@noble/curves 0.6.3 → 0.7.0

package/{lib/secp256k1.js → secp256k1.js}

@@ -1,21 +1,15 @@
 "use strict";
+var _a;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.encodeToCurve = exports.hashToCurve = exports.schnorr = exports.secp256k1 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha256_1 = require("@noble/hashes/sha256");
+const utils_1 = require("@noble/hashes/utils");
 const modular_js_1 = require("./abstract/modular.js");
-const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const utils_js_1 = require("./abstract/utils.js");
-const utils_1 = require("@noble/hashes/utils");
 const htf = require("./abstract/hash-to-curve.js");
-/**
- * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
- * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
- * Should always be used for Projective's double-and-add multiplication.
- * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
- * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
- */
+const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
 const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
 const _1n = BigInt(1);
@@ -51,23 +45,22 @@ function sqrtMod(y) {
 }
 const Fp = (0, modular_js_1.Fp)(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
-    // Params: a, b
-    // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
     a: BigInt(0),
     b: BigInt(7),
-    // Field over which we'll do calculations;
-    // 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
     Fp,
-    // Curve order, total count of valid points in the field
     n: secp256k1N,
     // Base point (x, y) aka generator point
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
     Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
     h: BigInt(1),
-    // Alllow only low-S signatures by default in sign() and verify()
     lowS: true,
+    /**
+     * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
+     * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
+     * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
+     * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
+     */
     endo: {
-        // Params taken from https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
         beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
         splitScalar: (k) => {
             const n = secp256k1N;
@@ -93,17 +86,11 @@ exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
         },
     },
 }, sha256_1.sha256);
-// Schnorr signatures are superior to ECDSA from above.
-// Below is Schnorr-specific code as per BIP0340.
+// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
 const fe = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
 const ge = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
-const TAGS = {
-    challenge: 'BIP0340/challenge',
-    aux: 'BIP0340/aux',
-    nonce: 'BIP0340/nonce',
-};
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
 const TAGGED_HASH_PREFIXES = {};
 function taggedHash(tag, ...messages) {
@@ -117,12 +104,12 @@ function taggedHash(tag, ...messages) {
 }
 const pointToBytes = (point) => point.toRawBytes(true).slice(1);
 const numTo32b = (n) => (0, utils_js_1.numberToBytesBE)(n, 32);
+const modP = (x) => (0, modular_js_1.mod)(x, secp256k1P);
 const modN = (x) => (0, modular_js_1.mod)(x, secp256k1N);
 const Point = exports.secp256k1.ProjectivePoint;
 const GmulAdd = (Q, a, b) => Point.BASE.multiplyAndAddUnsafe(Q, a, b);
-const hex32ToInt = (key) => (0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(key, 32));
 function schnorrGetExtPubKey(priv) {
-    let d = typeof priv === 'bigint' ? priv : hex32ToInt(priv);
+    const d = exports.secp256k1.utils.normPrivateKeyToScalar(priv);
     const point = Point.fromPrivateKey(d); // P = d'⋅G; 0 < d' < n check is done inside
     const scalar = point.hasEvenY() ? d : modN(-d); // d = d' if has_even_y(P), otherwise d = n-d'
     return { point, scalar, bytes: pointToBytes(point) };
@@ -130,31 +117,34 @@ function schnorrGetExtPubKey(priv) {
 function lift_x(x) {
     if (!fe(x))
         throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
-    const c = (0, modular_js_1.mod)(x * x * x + BigInt(7), secp256k1P); // Let c = x³ + 7 mod p.
+    const xx = modP(x * x);
+    const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
     let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
     if (y % 2n !== 0n)
-        y = (0, modular_js_1.mod)(-y, secp256k1P); // Return the unique point P such that x(P) = x and
+        y = modP(-y); // Return the unique point P such that x(P) = x and
     const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
     p.assertValidity();
     return p;
 }
 function challenge(...args) {
-    return modN((0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.challenge, ...args)));
+    return modN((0, utils_js_1.bytesToNumberBE)(taggedHash('BIP0340/challenge', ...args)));
 }
-// Schnorr's pubkey is just `x` of Point (BIP340)
+/**
+ * Schnorr public key is just `x` coordinate of Point as per BIP340.
