@noble/curves 0.5.2 → 0.6.0

package/README.md

@@ -6,7 +6,9 @@ Minimal, auditable JS implementation of elliptic curve cryptography.
 - ECDSA, EdDSA, Schnorr, BLS signature schemes, ECDH key agreement
 - [hash to curve](https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/)
   for encoding or hashing an arbitrary string to a point on an elliptic curve
-- Auditable, [fast](#speed)
+- [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash
+- Auditable
+- 🏎 [Ultra-fast](#speed), hand-optimized for caveats of JS engines
 - 🔍 Unique tests ensure correctness. Wycheproof vectors included
 - 🔻 Tree-shaking-friendly: there is no entry point, which ensures small size of your app
 
@@ -24,7 +26,6 @@ Curves incorporate work from previous noble packages
 [ed25519](https://github.com/paulmillr/noble-ed25519),
 [bls12-381](https://github.com/paulmillr/noble-bls12-381)),
 which had security audits and were developed from 2019 to 2022.
-The goal is to replace them with lean UMD builds based on single-codebase noble-curves.
 
 ### This library belongs to _noble_ crypto
 
@@ -88,6 +89,7 @@ To define a custom curve, check out API below.
 - [abstract/montgomery: Montgomery curve](#abstractmontgomery-montgomery-curve)
 - [abstract/weierstrass: Short Weierstrass curve](#abstractweierstrass-short-weierstrass-curve)
 - [abstract/hash-to-curve: Hashing strings to curve points](#abstracthash-to-curve-hashing-strings-to-curve-points)
+- [abstract/poseidon: Poseidon hash](#abstractposeidon-poseidon-hash)
 - [abstract/modular](#abstractmodular)
 - [abstract/utils](#abstractutils)
 
@@ -302,13 +304,12 @@ const shared = secp256k1.getSharedSecret(key, someonesPubkey);
 export type CurveFn = {
   CURVE: ReturnType<typeof validateOpts>;
   getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  getSharedSecret: (privateA: PrivKey, publicB: PubKey, isCompressed?: boolean) => Uint8Array;
+  getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
   sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
-  signUnhashed: (msg: Uint8Array, privKey: PrivKey, opts?: SignOpts) => SignatureType;
   verify: (
     signature: Hex | SignatureType,
     msgHash: Hex,
-    publicKey: PubKey,
+    publicKey: Hex,
     opts?: { lowS?: boolean }
   ) => boolean;
   Point: PointConstructor;
@@ -370,6 +371,30 @@ hashes arbitrary-length byte strings to a list of one or more elements of a fini
     };
     ```
 
+### abstract/poseidon: Poseidon hash
+
+Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash.
+
+There are many poseidon instances with different constants. We don't provide them,
+but we provide ability to specify them manually. For actual usage, check out
+stark curve source code.
+
+```ts
+import { poseidon } from '@noble/curves/abstract/poseidon';
+
+type PoseidonOpts = {
+  Fp: Field<bigint>;
+  t: number;
+  roundsFull: number;
+  roundsPartial: number;
+  sboxPower?: number;
+  reversePartialPowIdx?: boolean; // Hack for stark
+  mds: bigint[][];
+  roundConstants: bigint[][];
+};
+const instance = poseidon(opts: PoseidonOpts);
+```
+
 ### abstract/modular
 
 Modular arithmetics utilities.
