-    "lib"
-  ]
-}

esm/package.json

@@ -0,0 +1,4 @@
+{
+  "type": "module",
+  "sideEffects": false
+}

index.js

@@ -1 +0,0 @@
-throw new Error('Incorrect usage. Import submodules instead');

package-lock.json

@@ -0,0 +1,109 @@
+{
+  "name": "@noble/curves",
+  "version": "1.3.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "@noble/curves",
+      "version": "1.3.0",
+      "license": "MIT",
+      "dependencies": {
+        "@noble/hashes": "1.3.3"
+      },
+      "devDependencies": {
+        "fast-check": "3.0.0",
+        "micro-bmark": "0.3.1",
+        "micro-should": "0.4.0",
+        "prettier": "3.1.1",
+        "typescript": "5.3.2"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/@noble/hashes": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.3.3.tgz",
+      "integrity": "sha512-V7/fPHgl+jsVPXqqeOzT8egNj2iBIVt+ECeMMG8TdcnTikP3oaBtUVqpT/gYCR68aEBJSF+XbYUxStjbFMqIIA==",
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/fast-check": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/fast-check/-/fast-check-3.0.0.tgz",
+      "integrity": "sha512-uujtrFJEQQqnIMO52ARwzPcuV4omiL1OJBUBLE9WnNFeu0A97sREXDOmCIHY+Z6KLVcemUf09rWr0q0Xy/Y/Ew==",
+      "dev": true,
+      "dependencies": {
+        "pure-rand": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/fast-check"
+      }
+    },
+    "node_modules/micro-bmark": {
+      "version": "0.3.1",
+      "resolved": "https://registry.npmjs.org/micro-bmark/-/micro-bmark-0.3.1.tgz",
+      "integrity": "sha512-bNaKObD4yPAAPrpEqp5jO6LJ2sEFgLoFSmRjEY809mJ62+2AehI/K3+RlVpN3Oo92RHpgC2RQhj6b1Tb4dmo+w==",
+      "dev": true
+    },
+    "node_modules/micro-should": {
+      "version": "0.4.0",
+      "resolved": "https://registry.npmjs.org/micro-should/-/micro-should-0.4.0.tgz",
+      "integrity": "sha512-Vclj8yrngSYc9Y3dL2C+AdUlTkyx/syWc4R7LYfk4h7+icfF0DoUBGjjUIaEDzZA19RzoI+Hg8rW9IRoNGP0tQ==",
+      "dev": true
+    },
+    "node_modules/prettier": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.1.1.tgz",
+      "integrity": "sha512-22UbSzg8luF4UuZtzgiUOfcGM8s4tjBv6dJRT7j275NXsy2jb4aJa4NNveul5x4eqlF1wuhuR2RElK71RvmVaw==",
+      "dev": true,
+      "bin": {
+        "prettier": "bin/prettier.cjs"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    },
+    "node_modules/pure-rand": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/pure-rand/-/pure-rand-5.0.5.tgz",
+      "integrity": "sha512-BwQpbqxSCBJVpamI6ydzcKqyFmnd5msMWUGvzXLm1aXvusbbgkbOto/EUPM00hjveJEaJtdbhUjKSzWRhQVkaw==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://github.com/sponsors/dubzzz"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fast-check"
+        }
+      ]
+    },
+    "node_modules/typescript": {
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.2.tgz",
+      "integrity": "sha512-6l+RyNy7oAHDfxC4FzSJcz9vnjTKxrLpDG5M2Vu4SHRVNg6xzqZp6LYSR9zjqQTu8DU/f5xwxUdADOkbrIX2gQ==",
+      "dev": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    }
+  }
+}

package.json

@@ -1,87 +1,181 @@
 {
   "name": "@noble/curves",
-  "version": "0.2.0",
+  "version": "1.3.0",
-  "description": "Minimal, zero-dependency JS implementation of elliptic curve cryptography",
+  "description": "Audited & minimal JS implementation of elliptic curve cryptography",
   "files": [
-    "index.js",
+    "abstract",
-    "lib",
+    "esm",
-    "lib/esm"
+    "src",
+    "*.js",
+    "*.js.map",
+    "*.d.ts",
+    "*.d.ts.map"
   ],
   "scripts": {
-    "bench": "node curve-definitions/benchmark/index.js",
+    "bench": "cd benchmark; node secp256k1.js; node curves.js; node ecdh.js; node hash-to-curve.js; node modular.js; node bls.js; node ristretto255.js; node decaf448.js",
     "build": "tsc && tsc -p tsconfig.esm.json",
-    "build:release": "rollup -c rollup.config.js",
+    "build:release": "cd build; npm install && npm run build",
-    "lint": "prettier --check 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "build:clean": "rm *.{js,d.ts,d.ts.map,js.map} esm/*.{js,d.ts,d.ts.map,js.map} 2> /dev/null",
-    "format": "prettier --write 'src/**/*.{js,ts}' 'curve-definitions/src/**/*.{js,ts}'",
+    "lint": "prettier --check 'src/**/*.{js,ts}' 'test/*.js'",
-    "test": "cd curve-definitions; node test/index.test.js"
+    "format": "prettier --write 'src/**/*.{js,ts}' 'test/*.js'",
+    "test": "node test/index.test.js"
   },
   "author": "Paul Miller (https://paulmillr.com)",
   "homepage": "https://paulmillr.com/noble/",
   "repository": {
     "type": "git",
-    "url": "https://github.com/paulmillr/noble-curves.git"
+    "url": "git+https://github.com/paulmillr/noble-curves.git"
   },
   "license": "MIT",
-  "devDependencies": {
+  "dependencies": {
-    "@rollup/plugin-node-resolve": "13.3.0",
+    "@noble/hashes": "1.3.3"
-    "micro-bmark": "0.2.0",
-    "micro-should": "0.2.0",
-    "prettier": "2.6.2",
-    "rollup": "2.75.5",
-    "typescript": "4.7.3"
   },
+  "devDependencies": {
+    "fast-check": "3.0.0",
+    "micro-bmark": "0.3.1",
+    "micro-should": "0.4.0",
+    "prettier": "3.1.1",
+    "typescript": "5.3.2"
+  },
+  "sideEffects": false,
   "main": "index.js",
   "exports": {
-    "./edwards": {
+    ".": {
-      "types": "./lib/edwards.d.ts",
+      "types": "./index.d.ts",
-      "import": "./lib/esm/edwards.js",
+      "import": "./esm/index.js",
-      "default": "./lib/edwards.js"
+      "default": "./index.js"
     },
-    "./modular": {
+    "./abstract/edwards": {
-      "types": "./lib/modular.d.ts",
+      "types": "./abstract/edwards.d.ts",
-      "import": "./lib/esm/modular.js",
+      "import": "./esm/abstract/edwards.js",
-      "default": "./lib/modular.js"
+      "default": "./abstract/edwards.js"
     },
-    "./montgomery": {
+    "./abstract/modular": {
-      "types": "./lib/montgomery.d.ts",
+      "types": "./abstract/modular.d.ts",
-      "import": "./lib/esm/montgomery.js",
+      "import": "./esm/abstract/modular.js",
-      "default": "./lib/montgomery.js"
+      "default": "./abstract/modular.js"
     },
-    "./weierstrass": {
+    "./abstract/montgomery": {
-      "types": "./lib/weierstrass.d.ts",
+      "types": "./abstract/montgomery.d.ts",
-      "import": "./lib/esm/weierstrass.js",
+      "import": "./esm/abstract/montgomery.js",
-      "default": "./lib/weierstrass.js"
+      "default": "./abstract/montgomery.js"
     },
-    "./utils": {
+    "./abstract/weierstrass": {
-      "types": "./lib/utils.d.ts",
+      "types": "./abstract/weierstrass.d.ts",
-      "import": "./lib/esm/utils.js",
+      "import": "./esm/abstract/weierstrass.js",
-      "default": "./lib/utils.js"
+      "default": "./abstract/weierstrass.js"
+    },
+    "./abstract/bls": {
+      "types": "./abstract/bls.d.ts",
+      "import": "./esm/abstract/bls.js",
+      "default": "./abstract/bls.js"
+    },
+    "./abstract/hash-to-curve": {
+      "types": "./abstract/hash-to-curve.d.ts",
+      "import": "./esm/abstract/hash-to-curve.js",
+      "default": "./abstract/hash-to-curve.js"
+    },
+    "./abstract/curve": {
+      "types": "./abstract/curve.d.ts",
+      "import": "./esm/abstract/curve.js",
+      "default": "./abstract/curve.js"
+    },
+    "./abstract/utils": {
+      "types": "./abstract/utils.d.ts",
+      "import": "./esm/abstract/utils.js",
+      "default": "./abstract/utils.js"
+    },
+    "./abstract/poseidon": {
+      "types": "./abstract/poseidon.d.ts",
+      "import": "./esm/abstract/poseidon.js",
+      "default": "./abstract/poseidon.js"
+    },
+    "./_shortw_utils": {
+      "types": "./_shortw_utils.d.ts",
+      "import": "./esm/_shortw_utils.js",
+      "default": "./_shortw_utils.js"
+    },
+    "./bls12-381": {
+      "types": "./bls12-381.d.ts",
+      "import": "./esm/bls12-381.js",
+      "default": "./bls12-381.js"
+    },
+    "./bn254": {
+      "types": "./bn254.d.ts",
+      "import": "./esm/bn254.js",
+      "default": "./bn254.js"
+    },
+    "./ed25519": {
+      "types": "./ed25519.d.ts",
+      "import": "./esm/ed25519.js",
+      "default": "./ed25519.js"
+    },
+    "./ed448": {
+      "types": "./ed448.d.ts",
+      "import": "./esm/ed448.js",
+      "default": "./ed448.js"
+    },
+    "./index": {
+      "types": "./index.d.ts",
+      "import": "./esm/index.js",
+      "default": "./index.js"
+    },
+    "./jubjub": {
+      "types": "./jubjub.d.ts",
+      "import": "./esm/jubjub.js",
+      "default": "./jubjub.js"
+    },
+    "./p256": {
+      "types": "./p256.d.ts",
+      "import": "./esm/p256.js",
+      "default": "./p256.js"
+    },
+    "./p384": {
+      "types": "./p384.d.ts",
+      "import": "./esm/p384.js",
+      "default": "./p384.js"
+    },
+    "./p521": {
+      "types": "./p521.d.ts",
+      "import": "./esm/p521.js",
+      "default": "./p521.js"
+    },
+    "./pasta": {
+      "types": "./pasta.d.ts",
+      "import": "./esm/pasta.js",
+      "default": "./pasta.js"
+    },
+    "./secp256k1": {
+      "types": "./secp256k1.d.ts",
+      "import": "./esm/secp256k1.js",
+      "default": "./secp256k1.js"
     }
   },
   "keywords": [
     "elliptic",
     "curve",
     "cryptography",
-    "hyperelliptic",
     "weierstrass",
-    "edwards",
     "montgomery",
-    "secp256k1",
+    "edwards",
-    "ed25519",
-    "ed448",
     "p256",
     "p384",
     "p521",
-    "nist",
+    "secp256r1",
+    "secp256k1",
+    "ed25519",
+    "ed448",
+    "x25519",
+    "ed25519",
+    "bls12-381",
+    "bn254",
+    "pasta",
+    "bls",
+    "noble",
     "ecc",
     "ecdsa",
     "eddsa",
     "schnorr"
   ],
-  "funding": [
+  "funding": "https://paulmillr.com/funding/"
-    {
-      "type": "individual",
-      "url": "https://paulmillr.com/funding/"
-    }
-  ]
 }

src/_shortw_utils.ts

@@ -1,7 +1,10 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { weierstrass, CurveType, CHash } from '@noble/curves/weierstrass';
+import { weierstrass, CurveType } from './abstract/weierstrass.js';
+import { CHash } from './abstract/utils.js';
 
+// connects noble-curves to noble-hashes
 export function getHash(hash: CHash) {
   return {
     hash,

