@noble/curves 1.6.0 → 1.7.0

package/src/abstract/weierstrass.ts

@@ -37,7 +37,7 @@ export type BasicWCurve<T> = BasicCurve<T> & {
 
 type Entropy = Hex | boolean;
 export type SignOpts = { lowS?: boolean; extraEntropy?: Entropy; prehash?: boolean };
-export type VerOpts = { lowS?: boolean; prehash?: boolean };
+export type VerOpts = { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' | undefined };
 
 function validateSigVerOpts(opts: SignOpts | VerOpts) {
   if (opts.lowS !== undefined) abool('lowS', opts.lowS);
@@ -123,14 +123,14 @@ function validatePointOpts<T>(curve: CurvePointsType<T>) {
   const { endo, Fp, a } = opts;
   if (endo) {
     if (!Fp.eql(a, Fp.ZERO)) {
-      throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
+      throw new Error('invalid endomorphism, can only be defined for Koblitz curves that have a=0');
     }
     if (
       typeof endo !== 'object' ||
       typeof endo.beta !== 'bigint' ||
       typeof endo.splitScalar !== 'function'
     ) {
-      throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
+      throw new Error('invalid endomorphism, expected beta: bigint and splitScalar: function');
     }
   }
   return Object.freeze({ ...opts } as const);
@@ -171,7 +171,8 @@ export const DER = {
       if ((len.length / 2) & 0b1000_0000) throw new E('tlv.encode: long form length too big');
       // length of length with long form flag
       const lenLen = dataLen > 127 ? ut.numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
-      return `${ut.numberToHexUnpadded(tag)}${lenLen}${len}${data}`;
+      const t = ut.numberToHexUnpadded(tag);
+      return t + lenLen + len + data;
     },
     // v - value, l - left bytes (unparsed)
     decode(tag: number, data: Uint8Array): { v: Uint8Array; l: Uint8Array } {
@@ -211,14 +212,14 @@ export const DER = {
       let hex = ut.numberToHexUnpadded(num);
       // Pad with zero byte if negative flag is present
       if (Number.parseInt(hex[0], 16) & 0b1000) hex = '00' + hex;
-      if (hex.length & 1) throw new E('unexpected assertion');
+      if (hex.length & 1) throw new E('unexpected DER parsing assertion: unpadded hex');
       return hex;
     },
     decode(data: Uint8Array): bigint {
       const { Err: E } = DER;
-      if (data[0] & 0b1000_0000) throw new E('Invalid signature integer: negative');
+      if (data[0] & 0b1000_0000) throw new E('invalid signature integer: negative');
       if (data[0] === 0x00 && !(data[1] & 0b1000_0000))
-        throw new E('Invalid signature integer: unnecessary leading zero');
+        throw new E('invalid signature integer: unnecessary leading zero');
       return b2n(data);
     },
   },
@@ -228,15 +229,17 @@ export const DER = {
     const data = typeof hex === 'string' ? h2b(hex) : hex;
     ut.abytes(data);
     const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
-    if (seqLeftBytes.length) throw new E('Invalid signature: left bytes after parsing');
+    if (seqLeftBytes.length) throw new E('invalid signature: left bytes after parsing');
     const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
     const { v: sBytes, l: sLeftBytes } = tlv.decode(0x02, rLeftBytes);
-    if (sLeftBytes.length) throw new E('Invalid signature: left bytes after parsing');
+    if (sLeftBytes.length) throw new E('invalid signature: left bytes after parsing');
     return { r: int.decode(rBytes), s: int.decode(sBytes) };
   },
   hexFromSig(sig: { r: bigint; s: bigint }): string {
     const { _tlv: tlv, _int: int } = DER;
-    const seq = `${tlv.encode(0x02, int.encode(sig.r))}${tlv.encode(0x02, int.encode(sig.s))}`;
+    const rs = tlv.encode(0x02, int.encode(sig.r));
+    const ss = tlv.encode(0x02, int.encode(sig.s));
+    const seq = rs + ss;
     return tlv.encode(0x30, seq);
   },
 };
@@ -295,7 +298,8 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     if (lengths && typeof key !== 'bigint') {
       if (ut.isBytes(key)) key = ut.bytesToHex(key);
       // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
-      if (typeof key !== 'string' || !lengths.includes(key.length)) throw new Error('Invalid key');
+      if (typeof key !== 'string' || !lengths.includes(key.length))
+        throw new Error('invalid private key');
       key = key.padStart(nByteLength * 2, '0');
     }
     let num: bigint;
@@ -305,7 +309,9 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
           ? key
           : ut.bytesToNumberBE(ensureBytes('private key', key, nByteLength));
     } catch (error) {
-      throw new Error(`private key must be ${nByteLength} bytes, hex or bigint, not ${typeof key}`);
+      throw new Error(
+        'invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key
+      );
     }
     if (wrapPrivateKey) num = mod.mod(num, N); // disabled by default, enabled for BLS
     ut.aInRange('private key', num, _1n, N); // num in range [1..N-1]
@@ -342,7 +348,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     if (p.is0()) {
       // (0, 1, 0) aka ZERO is invalid in most contexts.
       // In BLS, ZERO can be serialized, so we allow it.
-      // (0, 0, 0) is wrong representation of ZERO and is always invalid.
+      // (0, 0, 0) is invalid representation of ZERO.
       if (CURVE.allowInfinityPoint && !Fp.is0(p.py)) return;
       throw new Error('bad point: ZERO');
     }
@@ -423,7 +429,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     }
 
