@noble/curves 0.5.2 → 0.6.1

package/lib/esm/bls12-381.js

@@ -13,7 +13,7 @@ import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
-import { concatBytes, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js';
+import { concatBytes as concatB, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js';
 // Types
 import { mapToCurveSimpleSWU, } from './abstract/weierstrass.js';
 import { isogenyMap } from './abstract/hash-to-curve.js';
@@ -65,24 +65,24 @@ const Fp2 = {
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
-    isZero: ({ c0, c1 }) => Fp.isZero(c0) && Fp.isZero(c1),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.equals(c0, r0) && Fp.equals(c1, r1),
-    negate: ({ c0, c1 }) => ({ c0: Fp.negate(c0), c1: Fp.negate(c1) }),
+    is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
+    neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp2, nums),
     // Normalized
     add: Fp2Add,
     sub: Fp2Subtract,
     mul: Fp2Multiply,
-    square: Fp2Square,
+    sqr: Fp2Square,
     // NonNormalized stuff
     addN: Fp2Add,
     subN: Fp2Subtract,
     mulN: Fp2Multiply,
-    squareN: Fp2Square,
+    sqrN: Fp2Square,
     // Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
-    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp2.invert(rhs)),
-    invert: ({ c0: a, c1: b }) => {
+    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp2.inv(rhs)),
+    inv: ({ c0: a, c1: b }) => {
         // We wish to find the multiplicative inverse of a nonzero
         // element a + bu in Fp2. We leverage an identity
         //
@@ -96,11 +96,11 @@ const Fp2 = {
         // This gives that (a - bu)/(a² + b²) is the inverse
         // of (a + bu). Importantly, this can be computing using
         // only a single inversion in Fp.
-        const factor = Fp.invert(Fp.create(a * a + b * b));
+        const factor = Fp.inv(Fp.create(a * a + b * b));
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
-        if (Fp2.equals(num, Fp2.ZERO))
+        if (Fp2.eql(num, Fp2.ZERO))
             return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
@@ -109,9 +109,9 @@ const Fp2 = {
         // https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1
         // Inspired by https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99
         const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + 8n) / 16n);
-        const check = Fp2.div(Fp2.square(candidateSqrt), num); // candidateSqrt.square().div(this);
+        const check = Fp2.div(Fp2.sqr(candidateSqrt), num); // candidateSqrt.square().div(this);
         const R = FP2_ROOTS_OF_UNITY;
-        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.equals(r, check));
+        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.eql(r, check));
         if (!divisor)
             throw new Error('No root');
         const index = R.indexOf(divisor);
@@ -119,7 +119,7 @@ const Fp2 = {
         if (!root)
             throw new Error('Invalid root');
         const x1 = Fp2.div(candidateSqrt, root);
-        const x2 = Fp2.negate(x1);
+        const x2 = Fp2.neg(x1);
         const { re: re1, im: im1 } = Fp2.reim(x1);
         const { re: re2, im: im2 } = Fp2.reim(x2);
         if (im1 > im2 || (im1 === im2 && re1 > re2))
@@ -140,7 +140,7 @@ const Fp2 = {
             throw new Error(`fromBytes wrong length=${b.length}`);
         return { c0: Fp.fromBytes(b.subarray(0, Fp.BYTES)), c1: Fp.fromBytes(b.subarray(Fp.BYTES)) };
     },
-    toBytes: ({ c0, c1 }) => concatBytes(Fp.toBytes(c0), Fp.toBytes(c1)),
+    toBytes: ({ c0, c1 }) => concatB(Fp.toBytes(c0), Fp.toBytes(c1)),
     cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
         c0: Fp.cmov(c0, r0, c),
         c1: Fp.cmov(c1, r1, c),
@@ -230,15 +230,15 @@ const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
     };
 };
 const Fp6Square = ({ c0, c1, c2 }) => {
