@noble/curves 0.9.0 → 1.0.0

package/src/abstract/bls.ts

@@ -24,13 +24,16 @@ import {
 
 type Fp = bigint; // Can be different field?
 
+// prettier-ignore
+const _2n = BigInt(2), _3n = BigInt(3);
+
 export type SignatureCoder<Fp2> = {
-  decode(hex: Hex): ProjPointType<Fp2>;
-  encode(point: ProjPointType<Fp2>): Uint8Array;
+  fromHex(hex: Hex): ProjPointType<Fp2>;
+  toRawBytes(point: ProjPointType<Fp2>): Uint8Array;
+  toHex(point: ProjPointType<Fp2>): string;
 };
 
 export type CurveType<Fp, Fp2, Fp6, Fp12> = {
-  r: bigint;
   G1: Omit<CurvePointsType<Fp>, 'n'> & {
     mapToCurve: htf.MapToCurve<Fp>;
     htfDefaults: htf.Opts;
@@ -40,20 +43,25 @@ export type CurveType<Fp, Fp2, Fp6, Fp12> = {
     mapToCurve: htf.MapToCurve<Fp2>;
     htfDefaults: htf.Opts;
   };
-  x: bigint;
-  Fp: IField<Fp>;
-  Fr: IField<bigint>;
-  Fp2: IField<Fp2> & {
-    reim: (num: Fp2) => { re: bigint; im: bigint };
-    multiplyByB: (num: Fp2) => Fp2;
-    frobeniusMap(num: Fp2, power: number): Fp2;
+  fields: {
+    Fp: IField<Fp>;
+    Fr: IField<bigint>;
+    Fp2: IField<Fp2> & {
+      reim: (num: Fp2) => { re: bigint; im: bigint };
+      multiplyByB: (num: Fp2) => Fp2;
+      frobeniusMap(num: Fp2, power: number): Fp2;
+    };
+    Fp6: IField<Fp6>;
+    Fp12: IField<Fp12> & {
+      frobeniusMap(num: Fp12, power: number): Fp12;
+      multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
+      conjugate(num: Fp12): Fp12;
+      finalExponentiate(num: Fp12): Fp12;
+    };
   };
-  Fp6: IField<Fp6>;
-  Fp12: IField<Fp12> & {
-    frobeniusMap(num: Fp12, power: number): Fp12;
-    multiplyBy014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
-    conjugate(num: Fp12): Fp12;
-    finalExponentiate(num: Fp12): Fp12;
+  params: {
+    x: bigint;
+    r: bigint;
   };
   htfDefaults: htf.Opts;
   hash: CHash; // Because we need outputLen for DRBG
@@ -61,18 +69,6 @@ export type CurveType<Fp, Fp2, Fp6, Fp12> = {
 };
 
 export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
-  CURVE: CurveType<Fp, Fp2, Fp6, Fp12>;
-  Fr: IField<bigint>;
-  Fp: IField<Fp>;
-  Fp2: IField<Fp2>;
-  Fp6: IField<Fp6>;
-  Fp12: IField<Fp12>;
-  G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
-  G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
-  Signature: SignatureCoder<Fp2>;
-  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
-  calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
-  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
   getPublicKey: (privateKey: PrivKey) => Uint8Array;
   sign: {
     (message: Hex, privateKey: PrivKey): Uint8Array;
@@ -83,6 +79,11 @@ export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
     message: Hex | ProjPointType<Fp2>,
     publicKey: Hex | ProjPointType<Fp>
   ) => boolean;
+  verifyBatch: (
+    signature: Hex | ProjPointType<Fp2>,
+    messages: (Hex | ProjPointType<Fp2>)[],
+    publicKeys: (Hex | ProjPointType<Fp>)[]
+  ) => boolean;
   aggregatePublicKeys: {
     (publicKeys: Hex[]): Uint8Array;
     (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
@@ -91,22 +92,36 @@ export type CurveFn<Fp, Fp2, Fp6, Fp12> = {
     (signatures: Hex[]): Uint8Array;
     (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
   };
-  verifyBatch: (
-    signature: Hex | ProjPointType<Fp2>,
-    messages: (Hex | ProjPointType<Fp2>)[],
-    publicKeys: (Hex | ProjPointType<Fp>)[]
-  ) => boolean;
+  millerLoop: (ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]) => Fp12;
+  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+  G1: CurvePointsRes<Fp> & ReturnType<typeof htf.createHasher<Fp>>;
+  G2: CurvePointsRes<Fp2> & ReturnType<typeof htf.createHasher<Fp2>>;
+  Signature: SignatureCoder<Fp2>;
+  params: {
+    x: bigint;
+    r: bigint;
+    G1b: bigint;
+    G2b: Fp2;
+  };
+  fields: {
+    Fp: IField<Fp>;
+    Fp2: IField<Fp2>;
+    Fp6: IField<Fp6>;
+    Fp12: IField<Fp12>;
+    Fr: IField<bigint>;
+  };
   utils: {
     randomPrivateKey: () => Uint8Array;
+    calcPairingPrecomputes: (p: AffinePoint<Fp2>) => [Fp2, Fp2, Fp2][];
   };
 };
 