+ */
 function schnorrGetPublicKey(privateKey) {
     return schnorrGetExtPubKey(privateKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
-// Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
-// auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous
+/**
+ * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
+ * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
+ */
 function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) {
-    if (message == null)
-        throw new Error(`sign: Expected valid message, not "${message}"`);
-    const m = (0, utils_js_1.ensureBytes)(message); // checks for isWithinCurveOrder
-    const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey);
-    const a = (0, utils_js_1.ensureBytes)(auxRand, 32); // Auxiliary random data a: a 32-byte array
-    const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
-    const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
+    const m = (0, utils_js_1.ensureBytes)('message', message);
+    const { bytes: px, scalar: d } = schnorrGetExtPubKey(privateKey); // checks for isWithinCurveOrder
+    const a = (0, utils_js_1.ensureBytes)('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+    const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
+    const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
     const k_ = modN((0, utils_js_1.bytesToNumberBE)(rand)); // Let k' = int(rand) mod n
     if (k_ === _0n)
         throw new Error('sign failed: k is zero'); // Fail if k' = 0.
@@ -169,20 +159,21 @@ function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)
     return sig;
 }
 /**
- * Verifies Schnorr signature synchronously.
+ * Verifies Schnorr signature.
  */
 function schnorrVerify(signature, message, publicKey) {
+    const sig = (0, utils_js_1.ensureBytes)('signature', signature, 64);
+    const m = (0, utils_js_1.ensureBytes)('message', message);
+    const pub = (0, utils_js_1.ensureBytes)('publicKey', publicKey, 32);
     try {
-        const P = lift_x(hex32ToInt(publicKey)); // P = lift_x(int(pk)); fail if that fails
-        const sig = (0, utils_js_1.ensureBytes)(signature, 64);
+        const P = lift_x((0, utils_js_1.bytesToNumberBE)(pub)); // P = lift_x(int(pk)); fail if that fails
         const r = (0, utils_js_1.bytesToNumberBE)(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
         if (!fe(r))
             return false;
         const s = (0, utils_js_1.bytesToNumberBE)(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
         if (!ge(s))
             return false;
-        const m = (0, utils_js_1.ensureBytes)(message);
-        const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
+        const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
         const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
         if (!R || !R.hasEvenY() || R.toAffine().x !== r)
             return false; // -eP == (n-e)P
@@ -197,6 +188,7 @@ exports.schnorr = {
     sign: schnorrSign,
     verify: schnorrVerify,
     utils: {
+        randomPrivateKey: exports.secp256k1.utils.randomPrivateKey,
         getExtendedPublicKey: schnorrGetExtPubKey,
         lift_x,
         pointToBytes,
@@ -240,7 +232,7 @@ const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, {
     B: BigInt('1771'),
     Z: Fp.create(BigInt('-11')),
 });
-const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.secp256k1.ProjectivePoint, (scalars) => {
+_a = htf.createHasher(exports.secp256k1.ProjectivePoint, (scalars) => {
     const { x, y } = mapSWU(Fp.create(scalars[0]));
     return isoMap(x, y);
 }, {
@@ -251,6 +243,5 @@ const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.secp256k1.Project
     k: 128,
     expand: 'xmd',
     hash: sha256_1.sha256,
-});
-exports.hashToCurve = hashToCurve;
-exports.encodeToCurve = encodeToCurve;
+}), exports.hashToCurve = _a.hashToCurve, exports.encodeToCurve = _a.encodeToCurve;
+//# sourceMappingURL=secp256k1.js.map