-    let t0 = Fp2.square(c0); // c0²
+    let t0 = Fp2.sqr(c0); // c0²
     let t1 = Fp2.mul(Fp2.mul(c0, c1), 2n); // 2 * c0 * c1
     let t3 = Fp2.mul(Fp2.mul(c1, c2), 2n); // 2 * c1 * c2
-    let t4 = Fp2.square(c2); // c2²
+    let t4 = Fp2.sqr(c2); // c2²
     return {
         c0: Fp2.add(Fp2.mulByNonresidue(t3), t0),
         c1: Fp2.add(Fp2.mulByNonresidue(t4), t1),
         // T1 + (c0 - c1 + c2)² + T3 - T0 - T4
-        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.square(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
+        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
 };
 const Fp6 = {
@@ -250,32 +250,32 @@ const Fp6 = {
     ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
-    isZero: ({ c0, c1, c2 }) => Fp2.isZero(c0) && Fp2.isZero(c1) && Fp2.isZero(c2),
-    negate: ({ c0, c1, c2 }) => ({ c0: Fp2.negate(c0), c1: Fp2.negate(c1), c2: Fp2.negate(c2) }),
-    equals: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.equals(c0, r0) && Fp2.equals(c1, r1) && Fp2.equals(c2, r2),
+    is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
+    eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
     sqrt: () => {
         throw new Error('Not implemented');
     },
     // Do we need division by bigint at all? Should be done via order:
-    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp6.invert(rhs)),
+    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp6.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp6, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp6, nums),
     // Normalized
     add: Fp6Add,
     sub: Fp6Subtract,
     mul: Fp6Multiply,
-    square: Fp6Square,
+    sqr: Fp6Square,
     // NonNormalized stuff
     addN: Fp6Add,
     subN: Fp6Subtract,
     mulN: Fp6Multiply,
-    squareN: Fp6Square,
-    invert: ({ c0, c1, c2 }) => {
-        let t0 = Fp2.sub(Fp2.square(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
-        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.square(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
-        let t2 = Fp2.sub(Fp2.square(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
+    sqrN: Fp6Square,
+    inv: ({ c0, c1, c2 }) => {
+        let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
+        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
+        let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
         // 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
-        let t4 = Fp2.invert(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
+        let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
         return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
     },
     // Bytes utils
@@ -288,7 +288,7 @@ const Fp6 = {
             c2: Fp2.fromBytes(b.subarray(2 * Fp2.BYTES)),
         };
     },
-    toBytes: ({ c0, c1, c2 }) => concatBytes(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)),
+    toBytes: ({ c0, c1, c2 }) => concatB(Fp2.toBytes(c0), Fp2.toBytes(c1), Fp2.toBytes(c2)),
     cmov: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }, c) => ({
         c0: Fp2.cmov(c0, r0, c),
         c1: Fp2.cmov(c1, r1, c),
@@ -416,11 +416,11 @@ const Fp12Square = ({ c0, c1 }) => {
     }; // AB + AB
 };
 function Fp4Square(a, b) {
-    const a2 = Fp2.square(a);
-    const b2 = Fp2.square(b);
+    const a2 = Fp2.sqr(a);
+    const b2 = Fp2.sqr(b);
     return {
         first: Fp2.add(Fp2.mulByNonresidue(b2), a2),
-        second: Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
+        second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
 }
 const Fp12 = {
@@ -432,29 +432,29 @@ const Fp12 = {
     ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
-    isZero: ({ c0, c1 }) => Fp6.isZero(c0) && Fp6.isZero(c1),
