@hfunlabs/hyperliquid 0.30.0-hfunlabs.1 → 0.30.2-hfunlabs.2

package/src/deps/jsr.io/@noble/curves/2.0.1/src/abstract/modular.ts

@@ -0,0 +1,621 @@
+/**
+ * Utils for modular division and fields.
+ * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
+ * There is no division: it is replaced by modular multiplicative inverse.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import {
+  abytes,
+  anumber,
+  bytesToNumberBE,
+  bytesToNumberLE,
+  numberToBytesBE,
+  numberToBytesLE,
+  validateObject,
+} from '../utils.js';
+
+// Numbers aren't used in x25519 / x448 builds
+// prettier-ignore
+const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2);
+// prettier-ignore
+const _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
+// prettier-ignore
+const _7n = /* @__PURE__ */ BigInt(7), _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
+const _16n = /* @__PURE__ */ BigInt(16);
+
+// Calculates a modulo b
+export function mod(a: bigint, b: bigint): bigint {
+  const result = a % b;
+  return result >= _0n ? result : b + result;
+}
+/**
+ * Efficiently raise num to power and do modular division.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+ * @example
+ * pow(2n, 6n, 11n) // 64n % 11n == 9n
+ */
+export function pow(num: bigint, power: bigint, modulo: bigint): bigint {
+  return FpPow(Field(modulo), num, power);
+}
+
+/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
+export function pow2(x: bigint, power: bigint, modulo: bigint): bigint {
+  let res = x;
+  while (power-- > _0n) {
+    res *= res;
+    res %= modulo;
+  }
+  return res;
+}
+
+/**
+ * Inverses number over modulo.
+ * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
+ */
+export function invert(number: bigint, modulo: bigint): bigint {
+  if (number === _0n) throw new Error('invert: expected non-zero number');
+  if (modulo <= _0n) throw new Error('invert: expected positive modulus, got ' + modulo);
+  // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
+  let a = mod(number, modulo);
+  let b = modulo;
+  // prettier-ignore
+  let x = _0n, y = _1n, u = _1n, v = _0n;
+  while (a !== _0n) {
+    // JIT applies optimization if those two lines follow each other
+    const q = b / a;
+    const r = b % a;
+    const m = x - u * q;
+    const n = y - v * q;
+    // prettier-ignore
+    b = a, a = r, x = u, y = v, u = m, v = n;
+  }
+  const gcd = b;
+  if (gcd !== _1n) throw new Error('invert: does not exist');
+  return mod(x, modulo);
+}
+
+function assertIsSquare<T>(Fp: IField<T>, root: T, n: T): void {
+  if (!Fp.eql(Fp.sqr(root), n)) throw new Error('Cannot find square root');
+}
+
+// Not all roots are possible! Example which will throw:
+// const NUM =
+// n = 72057594037927816n;
+// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
+function sqrt3mod4<T>(Fp: IField<T>, n: T) {
+  const p1div4 = (Fp.ORDER + _1n) / _4n;
+  const root = Fp.pow(n, p1div4);
+  assertIsSquare(Fp, root, n);
+  return root;
+}
+
+function sqrt5mod8<T>(Fp: IField<T>, n: T) {
+  const p5div8 = (Fp.ORDER - _5n) / _8n;
+  const n2 = Fp.mul(n, _2n);
+  const v = Fp.pow(n2, p5div8);
+  const nv = Fp.mul(n, v);
+  const i = Fp.mul(Fp.mul(nv, _2n), v);
+  const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+  assertIsSquare(Fp, root, n);
+  return root;
+}
+
+// Based on RFC9380, Kong algorithm
+// prettier-ignore
+function sqrt9mod16(P: bigint): <T>(Fp: IField<T>, n: T) => T {
+  const Fp_ = Field(P);
+  const tn = tonelliShanks(P);
+  const c1 = tn(Fp_, Fp_.neg(Fp_.ONE));//  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+  const c2 = tn(Fp_, c1);              //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+  const c3 = tn(Fp_, Fp_.neg(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+  const c4 = (P + _7n) / _16n;         //  4. c4 = (q + 7) / 16        # Integer arithmetic
