@noble/curves 0.4.0 → 0.5.1

package/lib/{bls.d.ts → abstract/bls.d.ts}

@@ -1,7 +1,8 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import * as mod from './modular.js';
 import * as utils from './utils.js';
 import { Hex, PrivKey } from './utils.js';
-import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hashToCurve.js';
+import { htfOpts, stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
 import { CurvePointsType, PointType, CurvePointsRes } from './weierstrass.js';
 declare type Fp = bigint;
 export declare type SignatureCoder<Fp2> = {

package/lib/{bls.js → abstract/bls.js}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bls = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
 // NOTE: only 12 supported for now
 // Constructed from pair of weierstrass curves, based pairing logic
@@ -8,7 +9,7 @@ const mod = require("./modular.js");
 const utils_js_1 = require("./utils.js");
 // Types
 const utils_js_2 = require("./utils.js");
-const hashToCurve_js_1 = require("./hashToCurve.js");
+const hash_to_curve_js_1 = require("./hash-to-curve.js");
 const weierstrass_js_1 = require("./weierstrass.js");
 function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
@@ -30,33 +31,33 @@ function bls(CURVE) {
             // Double
             let t0 = Fp2.square(Ry); // Ry²
             let t1 = Fp2.square(Rz); // Rz²
-            let t2 = Fp2.multiplyByB(Fp2.multiply(t1, 3n)); // 3 * T1 * B
-            let t3 = Fp2.multiply(t2, 3n); // 3 * T2
-            let t4 = Fp2.subtract(Fp2.subtract(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
+            let t3 = Fp2.mul(t2, 3n); // 3 * T2
+            let t4 = Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
             ell_coeff.push([
-                Fp2.subtract(t2, t0),
-                Fp2.multiply(Fp2.square(Rx), 3n),
+                Fp2.sub(t2, t0),
+                Fp2.mul(Fp2.square(Rx), 3n),
                 Fp2.negate(t4), // -T4
             ]);
-            Rx = Fp2.div(Fp2.multiply(Fp2.multiply(Fp2.subtract(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
-            Ry = Fp2.subtract(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.multiply(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
-            Rz = Fp2.multiply(t0, t4); // T0 * T4
+            Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+            Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Rz = Fp2.mul(t0, t4); // T0 * T4
             if ((0, utils_js_1.bitGet)(CURVE.x, i)) {
                 // Addition
-                let t0 = Fp2.subtract(Ry, Fp2.multiply(Qy, Rz)); // Ry - Qy * Rz
-                let t1 = Fp2.subtract(Rx, Fp2.multiply(Qx, Rz)); // Rx - Qx * Rz
+                let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
+                let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
                 ell_coeff.push([
-                    Fp2.subtract(Fp2.multiply(t0, Qx), Fp2.multiply(t1, Qy)),
+                    Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)),
                     Fp2.negate(t0),
                     t1, // T1
                 ]);
                 let t2 = Fp2.square(t1); // T1²
-                let t3 = Fp2.multiply(t2, t1); // T2 * T1
-                let t4 = Fp2.multiply(t2, Rx); // T2 * Rx
-                let t5 = Fp2.add(Fp2.subtract(t3, Fp2.multiply(t4, 2n)), Fp2.multiply(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
-                Rx = Fp2.multiply(t1, t5); // T1 * T5
-                Ry = Fp2.subtract(Fp2.multiply(Fp2.subtract(t4, t5), t0), Fp2.multiply(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
-                Rz = Fp2.multiply(Rz, t3); // Rz * T3
+                let t3 = Fp2.mul(t2, t1); // T2 * T1
+                let t4 = Fp2.mul(t2, Rx); // T2 * Rx
