@noble/curves 0.5.1 → 0.5.2

package/lib/bls12-381.d.ts

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { CurveFn } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
 declare const Fp: Readonly<mod.Field<bigint> & Required<Pick<mod.Field<bigint>, "isOdd">>>;

package/lib/bls12-381.js

@@ -1,7 +1,17 @@
 "use strict";
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bls12_381 = void 0;
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// The pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to:
+// - Construct zk-SNARKs at the 128-bit security
+// - Use threshold signatures, which allows a user to sign lots of messages with one signature and verify them swiftly in a batch, using Boneh-Lynn-Shacham signature scheme.
+// Differences from @noble/bls12-381 1.4:
+// - PointG1 -> G1.Point
+// - PointG2 -> G2.Point
+// - PointG2.fromSignature -> Signature.decode
+// - PointG2.toSignature ->  Signature.encode
+// - Fixed Fp2 ORDER
+// - Points now have only two coordinates
 const sha256_1 = require("@noble/hashes/sha256");
 const utils_1 = require("@noble/hashes/utils");
 const bls_js_1 = require("./abstract/bls.js");
@@ -10,13 +20,6 @@ const utils_js_1 = require("./abstract/utils.js");
 // Types
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js");
-// Differences from bls12-381:
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// Points now have only two coordinates
 // CURVE FIELDS
 // Finite field over p.
 const Fp = mod.Fp(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn);
@@ -100,6 +103,8 @@ const Fp2 = {
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
+        if (Fp2.equals(num, Fp2.ZERO))
+            return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
         // https://eprint.iacr.org/2012/685.pdf applicable?

package/lib/ed25519.js

@@ -225,13 +225,13 @@ const D_MINUS_ONE_SQ = BigInt('4044083434630853685810104246932319082624839914623
 // Calculates 1/√(number)
 const invertSqrt = (number) => uvRatio(_1n, number);
 const MAX_255B = BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const bytes255ToNumberLE = (bytes) => exports.ed25519.utils.mod((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B);
+const bytes255ToNumberLE = (bytes) => exports.ed25519.CURVE.Fp.create((0, utils_js_1.bytesToNumberLE)(bytes) & MAX_255B);
 // Computes Elligator map for Ristretto
 // https://ristretto.group/formulas/elligator.html
 function calcElligatorRistrettoMap(r0) {
     const { d } = exports.ed25519.CURVE;
     const P = exports.ed25519.CURVE.Fp.ORDER;
-    const { mod } = exports.ed25519.utils;
+    const mod = exports.ed25519.CURVE.Fp.create;
     const r = mod(SQRT_M1 * r0 * r0); // 1
     const Ns = mod((r + _1n) * ONE_MINUS_D_SQ); // 2
     let c = BigInt(-1); // 3
@@ -289,7 +289,7 @@ class RistrettoPoint {
         hex = (0, utils_js_1.ensureBytes)(hex, 32);
         const { a, d } = exports.ed25519.CURVE;
         const P = exports.ed25519.CURVE.Fp.ORDER;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         const emsg = 'RistrettoPoint.fromHex: the hex is not valid encoding of RistrettoPoint';
         const s = bytes255ToNumberLE(hex);
         // 1. Check that s_bytes is the canonical encoding of a field element, or else abort.
