@noble/curves 1.0.0 → 1.2.0

package/src/abstract/utils.ts

@@ -1,13 +1,14 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// 100 lines of code in the file are duplicated from noble-hashes (utils).
+// This is OK: `abstract` directory does not use noble-hashes.
+// User may opt-in into using different hashing library. This way, noble-hashes
+// won't be included into their bundle.
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const u8a = (a: any): a is Uint8Array => a instanceof Uint8Array;
-
-// We accept hex strings besides Uint8Array for simplicity
-export type Hex = Uint8Array | string;
-// Very few implementations accept numbers, we do it to ease learning curve
-export type PrivKey = Hex | bigint;
+export type Hex = Uint8Array | string; // hex strings are accepted for simplicity
+export type PrivKey = Hex | bigint; // bigints are accepted to ease learning curve
 export type CHash = {
   (message: Uint8Array | string): Uint8Array;
   blockLen: number;
@@ -16,7 +17,12 @@ export type CHash = {
 };
 export type FHash = (message: Uint8Array | string) => Uint8Array;
 
-const hexes = Array.from({ length: 256 }, (v, i) => i.toString(16).padStart(2, '0'));
+const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) =>
+  i.toString(16).padStart(2, '0')
+);
+/**
+ * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
+ */
 export function bytesToHex(bytes: Uint8Array): string {
   if (!u8a(bytes)) throw new Error('Uint8Array expected');
   // pre-caching improves the speed 6x
@@ -38,22 +44,25 @@ export function hexToNumber(hex: string): bigint {
   return BigInt(hex === '' ? '0' : `0x${hex}`);
 }
 
-// Caching slows it down 2-3x
+/**
+ * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
+ */
 export function hexToBytes(hex: string): Uint8Array {
   if (typeof hex !== 'string') throw new Error('hex string expected, got ' + typeof hex);
-  if (hex.length % 2) throw new Error('hex string is invalid: unpadded ' + hex.length);
-  const array = new Uint8Array(hex.length / 2);
+  const len = hex.length;
+  if (len % 2) throw new Error('padded hex string expected, got unpadded hex of length ' + len);
+  const array = new Uint8Array(len / 2);
   for (let i = 0; i < array.length; i++) {
     const j = i * 2;
     const hexByte = hex.slice(j, j + 2);
     const byte = Number.parseInt(hexByte, 16);
-    if (Number.isNaN(byte) || byte < 0) throw new Error('invalid byte sequence');
+    if (Number.isNaN(byte) || byte < 0) throw new Error('Invalid byte sequence');
     array[i] = byte;
   }
   return array;
 }
 
-// Big Endian
+// BE: Big Endian, LE: Little Endian
 export function bytesToNumberBE(bytes: Uint8Array): bigint {
   return hexToNumber(bytesToHex(bytes));
 }
@@ -62,12 +71,26 @@ export function bytesToNumberLE(bytes: Uint8Array): bigint {
   return hexToNumber(bytesToHex(Uint8Array.from(bytes).reverse()));
 }
 
-export const numberToBytesBE = (n: bigint, len: number) =>
-  hexToBytes(n.toString(16).padStart(len * 2, '0'));
-export const numberToBytesLE = (n: bigint, len: number) => numberToBytesBE(n, len).reverse();
-// Returns variable number bytes (minimal bigint encoding?)
-export const numberToVarBytesBE = (n: bigint) => hexToBytes(numberToHexUnpadded(n));
+export function numberToBytesBE(n: number | bigint, len: number): Uint8Array {
+  return hexToBytes(n.toString(16).padStart(len * 2, '0'));
+}
+export function numberToBytesLE(n: number | bigint, len: number): Uint8Array {
+  return numberToBytesBE(n, len).reverse();
+}
+// Unpadded, rarely used
+export function numberToVarBytesBE(n: number | bigint): Uint8Array {
+  return hexToBytes(numberToHexUnpadded(n));
+}
 
