@noble/curves 0.3.1 → 0.4.0

package/lib/esm/bls.js

@@ -0,0 +1,300 @@
+// Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
+// NOTE: only 12 supported for now
+// Constructed from pair of weierstrass curves, based pairing logic
+import * as mod from './modular.js';
+import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from './utils.js';
+// Types
+import { hexToBytes, bytesToHex } from './utils.js';
+import { stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { weierstrassPoints } from './weierstrass.js';
+export function bls(CURVE) {
+    // Fields looks pretty specific for curve, so for now we need to pass them with options
+    const Fp = CURVE.Fp;
+    const Fr = CURVE.Fr;
+    const Fp2 = CURVE.Fp2;
+    const Fp6 = CURVE.Fp6;
+    const Fp12 = CURVE.Fp12;
+    const BLS_X_LEN = bitLen(CURVE.x);
+    // Pre-compute coefficients for sparse multiplication
+    // Point addition and point double calculations is reused for coefficients
+    function calcPairingPrecomputes(x, y) {
+        // prettier-ignore
+        const Qx = x, Qy = y, Qz = Fp2.ONE;
+        // prettier-ignore
+        let Rx = Qx, Ry = Qy, Rz = Qz;
+        let ell_coeff = [];
+        for (let i = BLS_X_LEN - 2; i >= 0; i--) {
+            // Double
+            let t0 = Fp2.square(Ry); // Ry²
+            let t1 = Fp2.square(Rz); // Rz²
+            let t2 = Fp2.multiplyByB(Fp2.multiply(t1, 3n)); // 3 * T1 * B
+            let t3 = Fp2.multiply(t2, 3n); // 3 * T2
+            let t4 = Fp2.subtract(Fp2.subtract(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            ell_coeff.push([
+                Fp2.subtract(t2, t0),
+                Fp2.multiply(Fp2.square(Rx), 3n),
+                Fp2.negate(t4), // -T4
+            ]);
+            Rx = Fp2.div(Fp2.multiply(Fp2.multiply(Fp2.subtract(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+            Ry = Fp2.subtract(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.multiply(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Rz = Fp2.multiply(t0, t4); // T0 * T4
+            if (bitGet(CURVE.x, i)) {
+                // Addition
+                let t0 = Fp2.subtract(Ry, Fp2.multiply(Qy, Rz)); // Ry - Qy * Rz
+                let t1 = Fp2.subtract(Rx, Fp2.multiply(Qx, Rz)); // Rx - Qx * Rz
+                ell_coeff.push([
+                    Fp2.subtract(Fp2.multiply(t0, Qx), Fp2.multiply(t1, Qy)),
+                    Fp2.negate(t0),
+                    t1, // T1
+                ]);
+                let t2 = Fp2.square(t1); // T1²
+                let t3 = Fp2.multiply(t2, t1); // T2 * T1
+                let t4 = Fp2.multiply(t2, Rx); // T2 * Rx
+                let t5 = Fp2.add(Fp2.subtract(t3, Fp2.multiply(t4, 2n)), Fp2.multiply(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                Rx = Fp2.multiply(t1, t5); // T1 * T5
+                Ry = Fp2.subtract(Fp2.multiply(Fp2.subtract(t4, t5), t0), Fp2.multiply(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+                Rz = Fp2.multiply(Rz, t3); // Rz * T3
+            }
+        }
+        return ell_coeff;
+    }
+    function millerLoop(ell, g1) {
+        const Px = g1[0];
+        const Py = g1[1];
+        let f12 = Fp12.ONE;
+        for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
+            const E = ell[j];
+            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.multiply(E[1], Px), Fp2.multiply(E[2], Py));
+            if (bitGet(CURVE.x, i)) {
+                j += 1;
+                const F = ell[j];
+                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.multiply(F[1], Px), Fp2.multiply(F[2], Py));
+            }
+            if (i !== 0)
+                f12 = Fp12.square(f12);
+        }
+        return Fp12.conjugate(f12);
+    }
+    // bls12-381 is a construction of two curves:
+    // 1. Fp: (x, y)
+    // 2. Fp₂: ((x₁, x₂+i), (y₁, y₂+i)) - (complex numbers)
+    //
+    // Bilinear Pairing (ate pairing) is used to combine both elements into a paired one:
+    //   Fp₁₂ = e(Fp, Fp2)
+    //   where Fp₁₂ = 12-degree polynomial
+    // Pairing is used to verify signatures.