@@ -321,7 +321,7 @@ class RistrettoPoint {
     toRawBytes() {
         let { x, y, z, t } = this.ep;
         const P = exports.ed25519.CURVE.Fp.ORDER;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         const u1 = mod(mod(z + y) * mod(z - y)); // 1
         const u2 = mod(x * y); // 2
         // Square root always exists
@@ -359,7 +359,7 @@ class RistrettoPoint {
         assertRstPoint(other);
         const a = this.ep;
         const b = other.ep;
-        const { mod } = exports.ed25519.utils;
+        const mod = exports.ed25519.CURVE.Fp.create;
         // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
         const one = mod(a.x * b.y) === mod(a.y * b.x);
         const two = mod(a.y * b.y) === mod(a.x * b.x);

package/lib/ed448.js

@@ -129,7 +129,8 @@ const ED448_DEF = {
     d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
     // Finite field 𝔽p over which we'll do calculations; 2n ** 448n - 2n ** 224n - 1n
     Fp,
-    // Subgroup order: how many points ed448 has; 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+    // Subgroup order: how many points curve has;
+    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
     n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
     nBitLength: 456,
     // Cofactor

package/lib/esm/abstract/bls.js

@@ -1,21 +1,11 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Barreto-Lynn-Scott Curves. A family of pairing friendly curves, with embedding degree = 12 or 24
-// NOTE: only 12 supported for now
-// Constructed from pair of weierstrass curves, based pairing logic
-import * as mod from './modular.js';
-import { ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitGet } from './utils.js';
-// Types
-import { hexToBytes, bytesToHex } from './utils.js';
-import { stringToBytes, hash_to_field, expand_message_xmd } from './hash-to-curve.js';
+import * as ut from './utils.js';
+import { stringToBytes, hash_to_field as hashToField, expand_message_xmd as expandMessageXMD, } from './hash-to-curve.js';
 import { weierstrassPoints } from './weierstrass.js';
 export function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
-    const Fp = CURVE.Fp;
-    const Fr = CURVE.Fr;
-    const Fp2 = CURVE.Fp2;
-    const Fp6 = CURVE.Fp6;
-    const Fp12 = CURVE.Fp12;
-    const BLS_X_LEN = bitLen(CURVE.x);
+    const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
+    const BLS_X_LEN = ut.bitLen(CURVE.x);
+    const groupLen = 32; // TODO: calculate; hardcoded for now
     // Pre-compute coefficients for sparse multiplication
     // Point addition and point double calculations is reused for coefficients
     function calcPairingPrecomputes(x, y) {
@@ -39,7 +29,7 @@ export function bls(CURVE) {
             Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
             Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
             Rz = Fp2.mul(t0, t4); // T0 * T4
-            if (bitGet(CURVE.x, i)) {
+            if (ut.bitGet(CURVE.x, i)) {
                 // Addition
                 let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
                 let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
@@ -60,13 +50,14 @@ export function bls(CURVE) {
         return ell_coeff;
     }
     function millerLoop(ell, g1) {
+        const { x } = CURVE;
         const Px = g1[0];
         const Py = g1[1];
         let f12 = Fp12.ONE;
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
             f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
-            if (bitGet(CURVE.x, i)) {
+            if (ut.bitGet(x, i)) {
                 j += 1;
                 const F = ell[j];
                 f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
@@ -76,79 +67,25 @@ export function bls(CURVE) {
         }
         return Fp12.conjugate(f12);
     }
-    // bls12-381 is a construction of two curves:
-    // 1. Fp: (x, y)
-    // 2. Fp₂: ((x₁, x₂+i), (y₁, y₂+i)) - (complex numbers)
-    //
-    // Bilinear Pairing (ate pairing) is used to combine both elements into a paired one:
-    //   Fp₁₂ = e(Fp, Fp2)
-    //   where Fp₁₂ = 12-degree polynomial
-    // Pairing is used to verify signatures.
-    //
-    // We are using Fp for private keys (shorter) and Fp2 for signatures (longer).
-    // Some projects may prefer to swap this relation, it is not supported for now.
-    const htfDefaults = { ...CURVE.htfDefaults };
-    function isWithinCurveOrder(num) {
-        return 0 < num && num < CURVE.r;
-    }
     const utils = {
-        hexToBytes: hexToBytes,
-        bytesToHex: bytesToHex,
-        mod: mod.mod,
-        stringToBytes,
+        hexToBytes: ut.hexToBytes,
+        bytesToHex: ut.bytesToHex,
+        stringToBytes: stringToBytes,
         // TODO: do we need to export it here?
-        hashToField: (msg, count, options = {}) => hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
-        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expand_message_xmd(msg, DST, lenInBytes, H),
-        /**
-         * Can take 40 or more bytes of uniform input e.g. from CSPRNG or KDF
-         * and convert them into private key, with the modulo bias being negligible.