 export function bls<Fp2, Fp6, Fp12>(
   CURVE: CurveType<Fp, Fp2, Fp6, Fp12>
 ): CurveFn<Fp, Fp2, Fp6, Fp12> {
-  // Fields looks pretty specific for curve, so for now we need to pass them with opts
-  const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE;
-  const BLS_X_LEN = bitLen(CURVE.x);
+  // Fields are specific for curve, so for now we'll need to pass them with opts
+  const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE.fields;
+  const BLS_X_LEN = bitLen(CURVE.params.x);
   const groupLen = 32; // TODO: calculate; hardcoded for now
 
   // Pre-compute coefficients for sparse multiplication
@@ -122,18 +137,18 @@ export function bls<Fp2, Fp6, Fp12>(
       // Double
       let t0 = Fp2.sqr(Ry); // Ry²
       let t1 = Fp2.sqr(Rz); // Rz²
-      let t2 = Fp2.multiplyByB(Fp2.mul(t1, 3n)); // 3 * T1 * B
-      let t3 = Fp2.mul(t2, 3n); // 3 * T2
+      let t2 = Fp2.multiplyByB(Fp2.mul(t1, _3n)); // 3 * T1 * B
+      let t3 = Fp2.mul(t2, _3n); // 3 * T2
       let t4 = Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(Ry, Rz)), t1), t0); // (Ry + Rz)² - T1 - T0
       ell_coeff.push([
         Fp2.sub(t2, t0), // T2 - T0
-        Fp2.mul(Fp2.sqr(Rx), 3n), // 3 * Rx²
+        Fp2.mul(Fp2.sqr(Rx), _3n), // 3 * Rx²
         Fp2.neg(t4), // -T4
       ]);
-      Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), 2n); // ((T0 - T3) * Rx * Ry) / 2
-      Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), 2n)), Fp2.mul(Fp2.sqr(t2), 3n)); // ((T0 + T3) / 2)² - 3 * T2²
+      Rx = Fp2.div(Fp2.mul(Fp2.mul(Fp2.sub(t0, t3), Rx), Ry), _2n); // ((T0 - T3) * Rx * Ry) / 2
+      Ry = Fp2.sub(Fp2.sqr(Fp2.div(Fp2.add(t0, t3), _2n)), Fp2.mul(Fp2.sqr(t2), _3n)); // ((T0 + T3) / 2)² - 3 * T2²
       Rz = Fp2.mul(t0, t4); // T0 * T4
-      if (bitGet(CURVE.x, i)) {
+      if (bitGet(CURVE.params.x, i)) {
         // Addition
         let t0 = Fp2.sub(Ry, Fp2.mul(Qy, Rz)); // Ry - Qy * Rz
         let t1 = Fp2.sub(Rx, Fp2.mul(Qx, Rz)); // Rx - Qx * Rz
@@ -145,7 +160,7 @@ export function bls<Fp2, Fp6, Fp12>(
         let t2 = Fp2.sqr(t1); // T1²
         let t3 = Fp2.mul(t2, t1); // T2 * T1
         let t4 = Fp2.mul(t2, Rx); // T2 * Rx
-        let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, 2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
+        let t5 = Fp2.add(Fp2.sub(t3, Fp2.mul(t4, _2n)), Fp2.mul(Fp2.sqr(t0), Rz)); // T3 - 2 * T4 + T0² * Rz
         Rx = Fp2.mul(t1, t5); // T1 * T5
         Ry = Fp2.sub(Fp2.mul(Fp2.sub(t4, t5), t0), Fp2.mul(t3, Ry)); // (T4 - T5) * T0 - T3 * Ry
         Rz = Fp2.mul(Rz, t3); // Rz * T3
@@ -155,7 +170,7 @@ export function bls<Fp2, Fp6, Fp12>(
   }
 
