npmpackage.info

Gathering detailed insights and metrics for @noble/curves

Other packages similar to @noble/curves

noble-curves-extended

0.2.4

This project extends @noble/curves to allow randomBytes to be specified externally

@openpgp/noble-curves

1.3.0

Audited & minimal JS implementation of elliptic curve cryptography

polyfill-crypto-methods

1.0.0

Polyfill for Crypto instance methods of Web Crypto API

unsea

1.1.2

Platform-agnostic cryptographic utility toolkit for ephemeral identity, secure messaging, and portable key management — built on WebCrypto + noble-curves.

Gathering detailed insights and metrics for @noble/curves

@noble/curves - 2.0.0 | npmpackage.info

@noble/curves

Audited & minimal JS implementation of elliptic curve cryptography.

2.0.0

818

MIT

TypeScript

1.18 MB

243,310,658

Installations

npm install @noble/curves

Developer Guide

BETA

Typescript

Yes

Module System

ESM

Min. Node Version

>= 20.19.0

Node Version

24.6.0

NPM Version

11.5.1 Pull Requests

Open

0

Total

49

Closed

15

Merged

34

Issues

Open

2

Total

133

Closed

131

Releases

2.0.0

Updated on Aug 25, 2025

1.9.7

Updated on Aug 15, 2025

1.9.6

Updated on Jul 30, 2025

1.9.5

Updated on Jul 29, 2025

1.9.4

Updated on Jul 17, 2025

1.9.3

Updated on Jul 16, 2025

View All 43 releases

Languages

TypeScript

JavaScript

TypeScript (91.61%)

JavaScript (8.34%)

Go (0.06%)

Developer

paulmillr

Download Statistics

Total Downloads

243,310,658

Last Day

347,269

Last Week

6,249,443

Last Month

26,776,007

Last Year

184,914,808

GitHub Statistics

MIT License

818 Stars

963 Commits

79 Forks

11 Watchers

3 Branches

21 Contributors

Updated on Aug 30, 2025

Sponsor this package

https://paulmillr.com/funding/

Maintainers

View All 21 Contributors

Package Meta Information

Latest Version

2.0.0

Package Id

@noble/curves@2.0.0

Unpacked Size

1.18 MB

Size

293.04 kB

File Count

108

NPM Version

11.5.1

Node Version

24.6.0

Published on

Aug 25, 2025

Total Downloads

Cumulative downloads

Total Downloads

243,310,658

Last Day

0.9%

347,269

Compared to previous day

Last Week

-4.4%

6,249,443

Compared to previous week

Last Month

6.1%

26,776,007

Compared to previous month

Last Year

236.1%

184,914,808

Compared to previous year

Weekly Downloads

Monthly Downloads

Yearly Downloads

Dependencies

@noble/hashes

Dev Dependencies

@paulmillr/jsbt @types/node fast-check prettier typescript

noble-curves

Audited & minimal JS implementation of elliptic curve cryptography.

🔒 Audited by independent security firms
🔻 Tree-shakeable: unused code is excluded from your builds
🏎 Fast: hand-optimized for caveats of JS engines
🔍 Reliable: cross-library / wycheproof tests and fuzzing ensure correctness
➰ Weierstrass, Edwards, Montgomery curves; ECDSA, EdDSA, Schnorr, BLS signatures
✍️ ECDH, hash-to-curve, OPRF, Poseidon ZK-friendly hash
🔖 Non-repudiation (SUF-CMA, SBS) & consensus-friendliness (ZIP215) in ed25519, ed448
🥈 Optional, friendly wrapper over native WebCrypto
🪶 29KB (gzipped) including bundled hashes, 11KB for single-curve build

Curves have 5kb sister projects secp256k1 & ed25519. They have smaller attack surface, but less features.

Take a glance at GitHub Discussions for questions and support.

This library belongs to noble cryptography

noble cryptography — high-security, easily auditable set of contained cryptographic libraries and tools.

Zero or minimal dependencies
Highly readable TypeScript / JS code
PGP-signed releases and transparent NPM builds
All libraries: ciphers, curves, hashes, post-quantum, 5kb secp256k1 / ed25519
Check out homepage for reading resources, documentation and apps built with noble

Usage

npm install @noble/curves

deno add jsr:@noble/curves

We support all major platforms and runtimes. For React Native, you may need a polyfill for getRandomValues. A standalone file noble-curves.js is also available.