src/abstract/bls.ts

@@ -0,0 +1,496 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/**
+ * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
+ * Implements BLS (Boneh-Lynn-Shacham) signatures.
+ * Consists of two curves: G1 and G2:
+ * - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
+ * - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
+ * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
+ *   Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
+ * Pairing is used to aggregate and verify signatures.
+ * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
+ * Some projects may prefer to swap this relation, it is not supported for now.
+ */
+import { AffinePoint } from './curve.js';
+import { IField, getMinHashLength, mapHashToField } from './modular.js';
+import { Hex, PrivKey, CHash, bitLen, bitGet, ensureBytes } from './utils.js';
+// prettier-ignore
+import {
+  MapToCurve, Opts as HTFOpts, H2CPointConstructor, htfBasicOpts,
+  createHasher
+} from './hash-to-curve.js';
+import {
+  CurvePointsType,
+  ProjPointType as ProjPointType,
+  CurvePointsRes,
+  weierstrassPoints,
+} from './weierstrass.js';
+
+type Fp = bigint; // Can be different field?
+
+// prettier-ignore
+const _2n = BigInt(2), _3n = BigInt(3);
+
+export type ShortSignatureCoder<Fp> = {
+  fromHex(hex: Hex): ProjPointType<Fp>;
+  toRawBytes(point: ProjPointType<Fp>): Uint8Array;
+  toHex(point: ProjPointType<Fp>): string;
+};
+
+export type SignatureCoder<Fp2> = {
+  fromHex(hex: Hex): ProjPointType<Fp2>;
+  toRawBytes(point: ProjPointType<Fp2>): Uint8Array;
+  toHex(point: ProjPointType<Fp2>): string;
+};
+
+export type CurveType<Fp, Fp2, Fp6, Fp12> = {
+  G1: Omit<CurvePointsType<Fp>, 'n'> & {
+    ShortSignature: SignatureCoder<Fp>;
+    mapToCurve: MapToCurve<Fp>;
+    htfDefaults: HTFOpts;
+  };
+  G2: Omit<CurvePointsType<Fp2>, 'n'> & {
+    Signature: SignatureCoder<Fp2>;
+    mapToCurve: MapToCurve<Fp2>;
+    htfDefaults: HTFOpts;
+  };
+  fields: {
+    Fp: IField<Fp>;
+    Fr: IField<bigint>;
+    Fp2: IField<Fp2> & {
+      reim: (num: Fp2) => { re: bigint; im: bigint };
+      multiplyByB: (num: Fp2) => Fp2;
+      frobeniusMap(num: Fp2, power: number): Fp2;
+    };
+    Fp6: IField<Fp6>;
+    Fp12: IField<Fp12> & {
+      frobeniusMap(num: Fp12, power: number): Fp12;
+      multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
+      conjugate(num: Fp12): Fp12;
+      finalExponentiate(num: Fp12): Fp12;
+    };
+  };
+  params: {
+    x: bigint;
+    r: bigint;
+  };
+  htfDefaults: HTFOpts;
+  hash: CHash; // Because we need outputLen for DRBG
+  randomBytes: (bytesLength?: number) => Uint8Array;
+};
+
+export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
+  getPublicKey: (privateKey: PrivKey) => Uint8Array;
+  getPublicKeyForShortSignatures: (privateKey: PrivKey) => Uint8Array;
+  sign: {
+    (message: Hex, privateKey: PrivKey): Uint8Array;
+    (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
+  };
+  signShortSignature: {
+    (message: Hex, privateKey: PrivKey): Uint8Array;
+    (message: ProjPointType<Fp>, privateKey: PrivKey): ProjPointType<Fp>;
+  };
+  verify: (
+    signature: Hex | ProjPointType<Fp2>,
+    message: Hex | ProjPointType<Fp2>,
+    publicKey: Hex | ProjPointType<Fp>,
+    htfOpts?: htfBasicOpts
+  ) => boolean;
+  verifyShortSignature: (
+    signature: Hex | ProjPointType<Fp>,
+    message: Hex | ProjPointType<Fp>,
+    publicKey: Hex | ProjPointType<Fp2>,
+    htfOpts?: htfBasicOpts
+  ) => boolean;
+  verifyBatch: (
+    signature: Hex | ProjPointType<Fp2>,
+    messages: (Hex | ProjPointType<Fp2>)[],
+    publicKeys: (Hex | ProjPointType<Fp>)[],
+    htfOpts?: htfBasicOpts
+  ) => boolean;
+  aggregatePublicKeys: {
+    (publicKeys: Hex[]): Uint8Array;
+    (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
+  };
+  aggregateSignatures: {
+    (signatures: Hex[]): Uint8Array;
+    (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
+  };
+  aggregateShortSignatures: {
+    (signatures: Hex[]): Uint8Array;
+    (signatures: ProjPointType<Fp>[]): ProjPointType<Fp>;
+  };
+  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
+  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+  G1: CurvePointsRes<Fp> & ReturnType<typeof createHasher<Fp>>;
+  G2: CurvePointsRes<Fp2> & ReturnType<typeof createHasher<Fp2>>;
+  Signature: SignatureCoder<Fp2>;
+  ShortSignature: ShortSignatureCoder<Fp>;
+  params: {
+    x: bigint;
+    r: bigint;
+    G1b: bigint;
+    G2b: Fp2;
+  };
+  fields: {
+    Fp: IField<Fp>;
+    Fp2: IField<Fp2>;
+    Fp6: IField<Fp6>;
+    Fp12: IField<Fp12>;
+    Fr: IField<bigint>;
+  };
+  utils: {
+    randomPrivateKey: () => Uint8Array;
+    calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
+  };
+};
+
+export function bls<Fp2, Fp6, Fp12>(
+  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>
+): CurveFn<Fp, Fp2, Fp6, Fp12> {
+  // Fields are specific for curve, so for now we'll need to pass them with opts
+  const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE.fields;
+  const BLS_X_LEN = bitLen(CURVE.params.x);
+
+  // Pre-compute coefficients for sparse multiplication
+  // Point addition and point double calculations is reused for coefficients
+  function calcPairingPrecomputes(p: AffinePoint<Fp2>) {
+    const { x, y } = p;
+    // prettier-ignore
+    const Qx = x, Qy = y, Qz = Fp2.ONE;
+    // prettier-ignore
+    let Rx = Qx, Ry = Qy, Rz = Qz;
+    let ell_coeff: [Fp2, Fp2, Fp2][] = [];
+    for (let i = BLS_X_LEN - 2; i >= 0; i--) {
+      // Double
+      let t0 = Fp2.sqr(Ry); // Ry²
+      let t1 = Fp2.sqr(Rz); // Rz²
+      let t2 = Fp2.multiplyByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
+      let t3 = Fp2.mul(t2, _3n); // 3 * T2
+      let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+      ell_coeff.push([
+        Fp2.sub(t2, t0), // T2 - T0
+        Fp2.mul(Fp2.sqr(Rx), _3n), // 3 * Rx²
+        Fp2.neg(t4), // -T4
+      ]);
+      Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), _2n); // ((T0 - T3) * Rx * Ry) / 2
+      Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), _2n)), Fp2.mul(Fp2.sqr(t2), _3n)); // ((T0 + T3) / 2)² - 3 * T2²
+      Rz = Fp2.mul(t0, t4); // T0 * T4
+      if (bitGet(CURVE.params.x, i)) {
+        // Addition
+        let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
+        let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
+        ell_coeff.push([
+          Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)), // T0 * Qx - T1 * Qy
+          Fp2.neg(t0), // -T0
+          t1, // T1
+        ]);
+        let t2 = Fp2.sqr(t1); // T1²
+        let t3 = Fp2.mul(t2, t1); // T2 * T1
+        let t4 = Fp2.mul(t2, Rx); // T2 * Rx
+        let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+        Rx = Fp2.mul(t1, t5); // T1 * T5
+        Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+        Rz = Fp2.mul(Rz, t3); // Rz * T3
+      }
+    }
+    return ell_coeff;
+  }
+
+  function millerLoop(ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]): Fp12 {
+    const { x } = CURVE.params;
+    const Px = g1[0];
+    const Py = g1[1];
+    let f12 = Fp12.ONE;
+    for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
+      const E = ell[j];
+      f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
+      if (bitGet(x, i)) {
+        j += 1;
+        const F = ell[j];
+        f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
+      }
+      if (i !== 0) f12 = Fp12.sqr(f12);
+    }
+    return Fp12.conjugate(f12);
+  }
+
+  const utils = {
+    randomPrivateKey: (): Uint8Array => {
+      const length = getMinHashLength(Fr.ORDER);
+      return mapHashToField(CURVE.randomBytes(length), Fr.ORDER);
+    },
+    calcPairingPrecomputes,
+  };
+
+  // Point on G1 curve: (x, y)
+  const G1_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G1 });
+  const G1 = Object.assign(
+    G1_,
+    createHasher(G1_.ProjectivePoint, CURVE.G1.mapToCurve, {
+      ...CURVE.htfDefaults,
+      ...CURVE.G1.htfDefaults,
+    })
+  );
+
+  // Sparse multiplication against precomputed coefficients
+  // TODO: replace with weakmap?
+  type withPairingPrecomputes = { _PPRECOMPUTES: [Fp2, Fp2, Fp2][] | undefined };
+  function pairingPrecomputes(point: G2): [Fp2, Fp2, Fp2][] {
+    const p = point as G2 & withPairingPrecomputes;
+    if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
+    p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
+    return p._PPRECOMPUTES;
+  }
+
+  // TODO: export
+  // function clearPairingPrecomputes(point: G2) {
+  //   const p = point as G2 & withPairingPrecomputes;
+  //   p._PPRECOMPUTES = undefined;
+  // }
+
+  // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
+  const G2_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G2 });
+  const G2 = Object.assign(
+    G2_,
+    createHasher(G2_.ProjectivePoint as H2CPointConstructor<Fp2>, CURVE.G2.mapToCurve, {
+      ...CURVE.htfDefaults,
+      ...CURVE.G2.htfDefaults,
+    })
+  );
+
+  const { ShortSignature } = CURVE.G1;
+  const { Signature } = CURVE.G2;
+
+  // Calculates bilinear pairing
+  function pairing(Q: G1, P: G2, withFinalExponent: boolean = true): Fp12 {
+    if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
+      throw new Error('pairing is not available for ZERO point');
+    Q.assertValidity();
+    P.assertValidity();
+    // Performance: 9ms for millerLoop and ~14ms for exp.
+    const Qa = Q.toAffine();
+    const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
+    return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
+  }
+  type G1 = typeof G1.ProjectivePoint.BASE;
+  type G2 = typeof G2.ProjectivePoint.BASE;
+
+  type G1Hex = Hex | G1;
+  type G2Hex = Hex | G2;
+  function normP1(point: G1Hex): G1 {
+    return point instanceof G1.ProjectivePoint ? (point as G1) : G1.ProjectivePoint.fromHex(point);
+  }
+  function normP1Hash(point: G1Hex, htfOpts?: htfBasicOpts): G1 {
+    return point instanceof G1.ProjectivePoint
+      ? point
+      : (G1.hashToCurve(ensureBytes('point', point), htfOpts) as G1);
+  }
+  function normP2(point: G2Hex): G2 {
+    return point instanceof G2.ProjectivePoint ? point : Signature.fromHex(point);
+  }
+  function normP2Hash(point: G2Hex, htfOpts?: htfBasicOpts): G2 {
+    return point instanceof G2.ProjectivePoint
+      ? point
+      : (G2.hashToCurve(ensureBytes('point', point), htfOpts) as G2);
+  }
+
+  // Multiplies generator (G1) by private key.
+  // P = pk x G
+  function getPublicKey(privateKey: PrivKey): Uint8Array {
+    return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+  }
+
+  // Multiplies generator (G2) by private key.
+  // P = pk x G
+  function getPublicKeyForShortSignatures(privateKey: PrivKey): Uint8Array {
+    return G2.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+  }
+
+  // Executes `hashToCurve` on the message and then multiplies the result by private key.
+  // S = pk x H(m)
+  function sign(message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
+  function sign(message: G2, privateKey: PrivKey, htfOpts?: htfBasicOpts): G2;
+  function sign(message: G2Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array | G2 {
+    const msgPoint = normP2Hash(message, htfOpts);
+    msgPoint.assertValidity();
+    const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
+    if (message instanceof G2.ProjectivePoint) return sigPoint;
+    return Signature.toRawBytes(sigPoint);
+  }
+
+  function signShortSignature(
+    message: Hex,
+    privateKey: PrivKey,
+    htfOpts?: htfBasicOpts
+  ): Uint8Array;
+  function signShortSignature(message: G1, privateKey: PrivKey, htfOpts?: htfBasicOpts): G1;
+  function signShortSignature(
+    message: G1Hex,
+    privateKey: PrivKey,
+    htfOpts?: htfBasicOpts
+  ): Uint8Array | G1 {
+    const msgPoint = normP1Hash(message, htfOpts);
+    msgPoint.assertValidity();
+    const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
+    if (message instanceof G1.ProjectivePoint) return sigPoint;
+    return ShortSignature.toRawBytes(sigPoint);
+  }
+
+  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+  // e(P, H(m)) == e(G, S)
+  function verify(
+    signature: G2Hex,
+    message: G2Hex,
+    publicKey: G1Hex,
+    htfOpts?: htfBasicOpts
+  ): boolean {
+    const P = normP1(publicKey);
+    const Hm = normP2Hash(message, htfOpts);
+    const G = G1.ProjectivePoint.BASE;
+    const S = normP2(signature);
+    // Instead of doing 2 exponentiations, we use property of billinear maps
+    // and do one exp after multiplying 2 points.
+    const ePHm = pairing(P.negate(), Hm, false);
+    const eGS = pairing(G, S, false);
+    const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
+    return Fp12.eql(exp, Fp12.ONE);
+  }
+
+  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+  // e(S, G) == e(H(m), P)
+  function verifyShortSignature(
+    signature: G1Hex,
+    message: G1Hex,
+    publicKey: G2Hex,
+    htfOpts?: htfBasicOpts
+  ): boolean {
+    const P = normP2(publicKey);
+    const Hm = normP1Hash(message, htfOpts);
+    const G = G2.ProjectivePoint.BASE;
+    const S = normP1(signature);
+    // Instead of doing 2 exponentiations, we use property of billinear maps
+    // and do one exp after multiplying 2 points.
+    const eHmP = pairing(Hm, P, false);
+    const eSG = pairing(S, G.negate(), false);
+    const exp = Fp12.finalExponentiate(Fp12.mul(eSG, eHmP));
+    return Fp12.eql(exp, Fp12.ONE);
+  }
+
+  // Adds a bunch of public key points together.
+  // pk1 + pk2 + pk3 = pkA
+  function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
+  function aggregatePublicKeys(publicKeys: G1[]): G1;
+  function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
+    if (!publicKeys.length) throw new Error('Expected non-empty array');
+    const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
+    const aggAffine = agg; //.toAffine();
+    if (publicKeys[0] instanceof G1.ProjectivePoint) {
+      aggAffine.assertValidity();
+      return aggAffine;
+    }
+    // toRawBytes ensures point validity
+    return aggAffine.toRawBytes(true);
+  }
+
+  // Adds a bunch of signature points together.
+  function aggregateSignatures(signatures: Hex[]): Uint8Array;
+  function aggregateSignatures(signatures: G2[]): G2;
+  function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
+    if (!signatures.length) throw new Error('Expected non-empty array');
+    const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
+    const aggAffine = agg; //.toAffine();
+    if (signatures[0] instanceof G2.ProjectivePoint) {
+      aggAffine.assertValidity();
+      return aggAffine;
+    }
+    return Signature.toRawBytes(aggAffine);
+  }
+
+  // Adds a bunch of signature points together.
+  function aggregateShortSignatures(signatures: Hex[]): Uint8Array;
+  function aggregateShortSignatures(signatures: G1[]): G1;
+  function aggregateShortSignatures(signatures: G1Hex[]): Uint8Array | G1 {
+    if (!signatures.length) throw new Error('Expected non-empty array');
+    const agg = signatures.map(normP1).reduce((sum, s) => sum.add(s), G1.ProjectivePoint.ZERO);
+    const aggAffine = agg; //.toAffine();
+    if (signatures[0] instanceof G1.ProjectivePoint) {
+      aggAffine.assertValidity();
+      return aggAffine;
+    }
+    return ShortSignature.toRawBytes(aggAffine);
+  }
+
+  // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
+  // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+  function verifyBatch(
+    signature: G2Hex,
+    messages: G2Hex[],
+    publicKeys: G1Hex[],
+    htfOpts?: htfBasicOpts
+  ): boolean {
+    // @ts-ignore
+    // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
+
+    if (!messages.length) throw new Error('Expected non-empty messages array');
+    if (publicKeys.length !== messages.length)
+      throw new Error('Pubkey count should equal msg count');
+    const sig = normP2(signature);
+    const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
+    const nPublicKeys = publicKeys.map(normP1);
+    try {
+      const paired = [];
+      for (const message of new Set(nMessages)) {
+        const groupPublicKey = nMessages.reduce(
+          (groupPublicKey, subMessage, i) =>
+            subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey,
+          G1.ProjectivePoint.ZERO
+        );
+        // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
+        // Possible to batch pairing for same msg with different groupPublicKey here
+        paired.push(pairing(groupPublicKey, message, false));
+      }
+      paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
+      const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
+      const exp = Fp12.finalExponentiate(product);
+      return Fp12.eql(exp, Fp12.ONE);
+    } catch {
+      return false;
+    }
+  }
+
+  G1.ProjectivePoint.BASE._setWindowSize(4);
+
+  return {
+    getPublicKey,
+    getPublicKeyForShortSignatures,
+    sign,
+    signShortSignature,
+    verify,
+    verifyBatch,
+    verifyShortSignature,
+    aggregatePublicKeys,
+    aggregateSignatures,
+    aggregateShortSignatures,
+    millerLoop,
+    pairing,
+    G1,
+    G2,
+    Signature,
+    ShortSignature,
+    fields: {
+      Fr,
+      Fp,
+      Fp2,
+      Fp6,
+      Fp12,
+    },
+    params: {
+      x: CURVE.params.x,
+      r: CURVE.params.r,
+      G1b: CURVE.G1.b,
+      G2b: CURVE.G2.b,
+    },
+    utils,
+  };
+}

src/abstract/curve.ts

@@ -1,29 +1,47 @@
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Default group related functions
+// Abelian group utilities
+import { IField, validateField, nLength } from './modular.js';
+import { validateObject } from './utils.js';
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 
+export type AffinePoint<T> = {
+  x: T;
+  y: T;
+} & { z?: never; t?: never };
+
 export interface Group<T extends Group<T>> {
   double(): T;
   negate(): T;
   add(other: T): T;
   subtract(other: T): T;
   equals(other: T): boolean;
-  multiply(scalar: number | bigint): T;
+  multiply(scalar: bigint): T;
 }
 
 export type GroupConstructor<T> = {
   BASE: T;
   ZERO: T;
 };
-// Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
+export type Mapper<T> = (i: T[]) => T[];
+
+// Elliptic curve multiplication of Point by scalar. Fragile.
+// Scalars should always be less than curve order: this should be checked inside of a curve itself.
+// Creates precomputation tables for fast multiplication:
+// - private scalar is split by fixed size windows of W bits
+// - every window point is collected from window's table & added to accumulator
+// - since windows are different, same point inside tables won't be accessed more than once per calc
+// - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+// - +1 window is neccessary for wNAF
+// - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+// TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
+// windows to be in different memory locations
 export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
   const constTimeNegate = (condition: boolean, item: T): T => {
     const neg = item.negate();
     return condition ? neg : item;
   };
   const opts = (W: number) => {
-    if (256 % W) throw new Error('Invalid precomputation window, must be power of 2');
     const windows = Math.ceil(bits / W) + 1; // +1, because
     const windowSize = 2 ** (W - 1); // -1 because we skip zero
     return { windows, windowSize };
@@ -45,8 +63,12 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
     /**
      * Creates a wNAF precomputation window. Used for caching.
      * Default window size is set by `utils.precompute()` and is equal to 8.
-     * Which means we are caching 65536 points: 256 points for every bit from 0 to 256.
+     * Number of precomputed points depends on the curve size:
-     * @returns 65K precomputed points, depending on W
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @returns precomputed point tables flattened to a single array
      */
     precomputeWindow(elm: T, W: number): Group<T>[] {
       const { windows, windowSize } = opts(W);
@@ -67,12 +89,15 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
     },
 
     /**
-     * Implements w-ary non-adjacent form for calculating ec multiplication.
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-     * @param n
+     * @param W window size
-     * @param affinePoint optional 2d point to save cached precompute windows on it.
+     * @param precomputes precomputed tables
+     * @param n scalar (we don't check here, but should be less than curve order)
      * @returns real and fake (for const-time) points
      */
     wNAF(W: number, precomputes: T[], n: bigint): { p: T; f: T } {
+      // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
+      // But need to carefully remove other checks before wNAF. ORDER == bits here
       const { windows, windowSize } = opts(W);
 
       let p = c.ZERO;
@@ -123,5 +148,56 @@ export function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number) {
       // which makes it less const-time: around 1 bigint multiply.
       return { p, f };
     },
+
+    wNAFCached(P: T, precomputesMap: Map<T, T[]>, n: bigint, transform: Mapper<T>): { p: T; f: T } {
+      // @ts-ignore
+      const W: number = P._WINDOW_SIZE || 1;
+      // Calculate precomputes on a first run, reuse them after
+      let comp = precomputesMap.get(P);
+      if (!comp) {
+        comp = this.precomputeWindow(P, W) as T[];
+        if (W !== 1) {
+          precomputesMap.set(P, transform(comp));
+        }
+      }
+      return this.wNAF(W, comp, n);
+    },
   };
 }
+
+// Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
+// Though generator can be different (Fp2 / Fp6 for BLS).
+export type BasicCurve<T> = {
+  Fp: IField<T>; // Field over which we'll do calculations (Fp)
+  n: bigint; // Curve order, total count of valid points in the field
+  nBitLength?: number; // bit length of curve order
+  nByteLength?: number; // byte length of curve order
+  h: bigint; // cofactor. we can assign default=1, but users will just ignore it w/o validation
+  hEff?: bigint; // Number to multiply to clear cofactor
+  Gx: T; // base point X coordinate
+  Gy: T; // base point Y coordinate
+  allowInfinityPoint?: boolean; // bls12-381 requires it. ZERO point is valid, but invalid pubkey
+};
+
+export function validateBasic<FP, T>(curve: BasicCurve<FP> & T) {
+  validateField(curve.Fp);
+  validateObject(
+    curve,
+    {
+      n: 'bigint',
+      h: 'bigint',
+      Gx: 'field',
+      Gy: 'field',
+    },
+    {
+      nBitLength: 'isSafeInteger',
+      nByteLength: 'isSafeInteger',
+    }
+  );
+  // Set defaults
+  return Object.freeze({
+    ...nLength(curve.n, curve.nBitLength),
+    ...curve,
+    ...{ p: curve.Fp.ORDER },
+  } as const);
+}

