@noble/curves 1.8.0 → 1.8.2

package/src/abstract/weierstrass.ts

@@ -1,6 +1,19 @@
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
  *
+ * ### Parameters
+ *
+ * To initialize a weierstrass curve, one needs to pass following params:
+ *
+ * * a: formula param
+ * * b: formula param
+ * * Fp: finite Field over which we'll do calculations. Can be complex (Fp2, Fp12)
+ * * n: Curve prime subgroup order, total count of valid points in the field
+ * * Gx: Base point (x, y) aka generator point x coordinate
+ * * Gy: ...y coordinate
+ * * h: cofactor, usually 1. h*n = curve group order (n is only subgroup order)
+ * * lowS: whether to enable (default) or disable "low-s" non-malleable signatures
+ *
  * ### Design rationale for types
  *
  * * Interaction between classes from different curves should fail:
@@ -25,18 +38,23 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// prettier-ignore
 import {
-  AffinePoint,
-  BasicCurve,
-  Group,
-  GroupConstructor,
-  validateBasic,
-  wNAF,
-  pippenger,
-} from './curve.js';
-import * as mod from './modular.js';
-import * as ut from './utils.js';
-import { CHash, Hex, PrivKey, ensureBytes, memoized, abool } from './utils.js';
+  type AffinePoint, type BasicCurve, type Group, type GroupConstructor,
+  pippenger, validateBasic, wNAF,
+} from './curve.ts';
+// prettier-ignore
+import {
+  Field, type IField, getMinHashLength, invert, mapHashToField, mod, validateField,
+} from './modular.ts';
+// prettier-ignore
+import {
+  type CHash, type Hex, type PrivKey,
+  aInRange, abool,
+  bitMask,
+  bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes,
+  inRange, isBytes, memoized, numberToBytesBE, numberToHexUnpadded, validateObject
+} from './utils.ts';
 
 export type { AffinePoint };
 type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
@@ -60,7 +78,7 @@ export type BasicWCurve<T> = BasicCurve<T> & {
   clearCofactor?: (c: ProjConstructor<T>, point: ProjPointType<T>) => ProjPointType<T>;
 };
 
-type Entropy = Hex | boolean;
+export type Entropy = Hex | boolean;
 export type SignOpts = { lowS?: boolean; extraEntropy?: Entropy; prehash?: boolean };
 export type VerOpts = { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' | undefined };
 
@@ -111,7 +129,7 @@ export type CurvePointsTypeWithLength<T> = Readonly<
 
 function validatePointOpts<T>(curve: CurvePointsType<T>): CurvePointsTypeWithLength<T> {
   const opts = validateBasic(curve);
-  ut.validateObject(
+  validateObject(
     opts,
     {
       a: 'field',
@@ -151,8 +169,6 @@ export type CurvePointsRes<T> = {
   isWithinCurveOrder: (num: bigint) => boolean;
 };
 
-const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
-
 export class DERErr extends Error {
   constructor(m = '') {
     super(m);
@@ -195,11 +211,11 @@ export const DER: IDER = {
       if (tag < 0 || tag > 256) throw new E('tlv.encode: wrong tag');
       if (data.length & 1) throw new E('tlv.encode: unpadded data');
       const dataLen = data.length / 2;
-      const len = ut.numberToHexUnpadded(dataLen);
+      const len = numberToHexUnpadded(dataLen);
       if ((len.length / 2) & 0b1000_0000) throw new E('tlv.encode: long form length too big');
       // length of length with long form flag
-      const lenLen = dataLen > 127 ? ut.numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
-      const t = ut.numberToHexUnpadded(tag);
+      const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
+      const t = numberToHexUnpadded(tag);
       return t + lenLen + len + data;
     },
     // v - value, l - left bytes (unparsed)
@@ -237,7 +253,7 @@ export const DER: IDER = {
     encode(num: bigint): string {
       const { Err: E } = DER;
       if (num < _0n) throw new E('integer: negative integers are not allowed');
-      let hex = ut.numberToHexUnpadded(num);
+      let hex = numberToHexUnpadded(num);
       // Pad with zero byte if negative flag is present
       if (Number.parseInt(hex[0], 16) & 0b1000) hex = '00' + hex;
       if (hex.length & 1) throw new E('unexpected DER parsing assertion: unpadded hex');
@@ -248,14 +264,13 @@ export const DER: IDER = {
       if (data[0] & 0b1000_0000) throw new E('invalid signature integer: negative');
       if (data[0] === 0x00 && !(data[1] & 0b1000_0000))
         throw new E('invalid signature integer: unnecessary leading zero');
-      return b2n(data);
+      return bytesToNumberBE(data);
     },
   },
   toSig(hex: string | Uint8Array): { r: bigint; s: bigint } {
     // parse DER signature
     const { Err: E, _int: int, _tlv: tlv } = DER;
-    const data = typeof hex === 'string' ? h2b(hex) : hex;
-    ut.abytes(data);
+    const data = ensureBytes('signature', hex);
     const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
     if (seqLeftBytes.length) throw new E('invalid signature: left bytes after parsing');
     const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
@@ -279,13 +294,13 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n =
 export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T> {
   const CURVE = validatePointOpts(opts);
   const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
-  const Fn = mod.Field(CURVE.n, CURVE.nBitLength);
+  const Fn = Field(CURVE.n, CURVE.nBitLength);
 