-         * As per FIPS 186 B.1.1.
-         * https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-         * @param hash hash output from sha512, or a similar function
-         * @returns valid private key
-         */
-        hashToPrivateKey: (hash) => {
-            hash = ensureBytes(hash);
-            if (hash.length < 40 || hash.length > 1024)
-                throw new Error('Expected 40-1024 bytes of private key as per FIPS 186');
-            //     hashToPrivateScalar(hash, CURVE.r)
-            // NOTE: doesn't add +/-1
-            const num = mod.mod(bytesToNumberBE(hash), CURVE.r);
-            // This should never happen
-            if (num === 0n || num === 1n)
-                throw new Error('Invalid private key');
-            return numberToBytesBE(num, 32);
-        },
-        randomBytes: (bytesLength = 32) => CURVE.randomBytes(bytesLength),
-        // NIST SP 800-56A rev 3, section 5.6.1.2.2
-        // https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/
-        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(40)),
-        getDSTLabel: () => htfDefaults.DST,
+        hashToField: (msg, count, options = {}) => hashToField(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => expandMessageXMD(msg, DST, lenInBytes, H),
+        hashToPrivateKey: (hash) => Fr.toBytes(ut.hashToPrivateScalar(hash, CURVE.r)),
+        randomBytes: (bytesLength = groupLen) => CURVE.randomBytes(bytesLength),
+        randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(groupLen + 8)),
+        getDSTLabel: () => CURVE.htfDefaults.DST,
         setDSTLabel(newLabel) {
             // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
             if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
                 throw new TypeError('Invalid DST');
             }
-            htfDefaults.DST = newLabel;
+            CURVE.htfDefaults.DST = newLabel;
         },
     };
-    function normalizePrivKey(key) {
-        let int;
-        if (key instanceof Uint8Array && key.length === 32)
-            int = bytesToNumberBE(key);
-        else if (typeof key === 'string' && key.length === 64)
-            int = BigInt(`0x${key}`);
-        else if (typeof key === 'number' && key > 0 && Number.isSafeInteger(key))
-            int = BigInt(key);
-        else if (typeof key === 'bigint' && key > 0n)
-            int = key;
-        else
-            throw new TypeError('Expected valid private key');
-        int = mod.mod(int, CURVE.r);
-        if (!isWithinCurveOrder(int))
-            throw new Error('Private key must be 0 < key < CURVE.r');
-        return int;
-    }
     // Point on G1 curve: (x, y)
     const G1 = weierstrassPoints({
         n: Fr.ORDER,
@@ -202,7 +139,7 @@ export function bls(CURVE) {
     function sign(message, privateKey) {
         const msgPoint = normP2Hash(message);
         msgPoint.assertValidity();
-        const sigPoint = msgPoint.multiply(normalizePrivKey(privateKey));
+        const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
         if (message instanceof G2.Point)
             return sigPoint;
         return Signature.encode(sigPoint);

package/lib/esm/abstract/edwards.js

@@ -1,41 +1,36 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
 // Differences from @noble/ed25519 1.7:
-// 1. Different field element lengths in ed448:
+// 1. Variable field element lengths between EDDSA/ECDH:
 //   EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
 // 2. Different addition formula (doubling is same)
 // 3. uvRatio differs between curves (half-expected, not only pow fn changes)
-// 4. Point decompression code is different too (unexpected), now using generalized formula
+// 4. Point decompression code is different (unexpected), now using generalized formula
 // 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
 import * as mod from './modular.js';
-import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js'; // TODO: import * as u from './utils.js'?
