@noble/curves 0.9.1 → 1.0.0

package/src/abstract/edwards.ts

@@ -18,10 +18,13 @@ export type CurveType = BasicCurve<bigint> & {
   adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
   domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
   uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint }; // Ratio √(u/v)
-  preHash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
+  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
   mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
 };
 
+// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+const VERIFY_DEFAULT = { zip215: true };
+
 function validateOpts(curve: CurveType) {
   const opts = validateBasic(curve);
   ut.validateObject(
@@ -90,7 +93,15 @@ export type CurveFn = {
 // It is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
-  const { Fp, n: CURVE_ORDER, preHash, hash: cHash, randomBytes, nByteLength, h: cofactor } = CURVE;
+  const {
+    Fp,
+    n: CURVE_ORDER,
+    prehash: prehash,
+    hash: cHash,
+    randomBytes,
+    nByteLength,
+    h: cofactor,
+  } = CURVE;
   const MASK = _2n ** BigInt(nByteLength * 8);
   const modP = Fp.create; // Function overrides
 
@@ -344,7 +355,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
     // Converts hash string or Uint8Array to Point.
     // Uses algo from RFC8032 5.1.3.
-    static fromHex(hex: Hex, strict = true): Point {
+    static fromHex(hex: Hex, zip215 = false): Point {
       const { d, a } = CURVE;
       const len = Fp.BYTES;
       hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
@@ -356,8 +367,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
         // y=0 is allowed
       } else {
         // RFC8032 prohibits >= p, but ZIP215 doesn't
-        if (strict) assertInRange(y, Fp.ORDER); // strict=true [1..P-1] (2^255-19-1 for ed25519)
-        else assertInRange(y, MASK); // strict=false [1..MASK-1] (2^256-1 for ed25519)
+        if (zip215) assertInRange(y, MASK); // zip215=true [1..P-1] (2^255-19-1 for ed25519)
+        else assertInRange(y, Fp.ORDER); // zip215=false [1..MASK-1] (2^256-1 for ed25519)
       }
 
       // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
@@ -419,32 +430,43 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
   function hashDomainToScalar(context: Hex = new Uint8Array(), ...msgs: Uint8Array[]) {
     const msg = ut.concatBytes(...msgs);
-    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!preHash)));
+    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
   }
 
   /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, privKey: Hex, context?: Hex): Uint8Array {
+  function sign(msg: Hex, privKey: Hex, options: { context?: Hex } = {}): Uint8Array {
     msg = ensureBytes('message', msg);
-    if (preHash) msg = preHash(msg); // for ed25519ph etc.
+    if (prehash) msg = prehash(msg); // for ed25519ph etc.
     const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
-    const r = hashDomainToScalar(context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
+    const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
     const R = G.multiply(r).toRawBytes(); // R = rG
-    const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
+    const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
     const s = modN(r + k * scalar); // S = (r + k * s) mod L
     assertGE0(s); // 0 <= s < l
     const res = ut.concatBytes(R, ut.numberToBytesLE(s, Fp.BYTES));
     return ensureBytes('result', res, nByteLength * 2); // 64-byte signature
   }
 
-  function verify(sig: Hex, msg: Hex, publicKey: Hex, context?: Hex): boolean {
+  const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+  function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
+    const { context, zip215 } = options;
     const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
     sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
-    msg = ensureBytes('message', msg); // ZIP215 compliant, which means not fully RFC8032 compliant.
-    if (preHash) msg = preHash(msg); // for ed25519ph, etc
-    const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
-    const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
+    msg = ensureBytes('message', msg);
+    if (prehash) msg = prehash(msg); // for ed25519ph, etc
+
     const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
-    const SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+    // zip215: true is good for consensus-critical apps and allows points < 2^256
+    // zip215: false follows RFC8032 / NIST186-5 and restricts points to CURVE.p
+    let A, R, SB;
+    try {
+      A = Point.fromHex(publicKey, zip215);
+      R = Point.fromHex(sig.slice(0, len), zip215);
+      SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+    } catch (error) {
+      return false;
+    }
+
     const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));
     // [8][S]B = [8]R + [8][k]A'

package/src/abstract/hash-to-curve.ts

@@ -17,7 +17,7 @@ export type Opts = {
   p: bigint;
   m: number;
   k: number;
-  expand?: 'xmd' | 'xof';
+  expand: 'xmd' | 'xof';
   hash: CHash;
 };
 
