@noble/curves 0.5.1 → 0.6.0

package/lib/esm/bls12-381.js

@@ -1,19 +1,22 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// The pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to:
+// - Construct zk-SNARKs at the 128-bit security
+// - Use threshold signatures, which allows a user to sign lots of messages with one signature and verify them swiftly in a batch, using Boneh-Lynn-Shacham signature scheme.
+// Differences from @noble/bls12-381 1.4:
+// - PointG1 -> G1.Point
+// - PointG2 -> G2.Point
+// - PointG2.fromSignature -> Signature.decode
+// - PointG2.toSignature ->  Signature.encode
+// - Fixed Fp2 ORDER
+// - Points now have only two coordinates
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
-import { concatBytes, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js';
+import { concatBytes as concatB, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js';
 // Types
 import { mapToCurveSimpleSWU, } from './abstract/weierstrass.js';
 import { isogenyMap } from './abstract/hash-to-curve.js';
-// Differences from bls12-381:
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// Points now have only two coordinates
 // CURVE FIELDS
 // Finite field over p.
 const Fp = mod.Fp(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn);
@@ -62,24 +65,24 @@ const Fp2 = {
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
-    isZero: ({ c0, c1 }) => Fp.isZero(c0) && Fp.isZero(c1),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.equals(c0, r0) && Fp.equals(c1, r1),
-    negate: ({ c0, c1 }) => ({ c0: Fp.negate(c0), c1: Fp.negate(c1) }),
+    is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
+    neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp2, nums),
     // Normalized
     add: Fp2Add,
     sub: Fp2Subtract,
     mul: Fp2Multiply,
-    square: Fp2Square,
+    sqr: Fp2Square,
     // NonNormalized stuff
     addN: Fp2Add,
     subN: Fp2Subtract,
     mulN: Fp2Multiply,
-    squareN: Fp2Square,
+    sqrN: Fp2Square,
     // Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
-    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp2.invert(rhs)),
-    invert: ({ c0: a, c1: b }) => {
+    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp2.inv(rhs)),
+    inv: ({ c0: a, c1: b }) => {
         // We wish to find the multiplicative inverse of a nonzero
         // element a + bu in Fp2. We leverage an identity
         //
@@ -93,10 +96,12 @@ const Fp2 = {
         // This gives that (a - bu)/(a² + b²) is the inverse
         // of (a + bu). Importantly, this can be computing using
         // only a single inversion in Fp.
-        const factor = Fp.invert(Fp.create(a * a + b * b));
+        const factor = Fp.inv(Fp.create(a * a + b * b));
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
+        if (Fp2.eql(num, Fp2.ZERO))
+            return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
         // https://eprint.iacr.org/2012/685.pdf applicable?
@@ -104,9 +109,9 @@ const Fp2 = {
         // https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1
         // Inspired by https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99
         const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + 8n) / 16n);
-        const check = Fp2.div(Fp2.square(candidateSqrt), num); // candidateSqrt.square().div(this);
+        const check = Fp2.div(Fp2.sqr(candidateSqrt), num); // candidateSqrt.square().div(this);
         const R = FP2_ROOTS_OF_UNITY;
-        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.equals(r, check));
+        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.eql(r, check));
         if (!divisor)
             throw new Error('No root');
         const index = R.indexOf(divisor);
@@ -114,7 +119,7 @@ const Fp2 = {
         if (!root)
             throw new Error('Invalid root');
         const x1 = Fp2.div(candidateSqrt, root);
-        const x2 = Fp2.negate(x1);
+        const x2 = Fp2.neg(x1);
         const { re: re1, im: im1 } = Fp2.reim(x1);
         const { re: re2, im: im2 } = Fp2.reim(x2);
         if (im1 > im2 || (im1 === im2 && re1 > re2))
@@ -135,7 +140,7 @@ const Fp2 = {
             throw new Error(`fromBytes wrong length=${b.length}`);
         return { c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)), c1: Fp.fromBytes(b.subarray(Fp.BYTES)) };
     },
-    toBytes: ({ c0, c1 }) => concatBytes(Fp.toBytes(c0), Fp.toBytes(c1)),
+    toBytes: ({ c0, c1 }) => concatB(Fp.toBytes(c0), Fp.toBytes(c1)),
     cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
         c0: Fp.cmov(c0, r0, c),
         c1: Fp.cmov(c1, r1, c),
@@ -225,15 +230,15 @@ const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
     };
 };
 const Fp6Square = ({ c0, c1, c2 }) => {
-    let t0 = Fp2.square(c0); // c0²
+    let t0 = Fp2.sqr(c0); // c0²
     let t1 = Fp2.mul(Fp2.mul(c0, c1), 2n); // 2 * c0 * c1
     let t3 = Fp2.mul(Fp2.mul(c1, c2), 2n); // 2 * c1 * c2