+  return <T>(Fp: IField<T>, n: T) => {
+    let tv1 = Fp.pow(n, c4);           //  1. tv1 = x^c4
+    let tv2 = Fp.mul(tv1, c1);         //  2. tv2 = c1 * tv1
+    const tv3 = Fp.mul(tv1, c2);       //  3. tv3 = c2 * tv1
+    const tv4 = Fp.mul(tv1, c3);       //  4. tv4 = c3 * tv1
+    const e1 = Fp.eql(Fp.sqr(tv2), n); //  5.  e1 = (tv2^2) == x
+    const e2 = Fp.eql(Fp.sqr(tv3), n); //  6.  e2 = (tv3^2) == x
+    tv1 = Fp.cmov(tv1, tv2, e1);       //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+    tv2 = Fp.cmov(tv4, tv3, e2);       //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+    const e3 = Fp.eql(Fp.sqr(tv2), n); //  9.  e3 = (tv2^2) == x
+    const root = Fp.cmov(tv1, tv2, e3);// 10.  z = CMOV(tv1, tv2, e3)   # Select sqrt from tv1 & tv2
+    assertIsSquare(Fp, root, n);
+    return root;
+  };
+}
+
+/**
+ * Tonelli-Shanks square root search algorithm.
+ * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
+ * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
+ * @param P field order
+ * @returns function that takes field Fp (created from P) and number n
+ */
+export function tonelliShanks(P: bigint): <T>(Fp: IField<T>, n: T) => T {
+  // Initialization (precomputation).
+  // Caching initialization could boost perf by 7%.
+  if (P < _3n) throw new Error('sqrt is not defined for small field');
+  // Factor P - 1 = Q * 2^S, where Q is odd
+  let Q = P - _1n;
+  let S = 0;
+  while (Q % _2n === _0n) {
+    Q /= _2n;
+    S++;
+  }
+
+  // Find the first quadratic non-residue Z >= 2
+  let Z = _2n;
+  const _Fp = Field(P);
+  while (FpLegendre(_Fp, Z) === 1) {
+    // Basic primality test for P. After x iterations, chance of
+    // not finding quadratic non-residue is 2^x, so 2^1000.
+    if (Z++ > 1000) throw new Error('Cannot find square root: probably non-prime P');
+  }
+  // Fast-path; usually done before Z, but we do "primality test".
+  if (S === 1) return sqrt3mod4;
+
+  // Slow-path
+  // TODO: test on Fp2 and others
+  let cc = _Fp.pow(Z, Q); // c = z^Q
+  const Q1div2 = (Q + _1n) / _2n;
+  return function tonelliSlow<T>(Fp: IField<T>, n: T): T {
+    if (Fp.is0(n)) return n;
+    // Check if n is a quadratic residue using Legendre symbol
+    if (FpLegendre(Fp, n) !== 1) throw new Error('Cannot find square root');
+
+    // Initialize variables for the main loop
+    let M = S;
+    let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
+    let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor
+    let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
+
+    // Main loop
+    // while t != 1
+    while (!Fp.eql(t, Fp.ONE)) {
+      if (Fp.is0(t)) return Fp.ZERO; // if t=0 return R=0
+      let i = 1;
+
+      // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
+      let t_tmp = Fp.sqr(t); // t^(2^1)
+      while (!Fp.eql(t_tmp, Fp.ONE)) {
+        i++;
+        t_tmp = Fp.sqr(t_tmp); // t^(2^2)...
+        if (i === M) throw new Error('Cannot find square root');
+      }
+
+      // Calculate the exponent for b: 2^(M - i - 1)
+      const exponent = _1n << BigInt(M - i - 1); // bigint is important
+      const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
+
+      // Update variables
+      M = i;
+      c = Fp.sqr(b); // c = b^2
+      t = Fp.mul(t, c); // t = (t * b^2)
+      R = Fp.mul(R, b); // R = R*b
+    }
+    return R;
+  };
+}
+
+/**
+ * Square root for a finite field. Will try optimized versions first:
+ *
+ * 1. P ≡ 3 (mod 4)
+ * 2. P ≡ 5 (mod 8)
+ * 3. P ≡ 9 (mod 16)
+ * 4. Tonelli-Shanks algorithm
+ *
+ * Different algorithms can give different roots, it is up to user to decide which one they want.
+ * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
+ */
+export function FpSqrt(P: bigint): <T>(Fp: IField<T>, n: T) => T {
+  // P ≡ 3 (mod 4) => √n = n^((P+1)/4)
+  if (P % _4n === _3n) return sqrt3mod4;
+  // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
+  if (P % _8n === _5n) return sqrt5mod8;
+  // P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
+  if (P % _16n === _9n) return sqrt9mod16(P);
+  // Tonelli-Shanks algorithm
+  return tonelliShanks(P);
+}
+
+// Little-endian check for first LE bit (last BE bit);
+export const isNegativeLE = (num: bigint, modulo: bigint): boolean =>
+  (mod(num, modulo) & _1n) === _1n;
+
+/** Field is not always over prime: for example, Fp2 has ORDER(q)=p^m. */
+export interface IField<T> {
+  ORDER: bigint;
+  BYTES: number;
+  BITS: number;
+  isLE: boolean;
+  ZERO: T;
+  ONE: T;
+  // 1-arg
+  create: (num: T) => T;
+  isValid: (num: T) => boolean;
+  is0: (num: T) => boolean;
+  isValidNot0: (num: T) => boolean;
+  neg(num: T): T;
+  inv(num: T): T;
+  sqrt(num: T): T;
+  sqr(num: T): T;
+  // 2-args
+  eql(lhs: T, rhs: T): boolean;
+  add(lhs: T, rhs: T): T;
+  sub(lhs: T, rhs: T): T;
+  mul(lhs: T, rhs: T | bigint): T;
+  pow(lhs: T, power: bigint): T;
+  div(lhs: T, rhs: T | bigint): T;
+  // N for NonNormalized (for now)
+  addN(lhs: T, rhs: T): T;
+  subN(lhs: T, rhs: T): T;
+  mulN(lhs: T, rhs: T | bigint): T;
+  sqrN(num: T): T;
+
+  // Optional
+  // Should be same as sgn0 function in
+  // [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
+  // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
+  isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
+  // legendre?(num: T): T;
+  invertBatch: (lst: T[]) => T[];
+  toBytes(num: T): Uint8Array;
+  fromBytes(bytes: Uint8Array, skipValidation?: boolean): T;
+  // If c is False, CMOV returns a, otherwise it returns b.
+  cmov(a: T, b: T, c: boolean): T;
+}
+// prettier-ignore
+const FIELD_FIELDS = [
+  'create', 'isValid', 'is0', 'neg', 'inv', 'sqrt', 'sqr',
+  'eql', 'add', 'sub', 'mul', 'pow', 'div',
+  'addN', 'subN', 'mulN', 'sqrN'
+] as const;
+export function validateField<T>(field: IField<T>): IField<T> {
+  const initial = {
+    ORDER: 'bigint',
+    BYTES: 'number',
+    BITS: 'number',
+  } as Record<string, string>;
+  const opts = FIELD_FIELDS.reduce((map, val: string) => {
+    map[val] = 'function';
+    return map;
+  }, initial);
+  validateObject(field, opts);
+  // const max = 16384;
+  // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
+  // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
+  return field;
+}
+
+// Generic field functions
+
+/**
+ * Same as `pow` but for Fp: non-constant-time.
+ * Unsafe in some contexts: uses ladder, so can expose bigint bits.
+ */
+export function FpPow<T>(Fp: IField<T>, num: T, power: bigint): T {
+  if (power < _0n) throw new Error('invalid exponent, negatives unsupported');
+  if (power === _0n) return Fp.ONE;
+  if (power === _1n) return num;
+  let p = Fp.ONE;
+  let d = num;
+  while (power > _0n) {
+    if (power & _1n) p = Fp.mul(p, d);
+    d = Fp.sqr(d);
+    power >>= _1n;
+  }
+  return p;
+}
+
+/**
+ * Efficiently invert an array of Field elements.