package/secp256k1.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secp256k1.js","sourceRoot":"","sources":["src/secp256k1.ts"],"names":[],"mappings":";;;;AAAA,sEAAsE;AACtE,iDAA8C;AAC9C,+CAAkD;AAClD,sDAA+D;AAC/D,8DAA4F;AAE5F,kDAAiG;AACjG,mDAAmD;AACnD,yDAAiD;AAEjD,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,UAAU,GAAG,MAAM,CAAC,oEAAoE,CAAC,CAAC;AAChG,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;AAE/D;;;GAGG;AACH,SAAS,OAAO,CAAC,CAAS;IACxB,MAAM,CAAC,GAAG,UAAU,CAAC;IACrB,kBAAkB;IAClB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC7E,kBAAkB;IAClB,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU;IACtC,MAAM,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM;IACpC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,CAAC,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,IAAA,iBAAI,EAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACzE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,EAAE,GAAG,IAAA,eAAK,EAAC,UAAU,EAAE,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAGzD,QAAA,SAAS,GAAG,IAAA,8BAAW,EAClC;IACE,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,EAAE;IACF,CAAC,EAAE,UAAU;IACb,wCAAwC;IACxC,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,EAAE,EAAE,MAAM,CAAC,+EAA+E,CAAC;IAC3F,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACZ,IAAI,EAAE,IAAI;IACV;;;;;OAKG;IACH,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC,oEAAoE,CAAC;QAClF,WAAW,EAAE,CAAC,CAAS,EAAE,EAAE;YACzB,MAAM,CAAC,GAAG,UAAU,CAAC;YACrB,MAAM,EAAE,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YACxD,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,oCAAoC,CAAC,CAAC;YAC/D,MAAM,EAAE,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC;YACzD,MAAM,EAAE,GAAG,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,MAAM,CAAC,qCAAqC,CAAC,CAAC,CAAC,0BAA0B;YAE3F,MAAM,EAAE,GAAG,UAAU,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YACjC,MAAM,EAAE,GAAG,UAAU,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAClC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACvC,IAAI,EAAE,GAAG,IAAA,gBAAG,EAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;YACpC,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,MAAM,KAAK,GAAG,EAAE,GAAG,SAAS,CAAC;YAC7B,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,KAAK;gBAAE,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,EAAE,GAAG,SAAS,IAAI,EAAE,GAAG,SAAS,EAAE;gBACpC,MAAM,IAAI,KAAK,CAAC,sCAAsC,GAAG,CAAC,CAAC,CAAC;aAC7D;YACD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAClC,CAAC;KACF;CACF,EACD,eAAM,CACP,CAAC;AAEF,+FAA+F;AAC/F,iEAAiE;AACjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;AACtB,MAAM,EAAE,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC;AAC7E,MAAM,EAAE,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC;AAC7E,wFAAwF;AACxF,MAAM,oBAAoB,GAAkC,EAAE,CAAC;AAC/D,SAAS,UAAU,CAAC,GAAW,EAAE,GAAG,QAAsB;IACxD,IAAI,IAAI,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,IAAI,KAAK,SAAS,EAAE;QACtB,MAAM,IAAI,GAAG,IAAA,eAAM,EAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,IAAI,GAAG,IAAA,sBAAW,EAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QAC/B,oBAAoB,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;KAClC;IACD,OAAO,IAAA,eAAM,EAAC,IAAA,sBAAW,EAAC,IAAI,EAAE,GAAG,QAAQ,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,YAAY,GAAG,CAAC,KAAwB,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnF,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,0BAAe,EAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACvD,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAA,gBAAG,EAAC,CAAC,EAAE,UAAU,CAAC,CAAC;AAC/C,MAAM,KAAK,GAAG,iBAAS,CAAC,eAAe,CAAC;AACxC,MAAM,OAAO,GAAG,CAAC,CAAoB,EAAE,CAAS,EAAE,CAAS,EAAE,EAAE,CAC7D,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;AAC3C,SAAS,mBAAmB,CAAC,IAAa;IACxC,MAAM,CAAC,GAAG,iBAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,4CAA4C;IACnF,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,8CAA8C;IAC9F,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;AACvD,CAAC;AACD,SAAS,MAAM,CAAC,CAAS;IACvB,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,iBAAiB;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,MAAM,CAAC,GAAG,IAAI,CAAC,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,wBAAwB;IAC5D,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,2BAA2B;IAC/C,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE;QAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,mDAAmD;IACpF,MAAM,CAAC,GAAG,IAAI,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,mDAAmD;IACnF,CAAC,CAAC,cAAc,EAAE,CAAC;IACnB,OAAO,CAAC,CAAC;AACX,CAAC;AACD,SAAS,SAAS,CAAC,GAAG,IAAkB;IACtC,OAAO,IAAI,CAAC,IAAA,0BAAe,EAAC,UAAU,CAAC,mBAAmB,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,UAAe;IAC1C,OAAO,mBAAmB,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