@@ -145,10 +145,11 @@ export function hash_to_field(msg: Uint8Array, count: number, options: Opts): bi
     prb = expand_message_xmd(msg, DST, len_in_bytes, hash);
   } else if (expand === 'xof') {
     prb = expand_message_xof(msg, DST, len_in_bytes, k, hash);
-  } else if (expand === undefined) {
+  } else if (expand === '_internal_pass') {
+    // for internal tests only
     prb = msg;
   } else {
-    throw new Error('expand must be "xmd", "xof" or undefined');
+    throw new Error('expand must be "xmd" or "xof"');
   }
   const u = new Array(count);
   for (let i = 0; i < count; i++) {

package/src/abstract/utils.ts

@@ -123,12 +123,12 @@ export function utf8ToBytes(str: string): Uint8Array {
 // Amount of bits inside bigint (Same as n.toString(2).length)
 export function bitLen(n: bigint) {
   let len;
-  for (len = 0; n > 0n; n >>= _1n, len += 1);
+  for (len = 0; n > _0n; n >>= _1n, len += 1);
   return len;
 }
 // Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
 // Same as !!+Array.from(n.toString(2)).reverse()[pos]
-export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & 1n;
+export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & _1n;
 // Sets single bit at position
 export const bitSet = (n: bigint, pos: number, value: boolean) =>
   n | ((value ? _1n : _0n) << BigInt(pos));

package/src/abstract/weierstrass.ts

@@ -131,7 +131,7 @@ export type CurvePointsRes<T> = {
 
 // ASN.1 DER encoding utilities
 const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
-const DER = {
+export const DER = {
   // asn.1 DER encoding utils
   Err: class DERErr extends Error {
     constructor(m = '') {
@@ -144,9 +144,13 @@ const DER = {
     const len = data[1];
     const res = data.subarray(2, len + 2);
     if (!len || res.length !== len) throw new E('Invalid signature integer: wrong length');
-    if (res[0] === 0x00 && res[1] <= 0x7f)
-      throw new E('Invalid signature integer: trailing length');
-    // ^ Weird condition: not about length, but about first bytes of number.
+    // https://crypto.stackexchange.com/a/57734 Leftmost bit of first byte is 'negative' flag,
+    // since we always use positive integers here. It must always be empty:
+    // - add zero byte if exists
+    // - if next byte doesn't have a flag, leading zero is not allowed (minimal encoding)
+    if (res[0] & 0b10000000) throw new E('Invalid signature integer: negative');
+    if (res[0] === 0x00 && !(res[1] & 0b10000000))
+      throw new E('Invalid signature integer: unnecessary leading zero');
     return { d: b2n(res), l: data.subarray(len + 2) }; // d is data, l is left
   },
   toSig(hex: string | Uint8Array): { r: bigint; s: bigint } {
@@ -163,7 +167,8 @@ const DER = {
     return { r, s };
   },
   hexFromSig(sig: { r: bigint; s: bigint }): string {
-    const slice = (s: string): string => (Number.parseInt(s[0], 16) >= 8 ? '00' + s : s); // slice DER
+    // Add leading zero if first byte has negative bit enabled. More details in '_parseInt'
+    const slice = (s: string): string => (Number.parseInt(s[0], 16) & 0b1000 ? '00' + s : s);
     const h = (num: number | bigint) => {
       const hex = num.toString(16);
       return hex.length & 1 ? `0${hex}` : hex;
@@ -213,6 +218,12 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
     const x3 = Fp.mul(x2, x); // x2 * x
     return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
   }
+  // Validate whether the passed curve params are valid.
+  // We check if curve equation works for generator point.
+  // `assertValidity()` won't work: `isTorsionFree()` is not available at this point in bls12-381.
+  // ProjectivePoint class has not been initialized yet.
+  if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
+    throw new Error('bad generator point: equation left != right');
 