+    //
+    // We are using Fp for private keys (shorter) and Fp2 for signatures (longer).
+    // Some projects may prefer to swap this relation, it is not supported for now.
+    const htfDefaults = { ...CURVE.htfDefaults };
+    function isWithinCurveOrder(num) {
+        return 0 < num && num < CURVE.r;
+    }
+    const utils = {
+        hexToBytes: hexToBytes,
+        bytesToHex: bytesToHex,
+        mod: mod.mod,
+        stringToBytes,
+        // TODO: do we need to export it here?
+        hashToField: (msg, count, options = {}) => hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expand_message_xmd(msg, DST, lenInBytes, H),
+        /**
+         * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
+         * and convert them into private key, with the modulo bias being negligible.
+         * As per FIPS 186 B.1.1.
+         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+         * @param hash hash output from sha512, or a similar function
+         * @returns valid private key
+         */
+        hashToPrivateKey: (hash) => {
+            hash = ensureBytes(hash);
+            if (hash.length < 40 || hash.length > 1024)
+                throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
+            //     hashToPrivateScalar(hash, CURVE.r)
+            // NOTE: doesn't add +/-1
+            const num = mod.mod(bytesToNumberBE(hash), CURVE.r);
+            // This should never happen
+            if (num === 0n || num === 1n)
+                throw new Error('Invalid private key');
+            return numberToBytesBE(num, 32);
+        },
+        randomBytes: (bytesLength = 32) => CURVE.randomBytes(bytesLength),
+        // NIST SP 800-56A rev 3, section 5.6.1.2.2
+        // https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
+        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(40)),
+        getDSTLabel: () => htfDefaults.DST,
+        setDSTLabel(newLabel) {
+            // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
+            if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
+                throw new TypeError('Invalid DST');
+            }
+            htfDefaults.DST = newLabel;
+        },
+    };
+    function normalizePrivKey(key) {
+        let int;
+        if (key instanceof Uint8Array && key.length === 32)
+            int = bytesToNumberBE(key);
+        else if (typeof key === 'string' && key.length === 64)
+            int = BigInt(`0x${key}`);
+        else if (typeof key === 'number' && key > 0 && Number.isSafeInteger(key))
+            int = BigInt(key);
+        else if (typeof key === 'bigint' && key > 0n)
+            int = key;
+        else
+            throw new TypeError('Expected valid private key');
+        int = mod.mod(int, CURVE.r);
+        if (!isWithinCurveOrder(int))
+            throw new Error('Private key must be 0 < key < CURVE.r');
+        return int;
+    }
+    // Point on G1 curve: (x, y)
+    const G1 = weierstrassPoints({
+        n: Fr.ORDER,
+        ...CURVE.G1,
+    });
+    function pairingPrecomputes(point) {
+        const p = point;
+        if (p._PPRECOMPUTES)
+            return p._PPRECOMPUTES;
+        p._PPRECOMPUTES = calcPairingPrecomputes(p.x, p.y);
+        return p._PPRECOMPUTES;
+    }
+    function clearPairingPrecomputes(point) {
+        const p = point;
+        p._PPRECOMPUTES = undefined;
+    }
+    clearPairingPrecomputes;
+    function millerLoopG1(Q, P) {
+        return millerLoop(pairingPrecomputes(P), [Q.x, Q.y]);
+    }
+    // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
+    const G2 = weierstrassPoints({
+        n: Fr.ORDER,
+        ...CURVE.G2,
+    });
+    const { Signature } = CURVE.G2;
+    // Calculates bilinear pairing
+    function pairing(P, Q, withFinalExponent = true) {
+        if (P.equals(G1.Point.ZERO) || Q.equals(G2.Point.ZERO))
+            throw new Error('No pairings at point of Infinity');
+        P.assertValidity();
+        Q.assertValidity();
+        // Performance: 9ms for millerLoop and ~14ms for exp.
+        const looped = millerLoopG1(P, Q);
+        return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
+    }
+    function normP1(point) {
+        return point instanceof G1.Point ? point : G1.Point.fromHex(point);
+    }
+    function normP2(point) {
+        return point instanceof G2.Point ? point : Signature.decode(point);
+    }
+    function normP2Hash(point) {
+        return point instanceof G2.Point ? point : G2.Point.hashToCurve(point);
+    }
+    // Multiplies generator by private key.