src/abstract/edwards.ts

@@ -0,0 +1,513 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
+import { mod } from './modular.js';
+import * as ut from './utils.js';
+import { ensureBytes, FHash, Hex } from './utils.js';
+import { Group, GroupConstructor, wNAF, BasicCurve, validateBasic, AffinePoint } from './curve.js';
+
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
+
+// Edwards curves must declare params a & d.
+export type CurveType = BasicCurve<bigint> & {
+  a: bigint; // curve param a
+  d: bigint; // curve param d
+  hash: FHash; // Hashing
+  randomBytes: (bytesLength?: number) => Uint8Array; // CSPRNG
+  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
+  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
+  uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint }; // Ratio √(u/v)
+  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
+  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
+};
+
+// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+const VERIFY_DEFAULT = { zip215: true };
+
+function validateOpts(curve: CurveType) {
+  const opts = validateBasic(curve);
+  ut.validateObject(
+    curve,
+    {
+      hash: 'function',
+      a: 'bigint',
+      d: 'bigint',
+      randomBytes: 'function',
+    },
+    {
+      adjustScalarBytes: 'function',
+      domain: 'function',
+      uvRatio: 'function',
+      mapToCurve: 'function',
+    }
+  );
+  // Set defaults
+  return Object.freeze({ ...opts } as const);
+}
+
+// Instance of Extended Point with coordinates in X, Y, Z, T
+export interface ExtPointType extends Group<ExtPointType> {
+  readonly ex: bigint;
+  readonly ey: bigint;
+  readonly ez: bigint;
+  readonly et: bigint;
+  get x(): bigint;
+  get y(): bigint;
+  assertValidity(): void;
+  multiply(scalar: bigint): ExtPointType;
+  multiplyUnsafe(scalar: bigint): ExtPointType;
+  isSmallOrder(): boolean;
+  isTorsionFree(): boolean;
+  clearCofactor(): ExtPointType;
+  toAffine(iz?: bigint): AffinePoint<bigint>;
+  toRawBytes(isCompressed?: boolean): Uint8Array;
+  toHex(isCompressed?: boolean): string;
+}
+// Static methods of Extended Point with coordinates in X, Y, Z, T
+export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
+  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
+  fromAffine(p: AffinePoint<bigint>): ExtPointType;
+  fromHex(hex: Hex): ExtPointType;
+  fromPrivateKey(privateKey: Hex): ExtPointType;
+}
+
+export type CurveFn = {
+  CURVE: ReturnType<typeof validateOpts>;
+  getPublicKey: (privateKey: Hex) => Uint8Array;
+  sign: (message: Hex, privateKey: Hex, options?: { context?: Hex }) => Uint8Array;
+  verify: (
+    sig: Hex,
+    message: Hex,
+    publicKey: Hex,
+    options?: { context?: Hex; zip215: boolean }
+  ) => boolean;
+  ExtendedPoint: ExtPointConstructor;
+  utils: {
+    randomPrivateKey: () => Uint8Array;
+    getExtendedPublicKey: (key: Hex) => {
+      head: Uint8Array;
+      prefix: Uint8Array;
+      scalar: bigint;
+      point: ExtPointType;
+      pointBytes: Uint8Array;
+    };
+  };
+};
+
+// It is not generic twisted curve for now, but ed25519/ed448 generic implementation
+export function twistedEdwards(curveDef: CurveType): CurveFn {
+  const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
+  const {
+    Fp,
+    n: CURVE_ORDER,
+    prehash: prehash,
+    hash: cHash,
+    randomBytes,
+    nByteLength,
+    h: cofactor,
+  } = CURVE;
+  const MASK = _2n << (BigInt(nByteLength * 8) - _1n);
+  const modP = Fp.create; // Function overrides
+
+  // sqrt(u/v)
+  const uvRatio =
+    CURVE.uvRatio ||
+    ((u: bigint, v: bigint) => {
+      try {
+        return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
+      } catch (e) {
+        return { isValid: false, value: _0n };
+      }
+    });
+  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes); // NOOP
+  const domain =
+    CURVE.domain ||
+    ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
+      if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
+      return data;
+    }); // NOOP
+  const inBig = (n: bigint) => typeof n === 'bigint' && _0n < n; // n in [1..]
+  const inRange = (n: bigint, max: bigint) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
+  const in0MaskRange = (n: bigint) => n === _0n || inRange(n, MASK); // n in [0..MASK-1]
+  function assertInRange(n: bigint, max: bigint) {
+    // n in [1..max-1]
+    if (inRange(n, max)) return n;
+    throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
+  }
+  function assertGE0(n: bigint) {
+    // n in [0..CURVE_ORDER-1]
+    return n === _0n ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
+  }
+  const pointPrecomputes = new Map<Point, Point[]>();
+  function isPoint(other: unknown) {
+    if (!(other instanceof Point)) throw new Error('ExtendedPoint expected');
+  }
+  // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
+  // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
+  class Point implements ExtPointType {
+    static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
+    static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
+
+    constructor(
+      readonly ex: bigint,
+      readonly ey: bigint,
+      readonly ez: bigint,
+      readonly et: bigint
+    ) {
+      if (!in0MaskRange(ex)) throw new Error('x required');
+      if (!in0MaskRange(ey)) throw new Error('y required');
+      if (!in0MaskRange(ez)) throw new Error('z required');
+      if (!in0MaskRange(et)) throw new Error('t required');
+    }
+
+    get x(): bigint {
+      return this.toAffine().x;
+    }
+    get y(): bigint {
+      return this.toAffine().y;
+    }
+
+    static fromAffine(p: AffinePoint<bigint>): Point {
+      if (p instanceof Point) throw new Error('extended point not allowed');
+      const { x, y } = p || {};
+      if (!in0MaskRange(x) || !in0MaskRange(y)) throw new Error('invalid affine point');
+      return new Point(x, y, _1n, modP(x * y));
+    }
+    static normalizeZ(points: Point[]): Point[] {
+      const toInv = Fp.invertBatch(points.map((p) => p.ez));
+      return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+    }
+
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    _WINDOW_SIZE?: number;
+
+    // "Private method", don't use it directly
+    _setWindowSize(windowSize: number) {
+      this._WINDOW_SIZE = windowSize;
+      pointPrecomputes.delete(this);
+    }
+    // Not required for fromHex(), which always creates valid points.
+    // Could be useful for fromAffine().
+    assertValidity(): void {
+      const { a, d } = CURVE;
+      if (this.is0()) throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
+      // Equation in affine coordinates: ax² + y² = 1 + dx²y²
+      // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
+      const { ex: X, ey: Y, ez: Z, et: T } = this;
+      const X2 = modP(X * X); // X²
+      const Y2 = modP(Y * Y); // Y²
+      const Z2 = modP(Z * Z); // Z²
+      const Z4 = modP(Z2 * Z2); // Z⁴
+      const aX2 = modP(X2 * a); // aX²
+      const left = modP(Z2 * modP(aX2 + Y2)); // (aX² + Y²)Z²
+      const right = modP(Z4 + modP(d * modP(X2 * Y2))); // Z⁴ + dX²Y²
+      if (left !== right) throw new Error('bad point: equation left != right (1)');
+      // In Extended coordinates we also have T, which is x*y=T/Z: check X*Y == Z*T
+      const XY = modP(X * Y);
+      const ZT = modP(Z * T);
+      if (XY !== ZT) throw new Error('bad point: equation left != right (2)');
+    }
+
+    // Compare one point to another.
+    equals(other: Point): boolean {
+      isPoint(other);
+      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const { ex: X2, ey: Y2, ez: Z2 } = other;
+      const X1Z2 = modP(X1 * Z2);
+      const X2Z1 = modP(X2 * Z1);
+      const Y1Z2 = modP(Y1 * Z2);
+      const Y2Z1 = modP(Y2 * Z1);
+      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
+    }
+
+    protected is0(): boolean {
+      return this.equals(Point.ZERO);
+    }
+
+    negate(): Point {
+      // Flips point sign to a negative one (-x, y in affine coords)
+      return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+    }
+
+    // Fast algo for doubling Extended Point.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
+    // Cost: 4M + 4S + 1*a + 6add + 1*2.
+    double(): Point {
+      const { a } = CURVE;
+      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const A = modP(X1 * X1); // A = X12
+      const B = modP(Y1 * Y1); // B = Y12
+      const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
+      const D = modP(a * A); // D = a*A
+      const x1y1 = X1 + Y1;
+      const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
+      const G = D + B; // G = D+B
+      const F = G - C; // F = G-C
+      const H = D - B; // H = D-B
+      const X3 = modP(E * F); // X3 = E*F
+      const Y3 = modP(G * H); // Y3 = G*H
+      const T3 = modP(E * H); // T3 = E*H
+      const Z3 = modP(F * G); // Z3 = F*G
+      return new Point(X3, Y3, Z3, T3);
+    }
+
+    // Fast algo for adding 2 Extended Points.
+    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
+    // Cost: 9M + 1*a + 1*d + 7add.
+    add(other: Point) {
+      isPoint(other);
+      const { a, d } = CURVE;
+      const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
+      const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
+      // Faster algo for adding 2 Extended Points when curve's a=-1.
+      // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
+      // Cost: 8M + 8add + 2*2.
+      // Note: It does not check whether the `other` point is valid.
+      if (a === BigInt(-1)) {
+        const A = modP((Y1 - X1) * (Y2 + X2));
+        const B = modP((Y1 + X1) * (Y2 - X2));
+        const F = modP(B - A);
+        if (F === _0n) return this.double(); // Same point. Tests say it doesn't affect timing
+        const C = modP(Z1 * _2n * T2);
+        const D = modP(T1 * _2n * Z2);
+        const E = D + C;
+        const G = B + A;
+        const H = D - C;
+        const X3 = modP(E * F);
+        const Y3 = modP(G * H);
+        const T3 = modP(E * H);
+        const Z3 = modP(F * G);
+        return new Point(X3, Y3, Z3, T3);
+      }
+      const A = modP(X1 * X2); // A = X1*X2
+      const B = modP(Y1 * Y2); // B = Y1*Y2
+      const C = modP(T1 * d * T2); // C = T1*d*T2
+      const D = modP(Z1 * Z2); // D = Z1*Z2
+      const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
+      const F = D - C; // F = D-C
+      const G = D + C; // G = D+C
+      const H = modP(B - a * A); // H = B-a*A
+      const X3 = modP(E * F); // X3 = E*F
+      const Y3 = modP(G * H); // Y3 = G*H
+      const T3 = modP(E * H); // T3 = E*H
+      const Z3 = modP(F * G); // Z3 = F*G
+
+      return new Point(X3, Y3, Z3, T3);
+    }
+
+    subtract(other: Point): Point {
+      return this.add(other.negate());
+    }
+
+    private wNAF(n: bigint): { p: Point; f: Point } {
+      return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
+    }
+
+    // Constant-time multiplication.
+    multiply(scalar: bigint): Point {
+      const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
+      return Point.normalizeZ([p, f])[0];
+    }
+
+    // Non-constant-time multiplication. Uses double-and-add algorithm.
+    // It's faster, but should only be used when you don't care about
+    // an exposed private key e.g. sig verification.
+    // Does NOT allow scalars higher than CURVE.n.
+    multiplyUnsafe(scalar: bigint): Point {
+      let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
+      if (n === _0n) return I;
+      if (this.equals(I) || n === _1n) return this;
+      if (this.equals(G)) return this.wNAF(n).p;
+      return wnaf.unsafeLadder(this, n);
+    }
+
+    // Checks if point is of small order.
+    // If you add something to small order point, you will have "dirty"
+    // point with torsion component.
+    // Multiplies point by cofactor and checks if the result is 0.
+    isSmallOrder(): boolean {
+      return this.multiplyUnsafe(cofactor).is0();
+    }
+
+    // Multiplies point by curve order and checks if the result is 0.
+    // Returns `false` is the point is dirty.
+    isTorsionFree(): boolean {
+      return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
+    }
+
+    // Converts Extended point to default (x, y) coordinates.
+    // Can accept precomputed Z^-1 - for example, from invertBatch.
+    toAffine(iz?: bigint): AffinePoint<bigint> {
+      const { ex: x, ey: y, ez: z } = this;
+      const is0 = this.is0();
+      if (iz == null) iz = is0 ? _8n : (Fp.inv(z) as bigint); // 8 was chosen arbitrarily
+      const ax = modP(x * iz);
+      const ay = modP(y * iz);
+      const zz = modP(z * iz);
+      if (is0) return { x: _0n, y: _1n };
+      if (zz !== _1n) throw new Error('invZ was invalid');
+      return { x: ax, y: ay };
+    }
+
+    clearCofactor(): Point {
+      const { h: cofactor } = CURVE;
+      if (cofactor === _1n) return this;
+      return this.multiplyUnsafe(cofactor);
+    }
+
+    // Converts hash string or Uint8Array to Point.
+    // Uses algo from RFC8032 5.1.3.
+    static fromHex(hex: Hex, zip215 = false): Point {
+      const { d, a } = CURVE;
+      const len = Fp.BYTES;
+      hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
+      const normed = hex.slice(); // copy again, we'll manipulate it
+      const lastByte = hex[len - 1]; // select last byte
+      normed[len - 1] = lastByte & ~0x80; // clear last bit
+      const y = ut.bytesToNumberLE(normed);
+      if (y === _0n) {
+        // y=0 is allowed
+      } else {
+        // RFC8032 prohibits >= p, but ZIP215 doesn't
+        if (zip215) assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
+        else assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
+      }
+
+      // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
+      // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
+      const y2 = modP(y * y); // denominator is always non-0 mod p.
+      const u = modP(y2 - _1n); // u = y² - 1
+      const v = modP(d * y2 - a); // v = d y² + 1.
+      let { isValid, value: x } = uvRatio(u, v); // √(u/v)
+      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
+      const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
+      const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
+      if (!zip215 && x === _0n && isLastByteOdd)
+        // if x=0 and x_0 = 1, fail
+        throw new Error('Point.fromHex: x=0 and x_0=1');
+      if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
+      return Point.fromAffine({ x, y });
+    }
+    static fromPrivateKey(privKey: Hex) {
+      return getExtendedPublicKey(privKey).point;
+    }
+    toRawBytes(): Uint8Array {
+      const { x, y } = this.toAffine();
+      const bytes = ut.numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
+      bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
+      return bytes; // and use the last byte to encode sign of x
+    }
+    toHex(): string {
+      return ut.bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
+    }
+  }
+  const { BASE: G, ZERO: I } = Point;
+  const wnaf = wNAF(Point, nByteLength * 8);
+
+  function modN(a: bigint) {
+    return mod(a, CURVE_ORDER);
+  }
+  // Little-endian SHA512 with modulo n
+  function modN_LE(hash: Uint8Array): bigint {
+    return modN(ut.bytesToNumberLE(hash));
+  }
+
+  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
+  function getExtendedPublicKey(key: Hex) {
+    const len = nByteLength;
+    key = ensureBytes('private key', key, len);
+    // Hash private key with curve's hash function to produce uniformingly random input
+    // Check byte lengths: ensure(64, h(ensure(32, key)))
+    const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);
+    const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
+    const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
+    const scalar = modN_LE(head); // The actual private scalar
+    const point = G.multiply(scalar); // Point on Edwards curve aka public key
+    const pointBytes = point.toRawBytes(); // Uint8Array representation
+    return { head, prefix, scalar, point, pointBytes };
+  }
+
+  // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
+  function getPublicKey(privKey: Hex): Uint8Array {
+    return getExtendedPublicKey(privKey).pointBytes;
+  }
+
+  // int('LE', SHA512(dom2(F, C) || msgs)) mod N
+  function hashDomainToScalar(context: Hex = new Uint8Array(), ...msgs: Uint8Array[]) {
+    const msg = ut.concatBytes(...msgs);
+    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
+  }
+
+  /** Signs message with privateKey. RFC8032 5.1.6 */
+  function sign(msg: Hex, privKey: Hex, options: { context?: Hex } = {}): Uint8Array {
+    msg = ensureBytes('message', msg);
+    if (prehash) msg = prehash(msg); // for ed25519ph etc.
+    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+    const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
+    const R = G.multiply(r).toRawBytes(); // R = rG
+    const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
+    const s = modN(r + k * scalar); // S = (r + k * s) mod L
+    assertGE0(s); // 0 <= s < l
+    const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
+    return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
+  }
+
+  const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+  function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
+    const { context, zip215 } = options;
+    const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+    sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
+    msg = ensureBytes('message', msg);
+    if (prehash) msg = prehash(msg); // for ed25519ph, etc
+
+    const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
+    // zip215: true is good for consensus-critical apps and allows points < 2^256
+    // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
+    let A, R, SB;
+    try {
+      A = Point.fromHex(publicKey, zip215);
+      R = Point.fromHex(sig.slice(0, len), zip215);
+      SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+    } catch (error) {
+      return false;
+    }
+    if (!zip215 && A.isSmallOrder()) return false;
+
+    const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+    const RkA = R.add(A.multiplyUnsafe(k));
+    // [8][S]B = [8]R + [8][k]A'
+    return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
+  }
+
+  G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+
+  const utils = {
+    getExtendedPublicKey,
+    // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
+    randomPrivateKey: (): Uint8Array => randomBytes(Fp.BYTES),
+
+    /**
+     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
+     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
+     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
+     * @param windowSize 2, 4, 8, 16
+     */
+    precompute(windowSize = 8, point = Point.BASE): typeof Point.BASE {
+      point._setWindowSize(windowSize);
+      point.multiply(BigInt(3));
+      return point;
+    },
+  };
+
+  return {
+    CURVE,
+    getPublicKey,
+    sign,
+    verify,
+    ExtendedPoint: Point,
+    utils,
+  };
+}

src/abstract/hash-to-curve.ts

@@ -0,0 +1,230 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import type { Group, GroupConstructor, AffinePoint } from './curve.js';
+import { mod, IField } from './modular.js';
+import type { CHash } from './utils.js';
+import { bytesToNumberBE, isBytes, concatBytes, utf8ToBytes, validateObject } from './utils.js';
+
+/**
+ * * `DST` is a domain separation tag, defined in section 2.2.5
+ * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
+ * * `m` is extension degree (1 for prime fields)
+ * * `k` is the target security target in bits (e.g. 128), from section 5.1
+ * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
+ * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
+ */
+type UnicodeOrBytes = string | Uint8Array;
+export type Opts = {
+  DST: UnicodeOrBytes;
+  p: bigint;
+  m: number;
+  k: number;
+  expand: 'xmd' | 'xof';
+  hash: CHash;
+};
+
+function validateDST(dst: UnicodeOrBytes): Uint8Array {
+  if (isBytes(dst)) return dst;
+  if (typeof dst === 'string') return utf8ToBytes(dst);
+  throw new Error('DST must be Uint8Array or string');
+}
+
+// Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
+const os2ip = bytesToNumberBE;
+
+// Integer to Octet Stream (numberToBytesBE)
+function i2osp(value: number, length: number): Uint8Array {
+  if (value < 0 || value >= 1 << (8 * length)) {
+    throw new Error(`bad I2OSP call: value=${value} length=${length}`);
+  }
+  const res = Array.from({ length }).fill(0) as number[];
+  for (let i = length - 1; i >= 0; i--) {
+    res[i] = value & 0xff;
+    value >>>= 8;
+  }
+  return new Uint8Array(res);
+}
+
+function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
+  const arr = new Uint8Array(a.length);
+  for (let i = 0; i < a.length; i++) {
+    arr[i] = a[i] ^ b[i];
+  }
+  return arr;
+}
+
+function abytes(item: unknown): void {
+  if (!isBytes(item)) throw new Error('Uint8Array expected');
+}
+function isNum(item: unknown): void {
+  if (!Number.isSafeInteger(item)) throw new Error('number expected');
+}
+
+// Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
+// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.1
+export function expand_message_xmd(
+  msg: Uint8Array,
+  DST: Uint8Array,
+  lenInBytes: number,
+  H: CHash
+): Uint8Array {
+  abytes(msg);
+  abytes(DST);
+  isNum(lenInBytes);
+  // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
+  if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
+  const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
+  const ell = Math.ceil(lenInBytes / b_in_bytes);
+  if (ell > 255) throw new Error('Invalid xmd length');
+  const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
+  const Z_pad = i2osp(0, r_in_bytes);
+  const l_i_b_str = i2osp(lenInBytes, 2); // len_in_bytes_str
+  const b = new Array<Uint8Array>(ell);
+  const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
+  b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
+  for (let i = 1; i <= ell; i++) {
+    const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
+    b[i] = H(concatBytes(...args));
+  }
+  const pseudo_random_bytes = concatBytes(...b);
+  return pseudo_random_bytes.slice(0, lenInBytes);
+}
+
+// Produces a uniformly random byte string using an extendable-output function (XOF) H.
+// 1. The collision resistance of H MUST be at least k bits.
+// 2. H MUST be an XOF that has been proved indifferentiable from
+//    a random oracle under a reasonable cryptographic assumption.
+// https://www.rfc-editor.org/rfc/rfc9380#section-5.3.2
+export function expand_message_xof(
+  msg: Uint8Array,
+  DST: Uint8Array,
+  lenInBytes: number,
+  k: number,
+  H: CHash
+): Uint8Array {
+  abytes(msg);
+  abytes(DST);
+  isNum(lenInBytes);
+  // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
+  // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
+  if (DST.length > 255) {
+    const dkLen = Math.ceil((2 * k) / 8);
+    DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
+  }
+  if (lenInBytes > 65535 || DST.length > 255)
+    throw new Error('expand_message_xof: invalid lenInBytes');
+  return (
+    H.create({ dkLen: lenInBytes })
+      .update(msg)
+      .update(i2osp(lenInBytes, 2))
+      // 2. DST_prime = DST || I2OSP(len(DST), 1)
+      .update(DST)
+      .update(i2osp(DST.length, 1))
+      .digest()
+  );
+}
+
+/**
+ * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+ * https://www.rfc-editor.org/rfc/rfc9380#section-5.2
+ * @param msg a byte string containing the message to hash
+ * @param count the number of elements of F to output
+ * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`, see above
+ * @returns [u_0, ..., u_(count - 1)], a list of field elements.
+ */
+export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][] {
+  validateObject(options, {
+    DST: 'stringOrUint8Array',
+    p: 'bigint',
+    m: 'isSafeInteger',
+    k: 'isSafeInteger',
+    hash: 'hash',
+  });
+  const { p, k, m, hash, expand, DST: _DST } = options;
+  abytes(msg);
+  isNum(count);
+  const DST = validateDST(_DST);
+  const log2p = p.toString(2).length;
+  const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
+  const len_in_bytes = count * m * L;
+  let prb; // pseudo_random_bytes
+  if (expand === 'xmd') {
+    prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
+  } else if (expand === 'xof') {
+    prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
+  } else if (expand === '_internal_pass') {
+    // for internal tests only
+    prb = msg;
+  } else {
+    throw new Error('expand must be "xmd" or "xof"');
+  }
+  const u = new Array(count);
+  for (let i = 0; i < count; i++) {
+    const e = new Array(m);
+    for (let j = 0; j < m; j++) {
+      const elm_offset = L * (j + i * m);
+      const tv = prb.subarray(elm_offset, elm_offset + L);
+      e[j] = mod(os2ip(tv), p);
+    }
+    u[i] = e;
+  }
+  return u;
+}
+
+export function isogenyMap<T, F extends IField<T>>(field: F, map: [T[], T[], T[], T[]]) {
+  // Make same order as in spec
+  const COEFF = map.map((i) => Array.from(i).reverse());
+  return (x: T, y: T) => {
+    const [xNum, xDen, yNum, yDen] = COEFF.map((val) =>
+      val.reduce((acc, i) => field.add(field.mul(acc, x), i))
+    );
+    x = field.div(xNum, xDen); // xNum / xDen
+    y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
+    return { x, y };
+  };
+}
+
+export interface H2CPoint<T> extends Group<H2CPoint<T>> {
+  add(rhs: H2CPoint<T>): H2CPoint<T>;
+  toAffine(iz?: bigint): AffinePoint<T>;
+  clearCofactor(): H2CPoint<T>;
+  assertValidity(): void;
+}
+
+export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
+  fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
+}
+
+export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
+
+// Separated from initialization opts, so users won't accidentally change per-curve parameters
+// (changing DST is ok!)
+export type htfBasicOpts = { DST: UnicodeOrBytes };
+
+export function createHasher<T>(
+  Point: H2CPointConstructor<T>,
+  mapToCurve: MapToCurve<T>,
+  def: Opts & { encodeDST?: UnicodeOrBytes }
+) {
+  if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
+  return {
+    // Encodes byte string to elliptic curve.
+    // hash_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
+    hashToCurve(msg: Uint8Array, options?: htfBasicOpts) {
+      const u = hash_to_field(msg, 2, { ...def, DST: def.DST, ...options } as Opts);
+      const u0 = Point.fromAffine(mapToCurve(u[0]));
+      const u1 = Point.fromAffine(mapToCurve(u[1]));
+      const P = u0.add(u1).clearCofactor();
+      P.assertValidity();
+      return P;
+    },
+
+    // Encodes byte string to elliptic curve.
+    // encode_to_curve from https://www.rfc-editor.org/rfc/rfc9380#section-3
+    encodeToCurve(msg: Uint8Array, options?: htfBasicOpts) {
+      const u = hash_to_field(msg, 1, { ...def, DST: def.encodeDST, ...options } as Opts);
+      const P = Point.fromAffine(mapToCurve(u[0])).clearCofactor();
+      P.assertValidity();
+      return P;
+    },
+  };
+}

