@noble/curves 0.5.0 → 0.5.2

package/lib/bls12-381.d.ts

@@ -1,6 +1,7 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { CurveFn } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
-declare const Fp: Readonly<mod.Field<bigint>>;
+declare const Fp: Readonly<mod.Field<bigint> & Required<Pick<mod.Field<bigint>, "isOdd">>>;
 declare type Fp = bigint;
 declare type BigintTuple = [bigint, bigint];
 declare type Fp2 = {

package/lib/bls12-381.js

@@ -1,7 +1,17 @@
 "use strict";
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bls12_381 = void 0;
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// The pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to:
+// - Construct zk-SNARKs at the 128-bit security
+// - Use threshold signatures, which allows a user to sign lots of messages with one signature and verify them swiftly in a batch, using Boneh-Lynn-Shacham signature scheme.
+// Differences from @noble/bls12-381 1.4:
+// - PointG1 -> G1.Point
+// - PointG2 -> G2.Point
+// - PointG2.fromSignature -> Signature.decode
+// - PointG2.toSignature ->  Signature.encode
+// - Fixed Fp2 ORDER
+// - Points now have only two coordinates
 const sha256_1 = require("@noble/hashes/sha256");
 const utils_1 = require("@noble/hashes/utils");
 const bls_js_1 = require("./abstract/bls.js");
@@ -10,13 +20,6 @@ const utils_js_1 = require("./abstract/utils.js");
 // Types
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js");
-// Differences from bls12-381:
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// Points now have only two coordinates
 // CURVE FIELDS
 // Finite field over p.
 const Fp = mod.Fp(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn);
@@ -100,6 +103,8 @@ const Fp2 = {
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
+        if (Fp2.equals(num, Fp2.ZERO))
+            return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
         // https://eprint.iacr.org/2012/685.pdf applicable?
@@ -818,7 +823,7 @@ const htfDefaults = {
     k: 128,
     // option to use a message that has already been processed by
     // expand_message_xmd
-    expand: true,
+    expand: 'xmd',
     // Hash functions for: expand_message_xmd is appropriate for use with a
     // wide range of hash functions, including SHA-2, SHA-3, BLAKE2, and others.
     // BBS+ uses blake2: https://github.com/hyperledger/aries-framework-go/issues/2247

package/lib/ed25519.js

@@ -81,7 +81,74 @@ exports.ED25519_TORSION_SUBGROUP = [
     '0000000000000000000000000000000000000000000000000000000000000000',
     'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
-const Fp = (0, modular_js_1.Fp)(ED25519_P);
+const Fp = (0, modular_js_1.Fp)(ED25519_P, undefined, true);
+// Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
+// NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
+// SageMath returns different root first and everything falls apart
+const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
+const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
+const ELL2_C3 = Fp.sqrt(Fp.negate(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
+const ELL2_J = BigInt(486662);
+// prettier-ignore
+function map_to_curve_elligator2_curve25519(u) {
+    let tv1 = Fp.square(u); //  1.  tv1 = u^2
+    tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
+    let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
+    let x1n = Fp.negate(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.square(xd); //  5.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
+    let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.square(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.square(tv3); //  12. tv2 = tv3^2           # gxd^4
+    tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
+    tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
+    tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
+    let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
+    y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
+    let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
+    tv2 = Fp.square(y11); //  19. tv2 = y11^2
+    tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
+    let e1 = Fp.equals(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
+    let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
+    let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
+    y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
+    let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
+    let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
+    tv2 = Fp.square(y21); //  28. tv2 = y21^2
+    tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
+    let e2 = Fp.equals(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
+    tv2 = Fp.square(y1); //  32. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
+    let e3 = Fp.equals(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
+    let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.negate(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
+}
+const ELL2_C1_EDWARDS = (0, modular_js_1.FpSqrtEven)(Fp, Fp.negate(BigInt(486664))); // sgn0(c1) MUST equal 0
+function map_to_curve_elligator2_edwards25519(u) {
+    const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
+    let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
+    xn = Fp.mul(xn, ELL2_C1_EDWARDS); //  3.  xn = xn * c1
+    let xd = Fp.mul(xMd, yMn); //  4.  xd = xMd * yMn    # xn / xd = c1 * xM / yM
+    let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
+    let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
+    let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
+    let e = Fp.equals(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
+    xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
+    yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
+    yd = Fp.cmov(yd, Fp.ONE, e); //  12. yd = CMOV(yd, 1, e)
+    const inv = Fp.invertBatch([xd, yd]); // batch division
+    return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
+}
 const ED25519_DEF = {
     // Param: a
     a: BigInt(-1),
@@ -110,14 +177,10 @@ const ED25519_DEF = {
         p: Fp.ORDER,
         m: 1,
         k: 128,
-        expand: true,
+        expand: 'xmd',
         hash: sha512_1.sha512,
     },
-    mapToCurve: (scalars) => {
-        throw new Error('Not supported yet');
-        // const { x, y } = calcElligatorRistrettoMap(scalars[0]).toAffine();
-        // return { x, y };
-    },
+    mapToCurve: (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]),
 };
 exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF);
 function ed25519_domain(data, ctx, phflag) {
@@ -162,13 +225,13 @@ const D_MINUS_ONE_SQ = BigInt('4044083434630853685810104246932319082624839914623
 // Calculates 1/√(number)
 const invertSqrt = (number) => uvRatio(_1n, number);
 const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const bytes255ToNumberLE = (bytes) => exports.ed25519.utils.mod((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B);
+const bytes255ToNumberLE = (bytes) => exports.ed25519.CURVE.Fp.create((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B);
 // Computes Elligator map for Ristretto
 // https://ristretto.group/formulas/elligator.html
 function calcElligatorRistrettoMap(r0) {
     const { d } = exports.ed25519.CURVE;
     const P = exports.ed25519.CURVE.Fp.ORDER;
-    const { mod } = exports.ed25519.utils;
+    const mod = exports.ed25519.CURVE.Fp.create;
     const r = mod(SQRT_M1 * r0 * r0); // 1
     const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
     let c = BigInt(-1); // 3
@@ -226,7 +289,7 @@ class RistrettoPoint {
         hex = (0, utils_js_1.ensureBytes)(hex, 32);
         const { a, d } = exports.ed25519.CURVE;
         const P = exports.ed25519.CURVE.Fp.ORDER;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
         const s = bytes255ToNumberLE(hex);
         // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
@@ -258,7 +321,7 @@ class RistrettoPoint {
     toRawBytes() {
         let { x, y, z, t } = this.ep;
         const P = exports.ed25519.CURVE.Fp.ORDER;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         const u1 = mod(mod(z + y) * mod(z - y)); // 1
         const u2 = mod(x * y); // 2
         // Square root always exists
@@ -296,7 +359,7 @@ class RistrettoPoint {
         assertRstPoint(other);
         const a = this.ep;
         const b = other.ep;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
         const one = mod(a.x * b.y) === mod(a.y * b.x);
         const two = mod(a.y * b.y) === mod(a.x * b.x);

