@noble/curves 0.5.2 → 0.6.1

package/lib/bls12-381.js

@@ -68,24 +68,24 @@ const Fp2 = {
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
-    isZero: ({ c0, c1 }) => Fp.isZero(c0) && Fp.isZero(c1),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.equals(c0, r0) && Fp.equals(c1, r1),
-    negate: ({ c0, c1 }) => ({ c0: Fp.negate(c0), c1: Fp.negate(c1) }),
+    is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
+    neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp2, nums),
     // Normalized
     add: Fp2Add,
     sub: Fp2Subtract,
     mul: Fp2Multiply,
-    square: Fp2Square,
+    sqr: Fp2Square,
     // NonNormalized stuff
     addN: Fp2Add,
     subN: Fp2Subtract,
     mulN: Fp2Multiply,
-    squareN: Fp2Square,
+    sqrN: Fp2Square,
     // Why inversion for bigint inside Fp instead of Fp2? it is even used in that context?
-    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp2.invert(rhs)),
-    invert: ({ c0: a, c1: b }) => {
+    div: (lhs, rhs) => Fp2.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp2.inv(rhs)),
+    inv: ({ c0: a, c1: b }) => {
         // We wish to find the multiplicative inverse of a nonzero
         // element a + bu in Fp2. We leverage an identity
         //
@@ -99,11 +99,11 @@ const Fp2 = {
         // This gives that (a - bu)/(a² + b²) is the inverse
         // of (a + bu). Importantly, this can be computing using
         // only a single inversion in Fp.
-        const factor = Fp.invert(Fp.create(a * a + b * b));
+        const factor = Fp.inv(Fp.create(a * a + b * b));
         return { c0: Fp.mul(factor, Fp.create(a)), c1: Fp.mul(factor, Fp.create(-b)) };
     },
     sqrt: (num) => {
-        if (Fp2.equals(num, Fp2.ZERO))
+        if (Fp2.eql(num, Fp2.ZERO))
             return Fp2.ZERO; // Algo doesn't handles this case
         // TODO: Optimize this line. It's extremely slow.
         // Speeding this up would boost aggregateSignatures.
@@ -112,9 +112,9 @@ const Fp2 = {
         // https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1
         // Inspired by https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99
         const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + 8n) / 16n);
-        const check = Fp2.div(Fp2.square(candidateSqrt), num); // candidateSqrt.square().div(this);
+        const check = Fp2.div(Fp2.sqr(candidateSqrt), num); // candidateSqrt.square().div(this);
         const R = FP2_ROOTS_OF_UNITY;
-        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.equals(r, check));
+        const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.eql(r, check));
         if (!divisor)
             throw new Error('No root');
         const index = R.indexOf(divisor);
@@ -122,7 +122,7 @@ const Fp2 = {
         if (!root)
             throw new Error('Invalid root');
         const x1 = Fp2.div(candidateSqrt, root);
-        const x2 = Fp2.negate(x1);
+        const x2 = Fp2.neg(x1);
         const { re: re1, im: im1 } = Fp2.reim(x1);
         const { re: re2, im: im2 } = Fp2.reim(x2);
         if (im1 > im2 || (im1 === im2 && re1 > re2))
@@ -233,15 +233,15 @@ const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
     };
 };
 const Fp6Square = ({ c0, c1, c2 }) => {
-    let t0 = Fp2.square(c0); // c0²
+    let t0 = Fp2.sqr(c0); // c0²
     let t1 = Fp2.mul(Fp2.mul(c0, c1), 2n); // 2 * c0 * c1
     let t3 = Fp2.mul(Fp2.mul(c1, c2), 2n); // 2 * c1 * c2
-    let t4 = Fp2.square(c2); // c2²
+    let t4 = Fp2.sqr(c2); // c2²
     return {
         c0: Fp2.add(Fp2.mulByNonresidue(t3), t0),
         c1: Fp2.add(Fp2.mulByNonresidue(t4), t1),
         // T1 + (c0 - c1 + c2)² + T3 - T0 - T4
-        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.square(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
+        c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
 };
 const Fp6 = {
@@ -253,32 +253,32 @@ const Fp6 = {
     ONE: { c0: Fp2.ONE, c1: Fp2.ZERO, c2: Fp2.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
-    isZero: ({ c0, c1, c2 }) => Fp2.isZero(c0) && Fp2.isZero(c1) && Fp2.isZero(c2),
-    negate: ({ c0, c1, c2 }) => ({ c0: Fp2.negate(c0), c1: Fp2.negate(c1), c2: Fp2.negate(c2) }),
-    equals: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.equals(c0, r0) && Fp2.equals(c1, r1) && Fp2.equals(c2, r2),
