@noble/curves 0.5.0 → 0.5.1

package/lib/ed25519.js

@@ -81,7 +81,74 @@ exports.ED25519_TORSION_SUBGROUP = [
     '0000000000000000000000000000000000000000000000000000000000000000',
     'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
-const Fp = (0, modular_js_1.Fp)(ED25519_P);
+const Fp = (0, modular_js_1.Fp)(ED25519_P, undefined, true);
+// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
+// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
+// SageMath returns different root first and everything falls apart
+const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
+const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
+const ELL2_C3 = Fp.sqrt(Fp.negate(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
+const ELL2_J = BigInt(486662);
+// prettier-ignore
+function map_to_curve_elligator2_curve25519(u) {
+    let tv1 = Fp.square(u); //  1.  tv1 = u^2
+    tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
+    let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
+    let x1n = Fp.negate(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.square(xd); //  5.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
+    let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.square(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.square(tv3); //  12. tv2 = tv3^2           # gxd^4
+    tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
+    tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
+    tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
+    let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
+    y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
+    let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
+    tv2 = Fp.square(y11); //  19. tv2 = y11^2
+    tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
+    let e1 = Fp.equals(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
+    let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
+    let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
+    y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
+    let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
+    let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
+    tv2 = Fp.square(y21); //  28. tv2 = y21^2
+    tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
+    let e2 = Fp.equals(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
+    tv2 = Fp.square(y1); //  32. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
+    let e3 = Fp.equals(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
+    let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.negate(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
+}
+const ELL2_C1_EDWARDS = (0, modular_js_1.FpSqrtEven)(Fp, Fp.negate(BigInt(486664))); // sgn0(c1) MUST equal 0
+function map_to_curve_elligator2_edwards25519(u) {
+    const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
+    let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
+    xn = Fp.mul(xn, ELL2_C1_EDWARDS); //  3.  xn = xn * c1
+    let xd = Fp.mul(xMd, yMn); //  4.  xd = xMd * yMn    # xn / xd = c1 * xM / yM
+    let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
+    let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
+    let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
+    let e = Fp.equals(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
+    xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
+    yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
+    yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
+    const inv = Fp.invertBatch([xd, yd]); // batch division
+    return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
+}
 const ED25519_DEF = {
     // Param: a
     a: BigInt(-1),
@@ -110,14 +177,10 @@ const ED25519_DEF = {
         p: Fp.ORDER,
         m: 1,
         k: 128,
-        expand: true,
+        expand: 'xmd',
         hash: sha512_1.sha512,
     },
-    mapToCurve: (scalars) => {
-        throw new Error('Not supported yet');
-        // const { x, y } = calcElligatorRistrettoMap(scalars[0]).toAffine();
-        // return { x, y };
-    },
+    mapToCurve: (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]),
 };
 exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF);
 function ed25519_domain(data, ctx, phflag) {

package/lib/ed448.js

@@ -48,13 +48,87 @@ function adjustScalarBytes(bytes) {
     bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
     return bytes;
 }
+const Fp = (0, modular_js_1.Fp)(ed448P, 456, true);
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.square(u); // 1.  tv1 = u^2
+    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.square(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
     // -39081. Negative number is P - number
     d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
     // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
-    Fp: (0, modular_js_1.Fp)(ed448P, 456),
+    Fp,
     // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
     n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
     nBitLength: 456,
@@ -94,6 +168,15 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: (0, modular_js_1.mod)(x2 * v, P) === u, value: x };
     },
+    htfDefaults: {
+        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+        p: Fp.ORDER,
+        m: 1,
+        k: 224,
+        expand: 'xof',
+        hash: sha3_1.shake256,
+    },
+    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 exports.ed448 = (0, edwards_js_1.twistedEdwards)(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default