@@ -459,6 +484,25 @@ verify
   noble x 698 ops/sec @ 1ms/op
 ```
 
+## Upgrading
+
+Differences from @noble/secp256k1 1.7:
+
+1. Different double() formula (but same addition)
+2. Different sqrt() function
+3. DRBG supports outputLen bigger than outputLen of hmac
+4. Support for different hash functions
+
+Differences from @noble/ed25519 1.7:
+
+1. Variable field element lengths between EDDSA/ECDH:
+  EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
+2. Different addition formula (doubling is same)
+3. uvRatio differs between curves (half-expected, not only pow fn changes)
+4. Point decompression code is different (unexpected), now using generalized formula
+5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
+
+
 ## Contributing & testing
 
 1. Clone the repository

package/lib/_shortw_utils.d.ts

@@ -32,37 +32,26 @@ export declare function createCurve(curveDef: CurveDef, defHash: CHash): Readonl
                 k2: bigint;
             };
         } | undefined;
-        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => boolean) | undefined;
-        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => import("./abstract/weierstrass.js").ProjectivePointType<bigint>) | undefined;
-        readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
-        readonly mapToCurve?: ((scalar: bigint[]) => {
-            x: bigint;
-            y: bigint;
-        }) | undefined;
+        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => boolean) | undefined;
+        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => import("./abstract/weierstrass.js").ProjPointType<bigint>) | undefined;
         lowS: boolean;
         readonly hash: CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
-        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
+        readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;
     getPublicKey: (privateKey: import("./abstract/utils.js").PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
-    getSharedSecret: (privateA: import("./abstract/utils.js").PrivKey, publicB: import("./abstract/weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
+    getSharedSecret: (privateA: import("./abstract/utils.js").PrivKey, publicB: import("./abstract/utils.js").Hex, isCompressed?: boolean | undefined) => Uint8Array;
     sign: (msgHash: import("./abstract/utils.js").Hex, privKey: import("./abstract/utils.js").PrivKey, opts?: import("./abstract/weierstrass.js").SignOpts | undefined) => import("./abstract/weierstrass.js").SignatureType;
-    signUnhashed: (msg: Uint8Array, privKey: import("./abstract/utils.js").PrivKey, opts?: import("./abstract/weierstrass.js").SignOpts | undefined) => import("./abstract/weierstrass.js").SignatureType;
-    verify: (signature: import("./abstract/utils.js").Hex | import("./abstract/weierstrass.js").SignatureType, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/weierstrass.js").PubKey, opts?: {
-        lowS?: boolean | undefined;
-    } | undefined) => boolean;
-    Point: import("./abstract/weierstrass.js").PointConstructor<bigint>;
-    ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>;
+    verify: (signature: import("./abstract/utils.js").Hex | {
+        r: bigint;
+        s: bigint;
+    }, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/utils.js").Hex, opts?: import("./abstract/weierstrass.js").VerOpts | undefined) => boolean;
+    ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>;
     Signature: import("./abstract/weierstrass.js").SignatureConstructor;
     utils: {
-        _bigintToBytes: (num: bigint) => Uint8Array;
-        _bigintToString: (num: bigint) => string;
         _normalizePrivateKey: (key: import("./abstract/utils.js").PrivKey) => bigint;
-        _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => import("./abstract/weierstrass.js").PointType<bigint>;
-        _isWithinCurveOrder: (num: bigint) => boolean;
-        _isValidFieldElement: (num: bigint) => boolean;
-        _weierstrassEquation: (x: bigint) => bigint;
         isValidPrivateKey(privateKey: import("./abstract/utils.js").PrivKey): boolean;
         hashToPrivateKey: (hash: import("./abstract/utils.js").Hex) => Uint8Array;
         randomPrivateKey: () => Uint8Array;

package/lib/abstract/bls.d.ts

@@ -11,26 +11,31 @@
  * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
  * Some projects may prefer to swap this relation, it is not supported for now.