+    // P = pk x G
+    function getPublicKey(privateKey) {
+        return G1.Point.fromPrivateKey(privateKey).toRawBytes(true);
+    }
+    function sign(message, privateKey) {
+        const msgPoint = normP2Hash(message);
+        msgPoint.assertValidity();
+        const sigPoint = msgPoint.multiply(normalizePrivKey(privateKey));
+        if (message instanceof G2.Point)
+            return sigPoint;
+        return Signature.encode(sigPoint);
+    }
+    // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+    // e(P, H(m)) == e(G, S)
+    function verify(signature, message, publicKey) {
+        const P = normP1(publicKey);
+        const Hm = normP2Hash(message);
+        const G = G1.Point.BASE;
+        const S = normP2(signature);
+        // Instead of doing 2 exponentiations, we use property of billinear maps
+        // and do one exp after multiplying 2 points.
+        const ePHm = pairing(P.negate(), Hm, false);
+        const eGS = pairing(G, S, false);
+        const exp = Fp12.finalExponentiate(Fp12.multiply(eGS, ePHm));
+        return Fp12.equals(exp, Fp12.ONE);
+    }
+    function aggregatePublicKeys(publicKeys) {
+        if (!publicKeys.length)
+            throw new Error('Expected non-empty array');
+        const agg = publicKeys
+            .map(normP1)
+            .reduce((sum, p) => sum.add(G1.JacobianPoint.fromAffine(p)), G1.JacobianPoint.ZERO);
+        const aggAffine = agg.toAffine();
+        if (publicKeys[0] instanceof G1.Point) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        // toRawBytes ensures point validity
+        return aggAffine.toRawBytes(true);
+    }
+    function aggregateSignatures(signatures) {
+        if (!signatures.length)
+            throw new Error('Expected non-empty array');
+        const agg = signatures
+            .map(normP2)
+            .reduce((sum, s) => sum.add(G2.JacobianPoint.fromAffine(s)), G2.JacobianPoint.ZERO);
+        const aggAffine = agg.toAffine();
+        if (signatures[0] instanceof G2.Point) {
+            aggAffine.assertValidity();
+            return aggAffine;
+        }
+        return Signature.encode(aggAffine);
+    }
+    // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
+    // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+    function verifyBatch(signature, messages, publicKeys) {
+        if (!messages.length)
+            throw new Error('Expected non-empty messages array');
+        if (publicKeys.length !== messages.length)
+            throw new Error('Pubkey count should equal msg count');
+        const sig = normP2(signature);
+        const nMessages = messages.map(normP2Hash);
+        const nPublicKeys = publicKeys.map(normP1);
+        try {
+            const paired = [];
+            for (const message of new Set(nMessages)) {
+                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.Point.ZERO);
+                // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
+                // Possible to batch pairing for same msg with different groupPublicKey here
+                paired.push(pairing(groupPublicKey, message, false));
+            }
+            paired.push(pairing(G1.Point.BASE.negate(), sig, false));
+            const product = paired.reduce((a, b) => Fp12.multiply(a, b), Fp12.ONE);
+            const exp = Fp12.finalExponentiate(product);
+            return Fp12.equals(exp, Fp12.ONE);
+        }
+        catch {
+            return false;
+        }
+    }
+    // Pre-compute points. Refer to README.
+    G1.Point.BASE._setWindowSize(4);
+    return {
+        CURVE,
+        Fr,
+        Fp,
+        Fp2,
+        Fp6,
+        Fp12,
+        G1,
+        G2,
+        Signature,
+        millerLoop,
+        calcPairingPrecomputes,
+        pairing,
+        getPublicKey,
+        sign,
+        verify,
+        aggregatePublicKeys,
+        aggregateSignatures,
+        verifyBatch,
+        utils,
+    };
+}

package/lib/esm/edwards.js

@@ -8,7 +8,7 @@
 // 4. Point decompression code is different too (unexpected), now using generalized formula
 // 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
 import * as mod from './modular.js';
-import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, randomBytes as utilRandomBytes, } from './utils.js'; // TODO: import * as u from './utils.js'?