package/lib/esm/abstract/hash-to-curve.js

@@ -10,7 +10,7 @@ export function validateHTFOpts(opts) {
         throw new Error('Invalid htf/m');
     if (typeof opts.k !== 'number')
         throw new Error('Invalid htf/k');
-    if (typeof opts.expand !== 'boolean')
+    if (opts.expand !== 'xmd' && opts.expand !== 'xof' && opts.expand !== undefined)
         throw new Error('Invalid htf/expand');
     if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
         throw new Error('Invalid htf/hash function');
@@ -75,13 +75,31 @@ export function expand_message_xmd(msg, DST, lenInBytes, H) {
     const pseudo_random_bytes = concatBytes(...b);
     return pseudo_random_bytes.slice(0, lenInBytes);
 }
-// hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
-// Inputs:
-// msg - a byte string containing the message to hash.
-// count - the number of elements of F to output.
-// Outputs:
-// [u_0, ..., u_(count - 1)], a list of field elements.
+export function expand_message_xof(msg, DST, lenInBytes, k, H) {
+    // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-5.3.3
+    // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
+    if (DST.length > 255) {
+        const dkLen = Math.ceil((2 * k) / 8);
+        DST = H.create({ dkLen }).update(stringToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
+    }
+    if (lenInBytes > 65535 || DST.length > 255)
+        throw new Error('expand_message_xof: invalid lenInBytes');
+    return (H.create({ dkLen: lenInBytes })
+        .update(msg)
+        .update(i2osp(lenInBytes, 2))
+        // 2. DST_prime = DST || I2OSP(len(DST), 1)
+        .update(DST)
+        .update(i2osp(DST.length, 1))
+        .digest());
+}
+/**
+ * Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
+ * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-5.3
+ * @param msg a byte string containing the message to hash
+ * @param count the number of elements of F to output
+ * @param options `{DST: string, p: bigint, m: number, k: number, expand: 'xmd' | 'xof', hash: H}`
+ * @returns [u_0, ..., u_(count - 1)], a list of field elements.
+ */
 export function hash_to_field(msg, count, options) {
     // if options is provided but incomplete, fill any missing fields with the
     // value in hftDefaults (ie hash to G2).
@@ -90,9 +108,12 @@ export function hash_to_field(msg, count, options) {
     const len_in_bytes = count * options.m * L;
     const DST = stringToBytes(options.DST);
     let pseudo_random_bytes = msg;
-    if (options.expand) {
+    if (options.expand === 'xmd') {
         pseudo_random_bytes = expand_message_xmd(msg, DST, len_in_bytes, options.hash);
     }
+    else if (options.expand === 'xof') {
+        pseudo_random_bytes = expand_message_xof(msg, DST, len_in_bytes, options.k, options.hash);
+    }
     const u = new Array(count);
     for (let i = 0; i < count; i++) {
         const e = new Array(options.m);