+    is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
+    eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
     sqrt: () => {
         throw new Error('Not implemented');
     },
     // Do we need division by bigint at all? Should be done via order:
-    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp6.invert(rhs)),
+    div: (lhs, rhs) => Fp6.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp6.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp6, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp6, nums),
     // Normalized
     add: Fp6Add,
     sub: Fp6Subtract,
     mul: Fp6Multiply,
-    square: Fp6Square,
+    sqr: Fp6Square,
     // NonNormalized stuff
     addN: Fp6Add,
     subN: Fp6Subtract,
     mulN: Fp6Multiply,
-    squareN: Fp6Square,
-    invert: ({ c0, c1, c2 }) => {
-        let t0 = Fp2.sub(Fp2.square(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
-        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.square(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
-        let t2 = Fp2.sub(Fp2.square(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
+    sqrN: Fp6Square,
+    inv: ({ c0, c1, c2 }) => {
+        let t0 = Fp2.sub(Fp2.sqr(c0), Fp2.mulByNonresidue(Fp2.mul(c2, c1))); // c0² - c2 * c1 * (u + 1)
+        let t1 = Fp2.sub(Fp2.mulByNonresidue(Fp2.sqr(c2)), Fp2.mul(c0, c1)); // c2² * (u + 1) - c0 * c1
+        let t2 = Fp2.sub(Fp2.sqr(c1), Fp2.mul(c0, c2)); // c1² - c0 * c2
         // 1/(((c2 * T1 + c1 * T2) * v) + c0 * T0)
-        let t4 = Fp2.invert(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
+        let t4 = Fp2.inv(Fp2.add(Fp2.mulByNonresidue(Fp2.add(Fp2.mul(c2, t1), Fp2.mul(c1, t2))), Fp2.mul(c0, t0)));
         return { c0: Fp2.mul(t4, t0), c1: Fp2.mul(t4, t1), c2: Fp2.mul(t4, t2) };
     },
     // Bytes utils
@@ -419,11 +419,11 @@ const Fp12Square = ({ c0, c1 }) => {
     }; // AB + AB
 };
 function Fp4Square(a, b) {
-    const a2 = Fp2.square(a);
-    const b2 = Fp2.square(b);
+    const a2 = Fp2.sqr(a);
+    const b2 = Fp2.sqr(b);
     return {
         first: Fp2.add(Fp2.mulByNonresidue(b2), a2),
-        second: Fp2.sub(Fp2.sub(Fp2.square(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
+        second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
 }
 const Fp12 = {
@@ -435,29 +435,29 @@ const Fp12 = {
     ONE: { c0: Fp6.ONE, c1: Fp6.ZERO },
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
-    isZero: ({ c0, c1 }) => Fp6.isZero(c0) && Fp6.isZero(c1),
-    negate: ({ c0, c1 }) => ({ c0: Fp6.negate(c0), c1: Fp6.negate(c1) }),
-    equals: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.equals(c0, r0) && Fp6.equals(c1, r1),
+    is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
+    eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: () => {
         throw new Error('Not implemented');
     },
-    invert: ({ c0, c1 }) => {
-        let t = Fp6.invert(Fp6.sub(Fp6.square(c0), Fp6.mulByNonresidue(Fp6.square(c1)))); // 1 / (c0² - c1² * v)
-        return { c0: Fp6.mul(c0, t), c1: Fp6.negate(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
+    inv: ({ c0, c1 }) => {
+        let t = Fp6.inv(Fp6.sub(Fp6.sqr(c0), Fp6.mulByNonresidue(Fp6.sqr(c1)))); // 1 / (c0² - c1² * v)
+        return { c0: Fp6.mul(c0, t), c1: Fp6.neg(Fp6.mul(c1, t)) }; // ((C0 * T) * T) + (-C1 * T) * w
     },
-    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.invert(Fp.create(rhs)) : Fp12.invert(rhs)),
+    div: (lhs, rhs) => Fp12.mul(lhs, typeof rhs === 'bigint' ? Fp.inv(Fp.create(rhs)) : Fp12.inv(rhs)),
     pow: (num, power) => mod.FpPow(Fp12, num, power),
     invertBatch: (nums) => mod.FpInvertBatch(Fp12, nums),
     // Normalized
     add: Fp12Add,
     sub: Fp12Subtract,
     mul: Fp12Multiply,
-    square: Fp12Square,
+    sqr: Fp12Square,
     // NonNormalized stuff
     addN: Fp12Add,
     subN: Fp12Subtract,
     mulN: Fp12Multiply,
-    squareN: Fp12Square,
+    sqrN: Fp12Square,
     // Bytes utils
     fromBytes: (b) => {
         if (b.length !== Fp12.BYTES)
@@ -511,7 +511,7 @@ const Fp12 = {
         c0: Fp6.multiplyByFp2(c0, rhs),
         c1: Fp6.multiplyByFp2(c1, rhs),
     }),
-    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.negate(c1) }),
+    conjugate: ({ c0, c1 }) => ({ c0, c1: Fp6.neg(c1) }),
     // A cyclotomic group is a subgroup of Fp^n defined by