-    negate: ({ c0, c1 }) => ({ c0: Fp6.negate(c0), c1: Fp6.negate(c1) }),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.equals(c0, r0) && Fp6.equals(c1, r1),
+    is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: () => {
         throw new Error('Not implemented');
     },
-    invert: ({ c0, c1 }) => {
-        let t = Fp6.invert(Fp6.sub(Fp6.square(c0), Fp6.mulByNonresidue(Fp6.square(c1)))); // 1 / (c0² - c1² * v)
-        return { c0: Fp6.mul(c0, t), c1: Fp6.negate(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
+    inv: ({ c0, c1 }) => {
+        let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
+        return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
     },
-    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp12.invert(rhs)),
+    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp12.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp12, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp12, nums),
     // Normalized
     add: Fp12Add,
     sub: Fp12Subtract,
     mul: Fp12Multiply,
-    square: Fp12Square,
+    sqr: Fp12Square,
     // NonNormalized stuff
     addN: Fp12Add,
     subN: Fp12Subtract,
     mulN: Fp12Multiply,
-    squareN: Fp12Square,
+    sqrN: Fp12Square,
     // Bytes utils
     fromBytes: (b) => {
         if (b.length !== Fp12.BYTES)
@@ -464,7 +464,7 @@ const Fp12 = {
             c1: Fp6.fromBytes(b.subarray(Fp6.BYTES)),
         };
     },
-    toBytes: ({ c0, c1 }) => concatBytes(Fp6.toBytes(c0), Fp6.toBytes(c1)),
+    toBytes: ({ c0, c1 }) => concatB(Fp6.toBytes(c0), Fp6.toBytes(c1)),
     cmov: ({ c0, c1 }, { c0: r0, c1: r1 }, c) => ({
         c0: Fp6.cmov(c0, r0, c),
         c1: Fp6.cmov(c1, r1, c),
@@ -508,7 +508,7 @@ const Fp12 = {
         c0: Fp6.multiplyByFp2(c0, rhs),
         c1: Fp6.multiplyByFp2(c1, rhs),
     }),
-    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.negate(c1) }),
+    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.neg(c1) }),
     // A cyclotomic group is a subgroup of Fp^n defined by
     //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
     // The result of any pairing is in a cyclotomic subgroup
@@ -787,7 +787,7 @@ function G2psi(c, P) {
 // 1 / F2(2)^((p-1)/3) in GF(p²)
 const PSI2_C1 = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn;
 function psi2(x, y) {
-    return [Fp2.mul(x, PSI2_C1), Fp2.negate(y)];
+    return [Fp2.mul(x, PSI2_C1), Fp2.neg(y)];
 }
 function G2psi2(c, P) {
     const affine = P.toAffine();
@@ -809,6 +809,7 @@ const htfDefaults = {
     // defined in section 2.2.5
     // Use utils.getDSTLabel(), utils.setDSTLabel(value)
     DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
+    encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     // p: the characteristic of F
     //    where F is a finite field of characteristic p and order q = p^m
     p: Fp.ORDER,
@@ -875,7 +876,7 @@ export const bls12_381 = bls({
         isTorsionFree: (c, point) => {
             // φ endomorphism
             const cubicRootOfUnityModP = 0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen;
-            const phi = new c(Fp.mul(point.x, cubicRootOfUnityModP), point.y, point.z);
+            const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
             // todo: unroll
             const xP = point.multiplyUnsafe(bls12_381.CURVE.x).negate(); // [x]P
             const u2P = xP.multiplyUnsafe(bls12_381.CURVE.x); // [u2]P
@@ -917,13 +918,13 @@ export const bls12_381 = bls({
                     throw new Error('Invalid compressed G1 point');
                 const aflag = bitGet(compressedValue, C_BIT_POS);
                 if ((y * 2n) / P !== aflag)
-                    y = Fp.negate(y);
+                    y = Fp.neg(y);
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
             else if (bytes.length === 96) {
                 // Check if the infinity flag is set
                 if ((bytes[0] & (1 << 6)) !== 0)