+ * Exception-free. Will return `undefined` for 0 elements.
+ * @param passZero map 0 to 0 (instead of undefined)
+ */
+export function FpInvertBatch<T>(Fp: IField<T>, nums: T[], passZero = false): T[] {
+  const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
+  // Walk from first to last, multiply them by each other MOD p
+  const multipliedAcc = nums.reduce((acc, num, i) => {
+    if (Fp.is0(num)) return acc;
+    inverted[i] = acc;
+    return Fp.mul(acc, num);
+  }, Fp.ONE);
+  // Invert last element
+  const invertedAcc = Fp.inv(multipliedAcc);
+  // Walk from last to first, multiply them by inverted each other MOD p
+  nums.reduceRight((acc, num, i) => {
+    if (Fp.is0(num)) return acc;
+    inverted[i] = Fp.mul(acc, inverted[i]);
+    return Fp.mul(acc, num);
+  }, invertedAcc);
+  return inverted;
+}
+
+// TODO: remove
+export function FpDiv<T>(Fp: IField<T>, lhs: T, rhs: T | bigint): T {
+  return Fp.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, Fp.ORDER) : Fp.inv(rhs));
+}
+
+/**
+ * Legendre symbol.
+ * Legendre constant is used to calculate Legendre symbol (a | p)
+ * which denotes the value of a^((p-1)/2) (mod p).
+ *
+ * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
+ * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
+ * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+ */
+export function FpLegendre<T>(Fp: IField<T>, n: T): -1 | 0 | 1 {
+  // We can use 3rd argument as optional cache of this value
+  // but seems unneeded for now. The operation is very fast.
+  const p1mod2 = (Fp.ORDER - _1n) / _2n;
+  const powered = Fp.pow(n, p1mod2);
+  const yes = Fp.eql(powered, Fp.ONE);
+  const zero = Fp.eql(powered, Fp.ZERO);
+  const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+  if (!yes && !zero && !no) throw new Error('invalid Legendre symbol result');
+  return yes ? 1 : zero ? 0 : -1;
+}
+
+// This function returns True whenever the value x is a square in the field F.
+export function FpIsSquare<T>(Fp: IField<T>, n: T): boolean {
+  const l = FpLegendre(Fp, n);
+  return l === 1;
+}
+
+export type NLength = { nByteLength: number; nBitLength: number };
+// CURVE.n lengths
+export function nLength(n: bigint, nBitLength?: number): NLength {
+  // Bit size, byte size of CURVE.n
+  if (nBitLength !== undefined) anumber(nBitLength);
+  const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
+  const nByteLength = Math.ceil(_nBitLength / 8);
+  return { nBitLength: _nBitLength, nByteLength };
+}
+
+type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
+type SqrtFn = (n: bigint) => bigint;
+type FieldOpts = Partial<{
+  isLE: boolean;
+  BITS: number;
+  sqrt: SqrtFn;
+  allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
+  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+}>;
+class _Field implements IField<bigint> {
+  readonly ORDER: bigint;
+  readonly BITS: number;
+  readonly BYTES: number;
+  readonly isLE: boolean;
+  readonly ZERO = _0n;
+  readonly ONE = _1n;
+  readonly _lengths?: number[];
+  private _sqrt: ReturnType<typeof FpSqrt> | undefined; // cached sqrt
+  private readonly _mod?: boolean;
+  constructor(ORDER: bigint, opts: FieldOpts = {}) {
+    if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
+    let _nbitLength: number | undefined = undefined;
+    this.isLE = false;
+    if (opts != null && typeof opts === 'object') {
+      if (typeof opts.BITS === 'number') _nbitLength = opts.BITS;
+      if (typeof opts.sqrt === 'function') this.sqrt = opts.sqrt;
+      if (typeof opts.isLE === 'boolean') this.isLE = opts.isLE;
+      if (opts.allowedLengths) this._lengths = opts.allowedLengths?.slice();
+      if (typeof opts.modFromBytes === 'boolean') this._mod = opts.modFromBytes;
