@noble/curves 1.8.1 → 1.8.2

package/src/abstract/weierstrass.ts

@@ -1,6 +1,19 @@
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
  *
+ * ### Parameters
+ *
+ * To initialize a weierstrass curve, one needs to pass following params:
+ *
+ * * a: formula param
+ * * b: formula param
+ * * Fp: finite Field over which we'll do calculations. Can be complex (Fp2, Fp12)
+ * * n: Curve prime subgroup order, total count of valid points in the field
+ * * Gx: Base point (x, y) aka generator point x coordinate
+ * * Gy: ...y coordinate
+ * * h: cofactor, usually 1. h*n = curve group order (n is only subgroup order)
+ * * lowS: whether to enable (default) or disable "low-s" non-malleable signatures
+ *
  * ### Design rationale for types
  *
  * * Interaction between classes from different curves should fail:
@@ -25,26 +38,23 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// prettier-ignore
 import {
-  type AffinePoint,
-  type BasicCurve,
-  type Group,
-  type GroupConstructor,
-  pippenger,
-  validateBasic,
-  wNAF,
-} from './curve.js';
+  type AffinePoint, type BasicCurve, type Group, type GroupConstructor,
+  pippenger, validateBasic, wNAF,
+} from './curve.ts';
+// prettier-ignore
+import {
+  Field, type IField, getMinHashLength, invert, mapHashToField, mod, validateField,
+} from './modular.ts';
+// prettier-ignore
 import {
-  Field,
-  type IField,
-  getMinHashLength,
-  invert,
-  mapHashToField,
-  mod,
-  validateField,
-} from './modular.js';
-import * as ut from './utils.js';
-import { type CHash, type Hex, type PrivKey, abool, ensureBytes, memoized } from './utils.js';
+  type CHash, type Hex, type PrivKey,
+  aInRange, abool,
+  bitMask,
+  bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes,
+  inRange, isBytes, memoized, numberToBytesBE, numberToHexUnpadded, validateObject
+} from './utils.ts';
 
 export type { AffinePoint };
 type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
@@ -68,7 +78,7 @@ export type BasicWCurve<T> = BasicCurve<T> & {
   clearCofactor?: (c: ProjConstructor<T>, point: ProjPointType<T>) => ProjPointType<T>;
 };
 
-type Entropy = Hex | boolean;
+export type Entropy = Hex | boolean;
 export type SignOpts = { lowS?: boolean; extraEntropy?: Entropy; prehash?: boolean };
 export type VerOpts = { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' | undefined };
 
@@ -119,7 +129,7 @@ export type CurvePointsTypeWithLength<T> = Readonly<
 
 function validatePointOpts<T>(curve: CurvePointsType<T>): CurvePointsTypeWithLength<T> {
   const opts = validateBasic(curve);
-  ut.validateObject(
+  validateObject(
     opts,
     {
       a: 'field',
@@ -159,8 +169,6 @@ export type CurvePointsRes<T> = {
   isWithinCurveOrder: (num: bigint) => boolean;
 };
 