package/lib/ed448.js

@@ -48,14 +48,89 @@ function adjustScalarBytes(bytes) {
     bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
     return bytes;
 }
+const Fp = (0, modular_js_1.Fp)(ed448P, 456, true);
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.square(u); // 1.  tv1 = u^2
+    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.square(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
     // -39081. Negative number is P - number
     d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
     // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
-    Fp: (0, modular_js_1.Fp)(ed448P, 456),
-    // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    Fp,
+    // Subgroup order: how many points curve has;
+    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
     n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
     nBitLength: 456,
     // Cofactor
@@ -94,6 +169,15 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: (0, modular_js_1.mod)(x2 * v, P) === u, value: x };
     },
+    htfDefaults: {
+        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+        p: Fp.ORDER,
+        m: 1,
+        k: 224,
+        expand: 'xof',
+        hash: sha3_1.shake256,
+    },
+    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 exports.ed448 = (0, edwards_js_1.twistedEdwards)(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default

package/lib/esm/abstract/bls.js

@@ -1,21 +1,11 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
-// NOTE: only 12 supported for now
-// Constructed from pair of weierstrass curves, based pairing logic
-import * as mod from './modular.js';
-import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from './utils.js';
-// Types
-import { hexToBytes, bytesToHex } from './utils.js';
-import { stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
+import * as ut from './utils.js';
+import { stringToBytes, hash_to_field as hashToField, expand_message_xmd as expandMessageXMD, } from './hash-to-curve.js';
 import { weierstrassPoints } from './weierstrass.js';
 export function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
-    const Fp = CURVE.Fp;
-    const Fr = CURVE.Fr;
-    const Fp2 = CURVE.Fp2;
-    const Fp6 = CURVE.Fp6;
-    const Fp12 = CURVE.Fp12;
-    const BLS_X_LEN = bitLen(CURVE.x);
+    const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
+    const BLS_X_LEN = ut.bitLen(CURVE.x);
+    const groupLen = 32; // TODO: calculate; hardcoded for now
     // Pre-compute coefficients for sparse multiplication
     // Point addition and point double calculations is reused for coefficients
     function calcPairingPrecomputes(x, y) {
@@ -39,7 +29,7 @@ export function bls(CURVE) {
             Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
             Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
             Rz = Fp2.mul(t0, t4); // T0 * T4
-            if (bitGet(CURVE.x, i)) {
+            if (ut.bitGet(CURVE.x, i)) {
                 // Addition
                 let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
                 let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
@@ -60,13 +50,14 @@ export function bls(CURVE) {
         return ell_coeff;
     }
     function millerLoop(ell, g1) {
+        const { x } = CURVE;
         const Px = g1[0];
         const Py = g1[1];
         let f12 = Fp12.ONE;
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
             f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
-            if (bitGet(CURVE.x, i)) {
+            if (ut.bitGet(x, i)) {
                 j += 1;
                 const F = ell[j];
                 f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
@@ -76,79 +67,25 @@ export function bls(CURVE) {
         }
         return Fp12.conjugate(f12);
     }
-    // bls12-381 is a construction of two curves:
-    // 1. Fp: (x, y)
-    // 2. Fp₂: ((x₁, x₂+i), (y₁, y₂+i)) - (complex numbers)
-    //
-    // Bilinear Pairing (ate pairing) is used to combine both elements into a paired one:
-    //   Fp₁₂ = e(Fp, Fp2)
-    //   where Fp₁₂ = 12-degree polynomial