src/abstract/modular.ts

@@ -0,0 +1,484 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Utilities for modular arithmetics and finite fields
+import {
+  bitMask,
+  numberToBytesBE,
+  numberToBytesLE,
+  bytesToNumberBE,
+  bytesToNumberLE,
+  ensureBytes,
+  validateObject,
+} from './utils.js';
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
+// prettier-ignore
+const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
+// prettier-ignore
+const _9n = BigInt(9), _16n = BigInt(16);
+
+// Calculates a modulo b
+export function mod(a: bigint, b: bigint): bigint {
+  const result = a % b;
+  return result >= _0n ? result : b + result;
+}
+/**
+ * Efficiently raise num to power and do modular division.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+ * @example
+ * pow(2n, 6n, 11n) // 64n % 11n == 9n
+ */
+// TODO: use field version && remove
+export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
+  if (modulo <= _0n || power < _0n) throw new Error('Expected power/modulo > 0');
+  if (modulo === _1n) return _0n;
+  let res = _1n;
+  while (power > _0n) {
+    if (power & _1n) res = (res * num) % modulo;
+    num = (num * num) % modulo;
+    power >>= _1n;
+  }
+  return res;
+}
+
+// Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
+export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
+  let res = x;
+  while (power-- > _0n) {
+    res *= res;
+    res %= modulo;
+  }
+  return res;
+}
+
+// Inverses number over modulo
+export function invert(number: bigint, modulo: bigint): bigint {
+  if (number === _0n || modulo <= _0n) {
+    throw new Error(`invert: expected positive integers, got n=${number} mod=${modulo}`);
+  }
+  // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
+  // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
+  let a = mod(number, modulo);
+  let b = modulo;
+  // prettier-ignore
+  let x = _0n, y = _1n, u = _1n, v = _0n;
+  while (a !== _0n) {
+    // JIT applies optimization if those two lines follow each other
+    const q = b / a;
+    const r = b % a;
+    const m = x - u * q;
+    const n = y - v * q;
+    // prettier-ignore
+    b = a, a = r, x = u, y = v, u = m, v = n;
+  }
+  const gcd = b;
+  if (gcd !== _1n) throw new Error('invert: does not exist');
+  return mod(x, modulo);
+}
+
+/**
+ * Tonelli-Shanks square root search algorithm.
+ * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
+ * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
+ * Will start an infinite loop if field order P is not prime.
+ * @param P field order
+ * @returns function that takes field Fp (created from P) and number n
+ */
+export function tonelliShanks(P: bigint) {
+  // Legendre constant: used to calculate Legendre symbol (a | p),
+  // which denotes the value of a^((p-1)/2) (mod p).
+  // (a | p) ≡ 1    if a is a square (mod p)
+  // (a | p) ≡ -1   if a is not a square (mod p)
+  // (a | p) ≡ 0    if a ≡ 0 (mod p)
+  const legendreC = (P - _1n) / _2n;
+
+  let Q: bigint, S: number, Z: bigint;
+  // Step 1: By factoring out powers of 2 from p - 1,
+  // find q and s such that p - 1 = q*(2^s) with q odd
+  for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++);
+
+  // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
+  for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++);
+
+  // Fast-path
+  if (S === 1) {
+    const p1div4 = (P + _1n) / _4n;
+    return function tonelliFast<T>(Fp: IField<T>, n: T) {
+      const root = Fp.pow(n, p1div4);
+      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+      return root;
+    };
+  }
+
+  // Slow-path
+  const Q1div2 = (Q + _1n) / _2n;
+  return function tonelliSlow<T>(Fp: IField<T>, n: T): T {
+    // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
+    if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE)) throw new Error('Cannot find square root');
+    let r = S;
+    // TODO: will fail at Fp2/etc
+    let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
+    let x = Fp.pow(n, Q1div2); // first guess at the square root
+    let b = Fp.pow(n, Q); // first guess at the fudge factor
+
+    while (!Fp.eql(b, Fp.ONE)) {
+      if (Fp.eql(b, Fp.ZERO)) return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
+      // Find m such b^(2^m)==1
+      let m = 1;
+      for (let t2 = Fp.sqr(b); m < r; m++) {
+        if (Fp.eql(t2, Fp.ONE)) break;
+        t2 = Fp.sqr(t2); // t2 *= t2
+      }
+      // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
+      const ge = Fp.pow(g, _1n << BigInt(r - m - 1)); // ge = 2^(r-m-1)
+      g = Fp.sqr(ge); // g = ge * ge
+      x = Fp.mul(x, ge); // x *= ge
+      b = Fp.mul(b, g); // b *= g
+      r = m;
+    }
+    return x;
+  };
+}
+
+export function FpSqrt(P: bigint) {
+  // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
+  // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
+
+  // P ≡ 3 (mod 4)
+  // √n = n^((P+1)/4)
+  if (P % _4n === _3n) {
+    // Not all roots possible!
+    // const ORDER =
+    //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
+    // const NUM = 72057594037927816n;
+    const p1div4 = (P + _1n) / _4n;
+    return function sqrt3mod4<T>(Fp: IField<T>, n: T) {
+      const root = Fp.pow(n, p1div4);
+      // Throw if root**2 != n
+      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+      return root;
+    };
+  }
+
+  // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
+  if (P % _8n === _5n) {
+    const c1 = (P - _5n) / _8n;
+    return function sqrt5mod8<T>(Fp: IField<T>, n: T) {
+      const n2 = Fp.mul(n, _2n);
+      const v = Fp.pow(n2, c1);
+      const nv = Fp.mul(n, v);
+      const i = Fp.mul(Fp.mul(nv, _2n), v);
+      const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+      if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+      return root;
+    };
+  }
+
+  // P ≡ 9 (mod 16)
+  if (P % _16n === _9n) {
+    // NOTE: tonelli is too slow for bls-Fp2 calculations even on start
+    // Means we cannot use sqrt for constants at all!
+    //
+    // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+    // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+    // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+    // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic
+    // sqrt = (x) => {
+    //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4
+    //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1
+    //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1
+    //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1
+    //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
+    //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
+    //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+    //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+    //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
+    //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
+    // }
+  }
+
+  // Other cases: Tonelli-Shanks algorithm
+  return tonelliShanks(P);
+}
+
+// Little-endian check for first LE bit (last BE bit);
+export const isNegativeLE = (num: bigint, modulo: bigint) => (mod(num, modulo) & _1n) === _1n;
+
+// Field is not always over prime: for example, Fp2 has ORDER(q)=p^m
+export interface IField<T> {
+  ORDER: bigint;
+  BYTES: number;
+  BITS: number;
+  MASK: bigint;
+  ZERO: T;
+  ONE: T;
+  // 1-arg
+  create: (num: T) => T;
+  isValid: (num: T) => boolean;
+  is0: (num: T) => boolean;
+  neg(num: T): T;
+  inv(num: T): T;
+  sqrt(num: T): T;
+  sqr(num: T): T;
+  // 2-args
+  eql(lhs: T, rhs: T): boolean;
+  add(lhs: T, rhs: T): T;
+  sub(lhs: T, rhs: T): T;
+  mul(lhs: T, rhs: T | bigint): T;
+  pow(lhs: T, power: bigint): T;
+  div(lhs: T, rhs: T | bigint): T;
+  // N for NonNormalized (for now)
+  addN(lhs: T, rhs: T): T;
+  subN(lhs: T, rhs: T): T;
+  mulN(lhs: T, rhs: T | bigint): T;
+  sqrN(num: T): T;
+
+  // Optional
+  // Should be same as sgn0 function in
+  // [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
+  // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
+  isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
+  // legendre?(num: T): T;
+  pow(lhs: T, power: bigint): T;
+  invertBatch: (lst: T[]) => T[];
+  toBytes(num: T): Uint8Array;
+  fromBytes(bytes: Uint8Array): T;
+  // If c is False, CMOV returns a, otherwise it returns b.
+  cmov(a: T, b: T, c: boolean): T;
+}
+// prettier-ignore
+const FIELD_FIELDS = [
+  'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+  'eql', 'add', 'sub', 'mul', 'pow', 'div',
+  'addN', 'subN', 'mulN', 'sqrN'
+] as const;
+export function validateField<T>(field: IField<T>) {
+  const initial = {
+    ORDER: 'bigint',
+    MASK: 'bigint',
+    BYTES: 'isSafeInteger',
+    BITS: 'isSafeInteger',
+  } as Record<string, string>;
+  const opts = FIELD_FIELDS.reduce((map, val: string) => {
+    map[val] = 'function';
+    return map;
+  }, initial);
+  return validateObject(field, opts);
+}
+
+// Generic field functions
+
+/**
+ * Same as `pow` but for Fp: non-constant-time.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+ */
+export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
+  // Should have same speed as pow for bigints
+  // TODO: benchmark!
+  if (power < _0n) throw new Error('Expected power > 0');
+  if (power === _0n) return f.ONE;
+  if (power === _1n) return num;
+  let p = f.ONE;
+  let d = num;
+  while (power > _0n) {
+    if (power & _1n) p = f.mul(p, d);
+    d = f.sqr(d);
+    power >>= _1n;
+  }
+  return p;
+}
+
+/**
+ * Efficiently invert an array of Field elements.
+ * `inv(0)` will return `undefined` here: make sure to throw an error.
+ */
+export function FpInvertBatch<T>(f: IField<T>, nums: T[]): T[] {
+  const tmp = new Array(nums.length);
+  // Walk from first to last, multiply them by each other MOD p
+  const lastMultiplied = nums.reduce((acc, num, i) => {
+    if (f.is0(num)) return acc;
+    tmp[i] = acc;
+    return f.mul(acc, num);
+  }, f.ONE);
+  // Invert last element
+  const inverted = f.inv(lastMultiplied);
+  // Walk from last to first, multiply them by inverted each other MOD p
+  nums.reduceRight((acc, num, i) => {
+    if (f.is0(num)) return acc;
+    tmp[i] = f.mul(acc, tmp[i]);
+    return f.mul(acc, num);
+  }, inverted);
+  return tmp;
+}
+
+export function FpDiv<T>(f: IField<T>, lhs: T, rhs: T | bigint): T {
+  return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.inv(rhs));
+}
+
+// This function returns True whenever the value x is a square in the field F.
+export function FpIsSquare<T>(f: IField<T>) {
+  const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
+  return (x: T): boolean => {
+    const p = f.pow(x, legendreConst);
+    return f.eql(p, f.ZERO) || f.eql(p, f.ONE);
+  };
+}
+
+// CURVE.n lengths
+export function nLength(n: bigint, nBitLength?: number) {
+  // Bit size, byte size of CURVE.n
+  const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+
+type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
+/**
+ * Initializes a finite field over prime. **Non-primes are not supported.**
+ * Do not init in loop: slow. Very fragile: always run a benchmark on a change.
+ * Major performance optimizations:
+ * * a) denormalized operations like mulN instead of mul
+ * * b) same object shape: never add or remove keys
+ * * c) Object.freeze
+ * @param ORDER prime positive bigint
+ * @param bitLen how many bits the field consumes
+ * @param isLE (def: false) if encoding / decoding should be in little-endian
+ * @param redef optional faster redefinitions of sqrt and other methods
+ */
+export function Field(
+  ORDER: bigint,
+  bitLen?: number,
+  isLE = false,
+  redef: Partial<IField<bigint>> = {}
+): Readonly<FpField> {
+  if (ORDER <= _0n) throw new Error(`Expected Field ORDER > 0, got ${ORDER}`);
+  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
+  if (BYTES > 2048) throw new Error('Field lengths over 2048 bytes are not supported');
+  const sqrtP = FpSqrt(ORDER);
+  const f: Readonly<FpField> = Object.freeze({
+    ORDER,
+    BITS,
+    BYTES,
+    MASK: bitMask(BITS),
+    ZERO: _0n,
+    ONE: _1n,
+    create: (num) => mod(num, ORDER),
+    isValid: (num) => {
+      if (typeof num !== 'bigint')
+        throw new Error(`Invalid field element: expected bigint, got ${typeof num}`);
+      return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
+    },
+    is0: (num) => num === _0n,
+    isOdd: (num) => (num & _1n) === _1n,
+    neg: (num) => mod(-num, ORDER),
+    eql: (lhs, rhs) => lhs === rhs,
+
+    sqr: (num) => mod(num * num, ORDER),
+    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
+    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
+    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
+    pow: (num, power) => FpPow(f, num, power),
+    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
+
+    // Same as above, but doesn't normalize
+    sqrN: (num) => num * num,
+    addN: (lhs, rhs) => lhs + rhs,
+    subN: (lhs, rhs) => lhs - rhs,
+    mulN: (lhs, rhs) => lhs * rhs,
+
+    inv: (num) => invert(num, ORDER),
+    sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
+    invertBatch: (lst) => FpInvertBatch(f, lst),
+    // TODO: do we really need constant cmov?
+    // We don't have const-time bigints anyway, so probably will be not very useful
+    cmov: (a, b, c) => (c ? b : a),
+    toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
+    fromBytes: (bytes) => {
+      if (bytes.length !== BYTES)
+        throw new Error(`Fp.fromBytes: expected ${BYTES}, got ${bytes.length}`);
+      return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    },
+  } as FpField);
+  return Object.freeze(f);
+}
+
+export function FpSqrtOdd<T>(Fp: IField<T>, elm: T) {
+  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
+  const root = Fp.sqrt(elm);
+  return Fp.isOdd(root) ? root : Fp.neg(root);
+}
+
+export function FpSqrtEven<T>(Fp: IField<T>, elm: T) {
+  if (!Fp.isOdd) throw new Error(`Field doesn't have isOdd`);
+  const root = Fp.sqrt(elm);
+  return Fp.isOdd(root) ? Fp.neg(root) : root;
+}
+
+/**
+ * "Constant-time" private key generation utility.
+ * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
+ * Which makes it slightly more biased, less secure.
+ * @deprecated use mapKeyToField instead
+ */
+export function hashToPrivateScalar(
+  hash: string | Uint8Array,
+  groupOrder: bigint,
+  isLE = false
+): bigint {
+  hash = ensureBytes('privateHash', hash);
+  const hashLen = hash.length;
+  const minLen = nLength(groupOrder).nByteLength + 8;
+  if (minLen < 24 || hashLen < minLen || hashLen > 1024)
+    throw new Error(`hashToPrivateScalar: expected ${minLen}-1024 bytes of input, got ${hashLen}`);
+  const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
+  return mod(num, groupOrder - _1n) + _1n;
+}
+
+/**
+ * Returns total number of bytes consumed by the field element.
+ * For example, 32 bytes for usual 256-bit weierstrass curve.
+ * @param fieldOrder number of field elements, usually CURVE.n
+ * @returns byte length of field
+ */
+export function getFieldBytesLength(fieldOrder: bigint): number {
+  if (typeof fieldOrder !== 'bigint') throw new Error('field order must be bigint');
+  const bitLength = fieldOrder.toString(2).length;
+  return Math.ceil(bitLength / 8);
+}
+
+/**
+ * Returns minimal amount of bytes that can be safely reduced
+ * by field order.
+ * Should be 2^-128 for 128-bit curve such as P256.
+ * @param fieldOrder number of field elements, usually CURVE.n
+ * @returns byte length of target hash
+ */
+export function getMinHashLength(fieldOrder: bigint): number {
+  const length = getFieldBytesLength(fieldOrder);
+  return length + Math.ceil(length / 2);
+}
+
+/**
+ * "Constant-time" private key generation utility.
+ * Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being negligible.
+ * Needs at least 48 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
+ * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
+ * @param hash hash output from SHA3 or a similar function
+ * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
+ * @param isLE interpret hash bytes as LE num
+ * @returns valid private scalar
+ */
+export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false): Uint8Array {
+  const len = key.length;
+  const fieldLen = getFieldBytesLength(fieldOrder);
+  const minLen = getMinHashLength(fieldOrder);
+  // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
+  if (len < 16 || len < minLen || len > 1024)
+    throw new Error(`expected ${minLen}-1024 bytes of input, got ${len}`);
+  const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
+  // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
+  const reduced = mod(num, fieldOrder - _1n) + _1n;
+  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
+}

src/abstract/montgomery.ts

@@ -1,55 +1,48 @@
-import * as mod from './modular.js';
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import {
+import { mod, pow } from './modular.js';
-  ensureBytes,
+import { bytesToNumberLE, ensureBytes, numberToBytesLE, validateObject } from './utils.js';
-  numberToBytesLE,
-  bytesToNumberLE,
-  // nLength,
-} from './utils.js';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 type Hex = string | Uint8Array;
 
 export type CurveType = {
-  // Field over which we'll do calculations. Verify with:
+  P: bigint; // finite field prime
-  P: bigint;
   nByteLength: number;
   adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
   domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
-  a24: bigint; // Related to d, but cannot be derived from it
+  a: bigint;
   montgomeryBits: number;
   powPminus2?: (x: bigint) => bigint;
   xyToU?: (x: bigint, y: bigint) => bigint;
-  Gu: string;
+  Gu: bigint;
+  randomBytes?: (bytesLength?: number) => Uint8Array;
 };
 export type CurveFn = {
-  scalarMult: (u: Hex, scalar: Hex) => Uint8Array;
+  scalarMult: (scalar: Hex, u: Hex) => Uint8Array;
   scalarMultBase: (scalar: Hex) => Uint8Array;
+  getSharedSecret: (privateKeyA: Hex, publicKeyB: Hex) => Uint8Array;
   getPublicKey: (privateKey: Hex) => Uint8Array;
-  Gu: string;
+  utils: { randomPrivateKey: () => Uint8Array };
+  GuBytes: Uint8Array;
 };
 
 function validateOpts(curve: CurveType) {
-  for (const i of ['a24'] as const) {
+  validateObject(
-    if (typeof curve[i] !== 'bigint')
+    curve,
-      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+    {
-  }
+      a: 'bigint',
-  for (const i of ['montgomeryBits', 'nByteLength'] as const) {
+    },
-    if (curve[i] === undefined) continue; // Optional
+    {
-    if (!Number.isSafeInteger(curve[i]))
+      montgomeryBits: 'isSafeInteger',
-      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
+      nByteLength: 'isSafeInteger',
-  }
+      adjustScalarBytes: 'function',
-  for (const fn of ['adjustScalarBytes', 'domain', 'powPminus2'] as const) {
+      domain: 'function',
-    if (curve[fn] === undefined) continue; // Optional
+      powPminus2: 'function',
-    if (typeof curve[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
+      Gu: 'bigint',
-  }
-  for (const i of ['Gu'] as const) {
-    if (curve[i] === undefined) continue; // Optional
-    if (typeof curve[i] !== 'string')
-      throw new Error(`Invalid curve param ${i}=${curve[i]} (${typeof curve[i]})`);
     }
+  );
   // Set defaults
-  // ...nLength(curve.n, curve.nBitLength),
   return Object.freeze({ ...curve } as const);
 }
 
@@ -58,34 +51,14 @@ function validateOpts(curve: CurveType) {
 export function montgomery(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef);
   const { P } = CURVE;
-  const modP = (a: bigint) => mod.mod(a, P);
+  const modP = (n: bigint) => mod(n, P);
   const montgomeryBits = CURVE.montgomeryBits;
   const montgomeryBytes = Math.ceil(montgomeryBits / 8);
   const fieldLen = CURVE.nByteLength;
   const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
-  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => mod.pow(x, P - BigInt(2), P));
+  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => pow(x, P - BigInt(2), P));
 
-  /**
+  // cswap from RFC7748. But it is not from RFC7748!
-   * Checks for num to be in range:
-   * For strict == true:  `0 <  num < max`.
-   * For strict == false: `0 <= num < max`.
-   * Converts non-float safe numbers to bigints.
-   */
-  function normalizeScalar(num: number | bigint, max: bigint, strict = true): bigint {
-    if (!max) throw new TypeError('Specify max value');
-    if (typeof num === 'number' && Number.isSafeInteger(num)) num = BigInt(num);
-    if (typeof num === 'bigint' && num < max) {
-      if (strict) {
-        if (_0n < num) return num;
-      } else {
-        if (_0n <= num) return num;
-      }
-    }
-    throw new TypeError('Expected valid scalar: 0 < scalar < max');
-  }
-
-  // cswap from RFC7748
-  // NOTE: cswap is not from RFC7748!
   /*
     cswap(swap, x_2, x_3):
          dummy = mask(swap) AND (x_2 XOR x_3)
@@ -102,7 +75,15 @@ export function montgomery(curveDef: CurveType): CurveFn {
     return [x_2, x_3];
   }
 