package/lib/esm/abstract/modular.js

@@ -1,10 +1,11 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// TODO: remove circular imports
 import * as utils from './utils.js';
 // Utilities for modular arithmetics and finite fields
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 // prettier-ignore
-const _4n = BigInt(4), _5n = BigInt(5), _7n = BigInt(7), _8n = BigInt(8);
+const _4n = BigInt(4), _5n = BigInt(5), _8n = BigInt(8);
 // prettier-ignore
 const _9n = BigInt(9), _16n = BigInt(16);
 // Calculates a modulo b
@@ -66,25 +67,66 @@ export function invert(number, modulo) {
         throw new Error('invert: does not exist');
     return mod(x, modulo);
 }
-/**
- * Calculates Legendre symbol (a | p), which denotes the value of a^((p-1)/2) (mod p).
- * * (a | p) ≡ 1    if a is a square (mod p)
- * * (a | p) ≡ -1   if a is not a square (mod p)
- * * (a | p) ≡ 0    if a ≡ 0 (mod p)
- */
-export function legendre(num, fieldPrime) {
-    return pow(num, (fieldPrime - _1n) / _2n, fieldPrime);
+// Tonelli-Shanks algorithm
+// https://eprint.iacr.org/2012/685.pdf (page 12)
+export function tonelliShanks(P) {
+    // Legendre constant: used to calculate Legendre symbol (a | p),
+    // which denotes the value of a^((p-1)/2) (mod p).
+    // (a | p) ≡ 1    if a is a square (mod p)
+    // (a | p) ≡ -1   if a is not a square (mod p)
+    // (a | p) ≡ 0    if a ≡ 0 (mod p)
+    const legendreC = (P - _1n) / _2n;
+    let Q, S, Z;
+    // Step 1: By factoring out powers of 2 from p - 1,
+    // find q and s such that p - 1 = q2s with q odd
+    for (Q = P - _1n, S = 0; Q % _2n === _0n; Q /= _2n, S++)
+        ;
+    // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
+    for (Z = _2n; Z < P && pow(Z, legendreC, P) !== P - _1n; Z++)
+        ;
+    // Fast-path
+    if (S === 1) {
+        const p1div4 = (P + _1n) / _4n;
+        return function tonelliFast(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
+    }
+    // Slow-path
+    const Q1div2 = (Q + _1n) / _2n;
+    return function tonelliSlow(Fp, n) {
+        // Step 0: Check that n is indeed a square: (n | p) must be ≡ 1
+        if (Fp.pow(n, legendreC) !== Fp.ONE)
+            throw new Error('Cannot find square root');
+        let s = S;
+        let c = pow(Z, Q, P);
+        let r = Fp.pow(n, Q1div2);
+        let t = Fp.pow(n, Q);
+        let t2 = Fp.ZERO;
+        while (!Fp.equals(Fp.sub(t, Fp.ONE), Fp.ZERO)) {
+            t2 = Fp.square(t);
+            let i;
+            for (i = 1; i < s; i++) {
+                // stop if t2-1 == 0
+                if (Fp.equals(Fp.sub(t2, Fp.ONE), Fp.ZERO))
+                    break;
+                // t2 *= t2
+                t2 = Fp.square(t2);
+            }
+            let b = pow(c, BigInt(1 << (s - i - 1)), P);
+            r = Fp.mul(r, b);
+            c = mod(b * b, P);
+            t = Fp.mul(t, c);
+            s = i;
+        }
+        return r;
+    };
 }
-/**
- * Calculates square root of a number in a finite field.
- * √a mod P
- */
-// TODO: rewrite as generic Fp function && remove bls versions
-export function sqrt(number, modulo) {
-    // prettier-ignore
-    const n = number;
-    const P = modulo;
-    const p1div4 = (P + _1n) / _4n;
+export function FpSqrt(P) {
+    // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
+    // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
     // P ≡ 3 (mod 4)
     // √n = n^((P+1)/4)
     if (P % _4n === _3n) {
@@ -92,50 +134,53 @@ export function sqrt(number, modulo) {
         // const ORDER =
         //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
         // const NUM = 72057594037927816n;
-        // TODO: fix sqrtMod in secp256k1
-        const root = pow(n, p1div4, P);
-        if (mod(root * root, modulo) !== number)
-            throw new Error('Cannot find square root');
-        return root;
+        const p1div4 = (P + _1n) / _4n;
+        return function sqrt3mod4(Fp, n) {
+            const root = Fp.pow(n, p1div4);
+            // Throw if root**2 != n
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
     }
-    // P ≡ 5 (mod 8)
+    // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
     if (P % _8n === _5n) {
-        const n2 = mod(n * _2n, P);
-        const v = pow(n2, (P - _5n) / _8n, P);
-        const nv = mod(n * v, P);
-        const i = mod(_2n * nv * v, P);
-        const r = mod(nv * (i - _1n), P);
-        return r;
+        const c1 = (P - _5n) / _8n;
+        return function sqrt5mod8(Fp, n) {
+            const n2 = Fp.mul(n, _2n);
+            const v = Fp.pow(n2, c1);