+                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                Rx = Fp2.mul(t1, t5); // T1 * T5
+                Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+                Rz = Fp2.mul(Rz, t3); // Rz * T3
             }
         }
         return ell_coeff;
@@ -67,11 +68,11 @@ function bls(CURVE) {
         let f12 = Fp12.ONE;
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
-            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.multiply(E[1], Px), Fp2.multiply(E[2], Py));
+            f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
             if ((0, utils_js_1.bitGet)(CURVE.x, i)) {
                 j += 1;
                 const F = ell[j];
-                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.multiply(F[1], Px), Fp2.multiply(F[2], Py));
+                f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
             }
             if (i !== 0)
                 f12 = Fp12.square(f12);
@@ -97,10 +98,10 @@ function bls(CURVE) {
         hexToBytes: utils_js_2.hexToBytes,
         bytesToHex: utils_js_2.bytesToHex,
         mod: mod.mod,
-        stringToBytes: hashToCurve_js_1.stringToBytes,
+        stringToBytes: hash_to_curve_js_1.stringToBytes,
         // TODO: do we need to export it here?
-        hashToField: (msg, count, options = {}) => (0, hashToCurve_js_1.hash_to_field)(msg, count, { ...CURVE.htfDefaults, ...options }),
-        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => (0, hashToCurve_js_1.expand_message_xmd)(msg, DST, lenInBytes, H),
+        hashToField: (msg, count, options = {}) => (0, hash_to_curve_js_1.hash_to_field)(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => (0, hash_to_curve_js_1.expand_message_xmd)(msg, DST, lenInBytes, H),
         /**
          * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
          * and convert them into private key, with the modulo bias being negligible.
@@ -220,7 +221,7 @@ function bls(CURVE) {
         // and do one exp after multiplying 2 points.
         const ePHm = pairing(P.negate(), Hm, false);
         const eGS = pairing(G, S, false);
-        const exp = Fp12.finalExponentiate(Fp12.multiply(eGS, ePHm));
+        const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
         return Fp12.equals(exp, Fp12.ONE);
     }
     function aggregatePublicKeys(publicKeys) {
@@ -228,7 +229,7 @@ function bls(CURVE) {
             throw new Error('Expected non-empty array');
         const agg = publicKeys
             .map(normP1)
-            .reduce((sum, p) => sum.add(G1.JacobianPoint.fromAffine(p)), G1.JacobianPoint.ZERO);
+            .reduce((sum, p) => sum.add(G1.ProjectivePoint.fromAffine(p)), G1.ProjectivePoint.ZERO);
         const aggAffine = agg.toAffine();
         if (publicKeys[0] instanceof G1.Point) {
             aggAffine.assertValidity();
@@ -242,7 +243,7 @@ function bls(CURVE) {
             throw new Error('Expected non-empty array');
         const agg = signatures
             .map(normP2)
-            .reduce((sum, s) => sum.add(G2.JacobianPoint.fromAffine(s)), G2.JacobianPoint.ZERO);
+            .reduce((sum, s) => sum.add(G2.ProjectivePoint.fromAffine(s)), G2.ProjectivePoint.ZERO);
         const aggAffine = agg.toAffine();
         if (signatures[0] instanceof G2.Point) {
             aggAffine.assertValidity();
@@ -269,7 +270,7 @@ function bls(CURVE) {
                 paired.push(pairing(groupPublicKey, message, false));
             }
             paired.push(pairing(G1.Point.BASE.negate(), sig, false));
-            const product = paired.reduce((a, b) => Fp12.multiply(a, b), Fp12.ONE);
+            const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
             const exp = Fp12.finalExponentiate(product);
             return Fp12.equals(exp, Fp12.ONE);
         }