+  // Accepts 0 as well
+  function assertFieldElement(n: bigint): bigint {
+    if (typeof n === 'bigint' && _0n <= n && n < P) return n;
+    throw new Error('Expected valid scalar 0 < scalar < CURVE.P');
+  }
+
   // x25519 from 4
+  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
+  const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
   /**
    *
    * @param pointU u coordinate (x) on Montgomery Curve 25519
@@ -110,13 +91,10 @@ export function montgomery(curveDef: CurveType): CurveFn {
    * @returns new Point on Montgomery curve
    */
   function montgomeryLadder(pointU: bigint, scalar: bigint): bigint {
-    const { P } = CURVE;
+    const u = assertFieldElement(pointU);
-    const u = normalizeScalar(pointU, P);
     // Section 5: Implementations MUST accept non-canonical values and process them as
     // if they had been reduced modulo the field prime.
-    const k = normalizeScalar(scalar, P);
+    const k = assertFieldElement(scalar);
-    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
-    const a24 = CURVE.a24;
     const x_1 = u;
     let x_2 = _1n;
     let z_2 = _0n;
@@ -170,23 +148,20 @@ export function montgomery(curveDef: CurveType): CurveFn {
   }
 
   function decodeUCoordinate(uEnc: Hex): bigint {
-    const u = ensureBytes(uEnc, montgomeryBytes);
     // Section 5: When receiving such an array, implementations of X25519
     // MUST mask the most significant bit in the final byte.
-    // This is very ugly way, but it works because fieldLen-1 is outside of bounds for X448, so this becomes NOOP
+    const u = ensureBytes('u coordinate', uEnc, montgomeryBytes);
-    // fieldLen - scalaryBytes = 1 for X448 and = 0 for X25519
+    if (fieldLen === 32) u[31] &= 127; // 0b0111_1111
-    u[fieldLen - 1] &= 127; // 0b0111_1111
     return bytesToNumberLE(u);
   }
-
   function decodeScalar(n: Hex): bigint {
-    const bytes = ensureBytes(n);
+    const bytes = ensureBytes('scalar', n);
-    if (bytes.length !== montgomeryBytes && bytes.length !== fieldLen)
+    const len = bytes.length;
-      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${bytes.length}`);
+    if (len !== montgomeryBytes && len !== fieldLen)
+      throw new Error(`Expected ${montgomeryBytes} or ${fieldLen} bytes, got ${len}`);
     return bytesToNumberLE(adjustScalarBytes(bytes));
   }
-  // Multiply point u by scalar
+  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
-  function scalarMult(u: Hex, scalar: Hex): Uint8Array {
     const pointU = decodeUCoordinate(u);
     const _scalar = decodeScalar(scalar);
     const pu = montgomeryLadder(pointU, _scalar);
@@ -195,19 +170,18 @@ export function montgomery(curveDef: CurveType): CurveFn {
     if (pu === _0n) throw new Error('Invalid private or public key received');
     return encodeUCoordinate(pu);
   }
-  // Multiply base point by scalar
+  // Computes public key from private. By doing scalar multiplication of base point.
+  const GuBytes = encodeUCoordinate(CURVE.Gu);
   function scalarMultBase(scalar: Hex): Uint8Array {
-    return scalarMult(CURVE.Gu, scalar);
+    return scalarMult(scalar, GuBytes);
   }
 
   return {
-    // NOTE: we can get 'y' coordinate from 'u', but Point.fromHex also wants 'x' coordinate oddity flag, and we cannot get 'x' without knowing 'v'
-    // Need to add generic conversion between twisted edwards and complimentary curve for JubJub
     scalarMult,
     scalarMultBase,
-    // NOTE: these function work on complimentary montgomery curve
+    getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
-    // getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(publicKey, privateKey),
     getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    Gu: CURVE.Gu,
+    utils: { randomPrivateKey: () => CURVE.randomBytes!(CURVE.nByteLength) },
+    GuBytes: GuBytes,
   };
 }

src/abstract/poseidon.ts

@@ -0,0 +1,118 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
+import { IField, FpPow, validateField } from './modular.js';
+// We don't provide any constants, since different implementations use different constants.
+// For reference constants see './test/poseidon.test.js'.
+export type PoseidonOpts = {
+  Fp: IField<bigint>;
+  t: number;
+  roundsFull: number;
+  roundsPartial: number;
+  sboxPower?: number;
+  reversePartialPowIdx?: boolean; // Hack for stark
+  mds: bigint[][];
+  roundConstants: bigint[][];
+};
+
+export function validateOpts(opts: PoseidonOpts) {
+  const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
+  const { roundsFull, roundsPartial, sboxPower, t } = opts;
+
+  validateField(Fp);
+  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error(`Poseidon: invalid param ${i}=${opts[i]} (${typeof opts[i]})`);
+  }
+
+  // MDS is TxT matrix
+  if (!Array.isArray(mds) || mds.length !== t) throw new Error('Poseidon: wrong MDS matrix');
+  const _mds = mds.map((mdsRow) => {
+    if (!Array.isArray(mdsRow) || mdsRow.length !== t)
+      throw new Error(`Poseidon MDS matrix row: ${mdsRow}`);
+    return mdsRow.map((i) => {
+      if (typeof i !== 'bigint') throw new Error(`Poseidon MDS matrix value=${i}`);
+      return Fp.create(i);
+    });
+  });
+
+  if (rev !== undefined && typeof rev !== 'boolean')
+    throw new Error(`Poseidon: invalid param reversePartialPowIdx=${rev}`);
+
+  if (roundsFull % 2 !== 0) throw new Error(`Poseidon roundsFull is not even: ${roundsFull}`);
+  const rounds = roundsFull + roundsPartial;
+
+  if (!Array.isArray(rc) || rc.length !== rounds)
+    throw new Error('Poseidon: wrong round constants');
+  const roundConstants = rc.map((rc) => {
+    if (!Array.isArray(rc) || rc.length !== t)
+      throw new Error(`Poseidon wrong round constants: ${rc}`);
+    return rc.map((i) => {
+      if (typeof i !== 'bigint' || !Fp.isValid(i))
+        throw new Error(`Poseidon wrong round constant=${i}`);
+      return Fp.create(i);
+    });
+  });
+
+  if (!sboxPower || ![3, 5, 7].includes(sboxPower))
+    throw new Error(`Poseidon wrong sboxPower=${sboxPower}`);
+  const _sboxPower = BigInt(sboxPower);
+  let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
+  // Unwrapped sbox power for common cases (195->142μs)
+  if (sboxPower === 3) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(n), n);
+  else if (sboxPower === 5) sboxFn = (n: bigint) => Fp.mul(Fp.sqrN(Fp.sqrN(n)), n);
+
+  return Object.freeze({ ...opts, rounds, sboxFn, roundConstants, mds: _mds });
+}
+
+export function splitConstants(rc: bigint[], t: number) {
+  if (typeof t !== 'number') throw new Error('poseidonSplitConstants: wrong t');
+  if (!Array.isArray(rc) || rc.length % t) throw new Error('poseidonSplitConstants: wrong rc');
+  const res = [];
+  let tmp = [];
+  for (let i = 0; i < rc.length; i++) {
+    tmp.push(rc[i]);
+    if (tmp.length === t) {
+      res.push(tmp);
+      tmp = [];
+    }
+  }
+  return res;
+}
+
+export function poseidon(opts: PoseidonOpts) {
+  const _opts = validateOpts(opts);
+  const { Fp, mds, roundConstants, rounds, roundsPartial, sboxFn, t } = _opts;
+  const halfRoundsFull = _opts.roundsFull / 2;
+  const partialIdx = _opts.reversePartialPowIdx ? t - 1 : 0;
+  const poseidonRound = (values: bigint[], isFull: boolean, idx: number) => {
+    values = values.map((i, j) => Fp.add(i, roundConstants[idx][j]));
+
+    if (isFull) values = values.map((i) => sboxFn(i));
+    else values[partialIdx] = sboxFn(values[partialIdx]);
+    // Matrix multiplication
+    values = mds.map((i) => i.reduce((acc, i, j) => Fp.add(acc, Fp.mulN(i, values[j])), Fp.ZERO));
+    return values;
+  };
+  const poseidonHash = function poseidonHash(values: bigint[]) {
+    if (!Array.isArray(values) || values.length !== t)
+      throw new Error(`Poseidon: wrong values (expected array of bigints with length ${t})`);
+    values = values.map((i) => {
+      if (typeof i !== 'bigint') throw new Error(`Poseidon: wrong value=${i} (${typeof i})`);
+      return Fp.create(i);
+    });
+    let round = 0;
+    // Apply r_f/2 full rounds.
+    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
+    // Apply r_p partial rounds.
+    for (let i = 0; i < roundsPartial; i++) values = poseidonRound(values, false, round++);
+    // Apply r_f/2 full rounds.
+    for (let i = 0; i < halfRoundsFull; i++) values = poseidonRound(values, true, round++);
+
+    if (round !== rounds)
+      throw new Error(`Poseidon: wrong number of rounds: last round=${round}, total=${rounds}`);
+    return values;
+  };
+  // For verification in tests
+  poseidonHash.roundConstants = roundConstants;
+  return poseidonHash;
+}

src/abstract/utils.ts

@@ -0,0 +1,315 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// 100 lines of code in the file are duplicated from noble-hashes (utils).
+// This is OK: `abstract` directory does not use noble-hashes.
+// User may opt-in into using different hashing library. This way, noble-hashes
+// won't be included into their bundle.
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _2n = BigInt(2);
+export type Hex = Uint8Array | string; // hex strings are accepted for simplicity
+export type PrivKey = Hex | bigint; // bigints are accepted to ease learning curve
+export type CHash = {
+  (message: Uint8Array | string): Uint8Array;
+  blockLen: number;
+  outputLen: number;
+  create(opts?: { dkLen?: number }): any; // For shake
+};
+export type FHash = (message: Uint8Array | string) => Uint8Array;
+
+export function isBytes(a: unknown): a is Uint8Array {
+  return (
+    a instanceof Uint8Array ||
+    (a != null && typeof a === 'object' && a.constructor.name === 'Uint8Array')
+  );
+}
+
+// Array where index 0xf0 (240) is mapped to string 'f0'
+const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
+  i.toString(16).padStart(2, '0')
+);
+/**
+ * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
+ */
+export function bytesToHex(bytes: Uint8Array): string {
+  if (!isBytes(bytes)) throw new Error('Uint8Array expected');
+  // pre-caching improves the speed 6x
+  let hex = '';
+  for (let i = 0; i < bytes.length; i++) {
+    hex += hexes[bytes[i]];
+  }
+  return hex;
+}
+
+export function numberToHexUnpadded(num: number | bigint): string {
+  const hex = num.toString(16);
+  return hex.length & 1 ? `0${hex}` : hex;
+}
+
+export function hexToNumber(hex: string): bigint {
+  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  // Big Endian
+  return BigInt(hex === '' ? '0' : `0x${hex}`);
+}
+
+// We use optimized technique to convert hex string to byte array
+const asciis = { _0: 48, _9: 57, _A: 65, _F: 70, _a: 97, _f: 102 } as const;
+function asciiToBase16(char: number): number | undefined {
+  if (char >= asciis._0 && char <= asciis._9) return char - asciis._0;
+  if (char >= asciis._A && char <= asciis._F) return char - (asciis._A - 10);
+  if (char >= asciis._a && char <= asciis._f) return char - (asciis._a - 10);
+  return;
+}
+
+/**
+ * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+ */
+export function hexToBytes(hex: string): Uint8Array {
+  if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
+  const hl = hex.length;
+  const al = hl / 2;
+  if (hl % 2) throw new Error('padded hex string expected, got unpadded hex of length ' + hl);
+  const array = new Uint8Array(al);
+  for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
+    const n1 = asciiToBase16(hex.charCodeAt(hi));
+    const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
+    if (n1 === undefined || n2 === undefined) {
+      const char = hex[hi] + hex[hi + 1];
+      throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
+    }
+    array[ai] = n1 * 16 + n2;
+  }
+  return array;
+}
+
+// BE: Big Endian, LE: Little Endian
+export function bytesToNumberBE(bytes: Uint8Array): bigint {
+  return hexToNumber(bytesToHex(bytes));
+}
+export function bytesToNumberLE(bytes: Uint8Array): bigint {
+  if (!isBytes(bytes)) throw new Error('Uint8Array expected');
+  return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
+}
+
+export function numberToBytesBE(n: number | bigint, len: number): Uint8Array {
+  return hexToBytes(n.toString(16).padStart(len * 2, '0'));
+}
+export function numberToBytesLE(n: number | bigint, len: number): Uint8Array {
+  return numberToBytesBE(n, len).reverse();
+}
+// Unpadded, rarely used
+export function numberToVarBytesBE(n: number | bigint): Uint8Array {
+  return hexToBytes(numberToHexUnpadded(n));
+}
+
+/**
+ * Takes hex string or Uint8Array, converts to Uint8Array.
+ * Validates output length.
+ * Will throw error for other types.
+ * @param title descriptive title for an error e.g. 'private key'
+ * @param hex hex string or Uint8Array
+ * @param expectedLength optional, will compare to result array's length
+ * @returns
+ */
+export function ensureBytes(title: string, hex: Hex, expectedLength?: number): Uint8Array {
+  let res: Uint8Array;
+  if (typeof hex === 'string') {
+    try {
+      res = hexToBytes(hex);
+    } catch (e) {
+      throw new Error(`${title} must be valid hex string, got "${hex}". Cause: ${e}`);
+    }
+  } else if (isBytes(hex)) {
+    // Uint8Array.from() instead of hash.slice() because node.js Buffer
+    // is instance of Uint8Array, and its slice() creates **mutable** copy
+    res = Uint8Array.from(hex);
+  } else {
+    throw new Error(`${title} must be hex string or Uint8Array`);
+  }
+  const len = res.length;
+  if (typeof expectedLength === 'number' && len !== expectedLength)
+    throw new Error(`${title} expected ${expectedLength} bytes, got ${len}`);
+  return res;
+}
+
+/**
+ * Copies several Uint8Arrays into one.
+ */
+export function concatBytes(...arrays: Uint8Array[]): Uint8Array {
+  let sum = 0;
+  for (let i = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    if (!isBytes(a)) throw new Error('Uint8Array expected');
+    sum += a.length;
+  }
+  const res = new Uint8Array(sum);
+  for (let i = 0, pad = 0; i < arrays.length; i++) {
+    const a = arrays[i];
+    res.set(a, pad);
+    pad += a.length;
+  }
+  return res;
+}
+
+// Compares 2 u8a-s in kinda constant time
+export function equalBytes(a: Uint8Array, b: Uint8Array) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// Global symbols in both browsers and Node.js since v11
+// See https://github.com/microsoft/TypeScript/issues/31535
+declare const TextEncoder: any;
+
+/**
+ * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ */
+export function utf8ToBytes(str: string): Uint8Array {
+  if (typeof str !== 'string') throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+  return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
+}
+
+// Bit operations
+
+/**
+ * Calculates amount of bits in a bigint.
+ * Same as `n.toString(2).length`
+ */
+export function bitLen(n: bigint) {
+  let len;
+  for (len = 0; n > _0n; n >>= _1n, len += 1);
+  return len;
+}
+
+/**
+ * Gets single bit at position.
+ * NOTE: first bit position is 0 (same as arrays)
+ * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
+ */
+export function bitGet(n: bigint, pos: number) {
+  return (n >> BigInt(pos)) & _1n;
+}
+
+/**
+ * Sets single bit at position.
+ */
+export const bitSet = (n: bigint, pos: number, value: boolean) => {
+  return n | ((value ? _1n : _0n) << BigInt(pos));
+};
+
+/**
+ * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
+ * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
+ */
+export const bitMask = (n: number) => (_2n << BigInt(n - 1)) - _1n;
+
+// DRBG
+
+const u8n = (data?: any) => new Uint8Array(data); // creates Uint8Array
+const u8fr = (arr: any) => Uint8Array.from(arr); // another shortcut
+type Pred<T> = (v: Uint8Array) => T | undefined;
+/**
+ * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+ * @returns function that will call DRBG until 2nd arg returns something meaningful
+ * @example
+ *   const drbg = createHmacDRBG<Key>(32, 32, hmac);
+ *   drbg(seed, bytesToKey); // bytesToKey must return Key or undefined
+ */
+export function createHmacDrbg<T>(
+  hashLen: number,
+  qByteLen: number,
+  hmacFn: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array
+): (seed: Uint8Array, predicate: Pred<T>) => T {
+  if (typeof hashLen !== 'number' || hashLen < 2) throw new Error('hashLen must be a number');
+  if (typeof qByteLen !== 'number' || qByteLen < 2) throw new Error('qByteLen must be a number');
+  if (typeof hmacFn !== 'function') throw new Error('hmacFn must be a function');
+  // Step B, Step C: set hashLen to 8*ceil(hlen/8)
+  let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
+  let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
+  let i = 0; // Iterations counter, will throw when over 1000
+  const reset = () => {
+    v.fill(1);
+    k.fill(0);
+    i = 0;
+  };
+  const h = (...b: Uint8Array[]) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
+  const reseed = (seed = u8n()) => {
+    // HMAC-DRBG reseed() function. Steps D-G
+    k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)
+    v = h(); // v = hmac(k || v)
+    if (seed.length === 0) return;
+    k = h(u8fr([0x01]), seed); // k = hmac(k || v || 0x01 || seed)
+    v = h(); // v = hmac(k || v)
+  };
+  const gen = () => {
+    // HMAC-DRBG generate() function
+    if (i++ >= 1000) throw new Error('drbg: tried 1000 values');
+    let len = 0;
+    const out: Uint8Array[] = [];
+    while (len < qByteLen) {
+      v = h();
+      const sl = v.slice();
+      out.push(sl);
+      len += v.length;
+    }
+    return concatBytes(...out);
+  };
+  const genUntil = (seed: Uint8Array, pred: Pred<T>): T => {
+    reset();
+    reseed(seed); // Steps D-G
+    let res: T | undefined = undefined; // Step H: grind until k is in [1..n-1]
+    while (!(res = pred(gen()))) reseed();
+    reset();
+    return res;
+  };
+  return genUntil;
+}
+
+// Validating curves and fields
+
+const validatorFns = {
+  bigint: (val: any) => typeof val === 'bigint',
+  function: (val: any) => typeof val === 'function',
+  boolean: (val: any) => typeof val === 'boolean',
+  string: (val: any) => typeof val === 'string',
+  stringOrUint8Array: (val: any) => typeof val === 'string' || isBytes(val),
+  isSafeInteger: (val: any) => Number.isSafeInteger(val),
+  array: (val: any) => Array.isArray(val),
+  field: (val: any, object: any) => (object as any).Fp.isValid(val),
+  hash: (val: any) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
+} as const;
+type Validator = keyof typeof validatorFns;
+type ValMap<T extends Record<string, any>> = { [K in keyof T]?: Validator };
+// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
+
+export function validateObject<T extends Record<string, any>>(
+  object: T,
+  validators: ValMap<T>,
+  optValidators: ValMap<T> = {}
+) {
+  const checkField = (fieldName: keyof T, type: Validator, isOptional: boolean) => {
+    const checkVal = validatorFns[type];
+    if (typeof checkVal !== 'function')
+      throw new Error(`Invalid validator "${type}", expected function`);
+
+    const val = object[fieldName as keyof typeof object];
+    if (isOptional && val === undefined) return;
+    if (!checkVal(val, object)) {
+      throw new Error(
+        `Invalid param ${String(fieldName)}=${val} (${typeof val}), expected ${type}`
+      );
+    }
+  };
+  for (const [fieldName, type] of Object.entries(validators)) checkField(fieldName, type!, false);
+  for (const [fieldName, type] of Object.entries(optValidators)) checkField(fieldName, type!, true);
+  return object;
+}
+// validate type tests
+// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
+// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
+// // Should fail type-check
+// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
+// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
+// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
+// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });

src/bn254.ts

@@ -0,0 +1,22 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
+import { getHash } from './_shortw_utils.js';
+import { Field } from './abstract/modular.js';
+/**
+ * bn254 pairing-friendly curve.
+ * Previously known as alt_bn_128, when it had 128-bit security.
+ * Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
+ * so the naming has been adjusted to its prime bit count
+ * https://hal.science/hal-01534101/file/main.pdf
+ */
+export const bn254 = weierstrass({
+  a: BigInt(0),
+  b: BigInt(3),
+  Fp: Field(BigInt('0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47')),
+  n: BigInt('0x30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001'),
+  Gx: BigInt(1),
+  Gy: BigInt(2),
+  h: BigInt(1),
+  ...getHash(sha256),
+});

