@noble/curves 0.9.0 → 1.0.0

package/esm/bls12-381.js

@@ -6,7 +6,7 @@
 //
 // The library uses G1 for public keys and G2 for signatures. Support for G1 signatures is planned.
 // Compatible with Algorand, Chia, Dfinity, Ethereum, FIL, Zcash. Matches specs
-// [pairing-curves-10](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-10),
+// [pairing-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
 // [bls-sigs-04](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04),
 // [hash-to-curve-12](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-12).
 //
@@ -26,37 +26,25 @@
 // - `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
 // Filecoin uses little endian byte arrays for private keys -
 // so ensure to reverse byte order if you'll use it with FIL.
-//
-// ### Resources
-// - [BLS12-381 for the rest of us](https://hackmd.io/@benjaminion/bls12-381)
-// - [Key concepts of pairings](https://medium.com/@alonmuroch_65570/bls-signatures-part-2-key-concepts-of-pairings-27a8a9533d0c)
-// - Pairing over bls12-381:
-//   [part 1](https://research.nccgroup.com/2020/07/06/pairing-over-bls12-381-part-1-fields/),
-//   [part 2](https://research.nccgroup.com/2020/07/13/pairing-over-bls12-381-part-2-curves/),
-//   [part 3](https://research.nccgroup.com/2020/08/13/pairing-over-bls12-381-part-3-pairing/)
-// - [Estimating the bit security of pairing-friendly curves](https://research.nccgroup.com/2022/02/03/estimating-the-bit-security-of-pairing-friendly-curves/)
-//
-// ### Differences from @noble/bls12-381 1.4
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// - Points now have only two coordinates
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls } from './abstract/bls.js';
 import * as mod from './abstract/modular.js';
-import { concatBytes as concatB, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, } from './abstract/utils.js';
+import { concatBytes as concatB, ensureBytes, numberToBytesBE, bytesToNumberBE, bitLen, bitSet, bitGet, bitMask, bytesToHex, } from './abstract/utils.js';
 // Types
 import { mapToCurveSimpleSWU, } from './abstract/weierstrass.js';
 import { isogenyMap } from './abstract/hash-to-curve.js';
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
+// prettier-ignore
+const _8n = BigInt(8), _16n = BigInt(16);
 // CURVE FIELDS
 // Finite field over p.
-const Fp = mod.Field(0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn);
+const Fp = mod.Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
 // Finite field over r.
 // This particular field is not used anywhere in bls12-381, but it is still useful.
-const Fr = mod.Field(0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001n);
+const Fr = mod.Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'));
 const Fp2Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
     c0: Fp.add(c0, r0),
     c1: Fp.add(c1, r1),
@@ -88,8 +76,7 @@ const Fp2Square = ({ c0, c1 }) => {
 // G² - 1
 // h2q
 // NOTE: ORDER was wrong!
-const FP2_ORDER = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn **
-    2n;
+const FP2_ORDER = BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab') ** _2n;
 const Fp2 = {
     ORDER: FP2_ORDER,
     BITS: bitLen(FP2_ORDER),
@@ -142,7 +129,7 @@ const Fp2 = {
         // https://github.com/zkcrypto/bls12_381/blob/080eaa74ec0e394377caa1ba302c8c121df08b07/src/fp2.rs#L250
         // https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1
         // Inspired by https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99
-        const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + 8n) / 16n);
+        const candidateSqrt = Fp2.pow(num, (Fp2.ORDER + _8n) / _16n);
         const check = Fp2.div(Fp2.sqr(candidateSqrt), num); // candidateSqrt.square().div(this);
         const R = FP2_ROOTS_OF_UNITY;
         const divisor = [R[0], R[2], R[4], R[6]].find((r) => Fp2.eql(r, check));
@@ -163,10 +150,10 @@ const Fp2 = {
     // Same as sgn0_fp2 in draft-irtf-cfrg-hash-to-curve-16
     isOdd: (x) => {
         const { re: x0, im: x1 } = Fp2.reim(x);
-        const sign_0 = x0 % 2n;
-        const zero_0 = x0 === 0n;
-        const sign_1 = x1 % 2n;
-        return BigInt(sign_0 || (zero_0 && sign_1)) == 1n;
+        const sign_0 = x0 % _2n;
+        const zero_0 = x0 === _0n;
+        const sign_1 = x1 % _2n;
+        return BigInt(sign_0 || (zero_0 && sign_1)) == _1n;
     },
     // Bytes util
     fromBytes(b) {
@@ -187,8 +174,8 @@ const Fp2 = {
     // multiply by u + 1
     mulByNonresidue: ({ c0, c1 }) => ({ c0: Fp.sub(c0, c1), c1: Fp.add(c0, c1) }),
     multiplyByB: ({ c0, c1 }) => {
-        let t0 = Fp.mul(c0, 4n); // 4 * c0
-        let t1 = Fp.mul(c1, 4n); // 4 * c1
+        let t0 = Fp.mul(c0, _4n); // 4 * c0
+        let t1 = Fp.mul(c1, _4n); // 4 * c1
         // (T0-T1) + (T0+T1)*i
         return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
     },
@@ -206,30 +193,30 @@ const Fp2 = {
 // Finite extension field over irreducible polynominal.