1// import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
2import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
3import { ed25519, ed25519ph, ed25519ctx, x25519, ristretto255 } from '@noble/curves/ed25519.js';
4import { ed448, ed448ph, x448, decaf448 } from '@noble/curves/ed448.js';
5import { p256, p384, p521 } from '@noble/curves/nist.js';
6import { bls12_381 } from '@noble/curves/bls12-381.js';
7import { bn254 } from '@noble/curves/bn254.js';
8import { jubjub, babyjubjub, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 } from '@noble/curves/misc.js';
9
10// hash-to-curve
11import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
12import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
13import { ristretto255_hasher } from '@noble/curves/ed25519.js';
14import { decaf448_hasher } from '@noble/curves/ed448.js';
15
16// OPRFs
17import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
18import { ristretto255_oprf } from '@noble/curves/ed25519.js';
19import { decaf448_oprf } from '@noble/curves/ed448.js';
20
21// utils
22import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
23import { Field } from '@noble/curves/abstract/modular.js';
24import { weierstrass, ecdsa } from '@noble/curves/abstract/weierstrass.js';
25import { edwards, eddsa } from '@noble/curves/abstract/edwards.js';
26import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
27import { FFT, poly } from '@noble/curves/abstract/fft.js';

Examples
Internals
Security
Speed
Contributing & testing
Upgrading

ECDSA, EdDSA, Schnorr signatures

secp256k1, p256, p384, p521, ed25519, ed448, brainpool

1import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
2import { p256, p384, p521 } from '@noble/curves/nist.js';
3import { ed25519 } from '@noble/curves/ed25519.js';
4import { ed448 } from '@noble/curves/ed448.js';
5import { brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 } from '@noble/curves/misc.js';
6for (const curve of [
7  secp256k1, schnorr,
8  p256, p384, p521,
9  ed25519, ed448,
10  brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
11]) {
12  const { secretKey, publicKey } = curve.keygen();
13  const msg = new TextEncoder().encode('hello noble');
14  const sig = curve.sign(msg, secretKey);
15  const isValid = curve.verify(sig, msg, publicKey);
16  console.log(curve, secretKey, publicKey, sig, isValid);
17}
18
19// Specific private key
20import { hexToBytes } from '@noble/curves/utils.js';
21const secret2 = hexToBytes('46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236');
22const pub2 = secp256k1.getPublicKey(secret2);

ECDSA signatures use deterministic k, conforming to RFC 6979. EdDSA conforms to RFC 8032. Schnorr (secp256k1-only) conforms to BIP 340.

ristretto255, decaf448

1import { ristretto255, ristretto255_hasher, ristretto255_oprf } from '@noble/curves/ed25519.js';
2import { decaf448, decaf448_hasher, decaf448_oprf } from '@noble/curves/ed448.js';
3
4console.log(ristretto255.Point, decaf448.Point);

Check out RFC 9496 more info on ristretto255 & decaf448. Check out separate documentation for Point, hasher and oprf.

Prehashed signing

1import { secp256k1 } from '@noble/curves/secp256k1.js';
2import { keccak256 } from '@noble/hashes/sha3.js';
3const { secretKey } = curve.keygen();
4const msg = new TextEncoder().encode('hello noble');
5// prehash: true (default) - hash using secp256k1.hash (sha256)
6const sig = secp256k1.sign(msg, secretKey);
7// prehash: false - hash using custom hash
8const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });

ECDSA sign() allows providing prehash: false, which enables using custom hashes.

A ECDSA signature is not just "math over elliptic curve points". It's actually math + hashing: p256 is in fact p256 point + sha256 hash. By default, we hash messages. To use custom hash methods, make sure to disable prehashing.

[!NOTE] Previously, in noble-curves v1, prehash: false was the default. Some other libraries (like libsecp256k1) have no prehashing.

Hedged ECDSA with noise

1import { secp256k1 } from '@noble/curves/secp256k1.js';
2const { secretKey } = curve.keygen();
3const msg = new TextEncoder().encode('hello noble');
4// extraEntropy: false - default, hedging disabled
5const sigNoisy = secp256k1.sign(msg, secretKey);
6// extraEntropy: true - fetch 32 random bytes from CSPRNG
7const sigNoisy = secp256k1.sign(msg, secretKey, { extraEntropy: true });
8// extraEntropy: bytes - specific extra entropy
9const ent = Uint8Array.from([0xca, 0xfe, 0x01, 0x23]);
10const sigNoisy2 = secp256k1.sign(msg, secretKey, { extraEntropy: ent });

ECDSA sign() allows providing extraEntropy, which switches sig generation to hedged mode.

By default, ECDSA signatures are generated deterministically, following RFC 6979. However, purely deterministic signatures are vulnerable to fault attacks. Newer signature schemes, such as BIP340 schnorr, switched to hedged signatures because of this. Hedging is basically incorporating some randomness into sig generation process.

For more info, check out Deterministic signatures are not your friends, RFC 6979 section 3.6, and cfrg-det-sigs-with-noise draft.

Consensus-friendliness vs e-voting

1import { ed25519 } from '@noble/curves/ed25519.js';
2const { secretKey, publicKey } = ed25519.keygen();
3const msg = new TextEncoder().encode('hello noble');
4const sig = ed25519.sign(msg, secretKey);
5// zip215: true
6const isValid = ed25519.verify(sig, msg, pub);
7// SBS / e-voting / RFC8032 / FIPS 186-5
8const isValidRfc = ed25519.verify(sig, msg, pub, { zip215: false });

In ed25519, there is an ability to choose between consensus-friendliness vs e-voting mode.

zip215: true is default behavior. It has slightly looser verification logic to be consensus-friendly, following ZIP215 rules
zip215: false switches verification criteria to strict RFC 8032 / FIPS 186-5 and additionally provides non-repudiation with SBS, which is useful for:
- Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
- E-voting: malicious voters may pick keys that allow repudiation in order to deny results
- Blockchains: transaction of amount X might also be valid for a different amount Y

Both modes have SUF-CMA (strong unforgeability under chosen message attacks).