+/**
+ * Takes hex string or Uint8Array, converts to Uint8Array.
+ * Validates output length.
+ * Will throw error for other types.
+ * @param title descriptive title for an error e.g. 'private key'
+ * @param hex hex string or Uint8Array
+ * @param expectedLength optional, will compare to result array's length
+ * @returns
+ */
 export function ensureBytes(title: string, hex: Hex, expectedLength?: number): Uint8Array {
   let res: Uint8Array;
   if (typeof hex === 'string') {
@@ -89,11 +112,13 @@ export function ensureBytes(title: string, hex: Hex, expectedLength?: number): U
   return res;
 }
 
-// Copies several Uint8Arrays into one.
-export function concatBytes(...arrs: Uint8Array[]): Uint8Array {
-  const r = new Uint8Array(arrs.reduce((sum, a) => sum + a.length, 0));
+/**
+ * Copies several Uint8Arrays into one.
+ */
+export function concatBytes(...arrays: Uint8Array[]): Uint8Array {
+  const r = new Uint8Array(arrays.reduce((sum, a) => sum + a.length, 0));
   let pad = 0; // walk through each item, ensure they have proper type
-  arrs.forEach((a) => {
+  arrays.forEach((a) => {
     if (!u8a(a)) throw new Error('Uint8Array expected');
     r.set(a, pad);
     pad += a.length;
@@ -111,29 +136,47 @@ export function equalBytes(b1: Uint8Array, b2: Uint8Array) {
 // Global symbols in both browsers and Node.js since v11
 // See https://github.com/microsoft/TypeScript/issues/31535
 declare const TextEncoder: any;
+
+/**
+ * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
+ */
 export function utf8ToBytes(str: string): Uint8Array {
-  if (typeof str !== 'string') {
-    throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
-  }
-  return new TextEncoder().encode(str);
+  if (typeof str !== 'string') throw new Error(`utf8ToBytes expected string, got ${typeof str}`);
+  return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
 }
 
 // Bit operations
 
-// Amount of bits inside bigint (Same as n.toString(2).length)
+/**
+ * Calculates amount of bits in a bigint.
+ * Same as `n.toString(2).length`
+ */
 export function bitLen(n: bigint) {
   let len;
   for (len = 0; n > _0n; n >>= _1n, len += 1);
   return len;
 }
-// Gets single bit at position. NOTE: first bit position is 0 (same as arrays)
-// Same as !!+Array.from(n.toString(2)).reverse()[pos]
-export const bitGet = (n: bigint, pos: number) => (n >> BigInt(pos)) & _1n;
-// Sets single bit at position
-export const bitSet = (n: bigint, pos: number, value: boolean) =>
-  n | ((value ? _1n : _0n) << BigInt(pos));
-// Return mask for N bits (Same as BigInt(`0b${Array(i).fill('1').join('')}`))
-// Not using ** operator with bigints for old engines.
+
+/**
+ * Gets single bit at position.
+ * NOTE: first bit position is 0 (same as arrays)
+ * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
+ */
+export function bitGet(n: bigint, pos: number) {
+  return (n >> BigInt(pos)) & _1n;
+}
+
+/**
+ * Sets single bit at position.
+ */
+export const bitSet = (n: bigint, pos: number, value: boolean) => {
+  return n | ((value ? _1n : _0n) << BigInt(pos));
+};
+
+/**
+ * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
+ * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
+ */
 export const bitMask = (n: number) => (_2n << BigInt(n - 1)) - _1n;
 
 // DRBG
@@ -205,6 +248,7 @@ const validatorFns = {
   function: (val: any) => typeof val === 'function',
   boolean: (val: any) => typeof val === 'boolean',
   string: (val: any) => typeof val === 'string',
+  stringOrUint8Array: (val: any) => typeof val === 'string' || val instanceof Uint8Array,
   isSafeInteger: (val: any) => Number.isSafeInteger(val),
   array: (val: any) => Array.isArray(val),
   field: (val: any, object: any) => (object as any).Fp.isValid(val),

package/src/abstract/weierstrass.ts

@@ -193,7 +193,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
 
   const toBytes =
     CURVE.toBytes ||
-    ((c: ProjConstructor<T>, point: ProjPointType<T>, isCompressed: boolean) => {
+    ((_c: ProjConstructor<T>, point: ProjPointType<T>, _isCompressed: boolean) => {
       const a = point.toAffine();
       return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
     });
@@ -333,9 +333,11 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>) {
 