-const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
-
 export class DERErr extends Error {
   constructor(m = '') {
     super(m);
@@ -203,11 +211,11 @@ export const DER: IDER = {
       if (tag < 0 || tag > 256) throw new E('tlv.encode: wrong tag');
       if (data.length & 1) throw new E('tlv.encode: unpadded data');
       const dataLen = data.length / 2;
-      const len = ut.numberToHexUnpadded(dataLen);
+      const len = numberToHexUnpadded(dataLen);
       if ((len.length / 2) & 0b1000_0000) throw new E('tlv.encode: long form length too big');
       // length of length with long form flag
-      const lenLen = dataLen > 127 ? ut.numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
-      const t = ut.numberToHexUnpadded(tag);
+      const lenLen = dataLen > 127 ? numberToHexUnpadded((len.length / 2) | 0b1000_0000) : '';
+      const t = numberToHexUnpadded(tag);
       return t + lenLen + len + data;
     },
     // v - value, l - left bytes (unparsed)
@@ -245,7 +253,7 @@ export const DER: IDER = {
     encode(num: bigint): string {
       const { Err: E } = DER;
       if (num < _0n) throw new E('integer: negative integers are not allowed');
-      let hex = ut.numberToHexUnpadded(num);
+      let hex = numberToHexUnpadded(num);
       // Pad with zero byte if negative flag is present
       if (Number.parseInt(hex[0], 16) & 0b1000) hex = '00' + hex;
       if (hex.length & 1) throw new E('unexpected DER parsing assertion: unpadded hex');
@@ -256,14 +264,13 @@ export const DER: IDER = {
       if (data[0] & 0b1000_0000) throw new E('invalid signature integer: negative');
       if (data[0] === 0x00 && !(data[1] & 0b1000_0000))
         throw new E('invalid signature integer: unnecessary leading zero');
-      return b2n(data);
+      return bytesToNumberBE(data);
     },
   },
   toSig(hex: string | Uint8Array): { r: bigint; s: bigint } {
     // parse DER signature
     const { Err: E, _int: int, _tlv: tlv } = DER;
-    const data = typeof hex === 'string' ? h2b(hex) : hex;
-    ut.abytes(data);
+    const data = ensureBytes('signature', hex);
     const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
     if (seqLeftBytes.length) throw new E('invalid signature: left bytes after parsing');
     const { v: rBytes, l: rLeftBytes } = tlv.decode(0x02, seqBytes);
@@ -293,7 +300,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     CURVE.toBytes ||
     ((_c: ProjConstructor<T>, point: ProjPointType<T>, _isCompressed: boolean) => {
       const a = point.toAffine();
-      return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
+      return concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
     });
   const fromBytes =
     CURVE.fromBytes ||
@@ -307,7 +314,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     });
 
   /**
-   * y² = x³ + ax + b: Short weierstrass curve formula
+   * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
    * @returns y²
    */
   function weierstrassEquation(x: T): T {
@@ -325,14 +332,14 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
 
   // Valid group elements reside in range 1..n-1
   function isWithinCurveOrder(num: bigint): boolean {
-    return ut.inRange(num, _1n, CURVE.n);
+    return inRange(num, _1n, CURVE.n);
   }
   // Validates if priv key is valid and converts it to bigint.
   // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
   function normPrivateKeyToScalar(key: PrivKey): bigint {
     const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
     if (lengths && typeof key !== 'bigint') {
-      if (ut.isBytes(key)) key = ut.bytesToHex(key);
+      if (isBytes(key)) key = bytesToHex(key);
       // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
       if (typeof key !== 'string' || !lengths.includes(key.length))
         throw new Error('invalid private key');
@@ -343,18 +350,18 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
       num =
         typeof key === 'bigint'
           ? key
-          : ut.bytesToNumberBE(ensureBytes('private key', key, nByteLength));
+          : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
     } catch (error) {
       throw new Error(
         'invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key
       );
     }
     if (wrapPrivateKey) num = mod(num, N); // disabled by default, enabled for BLS
-    ut.aInRange('private key', num, _1n, N); // num in range [1..N-1]
+    aInRange('private key', num, _1n, N); // num in range [1..N-1]
     return num;
   }
 
-  function assertPrjPoint(other: unknown) {
+  function aprjpoint(other: unknown) {
     if (!(other instanceof Point)) throw new Error('ProjectivePoint expected');
   }
 
@@ -407,15 +414,17 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
   class Point implements ProjPointType<T> {
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    readonly px: T;
+    readonly py: T;
+    readonly pz: T;
 
-    constructor(
-      readonly px: T,
-      readonly py: T,
-      readonly pz: T
-    ) {
+    constructor(px: T, py: T, pz: T) {
       if (px == null || !Fp.isValid(px)) throw new Error('x required');
       if (py == null || !Fp.isValid(py)) throw new Error('y required');
       if (pz == null || !Fp.isValid(pz)) throw new Error('z required');
+      this.px = px;
+      this.py = py;
+      this.pz = pz;
       Object.freeze(this);
     }
 
