@noble/curves 0.3.1 → 0.4.0

package/README.md

@@ -45,9 +45,9 @@ The library does not have an entry point. It allows you to select specific primi
 
 ```ts
 import { weierstrass } from '@noble/curves/weierstrass'; // Short Weierstrass curve
-import { concatBytes, randomBytes } from '@noble/curves/utils';
 import { sha256 } from '@noble/hashes/sha256';
 import { hmac } from '@noble/hashes/hmac';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
 
 const secp256k1 = weierstrass({
   a: 0n,
@@ -126,6 +126,7 @@ const ed25519 = twistedEdwards({
   Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n,
   Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
   hash: sha512,
+  randomBytes,
   adjustScalarBytes(bytes) { // optional
     bytes[0] &= 248;
     bytes[31] &= 127;

package/lib/bls.d.ts

@@ -0,0 +1,79 @@
+import * as mod from './modular.js';
+import * as utils from './utils.js';
+import { Hex, PrivKey } from './utils.js';
+import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { CurvePointsType, PointType, CurvePointsRes } from './weierstrass.js';
+declare type Fp = bigint;
+export declare type SignatureCoder<Fp2> = {
+    decode(hex: Hex): PointType<Fp2>;
+    encode(point: PointType<Fp2>): Uint8Array;
+};
+export declare type CurveType<Fp, Fp2, Fp6, Fp12> = {
+    r: bigint;
+    G1: Omit<CurvePointsType<Fp>, 'n'>;
+    G2: Omit<CurvePointsType<Fp2>, 'n'> & {
+        Signature: SignatureCoder<Fp2>;
+    };
+    x: bigint;
+    Fp: mod.Field<Fp>;
+    Fr: mod.Field<bigint>;
+    Fp2: mod.Field<Fp2> & {
+        reim: (num: Fp2) => {
+            re: bigint;
+            im: bigint;
+        };
+        multiplyByB: (num: Fp2) => Fp2;
+        frobeniusMap(num: Fp2, power: number): Fp2;
+    };
+    Fp6: mod.Field<Fp6>;
+    Fp12: mod.Field<Fp12> & {
+        frobeniusMap(num: Fp12, power: number): Fp12;
+        multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
+        conjugate(num: Fp12): Fp12;
+        finalExponentiate(num: Fp12): Fp12;
+    };
+    htfDefaults: htfOpts;
+    hash: utils.CHash;
+    randomBytes: (bytesLength?: number) => Uint8Array;
+};
+export declare type CurveFn<Fp, Fp2, Fp6, Fp12> = {
+    CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
+    Fr: mod.Field<bigint>;
+    Fp: mod.Field<Fp>;
+    Fp2: mod.Field<Fp2>;
+    Fp6: mod.Field<Fp6>;
+    Fp12: mod.Field<Fp12>;
+    G1: CurvePointsRes<Fp>;
+    G2: CurvePointsRes<Fp2>;
+    Signature: SignatureCoder<Fp2>;
+    millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
+    calcPairingPrecomputes: (x: Fp2, y: Fp2) => [Fp2, Fp2, Fp2][];
+    pairing: (P: PointType<Fp>, Q: PointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+    getPublicKey: (privateKey: PrivKey) => Uint8Array;
+    sign: {
+        (message: Hex, privateKey: PrivKey): Uint8Array;
+        (message: PointType<Fp2>, privateKey: PrivKey): PointType<Fp2>;
+    };
+    verify: (signature: Hex | PointType<Fp2>, message: Hex | PointType<Fp2>, publicKey: Hex | PointType<Fp>) => boolean;
+    aggregatePublicKeys: {
+        (publicKeys: Hex[]): Uint8Array;
+        (publicKeys: PointType<Fp>[]): PointType<Fp>;
+    };
+    aggregateSignatures: {
+        (signatures: Hex[]): Uint8Array;
+        (signatures: PointType<Fp2>[]): PointType<Fp2>;
+    };
+    verifyBatch: (signature: Hex | PointType<Fp2>, messages: (Hex | PointType<Fp2>)[], publicKeys: (Hex | PointType<Fp>)[]) => boolean;
+    utils: {