,oDAAoD;AACpG,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAClB,OAAY,EACZ,UAAmB,EACnB,UAAe,IAAA,mBAAW,EAAC,EAAE,CAAC;IAE9B,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,UAAU,CAAC,CAAC,CAAC,gCAAgC;IAClG,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,2CAA2C;IAC1F,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,IAAA,0BAAe,EAAC,UAAU,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,yDAAyD;IAChI,MAAM,IAAI,GAAG,UAAU,CAAC,eAAe,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,4CAA4C;IAChG,MAAM,EAAE,GAAG,IAAI,CAAC,IAAA,0BAAe,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,2BAA2B;IACnE,IAAI,EAAE,KAAK,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC,kBAAkB;IAC7E,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC,CAAC,gBAAgB;IACpF,MAAM,CAAC,GAAG,SAAS,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gEAAgE;IAChG,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,+CAA+C;IAC/E,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3B,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,iEAAiE;IACjE,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACpF,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,SAAc,EAAE,OAAY,EAAE,SAAc;IACjE,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,CAAC,GAAG,IAAA,sBAAW,EAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAA,sBAAW,EAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IACpD,IAAI;QACF,MAAM,CAAC,GAAG,MAAM,CAAC,IAAA,0BAAe,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAClF,MAAM,CAAC,GAAG,IAAA,0BAAe,EAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,yCAAyC;QACzF,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzB,MAAM,CAAC,GAAG,IAAA,0BAAe,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAC3F,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACzB,MAAM,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,0CAA0C;QAChG,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB;QACnD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC,CAAC,gBAAgB;QAC/E,OAAO,IAAI,CAAC,CAAC,yDAAyD;KACvE;IAAC,OAAO,KAAK,EAAE;QACd,OAAO,KAAK,CAAC;KACd;AACH,CAAC;AAEY,QAAA,OAAO,GAAG;IACrB,YAAY,EAAE,mBAAmB;IACjC,IAAI,EAAE,WAAW;IACjB,MAAM,EAAE,aAAa;IACrB,KAAK,EAAE;QACL,gBAAgB,EAAE,iBAAS,CAAC,KAAK,CAAC,gBAAgB;QAClD,oBAAoB,EAAE,mBAAmB;QACzC,MAAM;QACN,YAAY;QACZ,eAAe,EAAf,0BAAe;QACf,eAAe,EAAf,0BAAe;QACf,UAAU;QACV,GAAG,EAAH,gBAAG;KACJ;CACF,CAAC;AAEF,MAAM,MAAM,GAAG,GAAG,CAAC,UAAU,CAC3B,EAAE,EACF;IACE,OAAO;IACP;QACE,oEAAoE;QACpE,mEAAmE;QACnE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;KACrE;IACD,OAAO;IACP;QACE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE;QACpE,oEAAoE,EAAE,SAAS;KAChF;CACF,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAA6B,CAClE,CAAC;AACF,MAAM,MAAM,GAAG,IAAA,oCAAmB,EAAC,EAAE,EAAE;IACrC,CAAC,EAAE,MAAM,CAAC,oEAAoE,CAAC;IAC/E,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC;IACjB,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;CAC5B,CAAC,CAAC;AACU,KAAiC,GAAG,CAAC,YAAY,CAC5D,iBAAS,CAAC,eAAe,EACzB,CAAC,OAAiB,EAAE,EAAE;IACpB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,OAAO,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtB,CAAC,EACD;IACE,GAAG,EAAE,gCAAgC;IACrC,SAAS,EAAE,gCAAgC;IAC3C,CAAC,EAAE,EAAE,CAAC,KAAK;IACX,CAAC,EAAE,CAAC;IACJ,CAAC,EAAE,GAAG;IACN,MAAM,EAAE,KAAK;IACb,IAAI,EAAE,eAAM;CACb,CACF,EAfc,mBAAW,mBAAE,qBAAa,oBAevC"}

package/src/_shortw_utils.ts

@@ -0,0 +1,20 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
+import { weierstrass, CurveType } from './abstract/weierstrass.js';
+import { CHash } from './abstract/utils.js';
+
+// connects noble-curves to noble-hashes
+export function getHash(hash: CHash) {
+  return {
+    hash,
+    hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(hash, key, concatBytes(...msgs)),
+    randomBytes,
+  };
+}
+// Same API as @noble/hashes, with ability to create curve with custom hash
+type CurveDef = Readonly<Omit<CurveType, 'hash' | 'hmac' | 'randomBytes'>>;
+export function createCurve(curveDef: CurveDef, defHash: CHash) {
+  const create = (hash: CHash) => weierstrass({ ...curveDef, ...getHash(hash) });
+  return Object.freeze({ ...create(defHash), create });
+}

package/src/abstract/bls.ts

@@ -0,0 +1,376 @@
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/**
+ * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
+ * Implements BLS (Boneh-Lynn-Shacham) signatures.
