@aztec/foundation 4.0.0-nightly.20250907 → 4.0.0-nightly.20260107

package/src/crypto/ecdsa/signature.ts

@@ -1,6 +1,6 @@
 import { toBufferBE } from '@aztec/foundation/bigint-buffer';
-import { randomBytes } from '@aztec/foundation/crypto';
-import { Fr } from '@aztec/foundation/fields';
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { Fr } from '@aztec/foundation/curves/bn254';
 import { mapTuple } from '@aztec/foundation/serialize';
 
 import type { Signature } from '../signature/index.js';

package/src/crypto/grumpkin/index.ts

@@ -1,36 +1,34 @@
 import { BarretenbergSync } from '@aztec/bb.js';
-import { Fr, type GrumpkinScalar, Point } from '@aztec/foundation/fields';
+import { Fr } from '@aztec/foundation/curves/bn254';
+import type { GrumpkinScalar } from '@aztec/foundation/curves/grumpkin';
+import { Point } from '@aztec/foundation/curves/grumpkin';
 
 /**
  * Grumpkin elliptic curve operations.
  */
 export class Grumpkin {
   // prettier-ignore
-  static generator = Point.fromBuffer(Buffer.from([
+  static readonly generator = Point.fromBuffer(Buffer.from([
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xcf, 0x13, 0x5e, 0x75, 0x06, 0xa4, 0x5d, 0x63,
     0x2d, 0x27, 0x0d, 0x45, 0xf1, 0x18, 0x12, 0x94, 0x83, 0x3f, 0xc4, 0x8d, 0x82, 0x3f, 0x27, 0x2c,
   ]));
 
-  /**
-   * Point generator
-   * @returns The generator for the curve.
-   */
-  public generator(): Point {
-    return Grumpkin.generator;
-  }
-
   /**
    * Multiplies a point by a scalar (adds the point `scalar` amount of times).
    * @param point - Point to multiply.
    * @param scalar - Scalar to multiply by.
    * @returns Result of the multiplication.
    */
-  public async mul(point: Point, scalar: GrumpkinScalar): Promise<Point> {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('ecc_grumpkin__mul', [point.toBuffer(), scalar.toBuffer()], [64]);
-    return Point.fromBuffer(Buffer.from(result));
+  public static async mul(point: Point, scalar: GrumpkinScalar): Promise<Point> {
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.grumpkinMul({
+      point: { x: point.x.toBuffer(), y: point.y.toBuffer() },
+      scalar: scalar.toBuffer(),
+    });
+    return Point.fromBuffer(Buffer.concat([Buffer.from(response.point.x), Buffer.from(response.point.y)]));
   }
 
   /**
@@ -39,10 +37,14 @@ export class Grumpkin {
    * @param b - Point b to add to a
    * @returns Result of the addition.
    */
-  public async add(a: Point, b: Point): Promise<Point> {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('ecc_grumpkin__add', [a.toBuffer(), b.toBuffer()], [64]);
-    return Point.fromBuffer(Buffer.from(result));
+  public static async add(a: Point, b: Point): Promise<Point> {
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.grumpkinAdd({
+      pointA: { x: a.x.toBuffer(), y: a.y.toBuffer() },
+      pointB: { x: b.x.toBuffer(), y: b.y.toBuffer() },
+    });
+    return Point.fromBuffer(Buffer.concat([Buffer.from(response.point.x), Buffer.from(response.point.y)]));
   }
 