+import * as ut from './utils.js';
+import { ensureBytes } from './utils.js';
 import { wNAF } from './group.js';
-import { hash_to_field, validateHTFOpts } from './hash-to-curve.js';
+import { hash_to_field as hashToField, validateHTFOpts } from './hash-to-curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
-// Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve) {
-    const opts = utilOpts(curve);
-    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+    const opts = ut.validateOpts(curve);
+    if (typeof opts.hash !== 'function' || !ut.isPositiveInt(opts.hash.outputLen))
         throw new Error('Invalid hash function');
     for (const i of ['a', 'd']) {
-        if (typeof opts[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
+        const val = opts[i];
+        if (typeof val !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     for (const fn of ['randomBytes']) {
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
-    for (const fn of [
-        'adjustScalarBytes',
-        'domain',
-        'uvRatio',
-        'mapToCurve',
-        'clearCofactor',
-    ]) {
+    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio', 'mapToCurve']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
@@ -51,34 +46,27 @@ export function twistedEdwards(curveDef) {
     const CURVE = validateOpts(curveDef);
     const Fp = CURVE.Fp;
     const CURVE_ORDER = CURVE.n;
-    const fieldLen = Fp.BYTES; // 32 (length of one field element)
-    if (fieldLen > 2048)
-        throw new Error('Field lengths over 2048 are not supported');
-    const groupLen = CURVE.nByteLength;
-    // (2n ** 256n).toString(16);
-    const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
+    const maxGroupElement = _2n ** BigInt(CURVE.nByteLength * 8);
     // Function overrides
     const { randomBytes } = CURVE;
     const modP = Fp.create;
     // sqrt(u/v)
-    function _uvRatio(u, v) {
-        try {
-            const value = Fp.sqrt(u * Fp.invert(v));
-            return { isValid: true, value };
-        }
-        catch (e) {
-            return { isValid: false, value: _0n };
-        }
-    }
-    const uvRatio = CURVE.uvRatio || _uvRatio;
-    const _adjustScalarBytes = (bytes) => bytes; // NOOP
-    const adjustScalarBytes = CURVE.adjustScalarBytes || _adjustScalarBytes;
-    function _domain(data, ctx, phflag) {
-        if (ctx.length || phflag)
-            throw new Error('Contexts/pre-hash are not supported');
-        return data;
-    }
-    const domain = CURVE.domain || _domain; // NOOP
+    const uvRatio = CURVE.uvRatio ||
+        ((u, v) => {
+            try {
+                return { isValid: true, value: Fp.sqrt(u * Fp.invert(v)) };
+            }
+            catch (e) {
+                return { isValid: false, value: _0n };
+            }
+        });
+    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
+    const domain = CURVE.domain ||
+        ((data, ctx, phflag) => {
+            if (ctx.length || phflag)
+                throw new Error('Contexts/pre-hash are not supported');
+            return data;
+        }); // NOOP
     /**
      * Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
      * Default Point works in affine coordinates: (x, y)
@@ -215,26 +203,28 @@ export function twistedEdwards(curveDef) {
         // Non-constant-time multiplication. Uses double-and-add algorithm.
         // It's faster, but should only be used when you don't care about
         // an exposed private key e.g. sig verification.
-        // Allows scalar bigger than curve order, but less than 2^256
         multiplyUnsafe(scalar) {
             let n = normalizeScalar(scalar, CURVE_ORDER, false);
-            const G = ExtendedPoint.BASE;
             const P0 = ExtendedPoint.ZERO;
             if (n === _0n)
                 return P0;
             if (this.equals(P0) || n === _1n)
                 return this;
-            if (this.equals(G))
+            if (this.equals(ExtendedPoint.BASE))
                 return this.wNAF(n);
             return wnaf.unsafeLadder(this, n);
         }
+        // Checks if point is of small order.
+        // If you add something to small order point, you will have "dirty"
+        // point with torsion component.
         // Multiplies point by cofactor and checks if the result is 0.
         isSmallOrder() {
             return this.multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
         }
-        // Multiplies point by a very big scalar n and checks if the result is 0.
+        // Multiplies point by curve order (very big scalar CURVE.n) and checks if the result is 0.