+            const nv = Fp.mul(n, v);
+            const i = Fp.mul(Fp.mul(nv, _2n), v);
+            const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+            if (!Fp.equals(Fp.square(root), n))
+                throw new Error('Cannot find square root');
+            return root;
+        };
     }
-    // Other cases: Tonelli-Shanks algorithm
-    if (legendre(n, P) !== _1n)
-        throw new Error('Cannot find square root');
-    let q, s, z;
-    for (q = P - _1n, s = 0; q % _2n === _0n; q /= _2n, s++)
-        ;
-    if (s === 1)
-        return pow(n, p1div4, P);
-    for (z = _2n; z < P && legendre(z, P) !== P - _1n; z++)
-        ;
-    let c = pow(z, q, P);
-    let r = pow(n, (q + _1n) / _2n, P);
-    let t = pow(n, q, P);
-    let t2 = _0n;
-    while (mod(t - _1n, P) !== _0n) {
-        t2 = mod(t * t, P);
-        let i;
-        for (i = 1; i < s; i++) {
-            if (mod(t2 - _1n, P) === _0n)
-                break;
-            t2 = mod(t2 * t2, P);
-        }
-        let b = pow(c, BigInt(1 << (s - i - 1)), P);
-        r = mod(r * b, P);
-        c = mod(b * b, P);
-        t = mod(t * c, P);
-        s = i;
+    // P ≡ 9 (mod 16)
+    if (P % _16n === _9n) {
+        // NOTE: tonelli is too slow for bls-Fp2 calculations even on start
+        // Means we cannot use sqrt for constants at all!
+        //
+        // const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+        // const c2 = Fp.sqrt(c1);                //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+        // const c3 = Fp.sqrt(Fp.negate(c1));     //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+        // const c4 = (P + _7n) / _16n;           //  4. c4 = (q + 7) / 16        # Integer arithmetic
+        // sqrt = (x) => {
+        //   let tv1 = Fp.pow(x, c4);             //  1. tv1 = x^c4
+        //   let tv2 = Fp.mul(c1, tv1);           //  2. tv2 = c1 * tv1
+        //   const tv3 = Fp.mul(c2, tv1);         //  3. tv3 = c2 * tv1
+        //   let tv4 = Fp.mul(c3, tv1);           //  4. tv4 = c3 * tv1
+        //   const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
+        //   const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
+        //   tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+        //   tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+        //   const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
+        //   return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
+        // }
     }
-    return r;
+    // Other cases: Tonelli-Shanks algorithm
+    return tonelliShanks(P);
 }
 // Little-endian check for first LE bit (last BE bit);
 export const isNegativeLE = (num, modulo) => (mod(num, modulo) & _1n) === _1n;
@@ -202,17 +247,21 @@ export function FpInvertBatch(f, nums) {
 export function FpDiv(f, lhs, rhs) {
     return f.mul(lhs, typeof rhs === 'bigint' ? invert(rhs, f.ORDER) : f.invert(rhs));
 }
-// NOTE: very fragile, always bench. Major performance points:
-// - NonNormalized ops
-// - Object.freeze
-// - same shape of object (don't add/remove keys)
+// This function returns True whenever the value x is a square in the field F.
+export function FpIsSquare(f) {
+    const legendreConst = (f.ORDER - _1n) / _2n; // Integer arithmetic
+    return (x) => {
+        const p = f.pow(x, legendreConst);
+        return f.equals(p, f.ZERO) || f.equals(p, f.ONE);
+    };
+}
 export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     if (ORDER <= _0n)
         throw new Error(`Expected Fp ORDER > 0, got ${ORDER}`);
     const { nBitLength: BITS, nByteLength: BYTES } = utils.nLength(ORDER, bitLen);
     if (BYTES > 2048)
         throw new Error('Field lengths over 2048 bytes are not supported');
-    const sqrtP = (num) => sqrt(num, ORDER);
+    const sqrtP = FpSqrt(ORDER);
     const f = Object.freeze({
         ORDER,
         BITS,
@@ -242,7 +291,7 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
         invert: (num) => invert(num, ORDER),
-        sqrt: redef.sqrt || sqrtP,
+        sqrt: redef.sqrt || ((n) => sqrtP(f, n)),
         invertBatch: (lst) => FpInvertBatch(f, lst),
         // TODO: do we really need constant cmov?
         // We don't have const-time bigints anyway, so probably will be not very useful
@@ -256,87 +305,15 @@ export function Fp(ORDER, bitLen, isLE = false, redef = {}) {
     });
     return Object.freeze(f);
 }
-// TODO: re-use in bls/generic sqrt for field/etc?
-// Something like sqrtUnsafe which always returns value, but sqrt throws exception if non-square
-// From draft-irtf-cfrg-hash-to-curve-16
