@noble/curves 1.1.0 → 1.3.0

package/src/bls12-381.ts

@@ -1,15 +1,9 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 
-// bls12-381 pairing-friendly Barreto-Lynn-Scott elliptic curve construction allows to:
-// - Construct zk-SNARKs at the 128-bit security
-// - Use threshold signatures, which allows a user to sign lots of messages with one signature and
-//   verify them swiftly in a batch, using Boneh-Lynn-Shacham signature scheme.
-//
-// The library uses G1 for public keys and G2 for signatures. Support for G1 signatures is planned.
-// Compatible with Algorand, Chia, Dfinity, Ethereum, FIL, Zcash. Matches specs
-// [pairing-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
-// [bls-sigs-04](https://tools.ietf.org/html/draft-irtf-cfrg-bls-signature-04),
-// [hash-to-curve-12](https://tools.ietf.org/html/draft-irtf-cfrg-hash-to-curve-12).
+// bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
+// - Construct zk-SNARKs at the 120-bit security
+// - Efficiently verify N aggregate signatures with 1 pairing and N ec additions:
+//   the Boneh-Lynn-Shacham signature scheme is orders of magnitude more efficient than Schnorr
 //
 // ### Summary
 // 1. BLS Relies on Bilinear Pairing (expensive)
@@ -25,8 +19,17 @@
 // - `S = pk x H(m)` - signing
 // - `e(P, H(m)) == e(G, S)` - verification using pairings
 // - `e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))` - signature aggregation
-// Filecoin uses little endian byte arrays for private keys -
-// so ensure to reverse byte order if you'll use it with FIL.
+//
+// ### Compatibility and notes
+// 1. It is compatible with Algorand, Chia, Dfinity, Ethereum, Filecoin, ZEC
+//    Filecoin uses little endian byte arrays for private keys - make sure to reverse byte order.
+// 2. Some projects use G2 for public keys and G1 for signatures. It's called "short signature"
+// 3. Curve security level is about 120 bits as per Barbulescu-Duquesne 2017
+//    https://hal.science/hal-01534101/file/main.pdf
+// 4. Compatible with specs:
+// [cfrg-pairing-friendly-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
+// [cfrg-bls-signature-05](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05),
+// [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
 import { sha256 } from '@noble/hashes/sha256';
 import { randomBytes } from '@noble/hashes/utils';
 import { bls, CurveFn } from './abstract/bls.js';
@@ -37,7 +40,6 @@ import {
   numberToBytesBE,
   bytesToNumberBE,
   bitLen,
-  bitSet,
   bitGet,
   Hex,
   bitMask,
@@ -177,7 +179,7 @@ const Fp2: mod.IField<Fp2> & Fp2Utils = {
     if (im1 > im2 || (im1 === im2 && re1 > re2)) return x1;
     return x2;
   },
-  // Same as sgn0_fp2 in draft-irtf-cfrg-hash-to-curve-16
+  // Same as sgn0_m_eq_2 in RFC 9380
   isOdd: (x: Fp2) => {
     const { re: x0, im: x1 } = Fp2.reim(x);
     const sign_0 = x0 % _2n;
@@ -780,8 +782,7 @@ const FP12_FROBENIUS_COEFFICIENTS = [
 
 // HashToCurve
 
-// 3-isogeny map from E' to E
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#appendix-E.3
+// 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
 const isogenyMapG2 = isogenyMap(
   Fp2,
   [
@@ -985,7 +986,7 @@ function G2psi2(c: ProjConstructor<Fp2>, P: ProjPointType<Fp2>) {
 //
 // Parameter definitions are in section 5.3 of the spec unless otherwise noted.
 // Parameter values come from section 8.8.2 of the spec.
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-8.8.2
+// https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2
 //
 // Base field F is GF(p^m)
 // p = 0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab
@@ -1017,11 +1018,41 @@ const htfDefaults = Object.freeze({
 