     //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
     // The result of any pairing is in a cyclotomic subgroup
@@ -790,7 +790,7 @@ function G2psi(c, P) {
 // 1 / F2(2)^((p-1)/3) in GF(p²)
 const PSI2_C1 = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn;
 function psi2(x, y) {
-    return [Fp2.mul(x, PSI2_C1), Fp2.negate(y)];
+    return [Fp2.mul(x, PSI2_C1), Fp2.neg(y)];
 }
 function G2psi2(c, P) {
     const affine = P.toAffine();
@@ -812,6 +812,7 @@ const htfDefaults = {
     // defined in section 2.2.5
     // Use utils.getDSTLabel(), utils.setDSTLabel(value)
     DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
+    encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     // p: the characteristic of F
     //    where F is a finite field of characteristic p and order q = p^m
     p: Fp.ORDER,
@@ -878,7 +879,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         isTorsionFree: (c, point) => {
             // φ endomorphism
             const cubicRootOfUnityModP = 0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen;
-            const phi = new c(Fp.mul(point.x, cubicRootOfUnityModP), point.y, point.z);
+            const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
             // todo: unroll
             const xP = point.multiplyUnsafe(exports.bls12_381.CURVE.x).negate(); // [x]P
             const u2P = xP.multiplyUnsafe(exports.bls12_381.CURVE.x); // [u2]P
@@ -920,13 +921,13 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                     throw new Error('Invalid compressed G1 point');
                 const aflag = (0, utils_js_1.bitGet)(compressedValue, C_BIT_POS);
                 if ((y * 2n) / P !== aflag)
-                    y = Fp.negate(y);
+                    y = Fp.neg(y);
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
             else if (bytes.length === 96) {
                 // Check if the infinity flag is set
                 if ((bytes[0] & (1 << 6)) !== 0)
-                    return exports.bls12_381.G1.Point.ZERO;
+                    return exports.bls12_381.G1.ProjectivePoint.ZERO.toAffine();
                 const x = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
                 const y = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES));
                 return { x: Fp.create(x), y: Fp.create(y) };
@@ -937,7 +938,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 if (isZero)
                     return COMPRESSED_ZERO.slice();
@@ -1024,6 +1025,8 @@ exports.bls12_381 = (0, bls_js_1.bls)({
             const bitC = m_byte & 0x80; // compression bit
             const bitI = m_byte & 0x40; // point at infinity bit
             const bitS = m_byte & 0x20; // sign bit
+            const L = Fp.BYTES;
+            const slc = (b, from, to) => (0, utils_js_1.bytesToNumberBE)(b.slice(from, to));
             if (bytes.length === 96 && bitC) {
                 const { b } = exports.bls12_381.CURVE.G2;
                 const P = Fp.ORDER;
@@ -1035,13 +1038,13 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                     }
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x_1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
-                const x_0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES));
+                const x_1 = slc(bytes, 0, L);
+                const x_0 = slc(bytes, L, 2 * L);
                 const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
                 const right = Fp2.add(Fp2.pow(x, 3n), b); // y² = x³ + 4 * (u+1) = x³ + b
                 let y = Fp2.sqrt(right);
                 const Y_bit = y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P ? 1n : 0n;
-                y = bitS > 0 && Y_bit > 0 ? y : Fp2.negate(y);
+                y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
                 return { x, y };
             }
             else if (bytes.length === 192 && !bitC) {
@@ -1049,10 +1052,10 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 if ((bytes[0] & (1 << 6)) !== 0) {
                     return { x: Fp2.ZERO, y: Fp2.ZERO };
                 }
-                const x1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(0, Fp.BYTES));
-                const x0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(Fp.BYTES, 2 * Fp.BYTES));