     // Multiscalar Multiplication
-    static msm(points: Point[], scalars: bigint[]) {
+    static msm(points: Point[], scalars: bigint[]): Point {
       return pippenger(Point, Fn, points, scalars);
     }
 
@@ -576,14 +582,17 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      * an exposed private key e.g. sig verification, which works over *public* keys.
      */
     multiplyUnsafe(sc: bigint): Point {
-      ut.aInRange('scalar', sc, _0n, CURVE.n);
+      const { endo, n: N } = CURVE;
+      ut.aInRange('scalar', sc, _0n, N);
       const I = Point.ZERO;
       if (sc === _0n) return I;
-      if (sc === _1n) return this;
-      const { endo } = CURVE;
-      if (!endo) return wnaf.unsafeLadder(this, sc);
+      if (this.is0() || sc === _1n) return this;
+
+      // Case a: no endomorphism. Case b: has precomputes.
+      if (!endo || wnaf.hasPrecomputes(this))
+        return wnaf.wNAFCachedUnsafe(this, sc, Point.normalizeZ);
 
-      // Apply endomorphism
+      // Case c: endomorphism
       let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
       let k1p = I;
       let k2p = I;
@@ -826,8 +835,10 @@ export function weierstrass(curveDef: CurveType): CurveFn {
         const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
         return { x, y };
       } else {
+        const cl = compressedLen;
+        const ul = uncompressedLen;
         throw new Error(
-          `Point of length ${len} was invalid. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes`
+          'invalid Point, expected length of ' + cl + ', or uncompressed ' + ul + ', got ' + len
         );
       }
     },
@@ -1007,6 +1018,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   const bits2int =
     CURVE.bits2int ||
     function (bytes: Uint8Array): bigint {
+      // Our custom check "just in case"
+      if (bytes.length > 8192) throw new Error('input is too large');
       // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
       // for some cases, since bytes.length * 8 is not actual bitLength.
       const num = ut.bytesToNumberBE(bytes); // check for == u8 done here
@@ -1024,7 +1037,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
    * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
    */
   function int2octets(num: bigint): Uint8Array {
-    ut.aInRange(`num < 2^${CURVE.nBitLength}`, num, _0n, ORDER_MASK);
+    ut.aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
     // works with order, can have different size than numToField!
     return ut.numberToBytesBE(num, CURVE.nByteLength);
   }
@@ -1032,8 +1045,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   // Steps A, D of RFC6979 3.2
   // Creates RFC6979 seed; converts msg/privKey to numbers.
   // Used only in sign, not in verify.
-  // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order, this will be wrong at least for P521.
-  // Also it can be bigger for P224 + SHA256
+  // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
+  // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
   function prepSig(msgHash: Hex, privateKey: PrivKey, opts = defaultSigOpts) {
     if (['recovered', 'canonical'].some((k) => k in opts))
       throw new Error('sign() legacy options not supported');
@@ -1131,34 +1144,43 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     const sg = signature;
     msgHash = ensureBytes('msgHash', msgHash);
     publicKey = ensureBytes('publicKey', publicKey);
-    if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
+    const { lowS, prehash, format } = opts;
+
+    // Verify opts, deduce signature format
     validateSigVerOpts(opts);
-    const { lowS, prehash } = opts;
+    if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
+    if (format !== undefined && format !== 'compact' && format !== 'der')
+      throw new Error('format must be compact or der');
+    const isHex = typeof sg === 'string' || ut.isBytes(sg);
+    const isObj =
+      !isHex &&
+      !format &&
+      typeof sg === 'object' &&
+      sg !== null &&
+      typeof sg.r === 'bigint' &&
+      typeof sg.s === 'bigint';
+    if (!isHex && !isObj)
+      throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
 