 // Fp(u) / (u² - β) where β = -1
 const FP2_FROBENIUS_COEFFICIENTS = [
-    0x1n,
-    0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaan,
+    BigInt('0x1'),
+    BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa'),
 ].map((item) => Fp.create(item));
 // For Fp2 roots of unity.
-const rv1 = 0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09n;
+const rv1 = BigInt('0x6af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09');
 // const ev1 =
-//   0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90n;
+//   BigInt('0x699be3b8c6870965e5bf892ad5d2cc7b0e85a117402dfd83b7f4a947e02d978498255a2aaec0ac627b5afbdf1bf1c90');
 // const ev2 =
-//   0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5n;
+//   BigInt('0x8157cd83046453f5dd0972b6e3949e4288020b5b8a9cc99ca07e27089a2ce2436d965026adad3ef7baba37f2183e9b5');
 // const ev3 =
-//   0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17n;
+//   BigInt('0xab1c2ffdd6c253ca155231eb3e71ba044fd562f6f72bc5bad5ec46a0b7a3b0247cf08ce6c6317f40edbc653a72dee17');
 // const ev4 =
-//   0xaa404866706722864480885d68ad0ccac1967c7544b447873cc37e0181271e006df72162a3d3e0287bf597fbf7f8fc1n;
+//   BigInt('0xaa404866706722864480885d68ad0ccac1967c7544b447873cc37e0181271e006df72162a3d3e0287bf597fbf7f8fc1');
 // Eighth roots of unity, used for computing square roots in Fp2.
 // To verify or re-calculate:
 // Array(8).fill(new Fp2([1n, 1n])).map((fp2, k) => fp2.pow(Fp2.ORDER * BigInt(k) / 8n))
 const FP2_ROOTS_OF_UNITY = [
-    [1n, 0n],
+    [_1n, _0n],
     [rv1, -rv1],
-    [0n, 1n],
+    [_0n, _1n],
     [rv1, rv1],
-    [-1n, 0n],
+    [-_1n, _0n],
     [-rv1, rv1],
-    [0n, -1n],
+    [_0n, -_1n],
     [-rv1, -rv1],
 ].map((pair) => Fp2.fromBigTuple(pair));
 const Fp6Add = ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) => ({
@@ -265,8 +252,8 @@ const Fp6Multiply = ({ c0, c1, c2 }, rhs) => {
 };
 const Fp6Square = ({ c0, c1, c2 }) => {
     let t0 = Fp2.sqr(c0); // c0²
-    let t1 = Fp2.mul(Fp2.mul(c0, c1), 2n); // 2 * c0 * c1
-    let t3 = Fp2.mul(Fp2.mul(c1, c2), 2n); // 2 * c1 * c2
+    let t1 = Fp2.mul(Fp2.mul(c0, c1), _2n); // 2 * c0 * c1
+    let t3 = Fp2.mul(Fp2.mul(c1, c2), _2n); // 2 * c1 * c2
     let t4 = Fp2.sqr(c2); // c2²
     return {
         c0: Fp2.add(Fp2.mulByNonresidue(t3), t0),
@@ -376,50 +363,50 @@ const Fp6 = {
     }),
 };
 const FP6_FROBENIUS_COEFFICIENTS_1 = [
-    [0x1n, 0x0n],
+    [BigInt('0x1'), BigInt('0x0')],
     [
-        0x0n,
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn,
+        BigInt('0x0'),
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac'),
     ],
     [
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen,
-        0x0n,
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'),
+        BigInt('0x0'),
     ],
-    [0x0n, 0x1n],
+    [BigInt('0x0'), BigInt('0x1')],
     [
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn,
-        0x0n,
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac'),
+        BigInt('0x0'),
     ],
     [
-        0x0n,
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen,
+        BigInt('0x0'),
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'),
     ],
 ].map((pair) => Fp2.fromBigTuple(pair));
 const FP6_FROBENIUS_COEFFICIENTS_2 = [
-    [0x1n, 0x0n],
+    [BigInt('0x1'), BigInt('0x0')],
     [
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaadn,
-        0x0n,
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad'),
+        BigInt('0x0'),
     ],
     [
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn,
-        0x0n,
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac'),
+        BigInt('0x0'),
     ],
     [
-        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaan,
-        0x0n,
+        BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa'),
+        BigInt('0x0'),
     ],
     [
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen,
-        0x0n,