 // Encoding utils
 // Point on G1 curve: (x, y)
-const C_BIT_POS = Fp.BITS; // C_bit, compression bit for serialization flag
-const I_BIT_POS = Fp.BITS + 1; // I_bit, point-at-infinity bit for serialization flag
-const S_BIT_POS = Fp.BITS + 2; // S_bit, sign bit for serialization flag
+
 // Compressed point of infinity
-const COMPRESSED_ZERO = Fp.toBytes(bitSet(bitSet(_0n, I_BIT_POS, true), S_BIT_POS, true)); // set compressed & point-at-infinity bits
+const COMPRESSED_ZERO = setMask(Fp.toBytes(_0n), { infinity: true, compressed: true }); // set compressed & point-at-infinity bits
+
+function parseMask(bytes: Uint8Array) {
+  // Copy, so we can remove mask data. It will be removed also later, when Fp.create will call modulo.
+  bytes = bytes.slice();
+  const mask = bytes[0] & 0b1110_0000;
+  const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
+  const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
+  const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
+  bytes[0] &= 0b0001_1111; // clear mask (zero first 3 bits)
+  return { compressed, infinity, sort, value: bytes };
+}
+
+function setMask(
+  bytes: Uint8Array,
+  mask: { compressed?: boolean; infinity?: boolean; sort?: boolean }
+) {
+  if (bytes[0] & 0b1110_0000) throw new Error('setMask: non-empty mask');
+  if (mask.compressed) bytes[0] |= 0b1000_0000;
+  if (mask.infinity) bytes[0] |= 0b0100_0000;
+  if (mask.sort) bytes[0] |= 0b0010_0000;
+  return bytes;
+}
+
+function signatureG1ToRawBytes(point: ProjPointType<Fp>) {
+  point.assertValidity();
+  const isZero = point.equals(bls12_381.G1.ProjectivePoint.ZERO);
+  const { x, y } = point.toAffine();
+  if (isZero) return COMPRESSED_ZERO.slice();
+  const P = Fp.ORDER;
+  const sort = Boolean((y * _2n) / P);
+  return setMask(numberToBytesBE(x, Fp.BYTES), { compressed: true, sort });
+}
 
 function signatureG2ToRawBytes(point: ProjPointType<Fp2>) {
   // NOTE: by some reasons it was missed in bls12-381, looks like bug
@@ -1033,14 +1064,16 @@ function signatureG2ToRawBytes(point: ProjPointType<Fp2>) {
   const { re: x0, im: x1 } = Fp2.reim(x);
   const { re: y0, im: y1 } = Fp2.reim(y);
   const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
-  const aflag1 = Boolean((tmp / Fp.ORDER) & _1n);
-  const z1 = bitSet(bitSet(x1, 381, aflag1), S_BIT_POS, true);
+  const sort = Boolean((tmp / Fp.ORDER) & _1n);
   const z2 = x0;
-  return concatB(numberToBytesBE(z1, len), numberToBytesBE(z2, len));
+  return concatB(
+    setMask(numberToBytesBE(x1, len), { sort, compressed: true }),
+    numberToBytesBE(z2, len)
+  );
 }
 