   /**
@@ -51,35 +53,26 @@ export class Grumpkin {
    * @param scalar - Scalar to multiply by.
    * @returns Points multiplied by the scalar.
    */
-  public async batchMul(points: Point[], scalar: GrumpkinScalar) {
-    const concatenatedPoints: Buffer = Buffer.concat(points.map(point => point.toBuffer()));
-
-    const pointsByteLength = points.length * Point.SIZE_IN_BYTES;
-
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api
-      .getWasm()
-      .callWasmExport(
-        'ecc_grumpkin__batch_mul',
-        [concatenatedPoints, scalar.toBuffer(), points.length],
-        [pointsByteLength],
-      );
+  public static async batchMul(points: Point[], scalar: GrumpkinScalar) {
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.grumpkinBatchMul({
+      points: points.map(p => ({ x: p.x.toBuffer(), y: p.y.toBuffer() })),
+      scalar: scalar.toBuffer(),
+    });
 
-    const parsedResult: Point[] = [];
-    for (let i = 0; i < pointsByteLength; i += 64) {
-      parsedResult.push(Point.fromBuffer(Buffer.from(result.subarray(i, i + 64))));
-    }
-    return parsedResult;
+    return response.points.map(p => Point.fromBuffer(Buffer.concat([Buffer.from(p.x), Buffer.from(p.y)])));
   }
 
   /**
    * Gets a random field element.
    * @returns Random field element.
    */
-  public async getRandomFr(): Promise<Fr> {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('ecc_grumpkin__get_random_scalar_mod_circuit_modulus', [], [32]);
-    return Fr.fromBuffer(Buffer.from(result));
+  public static async getRandomFr(): Promise<Fr> {
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.grumpkinGetRandomFr({ dummy: 0 });
+    return Fr.fromBuffer(Buffer.from(response.value));
   }
 
   /**
@@ -87,11 +80,10 @@ export class Grumpkin {
    * @param uint512Buf - The buffer to convert.
    * @returns Buffer representation of the field element.
    */
-  public async reduce512BufferToFr(uint512Buf: Buffer): Promise<Fr> {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api
-      .getWasm()
-      .callWasmExport('ecc_grumpkin__reduce512_buffer_mod_circuit_modulus', [uint512Buf], [32]);
-    return Fr.fromBuffer(Buffer.from(result));
+  public static async reduce512BufferToFr(uint512Buf: Buffer): Promise<Fr> {
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.grumpkinReduce512({ input: uint512Buf });
+    return Fr.fromBuffer(Buffer.from(response.value));
   }
 }

package/src/crypto/keys/index.ts

@@ -1,10 +1,10 @@
-import { BarretenbergSync, RawBuffer } from '@aztec/bb.js';
+import { BarretenbergSync } from '@aztec/bb.js';
 
-import { Fr } from '../../fields/fields.js';
+import { Fr } from '../../curves/bn254/field.js';
 
 export async function vkAsFieldsMegaHonk(input: Buffer): Promise<Fr[]> {
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const result = api.acirVkAsFieldsMegaHonk(new RawBuffer(input));
-
-  return result.map(bbFr => Fr.fromBuffer(Buffer.from(bbFr.toBuffer()))); // TODO(#4189): remove this conversion
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.megaVkAsFields({ verificationKey: input });
+  return response.fields.map(field => Fr.fromBuffer(Buffer.from(field)));
 }

package/src/crypto/pedersen/pedersen.wasm.ts

@@ -1,6 +1,6 @@
-import { BarretenbergSync, Fr as FrBarretenberg } from '@aztec/bb.js';
+import { BarretenbergSync } from '@aztec/bb.js';
 
-import { Fr } from '../../fields/fields.js';
+import { Fr } from '../../curves/bn254/field.js';
 import { type Fieldable, serializeToFields } from '../../serialize/serialize.js';
 
 /**
@@ -12,14 +12,13 @@ export async function pedersenCommit(input: Buffer[], offset = 0) {
     throw new Error('All Pedersen Commit input buffers must be <= 32 bytes.');
   }
   input = input.map(i => (i.length < 32 ? Buffer.concat([Buffer.alloc(32 - i.length, 0), i]) : i));
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const point = api.pedersenCommit(
-    input.map(i => new FrBarretenberg(i)),
-    offset,
-  );
-  // toBuffer returns Uint8Arrays (browser/worker-boundary friendly).
-  // TODO: rename toTypedArray()?
-  return [Buffer.from(point.x.toBuffer()), Buffer.from(point.y.toBuffer())];
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.pedersenCommit({
+    inputs: input,
+    hashIndex: offset,
+  });
+  return [Buffer.from(response.point.x), Buffer.from(response.point.y)];
 }
 