-    let t4 = Fp2.square(c2); // c2²
+    let t4 = Fp2.sqr(c2); // c2²
     return {
         c0: Fp2.add(Fp2.mulByNonresidue(t3), t0),
         c1: Fp2.add(Fp2.mulByNonresidue(t4), t1),
         // T1 + (c0 - c1 + c2)² + T3 - T0 - T4
-        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.square(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
+        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
 };
 const Fp6 = {
@@ -245,32 +250,32 @@ const Fp6 = {
     ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
-    isZero: ({ c0, c1, c2 }) => Fp2.isZero(c0) && Fp2.isZero(c1) && Fp2.isZero(c2),
-    negate: ({ c0, c1, c2 }) => ({ c0: Fp2.negate(c0), c1: Fp2.negate(c1), c2: Fp2.negate(c2) }),
-    equals: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.equals(c0, r0) && Fp2.equals(c1, r1) && Fp2.equals(c2, r2),
+    is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
+    eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
     sqrt: () => {
         throw new Error('Not implemented');
     },
     // Do we need division by bigint at all? Should be done via order:
-    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp6.invert(rhs)),
+    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp6.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp6, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp6, nums),
     // Normalized
     add: Fp6Add,
     sub: Fp6Subtract,
     mul: Fp6Multiply,
-    square: Fp6Square,
+    sqr: Fp6Square,
     // NonNormalized stuff
     addN: Fp6Add,
     subN: Fp6Subtract,
     mulN: Fp6Multiply,
-    squareN: Fp6Square,
-    invert: ({ c0, c1, c2 }) => {
-        let t0 = Fp2.sub(Fp2.square(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
-        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.square(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
-        let t2 = Fp2.sub(Fp2.square(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
+    sqrN: Fp6Square,
+    inv: ({ c0, c1, c2 }) => {
+        let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
+        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
+        let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
         // 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
-        let t4 = Fp2.invert(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
+        let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
         return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
     },
     // Bytes utils
@@ -283,7 +288,7 @@ const Fp6 = {
             c2: Fp2.fromBytes(b.subarray(2 * Fp2.BYTES)),
         };
     },
-    toBytes: ({ c0, c1, c2 }) => concatBytes(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)),
+    toBytes: ({ c0, c1, c2 }) => concatB(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)),
     cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({
         c0: Fp2.cmov(c0, r0, c),
         c1: Fp2.cmov(c1, r1, c),
@@ -411,11 +416,11 @@ const Fp12Square = ({ c0, c1 }) => {
     }; // AB + AB
 };
 function Fp4Square(a, b) {
-    const a2 = Fp2.square(a);
-    const b2 = Fp2.square(b);
+    const a2 = Fp2.sqr(a);
+    const b2 = Fp2.sqr(b);
     return {
         first: Fp2.add(Fp2.mulByNonresidue(b2), a2),
-        second: Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
+        second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
 }
 const Fp12 = {
@@ -427,29 +432,29 @@ const Fp12 = {
     ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
-    isZero: ({ c0, c1 }) => Fp6.isZero(c0) && Fp6.isZero(c1),
-    negate: ({ c0, c1 }) => ({ c0: Fp6.negate(c0), c1: Fp6.negate(c1) }),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.equals(c0, r0) && Fp6.equals(c1, r1),
+    is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: () => {
         throw new Error('Not implemented');
     },
-    invert: ({ c0, c1 }) => {
-        let t = Fp6.invert(Fp6.sub(Fp6.square(c0), Fp6.mulByNonresidue(Fp6.square(c1)))); // 1 / (c0² - c1² * v)
-        return { c0: Fp6.mul(c0, t), c1: Fp6.negate(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
+    inv: ({ c0, c1 }) => {
+        let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
+        return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
     },
-    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp12.invert(rhs)),
+    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp12.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp12, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp12, nums),
     // Normalized
     add: Fp12Add,
     sub: Fp12Subtract,
     mul: Fp12Multiply,
-    square: Fp12Square,
+    sqr: Fp12Square,
     // NonNormalized stuff
     addN: Fp12Add,
     subN: Fp12Subtract,
     mulN: Fp12Multiply,
-    squareN: Fp12Square,
+    sqrN: Fp12Square,
     // Bytes utils
     fromBytes: (b) => {
         if (b.length !== Fp12.BYTES)