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'),
+        BigInt('0x0'),
     ],
     [
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffffn,
-        0x0n,
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff'),
+        BigInt('0x0'),
     ],
 ].map((pair) => Fp2.fromBigTuple(pair));
 // The BLS parameter x for BLS12-381
-const BLS_X = 0xd201000000010000n;
+const BLS_X = BigInt('0xd201000000010000');
 const BLS_X_LEN = bitLen(BLS_X);
 const Fp12Add = ({ c0, c1 }, { c0: r0, c1: r1 }) => ({
     c0: Fp6.add(c0, r0),
@@ -556,14 +543,14 @@ const Fp12 = {
         let t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
         return {
             c0: Fp6.create({
-                c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), 2n), t3),
-                c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), 2n), t5),
-                c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), 2n), t7),
+                c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3),
+                c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5),
+                c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
             }),
             c1: Fp6.create({
-                c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), 2n), t9),
-                c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), 2n), t4),
-                c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), 2n), t6),
+                c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9),
+                c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4),
+                c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
             }),
         }; // 2 * (T6 + c1c2) + T6
     },
@@ -599,50 +586,50 @@ const Fp12 = {
     },
 };
 const FP12_FROBENIUS_COEFFICIENTS = [
-    [0x1n, 0x0n],
+    [BigInt('0x1'), BigInt('0x0')],
     [
-        0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8n,
-        0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3n,
+        BigInt('0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8'),
+        BigInt('0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3'),
     ],
     [
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffffn,
-        0x0n,
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffeffff'),
+        BigInt('0x0'),
     ],
     [
-        0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2n,
-        0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09n,
+        BigInt('0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2'),
+        BigInt('0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09'),
     ],
     [
-        0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen,
-        0x0n,
+        BigInt('0x00000000000000005f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe'),
+        BigInt('0x0'),
     ],
     [
-        0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995n,
-        0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116n,
+        BigInt('0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995'),
+        BigInt('0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116'),
     ],
     [
-        0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaan,
-        0x0n,
+        BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaaa'),
+        BigInt('0x0'),
     ],
     [
-        0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3n,
-        0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8n,
+        BigInt('0x00fc3e2b36c4e03288e9e902231f9fb854a14787b6c7b36fec0c8ec971f63c5f282d5ac14d6c7ec22cf78a126ddc4af3'),
+        BigInt('0x1904d3bf02bb0667c231beb4202c0d1f0fd603fd3cbd5f4f7b2443d784bab9c4f67ea53d63e7813d8d0775ed92235fb8'),
     ],
     [
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn,
-        0x0n,
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac'),
