@noble/curves 1.8.1 → 1.9.0

package/abstract/weierstrass.js

@@ -8,6 +8,19 @@ exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU;
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
  *
+ * ### Parameters
+ *
+ * To initialize a weierstrass curve, one needs to pass following params:
+ *
+ * * a: formula param
+ * * b: formula param
+ * * Fp: finite Field over which we'll do calculations. Can be complex (Fp2, Fp12)
+ * * n: Curve prime subgroup order, total count of valid points in the field
+ * * Gx: Base point (x, y) aka generator point x coordinate
+ * * Gy: ...y coordinate
+ * * h: cofactor, usually 1. h*n = curve group order (n is only subgroup order)
+ * * lowS: whether to enable (default) or disable "low-s" non-malleable signatures
+ *
  * ### Design rationale for types
  *
  * * Interaction between classes from different curves should fail:
@@ -32,19 +45,21 @@ exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU;
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const curve_js_1 = require("./curve.js");
-const modular_js_1 = require("./modular.js");
-const ut = require("./utils.js");
-const utils_js_1 = require("./utils.js");
+// prettier-ignore
+const curve_ts_1 = require("./curve.js");
+// prettier-ignore
+const modular_ts_1 = require("./modular.js");
+// prettier-ignore
+const utils_ts_1 = require("./utils.js");
 function validateSigVerOpts(opts) {
     if (opts.lowS !== undefined)
-        (0, utils_js_1.abool)('lowS', opts.lowS);
+        (0, utils_ts_1.abool)('lowS', opts.lowS);
     if (opts.prehash !== undefined)
-        (0, utils_js_1.abool)('prehash', opts.prehash);
+        (0, utils_ts_1.abool)('prehash', opts.prehash);
 }
 function validatePointOpts(curve) {
-    const opts = (0, curve_js_1.validateBasic)(curve);
-    ut.validateObject(opts, {
+    const opts = (0, curve_ts_1.validateBasic)(curve);
+    (0, utils_ts_1.validateObject)(opts, {
         a: 'field',
         b: 'field',
     }, {
@@ -69,7 +84,6 @@ function validatePointOpts(curve) {
     }
     return Object.freeze({ ...opts });
 }
-const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
 class DERErr extends Error {
     constructor(m = '') {
         super(m);
@@ -95,12 +109,12 @@ exports.DER = {
             if (data.length & 1)
                 throw new E('tlv.encode: unpadded data');
             const dataLen = data.length / 2;
-            const len = ut.numberToHexUnpadded(dataLen);
+            const len = (0, utils_ts_1.numberToHexUnpadded)(dataLen);
             if ((len.length / 2) & 128)
                 throw new E('tlv.encode: long form length too big');
             // length of length with long form flag
-            const lenLen = dataLen > 127 ? ut.numberToHexUnpadded((len.length / 2) | 128) : '';
-            const t = ut.numberToHexUnpadded(tag);
+            const lenLen = dataLen > 127 ? (0, utils_ts_1.numberToHexUnpadded)((len.length / 2) | 128) : '';
+            const t = (0, utils_ts_1.numberToHexUnpadded)(tag);
             return t + lenLen + len + data;
         },
         // v - value, l - left bytes (unparsed)
@@ -149,7 +163,7 @@ exports.DER = {
             const { Err: E } = exports.DER;
             if (num < _0n)
                 throw new E('integer: negative integers are not allowed');
-            let hex = ut.numberToHexUnpadded(num);
+            let hex = (0, utils_ts_1.numberToHexUnpadded)(num);
             // Pad with zero byte if negative flag is present
             if (Number.parseInt(hex[0], 16) & 0b1000)
                 hex = '00' + hex;
@@ -163,14 +177,13 @@ exports.DER = {
                 throw new E('invalid signature integer: negative');
             if (data[0] === 0x00 && !(data[1] & 128))
                 throw new E('invalid signature integer: unnecessary leading zero');
-            return b2n(data);
+            return (0, utils_ts_1.bytesToNumberBE)(data);
         },
     },
     toSig(hex) {
         // parse DER signature
         const { Err: E, _int: int, _tlv: tlv } = exports.DER;
-        const data = typeof hex === 'string' ? h2b(hex) : hex;
-        ut.abytes(data);
+        const data = (0, utils_ts_1.ensureBytes)('signature', hex);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
             throw new E('invalid signature: left bytes after parsing');
@@ -194,11 +207,11 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n =
 function weierstrassPoints(opts) {
     const CURVE = validatePointOpts(opts);
     const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
-    const Fn = (0, modular_js_1.Field)(CURVE.n, CURVE.nBitLength);
+    const Fn = (0, modular_ts_1.Field)(CURVE.n, CURVE.nBitLength);
     const toBytes = CURVE.toBytes ||
         ((_c, point, _isCompressed) => {
             const a = point.toAffine();
-            return ut.concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
+            return (0, utils_ts_1.concatBytes)(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
         });
     const fromBytes = CURVE.fromBytes ||
         ((bytes) => {
@@ -210,7 +223,7 @@ function weierstrassPoints(opts) {
             return { x, y };
         });
     /**
-     * y² = x³ + ax + b: Short weierstrass curve formula
+     * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
      * @returns y²
      */
     function weierstrassEquation(x) {
@@ -227,15 +240,15 @@ function weierstrassPoints(opts) {
         throw new Error('bad generator point: equation left != right');
     // Valid group elements reside in range 1..n-1
     function isWithinCurveOrder(num) {
-        return ut.inRange(num, _1n, CURVE.n);
+        return (0, utils_ts_1.inRange)(num, _1n, CURVE.n);
     }
     // Validates if priv key is valid and converts it to bigint.
     // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
     function normPrivateKeyToScalar(key) {
         const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
         if (lengths && typeof key !== 'bigint') {
-            if (ut.isBytes(key))
-                key = ut.bytesToHex(key);
+            if ((0, utils_ts_1.isBytes)(key))
+                key = (0, utils_ts_1.bytesToHex)(key);
             // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
             if (typeof key !== 'string' || !lengths.includes(key.length))
                 throw new Error('invalid private key');
@@ -246,17 +259,17 @@ function weierstrassPoints(opts) {
             num =
                 typeof key === 'bigint'
                     ? key
-                    : ut.bytesToNumberBE((0, utils_js_1.ensureBytes)('private key', key, nByteLength));
+                    : (0, utils_ts_1.bytesToNumberBE)((0, utils_ts_1.ensureBytes)('private key', key, nByteLength));
         }
         catch (error) {
             throw new Error('invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key);
         }
         if (wrapPrivateKey)
-            num = (0, modular_js_1.mod)(num, N); // disabled by default, enabled for BLS
-        ut.aInRange('private key', num, _1n, N); // num in range [1..N-1]
+            num = (0, modular_ts_1.mod)(num, N); // disabled by default, enabled for BLS
+        (0, utils_ts_1.aInRange)('private key', num, _1n, N); // num in range [1..N-1]
         return num;
     }
-    function assertPrjPoint(other) {
+    function aprjpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
@@ -264,7 +277,7 @@ function weierstrassPoints(opts) {
     // Converts Projective point to affine (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     // (x, y, z) ∋ (x=x/z, y=y/z)
-    const toAffineMemo = (0, utils_js_1.memoized)((p, iz) => {
+    const toAffineMemo = (0, utils_ts_1.memoized)((p, iz) => {
         const { px: x, py: y, pz: z } = p;
         // Fast-path for normalized points
         if (Fp.eql(z, Fp.ONE))
@@ -285,7 +298,7 @@ function weierstrassPoints(opts) {
     });
     // NOTE: on exception this will crash 'cached' and no value will be set.
     // Otherwise true will be return
-    const assertValidMemo = (0, utils_js_1.memoized)((p) => {
+    const assertValidMemo = (0, utils_ts_1.memoized)((p) => {
         if (p.is0()) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
@@ -314,15 +327,15 @@ function weierstrassPoints(opts) {
      */
     class Point {
         constructor(px, py, pz) {
-            this.px = px;
-            this.py = py;
-            this.pz = pz;
             if (px == null || !Fp.isValid(px))
                 throw new Error('x required');
-            if (py == null || !Fp.isValid(py))
+            if (py == null || !Fp.isValid(py) || Fp.is0(py))
                 throw new Error('y required');
             if (pz == null || !Fp.isValid(pz))
                 throw new Error('z required');
+            this.px = px;
+            this.py = py;
+            this.pz = pz;
             Object.freeze(this);
         }
         // Does not validate if the point is on-curve.
@@ -352,7 +365,7 @@ function weierstrassPoints(opts) {
          * Optimization: converts a list of projective points to a list of identical points with Z=1.