+        bytesToHex: typeof utils.bytesToHex;
+        hexToBytes: typeof utils.hexToBytes;
+        stringToBytes: typeof stringToBytes;
+        hashToField: typeof hash_to_field;
+        expandMessageXMD: typeof expand_message_xmd;
+        mod: typeof mod.mod;
+        getDSTLabel: () => string;
+        setDSTLabel(newLabel: string): void;
+    };
+};
+export declare function bls<Fp2, Fp6, Fp12>(CURVE: CurveType<Fp, Fp2, Fp6, Fp12>): CurveFn<Fp, Fp2, Fp6, Fp12>;
+export {};

package/lib/bls.js

@@ -0,0 +1,304 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bls = void 0;
+// Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
+// NOTE: only 12 supported for now
+// Constructed from pair of weierstrass curves, based pairing logic
+const mod = require("./modular.js");
+const utils_js_1 = require("./utils.js");
+// Types
+const utils_js_2 = require("./utils.js");
+const hashToCurve_js_1 = require("./hashToCurve.js");
+const weierstrass_js_1 = require("./weierstrass.js");
+function bls(CURVE) {
+    // Fields looks pretty specific for curve, so for now we need to pass them with options
+    const Fp = CURVE.Fp;
+    const Fr = CURVE.Fr;
+    const Fp2 = CURVE.Fp2;
+    const Fp6 = CURVE.Fp6;
+    const Fp12 = CURVE.Fp12;
+    const BLS_X_LEN = (0, utils_js_1.bitLen)(CURVE.x);
+    // Pre-compute coefficients for sparse multiplication
+    // Point addition and point double calculations is reused for coefficients
+    function calcPairingPrecomputes(x, y) {
+        // prettier-ignore
+        const Qx = x, Qy = y, Qz = Fp2.ONE;
+        // prettier-ignore
+        let Rx = Qx, Ry = Qy, Rz = Qz;
+        let ell_coeff = [];
+        for (let i = BLS_X_LEN - 2; i >= 0; i--) {
+            // Double
+            let t0 = Fp2.square(Ry); // Ry²
+            let t1 = Fp2.square(Rz); // Rz²
+            let t2 = Fp2.multiplyByB(Fp2.multiply(t1, 3n)); // 3 * T1 * B
+            let t3 = Fp2.multiply(t2, 3n); // 3 * T2
+            let t4 = Fp2.subtract(Fp2.subtract(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            ell_coeff.push([
+                Fp2.subtract(t2, t0),
+                Fp2.multiply(Fp2.square(Rx), 3n),
+                Fp2.negate(t4), // -T4
+            ]);
+            Rx = Fp2.div(Fp2.multiply(Fp2.multiply(Fp2.subtract(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+            Ry = Fp2.subtract(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.multiply(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Rz = Fp2.multiply(t0, t4); // T0 * T4
+            if ((0, utils_js_1.bitGet)(CURVE.x, i)) {
+                // Addition
+                let t0 = Fp2.subtract(Ry, Fp2.multiply(Qy, Rz)); // Ry - Qy * Rz
+                let t1 = Fp2.subtract(Rx, Fp2.multiply(Qx, Rz)); // Rx - Qx * Rz
+                ell_coeff.push([
+                    Fp2.subtract(Fp2.multiply(t0, Qx), Fp2.multiply(t1, Qy)),
+                    Fp2.negate(t0),
+                    t1, // T1
+                ]);
+                let t2 = Fp2.square(t1); // T1²
+                let t3 = Fp2.multiply(t2, t1); // T2 * T1
+                let t4 = Fp2.multiply(t2, Rx); // T2 * Rx
+                let t5 = Fp2.add(Fp2.subtract(t3, Fp2.multiply(t4, 2n)), Fp2.multiply(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                Rx = Fp2.multiply(t1, t5); // T1 * T5