package/lib/{edwards.d.ts → abstract/edwards.d.ts}

@@ -2,6 +2,7 @@
 import * as mod from './modular.js';
 import { BasicCurve, Hex, PrivKey } from './utils.js';
 import { Group, GroupConstructor } from './group.js';
+import { htfOpts } from './hash-to-curve.js';
 export declare type CHash = {
     (message: Uint8Array | string): Uint8Array;
     blockLen: number;
@@ -20,6 +21,12 @@ export declare type CurveType = BasicCurve<bigint> & {
         value: bigint;
     };
     preHash?: CHash;
+    clearCofactor?: (c: ExtendedPointConstructor, point: ExtendedPointType) => ExtendedPointType;
+    htfDefaults?: htfOpts;
+    mapToCurve?: (scalar: bigint[]) => {
+        x: bigint;
+        y: bigint;
+    };
 };
 declare function validateOpts(curve: CurveType): Readonly<{
     readonly nBitLength: number;
@@ -43,6 +50,12 @@ declare function validateOpts(curve: CurveType): Readonly<{
         value: bigint;
     }) | undefined;
     readonly preHash?: CHash | undefined;
+    readonly clearCofactor?: ((c: ExtendedPointConstructor, point: ExtendedPointType) => ExtendedPointType) | undefined;
+    readonly htfDefaults?: htfOpts | undefined;
+    readonly mapToCurve?: ((scalar: bigint[]) => {
+        x: bigint;
+        y: bigint;
+    }) | undefined;
 }>;
 export interface SignatureType {
     readonly r: PointType;
@@ -65,6 +78,7 @@ export interface ExtendedPointType extends Group<ExtendedPointType> {
     isSmallOrder(): boolean;
     isTorsionFree(): boolean;
     toAffine(invZ?: bigint): PointType;
+    clearCofactor(): ExtendedPointType;
 }
 export interface ExtendedPointConstructor extends GroupConstructor<ExtendedPointType> {
     new (x: bigint, y: bigint, z: bigint, t: bigint): ExtendedPointType;
@@ -79,11 +93,14 @@ export interface PointType extends Group<PointType> {
     toRawBytes(isCompressed?: boolean): Uint8Array;
     toHex(isCompressed?: boolean): string;
     isTorsionFree(): boolean;
+    clearCofactor(): PointType;
 }
 export interface PointConstructor extends GroupConstructor<PointType> {
     new (x: bigint, y: bigint): PointType;
     fromHex(hex: Hex): PointType;
     fromPrivateKey(privateKey: PrivKey): PointType;
+    hashToCurve(msg: Hex, options?: Partial<htfOpts>): PointType;
+    encodeToCurve(msg: Hex, options?: Partial<htfOpts>): PointType;
 }
 export declare type PubKey = Hex | PointType;
 export declare type SigType = Hex | SignatureType;

package/lib/{edwards.js → abstract/edwards.js}

@@ -1,6 +1,6 @@
 "use strict";
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
+// Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.twistedEdwards = void 0;
 // Differences from @noble/ed25519 1.7:
@@ -13,6 +13,7 @@ exports.twistedEdwards = void 0;
 const mod = require("./modular.js");
 const utils_js_1 = require("./utils.js"); // TODO: import * as u from './utils.js'?
 const group_js_1 = require("./group.js");
+const hash_to_curve_js_1 = require("./hash-to-curve.js");
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
@@ -31,12 +32,20 @@ function validateOpts(curve) {
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
-    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio']) {
+    for (const fn of [
+        'adjustScalarBytes',
+        'domain',
+        'uvRatio',
+        'mapToCurve',
+        'clearCofactor',
+    ]) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
+    if (opts.htfDefaults !== undefined)
+        (0, hash_to_curve_js_1.validateHTFOpts)(opts.htfDefaults);
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -156,7 +165,7 @@ function twistedEdwards(curveDef) {
                 const B = modP((Y1 + X1) * (Y2 - X2));
                 const F = modP(B - A);
                 if (F === _0n)
-                    return this.double(); // Same point.
+                    return this.double(); // Same point. Tests say it doesn't affect timing
                 const C = modP(Z1 * _2n * T2);
                 const D = modP(T1 * _2n * Z2);
                 const E = D + C;
@@ -173,7 +182,6 @@ function twistedEdwards(curveDef) {
             const C = modP(T1 * d * T2); // C = T1*d*T2
             const D = modP(Z1 * Z2); // D = Z1*Z2
             const E = modP((X1 + Y1) * (X2 + Y2) - A - B); // E = (X1+Y1)*(X2+Y2)-A-B
-            // TODO: do we need to check for same point here? Looks like working without it
             const F = D - C; // F = D-C
             const G = D + C; // G = D+C
             const H = modP(B - a * A); // H = B-a*A
@@ -247,6 +255,15 @@ function twistedEdwards(curveDef) {
                 throw new Error('invZ was invalid');
             return new Point(ax, ay);
         }
+        clearCofactor() {
+            if (CURVE.h === _1n)
+                return this; // Fast-path
+            // clear_cofactor(P) := h_eff * P
+            // hEff = h for ed25519/ed448. Maybe worth moving to params?
+            if (CURVE.clearCofactor)
+                return CURVE.clearCofactor(ExtendedPoint, this);
+            return this.multiplyUnsafe(CURVE.h);
+        }
     }
     ExtendedPoint.BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     ExtendedPoint.ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
@@ -355,6 +372,30 @@ function twistedEdwards(curveDef) {
         multiply(scalar) {
             return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
         }
+        clearCofactor() {
+            return ExtendedPoint.fromAffine(this).clearCofactor().toAffine();
+        }
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        static hashToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 2, { ...CURVE.htfDefaults, ...options });
+            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
+            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
+            const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
+            return p;
+        }
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        static encodeToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 1, { ...CURVE.htfDefaults, ...options });
+            const { x, y } = CURVE.mapToCurve(u[0]);
+            return new Point(x, y).clearCofactor();
+        }
     }
     // Base point aka generator
     // public_key = Point.BASE * private_key