@@ -489,7 +498,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      * Compare one point to another.
      */
     equals(other: Point): boolean {
-      assertPrjPoint(other);
+      aprjpoint(other);
       const { px: X1, py: Y1, pz: Z1 } = this;
       const { px: X2, py: Y2, pz: Z2 } = other;
       const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
@@ -552,7 +561,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
     // https://eprint.iacr.org/2015/1060, algorithm 1
     // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
     add(other: Point): Point {
-      assertPrjPoint(other);
+      aprjpoint(other);
       const { px: X1, py: Y1, pz: Z1 } = this;
       const { px: X2, py: Y2, pz: Z2 } = other;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
@@ -619,7 +628,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      */
     multiplyUnsafe(sc: bigint): Point {
       const { endo, n: N } = CURVE;
-      ut.aInRange('scalar', sc, _0n, N);
+      aInRange('scalar', sc, _0n, N);
       const I = Point.ZERO;
       if (sc === _0n) return I;
       if (this.is0() || sc === _1n) return this;
@@ -657,7 +666,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
      */
     multiply(scalar: bigint): Point {
       const { endo, n: N } = CURVE;
-      ut.aInRange('scalar', scalar, _1n, N);
+      aInRange('scalar', scalar, _1n, N);
       let point: Point, fake: Point; // Fake point is used to const-time mult
       if (endo) {
         const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
@@ -720,7 +729,7 @@ export function weierstrassPoints<T>(opts: CurvePointsType<T>): CurvePointsRes<T
 
     toHex(isCompressed = true): string {
       abool('isCompressed', isCompressed);
-      return ut.bytesToHex(this.toRawBytes(isCompressed));
+      return bytesToHex(this.toRawBytes(isCompressed));
     }
   }
   const _bits = CURVE.nBitLength;
@@ -777,7 +786,7 @@ function validateOpts(
   curve: CurveType
 ): Readonly<CurveType & { nByteLength: number; nBitLength: number }> {
   const opts = validateBasic(curve);
-  ut.validateObject(
+  validateObject(
     opts,
     {
       hash: 'hash',
@@ -839,7 +848,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     toBytes(_c, point, isCompressed: boolean): Uint8Array {
       const a = point.toAffine();
       const x = Fp.toBytes(a.x);
-      const cat = ut.concatBytes;
+      const cat = concatBytes;
       abool('isCompressed', isCompressed);
       if (isCompressed) {
         return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
@@ -853,8 +862,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const tail = bytes.subarray(1);
       // this.assertValidity() is done inside of fromHex
       if (len === compressedLen && (head === 0x02 || head === 0x03)) {
-        const x = ut.bytesToNumberBE(tail);
-        if (!ut.inRange(x, _1n, Fp.ORDER)) throw new Error('Point is not on curve');
+        const x = bytesToNumberBE(tail);
+        if (!inRange(x, _1n, Fp.ORDER)) throw new Error('Point is not on curve');
         const y2 = weierstrassEquation(x); // y² = x³ + ax + b
         let y: bigint;
         try {
@@ -881,8 +890,8 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       }
     },
   });
-  const numToNByteStr = (num: bigint): string =>
-    ut.bytesToHex(ut.numberToBytesBE(num, CURVE.nByteLength));
+  const numToNByteHex = (num: bigint): string =>
+    bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
 
   function isBiggerThanHalfOrder(number: bigint) {
     const HALF = CURVE_ORDER >> _1n;
@@ -893,18 +902,22 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     return isBiggerThanHalfOrder(s) ? modN(-s) : s;
   }
   // slice bytes num
-  const slcNum = (b: Uint8Array, from: number, to: number) => ut.bytesToNumberBE(b.slice(from, to));
+  const slcNum = (b: Uint8Array, from: number, to: number) => bytesToNumberBE(b.slice(from, to));
 
   /**
    * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
    */
   class Signature implements SignatureType {
-    constructor(
-      readonly r: bigint,
-      readonly s: bigint,
-      readonly recovery?: number
-    ) {
-      this.assertValidity();
+    readonly r: bigint;
+    readonly s: bigint;
+    readonly recovery?: number;
+    constructor(r: bigint, s: bigint, recovery?: number) {
+      aInRange('r', r, _1n, CURVE_ORDER); // r in [1..N]
+      aInRange('s', s, _1n, CURVE_ORDER); // s in [1..N]
+      this.r = r;
+      this.s = s;
+      if (recovery != null) this.recovery = recovery;
+      Object.freeze(this);
     }
 
     // pair (bytes of r, bytes of s)
@@ -921,10 +934,11 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return new Signature(r, s);
     }
 