+                Ry = Fp2.subtract(Fp2.multiply(Fp2.subtract(t4, t5), t0), Fp2.multiply(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+                Rz = Fp2.multiply(Rz, t3); // Rz * T3
+            }
+        }
+        return ell_coeff;
+    }
+    function millerLoop(ell, g1) {
+        const Px = g1[0];
+        const Py = g1[1];
+        let f12 = Fp12.ONE;
+        for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
+            const E = ell[j];
+            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.multiply(E[1], Px), Fp2.multiply(E[2], Py));
+            if ((0, utils_js_1.bitGet)(CURVE.x, i)) {
+                j += 1;
+                const F = ell[j];
+                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.multiply(F[1], Px), Fp2.multiply(F[2], Py));
+            }
+            if (i !== 0)
+                f12 = Fp12.square(f12);
+        }
+        return Fp12.conjugate(f12);
+    }
+    // bls12-381 is a construction of two curves:
+    // 1. Fp: (x, y)
+    // 2. Fp₂: ((x₁, x₂+i), (y₁, y₂+i)) - (complex numbers)
+    //
+    // Bilinear Pairing (ate pairing) is used to combine both elements into a paired one:
+    //   Fp₁₂ = e(Fp, Fp2)
+    //   where Fp₁₂ = 12-degree polynomial
+    // Pairing is used to verify signatures.
+    //
+    // We are using Fp for private keys (shorter) and Fp2 for signatures (longer).
+    // Some projects may prefer to swap this relation, it is not supported for now.
+    const htfDefaults = { ...CURVE.htfDefaults };
+    function isWithinCurveOrder(num) {
+        return 0 < num && num < CURVE.r;
+    }
+    const utils = {
+        hexToBytes: utils_js_2.hexToBytes,
+        bytesToHex: utils_js_2.bytesToHex,
+        mod: mod.mod,
+        stringToBytes: hashToCurve_js_1.stringToBytes,
+        // TODO: do we need to export it here?
+        hashToField: (msg, count, options = {}) => (0, hashToCurve_js_1.hash_to_field)(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => (0, hashToCurve_js_1.expand_message_xmd)(msg, DST, lenInBytes, H),
+        /**
+         * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
+         * and convert them into private key, with the modulo bias being negligible.
+         * As per FIPS 186 B.1.1.
+         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+         * @param hash hash output from sha512, or a similar function
+         * @returns valid private key
+         */
+        hashToPrivateKey: (hash) => {
+            hash = (0, utils_js_1.ensureBytes)(hash);
+            if (hash.length < 40 || hash.length > 1024)
+                throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
+            //     hashToPrivateScalar(hash, CURVE.r)
+            // NOTE: doesn't add +/-1
+            const num = mod.mod((0, utils_js_1.bytesToNumberBE)(hash), CURVE.r);
+            // This should never happen
+            if (num === 0n || num === 1n)
+                throw new Error('Invalid private key');
+            return (0, utils_js_1.numberToBytesBE)(num, 32);
+        },
+        randomBytes: (bytesLength = 32) => CURVE.randomBytes(bytesLength),
+        // NIST SP 800-56A rev 3, section 5.6.1.2.2
+        // https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(40)),
+        getDSTLabel: () => htfDefaults.DST,
+        setDSTLabel(newLabel) {
+            // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
+            if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