package/lib/{group.d.ts → abstract/group.d.ts}

@@ -22,8 +22,9 @@ export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: n
     precomputeWindow(elm: T, W: number): Group<T>[];
     /**
      * Implements w-ary non-adjacent form for calculating ec multiplication.
-     * @param n
+     * @param W window size
      * @param affinePoint optional 2d point to save cached precompute windows on it.
+     * @param n bits
      * @returns real and fake (for const-time) points
      */
     wNAF(W: number, precomputes: T[], n: bigint): {

package/lib/{group.js → abstract/group.js}

@@ -1,8 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.wNAF = void 0;
-/*! @noble/curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Default group related functions
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Abelian group utilities
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 // Not big, but pretty complex and it is easy to break stuff. To avoid too much copy paste
@@ -55,8 +55,9 @@ function wNAF(c, bits) {
         },
         /**
          * Implements w-ary non-adjacent form for calculating ec multiplication.
-         * @param n
+         * @param W window size
          * @param affinePoint optional 2d point to save cached precompute windows on it.
+         * @param n bits
          * @returns real and fake (for const-time) points
          */
         wNAF(W, precomputes, n) {

package/lib/abstract/hash-to-curve.d.ts

@@ -0,0 +1,28 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { CHash } from './utils.js';
+import * as mod from './modular.js';
+export declare type htfOpts = {
+    DST: string;
+    p: bigint;
+    m: number;
+    k: number;
+    expand?: 'xmd' | 'xof';
+    hash: CHash;
+};
+export declare function validateHTFOpts(opts: htfOpts): void;
+export declare function stringToBytes(str: string): Uint8Array;
+export declare function expand_message_xmd(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, H: CHash): Uint8Array;
+export declare function expand_message_xof(msg: Uint8Array, DST: Uint8Array, lenInBytes: number, k: number, H: CHash): Uint8Array;
+/**
+ * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
+ * @param msg a byte string containing the message to hash
+ * @param count the number of elements of F to output
+ * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
+ * @returns [u_0, ..., u_(count - 1)], a list of field elements.
+ */
+export declare function hash_to_field(msg: Uint8Array, count: number, options: htfOpts): bigint[][];
+export declare function isogenyMap<T, F extends mod.Field<T>>(field: F, map: [T[], T[], T[], T[]]): (x: T, y: T) => {
+    x: T;
+    y: T;
+};