+        // Returns `false` is the point is dirty.
         isTorsionFree() {
-            return this.multiplyUnsafe(CURVE_ORDER).equals(ExtendedPoint.ZERO);
+            return wnaf.unsafeLadder(this, CURVE_ORDER).equals(ExtendedPoint.ZERO);
         }
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
@@ -253,18 +243,15 @@ export function twistedEdwards(curveDef) {
             return new Point(ax, ay);
         }
         clearCofactor() {
-            if (CURVE.h === _1n)
-                return this; // Fast-path
-            // clear_cofactor(P) := h_eff * P
-            // hEff = h for ed25519/ed448. Maybe worth moving to params?
-            if (CURVE.clearCofactor)
-                return CURVE.clearCofactor(ExtendedPoint, this);
-            return this.multiplyUnsafe(CURVE.h);
+            const { h: cofactor } = CURVE;
+            if (cofactor === _1n)
+                return this;
+            return this.multiplyUnsafe(cofactor);
         }
     }
     ExtendedPoint.BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     ExtendedPoint.ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
-    const wnaf = wNAF(ExtendedPoint, groupLen * 8);
+    const wnaf = wNAF(ExtendedPoint, CURVE.nByteLength * 8);
     function assertExtPoint(other) {
         if (!(other instanceof ExtendedPoint))
             throw new TypeError('ExtendedPoint expected');
@@ -288,20 +275,21 @@ export function twistedEdwards(curveDef) {
         // Uses algo from RFC8032 5.1.3.
         static fromHex(hex, strict = true) {
             const { d, a } = CURVE;
-            hex = ensureBytes(hex, fieldLen);
+            const len = Fp.BYTES;
+            hex = ensureBytes(hex, len);
             // 1.  First, interpret the string as an integer in little-endian
             // representation. Bit 255 of this number is the least significant
             // bit of the x-coordinate and denote this value x_0.  The
             // y-coordinate is recovered simply by clearing this bit.  If the
             // resulting value is >= p, decoding fails.
             const normed = hex.slice();
-            const lastByte = hex[fieldLen - 1];
-            normed[fieldLen - 1] = lastByte & ~0x80;
-            const y = bytesToNumberLE(normed);
+            const lastByte = hex[len - 1];
+            normed[len - 1] = lastByte & ~0x80;
+            const y = ut.bytesToNumberLE(normed);
             if (strict && y >= Fp.ORDER)
                 throw new Error('Expected 0 < hex < P');
             if (!strict && y >= maxGroupElement)
-                throw new Error('Expected 0 < hex < 2**256');
+                throw new Error('Expected 0 < hex < CURVE.n');
             // 2.  To recover the x-coordinate, the curve equation implies
             // Ed25519: x² = (y² - 1) / (d y² + 1) (mod p).
             // Ed448: x² = (y² - 1) / (d y² - 1) (mod p).
@@ -333,14 +321,16 @@ export function twistedEdwards(curveDef) {
         // When compressing point, it's enough to only store its y coordinate
         // and use the last byte to encode sign of x.
         toRawBytes() {
-            const bytes = numberToBytesLE(this.y, fieldLen);
-            bytes[fieldLen - 1] |= this.x & _1n ? 0x80 : 0;
+            const bytes = ut.numberToBytesLE(this.y, Fp.BYTES);
+            bytes[Fp.BYTES - 1] |= this.x & _1n ? 0x80 : 0;
             return bytes;
         }
         // Same as toRawBytes, but returns string.
         toHex() {
-            return bytesToHex(this.toRawBytes());
+            return ut.bytesToHex(this.toRawBytes());
         }
+        // Determines if point is in prime-order subgroup.