   // Valid group elements reside in range 1..n-1
   function isWithinCurveOrder(num: bigint): boolean {
@@ -591,7 +602,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
   }
   const _bits = CURVE.nBitLength;
   const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-
+  // Validate if generator point is on curve
   return {
     CURVE,
     ProjectivePoint: Point as ProjConstructor<T>,
@@ -1107,7 +1118,7 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
     tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
     tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
     // 17. for i in (c1, c1 - 1, ..., 2):
-    for (let i = c1; i > 1; i--) {
+    for (let i = c1; i > _1n; i--) {
       let tv5 = _2n ** (i - _2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
       let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
       const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1

package/src/bls12-381.ts

@@ -7,7 +7,7 @@
 //
 // The library uses G1 for public keys and G2 for signatures. Support for G1 signatures is planned.
 // Compatible with Algorand, Chia, Dfinity, Ethereum, FIL, Zcash. Matches specs
-// [pairing-curves-10](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-10),
+// [pairing-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
 // [bls-sigs-04](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04),
 // [hash-to-curve-12](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-12).
 //
@@ -27,24 +27,6 @@
 // - `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
 // Filecoin uses little endian byte arrays for private keys -
 // so ensure to reverse byte order if you'll use it with FIL.
-//
-// ### Resources
-// - [BLS12-381 for the rest of us](https://hackmd.io/@benjaminion/bls12-381)
-// - [Key concepts of pairings](https://medium.com/@alonmuroch_65570/bls-signatures-part-2-key-concepts-of-pairings-27a8a9533d0c)
-// - Pairing over bls12-381:
-//   [part 1](https://research.nccgroup.com/2020/07/06/pairing-over-bls12-381-part-1-fields/),
-//   [part 2](https://research.nccgroup.com/2020/07/13/pairing-over-bls12-381-part-2-curves/),
-//   [part 3](https://research.nccgroup.com/2020/08/13/pairing-over-bls12-381-part-3-pairing/)
-// - [Estimating the bit security of pairing-friendly curves](https://research.nccgroup.com/2022/02/03/estimating-the-bit-security-of-pairing-friendly-curves/)
-//
-// ### Differences from @noble/bls12-381 1.4
-// - PointG1 -> G1.Point
-// - PointG2 -> G2.Point
-// - PointG2.fromSignature -> Signature.decode
-// - PointG2.toSignature ->  Signature.encode
-// - Fixed Fp2 ORDER
-// - Points now have only two coordinates
-
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls, CurveFn } from './abstract/bls.js';
@@ -59,6 +41,7 @@ import {
   bitGet,
   Hex,
   bitMask,
+  bytesToHex,
 } from './abstract/utils.js';
 // Types
 import {
@@ -72,8 +55,8 @@ import { isogenyMap } from './abstract/hash-to-curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
-const _8n = BigInt(8),
-  _16n = BigInt(16);
+// prettier-ignore
+const _8n = BigInt(8), _16n = BigInt(16);
 
 // CURVE FIELDS
 // Finite field over p.
@@ -950,9 +933,9 @@ const isogenyMapG1 = isogenyMap(
 
 // SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i
 const G2_SWU = mapToCurveSimpleSWU(Fp2, {
-  A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(240n) }), // A' = 240 * I
-  B: Fp2.create({ c0: Fp.create(1012n), c1: Fp.create(1012n) }), // B' = 1012 * (1 + I)
-  Z: Fp2.create({ c0: Fp.create(-2n), c1: Fp.create(-1n) }), // Z: -(2 + I)
+  A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
+  B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
+  Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)
 });
 // Optimized SWU Map - Fp to G1
 const G1_SWU = mapToCurveSimpleSWU(Fp, {
@@ -966,7 +949,7 @@ const G1_SWU = mapToCurveSimpleSWU(Fp, {
       '0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0'
     )
   ),
-  Z: Fp.create(11n),
+  Z: Fp.create(BigInt(11)),
 });
 
 // Endomorphisms (for fast cofactor clearing)
@@ -1042,7 +1025,23 @@ const C_BIT_POS = Fp.BITS; // C_bit, compression bit for serialization flag
 const I_BIT_POS = Fp.BITS + 1; // I_bit, point-at-infinity bit for serialization flag
 const S_BIT_POS = Fp.BITS + 2; // S_bit, sign bit for serialization flag
 // Compressed point of infinity
-const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits
+const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(_0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits
+
+function signatureG2ToRawBytes(point: ProjPointType<Fp2>) {
+  // NOTE: by some reasons it was missed in bls12-381, looks like bug
+  point.assertValidity();
+  const len = Fp.BYTES;
+  if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
+    return concatB(COMPRESSED_ZERO, numberToBytesBE(_0n, len));
+  const { x, y } = point.toAffine();
+  const { re: x0, im: x1 } = Fp2.reim(x);
+  const { re: y0, im: y1 } = Fp2.reim(y);
+  const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
+  const aflag1 = Boolean((tmp / Fp.ORDER) & _1n);
+  const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
+  const z2 = x0;
+  return concatB(numberToBytesBE(z1, len), numberToBytesBE(z2, len));
+}
 
 // To verify curve parameters, see pairing-friendly-curves spec:
 // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09
@@ -1056,13 +1055,13 @@ const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(0n, I_BIT_POS, true), S_BIT_POS
 // Here goes constants && point encoding format
 export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
   // Fields
-  Fr,
-  Fp,
-  Fp2,
-  Fp6,
-  Fp12,
-  // order; z⁴ − z² + 1
-  r: Fr.ORDER, // Same as N in other curves
+  fields: {
+    Fp,
+    Fp2,
+    Fp6,
+    Fp12,
+    Fr,
+  },
   // G1 is the order-q subgroup of E1(Fp) : y² = x³ + 4, #E1(Fp) = h1q, where
   // characteristic; z + (z⁴ - z² + 1)(z - 1)²/3
   G1: {
@@ -1095,8 +1094,8 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       const phi = new c(Fp.mul(point.px, cubicRootOfUnityModP), point.py, point.pz);
 
       // todo: unroll
-      const xP = point.multiplyUnsafe(bls12_381.CURVE.x).negate(); // [x]P
-      const u2P = xP.multiplyUnsafe(bls12_381.CURVE.x); // [u2]P
+      const xP = point.multiplyUnsafe(bls12_381.params.x).negate(); // [x]P
+      const u2P = xP.multiplyUnsafe(bls12_381.params.x); // [u2]P
       return u2P.equals(phi);
 