@@ -459,7 +464,7 @@ const Fp12 = {
             c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
         };
     },
-    toBytes: ({ c0, c1 }) => concatBytes(Fp6.toBytes(c0), Fp6.toBytes(c1)),
+    toBytes: ({ c0, c1 }) => concatB(Fp6.toBytes(c0), Fp6.toBytes(c1)),
     cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
         c0: Fp6.cmov(c0, r0, c),
         c1: Fp6.cmov(c1, r1, c),
@@ -503,7 +508,7 @@ const Fp12 = {
         c0: Fp6.multiplyByFp2(c0, rhs),
         c1: Fp6.multiplyByFp2(c1, rhs),
     }),
-    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.negate(c1) }),
+    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.neg(c1) }),
     // A cyclotomic group is a subgroup of Fp^n defined by
     //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
     // The result of any pairing is in a cyclotomic subgroup
@@ -782,7 +787,7 @@ function G2psi(c, P) {
 // 1 / F2(2)^((p-1)/3) in GF(p²)
 const PSI2_C1 = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn;
 function psi2(x, y) {
-    return [Fp2.mul(x, PSI2_C1), Fp2.negate(y)];
+    return [Fp2.mul(x, PSI2_C1), Fp2.neg(y)];
 }
 function G2psi2(c, P) {
     const affine = P.toAffine();
@@ -804,6 +809,7 @@ const htfDefaults = {
     // defined in section 2.2.5
     // Use utils.getDSTLabel(), utils.setDSTLabel(value)
     DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
+    encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     // p: the characteristic of F
     //    where F is a finite field of characteristic p and order q = p^m
     p: Fp.ORDER,
@@ -870,7 +876,7 @@ export const bls12_381 = bls({
         isTorsionFree: (c, point) => {
             // φ endomorphism
             const cubicRootOfUnityModP = 0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen;
-            const phi = new c(Fp.mul(point.x, cubicRootOfUnityModP), point.y, point.z);
+            const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
             // todo: unroll
             const xP = point.multiplyUnsafe(bls12_381.CURVE.x).negate(); // [x]P
             const u2P = xP.multiplyUnsafe(bls12_381.CURVE.x); // [u2]P
@@ -912,13 +918,13 @@ export const bls12_381 = bls({
                     throw new Error('Invalid compressed G1 point');
                 const aflag = bitGet(compressedValue, C_BIT_POS);
                 if ((y * 2n) / P !== aflag)
-                    y = Fp.negate(y);
+                    y = Fp.neg(y);
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
             else if (bytes.length === 96) {
                 // Check if the infinity flag is set
                 if ((bytes[0] & (1 << 6)) !== 0)
-                    return bls12_381.G1.Point.ZERO;
+                    return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
                 const x = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
                 const y = bytesToNumberBE(bytes.slice(Fp.BYTES));
                 return { x: Fp.create(x), y: Fp.create(y) };
@@ -929,7 +935,7 @@ export const bls12_381 = bls({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 if (isZero)
                     return COMPRESSED_ZERO.slice();
@@ -942,11 +948,11 @@ export const bls12_381 = bls({
             else {
                 if (isZero) {
                     // 2x PUBLIC_KEY_LENGTH
-                    const x = concatBytes(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1));
+                    const x = concatB(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1));
                     return x;
                 }
                 else {
-                    return concatBytes(numberToBytesBE(x, Fp.BYTES), numberToBytesBE(y, Fp.BYTES));
+                    return concatB(numberToBytesBE(x, Fp.BYTES), numberToBytesBE(y, Fp.BYTES));
                 }
             }
         },
@@ -1016,6 +1022,8 @@ export const bls12_381 = bls({
             const bitC = m_byte & 0x80; // compression bit
             const bitI = m_byte & 0x40; // point at infinity bit
             const bitS = m_byte & 0x20; // sign bit
+            const L = Fp.BYTES;
+            const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
             if (bytes.length === 96 && bitC) {
                 const { b } = bls12_381.CURVE.G2;
                 const P = Fp.ORDER;
@@ -1027,13 +1035,13 @@ export const bls12_381 = bls({
                     }
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x_1 = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-                const x_0 = bytesToNumberBE(bytes.slice(Fp.BYTES));
+                const x_1 = slc(bytes, 0, L);
+                const x_0 = slc(bytes, L, 2 * L);
                 const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
                 const right = Fp2.add(Fp2.pow(x, 3n), b); // y² = x³ + 4 * (u+1) = x³ + b
                 let y = Fp2.sqrt(right);
                 const Y_bit = y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P ? 1n : 0n;