-    assertValidity(): void {
-      ut.aInRange('r', this.r, _1n, CURVE_ORDER); // r in [1..N]
-      ut.aInRange('s', this.s, _1n, CURVE_ORDER); // s in [1..N]
-    }
+    /**
+     * @todo remove
+     * @deprecated
+     */
+    assertValidity(): void {}
 
     addRecoveryBit(recovery: number): RecoveredSignature {
       return new Signature(this.r, this.s, recovery) as RecoveredSignature;
@@ -937,7 +951,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
       if (radj >= Fp.ORDER) throw new Error('recovery id 2 or 3 invalid');
       const prefix = (rec & 1) === 0 ? '02' : '03';
-      const R = Point.fromHex(prefix + numToNByteStr(radj));
+      const R = Point.fromHex(prefix + numToNByteHex(radj));
       const ir = invN(radj); // r^-1
       const u1 = modN(-h * ir); // -hr^-1
       const u2 = modN(s * ir); // sr^-1
@@ -958,7 +972,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 
     // DER-encoded
     toDERRawBytes() {
-      return ut.hexToBytes(this.toDERHex());
+      return hexToBytes(this.toDERHex());
     }
     toDERHex() {
       return DER.hexFromSig({ r: this.r, s: this.s });
@@ -966,10 +980,10 @@ export function weierstrass(curveDef: CurveType): CurveFn {
 
     // padded bytes of r, then padded bytes of s
     toCompactRawBytes() {
-      return ut.hexToBytes(this.toCompactHex());
+      return hexToBytes(this.toCompactHex());
     }
     toCompactHex() {
-      return numToNByteStr(this.r) + numToNByteStr(this.s);
+      return numToNByteHex(this.r) + numToNByteHex(this.s);
     }
   }
   type RecoveredSignature = Signature & { recovery: number };
@@ -1023,7 +1037,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
    * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
    */
   function isProbPub(item: PrivKey | PubKey): boolean {
-    const arr = ut.isBytes(item);
+    const arr = isBytes(item);
     const str = typeof item === 'string';
     const len = (arr || str) && (item as Hex).length;
     if (arr) return len === compressedLen || len === uncompressedLen;
@@ -1060,7 +1074,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       if (bytes.length > 8192) throw new Error('input is too large');
       // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
       // for some cases, since bytes.length * 8 is not actual bitLength.
-      const num = ut.bytesToNumberBE(bytes); // check for == u8 done here
+      const num = bytesToNumberBE(bytes); // check for == u8 done here
       const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
       return delta > 0 ? num >> BigInt(delta) : num;
     };
@@ -1070,14 +1084,14 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       return modN(bits2int(bytes)); // can't use bytesToNumberBE here
     };
   // NOTE: pads output with zero as per spec
-  const ORDER_MASK = ut.bitMask(CURVE.nBitLength);
+  const ORDER_MASK = bitMask(CURVE.nBitLength);
   /**
    * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
    */
   function int2octets(num: bigint): Uint8Array {
-    ut.aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
+    aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
     // works with order, can have different size than numToField!
-    return ut.numberToBytesBE(num, CURVE.nByteLength);
+    return numberToBytesBE(num, CURVE.nByteLength);
   }
 
   // Steps A, D of RFC6979 3.2
@@ -1107,7 +1121,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
       const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
-    const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2
+    const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
     const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
     // Converts signature params into point w r/s, checks result for validity.
     function k2sig(kBytes: Uint8Array): RecoveredSignature | undefined {
@@ -1152,7 +1166,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
   function sign(msgHash: Hex, privKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
     const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
     const C = CURVE;
-    const drbg = ut.createHmacDrbg<RecoveredSignature>(C.hash.outputLen, C.nByteLength, C.hmac);
+    const drbg = createHmacDrbg<RecoveredSignature>(C.hash.outputLen, C.nByteLength, C.hmac);
     return drbg(seed, k2sig); // Steps B, C, D, E, F, G
   }
 