   const toBytes =
     CURVE.toBytes ||
     ((_c: ProjConstructor<T>, point: ProjPointType<T>, _isCompressed: boolean) => {
       const a = point.toAffine();
-      return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
+      return concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
     });
   const fromBytes =
     CURVE.fromBytes ||
@@ -299,7 +314,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     });
 
   /**
-   * y² = x³ + ax + b: Short weierstrass curve formula
+   * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
    * @returns y²
    */
   function weierstrassEquation(x: T): T {
@@ -317,14 +332,14 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
 
   // Valid group elements reside in range 1..n-1
   function isWithinCurveOrder(num: bigint): boolean {
-    return ut.inRange(num, _1n, CURVE.n);
+    return inRange(num, _1n, CURVE.n);
   }
   // Validates if priv key is valid and converts it to bigint.
   // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
   function normPrivateKeyToScalar(key: PrivKey): bigint {
     const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
     if (lengths && typeof key !== 'bigint') {
-      if (ut.isBytes(key)) key = ut.bytesToHex(key);
+      if (isBytes(key)) key = bytesToHex(key);
       // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
       if (typeof key !== 'string' || !lengths.includes(key.length))
         throw new Error('invalid private key');
@@ -335,18 +350,18 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
       num =
         typeof key === 'bigint'
           ? key
-          : ut.bytesToNumberBE(ensureBytes('private key', key, nByteLength));
+          : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
     } catch (error) {
       throw new Error(
         'invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key
       );
     }
-    if (wrapPrivateKey) num = mod.mod(num, N); // disabled by default, enabled for BLS
-    ut.aInRange('private key', num, _1n, N); // num in range [1..N-1]
+    if (wrapPrivateKey) num = mod(num, N); // disabled by default, enabled for BLS
+    aInRange('private key', num, _1n, N); // num in range [1..N-1]
     return num;
   }
 
-  function assertPrjPoint(other: unknown) {
+  function aprjpoint(other: unknown) {
     if (!(other instanceof Point)) throw new Error('ProjectivePoint expected');
   }
 
@@ -399,15 +414,17 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
   class Point implements ProjPointType<T> {
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    readonly px: T;
+    readonly py: T;
+    readonly pz: T;
 
-    constructor(
-      readonly px: T,
-      readonly py: T,
-      readonly pz: T
-    ) {
+    constructor(px: T, py: T, pz: T) {
       if (px == null || !Fp.isValid(px)) throw new Error('x required');
       if (py == null || !Fp.isValid(py)) throw new Error('y required');
       if (pz == null || !Fp.isValid(pz)) throw new Error('z required');
+      this.px = px;
+      this.py = py;
+      this.pz = pz;
       Object.freeze(this);
     }
 
@@ -481,7 +498,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      * Compare one point to another.
      */
     equals(other: Point): boolean {
-      assertPrjPoint(other);
+      aprjpoint(other);
       const { px: X1, py: Y1, pz: Z1 } = this;
       const { px: X2, py: Y2, pz: Z2 } = other;
       const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
@@ -544,7 +561,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     // https://eprint.iacr.org/2015/1060, algorithm 1
     // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
     add(other: Point): Point {
-      assertPrjPoint(other);
+      aprjpoint(other);
       const { px: X1, py: Y1, pz: Z1 } = this;
       const { px: X2, py: Y2, pz: Z2 } = other;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
@@ -611,7 +628,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      */
     multiplyUnsafe(sc: bigint): Point {
       const { endo, n: N } = CURVE;
-      ut.aInRange('scalar', sc, _0n, N);
+      aInRange('scalar', sc, _0n, N);
       const I = Point.ZERO;
       if (sc === _0n) return I;
       if (this.is0() || sc === _1n) return this;
@@ -649,7 +666,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      */
     multiply(scalar: bigint): Point {
       const { endo, n: N } = CURVE;
-      ut.aInRange('scalar', scalar, _1n, N);
+      aInRange('scalar', scalar, _1n, N);
       let point: Point, fake: Point; // Fake point is used to const-time mult
       if (endo) {
         const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
@@ -712,7 +729,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
 