     let _sig: Signature | undefined = undefined;
     let P: ProjPointType<bigint>;
     try {
-      if (typeof sg === 'string' || ut.isBytes(sg)) {
+      if (isObj) _sig = new Signature(sg.r, sg.s);
+      if (isHex) {
         // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
         // Since DER can also be 2*nByteLength bytes, we check for it first.
         try {
-          _sig = Signature.fromDER(sg);
+          if (format !== 'compact') _sig = Signature.fromDER(sg);
         } catch (derError) {
           if (!(derError instanceof DER.Err)) throw derError;
-          _sig = Signature.fromCompact(sg);
         }
-      } else if (typeof sg === 'object' && typeof sg.r === 'bigint' && typeof sg.s === 'bigint') {
-        const { r, s } = sg;
-        _sig = new Signature(r, s);
-      } else {
-        throw new Error('PARSE');
+        if (!_sig && format !== 'der') _sig = Signature.fromCompact(sg);
       }
       P = Point.fromHex(publicKey);
     } catch (error) {
-      if ((error as Error).message === 'PARSE')
-        throw new Error(`signature must be Signature instance, Uint8Array or hex string`);
       return false;
     }
+    if (!_sig) return false;
     if (lowS && _sig.hasHighS()) return false;
     if (prehash) msgHash = CURVE.hash(msgHash);
     const { r, s } = _sig;

package/src/bls12-381.ts

@@ -56,7 +56,7 @@ bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction all
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
-/* 
+/*
 Embedding degree (k): 12
 Seed (X): -15132376222941642752
 Fr:  (x⁴-x²+1)
@@ -509,7 +509,7 @@ export const bls12_381: CurveFn = bls({
         }
         const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
-        if (!y) throw new Error('Invalid compressed G1 point');
+        if (!y) throw new Error('invalid compressed G1 point');
         if ((y * _2n) / P !== BigInt(sort)) y = Fp.neg(y);
         return { x: Fp.create(x), y: Fp.create(y) };
       } else if (value.length === 96 && !compressed) {
@@ -522,7 +522,7 @@ export const bls12_381: CurveFn = bls({
         }
         return { x: Fp.create(x), y: Fp.create(y) };
       } else {
-        throw new Error('Invalid point G1, expected 48/96 bytes');
+        throw new Error('invalid point G1, expected 48/96 bytes');
       }
     },
     toBytes: (c, point, isCompressed) => {
@@ -553,7 +553,7 @@ export const bls12_381: CurveFn = bls({
         const x = Fp.create(compressedValue & Fp.MASK);
         const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381.params.G1b)); // y² = x³ + b
         let y = Fp.sqrt(right);
-        if (!y) throw new Error('Invalid compressed G1 point');
+        if (!y) throw new Error('invalid compressed G1 point');
         const aflag = BigInt(sort);
         if ((y * _2n) / P !== aflag) y = Fp.neg(y);
         const point = bls12_381.G1.ProjectivePoint.fromAffine({ x, y });
@@ -644,7 +644,7 @@ export const bls12_381: CurveFn = bls({
         (!compressed && infinity && sort) || // 01100000
         (sort && infinity && compressed) // 11100000
       ) {
-        throw new Error('Invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
+        throw new Error('invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
       }
       const L = Fp.BYTES;
       const slc = (b: Uint8Array, from: number, to?: number) => bytesToNumberBE(b.slice(from, to));
@@ -654,7 +654,7 @@ export const bls12_381: CurveFn = bls({
         if (infinity) {
           // check that all bytes are 0
           if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
-            throw new Error('Invalid compressed G2 point');
+            throw new Error('invalid compressed G2 point');
           }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
@@ -669,7 +669,7 @@ export const bls12_381: CurveFn = bls({
       } else if (value.length === 192 && !compressed) {
         if (infinity) {
           if (value.reduce((p, c) => (p !== 0 ? c + 1 : c), 0) > 0) {
-            throw new Error('Invalid uncompressed G2 point');
+            throw new Error('invalid uncompressed G2 point');
           }
           return { x: Fp2.ZERO, y: Fp2.ZERO };
         }
@@ -679,7 +679,7 @@ export const bls12_381: CurveFn = bls({
         const y0 = slc(value, 3 * L, 4 * L);
         return { x: Fp2.fromBigTuple([x0, x1]), y: Fp2.fromBigTuple([y0, y1]) };
       } else {
-        throw new Error('Invalid point G2, expected 96/192 bytes');
+        throw new Error('invalid point G2, expected 96/192 bytes');
       }
     },
     toBytes: (c, point, isCompressed) => {
@@ -712,7 +712,7 @@ export const bls12_381: CurveFn = bls({
         const P = Fp.ORDER;
         const half = value.length / 2;
         if (half !== 48 && half !== 96)
-          throw new Error('Invalid compressed signature length, must be 96 or 192');
+          throw new Error('invalid compressed signature length, must be 96 or 192');
         const z1 = bytesToNumberBE(value.slice(0, half));
         const z2 = bytesToNumberBE(value.slice(half));
         // Indicates the infinity point