+        // Returns `false` is the point is dirty.
         isTorsionFree() {
             return ExtendedPoint.fromAffine(this).isTorsionFree();
         }
@@ -375,22 +365,22 @@ export function twistedEdwards(curveDef) {
         // Encodes byte string to elliptic curve
         // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
         static hashToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
+            const { mapToCurve, htfDefaults } = CURVE;
+            if (!mapToCurve)
                 throw new Error('No mapToCurve defined for curve');
-            msg = ensureBytes(msg);
-            const u = hash_to_field(msg, 2, { ...CURVE.htfDefaults, ...options });
-            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
-            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
+            const u = hashToField(ensureBytes(msg), 2, { ...htfDefaults, ...options });
+            const { x: x0, y: y0 } = mapToCurve(u[0]);
+            const { x: x1, y: y1 } = mapToCurve(u[1]);
             const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
             return p;
         }
         // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
         static encodeToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
+            const { mapToCurve, htfDefaults } = CURVE;
+            if (!mapToCurve)
                 throw new Error('No mapToCurve defined for curve');
-            msg = ensureBytes(msg);
-            const u = hash_to_field(msg, 1, { ...CURVE.htfDefaults, ...options });
-            const { x, y } = CURVE.mapToCurve(u[0]);
+            const u = hashToField(ensureBytes(msg), 1, { ...htfDefaults, ...options });
+            const { x, y } = mapToCurve(u[0]);
             return new Point(x, y).clearCofactor();
         }
     }
@@ -410,9 +400,10 @@ export function twistedEdwards(curveDef) {
             this.assertValidity();
         }
         static fromHex(hex) {
-            const bytes = ensureBytes(hex, 2 * fieldLen);
-            const r = Point.fromHex(bytes.slice(0, fieldLen), false);
-            const s = bytesToNumberLE(bytes.slice(fieldLen, 2 * fieldLen));
+            const len = Fp.BYTES;
+            const bytes = ensureBytes(hex, 2 * len);
+            const r = Point.fromHex(bytes.slice(0, len), false);
+            const s = ut.bytesToNumberLE(bytes.slice(len, 2 * len));
             return new Signature(r, s);
         }
         assertValidity() {
@@ -424,15 +415,15 @@ export function twistedEdwards(curveDef) {
             return this;
         }
         toRawBytes() {
-            return concatBytes(this.r.toRawBytes(), numberToBytesLE(this.s, fieldLen));
+            return ut.concatBytes(this.r.toRawBytes(), ut.numberToBytesLE(this.s, Fp.BYTES));
         }
         toHex() {
-            return bytesToHex(this.toRawBytes());
+            return ut.bytesToHex(this.toRawBytes());
         }
     }
     // Little-endian SHA512 with modulo n
-    function modlLE(hash) {
-        return mod.mod(bytesToNumberLE(hash), CURVE_ORDER);
+    function modnLE(hash) {
+        return mod.mod(ut.bytesToNumberLE(hash), CURVE_ORDER);
     }
     /**
      * Checks for num to be in range:
@@ -443,7 +434,7 @@ export function twistedEdwards(curveDef) {
     function normalizeScalar(num, max, strict = true) {
         if (!max)
             throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
+        if (ut.isPositiveInt(num))
             num = BigInt(num);
         if (typeof num === 'bigint' && num < max) {
             if (strict) {
@@ -455,36 +446,30 @@ export function twistedEdwards(curveDef) {
                     return num;
             }
         }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
+        throw new TypeError(`Expected valid scalar: 0 < scalar < ${max}`);
     }
-    function checkPrivateKey(key) {
+    /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
+    function getExtendedPublicKey(key) {
+        const groupLen = CURVE.nByteLength;
         // Normalize bigint / number / string to Uint8Array
-        key =
-            typeof key === 'bigint' || typeof key === 'number'
-                ? numberToBytesLE(normalizeScalar(key, maxGroupElement), groupLen)
-                : ensureBytes(key);
-        if (key.length !== groupLen)
-            throw new Error(`Expected ${groupLen} bytes, got ${key.length}`);
-        return key;
-    }
-    // Takes 64 bytes
-    function getKeyFromHash(hashed) {
-        // First 32 bytes of 64b uniformingly random input are taken,
-        // clears 3 bits of it to produce a random field element.