+                throw new TypeError('Invalid DST');
+            }
+            htfDefaults.DST = newLabel;
+        },
+    };
+    function normalizePrivKey(key) {
+        let int;
+        if (key instanceof Uint8Array && key.length === 32)
+            int = (0, utils_js_1.bytesToNumberBE)(key);
+        else if (typeof key === 'string' && key.length === 64)
+            int = BigInt(`0x${key}`);
+        else if (typeof key === 'number' && key > 0 && Number.isSafeInteger(key))
+            int = BigInt(key);
+        else if (typeof key === 'bigint' && key > 0n)
+            int = key;
+        else
+            throw new TypeError('Expected valid private key');
+        int = mod.mod(int, CURVE.r);
+        if (!isWithinCurveOrder(int))
+            throw new Error('Private key must be 0 < key < CURVE.r');
+        return int;
+    }
+    // Point on G1 curve: (x, y)
+    const G1 = (0, weierstrass_js_1.weierstrassPoints)({
+        n: Fr.ORDER,
+        ...CURVE.G1,
+    });
+    function pairingPrecomputes(point) {
+        const p = point;
+        if (p._PPRECOMPUTES)
+            return p._PPRECOMPUTES;
+        p._PPRECOMPUTES = calcPairingPrecomputes(p.x, p.y);
+        return p._PPRECOMPUTES;
+    }
+    function clearPairingPrecomputes(point) {
+        const p = point;
+        p._PPRECOMPUTES = undefined;
+    }
+    clearPairingPrecomputes;
+    function millerLoopG1(Q, P) {
+        return millerLoop(pairingPrecomputes(P), [Q.x, Q.y]);
+    }
+    // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
+    const G2 = (0, weierstrass_js_1.weierstrassPoints)({
+        n: Fr.ORDER,
+        ...CURVE.G2,
+    });
+    const { Signature } = CURVE.G2;
+    // Calculates bilinear pairing
+    function pairing(P, Q, withFinalExponent = true) {
+        if (P.equals(G1.Point.ZERO) || Q.equals(G2.Point.ZERO))
+            throw new Error('No pairings at point of Infinity');
+        P.assertValidity();
+        Q.assertValidity();
+        // Performance: 9ms for millerLoop and ~14ms for exp.
+        const looped = millerLoopG1(P, Q);
+        return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
+    }
+    function normP1(point) {
+        return point instanceof G1.Point ? point : G1.Point.fromHex(point);
+    }
+    function normP2(point) {
+        return point instanceof G2.Point ? point : Signature.decode(point);
+    }
+    function normP2Hash(point) {
+        return point instanceof G2.Point ? point : G2.Point.hashToCurve(point);
+    }
+    // Multiplies generator by private key.
+    // P = pk x G
+    function getPublicKey(privateKey) {
+        return G1.Point.fromPrivateKey(privateKey).toRawBytes(true);
+    }
+    function sign(message, privateKey) {
+        const msgPoint = normP2Hash(message);
+        msgPoint.assertValidity();
+        const sigPoint = msgPoint.multiply(normalizePrivKey(privateKey));
+        if (message instanceof G2.Point)
+            return sigPoint;
+        return Signature.encode(sigPoint);
+    }
+    // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+    // e(P, H(m)) == e(G, S)
+    function verify(signature, message, publicKey) {
+        const P = normP1(publicKey);
+        const Hm = normP2Hash(message);
+        const G = G1.Point.BASE;
+        const S = normP2(signature);
+        // Instead of doing 2 exponentiations, we use property of billinear maps
+        // and do one exp after multiplying 2 points.