 // To verify curve parameters, see pairing-friendly-curves spec:
-// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-09
+// https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11
 // Basic math is done over finite fields over p.
 // More complicated math is done over polynominal extension fields.
 // To simplify calculations in Fp12, we construct extension tower:
@@ -1075,7 +1108,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     ),
     a: Fp.ZERO,
     b: _4n,
-    htfDefaults: { ...htfDefaults, m: 1 },
+    htfDefaults: { ...htfDefaults, m: 1, DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_' },
     wrapPrivateKey: true,
     allowInfinityPoint: true,
     // Checks is the point resides in prime-order subgroup.
@@ -1108,7 +1141,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     },
     // Clear cofactor of G1
     // https://eprint.iacr.org/2019/403
-    clearCofactor: (c, point) => {
+    clearCofactor: (_c, point) => {
       // return this.multiplyUnsafe(CURVE.h);
       return point.multiplyUnsafe(bls12_381.params.x).add(point); // x*P + P
     },
@@ -1117,26 +1150,30 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       return isogenyMapG1(x, y);
     },
     fromBytes: (bytes: Uint8Array): AffinePoint<Fp> => {
-      bytes = bytes.slice();
-      if (bytes.length === 48) {
+      const { compressed, infinity, sort, value } = parseMask(bytes);
+      if (value.length === 48 && compressed) {
         // TODO: Fp.bytes
         const P = Fp.ORDER;
-        const compressedValue = bytesToNumberBE(bytes);
-        const bflag = bitGet(compressedValue, I_BIT_POS);
+        const compressedValue = bytesToNumberBE(value);
         // Zero
-        if (bflag === _1n) return { x: _0n, y: _0n };
         const x = Fp.create(compressedValue & Fp.MASK);
+        if (infinity) {
+          if (x !== _0n) throw new Error('G1: non-empty compressed point at infinity');
+          return { x: _0n, y: _0n };
+        }
         const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
         if (!y) throw new Error('Invalid compressed G1 point');
-        const aflag = bitGet(compressedValue, C_BIT_POS);
-        if ((y * _2n) / P !== aflag) y = Fp.neg(y);
+        if ((y * _2n) / P !== BigInt(sort)) y = Fp.neg(y);
         return { x: Fp.create(x), y: Fp.create(y) };
-      } else if (bytes.length === 96) {
+      } else if (value.length === 96 && !compressed) {
         // Check if the infinity flag is set
-        if ((bytes[0] & (1 << 6)) !== 0) return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
-        const x = bytesToNumberBE(bytes.subarray(0, Fp.BYTES));
-        const y = bytesToNumberBE(bytes.subarray(Fp.BYTES));
+        const x = bytesToNumberBE(value.subarray(0, Fp.BYTES));
+        const y = bytesToNumberBE(value.subarray(Fp.BYTES));
+        if (infinity) {
+          if (x !== _0n || y !== _0n) throw new Error('G1: non-empty point at infinity');
+          return bls12_381.G1.ProjectivePoint.ZERO.toAffine();
+        }
         return { x: Fp.create(x), y: Fp.create(y) };
       } else {
         throw new Error('Invalid point G1, expected 48/96 bytes');
@@ -1148,10 +1185,8 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       if (isCompressed) {
         if (isZero) return COMPRESSED_ZERO.slice();
         const P = Fp.ORDER;
-        let num;
-        num = bitSet(x, C_BIT_POS, Boolean((y * _2n) / P)); // set aflag
-        num = bitSet(num, S_BIT_POS, true);
-        return numberToBytesBE(num, Fp.BYTES);
+        const sort = Boolean((y * _2n) / P);
+        return setMask(numberToBytesBE(x, Fp.BYTES), { compressed: true, sort });
       } else {
         if (isZero) {
           // 2x PUBLIC_KEY_LENGTH
@@ -1162,6 +1197,30 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
         }
       }
     },
+    ShortSignature: {
+      fromHex(hex: Hex): ProjPointType<Fp> {
+        const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex, 48));
+        const P = Fp.ORDER;
+        const compressedValue = bytesToNumberBE(value);
+        // Zero
+        if (infinity) return bls12_381.G1.ProjectivePoint.ZERO;
+        const x = Fp.create(compressedValue & Fp.MASK);
+        const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
+        let y = Fp.sqrt(right);
+        if (!y) throw new Error('Invalid compressed G1 point');
+        const aflag = BigInt(sort);
+        if ((y * _2n) / P !== aflag) y = Fp.neg(y);
+        const point = bls12_381.G1.ProjectivePoint.fromAffine({ x, y });
+        point.assertValidity();
+        return point;
+      },
+      toRawBytes(point: ProjPointType<Fp>) {
+        return signatureG1ToRawBytes(point);
+      },
+      toHex(point: ProjPointType<Fp>) {
+        return bytesToHex(signatureG1ToRawBytes(point));
+      },
+    },
   },
   // G2 is the order-q subgroup of E2(Fp²) : y² = x³+4(1+√−1),
   // where Fp2 is Fp[√−1]/(x2+1). #E2(Fp2 ) = h2q, where
@@ -1233,45 +1292,45 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       return Q;                               // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
     },
     fromBytes: (bytes: Uint8Array): AffinePoint<Fp2> => {
-      bytes = bytes.slice();
-      const m_byte = bytes[0] & 0xe0;
-      if (m_byte === 0x20 || m_byte === 0x60 || m_byte === 0xe0) {