-                const y1 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(2 * Fp.BYTES, 3 * Fp.BYTES));
-                const y0 = (0, utils_js_1.bytesToNumberBE)(bytes.slice(3 * Fp.BYTES));
+                const x1 = slc(bytes, 0, L);
+                const x0 = slc(bytes, L, 2 * L);
+                const y1 = slc(bytes, 2 * L, 3 * L);
+                const y0 = slc(bytes, 3 * L, 4 * L);
                 return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
             }
             else {
@@ -1061,7 +1064,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
         },
         toBytes: (c, point, isCompressed) => {
             const isZero = point.equals(c.ZERO);
-            const { x, y } = point;
+            const { x, y } = point.toAffine();
             if (isCompressed) {
                 const P = Fp.ORDER;
                 if (isZero)
@@ -1093,7 +1096,7 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 // Indicates the infinity point
                 const bflag1 = (0, utils_js_1.bitGet)(z1, I_BIT_POS);
                 if (bflag1 === 1n)
-                    return exports.bls12_381.G2.Point.ZERO;
+                    return exports.bls12_381.G2.ProjectivePoint.ZERO;
                 const x1 = Fp.create(z1 & Fp.MASK);
                 const x2 = Fp.create(z2);
                 const x = Fp2.create({ c0: x2, c1: x1 });
@@ -1109,18 +1112,20 @@ exports.bls12_381 = (0, bls_js_1.bls)({
                 const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1;
                 const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1;
                 if (isGreater || isZero)
-                    y = Fp2.negate(y);
-                const point = new exports.bls12_381.G2.Point(x, y);
+                    y = Fp2.neg(y);
+                const point = exports.bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
+                // console.log('Signature.decode', point);
                 point.assertValidity();
                 return point;
             },
             encode(point) {
                 // NOTE: by some reasons it was missed in bls12-381, looks like bug
                 point.assertValidity();
-                if (point.equals(exports.bls12_381.G2.Point.ZERO))
+                if (point.equals(exports.bls12_381.G2.ProjectivePoint.ZERO))
                     return (0, utils_js_1.concatBytes)(COMPRESSED_ZERO, (0, utils_js_1.numberToBytesBE)(0n, Fp.BYTES));
-                const { re: x0, im: x1 } = Fp2.reim(point.x);
-                const { re: y0, im: y1 } = Fp2.reim(point.y);
+                const a = point.toAffine();
+                const { re: x0, im: x1 } = Fp2.reim(a.x);
+                const { re: y0, im: y1 } = Fp2.reim(a.y);
                 const tmp = y1 > 0n ? y1 * 2n : y0 * 2n;
                 const aflag1 = Boolean((tmp / Fp.ORDER) & 1n);
                 const z1 = (0, utils_js_1.bitSet)((0, utils_js_1.bitSet)(x1, 381, aflag1), S_BIT_POS, true);

package/lib/bn.js

@@ -2,8 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.bn254 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const sha256_1 = require("@noble/hashes/sha256");
+const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const modular_js_1 = require("./abstract/modular.js");
 /**

package/lib/ed25519.d.ts

@@ -1,11 +1,14 @@
-import { ExtendedPointType } from './abstract/edwards.js';
+import { ExtPointType } from './abstract/edwards.js';
 import { Hex } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 export declare const ED25519_TORSION_SUBGROUP: string[];
 export declare const ed25519: import("./abstract/edwards.js").CurveFn;
 export declare const ed25519ctx: import("./abstract/edwards.js").CurveFn;
 export declare const ed25519ph: import("./abstract/edwards.js").CurveFn;
 export declare const x25519: import("./abstract/montgomery.js").CurveFn;
-declare type ExtendedPoint = ExtendedPointType;
+declare const hashToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>, encodeToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>;
+export { hashToCurve, encodeToCurve };
+declare type ExtendedPoint = ExtPointType;
 /**
  * Each ed25519/ExtendedPoint has 8 different equivalent points. This can be
  * a source of bugs for protocols like ring signatures. Ristretto was created to solve this.