+import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js'; // TODO: import * as u from './utils.js'?
 import { wNAF } from './group.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
@@ -24,32 +24,37 @@ function validateOpts(curve) {
         if (typeof opts[i] !== 'bigint')
             throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    for (const fn of ['adjustScalarBytes', 'domain', 'randomBytes', 'uvRatio']) {
+    for (const fn of ['randomBytes']) {
+        if (typeof opts[fn] !== 'function')
+            throw new Error(`Invalid ${fn} function`);
+    }
+    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
     // Set defaults
-    return Object.freeze({ randomBytes: utilRandomBytes, ...opts });
+    return Object.freeze({ ...opts });
 }
 // NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef) {
     const CURVE = validateOpts(curveDef);
+    const Fp = CURVE.Fp;
     const CURVE_ORDER = CURVE.n;
-    const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
+    const fieldLen = Fp.BYTES; // 32 (length of one field element)
     if (fieldLen > 2048)
         throw new Error('Field lengths over 2048 are not supported');
     const groupLen = CURVE.nByteLength;
     // (2n ** 256n).toString(16);
     const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
     // Function overrides
-    const { P, randomBytes } = CURVE;
-    const modP = (a) => mod.mod(a, P);
+    const { randomBytes } = CURVE;
+    const modP = Fp.create;
     // sqrt(u/v)
     function _uvRatio(u, v) {
         try {
-            const value = mod.sqrt(u * mod.invert(v, P), P);
+            const value = Fp.sqrt(u * Fp.invert(v));
             return { isValid: true, value };
         }
         catch (e) {
@@ -89,7 +94,7 @@ export function twistedEdwards(curveDef) {
         // invert on all of them. invert is very slow operation,
         // so this improves performance massively.
         static toAffineBatch(points) {
-            const toInv = mod.invertBatch(points.map((p) => p.z), P);
+            const toInv = Fp.invertBatch(points.map((p) => p.z));
             return points.map((p, i) => p.toAffine(toInv[i]));
         }
         static normalizeZ(points) {
@@ -229,7 +234,7 @@ export function twistedEdwards(curveDef) {
             const { x, y, z } = this;
             const is0 = this.equals(ExtendedPoint.ZERO);
             if (invZ == null)
-                invZ = is0 ? _8n : mod.invert(z, P); // 8 was chosen arbitrarily
+                invZ = is0 ? _8n : Fp.invert(z); // 8 was chosen arbitrarily
             const ax = modP(x * invZ);
             const ay = modP(y * invZ);
             const zz = modP(z * invZ);
@@ -265,7 +270,7 @@ export function twistedEdwards(curveDef) {
         // Converts hash string or Uint8Array to Point.
         // Uses algo from RFC8032 5.1.3.
         static fromHex(hex, strict = true) {
-            const { d, P, a } = CURVE;
+            const { d, a } = CURVE;
             hex = ensureBytes(hex, fieldLen);
             // 1.  First, interpret the string as an integer in little-endian
             // representation. Bit 255 of this number is the least significant
@@ -276,7 +281,7 @@ export function twistedEdwards(curveDef) {
             const lastByte = hex[fieldLen - 1];
             normed[fieldLen - 1] = lastByte & ~0x80;
             const y = bytesToNumberLE(normed);
-            if (strict && y >= P)
+            if (strict && y >= Fp.ORDER)
                 throw new Error('Expected 0 < hex < P');
             if (!strict && y >= maxGroupElement)
                 throw new Error('Expected 0 < hex < 2**256');
@@ -510,7 +515,7 @@ export function twistedEdwards(curveDef) {
     const utils = {
         getExtendedPublicKey,
         mod: modP,
-        invert: (a, m = CURVE.P) => mod.invert(a, m),
+        invert: Fp.invert,
         /**
          * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
          */

package/lib/esm/group.js

@@ -9,8 +9,6 @@ export function wNAF(c, bits) {
         return condition ? neg : item;
     };
     const opts = (W) => {
-        if (256 % W)
-            throw new Error('Invalid precomputation window, must be power of 2');
         const windows = Math.ceil(bits / W) + 1; // +1, because
         const windowSize = 2 ** (W - 1); // -1 because we skip zero
         return { windows, windowSize };
@@ -59,6 +57,8 @@ export function wNAF(c, bits) {