ECDH: Diffie-Hellman shared secrets

1import { secp256k1 } from '@noble/curves/secp256k1.js';
2import { x25519 } from '@noble/curves/ed25519.js';
3import { x448 } from '@noble/curves/ed448.js';
4import { p256, p384, p521 } from '@noble/curves/nist.js';
5
6for (const curve of [secp256k1, schnorr, x25519, x448, p256, p384, p521]) {
7  const alice = curve.keygen();
8  const bob = curve.keygen();
9  const sharedKey = curve.getSharedSecret(alice.secretKey, bob.publicKey);
10  console.log('alice', alice, 'bob', bob, 'shared', sharedKey);
11}
12
13// x25519 & x448 specific methods
14import { ed25519 } from '@noble/curves/ed25519.js';
15const alice = ed25519.keygen();
16const bob = ed25519.keygen();
17const aliceSecX = ed25519.utils.toMontgomerySecret(alice.secretKey);
18const bobPubX = ed25519.utils.toMontgomery(bob.publicKey);
19const sharedKey = x25519.getSharedSecret(aliceSecX, bobPubX);

We provide ECDH over all Weierstrass curves, and over 2 Montgomery curves X25519 (Curve25519) & X448 (Curve448), conforming to RFC 7748.

In Weierstrass curves, shared secrets:

Include y-parity bytes: use key.slice(1) to strip it
Are not hashed: use hashing or KDF on top, like sha256(shared) or hkdf(shared)

webcrypto: Friendly wrapper

[!NOTE] Webcrypto methods are always async.

webcrypto signatures

1import { ed25519, ed448, p256, p384, p521 } from './src/webcrypto.ts';
2
3(async () => {
4  for (let [name, curve] of Object.entries({ p256, p384, p521, ed25519, ed448 })) {
5    console.log('curve', name);
6    if (!await curve.isSupported()) {
7      console.log('is not supported, skipping');
8      continue;
9    }
10    const keys = await curve.keygen();
11    const msg = new TextEncoder().encode('hello noble');
12    const sig = await curve.sign(msg, keys.secretKey);
13    const isValid = await curve.verify(sig, msg, keys.publicKey);
14    console.log({
15      keys, msg, sig, isValid
16    });
17  }
18})();

webcrypto ecdh

1import { p256, p384, p521, x25519, x448 } from './src/webcrypto.ts';
2
3(async () => {
4  for (let [name, curve] of Object.entries({ p256, p384, p521, x25519, x448 })) {
5    console.log('curve', name);
6    if (!await curve.isSupported()) {
7      console.log('is not supported, skipping');
8      continue;
9    }
10    const alice = await curve.keygen();
11    const bob = await curve.keygen();
12    const shared = await curve.getSharedSecret(alice.secretKey, bob.publicKey);
13    const shared2 = await curve.getSharedSecret(bob.secretKey, alice.publicKey);
14    console.log({shared});
15  }
16})();

Key conversion from noble to webcrypto and back

1import { p256 as p256n } from './src/nist.ts';
2import { p256 } from './src/webcrypto.ts';
3(async () => {
4  const nobleKeys = p256n.keygen();
5  // convert noble keys to webcrypto
6  const webKeys = {
7    secretKey: await p256.utils.convertSecretKey(nobleKeys.secretKey, 'raw', 'pkcs8'),
8    publicKey: await p256.utils.convertPublicKey(nobleKeys.publicKey, 'raw', 'spki')
9  };
10  // convert webcrypto keys to noble
11  const nobleKeys2 = {
12    secretKey: await p256.utils.convertSecretKey(webKeys.secretKey, 'pkcs8', 'raw'),
13    publicKey: await p256.utils.convertPublicKey(webKeys.publicKey, 'spki', 'raw')
14  };
15})();

Check out micro-key-producer for pure JS key conversion utils.

BLS signatures, bls12-381, bn254 aka alt_bn128

1import { bls12_381 } from '@noble/curves/bls12-381.js';
2
3// G1 pubkeys, G2 sigs
4const blsl = bls12_381.longSignatures;
5const { secretKey, publicKey } = blsl.keygen();
6// const publicKey = blsl.getPublicKey(secretKey);
7const msg = new TextEncoder().encode('hello noble');
8// default DST
9const msgp = blsl.hash(msg);
10// custom DST (Ethereum)
11const msgpd = blsl.hash(msg, 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_');
12const signature = blsl.sign(msgp, secretKey);
13const isValid = blsl.verify(signature, msgp, publicKey);
14console.log('long', { publicKey, signature, isValid });
15
16// G1 sigs, G2 pubkeys
17const blss = bls12_381.shortSignatures;
18const publicKey2 = blss.getPublicKey(secretKey);
19const msgp2 = blss.hash(msg, 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_');
20const signature2 = blss.sign(msgp2, secretKey);
21const isValid2 = blss.verify(signature2, msgp2, publicKey);
22console.log({ publicKey2, signature2, isValid2 });
23
24// Aggregation
25const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([
26  bls12_381.utils.randomSecretKey(),
27  bls12_381.utils.randomSecretKey(),
28]);
29// const aggregatedSig = bls.aggregateSignatures(sigs)
30
31// Pairings, with and without final exponentiation
32// bls.pairing(PointG1, PointG2);
33// bls.pairing(PointG1, PointG2, false);
34// bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2));
35
36// Others
37// bls.G1.Point.BASE, bls.G2.Point.BASE;
38// bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr;