@@ -42,7 +45,6 @@ export declare class RistrettoPoint {
     equals(other: RistrettoPoint): boolean;
     add(other: RistrettoPoint): RistrettoPoint;
     subtract(other: RistrettoPoint): RistrettoPoint;
-    multiply(scalar: number | bigint): RistrettoPoint;
-    multiplyUnsafe(scalar: number | bigint): RistrettoPoint;
+    multiply(scalar: bigint): RistrettoPoint;
+    multiplyUnsafe(scalar: bigint): RistrettoPoint;
 }
-export {};

package/lib/ed25519.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RistrettoPoint = exports.x25519 = exports.ed25519ph = exports.ed25519ctx = exports.ed25519 = exports.ED25519_TORSION_SUBGROUP = void 0;
+exports.RistrettoPoint = exports.encodeToCurve = exports.hashToCurve = exports.x25519 = exports.ed25519ph = exports.ed25519ctx = exports.ed25519 = exports.ED25519_TORSION_SUBGROUP = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha512_1 = require("@noble/hashes/sha512");
 const utils_1 = require("@noble/hashes/utils");
@@ -8,6 +8,7 @@ const edwards_js_1 = require("./abstract/edwards.js");
 const montgomery_js_1 = require("./abstract/montgomery.js");
 const modular_js_1 = require("./abstract/modular.js");
 const utils_js_1 = require("./abstract/utils.js");
+const htf = require("./abstract/hash-to-curve.js");
 /**
  * ed25519 Twisted Edwards curve with following addons:
  * - X25519 ECDH
@@ -82,57 +83,107 @@ exports.ED25519_TORSION_SUBGROUP = [
     'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa',
 ];
 const Fp = (0, modular_js_1.Fp)(ED25519_P, undefined, true);
+const ED25519_DEF = {
+    // Param: a
+    a: BigInt(-1),
+    // Equal to -121665/121666 over finite field.
+    // Negative number is P - number, and division is invert(number, P)
+    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
+    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
+    Fp,
+    // Subgroup order: how many points ed25519 has
+    // 2n ** 252n + 27742317777372353535851937790883648493n;
+    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
+    // Cofactor
+    h: BigInt(8),
+    // Base point (x, y) aka generator point
+    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
+    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+    hash: sha512_1.sha512,
+    randomBytes: utils_1.randomBytes,
+    adjustScalarBytes,
+    // dom2
+    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
+    // Constant-time, u/√v
+    uvRatio,
+};
+exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF);
+function ed25519_domain(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('Context is too big');
+    return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+exports.ed25519ctx = (0, edwards_js_1.twistedEdwards)({ ...ED25519_DEF, domain: ed25519_domain });
+exports.ed25519ph = (0, edwards_js_1.twistedEdwards)({
+    ...ED25519_DEF,
+    domain: ed25519_domain,
+    preHash: sha512_1.sha512,
+});
+exports.x25519 = (0, montgomery_js_1.montgomery)({
+    P: ED25519_P,
+    a24: BigInt('121665'),
+    montgomeryBits: 255,
+    nByteLength: 32,
+    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
+    powPminus2: (x) => {
+        const P = ED25519_P;
+        // x^(p-2) aka x^(2^255-21)