+        const ePHm = pairing(P.negate(), Hm, false);
+        const eGS = pairing(G, S, false);
+        const exp = Fp12.finalExponentiate(Fp12.multiply(eGS, ePHm));
+        return Fp12.equals(exp, Fp12.ONE);
+    }
+    function aggregatePublicKeys(publicKeys) {
+        if (!publicKeys.length)
+            throw new Error('Expected non-empty array');
+        const agg = publicKeys
+            .map(normP1)
+            .reduce((sum, p) => sum.add(G1.JacobianPoint.fromAffine(p)), G1.JacobianPoint.ZERO);
+        const aggAffine = agg.toAffine();
+        if (publicKeys[0] instanceof G1.Point) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        // toRawBytes ensures point validity
+        return aggAffine.toRawBytes(true);
+    }
+    function aggregateSignatures(signatures) {
+        if (!signatures.length)
+            throw new Error('Expected non-empty array');
+        const agg = signatures
+            .map(normP2)
+            .reduce((sum, s) => sum.add(G2.JacobianPoint.fromAffine(s)), G2.JacobianPoint.ZERO);
+        const aggAffine = agg.toAffine();
+        if (signatures[0] instanceof G2.Point) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        return Signature.encode(aggAffine);
+    }
+    // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
+    // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+    function verifyBatch(signature, messages, publicKeys) {
+        if (!messages.length)
+            throw new Error('Expected non-empty messages array');
+        if (publicKeys.length !== messages.length)
+            throw new Error('Pubkey count should equal msg count');
+        const sig = normP2(signature);
+        const nMessages = messages.map(normP2Hash);
+        const nPublicKeys = publicKeys.map(normP1);
+        try {
+            const paired = [];
+            for (const message of new Set(nMessages)) {
+                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.Point.ZERO);
+                // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
+                // Possible to batch pairing for same msg with different groupPublicKey here
+                paired.push(pairing(groupPublicKey, message, false));
+            }
+            paired.push(pairing(G1.Point.BASE.negate(), sig, false));
+            const product = paired.reduce((a, b) => Fp12.multiply(a, b), Fp12.ONE);
+            const exp = Fp12.finalExponentiate(product);
+            return Fp12.equals(exp, Fp12.ONE);
+        }
+        catch {
+            return false;
+        }
+    }
+    // Pre-compute points. Refer to README.
+    G1.Point.BASE._setWindowSize(4);
+    return {
+        CURVE,
+        Fr,
+        Fp,
+        Fp2,
+        Fp6,
+        Fp12,
+        G1,
+        G2,
+        Signature,
+        millerLoop,
+        calcPairingPrecomputes,
+        pairing,
+        getPublicKey,
+        sign,
+        verify,
+        aggregatePublicKeys,
+        aggregateSignatures,
+        verifyBatch,
+        utils,
+    };
+}
+exports.bls = bls;

package/lib/edwards.d.ts

@@ -1,4 +1,5 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import * as mod from './modular.js';
 import { BasicCurve, Hex, PrivKey } from './utils.js';
 import { Group, GroupConstructor } from './group.js';
 export declare type CHash = {
@@ -7,11 +8,11 @@ export declare type CHash = {
     outputLen: number;
     create(): any;
 };
-export declare type CurveType = BasicCurve & {
+export declare type CurveType = BasicCurve<bigint> & {
     a: bigint;
     d: bigint;
     hash: CHash;
-    randomBytes?: (bytesLength?: number) => Uint8Array;
+    randomBytes: (bytesLength?: number) => Uint8Array;
     adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
     domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
     uvRatio?: (u: bigint, v: bigint) => {
@@ -23,15 +24,18 @@ export declare type CurveType = BasicCurve & {
 declare function validateOpts(curve: CurveType): Readonly<{
     readonly nBitLength: number;
     readonly nByteLength: number;
-    readonly P: bigint;
+    readonly Fp: mod.Field<bigint>;
     readonly n: bigint;
     readonly h: bigint;
+    readonly hEff?: bigint | undefined;
     readonly Gx: bigint;
     readonly Gy: bigint;
+    readonly wrapPrivateKey?: boolean | undefined;
+    readonly allowInfinityPoint?: boolean | undefined;
     readonly a: bigint;
     readonly d: bigint;
     readonly hash: CHash;
-    randomBytes: (bytesLength?: number | undefined) => Uint8Array;