       // https://eprint.iacr.org/2019/814.pdf
@@ -1115,21 +1114,23 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     // https://eprint.iacr.org/2019/403
     clearCofactor: (c, point) => {
       // return this.multiplyUnsafe(CURVE.h);
-      return point.multiplyUnsafe(bls12_381.CURVE.x).add(point); // x*P + P
+      return point.multiplyUnsafe(bls12_381.params.x).add(point); // x*P + P
     },
     mapToCurve: (scalars: bigint[]) => {
       const { x, y } = G1_SWU(Fp.create(scalars[0]));
       return isogenyMapG1(x, y);
     },
     fromBytes: (bytes: Uint8Array): AffinePoint<Fp> => {
+      bytes = bytes.slice();
       if (bytes.length === 48) {
+        // TODO: Fp.bytes
         const P = Fp.ORDER;
         const compressedValue = bytesToNumberBE(bytes);
         const bflag = bitGet(compressedValue, I_BIT_POS);
         // Zero
         if (bflag === _1n) return { x: _0n, y: _0n };
         const x = Fp.create(compressedValue & Fp.MASK);
-        const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.CURVE.G1.b)); // y² = x³ + b
+        const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
         if (!y) throw new Error('Invalid compressed G1 point');
         const aflag = bitGet(compressedValue, C_BIT_POS);
@@ -1138,8 +1139,8 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       } else if (bytes.length === 96) {
         // Check if the infinity flag is set
         if ((bytes[0] & (1 << 6)) !== 0) return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
-        const x = bytesToNumberBE(bytes.slice(0, Fp.BYTES));
-        const y = bytesToNumberBE(bytes.slice(Fp.BYTES));
+        const x = bytesToNumberBE(bytes.subarray(0, Fp.BYTES));
+        const y = bytesToNumberBE(bytes.subarray(Fp.BYTES));
         return { x: Fp.create(x), y: Fp.create(y) };
       } else {
         throw new Error('Invalid point G1, expected 48/96 bytes');
@@ -1212,7 +1213,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     // It returns false for shitty points.
     // https://eprint.iacr.org/2021/1130.pdf
     isTorsionFree: (c, P): boolean => {
-      return P.multiplyUnsafe(bls12_381.CURVE.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
+      return P.multiplyUnsafe(bls12_381.params.x).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
       // Older version: https://eprint.iacr.org/2019/814.pdf
       // Ψ²(P) => Ψ³(P) => [z]Ψ³(P) where z = -x => [z]Ψ³(P) - Ψ²(P) + P == O
       // return P.psi2().psi().mulNegX().subtract(psi2).add(P).isZero();
@@ -1222,7 +1223,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     // https://eprint.iacr.org/2017/419.pdf
     // prettier-ignore
     clearCofactor: (c, P) => {
-      const { x } = bls12_381.CURVE;
+      const x = bls12_381.params.x;
       let t1 = P.multiplyUnsafe(x).negate();  // [-x]P
       let t2 = G2psi(c, P);                   // Ψ(P)
       let t3 = P.double();                    // 2P
@@ -1236,6 +1237,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       return Q;                               // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
     },
     fromBytes: (bytes: Uint8Array): AffinePoint<Fp2> => {
+      bytes = bytes.slice();
       const m_byte = bytes[0] & 0xe0;
       if (m_byte === 0x20 || m_byte === 0x60 || m_byte === 0xe0) {
         throw new Error('Invalid encoding flag: ' + m_byte);
@@ -1246,7 +1248,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       const L = Fp.BYTES;
       const slc = (b: Uint8Array, from: number, to?: number) => bytesToNumberBE(b.slice(from, to));
       if (bytes.length === 96 && bitC) {
-        const { b } = bls12_381.CURVE.G2;
+        const b = bls12_381.params.G2b;
         const P = Fp.ORDER;
 