   function millerLoop(ell: [Fp2, Fp2, Fp2][], g1: [Fp, Fp]): Fp12 {
-    const { x } = CURVE;
+    const { x } = CURVE.params;
     const Px = g1[0];
     const Py = g1[1];
     let f12 = Fp12.ONE;
@@ -174,8 +189,9 @@ export function bls<Fp2, Fp6, Fp12>(
 
   const utils = {
     randomPrivateKey: (): Uint8Array => {
-      return Fr.toBytes(hashToPrivateScalar(CURVE.randomBytes(groupLen + 8), CURVE.r));
+      return Fr.toBytes(hashToPrivateScalar(CURVE.randomBytes(groupLen + 8), CURVE.params.r));
     },
+    calcPairingPrecomputes,
   };
 
   // Point on G1 curve: (x, y)
@@ -236,7 +252,7 @@ export function bls<Fp2, Fp6, Fp12>(
     return point instanceof G1.ProjectivePoint ? (point as G1) : G1.ProjectivePoint.fromHex(point);
   }
   function normP2(point: G2Hex): G2 {
-    return point instanceof G2.ProjectivePoint ? point : Signature.decode(point);
+    return point instanceof G2.ProjectivePoint ? point : Signature.fromHex(point);
   }
   function normP2Hash(point: G2Hex, htfOpts?: htf.htfBasicOpts): G2 {
     return point instanceof G2.ProjectivePoint
@@ -259,7 +275,7 @@ export function bls<Fp2, Fp6, Fp12>(
     msgPoint.assertValidity();
     const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
     if (message instanceof G2.ProjectivePoint) return sigPoint;
-    return Signature.encode(sigPoint);
+    return Signature.toRawBytes(sigPoint);
   }
 
   // Checks if pairing of public key & hash is equal to pairing of generator & signature.
@@ -309,7 +325,7 @@ export function bls<Fp2, Fp6, Fp12>(
       aggAffine.assertValidity();
       return aggAffine;
     }
-    return Signature.encode(aggAffine);
+    return Signature.toRawBytes(aggAffine);
   }
 
   // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
@@ -353,24 +369,30 @@ export function bls<Fp2, Fp6, Fp12>(
   G1.ProjectivePoint.BASE._setWindowSize(4);
 
   return {
-    CURVE,
-    Fr,
-    Fp,
-    Fp2,
-    Fp6,
-    Fp12,
-    G1,
-    G2,
-    Signature,
-    millerLoop,
-    calcPairingPrecomputes,
-    pairing,
     getPublicKey,
     sign,
     verify,
+    verifyBatch,
     aggregatePublicKeys,
     aggregateSignatures,
-    verifyBatch,
+    millerLoop,
+    pairing,
+    G1,
+    G2,
+    Signature,
+    fields: {
+      Fr,
+      Fp,
+      Fp2,
+      Fp6,
+      Fp12,
+    },
+    params: {
+      x: CURVE.params.x,
+      r: CURVE.params.r,
+      G1b: CURVE.G1.b,
+      G2b: CURVE.G2.b,
+    },
     utils,
   };
 }

package/src/abstract/edwards.ts

@@ -5,11 +5,9 @@ import * as ut from './utils.js';
 import { ensureBytes, FHash, Hex } from './utils.js';
 import { Group, GroupConstructor, wNAF, BasicCurve, validateBasic, AffinePoint } from './curve.js';
 
-// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const _8n = BigInt(8);
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
 
 // Edwards curves must declare params a & d.
 export type CurveType = BasicCurve<bigint> & {
@@ -20,10 +18,13 @@ export type CurveType = BasicCurve<bigint> & {
   adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
   domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
   uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint }; // Ratio √(u/v)
-  preHash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
+  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
   mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
 };
 
+// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+const VERIFY_DEFAULT = { zip215: true };
+
 function validateOpts(curve: CurveType) {
   const opts = validateBasic(curve);
   ut.validateObject(
@@ -51,6 +52,8 @@ export interface ExtPointType extends Group<ExtPointType> {
   readonly ey: bigint;
   readonly ez: bigint;
   readonly et: bigint;
+  get x(): bigint;
+  get y(): bigint;
   assertValidity(): void;
   multiply(scalar: bigint): ExtPointType;
   multiplyUnsafe(scalar: bigint): ExtPointType;
@@ -58,6 +61,8 @@ export interface ExtPointType extends Group<ExtPointType> {
   isTorsionFree(): boolean;
   clearCofactor(): ExtPointType;
   toAffine(iz?: bigint): AffinePoint<bigint>;
+  toRawBytes(isCompressed?: boolean): Uint8Array;
+  toHex(isCompressed?: boolean): string;
 }
 // Static methods of Extended Point with coordinates in X, Y, Z, T
 export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
@@ -88,7 +93,15 @@ export type CurveFn = {
 // It is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
-  const { Fp, n: CURVE_ORDER, preHash, hash: cHash, randomBytes, nByteLength, h: cofactor } = CURVE;
+  const {
+    Fp,
+    n: CURVE_ORDER,
+    prehash: prehash,
+    hash: cHash,
+    randomBytes,
+    nByteLength,
+    h: cofactor,
+  } = CURVE;
   const MASK = _2n ** BigInt(nByteLength * 8);
   const modP = Fp.create; // Function overrides
 
@@ -109,7 +122,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
       return data;
     }); // NOOP
-  const inBig = (n: bigint) => typeof n === 'bigint' && 0n < n; // n in [1..]
+  const inBig = (n: bigint) => typeof n === 'bigint' && _0n < n; // n in [1..]
   const inRange = (n: bigint, max: bigint) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
   const in0MaskRange = (n: bigint) => n === _0n || inRange(n, MASK); // n in [0..MASK-1]
   function assertInRange(n: bigint, max: bigint) {
@@ -297,8 +310,9 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Non-constant-time multiplication. Uses double-and-add algorithm.
     // It's faster, but should only be used when you don't care about
     // an exposed private key e.g. sig verification.
+    // Does NOT allow scalars higher than CURVE.n.
     multiplyUnsafe(scalar: bigint): Point {
-      let n = assertGE0(scalar);
+      let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
       if (n === _0n) return I;
       if (this.equals(I) || n === _1n) return this;
       if (this.equals(G)) return this.wNAF(n).p;
@@ -341,7 +355,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
     // Converts hash string or Uint8Array to Point.
     // Uses algo from RFC8032 5.1.3.
-    static fromHex(hex: Hex, strict = true): Point {
+    static fromHex(hex: Hex, zip215 = false): Point {
       const { d, a } = CURVE;
       const len = Fp.BYTES;
       hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
@@ -353,8 +367,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
         // y=0 is allowed
       } else {
         // RFC8032 prohibits >= p, but ZIP215 doesn't
-        if (strict) assertInRange(y, Fp.ORDER); // strict=true [1..P-1] (2^255-19-1 for ed25519)
-        else assertInRange(y, MASK); // strict=false [1..MASK-1] (2^256-1 for ed25519)
+        if (zip215) assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
+        else assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
       }
 
       // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
@@ -416,32 +430,43 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
   function hashDomainToScalar(context: Hex = new Uint8Array(), ...msgs: Uint8Array[]) {
     const msg = ut.concatBytes(...msgs);
-    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!preHash)));
+    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
   }
 
   /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, privKey: Hex, context?: Hex): Uint8Array {
+  function sign(msg: Hex, privKey: Hex, options: { context?: Hex } = {}): Uint8Array {
     msg = ensureBytes('message', msg);
-    if (preHash) msg = preHash(msg); // for ed25519ph etc.
+    if (prehash) msg = prehash(msg); // for ed25519ph etc.
     const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
-    const r = hashDomainToScalar(context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
+    const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
     const R = G.multiply(r).toRawBytes(); // R = rG
-    const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
+    const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
     const s = modN(r + k * scalar); // S = (r + k * s) mod L
     assertGE0(s); // 0 <= s < l
     const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
     return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
   }
 