+        const keyb = typeof key === 'bigint' || typeof key === 'number'
+            ? ut.numberToBytesLE(normalizeScalar(key, maxGroupElement), groupLen)
+            : key;
+        // Hash private key with curve's hash function to produce uniformingly random input
+        // We check byte lengths e.g.: ensureBytes(64, hash(ensureBytes(32, key)))
+        const hashed = ensureBytes(CURVE.hash(ensureBytes(keyb, groupLen)), 2 * groupLen);
+        // First half's bits are cleared to produce a random field element.
         const head = adjustScalarBytes(hashed.slice(0, groupLen));
-        // Second 32 bytes is called key prefix (5.1.6)
+        // Second half is called key prefix (5.1.6)
         const prefix = hashed.slice(groupLen, 2 * groupLen);
         // The actual private scalar
-        const scalar = modlLE(head);
+        const scalar = modnLE(head);
         // Point on Edwards curve aka public key
         const point = Point.BASE.multiply(scalar);
+        // Uint8Array representation
         const pointBytes = point.toRawBytes();
         return { head, prefix, scalar, point, pointBytes };
     }
-    /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
-    function getExtendedPublicKey(key) {
-        return getKeyFromHash(CURVE.hash(checkPrivateKey(key)));
-    }
     /**
      * Calculates ed25519 public key. RFC8032 5.1.5
      * 1. private key is hashed with sha512, then first 32 bytes are taken from the hash
@@ -496,7 +481,7 @@ export function twistedEdwards(curveDef) {
     const EMPTY = new Uint8Array();
     function hashDomainToScalar(message, context = EMPTY) {
         context = ensureBytes(context);
-        return modlLE(CURVE.hash(domain(message, context, !!CURVE.preHash)));
+        return modnLE(CURVE.hash(domain(message, context, !!CURVE.preHash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
     function sign(message, privateKey, context) {
@@ -504,9 +489,9 @@ export function twistedEdwards(curveDef) {
         if (CURVE.preHash)
             message = CURVE.preHash(message);
         const { prefix, scalar, pointBytes } = getExtendedPublicKey(privateKey);
-        const r = hashDomainToScalar(concatBytes(prefix, message), context);
+        const r = hashDomainToScalar(ut.concatBytes(prefix, message), context);
         const R = Point.BASE.multiply(r); // R = rG
-        const k = hashDomainToScalar(concatBytes(R.toRawBytes(), pointBytes, message), context); // k = hash(R+P+msg)
+        const k = hashDomainToScalar(ut.concatBytes(R.toRawBytes(), pointBytes, message), context); // k = hash(R+P+msg)
         const s = mod.mod(r + k * scalar, CURVE_ORDER); // s = r + kp
         return new Signature(R, s).toRawBytes();
     }
@@ -545,27 +530,25 @@ export function twistedEdwards(curveDef) {
             throw new Error(`Wrong signature: ${sig}`);
         const { r, s } = sig;
         const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
-        const k = hashDomainToScalar(concatBytes(r.toRawBytes(), publicKey.toRawBytes(), message), context);
+        const k = hashDomainToScalar(ut.concatBytes(r.toRawBytes(), publicKey.toRawBytes(), message), context);
         const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
         const RkA = ExtendedPoint.fromAffine(r).add(kA);
         // [8][S]B = [8]R + [8][k]A'
-        return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
+        return RkA.subtract(SB).clearCofactor().equals(ExtendedPoint.ZERO);
     }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
     Point.BASE._setWindowSize(8);
     const utils = {
         getExtendedPublicKey,
-        mod: modP,
-        invert: Fp.invert,
         /**
          * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
          */
-        hashToPrivateScalar: (hash) => hashToPrivateScalar(hash, CURVE_ORDER, true),
+        hashToPrivateScalar: (hash) => ut.hashToPrivateScalar(hash, CURVE_ORDER, true),
         /**
          * ed25519 private keys are uniform 32-bit strings. We do not need to check for
          * modulo bias like we do in secp256k1 randomPrivateKey()
          */
-        randomPrivateKey: () => randomBytes(fieldLen),
+        randomPrivateKey: () => randomBytes(Fp.BYTES),
         /**
          * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
          * values. This slows down first getPublicKey() by milliseconds (see Speed section),