Provides the Pasta curves: Pallas, Vesta and their field elements Fp and Fq.

LTS Haskell 20.11:
Stackage Nightly 2022-11-17:
Latest on Hackage:

See all snapshots pasta-curves appears in

MIT licensed by Eric Schorn
Maintained by Eric Schorn
This version can be pinned in stack with:pasta-curves-,3057

Module documentation for


Stack CI Cabal CI Hackage Stackage Lts Stackage Nightly MIT license

This Haskell library provides the Pasta Curves consisting of: the Pallas curve and its Fp field element, the Vesta curve and its Fq field element, and a variety of supporting functionality such as point/element arithmetic, serialization, and hash-to-curve. The algorithms are NOT constant time.

Pallas is y2 = x3 + 5 over Fp(0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001). The order of the Pallas curve is 0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001.

Vesta is y2 = x3 + 5 over Fq(0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001). The order of the Vesta curve is 0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001.

The curves are designed such that the order of one matches the field characteristic of the other. For a brief introduction, see the Zcash blog titled “The Pasta Curves for Halo 2 and Beyond”. The reference Rust implementation (which inspired this implementation) can be found at:

Example usage of this library implementation:

$ cabal repl

ghci> a = 9 :: Fp

ghci> a*a

ghci> pointMul a base :: Vesta
Projective {_px = 0x3CDC6A090F2BB3B52714C083929B620FE24ADBCBBD420752108CD7C29E543E5E, 
            _py = 0x08795CD330B3CE5AA63BD2B18DE155AE3C96E8AF9DA2CC742C6BA1464E490161, 
            _pz = 0x1FA26F58F3A641ADFE81775D3D53378D6178B6CCBF14F9BD4AB5F10DEE28D878}

Copyright 2022 Eric Schorn; Licensed under the MIT License.



pasta-curves uses PVP Versioning. The changelog is available on GitHub.

  • Initially created.

  • Dropped (minimum required) cabal version to improve compatibility
  • Added functions to generate A) invertible random field element, and B) random Pallas/Vesta curve point
  • Added Bounded instances to field elements