src/ed25519.ts

@@ -0,0 +1,497 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha512 } from '@noble/hashes/sha512';
+import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import { montgomery } from './abstract/montgomery.js';
+import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.js';
+import {
+  bytesToHex,
+  bytesToNumberLE,
+  ensureBytes,
+  equalBytes,
+  Hex,
+  numberToBytesLE,
+} from './abstract/utils.js';
+import { createHasher, htfBasicOpts, expand_message_xmd } from './abstract/hash-to-curve.js';
+import { AffinePoint, Group } from './abstract/curve.js';
+
+/**
+ * ed25519 Twisted Edwards curve with following addons:
+ * - X25519 ECDH
+ * - Ristretto cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ */
+
+const ED25519_P = BigInt(
+  '57896044618658097711785492504343953926634992332820282019728792003956564819949'
+);
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const ED25519_SQRT_M1 = BigInt(
+  '19681161376707505956807079304988542015446066515923890162744021073123829784752'
+);
+
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _5n = BigInt(5);
+// prettier-ignore
+const _10n = BigInt(10), _20n = BigInt(20), _40n = BigInt(40), _80n = BigInt(80);
+
+function ed25519_pow_2_252_3(x: bigint) {
+  const P = ED25519_P;
+  const x2 = (x * x) % P;
+  const b2 = (x2 * x) % P; // x^3, 11
+  const b4 = (pow2(b2, _2n, P) * b2) % P; // x^15, 1111
+  const b5 = (pow2(b4, _1n, P) * x) % P; // x^31
+  const b10 = (pow2(b5, _5n, P) * b5) % P;
+  const b20 = (pow2(b10, _10n, P) * b10) % P;
+  const b40 = (pow2(b20, _20n, P) * b20) % P;
+  const b80 = (pow2(b40, _40n, P) * b40) % P;
+  const b160 = (pow2(b80, _80n, P) * b80) % P;
+  const b240 = (pow2(b160, _80n, P) * b80) % P;
+  const b250 = (pow2(b240, _10n, P) * b10) % P;
+  const pow_p_5_8 = (pow2(b250, _2n, P) * x) % P;
+  // ^ To pow to (p+3)/8, multiply it by x.
+  return { pow_p_5_8, b2 };
+}
+
+function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
+  // Section 5: For X25519, in order to decode 32 random bytes as an integer scalar,
+  // set the three least significant bits of the first byte
+  bytes[0] &= 248; // 0b1111_1000
+  // and the most significant bit of the last to zero,
+  bytes[31] &= 127; // 0b0111_1111
+  // set the second most significant bit of the last byte to 1
+  bytes[31] |= 64; // 0b0100_0000
+  return bytes;
+}
+
+// sqrt(u/v)
+function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
+  const P = ED25519_P;
+  const v3 = mod(v * v * v, P); // v³
+  const v7 = mod(v3 * v3 * v, P); // v⁷
+  // (p+3)/8 and (p-5)/8
+  const pow = ed25519_pow_2_252_3(u * v7).pow_p_5_8;
+  let x = mod(u * v3 * pow, P); // (uv³)(uv⁷)^(p-5)/8
+  const vx2 = mod(v * x * x, P); // vx²
+  const root1 = x; // First root candidate
+  const root2 = mod(x * ED25519_SQRT_M1, P); // Second root candidate
+  const useRoot1 = vx2 === u; // If vx² = u (mod p), x is a square root
+  const useRoot2 = vx2 === mod(-u, P); // If vx² = -u, set x <-- x * 2^((p-1)/4)
+  const noRoot = vx2 === mod(-u * ED25519_SQRT_M1, P); // There is no valid root, vx² = -u√(-1)
+  if (useRoot1) x = root1;
+  if (useRoot2 || noRoot) x = root2; // We return root2 anyway, for const-time
+  if (isNegativeLE(x, P)) x = mod(-x, P);
+  return { isValid: useRoot1 || useRoot2, value: x };
+}
+
+// Just in case
+export const ED25519_TORSION_SUBGROUP = [
+  '0100000000000000000000000000000000000000000000000000000000000000',
+  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
+  '0000000000000000000000000000000000000000000000000000000000000080',
+  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05',
+  'ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f',
+  '26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85',
+  '0000000000000000000000000000000000000000000000000000000000000000',
+  'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
+];
+
+const Fp = Field(ED25519_P, undefined, true);
+
+const ed25519Defaults = {
+  // Param: a
+  a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
+  // d is equal to -121665/121666 over finite field.
+  // Negative number is P - number, and division is invert(number, P)
+  d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+  // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
+  Fp,
+  // Subgroup order: how many points curve has
+  // 2n**252n + 27742317777372353535851937790883648493n;
+  n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+  // Cofactor
+  h: BigInt(8),
+  // Base point (x, y) aka generator point
+  Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+  Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+  hash: sha512,
+  randomBytes,
+  adjustScalarBytes,
+  // dom2
+  // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+  // Constant-time, u/√v
+  uvRatio,
+} as const;
+
+export const ed25519 = /* @__PURE__ */ twistedEdwards(ed25519Defaults);
+
+function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
+  if (ctx.length > 255) throw new Error('Context is too big');
+  return concatBytes(
+    utf8ToBytes('SigEd25519 no Ed25519 collisions'),
+    new Uint8Array([phflag ? 1 : 0, ctx.length]),
+    ctx,
+    data
+  );
+}
+
+export const ed25519ctx = /* @__PURE__ */ twistedEdwards({
+  ...ed25519Defaults,
+  domain: ed25519_domain,
+});
+export const ed25519ph = /* @__PURE__ */ twistedEdwards({
+  ...ed25519Defaults,
+  domain: ed25519_domain,
+  prehash: sha512,
+});
+
+export const x25519 = /* @__PURE__ */ (() =>
+  montgomery({
+    P: ED25519_P,
+    a: BigInt(486662),
+    montgomeryBits: 255, // n is 253 bits
+    nByteLength: 32,
+    Gu: BigInt(9),
+    powPminus2: (x: bigint): bigint => {
+      const P = ED25519_P;
+      // x^(p-2) aka x^(2^255-21)
+      const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+      return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+    randomBytes,
+  }))();
+
+/**
+ * Converts ed25519 public key to x25519 public key. Uses formula:
+ * * `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+ * * `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+ * @example
+ *   const someonesPub = ed25519.getPublicKey(ed25519.utils.randomPrivateKey());
+ *   const aPriv = x25519.utils.randomPrivateKey();
+ *   x25519.getSharedSecret(aPriv, edwardsToMontgomeryPub(someonesPub))
+ */
+export function edwardsToMontgomeryPub(edwardsPub: Hex): Uint8Array {
+  const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((_1n + y) * Fp.inv(_1n - y)));
+}
+export const edwardsToMontgomery = edwardsToMontgomeryPub; // deprecated
+
+/**
+ * Converts ed25519 secret key to x25519 secret key.
+ * @example
+ *   const someonesPub = x25519.getPublicKey(x25519.utils.randomPrivateKey());
+ *   const aPriv = ed25519.utils.randomPrivateKey();
+ *   x25519.getSharedSecret(edwardsToMontgomeryPriv(aPriv), someonesPub)
+ */
+export function edwardsToMontgomeryPriv(edwardsPriv: Uint8Array): Uint8Array {
+  const hashed = ed25519Defaults.hash(edwardsPriv.subarray(0, 32));
+  return ed25519Defaults.adjustScalarBytes(hashed).subarray(0, 32);
+}
+
+// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
+// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
+// SageMath returns different root first and everything falls apart
+
+const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
+
+const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
+const ELL2_C3 = Fp.sqrt(Fp.neg(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
+const ELL2_J = BigInt(486662);
+
+// prettier-ignore
+function map_to_curve_elligator2_curve25519(u: bigint) {
+  let tv1 = Fp.sqr(u);       //  1.  tv1 = u^2
+  tv1 = Fp.mul(tv1, _2n);       //  2.  tv1 = 2 * tv1
+  let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
+  let x1n = Fp.neg(ELL2_J);  //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+  let tv2 = Fp.sqr(xd);      //  5.  tv2 = xd^2
+  let gxd = Fp.mul(tv2, xd);    //  6.  gxd = tv2 * xd        # gxd = xd^3
+  let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
+  gx1 = Fp.mul(gx1, x1n);       //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
+  gx1 = Fp.add(gx1, tv2);       //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
+  gx1 = Fp.mul(gx1, x1n);       //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+  let tv3 = Fp.sqr(gxd);     //  11. tv3 = gxd^2
+  tv2 = Fp.sqr(tv3);         //  12. tv2 = tv3^2           # gxd^4
+  tv3 = Fp.mul(tv3, gxd);       //  13. tv3 = tv3 * gxd       # gxd^3
+  tv3 = Fp.mul(tv3, gx1);       //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
+  tv2 = Fp.mul(tv2, tv3);       //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
+  let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
+  y11 = Fp.mul(y11, tv3);       //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
+  let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
+  tv2 = Fp.sqr(y11);         //  19. tv2 = y11^2
+  tv2 = Fp.mul(tv2, gxd);       //  20. tv2 = tv2 * gxd
+  let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
+  let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
+  let x2n = Fp.mul(x1n, tv1);   //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
+  let y21 = Fp.mul(y11, u);     //  24. y21 = y11 * u
+  y21 = Fp.mul(y21, ELL2_C2);   //  25. y21 = y21 * c2
+  let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
+  let gx2 = Fp.mul(gx1, tv1);   //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
+  tv2 = Fp.sqr(y21);         //  28. tv2 = y21^2
+  tv2 = Fp.mul(tv2, gxd);       //  29. tv2 = tv2 * gxd
+  let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
+  let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
+  tv2 = Fp.sqr(y1);          //  32. tv2 = y1^2
+  tv2 = Fp.mul(tv2, gxd);       //  33. tv2 = tv2 * gxd
+  let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
+  let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
+  let y = Fp.cmov(y2, y1, e3);  //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
+  let e4 = Fp.isOdd(y);         //  37.  e4 = sgn0(y) == 1        # Fix sign of y
+  y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+  return { xMn: xn, xMd: xd, yMn: y, yMd: _1n }; //  39. return (xn, xd, y, 1)
+}
+
+const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
+function map_to_curve_elligator2_edwards25519(u: bigint) {
+  const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) =
+  // map_to_curve_elligator2_curve25519(u)
+  let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
+  xn = Fp.mul(xn, ELL2_C1_EDWARDS); //  3.  xn = xn * c1
+  let xd = Fp.mul(xMd, yMn); //  4.  xd = xMd * yMn    # xn / xd = c1 * xM / yM
+  let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
+  let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
+  let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
+  let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+  xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
+  xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
+  yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
+  yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
+
+  const inv = Fp.invertBatch([xd, yd]); // batch division
+  return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
+}
+
+const htf = /* @__PURE__ */ (() =>
+  createHasher(
+    ed25519.ExtendedPoint,
+    (scalars: bigint[]) => map_to_curve_elligator2_edwards25519(scalars[0]),
+    {
+      DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+      encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
+      p: Fp.ORDER,
+      m: 1,
+      k: 128,
+      expand: 'xmd',
+      hash: sha512,
+    }
+  ))();
+export const hashToCurve = /* @__PURE__ */ (() => htf.hashToCurve)();
+export const encodeToCurve = /* @__PURE__ */ (() => htf.encodeToCurve)();
+
+function assertRstPoint(other: unknown) {
+  if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');
+}
+
+// √(-1) aka √(a) aka 2^((p-1)/4)
+const SQRT_M1 = ED25519_SQRT_M1;
+// √(ad - 1)
+const SQRT_AD_MINUS_ONE = BigInt(
+  '25063068953384623474111414158702152701244531502492656460079210482610430750235'
+);
+// 1 / √(a-d)
+const INVSQRT_A_MINUS_D = BigInt(
+  '54469307008909316920995813868745141605393597292927456921205312896311721017578'
+);
+// 1-d²
+const ONE_MINUS_D_SQ = BigInt(
+  '1159843021668779879193775521855586647937357759715417654439879720876111806838'
+);
+// (d-1)²
+const D_MINUS_ONE_SQ = BigInt(
+  '40440834346308536858101042469323190826248399146238708352240133220865137265952'
+);
+// Calculates 1/√(number)
+const invertSqrt = (number: bigint) => uvRatio(_1n, number);
+
+const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+const bytes255ToNumberLE = (bytes: Uint8Array) =>
+  ed25519.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_255B);
+
+type ExtendedPoint = ExtPointType;
+
+// Computes Elligator map for Ristretto
+// https://ristretto.group/formulas/elligator.html
+function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
+  const { d } = ed25519.CURVE;
+  const P = ed25519.CURVE.Fp.ORDER;
+  const mod = ed25519.CURVE.Fp.create;
+  const r = mod(SQRT_M1 * r0 * r0); // 1
+  const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
+  let c = BigInt(-1); // 3
+  const D = mod((c - d * r) * mod(r + d)); // 4
+  let { isValid: Ns_D_is_sq, value: s } = uvRatio(Ns, D); // 5
+  let s_ = mod(s * r0); // 6
+  if (!isNegativeLE(s_, P)) s_ = mod(-s_);
+  if (!Ns_D_is_sq) s = s_; // 7
+  if (!Ns_D_is_sq) c = r; // 8
+  const Nt = mod(c * (r - _1n) * D_MINUS_ONE_SQ - D); // 9
+  const s2 = s * s;
+  const W0 = mod((s + s) * D); // 10
+  const W1 = mod(Nt * SQRT_AD_MINUS_ONE); // 11
+  const W2 = mod(_1n - s2); // 12
+  const W3 = mod(_1n + s2); // 13
+  return new ed25519.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+}
+
+/**
+ * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
+ * Ristretto point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+class RistPoint implements Group<RistPoint> {
+  static BASE: RistPoint;
+  static ZERO: RistPoint;
+  // Private property to discourage combining ExtendedPoint + RistrettoPoint
+  // Always use Ristretto encoding/decoding instead.
+  constructor(private readonly ep: ExtendedPoint) {}
+
+  static fromAffine(ap: AffinePoint<bigint>) {
+    return new RistPoint(ed25519.ExtendedPoint.fromAffine(ap));
+  }
+
+  /**
+   * Takes uniform output of 64-byte hash function like sha512 and converts it to `RistrettoPoint`.
+   * The hash-to-group operation applies Elligator twice and adds the results.
+   * **Note:** this is one-way map, there is no conversion from point to hash.
+   * https://ristretto.group/formulas/elligator.html
+   * @param hex 64-byte output of a hash function
+   */
+  static hashToCurve(hex: Hex): RistPoint {
+    hex = ensureBytes('ristrettoHash', hex, 64);
+    const r1 = bytes255ToNumberLE(hex.slice(0, 32));
+    const R1 = calcElligatorRistrettoMap(r1);
+    const r2 = bytes255ToNumberLE(hex.slice(32, 64));
+    const R2 = calcElligatorRistrettoMap(r2);
+    return new RistPoint(R1.add(R2));
+  }
+
+  /**
+   * Converts ristretto-encoded string to ristretto point.
+   * https://ristretto.group/formulas/decoding.html
+   * @param hex Ristretto-encoded 32 bytes. Not every 32-byte string is valid ristretto encoding
+   */
+  static fromHex(hex: Hex): RistPoint {
+    hex = ensureBytes('ristrettoHex', hex, 32);
+    const { a, d } = ed25519.CURVE;
+    const P = ed25519.CURVE.Fp.ORDER;
+    const mod = ed25519.CURVE.Fp.create;
+    const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
+    const s = bytes255ToNumberLE(hex);
+    // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+    // 3. Check that s is non-negative, or else abort
+    if (!equalBytes(numberToBytesLE(s, 32), hex) || isNegativeLE(s, P)) throw new Error(emsg);
+    const s2 = mod(s * s);
+    const u1 = mod(_1n + a * s2); // 4 (a is -1)
+    const u2 = mod(_1n - a * s2); // 5
+    const u1_2 = mod(u1 * u1);
+    const u2_2 = mod(u2 * u2);
+    const v = mod(a * d * u1_2 - u2_2); // 6
+    const { isValid, value: I } = invertSqrt(mod(v * u2_2)); // 7
+    const Dx = mod(I * u2); // 8
+    const Dy = mod(I * Dx * v); // 9
+    let x = mod((s + s) * Dx); // 10
+    if (isNegativeLE(x, P)) x = mod(-x); // 10
+    const y = mod(u1 * Dy); // 11
+    const t = mod(x * y); // 12
+    if (!isValid || isNegativeLE(t, P) || y === _0n) throw new Error(emsg);
+    return new RistPoint(new ed25519.ExtendedPoint(x, y, _1n, t));
+  }
+
+  /**
+   * Encodes ristretto point to Uint8Array.
+   * https://ristretto.group/formulas/encoding.html
+   */
+  toRawBytes(): Uint8Array {
+    let { ex: x, ey: y, ez: z, et: t } = this.ep;
+    const P = ed25519.CURVE.Fp.ORDER;
+    const mod = ed25519.CURVE.Fp.create;
+    const u1 = mod(mod(z + y) * mod(z - y)); // 1
+    const u2 = mod(x * y); // 2
+    // Square root always exists
+    const u2sq = mod(u2 * u2);
+    const { value: invsqrt } = invertSqrt(mod(u1 * u2sq)); // 3
+    const D1 = mod(invsqrt * u1); // 4
+    const D2 = mod(invsqrt * u2); // 5
+    const zInv = mod(D1 * D2 * t); // 6
+    let D: bigint; // 7
+    if (isNegativeLE(t * zInv, P)) {
+      let _x = mod(y * SQRT_M1);
+      let _y = mod(x * SQRT_M1);
+      x = _x;
+      y = _y;
+      D = mod(D1 * INVSQRT_A_MINUS_D);
+    } else {
+      D = D2; // 8
+    }
+    if (isNegativeLE(x * zInv, P)) y = mod(-y); // 9
+    let s = mod((z - y) * D); // 10 (check footer's note, no sqrt(-a))
+    if (isNegativeLE(s, P)) s = mod(-s);
+    return numberToBytesLE(s, 32); // 11
+  }
+
+  toHex(): string {
+    return bytesToHex(this.toRawBytes());
+  }
+
+  toString(): string {
+    return this.toHex();
+  }
+
+  // Compare one point to another.
+  equals(other: RistPoint): boolean {
+    assertRstPoint(other);
+    const { ex: X1, ey: Y1 } = this.ep;
+    const { ex: X2, ey: Y2 } = other.ep;
+    const mod = ed25519.CURVE.Fp.create;
+    // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
+    const one = mod(X1 * Y2) === mod(Y1 * X2);
+    const two = mod(Y1 * Y2) === mod(X1 * X2);
+    return one || two;
+  }
+
+  add(other: RistPoint): RistPoint {
+    assertRstPoint(other);
+    return new RistPoint(this.ep.add(other.ep));
+  }
+
+  subtract(other: RistPoint): RistPoint {
+    assertRstPoint(other);
+    return new RistPoint(this.ep.subtract(other.ep));
+  }
+
+  multiply(scalar: bigint): RistPoint {
+    return new RistPoint(this.ep.multiply(scalar));
+  }
+
+  multiplyUnsafe(scalar: bigint): RistPoint {
+    return new RistPoint(this.ep.multiplyUnsafe(scalar));
+  }
+
+  double(): RistPoint {
+    return new RistPoint(this.ep.double());
+  }
+
+  negate(): RistPoint {
+    return new RistPoint(this.ep.negate());
+  }
+}
+export const RistrettoPoint = /* @__PURE__ */ (() => {
+  if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.ExtendedPoint.BASE);
+  if (!RistPoint.ZERO) RistPoint.ZERO = new RistPoint(ed25519.ExtendedPoint.ZERO);
+  return RistPoint;
+})();
+
+// Hashing to ristretto255. https://www.rfc-editor.org/rfc/rfc9380#appendix-B
+export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts) => {
+  const d = options.DST;
+  const DST = typeof d === 'string' ? utf8ToBytes(d) : d;
+  const uniform_bytes = expand_message_xmd(msg, DST, 64, sha512);
+  const P = RistPoint.hashToCurve(uniform_bytes);
+  return P;
+};
+export const hash_to_ristretto255 = hashToRistretto255; // legacy