+        BigInt('0x0'),
     ],
     [
-        0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09n,
-        0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2n,
+        BigInt('0x06af0e0437ff400b6831e36d6bd17ffe48395dabc2d3435e77f76e17009241c5ee67992f72ec05f4c81084fbede3cc09'),
+        BigInt('0x135203e60180a68ee2e9c448d77a2cd91c3dedd930b1cf60ef396489f61eb45e304466cf3e67fa0af1ee7b04121bdea2'),
     ],
     [
-        0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaadn,
-        0x0n,
+        BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaad'),
+        BigInt('0x0'),
     ],
     [
-        0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116n,
-        0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995n,
+        BigInt('0x05b2cfd9013a5fd8df47fa6b48b1e045f39816240c0b8fee8beadf4d8e9c0566c63a3e6e257f87329b18fae980078116'),
+        BigInt('0x144e4211384586c16bd3ad4afa99cc9170df3560e77982d0db45f3536814f0bd5871c1908bd478cd1ee605167ff82995'),
     ],
 ].map((n) => Fp2.fromBigTuple(n));
 // END OF CURVE FIELDS
@@ -789,15 +776,15 @@ const isogenyMapG1 = isogenyMap(Fp, [
 ].map((i) => i.map((j) => BigInt(j))));
 // SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i
 const G2_SWU = mapToCurveSimpleSWU(Fp2, {
-    A: Fp2.create({ c0: Fp.create(0n), c1: Fp.create(240n) }),
-    B: Fp2.create({ c0: Fp.create(1012n), c1: Fp.create(1012n) }),
-    Z: Fp2.create({ c0: Fp.create(-2n), c1: Fp.create(-1n) }), // Z: -(2 + I)
+    A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }),
+    B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }),
+    Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
 });
 // Optimized SWU Map - Fp to G1
 const G1_SWU = mapToCurveSimpleSWU(Fp, {
-    A: Fp.create(0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1dn),
-    B: Fp.create(0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0n),
-    Z: Fp.create(11n),
+    A: Fp.create(BigInt('0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d')),
+    B: Fp.create(BigInt('0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0')),
+    Z: Fp.create(BigInt(11)),
 });
 // Endomorphisms (for fast cofactor clearing)
 // Ψ(P) endomorphism
@@ -819,7 +806,7 @@ function G2psi(c, P) {
 }
 // Ψ²(P) endomorphism
 // 1 / F2(2)^((p-1)/3) in GF(p²)
-const PSI2_C1 = 0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaacn;
+const PSI2_C1 = BigInt('0x1a0111ea397fe699ec02408663d4de85aa0d857d89759ad4897d29650fb85f9b409427eb4f49fffd8bfd00000000aaac');
 function psi2(x, y) {
     return [Fp2.mul(x, PSI2_C1), Fp2.neg(y)];
 }
@@ -867,7 +854,22 @@ const C_BIT_POS = Fp.BITS; // C_bit, compression bit for serialization flag
 const I_BIT_POS = Fp.BITS + 1; // I_bit, point-at-infinity bit for serialization flag
 const S_BIT_POS = Fp.BITS + 2; // S_bit, sign bit for serialization flag
 // Compressed point of infinity
-const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits
+const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(_0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits
+function signatureG2ToRawBytes(point) {
+    // NOTE: by some reasons it was missed in bls12-381, looks like bug
+    point.assertValidity();
+    const len = Fp.BYTES;
+    if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
+        return concatB(COMPRESSED_ZERO, numberToBytesBE(_0n, len));
+    const { x, y } = point.toAffine();
+    const { re: x0, im: x1 } = Fp2.reim(x);
+    const { re: y0, im: y1 } = Fp2.reim(y);
+    const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
+    const aflag1 = Boolean((tmp / Fp.ORDER) & _1n);
+    const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
+    const z2 = x0;
+    return concatB(numberToBytesBE(z1, len), numberToBytesBE(z2, len));
+}
 // To verify curve parameters, see pairing-friendly-curves spec:
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09
 // Basic math is done over finite fields over p.
