All modules: sort import alphabetically

src/_shortw_utils.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac';
 import { concatBytes, randomBytes } from '@noble/hashes/utils';
-import { weierstrass, CurveType } from './abstract/weierstrass.js';
 import { CHash } from './abstract/utils.js';
+import { CurveType, weierstrass } from './abstract/weierstrass.js';
 
 // connects noble-curves to noble-hashes
 export function getHash(hash: CHash) {

src/abstract/bls.ts

@@ -1,16 +1,5 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-/**
- * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
- * Implements BLS (Boneh-Lynn-Shacham) signatures.
- * Consists of two curves: G1 and G2:
- * - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
- * - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
- * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
- * Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
- * Pairing is used to aggregate and verify signatures.
- * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
- * Some projects may prefer to swap this relation, it is not supported for now.
- */
+// BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
 import { AffinePoint } from './curve.js';
 import { IField, getMinHashLength, mapHashToField } from './modular.js';
 import { Hex, PrivKey, CHash, bitLen, bitGet, ensureBytes } from './utils.js';
@@ -26,6 +15,19 @@ import {
  weierstrassPoints,
 } from './weierstrass.js';
 
+/**
+ * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
+ * Implements BLS (Boneh-Lynn-Shacham) signatures.
+ * Consists of two curves: G1 and G2:
+ * - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
+ * - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
+ * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
+ * Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
+ * Pairing is used to aggregate and verify signatures.
+ * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
+ * Some projects may prefer to swap this relation, it is not supported for now.
+ **/
+
 type Fp = bigint; // Can be different field?
 
 // prettier-ignore

src/abstract/edwards.ts

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
+import { AffinePoint, BasicCurve, Group, GroupConstructor, validateBasic, wNAF } from './curve.js';
 import { mod } from './modular.js';
 import * as ut from './utils.js';
 import { ensureBytes, FHash, Hex } from './utils.js';
-import { Group, GroupConstructor, wNAF, BasicCurve, validateBasic, AffinePoint } from './curve.js';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -372,7 +372,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
  // y=0 is allowed
  } else {
  // RFC8032 prohibits >= p, but ZIP215 doesn't
- if (zip215) assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
+ if (zip215)
+ assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
  else assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
  }
 

src/abstract/hash-to-curve.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import type { Group, GroupConstructor, AffinePoint } from './curve.js';
-import { mod, IField } from './modular.js';
+import type { AffinePoint, Group, GroupConstructor } from './curve.js';
+import { IField, mod } from './modular.js';
 import type { CHash } from './utils.js';
-import { bytesToNumberBE, abytes, concatBytes, utf8ToBytes, validateObject } from './utils.js';
+import { abytes, bytesToNumberBE, concatBytes, utf8ToBytes, validateObject } from './utils.js';
 
 /**
  * * `DST` is a domain separation tag, defined in section 2.2.5

src/abstract/modular.ts

@@ -2,11 +2,11 @@
 // Utilities for modular arithmetics and finite fields
 import {
  bitMask,
- numberToBytesBE,
- numberToBytesLE,
  bytesToNumberBE,
  bytesToNumberLE,
  ensureBytes,
+ numberToBytesBE,
+ numberToBytesLE,
  validateObject,
 } from './utils.js';
 // prettier-ignore

src/abstract/poseidon.ts

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Poseidon Hash: https://eprint.iacr.org/2019/458.pdf, https://www.poseidon-hash.info
-import { IField, FpPow, validateField } from './modular.js';
+import { FpPow, IField, validateField } from './modular.js';
 // We don't provide any constants, since different implementations use different constants.
 // For reference constants see './test/poseidon.test.js'.
 export type PoseidonOpts = {

src/abstract/weierstrass.ts

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Short Weierstrass curve. The formula is: y² = x³ + ax + b
+import { AffinePoint, BasicCurve, Group, GroupConstructor, validateBasic, wNAF } from './curve.js';
 import * as mod from './modular.js';
 import * as ut from './utils.js';
 import { CHash, Hex, PrivKey, ensureBytes } from './utils.js';
-import { Group, GroupConstructor, wNAF, BasicCurve, validateBasic, AffinePoint } from './curve.js';
 
 export type { AffinePoint };
 type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;