          */
         static normalizeZ(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.pz));
+            const toInv = (0, modular_ts_1.FpInvertBatch)(Fp, points.map((p) => p.pz));
             return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
         }
         /**
@@ -360,7 +373,7 @@ function weierstrassPoints(opts) {
          * @param hex short/long ECDSA hex
          */
         static fromHex(hex) {
-            const P = Point.fromAffine(fromBytes((0, utils_js_1.ensureBytes)('pointHex', hex)));
+            const P = Point.fromAffine(fromBytes((0, utils_ts_1.ensureBytes)('pointHex', hex)));
             P.assertValidity();
             return P;
         }
@@ -370,7 +383,7 @@ function weierstrassPoints(opts) {
         }
         // Multiscalar Multiplication
         static msm(points, scalars) {
-            return (0, curve_js_1.pippenger)(Point, Fn, points, scalars);
+            return (0, curve_ts_1.pippenger)(Point, Fn, points, scalars);
         }
         // "Private method", don't use it directly
         _setWindowSize(windowSize) {
@@ -390,7 +403,7 @@ function weierstrassPoints(opts) {
          * Compare one point to another.
          */
         equals(other) {
-            assertPrjPoint(other);
+            aprjpoint(other);
             const { px: X1, py: Y1, pz: Z1 } = this;
             const { px: X2, py: Y2, pz: Z2 } = other;
             const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
@@ -450,7 +463,7 @@ function weierstrassPoints(opts) {
         // https://eprint.iacr.org/2015/1060, algorithm 1
         // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
         add(other) {
-            assertPrjPoint(other);
+            aprjpoint(other);
             const { px: X1, py: Y1, pz: Z1 } = this;
             const { px: X2, py: Y2, pz: Z2 } = other;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
@@ -514,7 +527,7 @@ function weierstrassPoints(opts) {
          */
         multiplyUnsafe(sc) {
             const { endo, n: N } = CURVE;
-            ut.aInRange('scalar', sc, _0n, N);
+            (0, utils_ts_1.aInRange)('scalar', sc, _0n, N);
             const I = Point.ZERO;
             if (sc === _0n)
                 return I;
@@ -555,7 +568,7 @@ function weierstrassPoints(opts) {
          */
         multiply(scalar) {
             const { endo, n: N } = CURVE;
-            ut.aInRange('scalar', scalar, _1n, N);
+            (0, utils_ts_1.aInRange)('scalar', scalar, _1n, N);
             let point, fake; // Fake point is used to const-time mult
             if (endo) {
                 const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
@@ -611,20 +624,19 @@ function weierstrassPoints(opts) {
             return this.multiplyUnsafe(CURVE.h);
         }
         toRawBytes(isCompressed = true) {
-            (0, utils_js_1.abool)('isCompressed', isCompressed);
+            (0, utils_ts_1.abool)('isCompressed', isCompressed);
             this.assertValidity();
             return toBytes(Point, this, isCompressed);
         }
         toHex(isCompressed = true) {
-            (0, utils_js_1.abool)('isCompressed', isCompressed);
-            return ut.bytesToHex(this.toRawBytes(isCompressed));
+            (0, utils_ts_1.abool)('isCompressed', isCompressed);
+            return (0, utils_ts_1.bytesToHex)(this.toRawBytes(isCompressed));
         }
     }
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
     const _bits = CURVE.nBitLength;
-    const wnaf = (0, curve_js_1.wNAF)(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-    // Validate if generator point is on curve
+    const wnaf = (0, curve_ts_1.wNAF)(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
     return {
         CURVE,
         ProjectivePoint: Point,
@@ -634,8 +646,8 @@ function weierstrassPoints(opts) {
     };
 }
 function validateOpts(curve) {
-    const opts = (0, curve_js_1.validateBasic)(curve);
-    ut.validateObject(opts, {
+    const opts = (0, curve_ts_1.validateBasic)(curve);
+    (0, utils_ts_1.validateObject)(opts, {
         hash: 'hash',
         hmac: 'function',
         randomBytes: 'function',
@@ -659,18 +671,18 @@ function weierstrass(curveDef) {
     const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
     const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
     function modN(a) {
-        return (0, modular_js_1.mod)(a, CURVE_ORDER);
+        return (0, modular_ts_1.mod)(a, CURVE_ORDER);
     }
     function invN(a) {
-        return (0, modular_js_1.invert)(a, CURVE_ORDER);
+        return (0, modular_ts_1.invert)(a, CURVE_ORDER);
     }