 /**
@@ -30,19 +29,24 @@ export async function pedersenCommit(input: Buffer[], offset = 0) {
  */
 export async function pedersenHash(input: Fieldable[], index = 0): Promise<Fr> {
   const inputFields = serializeToFields(input);
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const hash = api.pedersenHash(
-    inputFields.map(i => new FrBarretenberg(i.toBuffer())), // TODO(#4189): remove this stupid conversion
-    index,
-  );
-  return Fr.fromBuffer(Buffer.from(hash.toBuffer()));
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.pedersenHash({
+    inputs: inputFields.map(i => i.toBuffer()),
+    hashIndex: index,
+  });
+  return Fr.fromBuffer(Buffer.from(response.hash));
 }
 
 /**
  * Create a pedersen hash from an arbitrary length buffer.
  */
 export async function pedersenHashBuffer(input: Buffer, index = 0) {
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const result = api.pedersenHashBuffer(input, index);
-  return Buffer.from(result.toBuffer());
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.pedersenHashBuffer({
+    input,
+    hashIndex: index,
+  });
+  return Buffer.from(response.hash);
 }

package/src/crypto/poseidon/index.ts

@@ -1,6 +1,6 @@
-import { BarretenbergSync, Fr as FrBarretenberg } from '@aztec/bb.js';
+import { BarretenbergSync } from '@aztec/bb.js';
 
-import { Fr } from '../../fields/fields.js';
+import { Fr } from '../../curves/bn254/field.js';
 import { type Fieldable, serializeToFields } from '../../serialize/serialize.js';
 
 /**
@@ -10,11 +10,12 @@ import { type Fieldable, serializeToFields } from '../../serialize/serialize.js'
  */
 export async function poseidon2Hash(input: Fieldable[]): Promise<Fr> {
   const inputFields = serializeToFields(input);
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const hash = api.poseidon2Hash(
-    inputFields.map(i => new FrBarretenberg(i.toBuffer())), // TODO(#4189): remove this stupid conversion
-  );
-  return Fr.fromBuffer(Buffer.from(hash.toBuffer()));
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.poseidon2Hash({
+    inputs: inputFields.map(i => i.toBuffer()),
+  });
+  return Fr.fromBuffer(Buffer.from(response.hash));
 }
 
 /**
@@ -26,19 +27,22 @@ export async function poseidon2Hash(input: Fieldable[]): Promise<Fr> {
 export async function poseidon2HashWithSeparator(input: Fieldable[], separator: number): Promise<Fr> {
   const inputFields = serializeToFields(input);
   inputFields.unshift(new Fr(separator));
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-
-  const hash = api.poseidon2Hash(
-    inputFields.map(i => new FrBarretenberg(i.toBuffer())), // TODO(#4189): remove this stupid conversion
-  );
-  return Fr.fromBuffer(Buffer.from(hash.toBuffer()));
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.poseidon2Hash({
+    inputs: inputFields.map(i => i.toBuffer()),
+  });
+  return Fr.fromBuffer(Buffer.from(response.hash));
 }
 
 export async function poseidon2HashAccumulate(input: Fieldable[]): Promise<Fr> {
   const inputFields = serializeToFields(input);
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const result = api.poseidon2HashAccumulate(inputFields.map(i => new FrBarretenberg(i.toBuffer())));
-  return Fr.fromBuffer(Buffer.from(result.toBuffer()));
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.poseidon2HashAccumulate({
+    inputs: inputFields.map(i => i.toBuffer()),
+  });
+  return Fr.fromBuffer(Buffer.from(response.hash));
 }
 