+        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
+        return (0, modular_js_1.mod)((0, modular_js_1.pow2)(pow_p_5_8, BigInt(3), P) * b2, P);
+    },
+    adjustScalarBytes,
+});
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart
 const ELL2_C1 = (Fp.ORDER + BigInt(3)) / BigInt(8); // 1. c1 = (q + 3) / 8       # Integer arithmetic
 const ELL2_C2 = Fp.pow(_2n, ELL2_C1); // 2. c2 = 2^c1
-const ELL2_C3 = Fp.sqrt(Fp.negate(Fp.ONE)); // 3. c3 = sqrt(-1)
+const ELL2_C3 = Fp.sqrt(Fp.neg(Fp.ONE)); // 3. c3 = sqrt(-1)
 const ELL2_C4 = (Fp.ORDER - BigInt(5)) / BigInt(8); // 4. c4 = (q - 5) / 8       # Integer arithmetic
 const ELL2_J = BigInt(486662);
 // prettier-ignore
 function map_to_curve_elligator2_curve25519(u) {
-    let tv1 = Fp.square(u); //  1.  tv1 = u^2
+    let tv1 = Fp.sqr(u); //  1.  tv1 = u^2
     tv1 = Fp.mul(tv1, _2n); //  2.  tv1 = 2 * tv1
     let xd = Fp.add(tv1, Fp.ONE); //  3.   xd = tv1 + 1         # Nonzero: -1 is square (mod p), tv1 is not
-    let x1n = Fp.negate(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
-    let tv2 = Fp.square(xd); //  5.  tv2 = xd^2
+    let x1n = Fp.neg(ELL2_J); //  4.  x1n = -J              # x1 = x1n / xd = -J / (1 + 2 * u^2)
+    let tv2 = Fp.sqr(xd); //  5.  tv2 = xd^2
     let gxd = Fp.mul(tv2, xd); //  6.  gxd = tv2 * xd        # gxd = xd^3
     let gx1 = Fp.mul(tv1, ELL2_J); //  7.  gx1 = J * tv1         # x1n + J * xd
     gx1 = Fp.mul(gx1, x1n); //  8.  gx1 = gx1 * x1n       # x1n^2 + J * x1n * xd
     gx1 = Fp.add(gx1, tv2); //  9.  gx1 = gx1 + tv2       # x1n^2 + J * x1n * xd + xd^2
     gx1 = Fp.mul(gx1, x1n); //  10. gx1 = gx1 * x1n       # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); //  11. tv3 = gxd^2
-    tv2 = Fp.square(tv3); //  12. tv2 = tv3^2           # gxd^4
+    let tv3 = Fp.sqr(gxd); //  11. tv3 = gxd^2
+    tv2 = Fp.sqr(tv3); //  12. tv2 = tv3^2           # gxd^4
     tv3 = Fp.mul(tv3, gxd); //  13. tv3 = tv3 * gxd       # gxd^3
     tv3 = Fp.mul(tv3, gx1); //  14. tv3 = tv3 * gx1       # gx1 * gxd^3
     tv2 = Fp.mul(tv2, tv3); //  15. tv2 = tv2 * tv3       # gx1 * gxd^7
     let y11 = Fp.pow(tv2, ELL2_C4); //  16. y11 = tv2^c4        # (gx1 * gxd^7)^((p - 5) / 8)
     y11 = Fp.mul(y11, tv3); //  17. y11 = y11 * tv3       # gx1*gxd^3*(gx1*gxd^7)^((p-5)/8)
     let y12 = Fp.mul(y11, ELL2_C3); //  18. y12 = y11 * c3
-    tv2 = Fp.square(y11); //  19. tv2 = y11^2
+    tv2 = Fp.sqr(y11); //  19. tv2 = y11^2
     tv2 = Fp.mul(tv2, gxd); //  20. tv2 = tv2 * gxd
-    let e1 = Fp.equals(tv2, gx1); //  21.  e1 = tv2 == gx1
+    let e1 = Fp.eql(tv2, gx1); //  21.  e1 = tv2 == gx1
     let y1 = Fp.cmov(y12, y11, e1); //  22.  y1 = CMOV(y12, y11, e1)  # If g(x1) is square, this is its sqrt
     let x2n = Fp.mul(x1n, tv1); //  23. x2n = x1n * tv1       # x2 = x2n / xd = 2 * u^2 * x1n / xd
     let y21 = Fp.mul(y11, u); //  24. y21 = y11 * u
     y21 = Fp.mul(y21, ELL2_C2); //  25. y21 = y21 * c2
     let y22 = Fp.mul(y21, ELL2_C3); //  26. y22 = y21 * c3
     let gx2 = Fp.mul(gx1, tv1); //  27. gx2 = gx1 * tv1       # g(x2) = gx2 / gxd = 2 * u^2 * g(x1)
-    tv2 = Fp.square(y21); //  28. tv2 = y21^2
+    tv2 = Fp.sqr(y21); //  28. tv2 = y21^2