-        throw new Error('Invalid encoding flag: ' + m_byte);
+      const { compressed, infinity, sort, value } = parseMask(bytes);
+      if (
+        (!compressed && !infinity && sort) || // 00100000
+        (!compressed && infinity && sort) || // 01100000
+        (sort && infinity && compressed) // 11100000
+      ) {
+        throw new Error('Invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
       }
-      const bitC = m_byte & 0x80; // compression bit
-      const bitI = m_byte & 0x40; // point at infinity bit
-      const bitS = m_byte & 0x20; // sign bit
       const L = Fp.BYTES;
       const slc = (b: Uint8Array, from: number, to?: number) => bytesToNumberBE(b.slice(from, to));
-      if (bytes.length === 96 && bitC) {
+      if (value.length === 96 && compressed) {
         const b = bls12_381.params.G2b;
         const P = Fp.ORDER;
-
-        bytes[0] = bytes[0] & 0x1f; // clear flags
-        if (bitI) {
+        if (infinity) {
           // check that all bytes are 0
-          if (bytes.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
+          if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
             throw new Error('Invalid compressed G2 point');
           }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
-        const x_1 = slc(bytes, 0, L);
-        const x_0 = slc(bytes, L, 2 * L);
+        const x_1 = slc(value, 0, L);
+        const x_0 = slc(value, L, 2 * L);
         const x = Fp2.create({ c0: Fp.create(x_0), c1: Fp.create(x_1) });
         const right = Fp2.add(Fp2.pow(x, _3n), b); // y² = x³ + 4 * (u+1) = x³ + b
         let y = Fp2.sqrt(right);
         const Y_bit = y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P ? _1n : _0n;
-        y = bitS > 0 && Y_bit > 0 ? y : Fp2.neg(y);
+        y = sort && Y_bit > 0 ? y : Fp2.neg(y);
         return { x, y };
-      } else if (bytes.length === 192 && !bitC) {
-        // Check if the infinity flag is set
-        if ((bytes[0] & (1 << 6)) !== 0) {
+      } else if (value.length === 192 && !compressed) {
+        if (infinity) {
+          if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
+            throw new Error('Invalid uncompressed G2 point');
+          }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
-        const x1 = slc(bytes, 0, L);
-        const x0 = slc(bytes, L, 2 * L);
-        const y1 = slc(bytes, 2 * L, 3 * L);
-        const y0 = slc(bytes, 3 * L, 4 * L);
+        const x1 = slc(value, 0, L);
+        const x0 = slc(value, L, 2 * L);
+        const y1 = slc(value, 2 * L, 3 * L);
+        const y0 = slc(value, 3 * L, 4 * L);
         return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
       } else {
         throw new Error('Invalid point G2, expected 96/192 bytes');
@@ -1284,10 +1343,10 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
       if (isCompressed) {
         if (isZero) return concatB(COMPRESSED_ZERO, numberToBytesBE(_0n, len));
         const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
-        // set compressed & sign bits (looks like different offsets than for G1/Fp?)
-        let x_1 = bitSet(x.c1, C_BIT_POS, flag);
-        x_1 = bitSet(x_1, S_BIT_POS, true);
-        return concatB(numberToBytesBE(x_1, len), numberToBytesBE(x.c0, len));
+        return concatB(
+          setMask(numberToBytesBE(x.c1, len), { compressed: true, sort: flag }),
+          numberToBytesBE(x.c0, len)
+        );
       } else {
         if (isZero) return concatB(new Uint8Array([0x40]), new Uint8Array(4 * len - 1)); // bytes[0] |= 1 << 6;
         const { re: x0, im: x1 } = Fp2.reim(x);
@@ -1303,17 +1362,15 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
     Signature: {
       // TODO: Optimize, it's very slow because of sqrt.
       fromHex(hex: Hex): ProjPointType<Fp2> {
-        hex = ensureBytes('signatureHex', hex);
+        const { infinity, sort, value } = parseMask(ensureBytes('signatureHex', hex));
         const P = Fp.ORDER;
         const half = hex.length / 2;
         if (half !== 48 && half !== 96)
           throw new Error('Invalid compressed signature length, must be 96 or 192');
-        const z1 = bytesToNumberBE(hex.slice(0, half));
-        const z2 = bytesToNumberBE(hex.slice(half));
+        const z1 = bytesToNumberBE(value.slice(0, half));
+        const z2 = bytesToNumberBE(value.slice(half));
         // Indicates the infinity point
-        const bflag1 = bitGet(z1, I_BIT_POS);
-        if (bflag1 === _1n) return bls12_381.G2.ProjectivePoint.ZERO;
-
+        if (infinity) return bls12_381.G2.ProjectivePoint.ZERO;
         const x1 = Fp.create(z1 & Fp.MASK);
         const x2 = Fp.create(z2);
         const x = Fp2.create({ c0: x2, c1: x1 });
@@ -1325,7 +1382,7 @@ export const bls12_381: CurveFn<Fp, Fp2, Fp6, Fp12> = bls({
         // Choose the y whose leftmost bit of the imaginary part is equal to the a_flag1
         // If y1 happens to be zero, then use the bit of y0
         const { re: y0, im: y1 } = Fp2.reim(y);
-        const aflag1 = bitGet(z1, 381);
+        const aflag1 = BigInt(sort);
         const isGreater = y1 > _0n && (y1 * _2n) / P !== aflag1;
         const isZero = y1 === _0n && (y0 * _2n) / P !== aflag1;
         if (isGreater || isZero) y = Fp2.neg(y);