src/ed448.ts

@@ -0,0 +1,480 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { shake256 } from '@noble/hashes/sha3';
+import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
+import { ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import { mod, pow2, Field, isNegativeLE } from './abstract/modular.js';
+import { montgomery } from './abstract/montgomery.js';
+import { createHasher, htfBasicOpts, expand_message_xof } from './abstract/hash-to-curve.js';
+import {
+  bytesToHex,
+  bytesToNumberLE,
+  ensureBytes,
+  equalBytes,
+  Hex,
+  numberToBytesLE,
+} from './abstract/utils.js';
+import { AffinePoint, Group } from './abstract/curve.js';
+
+/**
+ * Edwards448 (not Ed448-Goldilocks) curve with following addons:
+ * - X448 ECDH
+ * - Decaf cofactor elimination
+ * - Elligator hash-to-group / point indistinguishability
+ * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
+ */
+
+const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
+const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
+const ed448P = BigInt(
+  '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439'
+);
+
+// prettier-ignore
+const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4), _11n = BigInt(11);
+// prettier-ignore
+const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
+
+// powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
+// Used for efficient square root calculation.
+// ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
+function ed448_pow_Pminus3div4(x: bigint): bigint {
+  const P = ed448P;
+  const b2 = (x * x * x) % P;
+  const b3 = (b2 * b2 * x) % P;
+  const b6 = (pow2(b3, _3n, P) * b3) % P;
+  const b9 = (pow2(b6, _3n, P) * b3) % P;
+  const b11 = (pow2(b9, _2n, P) * b2) % P;
+  const b22 = (pow2(b11, _11n, P) * b11) % P;
+  const b44 = (pow2(b22, _22n, P) * b22) % P;
+  const b88 = (pow2(b44, _44n, P) * b44) % P;
+  const b176 = (pow2(b88, _88n, P) * b88) % P;
+  const b220 = (pow2(b176, _44n, P) * b44) % P;
+  const b222 = (pow2(b220, _2n, P) * b2) % P;
+  const b223 = (pow2(b222, _1n, P) * x) % P;
+  return (pow2(b223, _223n, P) * b222) % P;
+}
+
+function adjustScalarBytes(bytes: Uint8Array): Uint8Array {
+  // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
+  // significant bit of the last byte to 1.
+  bytes[0] &= 252; // 0b11111100
+  // and the most significant bit of the last byte to 1.
+  bytes[55] |= 128; // 0b10000000
+  // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
+  bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
+  return bytes;
+}
+
+// Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
+// Uses algo from RFC8032 5.1.3.
+function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
+  const P = ed448P;
+  // https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
+  // To compute the square root of (u/v), the first step is to compute the
+  //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
+  // following trick, to use a single modular powering for both the
+  // inversion of v and the square root:
+  // x = (u/v)^((p+1)/4)   = u³v(u⁵v³)^((p-3)/4)   (mod p)
+  const u2v = mod(u * u * v, P); // u²v
+  const u3v = mod(u2v * u, P); // u³v
+  const u5v3 = mod(u3v * u2v * v, P); // u⁵v³
+  const root = ed448_pow_Pminus3div4(u5v3);
+  const x = mod(u3v * root, P);
+  // Verify that root is exists
+  const x2 = mod(x * x, P); // x²
+  // If vx² = u, the recovered x-coordinate is x.  Otherwise, no
+  // square root exists, and the decoding fails.
+  return { isValid: mod(x2 * v, P) === u, value: x };
+}
+
+const Fp = Field(ed448P, 456, true);
+
+const ED448_DEF = {
+  // Param: a
+  a: BigInt(1),
+  // -39081. Negative number is P - number
+  d: BigInt(
+    '726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'
+  ),
+  // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
+  Fp,
+  // Subgroup order: how many points curve has;
+  // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+  n: BigInt(
+    '181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'
+  ),
+  // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+  nBitLength: 456,
+  // Cofactor
+  h: BigInt(4),
+  // Base point (x, y) aka generator point
+  Gx: BigInt(
+    '224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'
+  ),
+  Gy: BigInt(
+    '298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'
+  ),
+  // SHAKE256(dom4(phflag,context)||x, 114)
+  hash: shake256_114,
+  randomBytes,
+  adjustScalarBytes,
+  // dom4
+  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
+    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
+    return concatBytes(
+      utf8ToBytes('SigEd448'),
+      new Uint8Array([phflag ? 1 : 0, ctx.length]),
+      ctx,
+      data
+    );
+  },
+  uvRatio,
+} as const;
+
+export const ed448 = /* @__PURE__ */ twistedEdwards(ED448_DEF);
+// NOTE: there is no ed448ctx, since ed448 supports ctx by default
+export const ed448ph = /* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
+
+export const x448 = /* @__PURE__ */ (() =>
+  montgomery({
+    a: BigInt(156326),
+    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
+    montgomeryBits: 448,
+    nByteLength: 56,
+    P: ed448P,
+    Gu: BigInt(5),
+    powPminus2: (x: bigint): bigint => {
+      const P = ed448P;
+      const Pminus3div4 = ed448_pow_Pminus3div4(x);
+      const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
+      return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
+    },
+    adjustScalarBytes,
+    randomBytes,
+  }))();
+
+/**
+ * Converts edwards448 public key to x448 public key. Uses formula:
+ * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+ * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+ * @example
+ *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
+ *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
+ */
+export function edwardsToMontgomeryPub(edwardsPub: string | Uint8Array): Uint8Array {
+  const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+}
+
+export const edwardsToMontgomery = edwardsToMontgomeryPub; // deprecated
+// TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
+
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+
+function map_to_curve_elligator2_curve448(u: bigint) {
+  let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+  let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+  tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+  let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+  let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+  let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+  let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+  let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+  gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+  gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+  gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+  let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+  tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+  tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+  let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+  y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+  let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+  let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+  y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+  tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+  tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+  let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+  let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+  let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+  let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+  y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+  return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+
+function map_to_curve_elligator2_edwards448(u: bigint) {
+  let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+  let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+  let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+  let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+  let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+  let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+  let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+  let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+  xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+  xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+  xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+  xEn = Fp.mul(xEn, _4n); // 12. xEn = xEn * 4
+  tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+  tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+  let tv3 = Fp.mul(yn2, _4n); // 15. tv3 = 4 * yn2
+  let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+  tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+  let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+  tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+  let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+  let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+  yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+  yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+  tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+  tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+  tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+  tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+  tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+  let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+  tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+  yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+  tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+  let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+  xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+  xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+  yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+  yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+
+  const inv = Fp.invertBatch([xEd, yEd]); // batch division
+  return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+
+const htf = /* @__PURE__ */ (() =>
+  createHasher(
+    ed448.ExtendedPoint,
+    (scalars: bigint[]) => map_to_curve_elligator2_edwards448(scalars[0]),
+    {
+      DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+      encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+      p: Fp.ORDER,
+      m: 1,
+      k: 224,
+      expand: 'xof',
+      hash: shake256,
+    }
+  ))();
+export const hashToCurve = /* @__PURE__ */ (() => htf.hashToCurve)();
+export const encodeToCurve = /* @__PURE__ */ (() => htf.encodeToCurve)();
+
+function assertDcfPoint(other: unknown) {
+  if (!(other instanceof DcfPoint)) throw new Error('DecafPoint expected');
+}
+
+// 1-d
+const ONE_MINUS_D = BigInt('39082');
+// 1-2d
+const ONE_MINUS_TWO_D = BigInt('78163');
+// √(-d)
+const SQRT_MINUS_D = BigInt(
+  '98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214'
+);
+// 1 / √(-d)
+const INVSQRT_MINUS_D = BigInt(
+  '315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716'
+);
+// Calculates 1/√(number)
+const invertSqrt = (number: bigint) => uvRatio(_1n, number);
+
+const MAX_448B = BigInt(
+  '0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+);
+const bytes448ToNumberLE = (bytes: Uint8Array) =>
+  ed448.CURVE.Fp.create(bytesToNumberLE(bytes) & MAX_448B);
+
+type ExtendedPoint = ExtPointType;
+
+// Computes Elligator map for Decaf
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+function calcElligatorDecafMap(r0: bigint): ExtendedPoint {
+  const { d } = ed448.CURVE;
+  const P = ed448.CURVE.Fp.ORDER;
+  const mod = ed448.CURVE.Fp.create;
+
+  const r = mod(-(r0 * r0)); // 1
+  const u0 = mod(d * (r - _1n)); // 2
+  const u1 = mod((u0 + _1n) * (u0 - r)); // 3
+
+  const { isValid: was_square, value: v } = uvRatio(ONE_MINUS_TWO_D, mod((r + _1n) * u1)); // 4
+
+  let v_prime = v; // 5
+  if (!was_square) v_prime = mod(r0 * v);
+
+  let sgn = _1n; // 6
+  if (!was_square) sgn = mod(-_1n);
+
+  const s = mod(v_prime * (r + _1n)); // 7
+  let s_abs = s;
+  if (isNegativeLE(s, P)) s_abs = mod(-s);
+
+  const s2 = s * s;
+  const W0 = mod(s_abs * _2n); // 8
+  const W1 = mod(s2 + _1n); // 9
+  const W2 = mod(s2 - _1n); // 10
+  const W3 = mod(v_prime * s * (r - _1n) * ONE_MINUS_TWO_D + sgn); // 11
+  return new ed448.ExtendedPoint(mod(W0 * W3), mod(W2 * W1), mod(W1 * W3), mod(W0 * W2));
+}
+
+/**
+ * Each ed448/ExtendedPoint has 4 different equivalent points. This can be
+ * a source of bugs for protocols like ring signatures. Decaf was created to solve this.
+ * Decaf point operates in X:Y:Z:T extended coordinates like ExtendedPoint,
+ * but it should work in its own namespace: do not combine those two.
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
+ */
+class DcfPoint implements Group<DcfPoint> {
+  static BASE: DcfPoint;
+  static ZERO: DcfPoint;
+  // Private property to discourage combining ExtendedPoint + DecafPoint
+  // Always use Decaf encoding/decoding instead.
+  constructor(private readonly ep: ExtendedPoint) {}
+
+  static fromAffine(ap: AffinePoint<bigint>) {
+    return new DcfPoint(ed448.ExtendedPoint.fromAffine(ap));
+  }
+
+  /**
+   * Takes uniform output of 112-byte hash function like shake256 and converts it to `DecafPoint`.
+   * The hash-to-group operation applies Elligator twice and adds the results.
+   * **Note:** this is one-way map, there is no conversion from point to hash.
+   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2
+   * @param hex 112-byte output of a hash function
+   */
+  static hashToCurve(hex: Hex): DcfPoint {
+    hex = ensureBytes('decafHash', hex, 112);
+    const r1 = bytes448ToNumberLE(hex.slice(0, 56));
+    const R1 = calcElligatorDecafMap(r1);
+    const r2 = bytes448ToNumberLE(hex.slice(56, 112));
+    const R2 = calcElligatorDecafMap(r2);
+    return new DcfPoint(R1.add(R2));
+  }
+
+  /**
+   * Converts decaf-encoded string to decaf point.
+   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-decode-2
+   * @param hex Decaf-encoded 56 bytes. Not every 56-byte string is valid decaf encoding
+   */
+  static fromHex(hex: Hex): DcfPoint {
+    hex = ensureBytes('decafHex', hex, 56);
+    const { d } = ed448.CURVE;
+    const P = ed448.CURVE.Fp.ORDER;
+    const mod = ed448.CURVE.Fp.create;
+    const emsg = 'DecafPoint.fromHex: the hex is not valid encoding of DecafPoint';
+    const s = bytes448ToNumberLE(hex);
+
+    // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
+    // 2. Check that s is non-negative, or else abort
+    if (!equalBytes(numberToBytesLE(s, 56), hex) || isNegativeLE(s, P)) throw new Error(emsg);
+
+    const s2 = mod(s * s); // 1
+    const u1 = mod(_1n + s2); // 2
+    const u1sq = mod(u1 * u1);
+    const u2 = mod(u1sq - _4n * d * s2); // 3
+
+    const { isValid, value: invsqrt } = invertSqrt(mod(u2 * u1sq)); // 4
+
+    let u3 = mod((s + s) * invsqrt * u1 * SQRT_MINUS_D); // 5
+    if (isNegativeLE(u3, P)) u3 = mod(-u3);
+
+    const x = mod(u3 * invsqrt * u2 * INVSQRT_MINUS_D); // 6
+    const y = mod((_1n - s2) * invsqrt * u1); // 7
+    const t = mod(x * y); // 8
+
+    if (!isValid) throw new Error(emsg);
+    return new DcfPoint(new ed448.ExtendedPoint(x, y, _1n, t));
+  }
+
+  /**
+   * Encodes decaf point to Uint8Array.
+   * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-encode-2
+   */
+  toRawBytes(): Uint8Array {
+    let { ex: x, ey: _y, ez: z, et: t } = this.ep;
+    const P = ed448.CURVE.Fp.ORDER;
+    const mod = ed448.CURVE.Fp.create;
+
+    const u1 = mod(mod(x + t) * mod(x - t)); // 1
+    const x2 = mod(x * x);
+    const { value: invsqrt } = invertSqrt(mod(u1 * ONE_MINUS_D * x2)); // 2
+
+    let ratio = mod(invsqrt * u1 * SQRT_MINUS_D); // 3
+    if (isNegativeLE(ratio, P)) ratio = mod(-ratio);
+
+    const u2 = mod(INVSQRT_MINUS_D * ratio * z - t); // 4
+
+    let s = mod(ONE_MINUS_D * invsqrt * x * u2); // 5
+    if (isNegativeLE(s, P)) s = mod(-s);
+
+    return numberToBytesLE(s, 56);
+  }
+
+  toHex(): string {
+    return bytesToHex(this.toRawBytes());
+  }
+
+  toString(): string {
+    return this.toHex();
+  }
+
+  // Compare one point to another.
+  // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2
+  equals(other: DcfPoint): boolean {
+    assertDcfPoint(other);
+    const { ex: X1, ey: Y1 } = this.ep;
+    const { ex: X2, ey: Y2 } = other.ep;
+    const mod = ed448.CURVE.Fp.create;
+    // (x1 * y2 == y1 * x2)
+    return mod(X1 * Y2) === mod(Y1 * X2);
+  }
+
+  add(other: DcfPoint): DcfPoint {
+    assertDcfPoint(other);
+    return new DcfPoint(this.ep.add(other.ep));
+  }
+
+  subtract(other: DcfPoint): DcfPoint {
+    assertDcfPoint(other);
+    return new DcfPoint(this.ep.subtract(other.ep));
+  }
+
+  multiply(scalar: bigint): DcfPoint {
+    return new DcfPoint(this.ep.multiply(scalar));
+  }
+
+  multiplyUnsafe(scalar: bigint): DcfPoint {
+    return new DcfPoint(this.ep.multiplyUnsafe(scalar));
+  }
+
+  double(): DcfPoint {
+    return new DcfPoint(this.ep.double());
+  }
+
+  negate(): DcfPoint {
+    return new DcfPoint(this.ep.negate());
+  }
+}
+
+export const DecafPoint = /* @__PURE__ */ (() => {
+  // decaf448 base point is ed448 base x 2
+  // https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699
+  if (!DcfPoint.BASE) DcfPoint.BASE = new DcfPoint(ed448.ExtendedPoint.BASE).multiply(_2n);
+  if (!DcfPoint.ZERO) DcfPoint.ZERO = new DcfPoint(ed448.ExtendedPoint.ZERO);
+  return DcfPoint;
+})();
+
+// Hashing to decaf448. https://www.rfc-editor.org/rfc/rfc9380#appendix-C
+export const hashToDecaf448 = (msg: Uint8Array, options: htfBasicOpts) => {
+  const d = options.DST;
+  const DST = typeof d === 'string' ? utf8ToBytes(d) : d;
+  const uniform_bytes = expand_message_xof(msg, DST, 112, 224, shake256);
+  const P = DcfPoint.hashToCurve(uniform_bytes);
+  return P;
+};
+export const hash_to_decaf448 = hashToDecaf448; // legacy

