@noble/curves 0.5.1 → 0.6.0

package/lib/bls12-381.d.ts

@@ -1,3 +1,4 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { CurveFn } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
 declare const Fp: Readonly<mod.Field<bigint> & Required<Pick<mod.Field<bigint>, "isOdd">>>;

package/lib/bls12-381.js

@@ -1,7 +1,17 @@
 "use strict";
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bls12_381 = void 0;
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// The pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to:
+// - Construct zk-SNARKs at the 128-bit security
+// - Use threshold signatures, which allows a user to sign lots of messages with one signature and verify them swiftly in a batch, using Boneh-Lynn-Shacham signature scheme.
+// Differences from @noble/bls12-381 1.4:
+// - PointG1 -> G1.Point
+// - PointG2 -> G2.Point
+// - PointG2.fromSignature -> Signature.decode
+// - PointG2.toSignature ->  Signature.encode
+// - Fixed Fp2 ORDER
+// - Points now have only two coordinates
 const sha256_1 = require("@noble/hashes/sha256");
 const utils_1 = require("@noble/hashes/utils");
 const bls_js_1 = require("./abstract/bls.js");
@@ -10,13 +20,6 @@ const utils_js_1 = require("./abstract/utils.js");
 // Types
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js");
-// Differences from bls12-381:
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// Points now have only two coordinates
 // CURVE FIELDS
 // Finite field over p.
 const Fp = mod.Fp(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn);
@@ -65,24 +68,24 @@ const Fp2 = {
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
-    isZero: ({ c0, c1 }) => Fp.isZero(c0) && Fp.isZero(c1),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.equals(c0, r0) && Fp.equals(c1, r1),
-    negate: ({ c0, c1 }) => ({ c0: Fp.negate(c0), c1: Fp.negate(c1) }),
+    is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
+    neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp2, nums),
     // Normalized
     add: Fp2Add,
     sub: Fp2Subtract,
     mul: Fp2Multiply,
-    square: Fp2Square,
+    sqr: Fp2Square,
     // NonNormalized stuff
     addN: Fp2Add,
     subN: Fp2Subtract,
     mulN: Fp2Multiply,
-    squareN: Fp2Square,
+    sqrN: Fp2Square,
     // Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
-    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp2.invert(rhs)),
-    invert: ({ c0: a, c1: b }) => {
+    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp2.inv(rhs)),
+    inv: ({ c0: a, c1: b }) => {
         // We wish to find the multiplicative inverse of a nonzero
         // element a + bu in Fp2. We leverage an identity
         //
@@ -96,10 +99,12 @@ const Fp2 = {
         // This gives that (a - bu)/(a² + b²) is the inverse
         // of (a + bu). Importantly, this can be computing using
         // only a single inversion in Fp.
-        const factor = Fp.invert(Fp.create(a * a + b * b));
+        const factor = Fp.inv(Fp.create(a * a + b * b));
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
+        if (Fp2.eql(num, Fp2.ZERO))
+            return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
         // https://eprint.iacr.org/2012/685.pdf applicable?
@@ -107,9 +112,9 @@ const Fp2 = {
         // https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1
         // Inspired by https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99
         const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + 8n) / 16n);
-        const check = Fp2.div(Fp2.square(candidateSqrt), num); // candidateSqrt.square().div(this);
+        const check = Fp2.div(Fp2.sqr(candidateSqrt), num); // candidateSqrt.square().div(this);
         const R = FP2_ROOTS_OF_UNITY;
-        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.equals(r, check));
+        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.eql(r, check));
         if (!divisor)
             throw new Error('No root');
         const index = R.indexOf(divisor);
@@ -117,7 +122,7 @@ const Fp2 = {
         if (!root)
             throw new Error('Invalid root');
         const x1 = Fp2.div(candidateSqrt, root);
-        const x2 = Fp2.negate(x1);
+        const x2 = Fp2.neg(x1);
         const { re: re1, im: im1 } = Fp2.reim(x1);
         const { re: re2, im: im2 } = Fp2.reim(x2);
         if (im1 > im2 || (im1 === im2 && re1 > re2))
@@ -228,15 +233,15 @@ const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
     };
 };
 const Fp6Square = ({ c0, c1, c2 }) => {
-    let t0 = Fp2.square(c0); // c0²
+    let t0 = Fp2.sqr(c0); // c0²
     let t1 = Fp2.mul(Fp2.mul(c0, c1), 2n); // 2 * c0 * c1
     let t3 = Fp2.mul(Fp2.mul(c1, c2), 2n); // 2 * c1 * c2
-    let t4 = Fp2.square(c2); // c2²
+    let t4 = Fp2.sqr(c2); // c2²
     return {
         c0: Fp2.add(Fp2.mulByNonresidue(t3), t0),
         c1: Fp2.add(Fp2.mulByNonresidue(t4), t1),
         // T1 + (c0 - c1 + c2)² + T3 - T0 - T4
-        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.square(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
+        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
 };
 const Fp6 = {
@@ -248,32 +253,32 @@ const Fp6 = {
     ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
-    isZero: ({ c0, c1, c2 }) => Fp2.isZero(c0) && Fp2.isZero(c1) && Fp2.isZero(c2),
-    negate: ({ c0, c1, c2 }) => ({ c0: Fp2.negate(c0), c1: Fp2.negate(c1), c2: Fp2.negate(c2) }),