+ * Consists of two curves: G1 and G2:
+ * - G1 is a subgroup of (x, y) E(Fq) over y² = x³ + 4.
+ * - G2 is a subgroup of ((x₁, x₂+i), (y₁, y₂+i)) E(Fq²) over y² = x³ + 4(1 + i) where i is √-1
+ * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
+ *   Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
+ * Pairing is used to aggregate and verify signatures.
+ * We are using Fp for private keys (shorter) and Fp₂ for signatures (longer).
+ * Some projects may prefer to swap this relation, it is not supported for now.
+ */
+import { AffinePoint } from './curve.js';
+import { Field, hashToPrivateScalar } from './modular.js';
+import { Hex, PrivKey, CHash, bitLen, bitGet, ensureBytes } from './utils.js';
+import * as htf from './hash-to-curve.js';
+import {
+  CurvePointsType,
+  ProjPointType as ProjPointType,
+  CurvePointsRes,
+  weierstrassPoints,
+} from './weierstrass.js';
+
+type Fp = bigint; // Can be different field?
+
+export type SignatureCoder<Fp2> = {
+  decode(hex: Hex): ProjPointType<Fp2>;
+  encode(point: ProjPointType<Fp2>): Uint8Array;
+};
+
+export type CurveType<Fp, Fp2, Fp6, Fp12> = {
+  r: bigint;
+  G1: Omit<CurvePointsType<Fp>, 'n'> & {
+    mapToCurve: htf.MapToCurve<Fp>;
+    htfDefaults: htf.Opts;
+  };
+  G2: Omit<CurvePointsType<Fp2>, 'n'> & {
+    Signature: SignatureCoder<Fp2>;
+    mapToCurve: htf.MapToCurve<Fp2>;
+    htfDefaults: htf.Opts;
+  };
+  x: bigint;
+  Fp: Field<Fp>;
+  Fr: Field<bigint>;
+  Fp2: Field<Fp2> & {
+    reim: (num: Fp2) => { re: bigint; im: bigint };
+    multiplyByB: (num: Fp2) => Fp2;
+    frobeniusMap(num: Fp2, power: number): Fp2;
+  };
+  Fp6: Field<Fp6>;
+  Fp12: Field<Fp12> & {
+    frobeniusMap(num: Fp12, power: number): Fp12;
+    multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
+    conjugate(num: Fp12): Fp12;
+    finalExponentiate(num: Fp12): Fp12;
+  };
+  htfDefaults: htf.Opts;
+  hash: CHash; // Because we need outputLen for DRBG
+  randomBytes: (bytesLength?: number) => Uint8Array;
+};
+
+export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
+  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
+  Fr: Field<bigint>;
+  Fp: Field<Fp>;
+  Fp2: Field<Fp2>;
+  Fp6: Field<Fp6>;
+  Fp12: Field<Fp12>;
+  G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
+  G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
+  Signature: SignatureCoder<Fp2>;
+  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
+  calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
+  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+  getPublicKey: (privateKey: PrivKey) => Uint8Array;
+  sign: {
+    (message: Hex, privateKey: PrivKey): Uint8Array;
+    (message: ProjPointType<Fp2>, privateKey: PrivKey): ProjPointType<Fp2>;
+  };
+  verify: (
+    signature: Hex | ProjPointType<Fp2>,
+    message: Hex | ProjPointType<Fp2>,
+    publicKey: Hex | ProjPointType<Fp>
+  ) => boolean;
+  aggregatePublicKeys: {
+    (publicKeys: Hex[]): Uint8Array;
+    (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
+  };
+  aggregateSignatures: {
+    (signatures: Hex[]): Uint8Array;
+    (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
+  };
+  verifyBatch: (
+    signature: Hex | ProjPointType<Fp2>,
+    messages: (Hex | ProjPointType<Fp2>)[],
+    publicKeys: (Hex | ProjPointType<Fp>)[]
+  ) => boolean;