@@ -880,26 +882,26 @@ const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(0n, I_BIT_POS, true), S_BIT_POS
 // Here goes constants && point encoding format
 export const bls12_381 = bls({
     // Fields
-    Fr,
-    Fp,
-    Fp2,
-    Fp6,
-    Fp12,
-    // order; z⁴ − z² + 1
-    r: Fr.ORDER,
+    fields: {
+        Fp,
+        Fp2,
+        Fp6,
+        Fp12,
+        Fr,
+    },
     // G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
     // characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
     G1: {
         Fp,
         // cofactor; (z - 1)²/3
-        h: 0x396c8c005555e1568c00aaab0000aaabn,
+        h: BigInt('0x396c8c005555e1568c00aaab0000aaab'),
         // generator's coordinates
         // x = 3685416753713387016781088315183077757961620795782546409894578378688607592378376318836054947676345821548104185464507
         // y = 1339506544944476473020471379941921221584933875938349620426543736416511423956333506472724655353366534992391756441569
-        Gx: 0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bbn,
-        Gy: 0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1n,
+        Gx: BigInt('0x17f1d3a73197d7942695638c4fa9ac0fc3688c4f9774b905a14e3a3f171bac586c55e83ff97a1aeffb3af00adb22c6bb'),
+        Gy: BigInt('0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'),
         a: Fp.ZERO,
-        b: 4n,
+        b: _4n,
         htfDefaults: { ...htfDefaults, m: 1 },
         wrapPrivateKey: true,
         allowInfinityPoint: true,
@@ -909,15 +911,15 @@ export const bls12_381 = bls({
         // https://eprint.iacr.org/2021/1130.pdf
         isTorsionFree: (c, point) => {
             // φ endomorphism
-            const cubicRootOfUnityModP = 0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffen;
+            const cubicRootOfUnityModP = BigInt('0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe');
             const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
             // todo: unroll
-            const xP = point.multiplyUnsafe(bls12_381.CURVE.x).negate(); // [x]P
-            const u2P = xP.multiplyUnsafe(bls12_381.CURVE.x); // [u2]P
+            const xP = point.multiplyUnsafe(bls12_381.params.x).negate(); // [x]P
+            const u2P = xP.multiplyUnsafe(bls12_381.params.x); // [u2]P
             return u2P.equals(phi);
             // https://eprint.iacr.org/2019/814.pdf
             // (z² − 1)/3
-            // const c1 = 0x396c8c005555e1560000000055555555n;
+            // const c1 = BigInt('0x396c8c005555e1560000000055555555');
             // const P = this;
             // const S = P.sigma();
             // const Q = S.double();
@@ -931,27 +933,29 @@ export const bls12_381 = bls({
         // https://eprint.iacr.org/2019/403
         clearCofactor: (c, point) => {
             // return this.multiplyUnsafe(CURVE.h);
-            return point.multiplyUnsafe(bls12_381.CURVE.x).add(point); // x*P + P
+            return point.multiplyUnsafe(bls12_381.params.x).add(point); // x*P + P
         },
         mapToCurve: (scalars) => {
             const { x, y } = G1_SWU(Fp.create(scalars[0]));
             return isogenyMapG1(x, y);
         },
         fromBytes: (bytes) => {
+            bytes = bytes.slice();
             if (bytes.length === 48) {
+                // TODO: Fp.bytes
                 const P = Fp.ORDER;
                 const compressedValue = bytesToNumberBE(bytes);
                 const bflag = bitGet(compressedValue, I_BIT_POS);
                 // Zero
-                if (bflag === 1n)
-                    return { x: 0n, y: 0n };
+                if (bflag === _1n)
+                    return { x: _0n, y: _0n };
                 const x = Fp.create(compressedValue & Fp.MASK);
-                const right = Fp.add(Fp.pow(x, 3n), Fp.create(bls12_381.CURVE.G1.b)); // y² = x³ + b
+                const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
                 let y = Fp.sqrt(right);
                 if (!y)
                     throw new Error('Invalid compressed G1 point');
                 const aflag = bitGet(compressedValue, C_BIT_POS);
-                if ((y * 2n) / P !== aflag)
+                if ((y * _2n) / P !== aflag)
                     y = Fp.neg(y);
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
@@ -959,8 +963,8 @@ export const bls12_381 = bls({
                 // Check if the infinity flag is set
                 if ((bytes[0] & (1 << 6)) !== 0)
                     return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
-                const x = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-                const y = bytesToNumberBE(bytes.slice(Fp.BYTES));
+                const x = bytesToNumberBE(bytes.subarray(0, Fp.BYTES));
+                const y = bytesToNumberBE(bytes.subarray(Fp.BYTES));
                 return { x: Fp.create(x), y: Fp.create(y) };
             }
             else {
@@ -975,7 +979,7 @@ export const bls12_381 = bls({
                     return COMPRESSED_ZERO.slice();
                 const P = Fp.ORDER;
                 let num;
-                num = bitSet(x, C_BIT_POS, Boolean((y * 2n) / P)); // set aflag
+                num = bitSet(x, C_BIT_POS, Boolean((y * _2n) / P)); // set aflag
                 num = bitSet(num, S_BIT_POS, true);