         bytes[0] = bytes[0] & 0x1f; // clear flags
@@ -1280,31 +1282,31 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       }
     },
     toBytes: (c, point, isCompressed) => {
+      const { BYTES: len, ORDER: P } = Fp;
       const isZero = point.equals(c.ZERO);
       const { x, y } = point.toAffine();
       if (isCompressed) {
-        const P = Fp.ORDER;
-        if (isZero) return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
+        if (isZero) return concatB(COMPRESSED_ZERO, numberToBytesBE(_0n, len));
         const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
         // set compressed & sign bits (looks like different offsets than for G1/Fp?)
         let x_1 = bitSet(x.c1, C_BIT_POS, flag);
         x_1 = bitSet(x_1, S_BIT_POS, true);
-        return concatB(numberToBytesBE(x_1, Fp.BYTES), numberToBytesBE(x.c0, Fp.BYTES));
+        return concatB(numberToBytesBE(x_1, len), numberToBytesBE(x.c0, len));
       } else {
-        if (isZero) return concatB(new Uint8Array([0x40]), new Uint8Array(4 * Fp.BYTES - 1)); // bytes[0] |= 1 << 6;
+        if (isZero) return concatB(new Uint8Array([0x40]), new Uint8Array(4 * len - 1)); // bytes[0] |= 1 << 6;
         const { re: x0, im: x1 } = Fp2.reim(x);
         const { re: y0, im: y1 } = Fp2.reim(y);
         return concatB(
-          numberToBytesBE(x1, Fp.BYTES),
-          numberToBytesBE(x0, Fp.BYTES),
-          numberToBytesBE(y1, Fp.BYTES),
-          numberToBytesBE(y0, Fp.BYTES)
+          numberToBytesBE(x1, len),
+          numberToBytesBE(x0, len),
+          numberToBytesBE(y1, len),
+          numberToBytesBE(y0, len)
         );
       }
     },
     Signature: {
       // TODO: Optimize, it's very slow because of sqrt.
-      decode(hex: Hex): ProjPointType<Fp2> {
+      fromHex(hex: Hex): ProjPointType<Fp2> {
         hex = ensureBytes('signatureHex', hex);
         const P = Fp.ORDER;
         const half = hex.length / 2;
@@ -1319,7 +1321,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
         const x1 = Fp.create(z1 & Fp.MASK);
         const x2 = Fp.create(z2);
         const x = Fp2.create({ c0: x2, c1: x1 });
-        const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381.CURVE.G2.b); // y² = x³ + 4
+        const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381.params.G2b); // y² = x³ + 4
         // The slow part
         let y = Fp2.sqrt(y2);
         if (!y) throw new Error('Failed to find a square root');
@@ -1335,24 +1337,18 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
         point.assertValidity();
         return point;
       },
-      encode(point: ProjPointType<Fp2>) {
-        // NOTE: by some reasons it was missed in bls12-381, looks like bug
-        point.assertValidity();
-        if (point.equals(bls12_381.G2.ProjectivePoint.ZERO))
-          return concatB(COMPRESSED_ZERO, numberToBytesBE(0n, Fp.BYTES));
-        const a = point.toAffine();
-        const { re: x0, im: x1 } = Fp2.reim(a.x);
-        const { re: y0, im: y1 } = Fp2.reim(a.y);
-        const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
-        const aflag1 = Boolean((tmp / Fp.ORDER) & _1n);
-        const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
-        const z2 = x0;
-        return concatB(numberToBytesBE(z1, Fp.BYTES), numberToBytesBE(z2, Fp.BYTES));
+      toRawBytes(point: ProjPointType<Fp2>) {
+        return signatureG2ToRawBytes(point);
+      },
+      toHex(point: ProjPointType<Fp2>) {
+        return bytesToHex(signatureG2ToRawBytes(point));
       },
     },
   },
-  // The BLS parameter x for BLS12-381
-  x: BLS_X,
+  params: {
+    x: BLS_X, // The BLS parameter x for BLS12-381
+    r: Fr.ORDER, // order; z⁴ − z² + 1; CURVE.n from other curves
+  },
   htfDefaults,
   hash: sha256,
   randomBytes,

package/src/ed25519.ts

@@ -95,15 +95,15 @@ export const ED25519_TORSION_SUBGROUP = [
 
 const Fp = Field(ED25519_P, undefined, true);
 
-const ED25519_DEF = {
+const ed25519Defaults = {
   // Param: a
-  a: BigInt(-1),
-  // Equal to -121665/121666 over finite field.
+  a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
+  // d is equal to -121665/121666 over finite field.
   // Negative number is P - number, and division is invert(number, P)
   d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
   // Finite field 𝔽p over which we'll do calculations; 2n ** 255n - 19n
   Fp,
-  // Subgroup order: how many points ed25519 has
+  // Subgroup order: how many points curve has
   // 2n ** 252n + 27742317777372353535851937790883648493n;
   n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
   // Cofactor
@@ -120,7 +120,7 @@ const ED25519_DEF = {
   uvRatio,
 } as const;
 