package/lib/{hashToCurve.js → abstract/hash-to-curve.js}

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.hash_to_field = exports.expand_message_xmd = exports.stringToBytes = exports.validateHTFOpts = void 0;
+exports.isogenyMap = exports.hash_to_field = exports.expand_message_xof = exports.expand_message_xmd = exports.stringToBytes = exports.validateHTFOpts = void 0;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const utils_js_1 = require("./utils.js");
 const mod = require("./modular.js");
 function validateHTFOpts(opts) {
@@ -12,13 +13,14 @@ function validateHTFOpts(opts) {
         throw new Error('Invalid htf/m');
     if (typeof opts.k !== 'number')
         throw new Error('Invalid htf/k');
-    if (typeof opts.expand !== 'boolean')
+    if (opts.expand !== 'xmd' && opts.expand !== 'xof' && opts.expand !== undefined)
         throw new Error('Invalid htf/expand');
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
 }
 exports.validateHTFOpts = validateHTFOpts;
 // UTF8 to ui8a
+// TODO: looks broken, ASCII only, why not TextEncoder/TextDecoder? it is in hashes anyway
 function stringToBytes(str) {
     const bytes = new Uint8Array(str.length);
     for (let i = 0; i < str.length; i++)
@@ -61,7 +63,7 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
     if (DST.length > 255)
         DST = H((0, utils_js_1.concatBytes)(stringToBytes('H2C-OVERSIZE-DST-'), DST));
     const b_in_bytes = H.outputLen;
-    const r_in_bytes = b_in_bytes * 2;
+    const r_in_bytes = H.blockLen;
     const ell = Math.ceil(lenInBytes / b_in_bytes);
     if (ell > 255)
         throw new Error('Invalid xmd length');
@@ -79,13 +81,32 @@ function expand_message_xmd(msg, DST, lenInBytes, H) {
     return pseudo_random_bytes.slice(0, lenInBytes);
 }
 exports.expand_message_xmd = expand_message_xmd;
-// hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
-// Inputs:
-// msg - a byte string containing the message to hash.
-// count - the number of elements of F to output.
-// Outputs:
-// [u_0, ..., u_(count - 1)], a list of field elements.
+function expand_message_xof(msg, DST, lenInBytes, k, H) {
+    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
+    // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
+    if (DST.length > 255) {
+        const dkLen = Math.ceil((2 * k) / 8);
+        DST = H.create({ dkLen }).update(stringToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
+    }
+    if (lenInBytes > 65535 || DST.length > 255)
+        throw new Error('expand_message_xof: invalid lenInBytes');
+    return (H.create({ dkLen: lenInBytes })
+        .update(msg)
+        .update(i2osp(lenInBytes, 2))
+        // 2. DST_prime = DST || I2OSP(len(DST), 1)
+        .update(DST)
+        .update(i2osp(DST.length, 1))
+        .digest());
+}
+exports.expand_message_xof = expand_message_xof;
+/**
+ * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
+ * @param msg a byte string containing the message to hash
+ * @param count the number of elements of F to output
+ * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
+ * @returns [u_0, ..., u_(count - 1)], a list of field elements.
+ */
 function hash_to_field(msg, count, options) {
     // if options is provided but incomplete, fill any missing fields with the
     // value in hftDefaults (ie hash to G2).
@@ -94,9 +115,12 @@ function hash_to_field(msg, count, options) {
     const len_in_bytes = count * options.m * L;
     const DST = stringToBytes(options.DST);
     let pseudo_random_bytes = msg;
-    if (options.expand) {
+    if (options.expand === 'xmd') {
         pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
     }
+    else if (options.expand === 'xof') {
+        pseudo_random_bytes = expand_message_xof(msg, DST, len_in_bytes, options.k, options.hash);
+    }
     const u = new Array(count);
     for (let i = 0; i < count; i++) {
         const e = new Array(options.m);
@@ -110,3 +134,14 @@ function hash_to_field(msg, count, options) {
     return u;
 }
 exports.hash_to_field = hash_to_field;
+function isogenyMap(field, map) {
+    // Make same order as in spec
+    const COEFF = map.map((i) => Array.from(i).reverse());
+    return (x, y) => {
+        const [xNum, xDen, yNum, yDen] = COEFF.map((val) => val.reduce((acc, i) => field.add(field.mul(acc, x), i)));
+        x = field.div(xNum, xDen); // xNum / xDen
+        y = field.mul(y, field.div(yNum, yDen)); // y * (yNum / yDev)
+        return { x, y };
+    };
+}
+exports.isogenyMap = isogenyMap;