  */
-import * as mod from './modular.js';
-import * as ut from './utils.js';
-import { Hex, PrivKey } from './utils.js';
-import { htfOpts, stringToBytes, hash_to_field as hashToField, expand_message_xmd as expandMessageXMD } from './hash-to-curve.js';
-import { CurvePointsType, PointType, CurvePointsRes } from './weierstrass.js';
+import { AffinePoint } from './curve.js';
+import { Field } from './modular.js';
+import { Hex, PrivKey, CHash } from './utils.js';
+import * as htf from './hash-to-curve.js';
+import { CurvePointsType, ProjPointType as ProjPointType, CurvePointsRes } from './weierstrass.js';
 declare type Fp = bigint;
 export declare type SignatureCoder<Fp2> = {
-    decode(hex: Hex): PointType<Fp2>;
-    encode(point: PointType<Fp2>): Uint8Array;
+    decode(hex: Hex): ProjPointType<Fp2>;
+    encode(point: ProjPointType<Fp2>): Uint8Array;
 };
 export declare type CurveType<Fp, Fp2, Fp6, Fp12> = {
     r: bigint;
-    G1: Omit<CurvePointsType<Fp>, 'n'>;
+    G1: Omit<CurvePointsType<Fp>, 'n'> & {
+        mapToCurve: htf.MapToCurve<Fp>;
+        htfDefaults: htf.Opts;
+    };
     G2: Omit<CurvePointsType<Fp2>, 'n'> & {
         Signature: SignatureCoder<Fp2>;
+        mapToCurve: htf.MapToCurve<Fp2>;
+        htfDefaults: htf.Opts;
     };
     x: bigint;
-    Fp: mod.Field<Fp>;
-    Fr: mod.Field<bigint>;
-    Fp2: mod.Field<Fp2> & {
+    Fp: Field<Fp>;
+    Fr: Field<bigint>;
+    Fp2: Field<Fp2> & {
         reim: (num: Fp2) => {
             re: bigint;
             im: bigint;
@@ -38,51 +43,53 @@ export declare type CurveType<Fp, Fp2, Fp6, Fp12> = {
         multiplyByB: (num: Fp2) => Fp2;
         frobeniusMap(num: Fp2, power: number): Fp2;
     };
-    Fp6: mod.Field<Fp6>;
-    Fp12: mod.Field<Fp12> & {
+    Fp6: Field<Fp6>;
+    Fp12: Field<Fp12> & {
         frobeniusMap(num: Fp12, power: number): Fp12;
         multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
         conjugate(num: Fp12): Fp12;
         finalExponentiate(num: Fp12): Fp12;
     };
-    htfDefaults: htfOpts;
-    hash: ut.CHash;
+    htfDefaults: htf.Opts;
+    hash: CHash;
     randomBytes: (bytesLength?: number) => Uint8Array;
 };
 export declare type CurveFn<Fp, Fp2, Fp6, Fp12> = {
     CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
-    Fr: mod.Field<bigint>;
-    Fp: mod.Field<Fp>;
-    Fp2: mod.Field<Fp2>;
-    Fp6: mod.Field<Fp6>;
-    Fp12: mod.Field<Fp12>;
+    Fr: Field<bigint>;
+    Fp: Field<Fp>;
+    Fp2: Field<Fp2>;
+    Fp6: Field<Fp6>;
+    Fp12: Field<Fp12>;
     G1: CurvePointsRes<Fp>;
     G2: CurvePointsRes<Fp2>;
     Signature: SignatureCoder<Fp2>;
     millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
-    calcPairingPrecomputes: (x: Fp2, y: Fp2) => [Fp2, Fp2, Fp2][];
-    pairing: (P: PointType<Fp>, Q: PointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+    calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
+    hashToCurve: {
+        G1: ReturnType<(typeof htf.hashToCurve<Fp>)>;
+        G2: ReturnType<(typeof htf.hashToCurve<Fp2>)>;
+    };
+    pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
     getPublicKey: (privateKey: PrivKey) => Uint8Array;
     sign: {
         (message: Hex, privateKey: PrivKey): Uint8Array;
-        (message: PointType<Fp2>, privateKey: PrivKey): PointType<Fp2>;
+        (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
     };
-    verify: (signature: Hex | PointType<Fp2>, message: Hex | PointType<Fp2>, publicKey: Hex | PointType<Fp>) => boolean;
+    verify: (signature: Hex | ProjPointType<Fp2>, message: Hex | ProjPointType<Fp2>, publicKey: Hex | ProjPointType<Fp>) => boolean;
     aggregatePublicKeys: {
         (publicKeys: Hex[]): Uint8Array;
-        (publicKeys: PointType<Fp>[]): PointType<Fp>;
+        (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
     };
     aggregateSignatures: {
         (signatures: Hex[]): Uint8Array;
-        (signatures: PointType<Fp2>[]): PointType<Fp2>;
+        (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
     };
-    verifyBatch: (signature: Hex | PointType<Fp2>, messages: (Hex | PointType<Fp2>)[], publicKeys: (Hex | PointType<Fp>)[]) => boolean;