+    }
+    const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+    if (nByteLength > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+    this.ORDER = ORDER;
+    this.BITS = nBitLength;
+    this.BYTES = nByteLength;
+    this._sqrt = undefined;
+    Object.preventExtensions(this);
+  }
+
+  create(num: bigint) {
+    return mod(num, this.ORDER);
+  }
+  isValid(num: bigint) {
+    if (typeof num !== 'bigint')
+      throw new Error('invalid field element: expected bigint, got ' + typeof num);
+    return _0n <= num && num < this.ORDER; // 0 is valid element, but it's not invertible
+  }
+  is0(num: bigint) {
+    return num === _0n;
+  }
+  // is valid and invertible
+  isValidNot0(num: bigint) {
+    return !this.is0(num) && this.isValid(num);
+  }
+  isOdd(num: bigint) {
+    return (num & _1n) === _1n;
+  }
+  neg(num: bigint) {
+    return mod(-num, this.ORDER);
+  }
+  eql(lhs: bigint, rhs: bigint) {
+    return lhs === rhs;
+  }
+
+  sqr(num: bigint) {
+    return mod(num * num, this.ORDER);
+  }
+  add(lhs: bigint, rhs: bigint) {
+    return mod(lhs + rhs, this.ORDER);
+  }
+  sub(lhs: bigint, rhs: bigint) {
+    return mod(lhs - rhs, this.ORDER);
+  }
+  mul(lhs: bigint, rhs: bigint) {
+    return mod(lhs * rhs, this.ORDER);
+  }
+  pow(num: bigint, power: bigint): bigint {
+    return FpPow(this, num, power);
+  }
+  div(lhs: bigint, rhs: bigint) {
+    return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
+  }
+
+  // Same as above, but doesn't normalize
+  sqrN(num: bigint) {
+    return num * num;
+  }
+  addN(lhs: bigint, rhs: bigint) {
+    return lhs + rhs;
+  }
+  subN(lhs: bigint, rhs: bigint) {
+    return lhs - rhs;
+  }
+  mulN(lhs: bigint, rhs: bigint) {
+    return lhs * rhs;
+  }
+
+  inv(num: bigint) {
+    return invert(num, this.ORDER);
+  }
+  sqrt(num: bigint): bigint {
+    // Caching _sqrt speeds up sqrt9mod16 by 5x and tonneli-shanks by 10%
+    if (!this._sqrt) this._sqrt = FpSqrt(this.ORDER);
+    return this._sqrt(this, num);
+  }
+  toBytes(num: bigint) {
+    return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+  }
+  fromBytes(bytes: Uint8Array, skipValidation = false) {
+    abytes(bytes);
+    const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
+    if (allowedLengths) {
+      if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+        throw new Error(
+          'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
+        );
+      }
+      const padded = new Uint8Array(BYTES);
+      // isLE add 0 to right, !isLE to the left.
+      padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+      bytes = padded;
+    }
+    if (bytes.length !== BYTES)
+      throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
+    let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    if (modFromBytes) scalar = mod(scalar, ORDER);
+    if (!skipValidation)
+      if (!this.isValid(scalar))
+        throw new Error('invalid field element: outside of range 0..ORDER');
+    // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+    // protocol may allow non-reduced scalar that reduced later or changed some other way.
+    return scalar;
+  }
+  // TODO: we don't need it here, move out to separate fn
+  invertBatch(lst: bigint[]): bigint[] {
+    return FpInvertBatch(this, lst);
+  }
+  // We can't move this out because Fp6, Fp12 implement it
+  // and it's unclear what to return in there.
+  cmov(a: bigint, b: bigint, condition: boolean) {
+    return condition ? b : a;
+  }
+}
+
+/**
+ * Creates a finite field. Major performance optimizations:
+ * * 1. Denormalized operations like mulN instead of mul.
+ * * 2. Identical object shape: never add or remove keys.
+ * * 3. `Object.freeze`.