-    equals: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.equals(c0, r0) && Fp2.equals(c1, r1) && Fp2.equals(c2, r2),
+    is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
+    eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
     sqrt: () => {
         throw new Error('Not implemented');
     },
     // Do we need division by bigint at all? Should be done via order:
-    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp6.invert(rhs)),
+    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp6.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp6, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp6, nums),
     // Normalized
     add: Fp6Add,
     sub: Fp6Subtract,
     mul: Fp6Multiply,
-    square: Fp6Square,
+    sqr: Fp6Square,
     // NonNormalized stuff
     addN: Fp6Add,
     subN: Fp6Subtract,
     mulN: Fp6Multiply,
-    squareN: Fp6Square,
-    invert: ({ c0, c1, c2 }) => {
-        let t0 = Fp2.sub(Fp2.square(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
-        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.square(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
-        let t2 = Fp2.sub(Fp2.square(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
+    sqrN: Fp6Square,
+    inv: ({ c0, c1, c2 }) => {
+        let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
+        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
+        let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
         // 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
-        let t4 = Fp2.invert(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
+        let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
         return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
     },
     // Bytes utils
@@ -414,11 +419,11 @@ const Fp12Square = ({ c0, c1 }) => {
     }; // AB + AB
 };
 function Fp4Square(a, b) {
-    const a2 = Fp2.square(a);
-    const b2 = Fp2.square(b);
+    const a2 = Fp2.sqr(a);
+    const b2 = Fp2.sqr(b);
     return {
         first: Fp2.add(Fp2.mulByNonresidue(b2), a2),
-        second: Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
+        second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
 }
 const Fp12 = {
@@ -430,29 +435,29 @@ const Fp12 = {
     ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
-    isZero: ({ c0, c1 }) => Fp6.isZero(c0) && Fp6.isZero(c1),
-    negate: ({ c0, c1 }) => ({ c0: Fp6.negate(c0), c1: Fp6.negate(c1) }),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.equals(c0, r0) && Fp6.equals(c1, r1),
+    is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: () => {
         throw new Error('Not implemented');
     },
-    invert: ({ c0, c1 }) => {
-        let t = Fp6.invert(Fp6.sub(Fp6.square(c0), Fp6.mulByNonresidue(Fp6.square(c1)))); // 1 / (c0² - c1² * v)
-        return { c0: Fp6.mul(c0, t), c1: Fp6.negate(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
+    inv: ({ c0, c1 }) => {
+        let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
+        return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
     },
-    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp12.invert(rhs)),
+    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp12.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp12, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp12, nums),
     // Normalized
     add: Fp12Add,
     sub: Fp12Subtract,
     mul: Fp12Multiply,
-    square: Fp12Square,
+    sqr: Fp12Square,
     // NonNormalized stuff
     addN: Fp12Add,
     subN: Fp12Subtract,
     mulN: Fp12Multiply,
-    squareN: Fp12Square,
+    sqrN: Fp12Square,
     // Bytes utils
     fromBytes: (b) => {
         if (b.length !== Fp12.BYTES)
@@ -506,7 +511,7 @@ const Fp12 = {
         c0: Fp6.multiplyByFp2(c0, rhs),
         c1: Fp6.multiplyByFp2(c1, rhs),
     }),
-    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.negate(c1) }),
+    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.neg(c1) }),
     // A cyclotomic group is a subgroup of Fp^n defined by
     //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
     // The result of any pairing is in a cyclotomic subgroup
@@ -785,7 +790,7 @@ function G2psi(c, P) {
 // 1 / F2(2)^((p-1)/3) in GF(p²)
 const PSI2_C1 = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn;
 function psi2(x, y) {
-    return [Fp2.mul(x, PSI2_C1), Fp2.negate(y)];
+    return [Fp2.mul(x, PSI2_C1), Fp2.neg(y)];
 }
 function G2psi2(c, P) {
     const affine = P.toAffine();
@@ -807,6 +812,7 @@ const htfDefaults = {
     // defined in section 2.2.5
     // Use utils.getDSTLabel(), utils.setDSTLabel(value)
     DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
+    encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     // p: the characteristic of F
     //    where F is a finite field of characteristic p and order q = p^m
     p: Fp.ORDER,
@@ -873,7 +879,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         isTorsionFree: (c, point) => {
             // φ endomorphism
             const cubicRootOfUnityModP = 0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen;
-            const phi = new c(Fp.mul(point.x, cubicRootOfUnityModP), point.y, point.z);
+            const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
             // todo: unroll
             const xP = point.multiplyUnsafe(exports.bls12_381.CURVE.x).negate(); // [x]P
             const u2P = xP.multiplyUnsafe(exports.bls12_381.CURVE.x); // [u2]P