+  utils: {
+    randomPrivateKey: () => Uint8Array;
+  };
+};
+
+export function bls<Fp2, Fp6, Fp12>(
+  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>
+): CurveFn<Fp, Fp2, Fp6, Fp12> {
+  // Fields looks pretty specific for curve, so for now we need to pass them with opts
+  const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
+  const BLS_X_LEN = bitLen(CURVE.x);
+  const groupLen = 32; // TODO: calculate; hardcoded for now
+
+  // Pre-compute coefficients for sparse multiplication
+  // Point addition and point double calculations is reused for coefficients
+  function calcPairingPrecomputes(p: AffinePoint<Fp2>) {
+    const { x, y } = p;
+    // prettier-ignore
+    const Qx = x, Qy = y, Qz = Fp2.ONE;
+    // prettier-ignore
+    let Rx = Qx, Ry = Qy, Rz = Qz;
+    let ell_coeff: [Fp2, Fp2, Fp2][] = [];
+    for (let i = BLS_X_LEN - 2; i >= 0; i--) {
+      // Double
+      let t0 = Fp2.sqr(Ry); // Ry²
+      let t1 = Fp2.sqr(Rz); // Rz²
+      let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
+      let t3 = Fp2.mul(t2, 3n); // 3 * T2
+      let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
+      ell_coeff.push([
+        Fp2.sub(t2, t0), // T2 - T0
+        Fp2.mul(Fp2.sqr(Rx), 3n), // 3 * Rx²
+        Fp2.neg(t4), // -T4
+      ]);
+      Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
+      Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+      Rz = Fp2.mul(t0, t4); // T0 * T4
+      if (bitGet(CURVE.x, i)) {
+        // Addition
+        let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
+        let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
+        ell_coeff.push([
+          Fp2.sub(Fp2.mul(t0, Qx), Fp2.mul(t1, Qy)), // T0 * Qx - T1 * Qy
+          Fp2.neg(t0), // -T0
+          t1, // T1
+        ]);
+        let t2 = Fp2.sqr(t1); // T1²
+        let t3 = Fp2.mul(t2, t1); // T2 * T1
+        let t4 = Fp2.mul(t2, Rx); // T2 * Rx
+        let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+        Rx = Fp2.mul(t1, t5); // T1 * T5
+        Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
+        Rz = Fp2.mul(Rz, t3); // Rz * T3
+      }
+    }
+    return ell_coeff;
+  }
+
+  function millerLoop(ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]): Fp12 {
+    const { x } = CURVE;
+    const Px = g1[0];
+    const Py = g1[1];
+    let f12 = Fp12.ONE;
+    for (let j = 0, i = BLS_X_LEN - 2; i >= 0; i--, j++) {
+      const E = ell[j];
+      f12 = Fp12.multiplyBy014(f12, E[0], Fp2.mul(E[1], Px), Fp2.mul(E[2], Py));
+      if (bitGet(x, i)) {
+        j += 1;
+        const F = ell[j];
+        f12 = Fp12.multiplyBy014(f12, F[0], Fp2.mul(F[1], Px), Fp2.mul(F[2], Py));
+      }
+      if (i !== 0) f12 = Fp12.sqr(f12);
+    }
+    return Fp12.conjugate(f12);
+  }
+
+  const utils = {
+    randomPrivateKey: (): Uint8Array => {
+      return Fr.toBytes(hashToPrivateScalar(CURVE.randomBytes(groupLen + 8), CURVE.r));
+    },
+  };
+
+  // Point on G1 curve: (x, y)
+  const G1_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G1 });
+  const G1 = Object.assign(
+    G1_,
+    htf.createHasher(G1_.ProjectivePoint, CURVE.G1.mapToCurve, {
+      ...CURVE.htfDefaults,
+      ...CURVE.G1.htfDefaults,
+    })
+  );
+
+  // Sparse multiplication against precomputed coefficients
+  // TODO: replace with weakmap?