@@ -1189,7 +1203,7 @@ export function weierstrass(curveDef: CurveType): CurveFn {
     if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
     if (format !== undefined && format !== 'compact' && format !== 'der')
       throw new Error('format must be compact or der');
-    const isHex = typeof sg === 'string' || ut.isBytes(sg);
+    const isHex = typeof sg === 'string' || isBytes(sg);
     const isObj =
       !isHex &&
       !format &&

package/src/bls12-381.ts

@@ -29,7 +29,7 @@
  * 4. Compatible with specs:
  *    [cfrg-pairing-friendly-curves-11](https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11),
  *    [cfrg-bls-signature-05](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05),
- *    [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
+ *    RFC 9380.
  *
  * ### Params
  * To verify curve parameters, see
@@ -59,10 +59,10 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
-import { bls, type CurveFn } from './abstract/bls.js';
-import * as mod from './abstract/modular.js';
+import { bls, type CurveFn } from './abstract/bls.ts';
+import { Field } from './abstract/modular.ts';
 import {
   bitGet,
   bitLen,
@@ -72,16 +72,16 @@ import {
   ensureBytes,
   type Hex,
   numberToBytesBE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 // Types
-import { isogenyMap } from './abstract/hash-to-curve.js';
-import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.js';
-import { psiFrobenius, tower12 } from './abstract/tower.js';
+import { isogenyMap } from './abstract/hash-to-curve.ts';
+import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
+import { psiFrobenius, tower12 } from './abstract/tower.ts';
 import {
   type AffinePoint,
   mapToCurveSimpleSWU,
   type ProjPointType,
-} from './abstract/weierstrass.js';
+} from './abstract/weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -164,7 +164,7 @@ const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
 
 // Finite field over r.
 // This particular field is not used anywhere in bls12-381, but it is still useful.
-const Fr = mod.Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'));
+const Fr = Field(BigInt('0x73eda753299d7d483339d80809a1d80553bda402fffe5bfeffffffff00000001'));
 
 // END OF CURVE FIELDS
 

package/src/bn254.ts

@@ -45,20 +45,20 @@ Ate loop size: 6x+2
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha256';
+import { sha256 } from '@noble/hashes/sha2';
 import { randomBytes } from '@noble/hashes/utils';
-import { getHash } from './_shortw_utils.js';
+import { getHash } from './_shortw_utils.ts';
 import {
   bls,
   type CurveFn as BLSCurveFn,
   type PostPrecomputeFn,
   type PostPrecomputePointAddFn,
-} from './abstract/bls.js';
-import { Field } from './abstract/modular.js';
-import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.js';
-import { psiFrobenius, tower12 } from './abstract/tower.js';
-import { bitGet, bitLen, notImplemented } from './abstract/utils.js';
-import { type CurveFn, weierstrass } from './abstract/weierstrass.js';
+} from './abstract/bls.ts';
+import { Field } from './abstract/modular.ts';
+import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
+import { psiFrobenius, tower12 } from './abstract/tower.ts';
+import { bitGet, bitLen, notImplemented } from './abstract/utils.ts';
+import { type CurveFn, weierstrass } from './abstract/weierstrass.ts';
 // prettier-ignore
 const _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 const _6n = BigInt(6);

package/src/ed25519.ts

@@ -6,18 +6,18 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha512 } from '@noble/hashes/sha512';
+import { sha512 } from '@noble/hashes/sha2';
 import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { type AffinePoint, type Group, pippenger } from './abstract/curve.js';
-import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.js';
+import { type AffinePoint, type Group, pippenger } from './abstract/curve.ts';
+import { type CurveFn, type ExtPointType, twistedEdwards } from './abstract/edwards.ts';
 import {
   createHasher,
   expand_message_xmd,
   type htfBasicOpts,
   type HTFMethod,
-} from './abstract/hash-to-curve.js';
-import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.js';
-import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.js';
+} from './abstract/hash-to-curve.ts';
+import { Field, FpSqrtEven, isNegativeLE, mod, pow2 } from './abstract/modular.ts';
+import { montgomery, type CurveFn as XCurveFn } from './abstract/montgomery.ts';
 import {
   bytesToHex,
   bytesToNumberLE,
@@ -25,12 +25,14 @@ import {
   equalBytes,
   type Hex,
   numberToBytesLE,
-} from './abstract/utils.js';
+} from './abstract/utils.ts';
 