+    verifyBatch: (signature: Hex | ProjPointType<Fp2>, messages: (Hex | ProjPointType<Fp2>)[], publicKeys: (Hex | ProjPointType<Fp>)[]) => boolean;
     utils: {
-        stringToBytes: typeof stringToBytes;
-        hashToField: typeof hashToField;
-        expandMessageXMD: typeof expandMessageXMD;
-        getDSTLabel: () => string;
-        setDSTLabel(newLabel: string): void;
+        stringToBytes: typeof htf.stringToBytes;
+        hashToField: typeof htf.hash_to_field;
+        expandMessageXMD: typeof htf.expand_message_xmd;
     };
 };
 export declare function bls<Fp2, Fp6, Fp12>(CURVE: CurveType<Fp, Fp2, Fp6, Fp12>): CurveFn<Fp, Fp2, Fp6, Fp12>;

package/lib/abstract/bls.js

@@ -1,17 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bls = void 0;
-const ut = require("./utils.js");
-const hash_to_curve_js_1 = require("./hash-to-curve.js");
+const modular_js_1 = require("./modular.js");
+const utils_js_1 = require("./utils.js");
+const htf = require("./hash-to-curve.js");
 const weierstrass_js_1 = require("./weierstrass.js");
 function bls(CURVE) {
     // Fields looks pretty specific for curve, so for now we need to pass them with options
     const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
-    const BLS_X_LEN = ut.bitLen(CURVE.x);
+    const BLS_X_LEN = (0, utils_js_1.bitLen)(CURVE.x);
     const groupLen = 32; // TODO: calculate; hardcoded for now
     // Pre-compute coefficients for sparse multiplication
     // Point addition and point double calculations is reused for coefficients
-    function calcPairingPrecomputes(x, y) {
+    function calcPairingPrecomputes(p) {
+        const { x, y } = p;
         // prettier-ignore
         const Qx = x, Qy = y, Qz = Fp2.ONE;
         // prettier-ignore
@@ -19,32 +21,32 @@ function bls(CURVE) {
         let ell_coeff = [];
         for (let i = BLS_X_LEN - 2; i >= 0; i--) {
             // Double
-            let t0 = Fp2.square(Ry); // Ry²
-            let t1 = Fp2.square(Rz); // Rz²
+            let t0 = Fp2.sqr(Ry); // Ry²
+            let t1 = Fp2.sqr(Rz); // Rz²
             let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
             let t3 = Fp2.mul(t2, 3n); // 3 * T2
-            let t4 = Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+            let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
             ell_coeff.push([
                 Fp2.sub(t2, t0),
-                Fp2.mul(Fp2.square(Rx), 3n),
-                Fp2.negate(t4), // -T4
+                Fp2.mul(Fp2.sqr(Rx), 3n),
+                Fp2.neg(t4), // -T4
             ]);
             Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
-            Ry = Fp2.sub(Fp2.square(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.square(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+            Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
             Rz = Fp2.mul(t0, t4); // T0 * T4
-            if (ut.bitGet(CURVE.x, i)) {
+            if ((0, utils_js_1.bitGet)(CURVE.x, i)) {
                 // Addition
                 let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
                 let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
                 ell_coeff.push([
                     Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)),
-                    Fp2.negate(t0),
+                    Fp2.neg(t0),
                     t1, // T1
                 ]);
-                let t2 = Fp2.square(t1); // T1²
+                let t2 = Fp2.sqr(t1); // T1²
                 let t3 = Fp2.mul(t2, t1); // T2 * T1
                 let t4 = Fp2.mul(t2, Rx); // T2 * Rx
-                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.square(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+                let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
                 Rx = Fp2.mul(t1, t5); // T1 * T5
                 Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
                 Rz = Fp2.mul(Rz, t3); // Rz * T3
@@ -60,115 +62,114 @@ function bls(CURVE) {