 /**
@@ -50,11 +54,14 @@ export async function poseidon2Permutation(input: Fieldable[]): Promise<Fr[]> {
   const inputFields = serializeToFields(input);
   // We'd like this assertion but it's not possible to use it in the browser.
   // assert(input.length === 4, 'Input state must be of size 4');
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const res = api.poseidon2Permutation(inputFields.map(i => new FrBarretenberg(i.toBuffer())));
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.poseidon2Permutation({
+    inputs: inputFields.map(i => i.toBuffer()),
+  });
   // We'd like this assertion but it's not possible to use it in the browser.
-  // assert(res.length === 4, 'Output state must be of size 4');
-  return res.map(o => Fr.fromBuffer(Buffer.from(o.toBuffer())));
+  // assert(response.outputs.length === 4, 'Output state must be of size 4');
+  return response.outputs.map(o => Fr.fromBuffer(Buffer.from(o)));
 }
 
 export async function poseidon2HashBytes(input: Buffer): Promise<Fr> {
@@ -68,10 +75,11 @@ export async function poseidon2HashBytes(input: Buffer): Promise<Fr> {
     inputFields.push(Fr.fromBuffer(fieldBytes));
   }
 
-  const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-  const res = api.poseidon2Hash(
-    inputFields.map(i => new FrBarretenberg(i.toBuffer())), // TODO(#4189): remove this stupid conversion
-  );
+  await BarretenbergSync.initSingleton();
+  const api = BarretenbergSync.getSingleton();
+  const response = api.poseidon2Hash({
+    inputs: inputFields.map(i => i.toBuffer()),
+  });
 
-  return Fr.fromBuffer(Buffer.from(res.toBuffer()));
+  return Fr.fromBuffer(Buffer.from(response.hash));
 }

package/src/crypto/schnorr/index.ts

@@ -1,8 +1,7 @@
 import { BarretenbergSync } from '@aztec/bb.js';
-import { type GrumpkinScalar, Point } from '@aztec/foundation/fields';
-import { numToInt32BE } from '@aztec/foundation/serialize';
+import type { GrumpkinScalar } from '@aztec/foundation/curves/grumpkin';
+import { Point } from '@aztec/foundation/curves/grumpkin';
 
-import { concatenateUint8Arrays } from '../serialize.js';
 import { SchnorrSignature } from './signature.js';
 
 export * from './signature.js';
@@ -17,9 +16,10 @@ export class Schnorr {
    * @returns A grumpkin public key.
    */
   public async computePublicKey(privateKey: GrumpkinScalar): Promise<Point> {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('schnorr_compute_public_key', [privateKey.toBuffer()], [64]);
-    return Point.fromBuffer(Buffer.from(result));
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.schnorrComputePublicKey({ privateKey: privateKey.toBuffer() });
+    return Point.fromBuffer(Buffer.concat([Buffer.from(response.publicKey.x), Buffer.from(response.publicKey.y)]));
   }
 
   /**
@@ -29,12 +29,13 @@ export class Schnorr {
    * @returns A Schnorr signature of the form (s, e).
    */
   public async constructSignature(msg: Uint8Array, privateKey: GrumpkinScalar) {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const messageArray = concatenateUint8Arrays([numToInt32BE(msg.length), msg]);
-    const [s, e] = api
-      .getWasm()
-      .callWasmExport('schnorr_construct_signature', [messageArray, privateKey.toBuffer()], [32, 32]);
-    return new SchnorrSignature(Buffer.from([...s, ...e]));
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.schnorrConstructSignature({
+      message: msg,
+      privateKey: privateKey.toBuffer(),
+    });
+    return new SchnorrSignature(Buffer.from([...response.s, ...response.e]));
   }
 