     tv2 = Fp.mul(tv2, gxd); //  29. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx2); //  30.  e2 = tv2 == gx2
+    let e2 = Fp.eql(tv2, gx2); //  30.  e2 = tv2 == gx2
     let y2 = Fp.cmov(y22, y21, e2); //  31.  y2 = CMOV(y22, y21, e2)  # If g(x2) is square, this is its sqrt
-    tv2 = Fp.square(y1); //  32. tv2 = y1^2
+    tv2 = Fp.sqr(y1); //  32. tv2 = y1^2
     tv2 = Fp.mul(tv2, gxd); //  33. tv2 = tv2 * gxd
-    let e3 = Fp.equals(tv2, gx1); //  34.  e3 = tv2 == gx1
+    let e3 = Fp.eql(tv2, gx1); //  34.  e3 = tv2 == gx1
     let xn = Fp.cmov(x2n, x1n, e3); //  35.  xn = CMOV(x2n, x1n, e3)  # If e3, x = x1, else x = x2
     let y = Fp.cmov(y2, y1, e3); //  36.   y = CMOV(y2, y1, e3)    # If e3, y = y1, else y = y2
     let e4 = Fp.isOdd(y); //  37.  e4 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
+    y = Fp.cmov(y, Fp.neg(y), e3 !== e4); //  38.   y = CMOV(y, -y, e3 XOR e4)
     return { xMn: xn, xMd: xd, yMn: y, yMd: 1n }; //  39. return (xn, xd, y, 1)
 }
-const ELL2_C1_EDWARDS = (0, modular_js_1.FpSqrtEven)(Fp, Fp.negate(BigInt(486664))); // sgn0(c1) MUST equal 0
+const ELL2_C1_EDWARDS = (0, modular_js_1.FpSqrtEven)(Fp, Fp.neg(BigInt(486664))); // sgn0(c1) MUST equal 0
 function map_to_curve_elligator2_edwards25519(u) {
     const { xMn, xMd, yMn, yMd } = map_to_curve_elligator2_curve25519(u); //  1.  (xMn, xMd, yMn, yMd) = map_to_curve_elligator2_curve25519(u)
     let xn = Fp.mul(xMn, yMd); //  2.  xn = xMn * yMd
@@ -141,7 +192,7 @@ function map_to_curve_elligator2_edwards25519(u) {
     let yn = Fp.sub(xMn, xMd); //  5.  yn = xMn - xMd
     let yd = Fp.add(xMn, xMd); //  6.  yd = xMn + xMd    # (n / d - 1) / (n / d + 1) = (n - d) / (n + d)
     let tv1 = Fp.mul(xd, yd); //  7. tv1 = xd * yd
-    let e = Fp.equals(tv1, Fp.ZERO); //  8.   e = tv1 == 0
+    let e = Fp.eql(tv1, Fp.ZERO); //  8.   e = tv1 == 0
     xn = Fp.cmov(xn, Fp.ZERO, e); //  9.  xn = CMOV(xn, 0, e)
     xd = Fp.cmov(xd, Fp.ONE, e); //  10. xd = CMOV(xd, 1, e)
     yn = Fp.cmov(yn, Fp.ONE, e); //  11. yn = CMOV(yn, 1, e)
@@ -149,68 +200,20 @@ function map_to_curve_elligator2_edwards25519(u) {
     const inv = Fp.invertBatch([xd, yd]); // batch division
     return { x: Fp.mul(xn, inv[0]), y: Fp.mul(yn, inv[1]) }; //  13. return (xn, xd, yn, yd)
 }
-const ED25519_DEF = {
-    // Param: a
-    a: BigInt(-1),
-    // Equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
-    d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
-    Fp,
-    // Subgroup order: how many points ed25519 has
-    // 2n ** 252n + 27742317777372353535851937790883648493n;
-    n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
-    h: BigInt(8),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
-    Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.ed25519.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]), {
+    DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
+    encodeDST: 'edwards25519_XMD:SHA-512_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
     hash: sha512_1.sha512,
-    randomBytes: utils_1.randomBytes,
-    adjustScalarBytes,
-    // dom2
-    // Ratio of u to v. Allows us to combine inversion and square root. Uses algo from RFC8032 5.1.3.