     toHex(isCompressed = true): string {
       abool('isCompressed', isCompressed);
-      return ut.bytesToHex(this.toRawBytes(isCompressed));
+      return bytesToHex(this.toRawBytes(isCompressed));
     }
   }
   const _bits = CURVE.nBitLength;
@@ -769,7 +786,7 @@ function validateOpts(
   curve: CurveType
 ): Readonly<CurveType & { nByteLength: number; nBitLength: number }> {
   const opts = validateBasic(curve);
-  ut.validateObject(
+  validateObject(
     opts,
     {
       hash: 'hash',
@@ -815,10 +832,10 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
 
   function modN(a: bigint) {
-    return mod.mod(a, CURVE_ORDER);
+    return mod(a, CURVE_ORDER);
   }
   function invN(a: bigint) {
-    return mod.invert(a, CURVE_ORDER);
+    return invert(a, CURVE_ORDER);
   }
 
   const {
@@ -831,7 +848,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     toBytes(_c, point, isCompressed: boolean): Uint8Array {
       const a = point.toAffine();
       const x = Fp.toBytes(a.x);
-      const cat = ut.concatBytes;
+      const cat = concatBytes;
       abool('isCompressed', isCompressed);
       if (isCompressed) {
         return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
@@ -845,8 +862,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const tail = bytes.subarray(1);
       // this.assertValidity() is done inside of fromHex
       if (len === compressedLen && (head === 0x02 || head === 0x03)) {
-        const x = ut.bytesToNumberBE(tail);
-        if (!ut.inRange(x, _1n, Fp.ORDER)) throw new Error('Point is not on curve');
+        const x = bytesToNumberBE(tail);
+        if (!inRange(x, _1n, Fp.ORDER)) throw new Error('Point is not on curve');
         const y2 = weierstrassEquation(x); // y² = x³ + ax + b
         let y: bigint;
         try {
@@ -873,8 +890,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       }
     },
   });
-  const numToNByteStr = (num: bigint): string =>
-    ut.bytesToHex(ut.numberToBytesBE(num, CURVE.nByteLength));
+  const numToNByteHex = (num: bigint): string =>
+    bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
 
   function isBiggerThanHalfOrder(number: bigint) {
     const HALF = CURVE_ORDER >> _1n;
@@ -885,18 +902,22 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     return isBiggerThanHalfOrder(s) ? modN(-s) : s;
   }
   // slice bytes num
-  const slcNum = (b: Uint8Array, from: number, to: number) => ut.bytesToNumberBE(b.slice(from, to));
+  const slcNum = (b: Uint8Array, from: number, to: number) => bytesToNumberBE(b.slice(from, to));
 
   /**
    * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
    */
   class Signature implements SignatureType {
-    constructor(
-      readonly r: bigint,
-      readonly s: bigint,
-      readonly recovery?: number
-    ) {
-      this.assertValidity();
+    readonly r: bigint;
+    readonly s: bigint;
+    readonly recovery?: number;
+    constructor(r: bigint, s: bigint, recovery?: number) {
+      aInRange('r', r, _1n, CURVE_ORDER); // r in [1..N]
+      aInRange('s', s, _1n, CURVE_ORDER); // s in [1..N]
+      this.r = r;
+      this.s = s;
+      if (recovery != null) this.recovery = recovery;
+      Object.freeze(this);
     }
 
     // pair (bytes of r, bytes of s)
@@ -913,10 +934,11 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return new Signature(r, s);
     }
 
-    assertValidity(): void {
-      ut.aInRange('r', this.r, _1n, CURVE_ORDER); // r in [1..N]
-      ut.aInRange('s', this.s, _1n, CURVE_ORDER); // s in [1..N]
-    }
+    /**
+     * @todo remove
+     * @deprecated
+     */
+    assertValidity(): void {}
 