-                    return bls12_381.G1.Point.ZERO;
+                    return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
                 const x = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
                 const y = bytesToNumberBE(bytes.slice(Fp.BYTES));
                 return { x: Fp.create(x), y: Fp.create(y) };
@@ -934,7 +935,7 @@ export const bls12_381 = bls({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 if (isZero)
                     return COMPRESSED_ZERO.slice();
@@ -947,11 +948,11 @@ export const bls12_381 = bls({
             else {
                 if (isZero) {
                     // 2x PUBLIC_KEY_LENGTH
-                    const x = concatBytes(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1));
+                    const x = concatB(new Uint8Array([0x40]), new Uint8Array(2 * Fp.BYTES - 1));
                     return x;
                 }
                 else {
-                    return concatBytes(numberToBytesBE(x, Fp.BYTES), numberToBytesBE(y, Fp.BYTES));
+                    return concatB(numberToBytesBE(x, Fp.BYTES), numberToBytesBE(y, Fp.BYTES));
                 }
             }
         },
@@ -1021,6 +1022,8 @@ export const bls12_381 = bls({
             const bitC = m_byte & 0x80; // compression bit
             const bitI = m_byte & 0x40; // point at infinity bit
             const bitS = m_byte & 0x20; // sign bit
+            const L = Fp.BYTES;
+            const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
             if (bytes.length === 96 && bitC) {
                 const { b } = bls12_381.CURVE.G2;
                 const P = Fp.ORDER;
@@ -1032,13 +1035,13 @@ export const bls12_381 = bls({
                     }
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x_1 = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-                const x_0 = bytesToNumberBE(bytes.slice(Fp.BYTES));
+                const x_1 = slc(bytes, 0, L);
+                const x_0 = slc(bytes, L, 2 * L);
                 const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
                 const right = Fp2.add(Fp2.pow(x, 3n), b); // y² = x³ + 4 * (u+1) = x³ + b
                 let y = Fp2.sqrt(right);
                 const Y_bit = y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P ? 1n : 0n;
-                y = bitS > 0 && Y_bit > 0 ? y : Fp2.negate(y);
+                y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
                 return { x, y };
             }
             else if (bytes.length === 192 && !bitC) {
@@ -1046,10 +1049,10 @@ export const bls12_381 = bls({
                 if ((bytes[0] & (1 << 6)) !== 0) {
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x1 = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-                const x0 = bytesToNumberBE(bytes.slice(Fp.BYTES, 2 * Fp.BYTES));
-                const y1 = bytesToNumberBE(bytes.slice(2 * Fp.BYTES, 3 * Fp.BYTES));
-                const y0 = bytesToNumberBE(bytes.slice(3 * Fp.BYTES));
+                const x1 = slc(bytes, 0, L);
+                const x0 = slc(bytes, L, 2 * L);
+                const y1 = slc(bytes, 2 * L, 3 * L);
+                const y0 = slc(bytes, 3 * L, 4 * L);
                 return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
             }
             else {
@@ -1058,23 +1061,23 @@ export const bls12_381 = bls({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 const P = Fp.ORDER;
                 if (isZero)
-                    return concatBytes(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
+                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
                 const flag = Boolean(y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P);
                 // set compressed & sign bits (looks like different offsets than for G1/Fp?)