See abstract/bls. For example usage, check out the implementation of BLS EVM precompiles.

The BN254 API mirrors BLS. The curve was previously called alt_bn128. The implementation is compatible with EIP-196 and EIP-197.

For BN254 usage, check out the implementation of bn254 EVM precompiles. We don't implement Point methods toBytes. To work around this limitation, has to initialize points on their own from BigInts. Reason it's not implemented is because there is no standard. Points of divergence:

Endianness: LE vs BE (byte-swapped)
Flags as first hex bits (similar to BLS) vs no-flags
Imaginary part last in G2 vs first (c0, c1 vs c1, c0)

hash-to-curve: hashing to curve points

1import { bls12_381 } from './src/bls12-381.ts';
2import { ed25519_hasher, ristretto255_hasher } from './src/ed25519.ts';
3import { decaf448_hasher, ed448_hasher } from './src/ed448.ts';
4import { p256_hasher, p384_hasher, p521_hasher } from './src/nist.ts';
5import { secp256k1_hasher } from './src/secp256k1.ts';
6
7const h = {
8  secp256k1_hasher,
9  p256_hasher, p384_hasher, p521_hasher,
10  ed25519_hasher,
11  ed448_hasher,
12  ristretto255_hasher,
13  decaf448_hasher,
14  bls_G1: bls12_381.G1,
15  bls_G2: bls12_381.G2
16};
17
18const msg = Uint8Array.from([0xca, 0xfe, 0x01, 0x23]);
19console.log('msg', msg);
20for (let [name, c] of Object.entries(h)) {
21  const hashToCurve = c.hashToCurve(msg).toHex();
22  const hashToCurve_customDST = c.hashToCurve(msg, { DST: 'hello noble' }).toHex();
23  const encodeToCurve = 'encodeToCurve' in c ? c.encodeToCurve(msg).toHex() : undefined;
24  // ristretto255, decaf448 only
25  const deriveToCurve = 'deriveToCurve' in c ?
26    c.deriveToCurve!(new Uint8Array(c.Point.Fp.BYTES * 2)).toHex() : undefined;
27  const hashToScalar = c.hashToScalar(msg);
28  console.log({
29    name, hashToCurve, hashToCurve_customDST, encodeToCurve, deriveToCurve, hashToScalar
30  });
31}
32
33// abstract methods
34import { expand_message_xmd, expand_message_xof, hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';

The module allows to hash arbitrary strings to elliptic curve points. Implements RFC 9380.

[!NOTE] Why is p256_hasher separate from p256? The methods reside in separate _hasher namespace for tree-shaking: this way users who don't need hash-to-curve, won't have it in their builds.

OPRFs

1import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
2import { ristretto255_oprf } from '@noble/curves/ed25519.js';
3import { decaf448_orpf } from '@noble/curves/ed448.js';

We provide OPRFs (oblivious pseudorandom functions), conforming to RFC 9497.

OPRF allows to interactively create an Output = PRF(Input, serverSecretKey):

Server cannot calculate Output by itself: it doesn't know Input
Client cannot calculate Output by itself: it doesn't know server secretKey
An attacker interception the communication can't restore Input/Output/serverSecretKey and can't link Input to some value.

poseidon: Poseidon hash

Implements Poseidon ZK-friendly hash: permutation and sponge.

There are many poseidon variants with different constants. We don't provide them: you should construct them manually. Check out scure-starknet package for a proper example.

1import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
2
3const rate = 2;
4const capacity = 1;
5const { mds, roundConstants } = poseidon.grainGenConstants({
6  Fp,
7  t: rate + capacity,
8  roundsFull: 8,
9  roundsPartial: 31,
10});
11const opts = {
12  Fp,
13  rate,
14  capacity,
15  sboxPower: 17,
16  mds,
17  roundConstants,
18  roundsFull: 8,
19  roundsPartial: 31,
20};
21const permutation = poseidon.poseidon(opts);
22const sponge = poseidon.poseidonSponge(opts); // use carefully, not specced

fft: Fast Fourier Transform

1import * as fft from '@noble/curves/abstract/fft.js';
2import { bls12_381 } from '@noble/curves/bls12-381.js';
3const Fr = bls12_381.fields.Fr;
4const roots = fft.rootsOfUnity(Fr, 7n);
5const fftFr = fft.FFT(roots, Fr);

Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields. API may change at any time. The code has not been audited. Feature requests are welcome.

utils: byte shuffling, conversion

1import { bytesToHex, concatBytes, equalBytes, hexToBytes } from '@noble/curves/abstract/utils.js';
2
3bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23]));
4hexToBytes('cafe0123');
5concatBytes(Uint8Array.from([0xca, 0xfe]), Uint8Array.from([0x01, 0x23]));
6equalBytes(Uint8Array.of(0xca), Uint8Array.of(0xca));

Internals

Elliptic curve Point math

1import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
2import { p256, p384, p521 } from '@noble/curves/nist.js';
3import { ed25519, ristretto255 } from '@noble/curves/ed25519.js';
4import { ed448, decaf448 } from '@noble/curves/ed448.js';
5import { bls12_381 } from '@noble/curves/bls12-381.js'
6import { bn254 } from '@noble/curves/bn254.js';
7import { jubjub, babyjubjub } from '@noble/curves/misc.js';
8
9const curves = [
10  secp256k1, schnorr, p256, p384, p521, ed25519, ed448,
11  ristretto255, decaf448,
12  bls12_381.G1, bls12_381.G2, bn254.G1, bn254.G2,
13  jubjub, babyjubjub
14];
15for (const curve of curves) {
16  const { Point } = curve;
17  const { BASE, ZERO, Fp, Fn } = Point;
18  const p = BASE.multiply(2n);
19
20  // Initialization
21  if (info.type === 'weierstrass') {
22    // projective (homogeneous) coordinates: (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
23    const p_ = new Point(BASE.X, BASE.Y, BASE.Z);
24  } else if (info.type === 'edwards') {
25    // extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z)
26    const p_ = new Point(BASE.X, BASE.Y, BASE.Z, BASE.T);
27  }
28
29  // Math
30  const p1 = p.add(p);
31  const p2 = p.double();
32  const p3 = p.subtract(p);
33  const p4 = p.negate();
34  const p5 = p.multiply(451n);
35
36  // MSM (multi-scalar multiplication)
37  const pa = [BASE, BASE.multiply(2n), BASE.multiply(4n), BASE.multiply(8n)];
38  const p6 = Point.msm(pa, [3n, 5n, 7n, 11n]);
39  const _true3 = p6.equals(BASE.multiply(129n)); // 129*G
40
41  const pcl = p.clearCofactor();
42  console.log(p.isTorsionFree(), p.isSmallOrder());
43
44  const r1 = p.toBytes();
45  const r1_ = Point.fromBytes(r1);
46  const r2 = p.toAffine();
47  const { x, y } = r2;
48  const r2_ = Point.fromAffine(r2);
49}

modular: Modular arithmetics & finite fields

1import { mod, invert, Field } from '@noble/curves/abstract/modular.js';
2
3// Finite Field utils
4const fp = Field(2n ** 255n - 19n); // Finite field over 2^255-19
5fp.mul(591n, 932n); // multiplication
6fp.pow(481n, 11024858120n); // exponentiation
7fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17)
8fp.inv(5n); // modular inverse
9fp.sqrt(21n); // square root
10
11// Non-Field generic utils are also available
12mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
13invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse

All arithmetics is done with JS bigints over finite fields, which is defined from modular sub-module.

Field operations are not constant-time: see security. The fact is mostly irrelevant, but the important method to keep in mind is pow, which may leak exponent bits, when used naïvely.

weierstrass: Custom Weierstrass curve

1import { weierstrass } from '@noble/curves/abstract/weierstrass.js';
2// NIST secp192r1 aka p192. https://www.secg.org/sec2-v2.pdf
3const p192_CURVE = {
4  p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
5  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
6  h: 1n,
7  a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
8  b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
9  Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
10  Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
11};
12const p192_Point = weierstrass(p192_CURVE);

Short Weierstrass curve's formula is y² = x³ + ax + b. weierstrass expects arguments a, b, field characteristic p, curve order n, cofactor h and coordinates Gx, Gy of generator point.

edwards: Custom Edwards curve

1import { edwards } from '@noble/curves/abstract/edwards.js';
2const ed25519_CURVE = {
3  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
4  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
5  h: 8n,
6  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
7  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
8  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
9  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n,
10};
11const ed25519_Point = edwards(ed25519_CURVE);

Twisted Edwards curve's formula is ax² + y² = 1 + dx²y². You must specify a, d, field characteristic p, curve order n (sometimes named as L), cofactor h and coordinates Gx, Gy of generator point.