@@ -915,13 +921,13 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                     throw new Error('Invalid compressed G1 point');
                 const aflag = (0, utils_js_1.bitGet)(compressedValue, C_BIT_POS);
                 if ((y * 2n) / P !== aflag)
-                    y = Fp.negate(y);
+                    y = Fp.neg(y);
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
             else if (bytes.length === 96) {
                 // Check if the infinity flag is set
                 if ((bytes[0] & (1 << 6)) !== 0)
-                    return exports.bls12_381.G1.Point.ZERO;
+                    return exports.bls12_381.G1.ProjectivePoint.ZERO.toAffine();
                 const x = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
                 const y = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES));
                 return { x: Fp.create(x), y: Fp.create(y) };
@@ -932,7 +938,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 if (isZero)
                     return COMPRESSED_ZERO.slice();
@@ -1019,6 +1025,8 @@ exports.bls12_381 = (0, bls_js_1.bls)({
             const bitC = m_byte & 0x80; // compression bit
             const bitI = m_byte & 0x40; // point at infinity bit
             const bitS = m_byte & 0x20; // sign bit
+            const L = Fp.BYTES;
+            const slc = (b, from, to) => (0, utils_js_1.bytesToNumberBE)(b.slice(from, to));
             if (bytes.length === 96 && bitC) {
                 const { b } = exports.bls12_381.CURVE.G2;
                 const P = Fp.ORDER;
@@ -1030,13 +1038,13 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                     }
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x_1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
-                const x_0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES));
+                const x_1 = slc(bytes, 0, L);
+                const x_0 = slc(bytes, L, 2 * L);
                 const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
                 const right = Fp2.add(Fp2.pow(x, 3n), b); // y² = x³ + 4 * (u+1) = x³ + b
                 let y = Fp2.sqrt(right);
                 const Y_bit = y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P ? 1n : 0n;
-                y = bitS > 0 && Y_bit > 0 ? y : Fp2.negate(y);
+                y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
                 return { x, y };
             }
             else if (bytes.length === 192 && !bitC) {
@@ -1044,10 +1052,10 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 if ((bytes[0] & (1 << 6)) !== 0) {
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
-                const x0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES, 2 * Fp.BYTES));
-                const y1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(2 * Fp.BYTES, 3 * Fp.BYTES));
-                const y0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(3 * Fp.BYTES));
+                const x1 = slc(bytes, 0, L);
+                const x0 = slc(bytes, L, 2 * L);
+                const y1 = slc(bytes, 2 * L, 3 * L);
+                const y0 = slc(bytes, 3 * L, 4 * L);
                 return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
             }
             else {
@@ -1056,7 +1064,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 const P = Fp.ORDER;
                 if (isZero)
@@ -1088,7 +1096,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 // Indicates the infinity point
                 const bflag1 = (0, utils_js_1.bitGet)(z1, I_BIT_POS);
                 if (bflag1 === 1n)
-                    return exports.bls12_381.G2.Point.ZERO;
+                    return exports.bls12_381.G2.ProjectivePoint.ZERO;
                 const x1 = Fp.create(z1 & Fp.MASK);
                 const x2 = Fp.create(z2);
                 const x = Fp2.create({ c0: x2, c1: x1 });
@@ -1104,18 +1112,20 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1;
                 const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1;
                 if (isGreater || isZero)
-                    y = Fp2.negate(y);
-                const point = new exports.bls12_381.G2.Point(x, y);
+                    y = Fp2.neg(y);
+                const point = exports.bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
+                // console.log('Signature.decode', point);
                 point.assertValidity();
                 return point;
             },
             encode(point) {
                 // NOTE: by some reasons it was missed in bls12-381, looks like bug
                 point.assertValidity();
-                if (point.equals(exports.bls12_381.G2.Point.ZERO))
+                if (point.equals(exports.bls12_381.G2.ProjectivePoint.ZERO))
                     return (0, utils_js_1.concatBytes)(COMPRESSED_ZERO, (0, utils_js_1.numberToBytesBE)(0n, Fp.BYTES));
-                const { re: x0, im: x1 } = Fp2.reim(point.x);
-                const { re: y0, im: y1 } = Fp2.reim(point.y);
+                const a = point.toAffine();
+                const { re: x0, im: x1 } = Fp2.reim(a.x);
+                const { re: y0, im: y1 } = Fp2.reim(a.y);
                 const tmp = y1 > 0n ? y1 * 2n : y0 * 2n;
                 const aflag1 = Boolean((tmp / Fp.ORDER) & 1n);
                 const z1 = (0, utils_js_1.bitSet)((0, utils_js_1.bitSet)(x1, 381, aflag1), S_BIT_POS, true);