-    // Constant-time, u/√v
-    uvRatio,
-    htfDefaults: {
-        DST: 'edwards25519_XMD:SHA-512_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha512_1.sha512,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards25519(scalars[0]),
-};
-exports.ed25519 = (0, edwards_js_1.twistedEdwards)(ED25519_DEF);
-function ed25519_domain(data, ctx, phflag) {
-    if (ctx.length > 255)
-        throw new Error('Context is too big');
-    return (0, utils_1.concatBytes)((0, utils_1.utf8ToBytes)('SigEd25519 no Ed25519 collisions'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
-}
-exports.ed25519ctx = (0, edwards_js_1.twistedEdwards)({ ...ED25519_DEF, domain: ed25519_domain });
-exports.ed25519ph = (0, edwards_js_1.twistedEdwards)({
-    ...ED25519_DEF,
-    domain: ed25519_domain,
-    preHash: sha512_1.sha512,
-});
-exports.x25519 = (0, montgomery_js_1.montgomery)({
-    P: ED25519_P,
-    a24: BigInt('121665'),
-    montgomeryBits: 255,
-    nByteLength: 32,
-    Gu: '0900000000000000000000000000000000000000000000000000000000000000',
-    powPminus2: (x) => {
-        const P = ED25519_P;
-        // x^(p-2) aka x^(2^255-21)
-        const { pow_p_5_8, b2 } = ed25519_pow_2_252_3(x);
-        return (0, modular_js_1.mod)((0, modular_js_1.pow2)(pow_p_5_8, BigInt(3), P) * b2, P);
-    },
-    adjustScalarBytes,
 });
+exports.hashToCurve = hashToCurve;
+exports.encodeToCurve = encodeToCurve;
 function assertRstPoint(other) {
     if (!(other instanceof RistrettoPoint))
-        throw new TypeError('RistrettoPoint expected');
+        throw new Error('RistrettoPoint expected');
 }
 // √(-1) aka √(a) aka 2^((p-1)/4)
 const SQRT_M1 = BigInt('19681161376707505956807079304988542015446066515923890162744021073123829784752');
@@ -319,7 +322,7 @@ class RistrettoPoint {
      * https://ristretto.group/formulas/encoding.html
      */
     toRawBytes() {
-        let { x, y, z, t } = this.ep;
+        let { ex: x, ey: y, ez: z, et: t } = this.ep;
         const P = exports.ed25519.CURVE.Fp.ORDER;
         const mod = exports.ed25519.CURVE.Fp.create;
         const u1 = mod(mod(z + y) * mod(z - y)); // 1
@@ -357,12 +360,12 @@ class RistrettoPoint {
     // Compare one point to another.
     equals(other) {
         assertRstPoint(other);
-        const a = this.ep;
-        const b = other.ep;
+        const { ex: X1, ey: Y1 } = this.ep;
+        const { ex: X2, ey: Y2 } = this.ep;
         const mod = exports.ed25519.CURVE.Fp.create;
         // (x1 * y2 == y1 * x2) | (y1 * y2 == x1 * x2)
-        const one = mod(a.x * b.y) === mod(a.y * b.x);
-        const two = mod(a.y * b.y) === mod(a.x * b.x);
+        const one = mod(X1 * Y2) === mod(Y1 * X2);
+        const two = mod(Y1 * Y2) === mod(X1 * X2);
         return one || two;
     }
     add(other) {

package/lib/ed448.d.ts

@@ -1,3 +1,6 @@
+import * as htf from './abstract/hash-to-curve.js';
 export declare const ed448: import("./abstract/edwards.js").CurveFn;
 export declare const ed448ph: import("./abstract/edwards.js").CurveFn;
 export declare const x448: import("./abstract/montgomery.js").CurveFn;
+declare const hashToCurve: (msg: import("./abstract/utils.js").Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>, encodeToCurve: (msg: import("./abstract/utils.js").Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>;
+export { hashToCurve, encodeToCurve };