-  function verify(sig: Hex, msg: Hex, publicKey: Hex, context?: Hex): boolean {
+  const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+  function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
+    const { context, zip215 } = options;
     const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
     sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
-    msg = ensureBytes('message', msg); // ZIP215 compliant, which means not fully RFC8032 compliant.
-    if (preHash) msg = preHash(msg); // for ed25519ph, etc
-    const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
-    const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
-    const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
-    const SB = G.multiplyUnsafe(s);
+    msg = ensureBytes('message', msg);
+    if (prehash) msg = prehash(msg); // for ed25519ph, etc
+
+    const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
+    // zip215: true is good for consensus-critical apps and allows points < 2^256
+    // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
+    let A, R, SB;
+    try {
+      A = Point.fromHex(publicKey, zip215);
+      R = Point.fromHex(sig.slice(0, len), zip215);
+      SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+    } catch (error) {
+      return false;
+    }
+
     const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));
     // [8][S]B = [8]R + [8][k]A'

package/src/abstract/hash-to-curve.ts

@@ -17,7 +17,7 @@ export type Opts = {
   p: bigint;
   m: number;
   k: number;
-  expand?: 'xmd' | 'xof';
+  expand: 'xmd' | 'xof';
   hash: CHash;
 };
 
@@ -145,10 +145,11 @@ export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bi
     prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
   } else if (expand === 'xof') {
     prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
-  } else if (expand === undefined) {
+  } else if (expand === '_internal_pass') {
+    // for internal tests only
     prb = msg;
   } else {
-    throw new Error('expand must be "xmd", "xof" or undefined');
+    throw new Error('expand must be "xmd" or "xof"');
   }
   const u = new Array(count);
   for (let i = 0; i < count; i++) {

package/src/abstract/modular.ts

@@ -275,7 +275,7 @@ export function FpPow<T>(f: IField<T>, num: T, power: bigint): T {
   while (power > _0n) {
     if (power & _1n) p = f.mul(p, d);
     d = f.sqr(d);
-    power >>= 1n;
+    power >>= _1n;
   }
   return p;
 }

package/src/abstract/utils.ts

@@ -123,12 +123,12 @@ export function utf8ToBytes(str: string): Uint8Array {
 // Amount of bits inside bigint (Same as n.toString(2).length)
 export function bitLen(n: bigint) {
   let len;
-  for (len = 0; n > 0n; n >>= _1n, len += 1);
+  for (len = 0; n > _0n; n >>= _1n, len += 1);
   return len;
 }
 // Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
 // Same as !!+Array.from(n.toString(2)).reverse()[pos]
-export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & 1n;
+export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & _1n;
 // Sets single bit at position
 export const bitSet = (n: bigint, pos: number, value: boolean) =>
   n | ((value ? _1n : _0n) << BigInt(pos));

package/src/abstract/weierstrass.ts

@@ -58,6 +58,8 @@ export interface ProjPointType<T> extends Group<ProjPointType<T>> {
   readonly px: T;
   readonly py: T;
   readonly pz: T;
+  get x(): T;
+  get y(): T;
   multiply(scalar: bigint): ProjPointType<T>;
   toAffine(iz?: T): AffinePoint<T>;
   isTorsionFree(): boolean;
@@ -129,7 +131,7 @@ export type CurvePointsRes<T> = {
 
 // ASN.1 DER encoding utilities
 const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
-const DER = {
+export const DER = {
   // asn.1 DER encoding utils
   Err: class DERErr extends Error {
     constructor(m = '') {
@@ -142,9 +144,13 @@ const DER = {
     const len = data[1];
     const res = data.subarray(2, len + 2);
     if (!len || res.length !== len) throw new E('Invalid signature integer: wrong length');
-    if (res[0] === 0x00 && res[1] <= 0x7f)
-      throw new E('Invalid signature integer: trailing length');
-    // ^ Weird condition: not about length, but about first bytes of number.
+    // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+    // since we always use positive integers here. It must always be empty:
+    // - add zero byte if exists
+    // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+    if (res[0] & 0b10000000) throw new E('Invalid signature integer: negative');
+    if (res[0] === 0x00 && !(res[1] & 0b10000000))
+      throw new E('Invalid signature integer: unnecessary leading zero');
     return { d: b2n(res), l: data.subarray(len + 2) }; // d is data, l is left
   },
   toSig(hex: string | Uint8Array): { r: bigint; s: bigint } {
@@ -161,7 +167,8 @@ const DER = {
     return { r, s };
   },
   hexFromSig(sig: { r: bigint; s: bigint }): string {
-    const slice = (s: string): string => (Number.parseInt(s[0], 16) >= 8 ? '00' + s : s); // slice DER
+    // Add leading zero if first byte has negative bit enabled. More details in '_parseInt'
+    const slice = (s: string): string => (Number.parseInt(s[0], 16) & 0b1000 ? '00' + s : s);
     const h = (num: number | bigint) => {
       const hex = num.toString(16);
       return hex.length & 1 ? `0${hex}` : hex;
@@ -176,9 +183,9 @@ const DER = {
   },
 };
 
-// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
-const _0n = BigInt(0);
-const _1n = BigInt(1);
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
 export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   const CURVE = validatePointOpts(opts);
@@ -211,6 +218,12 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
     const x3 = Fp.mul(x2, x); // x2 * x
     return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
   }
+  // Validate whether the passed curve params are valid.
+  // We check if curve equation works for generator point.
+  // `assertValidity()` won't work: `isTorsionFree()` is not available at this point in bls12-381.
+  // ProjectivePoint class has not been initialized yet.
+  if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
+    throw new Error('bad generator point: equation left != right');
 
   // Valid group elements reside in range 1..n-1
   function isWithinCurveOrder(num: bigint): boolean {
@@ -365,7 +378,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
     // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
     double() {
       const { a, b } = CURVE;
-      const b3 = Fp.mul(b, 3n);
+      const b3 = Fp.mul(b, _3n);
       const { px: X1, py: Y1, pz: Z1 } = this;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       let t0 = Fp.mul(X1, X1); // step 1
@@ -412,7 +425,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
       const { px: X2, py: Y2, pz: Z2 } = other;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       const a = CURVE.a;
-      const b3 = Fp.mul(CURVE.b, 3n);
+      const b3 = Fp.mul(CURVE.b, _3n);
       let t0 = Fp.mul(X1, X2); // step 1
       let t1 = Fp.mul(Y1, Y2);
       let t2 = Fp.mul(Z1, Z2);
@@ -589,7 +602,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   }
   const _bits = CURVE.nBitLength;
   const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-
+  // Validate if generator point is on curve
   return {
     CURVE,
     ProjectivePoint: Point as ProjConstructor<T>,
@@ -1078,15 +1091,15 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
   // Generic implementation
   const q = Fp.ORDER;
-  let l = 0n;
-  for (let o = q - 1n; o % 2n === 0n; o /= 2n) l += 1n;
+  let l = _0n;
+  for (let o = q - _1n; o % _2n === _0n; o /= _2n) l += _1n;
   const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-  const c2 = (q - 1n) / 2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
-  const c3 = (c2 - 1n) / 2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-  const c4 = 2n ** c1 - 1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
-  const c5 = 2n ** (c1 - 1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
+  const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
+  const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+  const c4 = _2n ** c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+  const c5 = _2n ** (c1 - _1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
   const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
-  const c7 = Fp.pow(Z, (c2 + 1n) / 2n); // 7. c7 = Z^((c2 + 1) / 2)
+  const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
   let sqrtRatio = (u: T, v: T): { isValid: boolean; value: T } => {
     let tv1 = c6; // 1. tv1 = c6
     let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
@@ -1105,8 +1118,8 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
     tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
     tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
     // 17. for i in (c1, c1 - 1, ..., 2):
-    for (let i = c1; i > 1; i--) {
-      let tv5 = 2n ** (i - 2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
+    for (let i = c1; i > _1n; i--) {
+      let tv5 = _2n ** (i - _2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
       let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
       const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
       tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
@@ -1117,9 +1130,9 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
     }
     return { isValid: isQR, value: tv3 };
   };
-  if (Fp.ORDER % 4n === 3n) {
+  if (Fp.ORDER % _4n === _3n) {
     // sqrt_ratio_3mod4(u, v)
-    const c1 = (Fp.ORDER - 3n) / 4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+    const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
     const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
     sqrtRatio = (u: T, v: T) => {
       let tv1 = Fp.sqr(v); // 1. tv1 = v^2
@@ -1135,7 +1148,7 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
     };
   }
   // No curves uses that
-  // if (Fp.ORDER % 8n === 5n) // sqrt_ratio_5mod8
+  // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
   return sqrtRatio;
 }
 // From draft-irtf-cfrg-hash-to-curve-16