                 return numberToBytesBE(num, Fp.BYTES);
             }
@@ -998,21 +1002,21 @@ export const bls12_381 = bls({
     G2: {
         Fp: Fp2,
         // cofactor
-        h: 0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5n,
+        h: BigInt('0x5d543a95414e7f1091d50792876a202cd91de4547085abaa68a205b2e5a7ddfa628f1cb4d9e82ef21537e293a6691ae1616ec6e786f0c70cf1c38e31c7238e5'),
         Gx: Fp2.fromBigTuple([
-            0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8n,
-            0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7en,
+            BigInt('0x024aa2b2f08f0a91260805272dc51051c6e47ad4fa403b02b4510b647ae3d1770bac0326a805bbefd48056c8c121bdb8'),
+            BigInt('0x13e02b6052719f607dacd3a088274f65596bd0d09920b61ab5da61bbdc7f5049334cf11213945d57e5ac7d055d042b7e'),
         ]),
         // y =
         // 927553665492332455747201965776037880757740193453592970025027978793976877002675564980949289727957565575433344219582,
         // 1985150602287291935568054521177171638300868978215655730859378665066344726373823718423869104263333984641494340347905
         Gy: Fp2.fromBigTuple([
-            0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801n,
-            0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79ben,
+            BigInt('0x0ce5d527727d6e118cc9cdc6da2e351aadfd9baa8cbdd3a76d429a695160d12c923ac9cc3baca289e193548608b82801'),
+            BigInt('0x0606c4a02ea734cc32acd2b02bc28b99cb3e287e85a763af267492ab572e99ab3f370d275cec1da1aaa9075ff05f79be'),
         ]),
         a: Fp2.ZERO,
-        b: Fp2.fromBigTuple([4n, 4n]),
-        hEff: 0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551n,
+        b: Fp2.fromBigTuple([4n, _4n]),
+        hEff: BigInt('0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'),
         htfDefaults: { ...htfDefaults },
         wrapPrivateKey: true,
         allowInfinityPoint: true,
@@ -1025,7 +1029,7 @@ export const bls12_381 = bls({
         // It returns false for shitty points.
         // https://eprint.iacr.org/2021/1130.pdf
         isTorsionFree: (c, P) => {
-            return P.multiplyUnsafe(bls12_381.CURVE.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
+            return P.multiplyUnsafe(bls12_381.params.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
             // Older version: https://eprint.iacr.org/2019/814.pdf
             // Ψ²(P) => Ψ³(P) => [z]Ψ³(P) where z = -x => [z]Ψ³(P) - Ψ²(P) + P == O
             // return P.psi2().psi().mulNegX().subtract(psi2).add(P).isZero();
@@ -1035,7 +1039,7 @@ export const bls12_381 = bls({
         // https://eprint.iacr.org/2017/419.pdf
         // prettier-ignore
         clearCofactor: (c, P) => {
-            const { x } = bls12_381.CURVE;
+            const x = bls12_381.params.x;
             let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
             let t2 = G2psi(c, P); // Ψ(P)
             let t3 = P.double(); // 2P
@@ -1049,6 +1053,7 @@ export const bls12_381 = bls({
             return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
         },
         fromBytes: (bytes) => {
+            bytes = bytes.slice();
             const m_byte = bytes[0] & 0xe0;
             if (m_byte === 0x20 || m_byte === 0x60 || m_byte === 0xe0) {
                 throw new Error('Invalid encoding flag: ' + m_byte);
@@ -1059,7 +1064,7 @@ export const bls12_381 = bls({
             const L = Fp.BYTES;
             const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
             if (bytes.length === 96 && bitC) {
-                const { b } = bls12_381.CURVE.G2;
+                const b = bls12_381.params.G2b;
                 const P = Fp.ORDER;
                 bytes[0] = bytes[0] & 0x1f; // clear flags
                 if (bitI) {
@@ -1072,9 +1077,9 @@ export const bls12_381 = bls({
                 const x_1 = slc(bytes, 0, L);
                 const x_0 = slc(bytes, L, 2 * L);
                 const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
-                const right = Fp2.add(Fp2.pow(x, 3n), b); // y² = x³ + 4 * (u+1) = x³ + b
+                const right = Fp2.add(Fp2.pow(x, _3n), b); // y² = x³ + 4 * (u+1) = x³ + b
                 let y = Fp2.sqrt(right);
-                const Y_bit = y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P ? 1n : 0n;
+                const Y_bit = y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P ? _1n : _0n;
                 y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
                 return { x, y };
             }
@@ -1094,29 +1099,29 @@ export const bls12_381 = bls({
             }
         },
         toBytes: (c, point, isCompressed) => {
+            const { BYTES: len, ORDER: P } = Fp;
             const isZero = point.equals(c.ZERO);
             const { x, y } = point.toAffine();
             if (isCompressed) {
-                const P = Fp.ORDER;
                 if (isZero)
-                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
-                const flag = Boolean(y.c1 === 0n ? (y.c0 * 2n) / P : (y.c1 * 2n) / P);
+                    return concatB(COMPRESSED_ZERO, numberToBytesBE(_0n, len));
+                const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
                 // set compressed & sign bits (looks like different offsets than for G1/Fp?)