src/bls12-381.ts

@@ -1,58 +1,60 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-
-// bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
-// - Construct zk-SNARKs at the 120-bit security
-// - Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
-// the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
-//
-// ### Summary
-// 1. BLS Relies on Bilinear Pairing (expensive)
-// 2. Private Keys: 32 bytes
-// 3. Public Keys: 48 bytes: 381 bit affine x coordinate, encoded into 48 big-endian bytes.
-// 4. Signatures: 96 bytes: two 381 bit integers (affine x coordinate), encoded into two 48 big-endian byte arrays.
-// - The signature is a point on the G2 subgroup, which is defined over a finite field
-// with elements twice as big as the G1 curve (G2 is over Fp2 rather than Fp. Fp2 is analogous to the complex numbers).
-// 5. The 12 stands for the Embedding degree.
-//
-// ### Formulas
-// - `P = pk x G` - public keys
-// - `S = pk x H(m)` - signing
-// - `e(P, H(m)) == e(G, S)` - verification using pairings
-// - `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
-//
-// ### Compatibility and notes
-// 1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC
-// Filecoin uses little endian byte arrays for private keys - make sure to reverse byte order.
-// 2. Some projects use G2 for public keys and G1 for signatures. It's called "short signature"
-// 3. Curve security level is about 120 bits as per Barbulescu-Duquesne 2017
-// https://hal.science/hal-01534101/file/main.pdf
-// 4. Compatible with specs:
-// [cfrg-pairing-friendly-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
-// [cfrg-bls-signature-05](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05),
-// [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls, CurveFn } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
 import {
- concatBytes as concatB,
- ensureBytes,
- numberToBytesBE,
- bytesToNumberBE,
- bitLen,
  bitGet,
- Hex,
+ bitLen,
  bitMask,
  bytesToHex,
+ bytesToNumberBE,
+ concatBytes as concatB,
+ ensureBytes,
+ Hex,
+ numberToBytesBE,
 } from './abstract/utils.js';
 // Types
+import { isogenyMap } from './abstract/hash-to-curve.js';
 import {
- ProjPointType,
- ProjConstructor,
- mapToCurveSimpleSWU,
  AffinePoint,
+ mapToCurveSimpleSWU,
+ ProjConstructor,
+ ProjPointType,
 } from './abstract/weierstrass.js';
-import { isogenyMap } from './abstract/hash-to-curve.js';
+
+/*
+bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
+- Construct zk-SNARKs at the 120-bit security
+- Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
+ the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
+
+### Summary
+1. BLS Relies on Bilinear Pairing (expensive)
+2. Private Keys: 32 bytes
+3. Public Keys: 48 bytes: 381 bit affine x coordinate, encoded into 48 big-endian bytes.
+4. Signatures: 96 bytes: two 381 bit integers (affine x coordinate), encoded into two 48 big-endian byte arrays.
+ - The signature is a point on the G2 subgroup, which is defined over a finite field
+ with elements twice as big as the G1 curve (G2 is over Fp2 rather than Fp. Fp2 is analogous to the complex numbers).
+5. The 12 stands for the Embedding degree.
+
+### Formulas
+- `P = pk x G` - public keys
+- `S = pk x H(m)` - signing
+- `e(P, H(m)) == e(G, S)` - verification using pairings
+- `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
+
+### Compatibility and notes
+1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC
+ Filecoin uses little endian byte arrays for private keys - make sure to reverse byte order.
+2. Some projects use G2 for public keys and G1 for signatures. It's called "short signature"
+3. Curve security level is about 120 bits as per Barbulescu-Duquesne 2017
+ https://hal.science/hal-01534101/file/main.pdf
+4. Compatible with specs:
+[cfrg-pairing-friendly-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
+[cfrg-bls-signature-05](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05),
+[RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
+*/
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -503,9 +505,9 @@ const BLS_X_LEN = bitLen(BLS_X);
 
 // prettier-ignore
 type BigintTwelve = [
-  bigint, bigint, bigint, bigint, bigint, bigint,
-  bigint, bigint, bigint, bigint, bigint, bigint
- ];
+ bigint, bigint, bigint, bigint, bigint, bigint,
+ bigint, bigint, bigint, bigint, bigint, bigint
+];
 const Fp12Add = ({ c0, c1 }: Fp12, { c0: r0, c1: r1 }: Fp12) => ({
  c0: Fp6.add(c0, r0),
  c1: Fp6.add(c1, r1),

src/bn254.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
-import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
 import { Field } from './abstract/modular.js';
+import { weierstrass } from './abstract/weierstrass.js';
 /**
  * bn254 pairing-friendly curve.
  * Previously known as alt_bn_128, when it had 128-bit security.

src/ed25519.ts

@@ -1,9 +1,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { AffinePoint, Group } from './abstract/curve.js';
 import { ExtPointType, twistedEdwards } from './abstract/edwards.js';
-import { montgomery } from './abstract/montgomery.js';
+import { createHasher, expand_message_xmd, htfBasicOpts } from './abstract/hash-to-curve.js';
 import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.js';
+import { montgomery } from './abstract/montgomery.js';
 import {
  bytesToHex,
  bytesToNumberLE,
@@ -12,8 +14,6 @@ import {
  Hex,
  numberToBytesLE,
 } from './abstract/utils.js';
-import { createHasher, htfBasicOpts, expand_message_xmd } from './abstract/hash-to-curve.js';
-import { AffinePoint, Group } from './abstract/curve.js';
 