         for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
             const E = ell[j];
             f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
-            if (ut.bitGet(x, i)) {
+            if ((0, utils_js_1.bitGet)(x, i)) {
                 j += 1;
                 const F = ell[j];
                 f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
             }
             if (i !== 0)
-                f12 = Fp12.square(f12);
+                f12 = Fp12.sqr(f12);
         }
         return Fp12.conjugate(f12);
     }
     const utils = {
-        hexToBytes: ut.hexToBytes,
-        bytesToHex: ut.bytesToHex,
-        stringToBytes: hash_to_curve_js_1.stringToBytes,
+        hexToBytes: utils_js_1.hexToBytes,
+        bytesToHex: utils_js_1.bytesToHex,
+        stringToBytes: htf.stringToBytes,
         // TODO: do we need to export it here?
-        hashToField: (msg, count, options = {}) => (0, hash_to_curve_js_1.hash_to_field)(msg, count, { ...CURVE.htfDefaults, ...options }),
-        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => (0, hash_to_curve_js_1.expand_message_xmd)(msg, DST, lenInBytes, H),
-        hashToPrivateKey: (hash) => Fr.toBytes(ut.hashToPrivateScalar(hash, CURVE.r)),
+        hashToField: (msg, count, options = {}) => htf.hash_to_field(msg, count, { ...CURVE.htfDefaults, ...options }),
+        expandMessageXMD: (msg, DST, lenInBytes, H = CURVE.hash) => htf.expand_message_xmd(msg, DST, lenInBytes, H),
+        hashToPrivateKey: (hash) => Fr.toBytes((0, modular_js_1.hashToPrivateScalar)(hash, CURVE.r)),
         randomBytes: (bytesLength = groupLen) => CURVE.randomBytes(bytesLength),
         randomPrivateKey: () => utils.hashToPrivateKey(utils.randomBytes(groupLen + 8)),
-        getDSTLabel: () => CURVE.htfDefaults.DST,
-        setDSTLabel(newLabel) {
-            // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3.1
-            if (typeof newLabel !== 'string' || newLabel.length > 2048 || newLabel.length === 0) {
-                throw new TypeError('Invalid DST');
-            }
-            CURVE.htfDefaults.DST = newLabel;
-        },
     };
     // Point on G1 curve: (x, y)
     const G1 = (0, weierstrass_js_1.weierstrassPoints)({
         n: Fr.ORDER,
         ...CURVE.G1,
     });
+    const G1HashToCurve = htf.hashToCurve(G1.ProjectivePoint, CURVE.G1.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G1.htfDefaults,
+    });
     function pairingPrecomputes(point) {
         const p = point;
         if (p._PPRECOMPUTES)
             return p._PPRECOMPUTES;
-        p._PPRECOMPUTES = calcPairingPrecomputes(p.x, p.y);
+        p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
         return p._PPRECOMPUTES;
     }
-    function clearPairingPrecomputes(point) {
-        const p = point;
-        p._PPRECOMPUTES = undefined;
-    }
-    clearPairingPrecomputes;
-    function millerLoopG1(Q, P) {
-        return millerLoop(pairingPrecomputes(P), [Q.x, Q.y]);
-    }
+    // TODO: export
+    // function clearPairingPrecomputes(point: G2) {
+    //   const p = point as G2 & withPairingPrecomputes;
+    //   p._PPRECOMPUTES = undefined;
+    // }
     // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
     const G2 = (0, weierstrass_js_1.weierstrassPoints)({
         n: Fr.ORDER,
         ...CURVE.G2,
     });
+    const C = G2.ProjectivePoint; // TODO: fix
+    const G2HashToCurve = htf.hashToCurve(C, CURVE.G2.mapToCurve, {
+        ...CURVE.htfDefaults,
+        ...CURVE.G2.htfDefaults,
+    });
     const { Signature } = CURVE.G2;
     // Calculates bilinear pairing
-    function pairing(P, Q, withFinalExponent = true) {
-        if (P.equals(G1.Point.ZERO) || Q.equals(G2.Point.ZERO))
-            throw new Error('No pairings at point of Infinity');
-        P.assertValidity();
+    function pairing(Q, P, withFinalExponent = true) {
+        if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
+            throw new Error('pairing is not available for ZERO point');
         Q.assertValidity();
+        P.assertValidity();
         // Performance: 9ms for millerLoop and ~14ms for exp.