src/edwards.ts

@@ -1,684 +0,0 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
-
-// Differences from @noble/ed25519 1.7:
-// 1. Different field element lengths in ed448:
-//   EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
-// 2. Different addition formula (doubling is same)
-// 3. uvRatio differs between curves (half-expected, not only pow fn changes)
-// 4. Point decompression code is different too (unexpected), now using generalized formula
-// 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
-
-import * as mod from './modular.js';
-import {
-  bytesToHex,
-  concatBytes,
-  ensureBytes,
-  numberToBytesLE,
-  bytesToNumberLE,
-  hashToPrivateScalar,
-  BasicCurve,
-  validateOpts as utilOpts,
-  Hex,
-  PrivKey,
-} from './utils.js'; // TODO: import * as u from './utils.js'?
-import { Group, GroupConstructor, wNAF } from './group.js';
-
-// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const _8n = BigInt(8);
-
-export type CHash = {
-  (message: Uint8Array | string): Uint8Array;
-  blockLen: number;
-  outputLen: number;
-  create(): any;
-};
-
-export type CurveType = BasicCurve & {
-  // Params: a, d
-  a: bigint;
-  d: bigint;
-  // Hashes
-  hash: CHash; // Because we need outputLen for DRBG
-  randomBytes: (bytesLength?: number) => Uint8Array;
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
-  uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
-  preHash?: CHash;
-};
-
-// Should be separate from overrides, since overrides can use information about curve (for example nBits)
-function validateOpts(curve: CurveType) {
-  const opts = utilOpts(curve);
-  if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
-    throw new Error('Invalid hash function');
-  for (const i of ['a', 'd'] as const) {
-    if (typeof opts[i] !== 'bigint')
-      throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
-  }
-  for (const fn of ['randomBytes'] as const) {
-    if (typeof opts[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
-  }
-  for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio'] as const) {
-    if (opts[fn] === undefined) continue; // Optional
-    if (typeof opts[fn] !== 'function') throw new Error(`Invalid ${fn} function`);
-  }
-  // Set defaults
-  return Object.freeze({ ...opts } as const);
-}
-
-// Instance
-export interface SignatureType {
-  readonly r: PointType;
-  readonly s: bigint;
-  assertValidity(): SignatureType;
-  toRawBytes(): Uint8Array;
-  toHex(): string;
-}
-// Static methods
-export type SignatureConstructor = {
-  new (r: PointType, s: bigint): SignatureType;
-  fromHex(hex: Hex): SignatureType;
-};
-
-// Instance
-export interface ExtendedPointType extends Group<ExtendedPointType> {
-  readonly x: bigint;
-  readonly y: bigint;
-  readonly z: bigint;
-  readonly t: bigint;
-  multiply(scalar: number | bigint, affinePoint?: PointType): ExtendedPointType;
-  multiplyUnsafe(scalar: number | bigint): ExtendedPointType;
-  isSmallOrder(): boolean;
-  isTorsionFree(): boolean;
-  toAffine(invZ?: bigint): PointType;
-}
-// Static methods
-export interface ExtendedPointConstructor extends GroupConstructor<ExtendedPointType> {
-  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtendedPointType;
-  fromAffine(p: PointType): ExtendedPointType;
-  toAffineBatch(points: ExtendedPointType[]): PointType[];
-  normalizeZ(points: ExtendedPointType[]): ExtendedPointType[];
-}
-
-// Instance
-export interface PointType extends Group<PointType> {
-  readonly x: bigint;
-  readonly y: bigint;
-  _setWindowSize(windowSize: number): void;
-  toRawBytes(isCompressed?: boolean): Uint8Array;
-  toHex(isCompressed?: boolean): string;
-  isTorsionFree(): boolean;
-}
-// Static methods
-export interface PointConstructor extends GroupConstructor<PointType> {
-  new (x: bigint, y: bigint): PointType;
-  fromHex(hex: Hex): PointType;
-  fromPrivateKey(privateKey: PrivKey): PointType;
-}
-
-export type PubKey = Hex | PointType;
-export type SigType = Hex | SignatureType;
-
-export type CurveFn = {
-  CURVE: ReturnType<typeof validateOpts>;
-  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  sign: (message: Hex, privateKey: Hex) => Uint8Array;
-  verify: (sig: SigType, message: Hex, publicKey: PubKey) => boolean;
-  Point: PointConstructor;
-  ExtendedPoint: ExtendedPointConstructor;
-  Signature: SignatureConstructor;
-  utils: {
-    mod: (a: bigint, b?: bigint) => bigint;
-    invert: (number: bigint, modulo?: bigint) => bigint;
-    randomPrivateKey: () => Uint8Array;
-    getExtendedPublicKey: (key: PrivKey) => {
-      head: Uint8Array;
-      prefix: Uint8Array;
-      scalar: bigint;
-      point: PointType;
-      pointBytes: Uint8Array;
-    };
-  };
-};
-
-// NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
-export function twistedEdwards(curveDef: CurveType): CurveFn {
-  const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
-  const CURVE_ORDER = CURVE.n;
-  const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
-  if (fieldLen > 2048) throw new Error('Field lengths over 2048 are not supported');
-  const groupLen = CURVE.nByteLength;
-  // (2n ** 256n).toString(16);
-  const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
-
-  // Function overrides
-  const { P, randomBytes } = CURVE;
-  const modP = (a: bigint) => mod.mod(a, P);
-
-  // sqrt(u/v)
-  function _uvRatio(u: bigint, v: bigint) {
-    try {
-      const value = mod.sqrt(u * mod.invert(v, P), P);
-      return { isValid: true, value };
-    } catch (e) {
-      return { isValid: false, value: _0n };
-    }
-  }
-  const uvRatio = CURVE.uvRatio || _uvRatio;
-
-  const _adjustScalarBytes = (bytes: Uint8Array) => bytes; // NOOP
-  const adjustScalarBytes = CURVE.adjustScalarBytes || _adjustScalarBytes;
-  function _domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
-    if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
-    return data;
-  }
-  const domain = CURVE.domain || _domain; // NOOP
-
-  /**
-   * Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
-   * Default Point works in affine coordinates: (x, y)
-   * https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
-   */
-  class ExtendedPoint implements ExtendedPointType {
-    constructor(readonly x: bigint, readonly y: bigint, readonly z: bigint, readonly t: bigint) {}
-
-    static BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
-    static ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
-    static fromAffine(p: Point): ExtendedPoint {
-      if (!(p instanceof Point)) {
-        throw new TypeError('ExtendedPoint#fromAffine: expected Point');
-      }
-      if (p.equals(Point.ZERO)) return ExtendedPoint.ZERO;
-      return new ExtendedPoint(p.x, p.y, _1n, modP(p.x * p.y));
-    }
-    // Takes a bunch of Jacobian Points but executes only one
-    // invert on all of them. invert is very slow operation,
-    // so this improves performance massively.
-    static toAffineBatch(points: ExtendedPoint[]): Point[] {
-      const toInv = mod.invertBatch(
-        points.map((p) => p.z),
-        P
-      );
-      return points.map((p, i) => p.toAffine(toInv[i]));
-    }
-
-    static normalizeZ(points: ExtendedPoint[]): ExtendedPoint[] {
-      return this.toAffineBatch(points).map(this.fromAffine);
-    }
-
-    // Compare one point to another.
-    equals(other: ExtendedPoint): boolean {
-      assertExtPoint(other);
-      const { x: X1, y: Y1, z: Z1 } = this;
-      const { x: X2, y: Y2, z: Z2 } = other;
-      const X1Z2 = modP(X1 * Z2);
-      const X2Z1 = modP(X2 * Z1);
-      const Y1Z2 = modP(Y1 * Z2);
-      const Y2Z1 = modP(Y2 * Z1);
-      return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
-    }
-
-    // Inverses point to one corresponding to (x, -y) in Affine coordinates.
-    negate(): ExtendedPoint {
-      return new ExtendedPoint(modP(-this.x), this.y, this.z, modP(-this.t));
-    }
-
-    // Fast algo for doubling Extended Point.
-    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
-    // Cost: 4M + 4S + 1*a + 6add + 1*2.
-    double(): ExtendedPoint {
-      const { a } = CURVE;
-      const { x: X1, y: Y1, z: Z1 } = this;
-      const A = modP(X1 * X1); // A = X12
-      const B = modP(Y1 * Y1); // B = Y12
-      const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
-      const D = modP(a * A); // D = a*A
-      const x1y1 = X1 + Y1;
-      const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
-      const G = D + B; // G = D+B
-      const F = G - C; // F = G-C
-      const H = D - B; // H = D-B
-      const X3 = modP(E * F); // X3 = E*F
-      const Y3 = modP(G * H); // Y3 = G*H
-      const T3 = modP(E * H); // T3 = E*H
-      const Z3 = modP(F * G); // Z3 = F*G
-      return new ExtendedPoint(X3, Y3, Z3, T3);
-    }
-
-    // Fast algo for adding 2 Extended Points.
-    // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
-    // Cost: 9M + 1*a + 1*d + 7add.
-    add(other: ExtendedPoint) {
-      assertExtPoint(other);
-      const { a, d } = CURVE;
-      const { x: X1, y: Y1, z: Z1, t: T1 } = this;
-      const { x: X2, y: Y2, z: Z2, t: T2 } = other;
-      // Faster algo for adding 2 Extended Points when curve's a=-1.
-      // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
-      // Cost: 8M + 8add + 2*2.
-      // Note: It does not check whether the `other` point is valid.
-      if (a === BigInt(-1)) {
-        const A = modP((Y1 - X1) * (Y2 + X2));
-        const B = modP((Y1 + X1) * (Y2 - X2));
-        const F = modP(B - A);
-        if (F === _0n) return this.double(); // Same point.
-        const C = modP(Z1 * _2n * T2);
-        const D = modP(T1 * _2n * Z2);
-        const E = D + C;
-        const G = B + A;
-        const H = D - C;
-        const X3 = modP(E * F);
-        const Y3 = modP(G * H);
-        const T3 = modP(E * H);
-        const Z3 = modP(F * G);
-        return new ExtendedPoint(X3, Y3, Z3, T3);
-      }
-      const A = modP(X1 * X2); // A = X1*X2
-      const B = modP(Y1 * Y2); // B = Y1*Y2
-      const C = modP(T1 * d * T2); // C = T1*d*T2
-      const D = modP(Z1 * Z2); // D = Z1*Z2
-      const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
-      // TODO: do we need to check for same point here? Looks like working without it
-      const F = D - C; // F = D-C
-      const G = D + C; // G = D+C
-      const H = modP(B - a * A); // H = B-a*A
-      const X3 = modP(E * F); // X3 = E*F
-      const Y3 = modP(G * H); // Y3 = G*H
-      const T3 = modP(E * H); // T3 = E*H
-      const Z3 = modP(F * G); // Z3 = F*G
-
-      return new ExtendedPoint(X3, Y3, Z3, T3);
-    }
-
-    subtract(other: ExtendedPoint): ExtendedPoint {
-      return this.add(other.negate());
-    }
-
-    private wNAF(n: bigint, affinePoint?: Point): ExtendedPoint {
-      if (!affinePoint && this.equals(ExtendedPoint.BASE)) affinePoint = Point.BASE;
-      const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
-      let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
-      if (!precomputes) {
-        precomputes = wnaf.precomputeWindow(this, W) as ExtendedPoint[];
-        if (affinePoint && W !== 1) {
-          precomputes = ExtendedPoint.normalizeZ(precomputes);
-          pointPrecomputes.set(affinePoint, precomputes);
-        }
-      }
-      const { p, f } = wnaf.wNAF(W, precomputes, n);
-      return ExtendedPoint.normalizeZ([p, f])[0];
-    }
-
-    // Constant time multiplication.
-    // Uses wNAF method. Windowed method may be 10% faster,
-    // but takes 2x longer to generate and consumes 2x memory.
-    multiply(scalar: number | bigint, affinePoint?: Point): ExtendedPoint {
-      return this.wNAF(normalizeScalar(scalar, CURVE_ORDER), affinePoint);
-    }
-
-    // Non-constant-time multiplication. Uses double-and-add algorithm.
-    // It's faster, but should only be used when you don't care about
-    // an exposed private key e.g. sig verification.
-    // Allows scalar bigger than curve order, but less than 2^256
-    multiplyUnsafe(scalar: number | bigint): ExtendedPoint {
-      let n = normalizeScalar(scalar, CURVE_ORDER, false);
-      const G = ExtendedPoint.BASE;
-      const P0 = ExtendedPoint.ZERO;
-      if (n === _0n) return P0;
-      if (this.equals(P0) || n === _1n) return this;
-      if (this.equals(G)) return this.wNAF(n);
-      return wnaf.unsafeLadder(this, n);
-    }
-
-    // Multiplies point by cofactor and checks if the result is 0.
-    isSmallOrder(): boolean {
-      return this.multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
-    }
-
-    // Multiplies point by a very big scalar n and checks if the result is 0.
-    isTorsionFree(): boolean {
-      return this.multiplyUnsafe(CURVE_ORDER).equals(ExtendedPoint.ZERO);
-    }
-
-    // Converts Extended point to default (x, y) coordinates.
-    // Can accept precomputed Z^-1 - for example, from invertBatch.
-    toAffine(invZ?: bigint): Point {
-      const { x, y, z } = this;
-      const is0 = this.equals(ExtendedPoint.ZERO);
-      if (invZ == null) invZ = is0 ? _8n : mod.invert(z, P); // 8 was chosen arbitrarily
-      const ax = modP(x * invZ);
-      const ay = modP(y * invZ);
-      const zz = modP(z * invZ);
-      if (is0) return Point.ZERO;
-      if (zz !== _1n) throw new Error('invZ was invalid');
-      return new Point(ax, ay);
-    }
-  }
-  const wnaf = wNAF(ExtendedPoint, groupLen * 8);
-
-  function assertExtPoint(other: unknown) {
-    if (!(other instanceof ExtendedPoint)) throw new TypeError('ExtendedPoint expected');
-  }
-  // Stores precomputed values for points.
-  const pointPrecomputes = new WeakMap<Point, ExtendedPoint[]>();
-
-  /**
-   * Default Point works in affine coordinates: (x, y)
-   */
-  class Point implements PointType {
-    // Base point aka generator
-    // public_key = Point.BASE * private_key
-    static BASE: Point = new Point(CURVE.Gx, CURVE.Gy);
-    // Identity point aka point at infinity
-    // point = point + zero_point
-    static ZERO: Point = new Point(_0n, _1n);
-    // We calculate precomputes for elliptic curve point multiplication
-    // using windowed method. This specifies window size and
-    // stores precomputed values. Usually only base point would be precomputed.
-    _WINDOW_SIZE?: number;
-
-    constructor(readonly x: bigint, readonly y: bigint) {}
-
-    // "Private method", don't use it directly.
-    _setWindowSize(windowSize: number) {
-      this._WINDOW_SIZE = windowSize;
-      pointPrecomputes.delete(this);
-    }
-
-    // Converts hash string or Uint8Array to Point.
-    // Uses algo from RFC8032 5.1.3.
-    static fromHex(hex: Hex, strict = true) {
-      const { d, P, a } = CURVE;
-      hex = ensureBytes(hex, fieldLen);
-      // 1.  First, interpret the string as an integer in little-endian
-      // representation. Bit 255 of this number is the least significant
-      // bit of the x-coordinate and denote this value x_0.  The
-      // y-coordinate is recovered simply by clearing this bit.  If the
-      // resulting value is >= p, decoding fails.
-      const normed = hex.slice();
-      const lastByte = hex[fieldLen - 1];
-      normed[fieldLen - 1] = lastByte & ~0x80;
-      const y = bytesToNumberLE(normed);
-
-      if (strict && y >= P) throw new Error('Expected 0 < hex < P');
-      if (!strict && y >= maxGroupElement) throw new Error('Expected 0 < hex < 2**256');
-
-      // 2.  To recover the x-coordinate, the curve equation implies
-      // Ed25519: x² = (y² - 1) / (d y² + 1) (mod p).
-      // Ed448: x² = (y² - 1) / (d y² - 1) (mod p).
-      // For generic case:
-      // a*x²+y²=1+d*x²*y²
-      // -> y²-1 = d*x²*y²-a*x²
-      // -> y²-1 = x² (d*y²-a)
-      // -> x² = (y²-1) / (d*y²-a)
-
-      // The denominator is always non-zero mod p.  Let u = y² - 1 and v = d y² + 1.
-      const y2 = modP(y * y);
-      const u = modP(y2 - _1n);
-      const v = modP(d * y2 - a);
-      let { isValid, value: x } = uvRatio(u, v);
-      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
-      // 4.  Finally, use the x_0 bit to select the right square root.  If
-      // x = 0, and x_0 = 1, decoding fails.  Otherwise, if x_0 != x mod
-      // 2, set x <-- p - x.  Return the decoded point (x,y).
-      const isXOdd = (x & _1n) === _1n;
-      const isLastByteOdd = (lastByte & 0x80) !== 0;
-      if (isLastByteOdd !== isXOdd) x = modP(-x);
-      return new Point(x, y);
-    }
-
-    static fromPrivateKey(privateKey: PrivKey) {
-      return getExtendedPublicKey(privateKey).point;
-    }
-
-    // There can always be only two x values (x, -x) for any y
-    // When compressing point, it's enough to only store its y coordinate
-    // and use the last byte to encode sign of x.
-    toRawBytes(): Uint8Array {
-      const bytes = numberToBytesLE(this.y, fieldLen);
-      bytes[fieldLen - 1] |= this.x & _1n ? 0x80 : 0;
-      return bytes;
-    }
-
-    // Same as toRawBytes, but returns string.
-    toHex(): string {
-      return bytesToHex(this.toRawBytes());
-    }
-
-    isTorsionFree(): boolean {
-      return ExtendedPoint.fromAffine(this).isTorsionFree();
-    }
-
-    equals(other: Point): boolean {
-      if (!(other instanceof Point)) throw new TypeError('Point#equals: expected Point');
-      return this.x === other.x && this.y === other.y;
-    }
-
-    negate(): Point {
-      return new Point(modP(-this.x), this.y);
-    }
-
-    double(): Point {
-      return ExtendedPoint.fromAffine(this).double().toAffine();
-    }
-
-    add(other: Point) {
-      return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
-    }
-
-    subtract(other: Point) {
-      return this.add(other.negate());
-    }
-
-    /**
-     * Constant time multiplication.
-     * @param scalar Big-Endian number
-     * @returns new point
-     */
-    multiply(scalar: number | bigint): Point {
-      return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
-    }
-  }
-
-  /**
-   * EDDSA signature.
-   */
-  class Signature implements SignatureType {
-    constructor(readonly r: Point, readonly s: bigint) {
-      this.assertValidity();
-    }
-
-    static fromHex(hex: Hex) {
-      const bytes = ensureBytes(hex, 2 * fieldLen);
-      const r = Point.fromHex(bytes.slice(0, fieldLen), false);
-      const s = bytesToNumberLE(bytes.slice(fieldLen, 2 * fieldLen));
-      return new Signature(r, s);
-    }
-
-    assertValidity() {
-      const { r, s } = this;
-      if (!(r instanceof Point)) throw new Error('Expected Point instance');
-      // 0 <= s < l
-      normalizeScalar(s, CURVE_ORDER, false);
-      return this;
-    }
-
-    toRawBytes() {
-      return concatBytes(this.r.toRawBytes(), numberToBytesLE(this.s, fieldLen));
-    }
-
-    toHex() {
-      return bytesToHex(this.toRawBytes());
-    }
-  }
-
-  // Little-endian SHA512 with modulo n
-  function modlLE(hash: Uint8Array): bigint {
-    return mod.mod(bytesToNumberLE(hash), CURVE_ORDER);
-  }
-
-  /**
-   * Checks for num to be in range:
-   * For strict == true:  `0 <  num < max`.
-   * For strict == false: `0 <= num < max`.
-   * Converts non-float safe numbers to bigints.
-   */
-  function normalizeScalar(num: number | bigint, max: bigint, strict = true): bigint {
-    if (!max) throw new TypeError('Specify max value');
-    if (typeof num === 'number' && Number.isSafeInteger(num)) num = BigInt(num);
-    if (typeof num === 'bigint' && num < max) {
-      if (strict) {
-        if (_0n < num) return num;
-      } else {
-        if (_0n <= num) return num;
-      }
-    }
-    throw new TypeError('Expected valid scalar: 0 < scalar < max');
-  }
-
-  function checkPrivateKey(key: PrivKey) {
-    // Normalize bigint / number / string to Uint8Array
-    key =
-      typeof key === 'bigint' || typeof key === 'number'
-        ? numberToBytesLE(normalizeScalar(key, maxGroupElement), groupLen)
-        : ensureBytes(key);
-    if (key.length !== groupLen) throw new Error(`Expected ${groupLen} bytes, got ${key.length}`);
-    return key;
-  }
-
-  // Takes 64 bytes
-  function getKeyFromHash(hashed: Uint8Array) {
-    // First 32 bytes of 64b uniformingly random input are taken,
-    // clears 3 bits of it to produce a random field element.
-    const head = adjustScalarBytes(hashed.slice(0, groupLen));
-    // Second 32 bytes is called key prefix (5.1.6)
-    const prefix = hashed.slice(groupLen, 2 * groupLen);
-    // The actual private scalar
-    const scalar = modlLE(head);
-    // Point on Edwards curve aka public key
-    const point = Point.BASE.multiply(scalar);
-    const pointBytes = point.toRawBytes();
-    return { head, prefix, scalar, point, pointBytes };
-  }
-
-  /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
-  function getExtendedPublicKey(key: PrivKey) {
-    return getKeyFromHash(CURVE.hash(checkPrivateKey(key)));
-  }
-
-  /**
-   * Calculates ed25519 public key. RFC8032 5.1.5
-   * 1. private key is hashed with sha512, then first 32 bytes are taken from the hash
-   * 2. 3 least significant bits of the first byte are cleared
-   */
-  function getPublicKey(privateKey: PrivKey): Uint8Array {
-    return getExtendedPublicKey(privateKey).pointBytes;
-  }
-
-  const EMPTY = new Uint8Array();
-  function hashDomainToScalar(message: Uint8Array, context: Hex = EMPTY) {
-    context = ensureBytes(context);
-    return modlLE(CURVE.hash(domain(message, context, !!CURVE.preHash)));
-  }
-
-  /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(message: Hex, privateKey: Hex, context?: Hex): Uint8Array {
-    message = ensureBytes(message);
-    if (CURVE.preHash) message = CURVE.preHash(message);
-    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privateKey);
-    const r = hashDomainToScalar(concatBytes(prefix, message), context);
-    const R = Point.BASE.multiply(r); // R = rG
-    const k = hashDomainToScalar(concatBytes(R.toRawBytes(), pointBytes, message), context); // k = hash(R+P+msg)
-    const s = mod.mod(r + k * scalar, CURVE_ORDER); // s = r + kp
-    return new Signature(R, s).toRawBytes();
-  }
-
-  /**
-   * Verifies EdDSA signature against message and public key.
-   * An extended group equation is checked.
-   * RFC8032 5.1.7
-   * Compliant with ZIP215:
-   * 0 <= sig.R/publicKey < 2**256 (can be >= curve.P)
-   * 0 <= sig.s < l
-   * Not compliant with RFC8032: it's not possible to comply to both ZIP & RFC at the same time.
-   */
-  function verify(sig: SigType, message: Hex, publicKey: PubKey, context?: Hex): boolean {
-    message = ensureBytes(message);
-    if (CURVE.preHash) message = CURVE.preHash(message);
-    // When hex is passed, we check public key fully.
-    // When Point instance is passed, we assume it has already been checked, for performance.
-    // If user passes Point/Sig instance, we assume it has been already verified.
-    // We don't check its equations for performance. We do check for valid bounds for s though
-    // We always check for: a) s bounds. b) hex validity
-    if (publicKey instanceof Point) {
-      // ignore
-    } else if (publicKey instanceof Uint8Array || typeof publicKey === 'string') {
-      publicKey = Point.fromHex(publicKey, false);
-    } else {
-      throw new Error(`Invalid publicKey: ${publicKey}`);
-    }
-
-    if (sig instanceof Signature) sig.assertValidity();
-    else if (sig instanceof Uint8Array || typeof sig === 'string') sig = Signature.fromHex(sig);
-    else throw new Error(`Wrong signature: ${sig}`);
-
-    const { r, s } = sig;
-    const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
-    const k = hashDomainToScalar(
-      concatBytes(r.toRawBytes(), publicKey.toRawBytes(), message),
-      context
-    );
-    const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
-    const RkA = ExtendedPoint.fromAffine(r).add(kA);
-    // [8][S]B = [8]R + [8][k]A'
-    return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
-  }
-
-  // Enable precomputes. Slows down first publicKey computation by 20ms.
-  Point.BASE._setWindowSize(8);
-
-  const utils = {
-    getExtendedPublicKey,
-    mod: modP,
-    invert: (a: bigint, m = CURVE.P) => mod.invert(a, m),
-
-    /**
-     * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
-     */
-    hashToPrivateScalar: (hash: Hex): bigint => hashToPrivateScalar(hash, CURVE_ORDER, true),
-
-    /**
-     * ed25519 private keys are uniform 32-bit strings. We do not need to check for
-     * modulo bias like we do in secp256k1 randomPrivateKey()
-     */
-    randomPrivateKey: (): Uint8Array => randomBytes(fieldLen),
-
-    /**
-     * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
-     * values. This slows down first getPublicKey() by milliseconds (see Speed section),
-     * but allows to speed-up subsequent getPublicKey() calls up to 20x.
-     * @param windowSize 2, 4, 8, 16
-     */
-    precompute(windowSize = 8, point = Point.BASE): Point {
-      const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
-      cached._setWindowSize(windowSize);
-      cached.multiply(_2n);
-      return cached;
-    },
-  };
-
-  return {
-    CURVE,
-    getPublicKey,
-    sign,
-    verify,
-    ExtendedPoint,
-    Point,
-    Signature,
-    utils,
-  };
-}