package/src/bn254.ts

@@ -3,7 +3,7 @@ import { sha256 } from '@noble/hashes/sha256';
 import { getHash } from './_shortw_utils.js';
 import { weierstrass } from './abstract/weierstrass.js';
 import { randomBytes } from '@noble/hashes/utils';
-import { bls, CurveFn } from './abstract/bls.js';
+import { bls, CurveFn, PostPrecomputeFn, PostPrecomputePointAddFn } from './abstract/bls.js';
 import { Field } from './abstract/modular.js';
 import { bitGet, bitLen, notImplemented } from './abstract/utils.js';
 import { tower12, psiFrobenius } from './abstract/tower.js';
@@ -148,6 +148,20 @@ const htfDefaults = Object.freeze({
   hash: sha256,
 } as const);
 
+export const _postPrecompute: PostPrecomputeFn = (
+  Rx: Fp2,
+  Ry: Fp2,
+  Rz: Fp2,
+  Qx: Fp2,
+  Qy: Fp2,
+  pointAdd: PostPrecomputePointAddFn
+) => {
+  const q = psi(Qx, Qy);
+  ({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
+  const q2 = psi(q[0], q[1]);
+  pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
+};
+
 /**
  * bn254 (a.k.a. alt_bn128) pairing-friendly curve.
  * Contains G1 / G2 operations and pairings.
@@ -212,12 +226,7 @@ export const bn254: CurveFn = bls({
   hash: sha256,
   randomBytes,
 
-  postPrecompute: (Rx, Ry, Rz, Qx, Qy, pointAdd) => {
-    const q = psi(Qx, Qy);
-    ({ Rx, Ry, Rz } = pointAdd(Rx, Ry, Rz, q[0], q[1]));
-    const q2 = psi(q[0], q[1]);
-    pointAdd(Rx, Ry, Rz, q2[0], Fp2.neg(q2[1]));
-  },
+  postPrecompute: _postPrecompute,
 });
 
 /**

package/src/ed448.ts

@@ -120,7 +120,7 @@ const ED448_DEF = {
   adjustScalarBytes,
   // dom4
   domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-    if (ctx.length > 255) throw new Error(`Context is too big: ${ctx.length}`);
+    if (ctx.length > 255) throw new Error('context must be smaller than 255, got: ' + ctx.length);
     return concatBytes(
       utf8ToBytes('SigEd448'),
       new Uint8Array([phflag ? 1 : 0, ctx.length]),

package/src/p256.ts

@@ -8,15 +8,15 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // NIST secp256r1 aka p256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 
-const Fp = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A = Fp.create(BigInt('-3'));
+const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
+const CURVE_A = Fp256.create(BigInt('-3'));
 const CURVE_B = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
 
 // prettier-ignore
 export const p256 = createCurve({
   a: CURVE_A, // Equation params: a, b
   b: CURVE_B,
-  Fp, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
+  Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
   // Curve order, total count of valid points in the field
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
   // Base (generator) point (x, y)
@@ -28,17 +28,17 @@ export const p256 = createCurve({
 export const secp256r1 = p256;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp256, {
     A: CURVE_A,
     B: CURVE_B,
-    Z: Fp.create(BigInt('-10')),
+    Z: Fp256.create(BigInt('-10')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P256_XMD:SHA-256_SSWU_RO_',
     encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp256.ORDER,
     m: 1,
     k: 128,
     expand: 'xmd',

package/src/p384.ts

@@ -11,8 +11,8 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp = Field(P);
-const CURVE_A = Fp.create(BigInt('-3'));
+const Fp384 = Field(P);
+const CURVE_A = Fp384.create(BigInt('-3'));
 // prettier-ignore
 const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
 