+ * Fragile: always run a benchmark on a change.
+ * Security note: operations don't check 'isValid' for all elements for performance reasons,
+ * it is caller responsibility to check this.
+ * This is low-level code, please make sure you know what you're doing.
+ *
+ * Note about field properties:
+ * * CHARACTERISTIC p = prime number, number of elements in main subgroup.
+ * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
+ *
+ * @param ORDER field order, probably prime, or could be composite
+ * @param bitLen how many bits the field consumes
+ * @param isLE (default: false) if encoding / decoding should be in little-endian
+ * @param redef optional faster redefinitions of sqrt and other methods
+ */
+export function Field(ORDER: bigint, opts: FieldOpts = {}): Readonly<FpField> {
+  return new _Field(ORDER, opts);
+}
+
+// Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
+// This allows unsafe methods like ignore bias or zero. These unsafe, but often used in different protocols (if deterministic RNG).
+// which mean we cannot force this via opts.
+// Not sure what to do with randomBytes, we can accept it inside opts if wanted.
+// Probably need to export getMinHashLength somewhere?
+// random(bytes?: Uint8Array, unsafeAllowZero = false, unsafeAllowBias = false) {
+//   const LEN = !unsafeAllowBias ? getMinHashLength(ORDER) : BYTES;
+//   if (bytes === undefined) bytes = randomBytes(LEN); // _opts.randomBytes?
+//   const num = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+//   // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
+//   const reduced = unsafeAllowZero ? mod(num, ORDER) : mod(num, ORDER - _1n) + _1n;
+//   return reduced;
+// },
+
+export function FpSqrtOdd<T>(Fp: IField<T>, elm: T): T {
+  if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
+  const root = Fp.sqrt(elm);
+  return Fp.isOdd(root) ? root : Fp.neg(root);
+}
+
+export function FpSqrtEven<T>(Fp: IField<T>, elm: T): T {
+  if (!Fp.isOdd) throw new Error("Field doesn't have isOdd");
+  const root = Fp.sqrt(elm);
+  return Fp.isOdd(root) ? Fp.neg(root) : root;
+}
+
+/**
+ * Returns total number of bytes consumed by the field element.
+ * For example, 32 bytes for usual 256-bit weierstrass curve.
+ * @param fieldOrder number of field elements, usually CURVE.n
+ * @returns byte length of field
+ */
+export function getFieldBytesLength(fieldOrder: bigint): number {
+  if (typeof fieldOrder !== 'bigint') throw new Error('field order must be bigint');
+  const bitLength = fieldOrder.toString(2).length;
+  return Math.ceil(bitLength / 8);
+}
+
+/**
+ * Returns minimal amount of bytes that can be safely reduced
+ * by field order.
+ * Should be 2^-128 for 128-bit curve such as P256.
+ * @param fieldOrder number of field elements, usually CURVE.n
+ * @returns byte length of target hash
+ */
+export function getMinHashLength(fieldOrder: bigint): number {
+  const length = getFieldBytesLength(fieldOrder);
+  return length + Math.ceil(length / 2);
+}
+
+/**
+ * "Constant-time" private key generation utility.
+ * Can take (n + n/2) or more bytes of uniform input e.g. from CSPRNG or KDF
+ * and convert them into private scalar, with the modulo bias being negligible.
+ * Needs at least 48 bytes of input for 32-byte private key.
+ * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+ * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
+ * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
+ * @param hash hash output from SHA3 or a similar function
+ * @param groupOrder size of subgroup - (e.g. secp256k1.Point.Fn.ORDER)
+ * @param isLE interpret hash bytes as LE num
+ * @returns valid private scalar
+ */
+export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false): Uint8Array {
+  abytes(key);
+  const len = key.length;
+  const fieldLen = getFieldBytesLength(fieldOrder);
+  const minLen = getMinHashLength(fieldOrder);
+  // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
+  if (len < 16 || len < minLen || len > 1024)
+    throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
+  const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
+  // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
+  const reduced = mod(num, fieldOrder - _1n) + _1n;
+  return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
+}