-export function FpSqrt(Fp) {
-    // NOTE: it requires another sqrt for constant precomputes, but no need for roots of unity,
-    // probably we can simply bls code using it
-    const q = Fp.ORDER;
-    const squareConst = (q - _1n) / _2n;
-    // is_square(x) := { True,  if x^((q - 1) / 2) is 0 or 1 in F;
-    //                 { False, otherwise.
-    let isSquare = (x) => {
-        const p = Fp.pow(x, squareConst);
-        return Fp.equals(p, Fp.ZERO) || Fp.equals(p, Fp.ONE);
-    };
-    // Constant-time Tonelli-Shanks algorithm
-    let l = _0n;
-    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
-        l += _1n;
-    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-    const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
-    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-    //  4. c4, a non-square value in F
-    //  5. c5 = c4^c2 in F
-    let c4 = Fp.ONE;
-    while (isSquare(c4))
-        c4 = Fp.add(c4, Fp.ONE);
-    const c5 = Fp.pow(c4, c2);
-    let sqrt = (x) => {
-        let z = Fp.pow(x, c3); // 1.  z = x^c3
-        let t = Fp.square(z); // 2.  t = z * z
-        t = Fp.mul(t, x); // 3.  t = t * x
-        z = Fp.mul(z, x); // 4.  z = z * x
-        let b = t; // 5.  b = t
-        let c = c5; // 6.  c = c5
-        // 7.  for i in (c1, c1 - 1, ..., 2):
-        for (let i = c1; i > 1; i--) {
-            // 8.    for j in (1, 2, ..., i - 2):
-            // 9.      b = b * b
-            for (let j = _1n; j < i - _1n; i++)
-                b = Fp.square(b);
-            const e = Fp.equals(b, Fp.ONE); // 10.   e = b == 1
-            const zt = Fp.mul(z, c); // 11.   zt = z * c
-            z = Fp.cmov(zt, z, e); // 12.   z = CMOV(zt, z, e)
-            c = Fp.square(c); // 13.   c = c * c
-            let tt = Fp.mul(t, c); // 14.   tt = t * c
-            t = Fp.cmov(tt, t, e); // 15.   t = CMOV(tt, t, e)
-            b = t; // 16.   b = t
-        }
-        return z; // 17. return z
-    };
-    if (q % _4n === _3n) {
-        const c1 = (q + _1n) / _4n; // 1. c1 = (q + 1) / 4     # Integer arithmetic
-        sqrt = (x) => Fp.pow(x, c1);
-    }
-    else if (q % _8n === _5n) {
-        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-        const c2 = (q + _3n) / _8n; //  2. c2 = (q + 3) / 8     # Integer arithmetic
-        sqrt = (x) => {
-            let tv1 = Fp.pow(x, c2); //  1. tv1 = x^c2
-            let tv2 = Fp.mul(tv1, c1); //  2. tv2 = tv1 * c1
-            let e = Fp.equals(Fp.square(tv1), x); //  3.   e = (tv1^2) == x
-            return Fp.cmov(tv2, tv1, e); //  4.   z = CMOV(tv2, tv1, e)
-        };
-    }
-    else if (Fp.ORDER % _16n === _9n) {
-        const c1 = Fp.sqrt(Fp.negate(Fp.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
-        const c2 = Fp.sqrt(c1); //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
-        const c3 = Fp.sqrt(Fp.negate(c1)); //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
-        const c4 = (Fp.ORDER + _7n) / _16n; //  4. c4 = (q + 7) / 16         # Integer arithmetic
-        sqrt = (x) => {
-            let tv1 = Fp.pow(x, c4); //  1. tv1 = x^c4
-            let tv2 = Fp.mul(c1, tv1); //  2. tv2 = c1 * tv1
-            const tv3 = Fp.mul(c2, tv1); //  3. tv3 = c2 * tv1
-            let tv4 = Fp.mul(c3, tv1); //  4. tv4 = c3 * tv1
-            const e1 = Fp.equals(Fp.square(tv2), x); //  5.  e1 = (tv2^2) == x
-            const e2 = Fp.equals(Fp.square(tv3), x); //  6.  e2 = (tv3^2) == x
-            tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
-            tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
-            const e3 = Fp.equals(Fp.square(tv2), x); //  9.  e3 = (tv2^2) == x
-            return Fp.cmov(tv1, tv2, e3); //  10.  z = CMOV(tv1, tv2, e3)  # Select the sqrt from tv1 and tv2
-        };
-    }
-    return { sqrt, isSquare };
+export function FpSqrtOdd(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? root : Fp.negate(root);
+}
+export function FpSqrtEven(Fp, elm) {
+    if (!Fp.isOdd)
+        throw new Error(`Field doesn't have isOdd`);
+    const root = Fp.sqrt(elm);
+    return Fp.isOdd(root) ? Fp.negate(root) : root;
 }

package/lib/esm/bls12-381.js

@@ -815,7 +815,7 @@ const htfDefaults = {
     k: 128,
     // option to use a message that has already been processed by
     // expand_message_xmd
-    expand: true,
+    expand: 'xmd',
     // Hash functions for: expand_message_xmd is appropriate for use with a
     // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
     // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247