package/lib/bn.js

@@ -2,8 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bn254 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const sha256_1 = require("@noble/hashes/sha256");
+const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const modular_js_1 = require("./abstract/modular.js");
 /**

package/lib/ed25519.d.ts

@@ -1,11 +1,14 @@
-import { ExtendedPointType } from './abstract/edwards.js';
+import { ExtPointType } from './abstract/edwards.js';
 import { Hex } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 export declare const ED25519_TORSION_SUBGROUP: string[];
 export declare const ed25519: import("./abstract/edwards.js").CurveFn;
 export declare const ed25519ctx: import("./abstract/edwards.js").CurveFn;
 export declare const ed25519ph: import("./abstract/edwards.js").CurveFn;
 export declare const x25519: import("./abstract/montgomery.js").CurveFn;
-declare type ExtendedPoint = ExtendedPointType;
+declare const hashToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>, encodeToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>;
+export { hashToCurve, encodeToCurve };
+declare type ExtendedPoint = ExtPointType;
 /**
  * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
@@ -42,7 +45,6 @@ export declare class RistrettoPoint {
     equals(other: RistrettoPoint): boolean;
     add(other: RistrettoPoint): RistrettoPoint;
     subtract(other: RistrettoPoint): RistrettoPoint;
-    multiply(scalar: number | bigint): RistrettoPoint;
-    multiplyUnsafe(scalar: number | bigint): RistrettoPoint;
+    multiply(scalar: bigint): RistrettoPoint;
+    multiplyUnsafe(scalar: bigint): RistrettoPoint;
 }
-export {};