   /**
@@ -45,11 +46,14 @@ export class Schnorr {
    * @returns True or false.
    */
   public async verifySignature(msg: Uint8Array, pubKey: Point, sig: SchnorrSignature) {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const messageArray = concatenateUint8Arrays([numToInt32BE(msg.length), msg]);
-    const [result] = api
-      .getWasm()
-      .callWasmExport('schnorr_verify_signature', [messageArray, pubKey.toBuffer(), sig.s, sig.e], [1]);
-    return result[0] === 1;
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.schnorrVerifySignature({
+      message: msg,
+      publicKey: { x: pubKey.x.toBuffer(), y: pubKey.y.toBuffer() },
+      s: sig.s,
+      e: sig.e,
+    });
+    return response.verified;
   }
 }

package/src/crypto/schnorr/signature.ts

@@ -1,5 +1,5 @@
-import { randomBytes } from '@aztec/foundation/crypto';
-import { Fr } from '@aztec/foundation/fields';
+import { randomBytes } from '@aztec/foundation/crypto/random';
+import { Fr } from '@aztec/foundation/curves/bn254';
 import { BufferReader, mapTuple } from '@aztec/foundation/serialize';
 
 import type { Signature } from '../signature/index.js';

package/src/crypto/secp256k1/index.ts

@@ -27,9 +27,13 @@ export class Secp256k1 {
    * @returns Result of the multiplication.
    */
   public async mul(point: Uint8Array, scalar: Uint8Array) {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('ecc_secp256k1__mul', [point, scalar], [64]);
-    return Buffer.from(result);
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.secp256k1Mul({
+      point: { x: point.subarray(0, 32), y: point.subarray(32, 64) },
+      scalar,
+    });
+    return Buffer.concat([Buffer.from(response.point.x), Buffer.from(response.point.y)]);
   }
 
   /**
@@ -37,9 +41,10 @@ export class Secp256k1 {
    * @returns Random field element.
    */
   public async getRandomFr() {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api.getWasm().callWasmExport('ecc_secp256k1__get_random_scalar_mod_circuit_modulus', [], [32]);
-    return Buffer.from(result);
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.secp256k1GetRandomFr({ dummy: 0 });
+    return Buffer.from(response.value);
   }
 
   /**
@@ -48,10 +53,9 @@ export class Secp256k1 {
    * @returns Buffer representation of the field element.
    */
   public async reduce512BufferToFr(uint512Buf: Buffer) {
-    const api = await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
-    const [result] = api
-      .getWasm()
-      .callWasmExport('ecc_secp256k1__reduce512_buffer_mod_circuit_modulus', [uint512Buf], [32]);
-    return Buffer.from(result);
+    await BarretenbergSync.initSingleton();
+    const api = BarretenbergSync.getSingleton();
+    const response = api.secp256k1Reduce512({ input: uint512Buf });
+    return Buffer.from(response.value);
   }
 }

package/src/crypto/secp256k1-signer/utils.ts

@@ -7,6 +7,27 @@ import { keccak256 } from '../keccak/index.js';
 
 const ETH_SIGN_PREFIX = '\x19Ethereum Signed Message:\n32';
 