-    // Pairing is used to verify signatures.
-    //
-    // We are using Fp for private keys (shorter) and Fp2 for signatures (longer).
-    // Some projects may prefer to swap this relation, it is not supported for now.
-    const htfDefaults = { ...CURVE.htfDefaults };
-    function isWithinCurveOrder(num) {
-        return 0 < num && num < CURVE.r;
-    }
     const utils = {
-        hexToBytes: hexToBytes,
-        bytesToHex: bytesToHex,
-        mod: mod.mod,
-        stringToBytes,
+        hexToBytes: ut.hexToBytes,
+        bytesToHex: ut.bytesToHex,
+        stringToBytes: stringToBytes,
         // TODO: do we need to export it here?
-        hashToField: (msg, count, options = {}) => hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
-        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expand_message_xmd(msg, DST, lenInBytes, H),
-        /**
-         * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
-         * and convert them into private key, with the modulo bias being negligible.
-         * As per FIPS 186 B.1.1.
-         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-         * @param hash hash output from sha512, or a similar function
-         * @returns valid private key
-         */
-        hashToPrivateKey: (hash) => {
-            hash = ensureBytes(hash);
-            if (hash.length < 40 || hash.length > 1024)
-                throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
-            //     hashToPrivateScalar(hash, CURVE.r)
-            // NOTE: doesn't add +/-1
-            const num = mod.mod(bytesToNumberBE(hash), CURVE.r);
-            // This should never happen
-            if (num === 0n || num === 1n)
-                throw new Error('Invalid private key');
-            return numberToBytesBE(num, 32);
-        },
-        randomBytes: (bytesLength = 32) => CURVE.randomBytes(bytesLength),
-        // NIST SP 800-56A rev 3, section 5.6.1.2.2
-        // https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(40)),
-        getDSTLabel: () => htfDefaults.DST,
+        hashToField: (msg, count, options = {}) => hashToField(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expandMessageXMD(msg, DST, lenInBytes, H),
+        hashToPrivateKey: (hash) => Fr.toBytes(ut.hashToPrivateScalar(hash, CURVE.r)),
+        randomBytes: (bytesLength = groupLen) => CURVE.randomBytes(bytesLength),
+        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(groupLen + 8)),
+        getDSTLabel: () => CURVE.htfDefaults.DST,
         setDSTLabel(newLabel) {
             // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
             if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
                 throw new TypeError('Invalid DST');
             }
-            htfDefaults.DST = newLabel;
+            CURVE.htfDefaults.DST = newLabel;
         },
     };
-    function normalizePrivKey(key) {
-        let int;
-        if (key instanceof Uint8Array && key.length === 32)
-            int = bytesToNumberBE(key);
-        else if (typeof key === 'string' && key.length === 64)
-            int = BigInt(`0x${key}`);
-        else if (typeof key === 'number' && key > 0 && Number.isSafeInteger(key))
-            int = BigInt(key);
-        else if (typeof key === 'bigint' && key > 0n)
-            int = key;
-        else
-            throw new TypeError('Expected valid private key');
-        int = mod.mod(int, CURVE.r);
-        if (!isWithinCurveOrder(int))
-            throw new Error('Private key must be 0 < key < CURVE.r');
-        return int;
-    }
     // Point on G1 curve: (x, y)
     const G1 = weierstrassPoints({
         n: Fr.ORDER,
@@ -202,7 +139,7 @@ export function bls(CURVE) {
     function sign(message, privateKey) {
         const msgPoint = normP2Hash(message);
         msgPoint.assertValidity();
-        const sigPoint = msgPoint.multiply(normalizePrivKey(privateKey));
+        const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
         if (message instanceof G2.Point)
             return sigPoint;
         return Signature.encode(sigPoint);