     // A point on curve is valid if it conforms to equation.
     assertValidity(): void {
-      // Zero is valid point too!
       if (this.is0()) {
-        if (CURVE.allowInfinityPoint) return;
+        // (0, 1, 0) aka ZERO is invalid in most contexts.
+        // In BLS, ZERO can be serialized, so we allow it.
+        // (0, 0, 0) is wrong representation of ZERO and is always invalid.
+        if (CURVE.allowInfinityPoint && !Fp.is0(this.py)) return;
         throw new Error('bad point: ZERO');
       }
       // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
@@ -618,7 +620,7 @@ export interface SignatureType {
   readonly s: bigint;
   readonly recovery?: number;
   assertValidity(): void;
-  addRecoveryBit(recovery: number): SignatureType;
+  addRecoveryBit(recovery: number): RecoveredSignatureType;
   hasHighS(): boolean;
   normalizeS(): SignatureType;
   recoverPublicKey(msgHash: Hex): ProjPointType<bigint>;
@@ -628,6 +630,9 @@ export interface SignatureType {
   toDERRawBytes(isCompressed?: boolean): Uint8Array;
   toDERHex(isCompressed?: boolean): string;
 }
+export type RecoveredSignatureType = SignatureType & {
+  readonly recovery: number;
+};
 // Static methods
 export type SignatureConstructor = {
   new (r: bigint, s: bigint): SignatureType;
@@ -669,7 +674,7 @@ export type CurveFn = {
   CURVE: ReturnType<typeof validateOpts>;
   getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
   getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
-  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
+  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => RecoveredSignatureType;
   verify: (signature: Hex | SignatureLike, msgHash: Hex, publicKey: Hex, opts?: VerOpts) => boolean;
   ProjectivePoint: ProjConstructor<bigint>;
   Signature: SignatureConstructor;
@@ -704,7 +709,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     isWithinCurveOrder,
   } = weierstrassPoints({
     ...CURVE,
-    toBytes(c, point, isCompressed: boolean): Uint8Array {
+    toBytes(_c, point, isCompressed: boolean): Uint8Array {
       const a = point.toAffine();
       const x = Fp.toBytes(a.x);
       const cat = ut.concatBytes;
@@ -782,8 +787,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       if (!isWithinCurveOrder(this.s)) throw new Error('s must be 0 < s < CURVE.n');
     }
 
-    addRecoveryBit(recovery: number) {
-      return new Signature(this.r, this.s, recovery);
+    addRecoveryBit(recovery: number): RecoveredSignature {
+      return new Signature(this.r, this.s, recovery) as RecoveredSignature;
     }
 
     recoverPublicKey(msgHash: Hex): typeof Point.BASE {
@@ -828,6 +833,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return numToNByteStr(this.r) + numToNByteStr(this.s);
     }
   }
+  type RecoveredSignature = Signature & { recovery: number };
 
   const utils = {
     isValidPrivateKey(privateKey: PrivKey) {
@@ -841,13 +847,12 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     normPrivateKeyToScalar: normPrivateKeyToScalar,
 
     /**
-     * Produces cryptographically secure private key from random of size (nBitLength+64)
-     * as per FIPS 186 B.4.1 with modulo bias being neglible.
+     * Produces cryptographically secure private key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
      */
     randomPrivateKey: (): Uint8Array => {
-      const rand = CURVE.randomBytes(Fp.BYTES + 8);
-      const num = mod.hashToPrivateScalar(rand, CURVE_ORDER);
-      return ut.numberToBytesBE(num, CURVE.nByteLength);
+      const length = mod.getMinHashLength(CURVE.n);
+      return mod.mapHashToField(CURVE.randomBytes(length), CURVE.n);
     },
 