+  type withPairingPrecomputes = { _PPRECOMPUTES: [Fp2, Fp2, Fp2][] | undefined };
+  function pairingPrecomputes(point: G2): [Fp2, Fp2, Fp2][] {
+    const p = point as G2 & withPairingPrecomputes;
+    if (p._PPRECOMPUTES) return p._PPRECOMPUTES;
+    p._PPRECOMPUTES = calcPairingPrecomputes(point.toAffine());
+    return p._PPRECOMPUTES;
+  }
+
+  // TODO: export
+  // function clearPairingPrecomputes(point: G2) {
+  //   const p = point as G2 & withPairingPrecomputes;
+  //   p._PPRECOMPUTES = undefined;
+  // }
+
+  // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
+  const G2_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G2 });
+  const G2 = Object.assign(
+    G2_,
+    htf.createHasher(G2_.ProjectivePoint as htf.H2CPointConstructor<Fp2>, CURVE.G2.mapToCurve, {
+      ...CURVE.htfDefaults,
+      ...CURVE.G2.htfDefaults,
+    })
+  );
+
+  const { Signature } = CURVE.G2;
+
+  // Calculates bilinear pairing
+  function pairing(Q: G1, P: G2, withFinalExponent: boolean = true): Fp12 {
+    if (Q.equals(G1.ProjectivePoint.ZERO) || P.equals(G2.ProjectivePoint.ZERO))
+      throw new Error('pairing is not available for ZERO point');
+    Q.assertValidity();
+    P.assertValidity();
+    // Performance: 9ms for millerLoop and ~14ms for exp.
+    const Qa = Q.toAffine();
+    const looped = millerLoop(pairingPrecomputes(P), [Qa.x, Qa.y]);
+    return withFinalExponent ? Fp12.finalExponentiate(looped) : looped;
+  }
+  type G1 = typeof G1.ProjectivePoint.BASE;
+  type G2 = typeof G2.ProjectivePoint.BASE;
+
+  type G1Hex = Hex | G1;
+  type G2Hex = Hex | G2;
+  function normP1(point: G1Hex): G1 {
+    return point instanceof G1.ProjectivePoint ? (point as G1) : G1.ProjectivePoint.fromHex(point);
+  }
+  function normP2(point: G2Hex): G2 {
+    return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
+  }
+  function normP2Hash(point: G2Hex, htfOpts?: htf.htfBasicOpts): G2 {
+    return point instanceof G2.ProjectivePoint
+      ? point
+      : (G2.hashToCurve(ensureBytes('point', point), htfOpts) as G2);
+  }
+
+  // Multiplies generator by private key.
+  // P = pk x G
+  function getPublicKey(privateKey: PrivKey): Uint8Array {
+    return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+  }
+
+  // Executes `hashToCurve` on the message and then multiplies the result by private key.
+  // S = pk x H(m)
+  function sign(message: Hex, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): Uint8Array;
+  function sign(message: G2, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): G2;
+  function sign(message: G2Hex, privateKey: PrivKey, htfOpts?: htf.htfBasicOpts): Uint8Array | G2 {
+    const msgPoint = normP2Hash(message, htfOpts);
+    msgPoint.assertValidity();
+    const sigPoint = msgPoint.multiply(G1.normalizePrivateKey(privateKey));
+    if (message instanceof G2.ProjectivePoint) return sigPoint;
+    return Signature.encode(sigPoint);
+  }
+
+  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+  // e(P, H(m)) == e(G, S)
+  function verify(
+    signature: G2Hex,
+    message: G2Hex,
+    publicKey: G1Hex,
+    htfOpts?: htf.htfBasicOpts
+  ): boolean {
+    const P = normP1(publicKey);
+    const Hm = normP2Hash(message, htfOpts);
+    const G = G1.ProjectivePoint.BASE;
+    const S = normP2(signature);
+    // Instead of doing 2 exponentiations, we use property of billinear maps
+    // and do one exp after multiplying 2 points.