+    readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
     readonly adjustScalarBytes?: ((bytes: Uint8Array) => Uint8Array) | undefined;
     readonly domain?: ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array) | undefined;
     readonly uvRatio?: ((u: bigint, v: bigint) => {
@@ -92,8 +96,8 @@ export declare type CurveFn = {
     ExtendedPoint: ExtendedPointConstructor;
     Signature: SignatureConstructor;
     utils: {
-        mod: (a: bigint, b?: bigint) => bigint;
-        invert: (number: bigint, modulo?: bigint) => bigint;
+        mod: (a: bigint) => bigint;
+        invert: (number: bigint) => bigint;
         randomPrivateKey: () => Uint8Array;
         getExtendedPublicKey: (key: PrivKey) => {
             head: Uint8Array;

package/lib/edwards.js

@@ -27,32 +27,37 @@ function validateOpts(curve) {
         if (typeof opts[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const fn of ['adjustScalarBytes', 'domain', 'randomBytes', 'uvRatio']) {
+    for (const fn of ['randomBytes']) {
+        if (typeof opts[fn] !== 'function')
+            throw new Error(`Invalid ${fn} function`);
+    }
+    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
     // Set defaults
-    return Object.freeze({ randomBytes: utils_js_1.randomBytes, ...opts });
+    return Object.freeze({ ...opts });
 }
 // NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
 function twistedEdwards(curveDef) {
     const CURVE = validateOpts(curveDef);
+    const Fp = CURVE.Fp;
     const CURVE_ORDER = CURVE.n;
-    const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
+    const fieldLen = Fp.BYTES; // 32 (length of one field element)
     if (fieldLen > 2048)
         throw new Error('Field lengths over 2048 are not supported');
     const groupLen = CURVE.nByteLength;
     // (2n ** 256n).toString(16);
     const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
     // Function overrides
-    const { P, randomBytes } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const { randomBytes } = CURVE;
+    const modP = Fp.create;
     // sqrt(u/v)
     function _uvRatio(u, v) {
         try {
-            const value = mod.sqrt(u * mod.invert(v, P), P);
+            const value = Fp.sqrt(u * Fp.invert(v));
             return { isValid: true, value };
         }
         catch (e) {
@@ -92,7 +97,7 @@ function twistedEdwards(curveDef) {
         // invert on all of them. invert is very slow operation,
         // so this improves performance massively.
         static toAffineBatch(points) {
-            const toInv = mod.invertBatch(points.map((p) => p.z), P);
+            const toInv = Fp.invertBatch(points.map((p) => p.z));
             return points.map((p, i) => p.toAffine(toInv[i]));
         }
         static normalizeZ(points) {
@@ -232,7 +237,7 @@ function twistedEdwards(curveDef) {
             const { x, y, z } = this;
             const is0 = this.equals(ExtendedPoint.ZERO);
             if (invZ == null)
-                invZ = is0 ? _8n : mod.invert(z, P); // 8 was chosen arbitrarily
+                invZ = is0 ? _8n : Fp.invert(z); // 8 was chosen arbitrarily
             const ax = modP(x * invZ);
             const ay = modP(y * invZ);
             const zz = modP(z * invZ);
@@ -268,7 +273,7 @@ function twistedEdwards(curveDef) {
         // Converts hash string or Uint8Array to Point.
         // Uses algo from RFC8032 5.1.3.
         static fromHex(hex, strict = true) {
-            const { d, P, a } = CURVE;
+            const { d, a } = CURVE;
             hex = (0, utils_js_1.ensureBytes)(hex, fieldLen);
             // 1.  First, interpret the string as an integer in little-endian
             // representation. Bit 255 of this number is the least significant
@@ -279,7 +284,7 @@ function twistedEdwards(curveDef) {
             const lastByte = hex[fieldLen - 1];
             normed[fieldLen - 1] = lastByte & ~0x80;
             const y = (0, utils_js_1.bytesToNumberLE)(normed);
-            if (strict && y >= P)
+            if (strict && y >= Fp.ORDER)
                 throw new Error('Expected 0 < hex < P');
             if (!strict && y >= maxGroupElement)
                 throw new Error('Expected 0 < hex < 2**256');
@@ -513,7 +518,7 @@ function twistedEdwards(curveDef) {
     const utils = {
         getExtendedPublicKey,
         mod: modP,
-        invert: (a, m = CURVE.P) => mod.invert(a, m),
+        invert: Fp.invert,
         /**
          * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
          */