     addRecoveryBit(recovery: number): RecoveredSignature {
       return new Signature(this.r, this.s, recovery) as RecoveredSignature;
@@ -929,7 +951,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
       if (radj >= Fp.ORDER) throw new Error('recovery id 2 or 3 invalid');
       const prefix = (rec & 1) === 0 ? '02' : '03';
-      const R = Point.fromHex(prefix + numToNByteStr(radj));
+      const R = Point.fromHex(prefix + numToNByteHex(radj));
       const ir = invN(radj); // r^-1
       const u1 = modN(-h * ir); // -hr^-1
       const u2 = modN(s * ir); // sr^-1
@@ -950,7 +972,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 
     // DER-encoded
     toDERRawBytes() {
-      return ut.hexToBytes(this.toDERHex());
+      return hexToBytes(this.toDERHex());
     }
     toDERHex() {
       return DER.hexFromSig({ r: this.r, s: this.s });
@@ -958,10 +980,10 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 
     // padded bytes of r, then padded bytes of s
     toCompactRawBytes() {
-      return ut.hexToBytes(this.toCompactHex());
+      return hexToBytes(this.toCompactHex());
     }
     toCompactHex() {
-      return numToNByteStr(this.r) + numToNByteStr(this.s);
+      return numToNByteHex(this.r) + numToNByteHex(this.s);
     }
   }
   type RecoveredSignature = Signature & { recovery: number };
@@ -982,8 +1004,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
      * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
      */
     randomPrivateKey: (): Uint8Array => {
-      const length = mod.getMinHashLength(CURVE.n);
-      return mod.mapHashToField(CURVE.randomBytes(length), CURVE.n);
+      const length = getMinHashLength(CURVE.n);
+      return mapHashToField(CURVE.randomBytes(length), CURVE.n);
     },
 
     /**
@@ -1015,7 +1037,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
    * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
    */
   function isProbPub(item: PrivKey | PubKey): boolean {
-    const arr = ut.isBytes(item);
+    const arr = isBytes(item);
     const str = typeof item === 'string';
     const len = (arr || str) && (item as Hex).length;
     if (arr) return len === compressedLen || len === uncompressedLen;
@@ -1052,7 +1074,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       if (bytes.length > 8192) throw new Error('input is too large');
       // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
       // for some cases, since bytes.length * 8 is not actual bitLength.
-      const num = ut.bytesToNumberBE(bytes); // check for == u8 done here
+      const num = bytesToNumberBE(bytes); // check for == u8 done here
       const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
       return delta > 0 ? num >> BigInt(delta) : num;
     };
@@ -1062,14 +1084,14 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return modN(bits2int(bytes)); // can't use bytesToNumberBE here
     };
   // NOTE: pads output with zero as per spec
-  const ORDER_MASK = ut.bitMask(CURVE.nBitLength);
+  const ORDER_MASK = bitMask(CURVE.nBitLength);
   /**
    * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
    */
   function int2octets(num: bigint): Uint8Array {
-    ut.aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
+    aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
     // works with order, can have different size than numToField!
-    return ut.numberToBytesBE(num, CURVE.nByteLength);
+    return numberToBytesBE(num, CURVE.nByteLength);
   }
 
   // Steps A, D of RFC6979 3.2
@@ -1099,7 +1121,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
-    const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2
+    const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
     const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
     // Converts signature params into point w r/s, checks result for validity.
     function k2sig(kBytes: Uint8Array): RecoveredSignature | undefined {
@@ -1144,7 +1166,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   function sign(msgHash: Hex, privKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
     const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
     const C = CURVE;
-    const drbg = ut.createHmacDrbg<RecoveredSignature>(C.hash.outputLen, C.nByteLength, C.hmac);
+    const drbg = createHmacDrbg<RecoveredSignature>(C.hash.outputLen, C.nByteLength, C.hmac);
     return drbg(seed, k2sig); // Steps B, C, D, E, F, G
   }
 
@@ -1181,7 +1203,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
     if (format !== undefined && format !== 'compact' && format !== 'der')
       throw new Error('format must be compact or der');
-    const isHex = typeof sg === 'string' || ut.isBytes(sg);
+    const isHex = typeof sg === 'string' || isBytes(sg);
     const isObj =
       !isHex &&
       !format &&
@@ -1245,7 +1267,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
  * @returns
  */
 export function SWUFpSqrtRatio<T>(
-  Fp: mod.IField<T>,
+  Fp: IField<T>,
   Z: T
 ): (u: T, v: T) => { isValid: boolean; value: T } {
   // Generic implementation
@@ -1320,14 +1342,14 @@ export function SWUFpSqrtRatio<T>(
  * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
  */
 export function mapToCurveSimpleSWU<T>(
-  Fp: mod.IField<T>,
+  Fp: IField<T>,
   opts: {
     A: T;
     B: T;
     Z: T;
   }
 ): (u: T) => { x: T; y: T } {
-  mod.validateField(Fp);
+  validateField(Fp);
   if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
     throw new Error('mapToCurveSimpleSWU: invalid opts');
   const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);