                 let x_1 = bitSet(x.c1, C_BIT_POS, flag);
                 x_1 = bitSet(x_1, S_BIT_POS, true);
-                return concatBytes(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
+                return concatB(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
             }
             else {
                 if (isZero)
-                    return concatBytes(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
+                    return concatB(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
                 const { re: x0, im: x1 } = Fp2.reim(x);
                 const { re: y0, im: y1 } = Fp2.reim(y);
-                return concatBytes(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES));
+                return concatB(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES));
             }
         },
         Signature: {
@@ -1090,7 +1093,7 @@ export const bls12_381 = bls({
                 // Indicates the infinity point
                 const bflag1 = bitGet(z1, I_BIT_POS);
                 if (bflag1 === 1n)
-                    return bls12_381.G2.Point.ZERO;
+                    return bls12_381.G2.ProjectivePoint.ZERO;
                 const x1 = Fp.create(z1 & Fp.MASK);
                 const x2 = Fp.create(z2);
                 const x = Fp2.create({ c0: x2, c1: x1 });
@@ -1106,23 +1109,25 @@ export const bls12_381 = bls({
                 const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1;
                 const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1;
                 if (isGreater || isZero)
-                    y = Fp2.negate(y);
-                const point = new bls12_381.G2.Point(x, y);
+                    y = Fp2.neg(y);
+                const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
+                // console.log('Signature.decode', point);
                 point.assertValidity();
                 return point;
             },
             encode(point) {
                 // NOTE: by some reasons it was missed in bls12-381, looks like bug
                 point.assertValidity();
-                if (point.equals(bls12_381.G2.Point.ZERO))
-                    return concatBytes(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
-                const { re: x0, im: x1 } = Fp2.reim(point.x);
-                const { re: y0, im: y1 } = Fp2.reim(point.y);
+                if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
+                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
+                const a = point.toAffine();
+                const { re: x0, im: x1 } = Fp2.reim(a.x);
+                const { re: y0, im: y1 } = Fp2.reim(a.y);
                 const tmp = y1 > 0n ? y1 * 2n : y0 * 2n;
                 const aflag1 = Boolean((tmp / Fp.ORDER) & 1n);
                 const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
                 const z2 = x0;
-                return concatBytes(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
+                return concatB(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
             },
         },
     },

package/lib/esm/bn.js

@@ -1,6 +1,6 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { weierstrass } from './abstract/weierstrass.js';
 import { sha256 } from '@noble/hashes/sha256';
+import { weierstrass } from './abstract/weierstrass.js';
 import { getHash } from './_shortw_utils.js';
 import { Fp } from './abstract/modular.js';
 /**

package/lib/esm/ed25519.js

@@ -5,6 +5,7 @@ import { twistedEdwards } from './abstract/edwards.js';
 import { montgomery } from './abstract/montgomery.js';
 import { mod, pow2, isNegativeLE, Fp as Field, FpSqrtEven } from './abstract/modular.js';
 import { ensureBytes, equalBytes, bytesToHex, bytesToNumberLE, numberToBytesLE, } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * ed25519 Twisted Edwards curve with following addons:
  * - X25519 ECDH
@@ -79,57 +80,107 @@ export const ED25519_TORSION_SUBGROUP = [
     'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
 const Fp = Field(ED25519_P, undefined, true);
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    Fp,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512,
+    randomBytes,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+};
+export const ed25519 = twistedEdwards(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
+export const ed25519ph = twistedEdwards({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512,
+});
+export const x25519 = montgomery({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart
 const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
 const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
-const ELL2_C3 = Fp.sqrt(Fp.negate(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C3 = Fp.sqrt(Fp.neg(Fp.ONE)); // 3. c3 = sqrt(-1)
 const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
 const ELL2_J = BigInt(486662);
 // prettier-ignore
 function map_to_curve_elligator2_curve25519(u) {
-    let tv1 = Fp.square(u); //  1.  tv1 = u^2
+    let tv1 = Fp.sqr(u); //  1.  tv1 = u^2
     tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
     let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
-    let x1n = Fp.negate(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
-    let tv2 = Fp.square(xd); //  5.  tv2 = xd^2
+    let x1n = Fp.neg(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.sqr(xd); //  5.  tv2 = xd^2
     let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
     let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
     gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
     gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
     gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); //  11. tv3 = gxd^2
-    tv2 = Fp.square(tv3); //  12. tv2 = tv3^2           # gxd^4
+    let tv3 = Fp.sqr(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.sqr(tv3); //  12. tv2 = tv3^2           # gxd^4
     tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
     tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
     tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
     let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
     y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
     let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
-    tv2 = Fp.square(y11); //  19. tv2 = y11^2
+    tv2 = Fp.sqr(y11); //  19. tv2 = y11^2
     tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
-    let e1 = Fp.equals(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
     let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
     let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
     let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
     y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
     let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
     let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
-    tv2 = Fp.square(y21); //  28. tv2 = y21^2
+    tv2 = Fp.sqr(y21); //  28. tv2 = y21^2
     tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
     let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
-    tv2 = Fp.square(y1); //  32. tv2 = y1^2
+    tv2 = Fp.sqr(y1); //  32. tv2 = y1^2
     tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
-    let e3 = Fp.equals(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
     let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
     let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
     let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
     return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
 }
-const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.negate(BigInt(486664))); // sgn0(c1) MUST equal 0
+const ELL2_C1_EDWARDS = FpSqrtEven(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
 function map_to_curve_elligator2_edwards25519(u) {
     const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
     let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
@@ -138,7 +189,7 @@ function map_to_curve_elligator2_edwards25519(u) {
     let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
     let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
     let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
-    let e = Fp.equals(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
     xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
     xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
     yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
@@ -146,68 +197,19 @@ function map_to_curve_elligator2_edwards25519(u) {
     const inv = Fp.invertBatch([xd, yd]); // batch division
     return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
 }
-const ED25519_DEF = {
-    // Param: a
-    a: BigInt(-1),
-    // Equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
-    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
-    Fp,
-    // Subgroup order: how many points ed25519 has
-    // 2n ** 252n + 27742317777372353535851937790883648493n;
-    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
-    h: BigInt(8),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
-    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(ed25519.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
+    DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+    encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
     hash: sha512,
-    randomBytes,
-    adjustScalarBytes,
-    // dom2
-    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
-    // Constant-time, u/√v
-    uvRatio,
-    htfDefaults: {
-        DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha512,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]),
-};
-export const ed25519 = twistedEdwards(ED25519_DEF);
-function ed25519_domain(data, ctx, phflag) {
-    if (ctx.length > 255)
-        throw new Error('Context is too big');
-    return concatBytes(utf8ToBytes('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
-}
-export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
-export const ed25519ph = twistedEdwards({
-    ...ED25519_DEF,
-    domain: ed25519_domain,
-    preHash: sha512,
-});
-export const x25519 = montgomery({
-    P: ED25519_P,
-    a24: BigInt('121665'),
-    montgomeryBits: 255,
-    nByteLength: 32,
-    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
-    powPminus2: (x) => {
-        const P = ED25519_P;
-        // x^(p-2) aka x^(2^255-21)
-        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
-        return mod(pow2(pow_p_5_8, BigInt(3), P) * b2, P);
-    },
-    adjustScalarBytes,
 });
+export { hashToCurve, encodeToCurve };
 function assertRstPoint(other) {
     if (!(other instanceof RistrettoPoint))
-        throw new TypeError('RistrettoPoint expected');
+        throw new Error('RistrettoPoint expected');
 }
 // √(-1) aka √(a) aka 2^((p-1)/4)
 const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
@@ -316,7 +318,7 @@ export class RistrettoPoint {
      * https://ristretto.group/formulas/encoding.html
      */
     toRawBytes() {
-        let { x, y, z, t } = this.ep;
+        let { ex: x, ey: y, ez: z, et: t } = this.ep;
         const P = ed25519.CURVE.Fp.ORDER;
         const mod = ed25519.CURVE.Fp.create;
         const u1 = mod(mod(z + y) * mod(z - y)); // 1
@@ -354,12 +356,12 @@ export class RistrettoPoint {
     // Compare one point to another.
     equals(other) {
         assertRstPoint(other);
-        const a = this.ep;
-        const b = other.ep;
+        const { ex: X1, ey: Y1 } = this.ep;
+        const { ex: X2, ey: Y2 } = this.ep;
         const mod = ed25519.CURVE.Fp.create;
         // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
-        const one = mod(a.x * b.y) === mod(a.y * b.x);
-        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        const one = mod(X1 * Y2) === mod(Y1 * X2);
+        const two = mod(Y1 * Y2) === mod(X1 * X2);
         return one || two;
     }
     add(other) {