Custom ECDSA instance

1import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
2import { sha256 } from '@noble/hashes/sha2.js';
3const p192_sha256 = ecdsa(p192_Point, sha256);
4// or
5const p192_sha224 = ecdsa(p192.Point, sha224);
6
7const keys = p192_sha256.keygen();
8const msg = new TextEncoder().encode('custom curve');
9const sig = p192_sha256.sign(msg, keys.secretKey);
10const isValid = p192_sha256.verify(sig, msg, keys.publicKey);

Security

The library has been independently audited:

at version 1.6.0, in Sep 2024, by Cure53
- PDFs: website, in-repo
- Changes since audit
- Scope: ed25519, ed448, their add-ons, bls12-381, bn254, hash-to-curve, low-level primitives bls, tower, edwards, montgomery.
- The audit has been funded by OpenSats
at version 1.2.0, in Sep 2023, by Kudelski Security
- PDFs: in-repo
- Changes since audit
- Scope: scure-starknet and its related abstract modules of noble-curves: curve, modular, poseidon, weierstrass
- The audit has been funded by Starkware
at version 0.7.3, in Feb 2023, by Trail of Bits
- PDFs: website, in-repo
- Changes since audit
- Scope: abstract modules curve, hash-to-curve, modular, poseidon, utils, weierstrass and top-level modules _shortw_utils and secp256k1
- The audit has been funded by Ryan Shea

It is tested against property-based, cross-library and Wycheproof vectors, and is being fuzzed in the separate repo.

If you see anything unusual: investigate and report.

Constant-timeness

We're targetting algorithmic constant time. JIT-compiler and Garbage Collector make "constant time" extremely hard to achieve timing attack resistance in a scripting language. Which means any other JS library can't have constant-timeness. Even statically typed Rust, a language without GC, makes it harder to achieve constant-time for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones. Use low-level libraries & languages.

Memory dumping

Use low-level languages instead of JS / WASM if your goal is absolute security.

The library mostly uses Uint8Arrays and bigints.

Uint8Arrays have .fill(0) which instructs to fill content with zeroes but there are no guarantees in JS
bigints are immutable and don't have a method to zeroize their content: a user needs to wait until the next garbage collection cycle
hex strings are also immutable: there is no way to zeroize them
await fn() will write all internal variables to memory. With async functions there are no guarantees when the code chunk would be executed. Which means attacker can have plenty of time to read data from memory.

This means some secrets could stay in memory longer than anticipated. However, if an attacker can read application memory, it's doomed anyway: there is no way to guarantee anything about zeroizing sensitive data without complex tests-suite which will dump process memory and verify that there is no sensitive data left. For JS it means testing all browsers (including mobile). And, of course, it will be useless without using the same test-suite in the actual application that consumes the library.

Supply chain security

Commits are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
Releases are transparent and built on GitHub CI. Make sure to verify provenance logs
- Use GitHub CLI to verify single-file builds: gh attestation verify --owner paulmillr noble-curves.js
Rare releasing is followed to ensure less re-audit need for end-users
Dependencies are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
- We make sure to use as few dependencies as possible
- Automatic dep updates are prevented by locking-down version ranges; diffs are checked with npm-diff
Dev Dependencies are disabled for end-users; they are only used to develop / build the source code

For this package, there is 1 dependency; and a few dev dependencies:

noble-hashes provides cryptographic hashing functionality
micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size

Randomness

We're deferring to built-in crypto.getRandomValues which is considered cryptographically secure (CSPRNG).

In the past, browsers had bugs that made it weak: it may happen again. Implementing a userspace CSPRNG to get resilient to the weakness is even worse: there is no reliable userspace source of quality entropy.

Quantum computers

Cryptographically relevant quantum computer, if built, will allow to break elliptic curve cryptography (both ECDSA / EdDSA & ECDH) using Shor's algorithm.

Consider switching to newer / hybrid algorithms, such as SPHINCS+. They are available in noble-post-quantum.

NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH) after 2035. Australian ASD prohibits it after 2030.

Speed

1npm run bench

noble-curves spends 10+ ms to generate 20MB+ of base point precomputes. This is done one-time per curve.

The generation is deferred until any method (pubkey, sign, verify) is called. User can force precompute generation by manually calling Point.BASE.precompute(windowSize, false). Check out the source code.

Benchmark results on Apple M4:

# secp256k1
init 10ms
getPublicKey x 9,099 ops/sec @ 109μs/op
sign x 7,182 ops/sec @ 139μs/op
verify x 1,188 ops/sec @ 841μs/op
recoverPublicKey x 1,265 ops/sec @ 790μs/op
getSharedSecret x 735 ops/sec @ 1ms/op
schnorr.sign x 957 ops/sec @ 1ms/op
schnorr.verify x 1,210 ops/sec @ 825μs/op

# ed25519
init 14ms
getPublicKey x 14,216 ops/sec @ 70μs/op
sign x 6,849 ops/sec @ 145μs/op
verify x 1,400 ops/sec @ 713μs/op

# ed448
init 37ms
getPublicKey x 5,273 ops/sec @ 189μs/op
sign x 2,494 ops/sec @ 400μs/op
verify x 476 ops/sec @ 2ms/op

# p256
init 17ms
getPublicKey x 8,977 ops/sec @ 111μs/op
sign x 7,236 ops/sec @ 138μs/op
verify x 877 ops/sec @ 1ms/op

# p384
init 42ms
getPublicKey x 4,084 ops/sec @ 244μs/op
sign x 3,247 ops/sec @ 307μs/op
verify x 331 ops/sec @ 3ms/op

# p521
init 83ms
getPublicKey x 2,049 ops/sec @ 487μs/op
sign x 1,748 ops/sec @ 571μs/op
verify x 170 ops/sec @ 5ms/op

# ristretto255
add x 931,966 ops/sec @ 1μs/op
multiply x 15,444 ops/sec @ 64μs/op
encode x 21,367 ops/sec @ 46μs/op
decode x 21,715 ops/sec @ 46μs/op