+/** Signature recovery options */
+type RecoveryOpts = {
+  /**
+   * Whether to allow s-values in the high half of the curve (s >= CURVE.n/2).
+   * These are discouraged by EIP2 to prevent signature malleability, and outright
+   * rejected in OpenZeppelin's ECDSA recover, which we use in our Rollup contract.
+   */
+  allowMalleable?: boolean;
+  /**
+   * Whether to allow an y-parity 0-1 bit instead of the standard v value 27-28.
+   */
+  allowYParityAsV?: boolean;
+};
+
+export class Secp256k1Error extends Error {
+  constructor(message: string, opts?: { cause: unknown }) {
+    super(message, opts);
+    this.name = 'Secp256k1Error';
+  }
+}
+
 // We just hash the message to make it easier to work with in the smart contract.
 export function makeEthSignDigest(message: Buffer32): Buffer32 {
   const prefix = Buffer.from(ETH_SIGN_PREFIX);
@@ -46,19 +67,38 @@ export function addressFromPrivateKey(privateKey: Buffer): EthAddress {
  * Recovers an address from a hash and a signature.
  * @param hash - The hash to recover the address from.
  * @param signature - The signature to recover the address from.
+ * @param opts - Recovery options.
  * @returns The address.
+ * @throws Error if signature recovery fails or if signature is malleable and allowMalleable is false.
  */
-export function recoverAddress(hash: Buffer32, signature: Signature): EthAddress {
+export function recoverAddress(hash: Buffer32, signature: Signature, opts?: RecoveryOpts): EthAddress {
   try {
-    const publicKey = recoverPublicKey(hash, signature);
+    const publicKey = recoverPublicKey(hash, signature, opts);
     return publicKeyToAddress(publicKey);
-  } catch (err) {
-    throw new Error(
-      `Error recovering Ethereum address from hash ${hash.toString()} and signature ${signature.toString()}: ${err}`,
+  } catch (err: unknown) {
+    throw new Secp256k1Error(
+      `Error recovering Ethereum address from hash ${hash.toString()} and signature ${signature.toString()}`,
+      { cause: err },
     );
   }
 }
 
+/**
+ * Safely attempts to recover an address from a hash and a signature.
+ * @param hash - The hash to recover the address from.
+ * @param signature - The signature to recover the address from.
+ * @param opts - Recovery options.
+ * @returns The address if recovery succeeds, undefined otherwise.
+ */
+export function tryRecoverAddress(hash: Buffer32, signature: Signature, opts?: RecoveryOpts): EthAddress | undefined {
+  try {
+    const publicKey = recoverPublicKey(hash, signature, opts);
+    return publicKeyToAddress(publicKey);
+  } catch {
+    return undefined;
+  }
+}
+
 /**
  * @attribution - viem
  * Converts a yParityOrV value to a recovery bit.
@@ -75,7 +115,7 @@ export function toRecoveryBit(yParityOrV: number) {
   if (yParityOrV === 28) {
     return 1;
   }
-  throw new Error('Invalid yParityOrV value');
+  throw new Secp256k1Error(`Invalid yParityOrV value ${yParityOrV}`);
 }
 
 /**
@@ -89,16 +129,84 @@ export function signMessage(message: Buffer32, privateKey: Buffer) {
   return new Signature(Buffer32.fromBigInt(r), Buffer32.fromBigInt(s), recovery ? 28 : 27);
 }
 