-export const ed25519 = twistedEdwards(ED25519_DEF);
+export const ed25519 = twistedEdwards(ed25519Defaults);
 function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   if (ctx.length > 255) throw new Error('Context is too big');
   return concatBytes(
@@ -130,11 +130,11 @@ function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
     data
   );
 }
-export const ed25519ctx = twistedEdwards({ ...ED25519_DEF, domain: ed25519_domain });
+export const ed25519ctx = twistedEdwards({ ...ed25519Defaults, domain: ed25519_domain });
 export const ed25519ph = twistedEdwards({
-  ...ED25519_DEF,
+  ...ed25519Defaults,
   domain: ed25519_domain,
-  preHash: sha512,
+  prehash: sha512,
 });
 
 export const x25519 = montgomery({
@@ -153,6 +153,20 @@ export const x25519 = montgomery({
   randomBytes,
 });
 
+/**
+ * Converts ed25519 public key to x25519 public key. Uses formula:
+ * * `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+ * * `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+ * @example
+ *   const aPub = ed25519.getPublicKey(utils.randomPrivateKey());
+ *   x25519.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
+ */
+export function edwardsToMontgomery(edwardsPub: Hex): Uint8Array {
+  const { y } = ed25519.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+}
+
 // Hash To Curve Elligator2 Map (NOTE: different from ristretto255 elligator)
 // NOTE: very important part is usage of FpSqrtEven for ELL2_C1_EDWARDS, since
 // SageMath returns different root first and everything falls apart

package/src/ed448.ts

@@ -120,7 +120,7 @@ const ED448_DEF = {
 
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
-export const ed448ph = twistedEdwards({ ...ED448_DEF, preHash: shake256_64 });
+export const ed448ph = twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
 
 export const x448 = montgomery({
   a: BigInt(156326),
@@ -136,22 +136,22 @@ export const x448 = montgomery({
   },
   adjustScalarBytes,
   randomBytes,
-  // The 4-isogeny maps between the Montgomery curve and this Edwards
-  // curve are:
-  //   (u, v) = (y^2/x^2, (2 - x^2 - y^2)*y/x^3)
-  //   (x, y) = (4*v*(u^2 - 1)/(u^4 - 2*u^2 + 4*v^2 + 1),
-  //             -(u^5 - 2*u^3 - 4*u*v^2 + u)/
-  //             (u^5 - 2*u^2*v^2 - 2*u^3 - 2*v^2 + u))
-  // xyToU: (p: PointType) => {
-  //   const P = ed448P;
-  //   const { x, y } = p;
-  //   if (x === _0n) throw new Error(`Point with x=0 doesn't have mapping`);
-  //   const invX = invert(x * x, P); // x^2
-  //   const u = mod(y * y * invX, P); // (y^2/x^2)
-  //   return numberToBytesLE(u, 56);
-  // },
 });
 
+/**
+ * Converts edwards448 public key to x448 public key. Uses formula:
+ * * `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+ * * `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+ * @example
+ *   const aPub = ed448.getPublicKey(utils.randomPrivateKey());
+ *   x448.getSharedSecret(edwardsToMontgomery(aPub), edwardsToMontgomery(someonesPub))
+ */
+export function edwardsToMontgomery(edwardsPub: string | Uint8Array): Uint8Array {
+  const { y } = ed448.ExtendedPoint.fromHex(edwardsPub);
+  const _1n = BigInt(1);
+  return Fp.toBytes(Fp.create((y - _1n) * Fp.inv(y + _1n)));
+}
+
 // Hash To Curve Elligator2 Map
 const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
 const ELL2_J = BigInt(156326);