          * @returns real and fake (for const-time) points
          */
         wNAF(W, precomputes, n) {
+            // TODO: maybe check that scalar is less than group order? wNAF will fail otherwise
+            // But need to carefully remove other checks before wNAF. ORDER == bits here
             const { windows, windowSize } = opts(W);
             let p = c.ZERO;
             let f = c.BASE;

package/lib/esm/hashToCurve.js

@@ -0,0 +1,105 @@
+import { concatBytes } from './utils.js';
+import * as mod from './modular.js';
+export function validateHTFOpts(opts) {
+    if (typeof opts.DST !== 'string')
+        throw new Error('Invalid htf/DST');
+    if (typeof opts.p !== 'bigint')
+        throw new Error('Invalid htf/p');
+    if (typeof opts.m !== 'number')
+        throw new Error('Invalid htf/m');
+    if (typeof opts.k !== 'number')
+        throw new Error('Invalid htf/k');
+    if (typeof opts.expand !== 'boolean')
+        throw new Error('Invalid htf/expand');
+    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+        throw new Error('Invalid htf/hash function');
+}
+// UTF8 to ui8a
+export function stringToBytes(str) {
+    const bytes = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; i++)
+        bytes[i] = str.charCodeAt(i);
+    return bytes;
+}
+// Octet Stream to Integer (bytesToNumberBE)
+function os2ip(bytes) {
+    let result = 0n;
+    for (let i = 0; i < bytes.length; i++) {
+        result <<= 8n;
+        result += BigInt(bytes[i]);
+    }
+    return result;
+}
+// Integer to Octet Stream
+function i2osp(value, length) {
+    if (value < 0 || value >= 1 << (8 * length)) {
+        throw new Error(`bad I2OSP call: value=${value} length=${length}`);
+    }
+    const res = Array.from({ length }).fill(0);
+    for (let i = length - 1; i >= 0; i--) {
+        res[i] = value & 0xff;
+        value >>>= 8;
+    }
+    return new Uint8Array(res);
+}
+function strxor(a, b) {
+    const arr = new Uint8Array(a.length);
+    for (let i = 0; i < a.length; i++) {
+        arr[i] = a[i] ^ b[i];
+    }
+    return arr;
+}
+// Produces a uniformly random byte string using a cryptographic hash function H that outputs b bits
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.4.1
+export function expand_message_xmd(msg, DST, lenInBytes, H) {
+    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
+    if (DST.length > 255)
+        DST = H(concatBytes(stringToBytes('H2C-OVERSIZE-DST-'), DST));
+    const b_in_bytes = H.outputLen;
+    const r_in_bytes = b_in_bytes * 2;
+    const ell = Math.ceil(lenInBytes / b_in_bytes);
+    if (ell > 255)
+        throw new Error('Invalid xmd length');
+    const DST_prime = concatBytes(DST, i2osp(DST.length, 1));
+    const Z_pad = i2osp(0, r_in_bytes);
+    const l_i_b_str = i2osp(lenInBytes, 2);
+    const b = new Array(ell);
+    const b_0 = H(concatBytes(Z_pad, msg, l_i_b_str, i2osp(0, 1), DST_prime));
+    b[0] = H(concatBytes(b_0, i2osp(1, 1), DST_prime));
+    for (let i = 1; i <= ell; i++) {
+        const args = [strxor(b_0, b[i - 1]), i2osp(i + 1, 1), DST_prime];
+        b[i] = H(concatBytes(...args));
+    }
+    const pseudo_random_bytes = concatBytes(...b);
+    return pseudo_random_bytes.slice(0, lenInBytes);
+}
+// hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
+// Inputs:
+// msg - a byte string containing the message to hash.
+// count - the number of elements of F to output.
+// Outputs:
+// [u_0, ..., u_(count - 1)], a list of field elements.
+export function hash_to_field(msg, count, options) {
+    // if options is provided but incomplete, fill any missing fields with the
+    // value in hftDefaults (ie hash to G2).
+    const log2p = options.p.toString(2).length;
+    const L = Math.ceil((log2p + options.k) / 8); // section 5.1 of ietf draft link above
+    const len_in_bytes = count * options.m * L;
+    const DST = stringToBytes(options.DST);
+    let pseudo_random_bytes = msg;
+    if (options.expand) {
+        pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
+    }
+    const u = new Array(count);
+    for (let i = 0; i < count; i++) {
+        const e = new Array(options.m);
+        for (let j = 0; j < options.m; j++) {
+            const elm_offset = L * (j + i * options.m);
+            const tv = pseudo_random_bytes.subarray(elm_offset, elm_offset + L);
+            e[j] = mod.mod(os2ip(tv), options.p);
+        }
+        u[i] = e;
+    }
+    return u;
+}