@@ -20,7 +20,7 @@ const CURVE_B = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe814112031408
 export const p384 = createCurve({
   a: CURVE_A, // Equation params: a, b
   b: CURVE_B,
-  Fp, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+  Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
   // Curve order, total count of valid points in the field.
   n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
   // Base (generator) point (x, y)
@@ -32,17 +32,17 @@ export const p384 = createCurve({
 export const secp384r1 = p384;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp384, {
     A: CURVE_A,
     B: CURVE_B,
-    Z: Fp.create(BigInt('-12')),
+    Z: Fp384.create(BigInt('-12')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P384_XMD:SHA-384_SSWU_RO_',
     encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp384.ORDER,
     m: 1,
     k: 192,
     expand: 'xmd',

package/src/p521.ts

@@ -12,14 +12,14 @@ import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
 // Field over which we'll do calculations.
 // prettier-ignore
 const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp = Field(P);
+const Fp521 = Field(P);
 
 const CURVE = {
-  a: Fp.create(BigInt('-3')),
+  a: Fp521.create(BigInt('-3')),
   b: BigInt(
     '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
   ),
-  Fp,
+  Fp: Fp521,
   n: BigInt(
     '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
   ),
@@ -36,7 +36,7 @@ const CURVE = {
 export const p521 = createCurve({
   a: CURVE.a, // Equation params: a, b
   b: CURVE.b,
-  Fp, // Field: 2n**521n - 1n
+  Fp: Fp521, // Field: 2n**521n - 1n
   // Curve order, total count of valid points in the field
   n: CURVE.n,
   Gx: CURVE.Gx, // Base point (x, y) aka generator point
@@ -48,17 +48,17 @@ export const p521 = createCurve({
 export const secp521r1 = p521;
 
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fp521, {
     A: CURVE.a,
     B: CURVE.b,
-    Z: Fp.create(BigInt('-4')),
+    Z: Fp521.create(BigInt('-4')),
   }))();
 
 const htf = /* @__PURE__ */ (() =>
   createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => mapSWU(scalars[0]), {
     DST: 'P521_XMD:SHA-512_SSWU_RO_',
     encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
-    p: Fp.ORDER,
+    p: Fp521.ORDER,
     m: 1,
     k: 256,
     expand: 'xmd',

package/src/secp256k1.ts

@@ -45,11 +45,11 @@ function sqrtMod(y: bigint): bigint {
   const t1 = (pow2(b223, _23n, P) * b22) % P;
   const t2 = (pow2(t1, _6n, P) * b2) % P;
   const root = pow2(t2, _2n, P);
-  if (!Fp.eql(Fp.sqr(root), y)) throw new Error('Cannot find square root');
+  if (!Fpk1.eql(Fpk1.sqr(root), y)) throw new Error('Cannot find square root');
   return root;
 }
 
-const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
 
 /**
  * secp256k1 short weierstrass curve and ECDSA signatures over it.
@@ -58,7 +58,7 @@ export const secp256k1 = createCurve(
   {
     a: BigInt(0), // equation params: a, b
     b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
-    Fp, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
+    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
     n: secp256k1N, // Curve order, total count of valid points in the field
     // Base point (x, y) aka generator point
     Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
@@ -228,7 +228,7 @@ export const schnorr = /* @__PURE__ */ (() => ({
 
 const isoMap = /* @__PURE__ */ (() =>
   isogenyMap(
-    Fp,
+    Fpk1,
     [
       // xNum
       [
@@ -260,22 +260,22 @@ const isoMap = /* @__PURE__ */ (() =>
     ].map((i) => i.map((j) => BigInt(j))) as [bigint[], bigint[], bigint[], bigint[]]
   ))();
 const mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp, {
+  mapToCurveSimpleSWU(Fpk1, {
     A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
     B: BigInt('1771'),
-    Z: Fp.create(BigInt('-11')),
+    Z: Fpk1.create(BigInt('-11')),
   }))();
 const htf = /* @__PURE__ */ (() =>
   createHasher(
     secp256k1.ProjectivePoint,
     (scalars: bigint[]) => {
-      const { x, y } = mapSWU(Fp.create(scalars[0]));
+      const { x, y } = mapSWU(Fpk1.create(scalars[0]));
       return isoMap(x, y);
     },
     {
       DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
       encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
-      p: Fp.ORDER,
+      p: Fpk1.ORDER,
       m: 1,
       k: 128,
       expand: 'xmd',