# decaf448
add x 478,011 ops/sec @ 2μs/op
multiply x 416 ops/sec @ 2ms/op
encode x 8,562 ops/sec @ 116μs/op
decode x 8,636 ops/sec @ 115μs/op

# ECDH
x25519 x 1,981 ops/sec @ 504μs/op
x448 x 743 ops/sec @ 1ms/op
secp256k1 x 728 ops/sec @ 1ms/op
p256 x 705 ops/sec @ 1ms/op
p384 x 268 ops/sec @ 3ms/op
p521 x 137 ops/sec @ 7ms/op

# hash-to-curve
hashToPrivateScalar x 1,754,385 ops/sec @ 570ns/op
hash_to_field x 135,703 ops/sec @ 7μs/op
hashToCurve secp256k1 x 3,194 ops/sec @ 313μs/op
hashToCurve p256 x 5,962 ops/sec @ 167μs/op
hashToCurve p384 x 2,230 ops/sec @ 448μs/op
hashToCurve p521 x 1,063 ops/sec @ 940μs/op
hashToCurve ed25519 x 4,047 ops/sec @ 247μs/op
hashToCurve ed448 x 1,691 ops/sec @ 591μs/op
hash_to_ristretto255 x 8,733 ops/sec @ 114μs/op
hash_to_decaf448 x 3,882 ops/sec @ 257μs/op

# modular over secp256k1 P field
invert a x 866,551 ops/sec @ 1μs/op
invert b x 693,962 ops/sec @ 1μs/op
sqrt p = 3 mod 4 x 25,738 ops/sec @ 38μs/op
sqrt tonneli-shanks x 847 ops/sec @ 1ms/op

# bls12-381
init 22ms
getPublicKey x 1,325 ops/sec @ 754μs/op
sign x 80 ops/sec @ 12ms/op
verify x 62 ops/sec @ 15ms/op
pairing x 166 ops/sec @ 6ms/op
pairing10 x 54 ops/sec @ 18ms/op ± 23.48% (15ms..36ms)
MSM 4096 scalars x points 3286ms
aggregatePublicKeys/8 x 173 ops/sec @ 5ms/op
aggregatePublicKeys/32 x 46 ops/sec @ 21ms/op
aggregatePublicKeys/128 x 11 ops/sec @ 84ms/op
aggregatePublicKeys/512 x 2 ops/sec @ 335ms/op
aggregatePublicKeys/2048 x 0 ops/sec @ 1346ms/op
aggregateSignatures/8 x 82 ops/sec @ 12ms/op
aggregateSignatures/32 x 21 ops/sec @ 45ms/op
aggregateSignatures/128 x 5 ops/sec @ 178ms/op
aggregateSignatures/512 x 1 ops/sec @ 705ms/op
aggregateSignatures/2048 x 0 ops/sec @ 2823ms/op

Upgrading

Supported node.js versions:

v2 (2025-08): v20.19+ (ESM-only)
v1 (2023-04): v14.21+ (ESM & CJS)

Changelog of curves v1 to curves v2

v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future. We tried to keep v2 as much backwards-compatible as possible.

To simplify upgrading, upgrade first to curves 1.9.x. It would show deprecations in vscode-like text editor. Fix them first.

The package is now ESM-only. ESM can finally be loaded from common.js on node v20.19+
.js extension must be used for all modules
- Old: @noble/curves/ed25519
- New: @noble/curves/ed25519.js
- This simplifies working in browsers natively without transpilers

New features:

webcrypto: create friendly noble-like wrapper over built-in WebCrypto
oprf: implement RFC 9497 OPRFs (oblivious pseudorandom functions)
- We support p256, p384, p521, ristretto255 and decaf448
weierstrass, edwards: add isValidSecretKey, isValidPublicKey
misc: add Brainpool curves: brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

Changes:

Most methods now expect Uint8Array, string hex inputs are prohibited
- The change simplifies reasoning, improves security and reduces malleability
- Point.fromHex now expects string-only hex inputs, use Point.fromBytes for Uint8Array
Breaking changes of ECDSA (secp256k1, p256, p384...):
- sign, verify: Switch to prehashed messages. Instead of messageHash, the methods now expect unhashed message. To bring back old behavior, use option {prehash: false}
- sign, verify: Switch to lowS signatures by default. This change doesn't affect secp256k1, which has been using lowS since beginning. To bring back old behavior, use option {lowS: true}
- sign, verify: Switch to Uint8Array signatures (format: 'compact') by default.
- verify: der format must be explicitly specified in {format: 'der'}. This reduces malleability
- verify: prohibit Signature-instance signature. User must now always do signature.toBytes()
Breaking changes of BLS signatures (bls12-381, bn254):
- Move getPublicKey, sign, verify, signShortSignature etc into two new namespaces: bls.longSignatures (G1 pubkeys, G2 sigs) and bls.shortSignatures (G1 sigs, G2 pubkeys).
- verifyBatch now expects array of inputs {message: ..., publicKey: ...}[]
Curve changes:
- Massively simplify curve creation, split it into point creation & sig generator creation
- New methods are weierstrass() + ecdsa() / edwards() + eddsa()
- weierstrass / edwards expect simplified curve params (Fp became p)
- ecdsa / eddsa expect Point class and hash
- Remove unnecessary Fn argument in pippenger
modular changes:
- Field#fromBytes() now validates elements to be in 0..order-1 range
Massively improve error messages, make them more descriptive

Renamings:

Module changes
- p256, p384, p521 modules have been moved into nist
- jubjub module has been moved into misc
Point changes
- ExtendedPoint, ProjectivePoint => Point
- Point coordinates (projective / extended) from px/ex, py/ey, pz/ez, et => X, Y, Z, T
- Point.normalizeZ, Point.msm => separate methods in abstract/curve.js submodule
- Point.fromPrivateKey() got removed, use Point.BASE.multiply() and Point.Fn.fromBytes(secretKey)
- toRawBytes, fromRawBytes => toBytes, fromBytes
- RistrettoPoint => ristretto255.Point, DecafPoiont => decaf448.Point
Signature (ECDSA) changes
- toCompactRawBytes, toDERRawBytes => toBytes('compact'), toBytes('der')
- toCompactHex, toDERHex => toHex('compact'), toHex('der')
- fromCompact, fromDER => fromBytes(format), fromHex(format)
utils changes
- randomPrivateKey => randomSecretKey
- utils.precompute, Point#_setWindowSize => Point#precompute
- edwardsToMontgomery => utils.toMontgomery
- edwardsToMontgomeryPriv => utils.toMontgomerySecret
Rename all curve-specific hash-to-curve methods to *curve*_hasher. Example: secp256k1.hashToCurve => secp256k1_hasher.hashToCurve()
Massive type renamings and improvements

Removed features:

Point#multiplyAndAddUnsafe, Point#hasEvenY
CURVE property with all kinds of random stuff. Point.CURVE() now replaces it, but only provides curve parameters
Remove pasta, bn254_weierstrass (NOT pairing-based bn254) curves
Field.MASK
utils.normPrivateKeyToScalar

noble-secp256k1 v1 to curves v1

Previously, the library was split into single-feature packages noble-secp256k1, noble-ed25519 and noble-bls12-381.

Curves continue their original work. The single-feature packages changed their direction towards providing minimal 5kb implementations of cryptography, which means they have less features.

getPublicKey
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set argument isCompressed to false: getPublicKey(priv, false)
sign
- is now sync
- now returns Signature instance with { r, s, recovery } properties
- canonical option was renamed to lowS
- recovered option has been removed because recovery bit is always returned now
- der option has been removed. There are 2 options:
  1. Use compact encoding: fromCompact, toCompactRawBytes, toCompactHex. Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
  2. If you must use DER encoding, switch to noble-curves (see above).
verify
- is now sync
- strict option was renamed to lowS
getSharedSecret
- now produce 33-byte compressed signatures by default
- to use old behavior, which produced 65-byte uncompressed keys, set argument isCompressed to false: getSharedSecret(a, b, false)
recoverPublicKey(msg, sig, rec) was changed to sig.recoverPublicKey(msg)
number type for private keys have been removed: use bigint instead
Point (2d xy) has been changed to ProjectivePoint (3d xyz)
utils were split into utils (same api as in noble-curves) and etc (hmacSha256Sync and others)

noble-ed25519 v1 to curves v1

Upgrading from @noble/ed25519:

Methods are now sync by default
bigint is no longer allowed in getPublicKey, sign, verify. Reason: ed25519 is LE, can lead to bugs
Point (2d xy) has been changed to ExtendedPoint (xyzt)
Signature was removed: just use raw bytes or hex now
utils were split into utils (same api as in noble-curves) and etc (sha512Sync and others)
getSharedSecret was moved to x25519 module
toX25519 has been moved to edwardsToMontgomeryPub and edwardsToMontgomeryPriv methods

noble-bls12-381 to curves v1

Upgrading from @noble/bls12-381:

Methods and classes were renamed:
- PointG1 -> G1.Point, PointG2 -> G2.Point
- PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
Fp2 ORDER was corrected

Contributing & testing

npm install && npm run build && npm test will build the code and run tests.
npm run lint / npm run format will run linter / fix linter issues.
npm run bench will run benchmarks
npm run build:release will build single file

See paulmillr.com/noble for useful resources, articles, documentation and demos related to the library.

MuSig2 signature scheme and BIP324 ElligatorSwift mapping for secp256k1 are available in a separate package.

License

The MIT License (MIT)

See LICENSE file.

No vulnerabilities found.