     /**
@@ -960,12 +965,12 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     if (ent != null) {
       // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
       const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
-      seedArgs.push(ensureBytes('extraEntropy', e, Fp.BYTES)); // check for being of size BYTES
+      seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
     const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2
     const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
     // Converts signature params into point w r/s, checks result for validity.
-    function k2sig(kBytes: Uint8Array): Signature | undefined {
+    function k2sig(kBytes: Uint8Array): RecoveredSignature | undefined {
       // RFC 6979 Section 3.2, step 3: k = bits2int(T)
       const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
       if (!isWithinCurveOrder(k)) return; // Important: all mod() calls here must be done over N
@@ -984,7 +989,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
         normS = normalizeS(s); // if lowS was passed, ensure s is always
         recovery ^= 1; // // in the bottom half of N
       }
-      return new Signature(r, normS, recovery); // use normS, not s
+      return new Signature(r, normS, recovery) as RecoveredSignature; // use normS, not s
     }
     return { seed, k2sig };
   }
@@ -992,18 +997,22 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   const defaultVerOpts: VerOpts = { lowS: CURVE.lowS, prehash: false };
 
   /**
-   * Signs message hash (not message: you need to hash it by yourself).
+   * Signs message hash with a private key.
    * ```
    * sign(m, d, k) where
    *   (x, y) = G × k
    *   r = x mod n
    *   s = (m + dr)/k mod n
    * ```
-   * @param opts `lowS, extraEntropy, prehash`
+   * @param msgHash NOT message. msg needs to be hashed to `msgHash`, or use `prehash`.
+   * @param privKey private key
+   * @param opts lowS for non-malleable sigs. extraEntropy for mixing randomness into k. prehash will hash first arg.
+   * @returns signature with recovery param
    */
-  function sign(msgHash: Hex, privKey: PrivKey, opts = defaultSigOpts): Signature {
+  function sign(msgHash: Hex, privKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
     const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
-    const drbg = ut.createHmacDrbg<Signature>(CURVE.hash.outputLen, CURVE.nByteLength, CURVE.hmac);
+    const C = CURVE;
+    const drbg = ut.createHmacDrbg<RecoveredSignature>(C.hash.outputLen, C.nByteLength, C.hmac);
     return drbg(seed, k2sig); // Steps B, C, D, E, F, G
   }
 
@@ -1084,20 +1093,29 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   };
 }
 
-// Implementation of the Shallue and van de Woestijne method for any Weierstrass curve
-// TODO: check if there is a way to merge this with uvRatio in Edwards && move to modular?
-// b = True and y = sqrt(u / v) if (u / v) is square in F, and
-// b = False and y = sqrt(Z * (u / v)) otherwise.
+/**
+ * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
+ * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
+ * b = True and y = sqrt(u / v) if (u / v) is square in F, and
+ * b = False and y = sqrt(Z * (u / v)) otherwise.
+ * @param Fp
+ * @param Z
+ * @returns
+ */
 export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
   // Generic implementation
   const q = Fp.ORDER;
   let l = _0n;
   for (let o = q - _1n; o % _2n === _0n; o /= _2n) l += _1n;
   const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-  const c2 = (q - _1n) / _2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
+  // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
+  // 2n ** c1 == 2n << (c1-1)
+  const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
+  const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
+  const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
   const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-  const c4 = _2n ** c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
-  const c5 = _2n ** (c1 - _1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
+  const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+  const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
   const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
   const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
   let sqrtRatio = (u: T, v: T): { isValid: boolean; value: T } => {
@@ -1119,7 +1137,8 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
     tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
     // 17. for i in (c1, c1 - 1, ..., 2):
     for (let i = c1; i > _1n; i--) {
-      let tv5 = _2n ** (i - _2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
+      let tv5 = i - _2n; // 18.    tv5 = i - 2
+      tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
       let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
       const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
       tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
@@ -1151,7 +1170,10 @@ export function SWUFpSqrtRatio<T>(Fp: mod.IField<T>, Z: T) {
   // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
   return sqrtRatio;
 }
-// From draft-irtf-cfrg-hash-to-curve-16
+/**
+ * Simplified Shallue-van de Woestijne-Ulas Method
+ * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
+ */
 export function mapToCurveSimpleSWU<T>(
   Fp: mod.IField<T>,
   opts: {