 /**
  * ed25519 Twisted Edwards curve with following addons:

src/ed448.ts

@@ -1,10 +1,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
 import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/hashes/utils';
+import { AffinePoint, Group } from './abstract/curve.js';
 import { ExtPointType, twistedEdwards } from './abstract/edwards.js';
-import { mod, pow2, Field, isNegativeLE } from './abstract/modular.js';
+import { createHasher, expand_message_xof, htfBasicOpts } from './abstract/hash-to-curve.js';
+import { Field, isNegativeLE, mod, pow2 } from './abstract/modular.js';
 import { montgomery } from './abstract/montgomery.js';
-import { createHasher, htfBasicOpts, expand_message_xof } from './abstract/hash-to-curve.js';
 import {
  bytesToHex,
  bytesToNumberLE,
@@ -13,7 +14,6 @@ import {
  Hex,
  numberToBytesLE,
 } from './abstract/utils.js';
-import { AffinePoint, Group } from './abstract/curve.js';
 
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:

src/index.ts

@@ -1 +1 @@
-throw new Error('Incorrect usage. Import submodules instead');
+throw new Error('root module cannot be imported: import submodules instead. Check out README');

src/jubjub.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { blake2s } from '@noble/hashes/blake2s';
 import { sha512 } from '@noble/hashes/sha512';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
 import { twistedEdwards } from './abstract/edwards.js';
-import { blake2s } from '@noble/hashes/blake2s';
 import { Field } from './abstract/modular.js';
 
 /**

src/p256.ts

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
+import { createCurve } from './_shortw_utils.js';
+import { createHasher } from './abstract/hash-to-curve.js';
 import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-import { createHasher } from './abstract/hash-to-curve.js';
 
 // NIST secp256r1 aka p256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256

src/p384.ts

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
+import { createCurve } from './_shortw_utils.js';
+import { createHasher } from './abstract/hash-to-curve.js';
 import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-import { createHasher } from './abstract/hash-to-curve.js';
 
 // NIST secp384r1 aka p384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384

src/p521.ts

@@ -1,9 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { createCurve } from './_shortw_utils.js';
 import { sha512 } from '@noble/hashes/sha512';
+import { createCurve } from './_shortw_utils.js';
+import { createHasher } from './abstract/hash-to-curve.js';
 import { Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-import { createHasher } from './abstract/hash-to-curve.js';
 
 // NIST secp521r1 aka p521
 // Note that it's 521, which differs from 512 of its hash function.

src/pasta.ts

@@ -1,8 +1,8 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
-import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
-import * as mod from './abstract/modular.js';
+import { Field, mod } from './abstract/modular.js';
+import { weierstrass } from './abstract/weierstrass.js';
 
 export const p = BigInt('0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001');
 export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001');
@@ -11,9 +11,9 @@ export const q = BigInt('0x40000000000000000000000000000000224698fc0994a8dd8c46e
 export const pallas = weierstrass({
  a: BigInt(0),
  b: BigInt(5),
- Fp: mod.Field(p),
+ Fp: Field(p),
  n: q,
- Gx: mod.mod(BigInt(-1), p),
+ Gx: mod(BigInt(-1), p),
  Gy: BigInt(2),
  h: BigInt(1),
  ...getHash(sha256),
@@ -22,9 +22,9 @@ export const pallas = weierstrass({
 export const vesta = weierstrass({
  a: BigInt(0),
  b: BigInt(5),
- Fp: mod.Field(q),
+ Fp: Field(q),
  n: p,
- Gx: mod.mod(BigInt(-1), q),
+ Gx: mod(BigInt(-1), q),
  Gy: BigInt(2),
  h: BigInt(1),
  ...getHash(sha256),

src/secp256k1.ts

@@ -1,12 +1,12 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
+import { createCurve } from './_shortw_utils.js';
+import { createHasher, isogenyMap } from './abstract/hash-to-curve.js';
 import { Field, mod, pow2 } from './abstract/modular.js';
-import { ProjPointType as PointType, mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 import type { Hex, PrivKey } from './abstract/utils.js';
 import { bytesToNumberBE, concatBytes, ensureBytes, numberToBytesBE } from './abstract/utils.js';
-import { createHasher, isogenyMap } from './abstract/hash-to-curve.js';
-import { createCurve } from './_shortw_utils.js';
+import { ProjPointType as PointType, mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');