-        const looped = millerLoopG1(P, Q);
+        const Qa = Q.toAffine();
+        const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
         return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
     }
     function normP1(point) {
-        return point instanceof G1.Point ? point : G1.Point.fromHex(point);
+        return point instanceof G1.ProjectivePoint ? point : G1.ProjectivePoint.fromHex(point);
     }
     function normP2(point) {
-        return point instanceof G2.Point ? point : Signature.decode(point);
+        return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
     }
-    function normP2Hash(point) {
-        return point instanceof G2.Point ? point : G2.Point.hashToCurve(point);
+    function normP2Hash(point, htfOpts) {
+        return point instanceof G2.ProjectivePoint
+            ? point
+            : G2HashToCurve.hashToCurve(point, htfOpts);
     }
     // Multiplies generator by private key.
     // P = pk x G
     function getPublicKey(privateKey) {
-        return G1.Point.fromPrivateKey(privateKey).toRawBytes(true);
+        return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
     }
-    function sign(message, privateKey) {
-        const msgPoint = normP2Hash(message);
+    function sign(message, privateKey, htfOpts) {
+        const msgPoint = normP2Hash(message, htfOpts);
         msgPoint.assertValidity();
         const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
-        if (message instanceof G2.Point)
+        if (message instanceof G2.ProjectivePoint)
             return sigPoint;
         return Signature.encode(sigPoint);
     }
     // Checks if pairing of public key & hash is equal to pairing of generator & signature.
     // e(P, H(m)) == e(G, S)
-    function verify(signature, message, publicKey) {
+    function verify(signature, message, publicKey, htfOpts) {
         const P = normP1(publicKey);
-        const Hm = normP2Hash(message);
-        const G = G1.Point.BASE;
+        const Hm = normP2Hash(message, htfOpts);
+        const G = G1.ProjectivePoint.BASE;
         const S = normP2(signature);
         // Instead of doing 2 exponentiations, we use property of billinear maps
         // and do one exp after multiplying 2 points.