+/**
+ * Flips an ECDSA signature.
+ * If the signature has a low s-value (s < CURVE.n/2), it flips it to high s-value (CURVE.n - s) and vice versa.
+ * Also flips the v value accordingly (27 <-> 28, or 0 <-> 1).
+ * This is useful for testing signature malleability handling.
+ * @param signature - The signature to flip.
+ * @returns A new signature with flipped s-value and v-value.
+ */
+export function flipSignature(signature: Signature): Signature {
+  const { r, s, v } = signature;
+  const sig = new secp256k1.Signature(r.toBigInt(), s.toBigInt());
+  const flippedS = secp256k1.CURVE.n - sig.s;
+
+  return new Signature(r, Buffer32.fromBigInt(flippedS), flipV(v));
+}
+
+/**
+ * Normalizes an ECDSA signature.
+ * If the signature has a high s-value (s >= CURVE.n/2), it flips it to low s-value (CURVE.n - s), and flips v accordingly.
+ * If the signature uses a recovery bit of 0/1, it is converted to a v-value 27/28 for ecrecover.
+ * @remarks This does not handle post EIP155 tx signatures which embed the chain id in v. Use it only for feeding into ECRECOVER precompiles.
+ * @param signature - The signature to normalize.
+ */
+export function normalizeSignature(signature: Signature): Signature {
+  const { r, s, v } = signature;
+  const sig = new secp256k1.Signature(r.toBigInt(), s.toBigInt());
+  if (sig.hasHighS()) {
+    const newV = flipV(v);
+    const newS = sig.normalizeS().s;
+    return new Signature(r, Buffer32.fromBigInt(newS), toVFromYParityOrV(newV));
+  }
+
+  return new Signature(r, s, toVFromYParityOrV(v));
+}
+
+/** Converts a yParityOrV value to a pre-EIP155 v-value 27-28. */
+function toVFromYParityOrV(yParityOrV: number): number {
+  if (yParityOrV === 0 || yParityOrV === 1) {
+    return yParityOrV + 27;
+  } else if (yParityOrV === 27 || yParityOrV === 28) {
+    return yParityOrV;
+  } else {
+    throw new Secp256k1Error(`Invalid yParityOrV value ${yParityOrV}`);
+  }
+}
+
+/** Flips the recovery bit or v-value */
+function flipV(v: number): number {
+  switch (v) {
+    case 27:
+      return 28;
+    case 28:
+      return 27;
+    case 0:
+      return 1;
+    case 1:
+      return 0;
+    default:
+      throw new Secp256k1Error(`Invalid v value ${v}`);
+  }
+}
+
 /**
  * Recovers a public key from a hash and a signature.
  * @param hash - The hash to recover the public key from.
  * @param signature - The signature to recover the public key from.
  * @returns The public key.
  */
-export function recoverPublicKey(hash: Buffer32, signature: Signature): Buffer {
+export function recoverPublicKey(hash: Buffer32, signature: Signature, opts: RecoveryOpts = {}): Buffer {
   const { r, s, v } = signature;
+  if (!opts.allowYParityAsV && v !== 27 && v !== 28) {
+    throw new Secp256k1Error(`Invalid v value ${v} (expected 27 or 28)`);
+  }
   const recoveryBit = toRecoveryBit(v);
   const sig = new secp256k1.Signature(r.toBigInt(), s.toBigInt()).addRecoveryBit(recoveryBit);
+  if (!opts.allowMalleable && sig.hasHighS()) {
+    throw new Secp256k1Error('Signature has high s-value (malleable signature)');
+  }
   const publicKey = sig.recoverPublicKey(hash.buffer).toHex(false);
   return Buffer.from(publicKey, 'hex');
 }

package/src/crypto/sha256/index.ts

@@ -1,7 +1,7 @@
 /* eslint-disable camelcase */
 import { default as hash } from 'hash.js';
 
-import { Fr } from '../../fields/fields.js';
+import { Fr } from '../../curves/bn254/field.js';
 import { truncateAndPad } from '../../serialize/free_funcs.js';
 import { type Bufferable, serializeToBuffer } from '../../serialize/serialize.js';
 import type { Hasher } from '../../trees/hasher.js';

package/src/crypto/sha512/index.ts

@@ -1,6 +1,6 @@
 import { default as hash } from 'hash.js';
 
-import { GrumpkinScalar } from '../../fields/fields.js';
+import { GrumpkinScalar } from '../../curves/grumpkin/index.js';
 import { type Bufferable, serializeToBuffer } from '../../serialize/serialize.js';
 
 export const sha512 = (data: Buffer) => Buffer.from(hash.sha512().update(data).digest());

package/src/crypto/signature/index.ts

@@ -1,4 +1,4 @@
-import type { Fr } from '@aztec/foundation/fields';
+import type { Fr } from '@aztec/foundation/curves/bn254';
 
 /**
  * Interface to represent a signature.

package/src/crypto/sync/index.ts

@@ -3,4 +3,4 @@ import { BarretenbergSync } from '@aztec/bb.js';
 export * from './poseidon/index.js';
 export * from './pedersen/index.js';
 
-await BarretenbergSync.initSingleton(process.env.BB_WASM_PATH);
+await BarretenbergSync.initSingleton();