+    const ePHm = pairing(P.negate(), Hm, false);
+    const eGS = pairing(G, S, false);
+    const exp = Fp12.finalExponentiate(Fp12.mul(eGS, ePHm));
+    return Fp12.eql(exp, Fp12.ONE);
+  }
+
+  // Adds a bunch of public key points together.
+  // pk1 + pk2 + pk3 = pkA
+  function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
+  function aggregatePublicKeys(publicKeys: G1[]): G1;
+  function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
+    if (!publicKeys.length) throw new Error('Expected non-empty array');
+    const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
+    const aggAffine = agg; //.toAffine();
+    if (publicKeys[0] instanceof G1.ProjectivePoint) {
+      aggAffine.assertValidity();
+      return aggAffine;
+    }
+    // toRawBytes ensures point validity
+    return aggAffine.toRawBytes(true);
+  }
+
+  // Adds a bunch of signature points together.
+  function aggregateSignatures(signatures: Hex[]): Uint8Array;
+  function aggregateSignatures(signatures: G2[]): G2;
+  function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
+    if (!signatures.length) throw new Error('Expected non-empty array');
+    const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
+    const aggAffine = agg; //.toAffine();
+    if (signatures[0] instanceof G2.ProjectivePoint) {
+      aggAffine.assertValidity();
+      return aggAffine;
+    }
+    return Signature.encode(aggAffine);
+  }
+
+  // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
+  // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+  function verifyBatch(
+    signature: G2Hex,
+    messages: G2Hex[],
+    publicKeys: G1Hex[],
+    htfOpts?: htf.htfBasicOpts
+  ): boolean {
+    // @ts-ignore
+    // console.log('verifyBatch', bytesToHex(signature as any), messages, publicKeys.map(bytesToHex));
+
+    if (!messages.length) throw new Error('Expected non-empty messages array');
+    if (publicKeys.length !== messages.length)
+      throw new Error('Pubkey count should equal msg count');
+    const sig = normP2(signature);
+    const nMessages = messages.map((i) => normP2Hash(i, htfOpts));
+    const nPublicKeys = publicKeys.map(normP1);
+    try {
+      const paired = [];
+      for (const message of new Set(nMessages)) {
+        const groupPublicKey = nMessages.reduce(
+          (groupPublicKey, subMessage, i) =>
+            subMessage === message ? groupPublicKey.add(nPublicKeys[i]) : groupPublicKey,
+          G1.ProjectivePoint.ZERO
+        );
+        // const msg = message instanceof PointG2 ? message : await PointG2.hashToCurve(message);
+        // Possible to batch pairing for same msg with different groupPublicKey here
+        paired.push(pairing(groupPublicKey, message, false));
+      }
+      paired.push(pairing(G1.ProjectivePoint.BASE.negate(), sig, false));
+      const product = paired.reduce((a, b) => Fp12.mul(a, b), Fp12.ONE);
+      const exp = Fp12.finalExponentiate(product);
+      return Fp12.eql(exp, Fp12.ONE);
+    } catch {
+      return false;
+    }
+  }
+
+  G1.ProjectivePoint.BASE._setWindowSize(4);
+
+  return {
+    CURVE,
+    Fr,
+    Fp,
+    Fp2,
+    Fp6,
+    Fp12,
+    G1,
+    G2,
+    Signature,
+    millerLoop,
+    calcPairingPrecomputes,
+    pairing,
+    getPublicKey,
+    sign,
+    verify,
+    aggregatePublicKeys,
+    aggregateSignatures,
+    verifyBatch,
+    utils,
+  };
+}