         const ePHm = pairing(P.negate(), Hm, false);
         const eGS = pairing(G, S, false);
         const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
-        return Fp12.equals(exp, Fp12.ONE);
+        return Fp12.eql(exp, Fp12.ONE);
     }
     function aggregatePublicKeys(publicKeys) {
         if (!publicKeys.length)
             throw new Error('Expected non-empty array');
-        const agg = publicKeys
-            .map(normP1)
-            .reduce((sum, p) => sum.add(G1.ProjectivePoint.fromAffine(p)), G1.ProjectivePoint.ZERO);
-        const aggAffine = agg.toAffine();
-        if (publicKeys[0] instanceof G1.Point) {
+        const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (publicKeys[0] instanceof G1.ProjectivePoint) {
             aggAffine.assertValidity();
             return aggAffine;
         }
@@ -178,11 +179,9 @@ function bls(CURVE) {
     function aggregateSignatures(signatures) {
         if (!signatures.length)
             throw new Error('Expected non-empty array');
-        const agg = signatures
-            .map(normP2)
-            .reduce((sum, s) => sum.add(G2.ProjectivePoint.fromAffine(s)), G2.ProjectivePoint.ZERO);
-        const aggAffine = agg.toAffine();
-        if (signatures[0] instanceof G2.Point) {
+        const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
+        const aggAffine = agg; //.toAffine();
+        if (signatures[0] instanceof G2.ProjectivePoint) {
             aggAffine.assertValidity();
             return aggAffine;
         }
@@ -190,33 +189,34 @@ function bls(CURVE) {
     }
     // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
     // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
-    function verifyBatch(signature, messages, publicKeys) {
+    function verifyBatch(signature, messages, publicKeys, htfOpts) {
+        // @ts-ignore
+        // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
         if (!messages.length)
             throw new Error('Expected non-empty messages array');
         if (publicKeys.length !== messages.length)
             throw new Error('Pubkey count should equal msg count');
         const sig = normP2(signature);
-        const nMessages = messages.map(normP2Hash);
+        const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
         const nPublicKeys = publicKeys.map(normP1);
         try {
             const paired = [];
             for (const message of new Set(nMessages)) {
-                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.Point.ZERO);
+                const groupPublicKey = nMessages.reduce((groupPublicKey, subMessage, i) => subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey, G1.ProjectivePoint.ZERO);
                 // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
                 // Possible to batch pairing for same msg with different groupPublicKey here
                 paired.push(pairing(groupPublicKey, message, false));
             }
-            paired.push(pairing(G1.Point.BASE.negate(), sig, false));
+            paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
             const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
             const exp = Fp12.finalExponentiate(product);
-            return Fp12.equals(exp, Fp12.ONE);
+            return Fp12.eql(exp, Fp12.ONE);
         }
         catch {
             return false;
         }
     }
-    // Pre-compute points. Refer to README.
-    G1.Point.BASE._setWindowSize(4);
+    G1.ProjectivePoint.BASE._setWindowSize(4);
     return {
         CURVE,
         Fr,
@@ -229,6 +229,7 @@ function bls(CURVE) {
         Signature,
         millerLoop,
         calcPairingPrecomputes,
+        hashToCurve: { G1: G1HashToCurve, G2: G2HashToCurve },
         pairing,
         getPublicKey,
         sign,

package/lib/abstract/{group.d.ts → curve.d.ts}

@@ -1,15 +1,25 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { Field } from './modular.js';
+export declare type AffinePoint<T> = {
+    x: T;
+    y: T;
+} & {
+    z?: never;
+    t?: never;
+};
 export interface Group<T extends Group<T>> {
     double(): T;
     negate(): T;
     add(other: T): T;
     subtract(other: T): T;
     equals(other: T): boolean;
-    multiply(scalar: number | bigint): T;
+    multiply(scalar: bigint): T;
 }
 export declare type GroupConstructor<T> = {
     BASE: T;
     ZERO: T;
 };
+export declare type Mapper<T> = (i: T[]) => T[];
 export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: number): {
     constTimeNegate: (condition: boolean, item: T) => T;
     unsafeLadder(elm: T, n: bigint): T;
@@ -31,4 +41,24 @@ export declare function wNAF<T extends Group<T>>(c: GroupConstructor<T>, bits: n
         p: T;
         f: T;
     };
+    wNAFCached(P: T, precomputesMap: Map<T, T[]>, n: bigint, transform: Mapper<T>): {
+        p: T;
+        f: T;
+    };
+};
+export declare type AbstractCurve<T> = {
+    Fp: Field<T>;
+    n: bigint;
+    nBitLength?: number;
+    nByteLength?: number;
+    h: bigint;
+    hEff?: bigint;
+    Gx: T;
+    Gy: T;
+    wrapPrivateKey?: boolean;
+    allowInfinityPoint?: boolean;
 };
+export declare function validateAbsOpts<FP, T>(curve: AbstractCurve<FP> & T): Readonly<{
+    readonly nBitLength: number;
+    readonly nByteLength: number;
+} & AbstractCurve<FP> & T>;