package/src/bls12-381.ts

@@ -1,24 +1,3 @@
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { randomBytes } from '@noble/hashes/utils';
-import { bls, CurveFn } from './abstract/bls.js';
-import * as mod from './abstract/modular.js';
-import {
-  bitGet,
-  bitLen,
-  bytesToHex,
-  bytesToNumberBE,
-  concatBytes as concatB,
-  ensureBytes,
-  Hex,
-  numberToBytesBE,
-} from './abstract/utils.js';
-// Types
-import { isogenyMap } from './abstract/hash-to-curve.js';
-import { AffinePoint, mapToCurveSimpleSWU, ProjPointType } from './abstract/weierstrass.js';
-import { tower12, psiFrobenius } from './abstract/tower.js';
-import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
-
 /**
  * bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
  * * Construct zk-SNARKs at the ~120-bit security
@@ -50,7 +29,7 @@ import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
  * 4. Compatible with specs:
  *    [cfrg-pairing-friendly-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
  *    [cfrg-bls-signature-05](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05),
- *    [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
+ *    RFC 9380.
  *
  * ### Params
  * To verify curve parameters, see
@@ -58,11 +37,6 @@ import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
  * Basic math is done over finite fields over p.
  * More complicated math is done over polynominal extension fields.
  * To simplify calculations in Fp12, we construct extension tower:
- * - Fp₁₂ = Fp₆² => Fp₂³
- * - Fp(u) / (u² - β) where β = -1
- * - Fp₂(v) / (v³ - ξ) where ξ = u + 1
- * - Fp₆(w) / (w² - γ) where γ = v
- * Here goes constants && point encoding format
  *
  * Embedding degree (k): 12
  * Seed (X): -15132376222941642752
@@ -73,6 +47,10 @@ import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
  * Ate loop size: X
  *
  * ### Towers
+ * - Fp₁₂ = Fp₆² => Fp₂³
+ * - Fp(u) / (u² - β) where β = -1
+ * - Fp₂(v) / (v³ - ξ) where ξ = u + 1
+ * - Fp₆(w) / (w² - γ) where γ = v
  * - Fp²[u] = Fp/u²+1
  * - Fp⁶[v] = Fp²/v³-1-u
  * - Fp¹²[w] = Fp⁶/w²-v
@@ -80,6 +58,30 @@ import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
  * @todo construct bls & bn fp/fr from seed.
  * @module
  */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { sha256 } from '@noble/hashes/sha2';
+import { randomBytes } from '@noble/hashes/utils';
+import { bls, type CurveFn } from './abstract/bls.ts';
+import { Field } from './abstract/modular.ts';
+import {
+  bitGet,
+  bitLen,
+  bytesToHex,
+  bytesToNumberBE,
+  concatBytes as concatB,
+  ensureBytes,
+  type Hex,
+  numberToBytesBE,
+} from './abstract/utils.ts';
+// Types
+import { isogenyMap } from './abstract/hash-to-curve.ts';
+import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
+import { psiFrobenius, tower12 } from './abstract/tower.ts';
+import {
+  type AffinePoint,
+  mapToCurveSimpleSWU,
+  type ProjPointType,
+} from './abstract/weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -162,7 +164,7 @@ const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
 
 // Finite field over r.
 // This particular field is not used anywhere in bls12-381, but it is still useful.
-const Fr = mod.Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'));
+const Fr = Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'));
 
 // END OF CURVE FIELDS
 

package/src/bn254.ts

@@ -45,24 +45,22 @@ Ate loop size: 6x+2
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
-import { getHash } from './_shortw_utils.js';
-import { CurveFn, weierstrass } from './abstract/weierstrass.js';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
+import { getHash } from './_shortw_utils.ts';
 import {
   bls,
-  CurveFn as BLSCurveFn,
-  PostPrecomputeFn,
-  PostPrecomputePointAddFn,
-} from './abstract/bls.js';
-import { Field } from './abstract/modular.js';
-import { bitGet, bitLen, notImplemented } from './abstract/utils.js';
-import { tower12, psiFrobenius } from './abstract/tower.js';
-// Types
-import type { Fp, Fp2, Fp6, Fp12 } from './abstract/tower.js';
+  type CurveFn as BLSCurveFn,
+  type PostPrecomputeFn,
+  type PostPrecomputePointAddFn,
+} from './abstract/bls.ts';
+import { Field } from './abstract/modular.ts';
+import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
+import { psiFrobenius, tower12 } from './abstract/tower.ts';
+import { bitGet, bitLen, notImplemented } from './abstract/utils.ts';
+import { type CurveFn, weierstrass } from './abstract/weierstrass.ts';
 // prettier-ignore
 const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
-// prettier-ignore
 const _6n = BigInt(6);
 
 const BN_X = BigInt('4965661367192848881');