package/src/bn254.ts

@@ -6,8 +6,9 @@ import { Field } from './abstract/modular.js';
 /**
  * bn254 pairing-friendly curve.
  * Previously known as alt_bn_128, when it had 128-bit security.
- * Recent research shown it's weaker, the naming has been adjusted to its prime bit count.
- * https://github.com/zcash/zcash/issues/2502
+ * Barbulescu-Duquesne 2017 shown it's weaker: just about 100 bits,
+ * so the naming has been adjusted to its prime bit count
+ * https://hal.science/hal-01534101/file/main.pdf
  */
 export const bn254 = weierstrass({
   a: BigInt(0),

package/src/ed25519.ts

@@ -13,7 +13,7 @@ import {
   numberToBytesLE,
 } from './abstract/utils.js';
 import { createHasher, htfBasicOpts, expand_message_xmd } from './abstract/hash-to-curve.js';
-import { AffinePoint } from './abstract/curve.js';
+import { AffinePoint, Group } from './abstract/curve.js';
 
 /**
  * ed25519 Twisted Edwards curve with following addons:
@@ -123,7 +123,7 @@ const ed25519Defaults = {
   uvRatio,
 } as const;
 
-export const ed25519 = twistedEdwards(ed25519Defaults);
+export const ed25519 = /* @__PURE__ */ twistedEdwards(ed25519Defaults);
 
 function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   if (ctx.length > 255) throw new Error('Context is too big');
@@ -135,8 +135,11 @@ function ed25519_domain(data: Uint8Array, ctx: Uint8Array, phflag: boolean) {
   );
 }
 
-export const ed25519ctx = twistedEdwards({ ...ed25519Defaults, domain: ed25519_domain });
-export const ed25519ph = twistedEdwards({
+export const ed25519ctx = /* @__PURE__ */ twistedEdwards({
+  ...ed25519Defaults,
+  domain: ed25519_domain,
+});
+export const ed25519ph = /* @__PURE__ */ twistedEdwards({
   ...ed25519Defaults,
   domain: ed25519_domain,
   prehash: sha512,
@@ -340,7 +343,7 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
  * but it should work in its own namespace: do not combine those two.
  * https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448
  */
-class RistPoint {
+class RistPoint implements Group<RistPoint> {
   static BASE: RistPoint;
   static ZERO: RistPoint;
   // Private property to discourage combining ExtendedPoint + RistrettoPoint
@@ -468,6 +471,14 @@ class RistPoint {
   multiplyUnsafe(scalar: bigint): RistPoint {
     return new RistPoint(this.ep.multiplyUnsafe(scalar));
   }
+
+  double(): RistPoint {
+    return new RistPoint(this.ep.double());
+  }
+
+  negate(): RistPoint {
+    return new RistPoint(this.ep.negate());
+  }
 }
 export const RistrettoPoint = /* @__PURE__ */ (() => {
   if (!RistPoint.BASE) RistPoint.BASE = new RistPoint(ed25519.ExtendedPoint.BASE);
@@ -475,12 +486,12 @@ export const RistrettoPoint = /* @__PURE__ */ (() => {
   return RistPoint;
 })();
 
-// https://datatracker.ietf.org/doc/draft-irtf-cfrg-hash-to-curve/14/
-// Appendix B.  Hashing to ristretto255
-export const hash_to_ristretto255 = (msg: Uint8Array, options: htfBasicOpts) => {
+// Hashing to ristretto255. https://www.rfc-editor.org/rfc/rfc9380#appendix-B
+export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts) => {
   const d = options.DST;
   const DST = typeof d === 'string' ? utf8ToBytes(d) : d;
   const uniform_bytes = expand_message_xmd(msg, DST, 64, sha512);
   const P = RistPoint.hashToCurve(uniform_bytes);
   return P;
 };
+export const hash_to_ristretto255 = hashToRistretto255; // legacy