+// 2n**255n - 19n
 const ED25519_P = BigInt(
   '57896044618658097711785492504343953926634992332820282019728792003956564819949'
 );
 // √(-1) aka √(a) aka 2^((p-1)/4)
+// Fp.sqrt(Fp.neg(1))
 const ED25519_SQRT_M1 = /* @__PURE__ */ BigInt(
   '19681161376707505956807079304988542015446066515923890162744021073123829784752'
 );
@@ -91,7 +93,7 @@ function uvRatio(u: bigint, v: bigint): { isValid: boolean; value: bigint } {
   return { isValid: useRoot1 || useRoot2, value: x };
 }
 
-// Just in case
+/** Weird / bogus points, useful for debugging. */
 export const ED25519_TORSION_SUBGROUP: string[] = [
   '0100000000000000000000000000000000000000000000000000000000000000',
   'c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a',
@@ -107,19 +109,15 @@ const Fp = /* @__PURE__ */ (() => Field(ED25519_P, undefined, true))();
 
 const ed25519Defaults = /* @__PURE__ */ (() =>
   ({
-    // Param: a
-    a: BigInt(-1), // Fp.create(-1) is proper; our way still works and is faster
-    // d is equal to -121665/121666 over finite field.
-    // Negative number is P - number, and division is invert(number, P)
+    // Removing Fp.create() will still work, and is 10% faster on sign
+    a: Fp.create(BigInt(-1)),
+    // d is -121665/121666 a.k.a. Fp.neg(121665 * Fp.inv(121666))
     d: BigInt('37095705934669439343138083508754565189542113879843219016388785533085940283555'),
-    // Finite field 𝔽p over which we'll do calculations; 2n**255n - 19n
+    // Finite field 2n**255n - 19n
     Fp,
-    // Subgroup order: how many points curve has
-    // 2n**252n + 27742317777372353535851937790883648493n;
+    // Subgroup order 2n**252n + 27742317777372353535851937790883648493n;
     n: BigInt('7237005577332262213973186563042994240857116359379907606001950938285454250989'),
-    // Cofactor
     h: _8n,
-    // Base point (x, y) aka generator point
     Gx: BigInt('15112221349535400772501151409588531511454012693041857206046113283949847762202'),
     Gy: BigInt('46316835694926478169428394003475163141307993866256225615783033603165251855960'),
     hash: sha512,
@@ -313,7 +311,7 @@ const htf = /* @__PURE__ */ (() =>
 export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.hashToCurve)();
 export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => htf.encodeToCurve)();
 
-function assertRstPoint(other: unknown) {
+function aristp(other: unknown) {
   if (!(other instanceof RistPoint)) throw new Error('RistrettoPoint expected');
 }
 
@@ -380,9 +378,12 @@ function calcElligatorRistrettoMap(r0: bigint): ExtendedPoint {
 class RistPoint implements Group<RistPoint> {
   static BASE: RistPoint;
   static ZERO: RistPoint;
+  private readonly ep: ExtendedPoint;
   // Private property to discourage combining ExtendedPoint + RistrettoPoint
   // Always use Ristretto encoding/decoding instead.
-  constructor(private readonly ep: ExtendedPoint) {}
+  constructor(ep: ExtendedPoint) {
+    this.ep = ep;
+  }
 
   static fromAffine(ap: AffinePoint<bigint>): RistPoint {
     return new RistPoint(ed25519.ExtendedPoint.fromAffine(ap));
@@ -483,7 +484,7 @@ class RistPoint implements Group<RistPoint> {
 
   // Compare one point to another.
   equals(other: RistPoint): boolean {
-    assertRstPoint(other);
+    aristp(other);
     const { ex: X1, ey: Y1 } = this.ep;
     const { ex: X2, ey: Y2 } = other.ep;
     const mod = ed25519.CURVE.Fp.create;
@@ -494,12 +495,12 @@ class RistPoint implements Group<RistPoint> {
   }
 
   add(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.add(other.ep));
   }
 
   subtract(other: RistPoint): RistPoint {
-    assertRstPoint(other);
+    aristp(other);
     return new RistPoint(this.ep.subtract(other.ep));
   }
 
@@ -533,5 +534,6 @@ export const hashToRistretto255 = (msg: Uint8Array, options: htfBasicOpts): Rist
   const P = RistPoint.hashToCurve(uniform_bytes);
   return P;
 };
+/** @deprecated */
 export const hash_to_ristretto255: (msg: Uint8Array, options: htfBasicOpts) => RistPoint =
   hashToRistretto255; // legacy