package/lib/{modular.d.ts → abstract/modular.d.ts}

@@ -8,17 +8,8 @@ export declare function mod(a: bigint, b: bigint): bigint;
 export declare function pow(num: bigint, power: bigint, modulo: bigint): bigint;
 export declare function pow2(x: bigint, power: bigint, modulo: bigint): bigint;
 export declare function invert(number: bigint, modulo: bigint): bigint;
-/**
- * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
- * * (a | p) ≡ 1    if a is a square (mod p)
- * * (a | p) ≡ -1   if a is not a square (mod p)
- * * (a | p) ≡ 0    if a ≡ 0 (mod p)
- */
-export declare function legendre(num: bigint, fieldPrime: bigint): bigint;
-/**
- * Calculates square root of a number in a finite field.
- */
-export declare function sqrt(number: bigint, modulo: bigint): bigint;
+export declare function tonelliShanks(P: bigint): <T>(Fp: Field<T>, n: T) => T;
+export declare function FpSqrt(P: bigint): <T>(Fp: Field<T>, n: T) => T;
 export declare const isNegativeLE: (num: bigint, modulo: bigint) => boolean;
 export interface Field<T> {
     ORDER: bigint;
@@ -36,13 +27,13 @@ export interface Field<T> {
     square(num: T): T;
     equals(lhs: T, rhs: T): boolean;
     add(lhs: T, rhs: T): T;
-    subtract(lhs: T, rhs: T): T;
-    multiply(lhs: T, rhs: T | bigint): T;
+    sub(lhs: T, rhs: T): T;
+    mul(lhs: T, rhs: T | bigint): T;
     pow(lhs: T, power: bigint): T;
     div(lhs: T, rhs: T | bigint): T;
     addN(lhs: T, rhs: T): T;
-    subtractN(lhs: T, rhs: T): T;
-    multiplyN(lhs: T, rhs: T | bigint): T;
+    subN(lhs: T, rhs: T): T;
+    mulN(lhs: T, rhs: T | bigint): T;
     squareN(num: T): T;
     isOdd?(num: T): boolean;
     legendre?(num: T): T;
@@ -50,9 +41,15 @@ export interface Field<T> {
     invertBatch: (lst: T[]) => T[];
     toBytes(num: T): Uint8Array;
     fromBytes(bytes: Uint8Array): T;
+    cmov(a: T, b: T, c: boolean): T;
 }
 export declare function validateField<T>(field: Field<T>): void;
 export declare function FpPow<T>(f: Field<T>, num: T, power: bigint): T;
 export declare function FpInvertBatch<T>(f: Field<T>, nums: T[]): T[];
 export declare function FpDiv<T>(f: Field<T>, lhs: T, rhs: T | bigint): T;
-export declare function Fp(ORDER: bigint, bitLen?: number, isLE?: boolean, redef?: Partial<Field<bigint>>): Readonly<Field<bigint>>;
+export declare function FpIsSquare<T>(f: Field<T>): (x: T) => boolean;
+declare type FpField = Field<bigint> & Required<Pick<Field<bigint>, 'isOdd'>>;
+export declare function Fp(ORDER: bigint, bitLen?: number, isLE?: boolean, redef?: Partial<Field<bigint>>): Readonly<FpField>;
+export declare function FpSqrtOdd<T>(Fp: Field<T>, elm: T): T;
+export declare function FpSqrtEven<T>(Fp: Field<T>, elm: T): T;
+export {};