package/src/bls12-381.ts

@@ -8,8 +8,8 @@
 // The library uses G1 for public keys and G2 for signatures. Support for G1 signatures is planned.
 // Compatible with Algorand, Chia, Dfinity, Ethereum, FIL, Zcash. Matches specs
 // [pairing-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
-// [bls-sigs-04](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04),
-// [hash-to-curve-12](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-12).
+// [bls-sigs-04](https:/cfrg-hash-to/tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04),
+// [hash-to-curve-12](https://tools.ietf.org/html/draft-irtf--curve-12).
 //
 // ### Summary
 // 1. BLS Relies on Bilinear Pairing (expensive)
@@ -60,11 +60,10 @@ const _8n = BigInt(8), _16n = BigInt(16);
 
 // CURVE FIELDS
 // Finite field over p.
-const Fp = mod.Field(
-  BigInt(
-    '0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'
-  )
+const Fp_raw = BigInt(
+  '0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'
 );
+const Fp = mod.Field(Fp_raw);
 type Fp = bigint;
 // Finite field over r.
 // This particular field is not used anywhere in bls12-381, but it is still useful.
@@ -110,10 +109,7 @@ type Fp2Utils = {
 // G² - 1
 // h2q
 // NOTE: ORDER was wrong!
-const FP2_ORDER =
-  BigInt(
-    '0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'
-  ) ** _2n;
+const FP2_ORDER = Fp_raw * Fp_raw;
 
 const Fp2: mod.IField<Fp2> & Fp2Utils = {
   ORDER: FP2_ORDER,
@@ -181,7 +177,7 @@ const Fp2: mod.IField<Fp2> & Fp2Utils = {
     if (im1 > im2 || (im1 === im2 && re1 > re2)) return x1;
     return x2;
   },
-  // Same as sgn0_fp2 in draft-irtf-cfrg-hash-to-curve-16
+  // Same as sgn0_m_eq_2 in RFC 9380
   isOdd: (x: Fp2) => {
     const { re: x0, im: x1 } = Fp2.reim(x);
     const sign_0 = x0 % _2n;
@@ -784,8 +780,7 @@ const FP12_FROBENIUS_COEFFICIENTS = [
 
 // HashToCurve
 
-// 3-isogeny map from E' to E
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#appendix-E.3
+// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
 const isogenyMapG2 = isogenyMap(
   Fp2,
   [
@@ -989,7 +984,7 @@ function G2psi2(c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) {
 //
 // Parameter definitions are in section 5.3 of the spec unless otherwise noted.
 // Parameter values come from section 8.8.2 of the spec.
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-8.8.2
+// https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2
 //
 // Base field F is GF(p^m)
 // p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
@@ -1044,7 +1039,7 @@ function signatureG2ToRawBytes(point: ProjPointType<Fp2>) {
 }
 
 // To verify curve parameters, see pairing-friendly-curves spec:
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11
 // Basic math is done over finite fields over p.
 // More complicated math is done over polynominal extension fields.
 // To simplify calculations in Fp12, we construct extension tower:
@@ -1112,7 +1107,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     },
     // Clear cofactor of G1
     // https://eprint.iacr.org/2019/403
-    clearCofactor: (c, point) => {
+    clearCofactor: (_c, point) => {
       // return this.multiplyUnsafe(CURVE.h);
       return point.multiplyUnsafe(bls12_381.params.x).add(point); // x*P + P
     },
@@ -1197,7 +1192,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       ),
     ]),
     a: Fp2.ZERO,
-    b: Fp2.fromBigTuple([4n, _4n]),
+    b: Fp2.fromBigTuple([_4n, _4n]),
     hEff: BigInt(
       '0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'
     ),