                 let x_1 = bitSet(x.c1, C_BIT_POS, flag);
                 x_1 = bitSet(x_1, S_BIT_POS, true);
-                return concatB(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
+                return concatB(numberToBytesBE(x_1, len), numberToBytesBE(x.c0, len));
             }
             else {
                 if (isZero)
-                    return concatB(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
+                    return concatB(new Uint8Array([0x40]), new Uint8Array(4 * len - 1)); // bytes[0] |= 1 << 6;
                 const { re: x0, im: x1 } = Fp2.reim(x);
                 const { re: y0, im: y1 } = Fp2.reim(y);
-                return concatB(numberToBytesBE(x1, Fp.BYTES), numberToBytesBE(x0, Fp.BYTES), numberToBytesBE(y1, Fp.BYTES), numberToBytesBE(y0, Fp.BYTES));
+                return concatB(numberToBytesBE(x1, len), numberToBytesBE(x0, len), numberToBytesBE(y1, len), numberToBytesBE(y0, len));
             }
         },
         Signature: {
             // TODO: Optimize, it's very slow because of sqrt.
-            decode(hex) {
+            fromHex(hex) {
                 hex = ensureBytes('signatureHex', hex);
                 const P = Fp.ORDER;
                 const half = hex.length / 2;
@@ -1126,12 +1131,12 @@ export const bls12_381 = bls({
                 const z2 = bytesToNumberBE(hex.slice(half));
                 // Indicates the infinity point
                 const bflag1 = bitGet(z1, I_BIT_POS);
-                if (bflag1 === 1n)
+                if (bflag1 === _1n)
                     return bls12_381.G2.ProjectivePoint.ZERO;
                 const x1 = Fp.create(z1 & Fp.MASK);
                 const x2 = Fp.create(z2);
                 const x = Fp2.create({ c0: x2, c1: x1 });
-                const y2 = Fp2.add(Fp2.pow(x, 3n), bls12_381.CURVE.G2.b); // y² = x³ + 4
+                const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381.params.G2b); // y² = x³ + 4
                 // The slow part
                 let y = Fp2.sqrt(y2);
                 if (!y)
@@ -1140,32 +1145,26 @@ export const bls12_381 = bls({
                 // If y1 happens to be zero, then use the bit of y0
                 const { re: y0, im: y1 } = Fp2.reim(y);
                 const aflag1 = bitGet(z1, 381);
-                const isGreater = y1 > 0n && (y1 * 2n) / P !== aflag1;
-                const isZero = y1 === 0n && (y0 * 2n) / P !== aflag1;
+                const isGreater = y1 > _0n && (y1 * _2n) / P !== aflag1;
+                const isZero = y1 === _0n && (y0 * _2n) / P !== aflag1;
                 if (isGreater || isZero)
                     y = Fp2.neg(y);
                 const point = bls12_381.G2.ProjectivePoint.fromAffine({ x, y });
                 point.assertValidity();
                 return point;
             },
-            encode(point) {
-                // NOTE: by some reasons it was missed in bls12-381, looks like bug
-                point.assertValidity();
-                if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
-                    return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
-                const a = point.toAffine();
-                const { re: x0, im: x1 } = Fp2.reim(a.x);
-                const { re: y0, im: y1 } = Fp2.reim(a.y);
-                const tmp = y1 > 0n ? y1 * 2n : y0 * 2n;
-                const aflag1 = Boolean((tmp / Fp.ORDER) & 1n);
-                const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
-                const z2 = x0;
-                return concatB(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
+            toRawBytes(point) {
+                return signatureG2ToRawBytes(point);
+            },
+            toHex(point) {
+                return bytesToHex(signatureG2ToRawBytes(point));
             },
         },
     },
-    // The BLS parameter x for BLS12-381
-    x: BLS_X,
+    params: {
+        x: BLS_X,
+        r: Fr.ORDER, // order; z⁴ − z² + 1; CURVE.n from other curves
+    },
     htfDefaults,
     hash: sha256,
     randomBytes,