-                y = bitS > 0 && Y_bit > 0 ? y : Fp2.negate(y);
+                y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
                 return { x, y };
             }
             else if (bytes.length === 192 && !bitC) {
@@ -1041,10 +1049,10 @@ export const bls12_381 = bls({
                 if ((bytes[0] & (1 << 6)) !== 0) {
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x1 = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-                const x0 = bytesToNumberBE(bytes.slice(Fp.BYTES, 2 * Fp.BYTES));
-                const y1 = bytesToNumberBE(bytes.slice(2 * Fp.BYTES, 3 * Fp.BYTES));
-                const y0 = bytesToNumberBE(bytes.slice(3 * Fp.BYTES));
+                const x1 = slc(bytes, 0, L);
+                const x0 = slc(bytes, L, 2 * L);
+                const y1 = slc(bytes, 2 * L, 3 * L);
+                const y0 = slc(bytes, 3 * L, 4 * L);
                 return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
             }
             else {
@@ -1053,23 +1061,23 @@ export const bls12_381 = bls({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 const P = Fp.ORDER;
                 if (isZero)
-                    return concatBytes(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
+                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
                 const flag = Boolean(y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P);
                 // set compressed & sign bits (looks like different offsets than for G1/Fp?)
                 let x_1 = bitSet(x.c1, C_BIT_POS, flag);
                 x_1 = bitSet(x_1, S_BIT_POS, true);
-                return concatBytes(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
+                return concatB(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
             }
             else {
                 if (isZero)
-                    return concatBytes(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
+                    return concatB(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
                 const { re: x0, im: x1 } = Fp2.reim(x);
                 const { re: y0, im: y1 } = Fp2.reim(y);
-                return concatBytes(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES));
+                return concatB(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES));
             }
         },
         Signature: {
@@ -1085,7 +1093,7 @@ export const bls12_381 = bls({
                 // Indicates the infinity point
                 const bflag1 = bitGet(z1, I_BIT_POS);
                 if (bflag1 === 1n)
-                    return bls12_381.G2.Point.ZERO;
+                    return bls12_381.G2.ProjectivePoint.ZERO;
                 const x1 = Fp.create(z1 & Fp.MASK);
                 const x2 = Fp.create(z2);
                 const x = Fp2.create({ c0: x2, c1: x1 });
@@ -1101,23 +1109,25 @@ export const bls12_381 = bls({
                 const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1;
                 const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1;
                 if (isGreater || isZero)
-                    y = Fp2.negate(y);
-                const point = new bls12_381.G2.Point(x, y);
+                    y = Fp2.neg(y);
+                const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
+                // console.log('Signature.decode', point);
                 point.assertValidity();
                 return point;
             },
             encode(point) {
                 // NOTE: by some reasons it was missed in bls12-381, looks like bug
                 point.assertValidity();
-                if (point.equals(bls12_381.G2.Point.ZERO))
-                    return concatBytes(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
-                const { re: x0, im: x1 } = Fp2.reim(point.x);
-                const { re: y0, im: y1 } = Fp2.reim(point.y);
+                if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
+                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
+                const a = point.toAffine();
+                const { re: x0, im: x1 } = Fp2.reim(a.x);
+                const { re: y0, im: y1 } = Fp2.reim(a.y);
                 const tmp = y1 > 0n ? y1 * 2n : y0 * 2n;
                 const aflag1 = Boolean((tmp / Fp.ORDER) & 1n);
                 const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
                 const z2 = x0;
-                return concatBytes(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
+                return concatB(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
             },
         },
     },

package/lib/esm/bn.js

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { weierstrass } from './abstract/weierstrass.js';
 import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
 import { Fp } from './abstract/modular.js';
 /**