     const { ProjectivePoint: Point, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder, } = weierstrassPoints({
         ...CURVE,
         toBytes(_c, point, isCompressed) {
             const a = point.toAffine();
             const x = Fp.toBytes(a.x);
-            const cat = ut.concatBytes;
-            (0, utils_js_1.abool)('isCompressed', isCompressed);
+            const cat = utils_ts_1.concatBytes;
+            (0, utils_ts_1.abool)('isCompressed', isCompressed);
             if (isCompressed) {
                 return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
             }
@@ -684,8 +696,8 @@ function weierstrass(curveDef) {
             const tail = bytes.subarray(1);
             // this.assertValidity() is done inside of fromHex
             if (len === compressedLen && (head === 0x02 || head === 0x03)) {
-                const x = ut.bytesToNumberBE(tail);
-                if (!ut.inRange(x, _1n, Fp.ORDER))
+                const x = (0, utils_ts_1.bytesToNumberBE)(tail);
+                if (!(0, utils_ts_1.inRange)(x, _1n, Fp.ORDER))
                     throw new Error('Point is not on curve');
                 const y2 = weierstrassEquation(x); // y² = x³ + ax + b
                 let y;
@@ -715,7 +727,7 @@ function weierstrass(curveDef) {
             }
         },
     });
-    const numToNByteStr = (num) => ut.bytesToHex(ut.numberToBytesBE(num, CURVE.nByteLength));
+    const numToNByteHex = (num) => (0, utils_ts_1.bytesToHex)((0, utils_ts_1.numberToBytesBE)(num, CURVE.nByteLength));
     function isBiggerThanHalfOrder(number) {
         const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
@@ -724,46 +736,50 @@ function weierstrass(curveDef) {
         return isBiggerThanHalfOrder(s) ? modN(-s) : s;
     }
     // slice bytes num
-    const slcNum = (b, from, to) => ut.bytesToNumberBE(b.slice(from, to));
+    const slcNum = (b, from, to) => (0, utils_ts_1.bytesToNumberBE)(b.slice(from, to));
     /**
      * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
      */
     class Signature {
         constructor(r, s, recovery) {
+            (0, utils_ts_1.aInRange)('r', r, _1n, CURVE_ORDER); // r in [1..N]
+            (0, utils_ts_1.aInRange)('s', s, _1n, CURVE_ORDER); // s in [1..N]
             this.r = r;
             this.s = s;
-            this.recovery = recovery;
-            this.assertValidity();
+            if (recovery != null)
+                this.recovery = recovery;
+            Object.freeze(this);
         }
         // pair (bytes of r, bytes of s)
         static fromCompact(hex) {
             const l = CURVE.nByteLength;
-            hex = (0, utils_js_1.ensureBytes)('compactSignature', hex, l * 2);
+            hex = (0, utils_ts_1.ensureBytes)('compactSignature', hex, l * 2);
             return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
         }
         // DER encoded ECDSA signature
         // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
         static fromDER(hex) {
-            const { r, s } = exports.DER.toSig((0, utils_js_1.ensureBytes)('DER', hex));
+            const { r, s } = exports.DER.toSig((0, utils_ts_1.ensureBytes)('DER', hex));
             return new Signature(r, s);
         }
-        assertValidity() {
-            ut.aInRange('r', this.r, _1n, CURVE_ORDER); // r in [1..N]
-            ut.aInRange('s', this.s, _1n, CURVE_ORDER); // s in [1..N]
-        }
+        /**
+         * @todo remove
+         * @deprecated
+         */
+        assertValidity() { }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
         recoverPublicKey(msgHash) {
             const { r, s, recovery: rec } = this;
-            const h = bits2int_modN((0, utils_js_1.ensureBytes)('msgHash', msgHash)); // Truncate hash
+            const h = bits2int_modN((0, utils_ts_1.ensureBytes)('msgHash', msgHash)); // Truncate hash
             if (rec == null || ![0, 1, 2, 3].includes(rec))
                 throw new Error('recovery id invalid');
             const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
             if (radj >= Fp.ORDER)
                 throw new Error('recovery id 2 or 3 invalid');
             const prefix = (rec & 1) === 0 ? '02' : '03';
-            const R = Point.fromHex(prefix + numToNByteStr(radj));
+            const R = Point.fromHex(prefix + numToNByteHex(radj));
             const ir = invN(radj); // r^-1
             const u1 = modN(-h * ir); // -hr^-1
             const u2 = modN(s * ir); // sr^-1
@@ -782,17 +798,17 @@ function weierstrass(curveDef) {
         }
         // DER-encoded
         toDERRawBytes() {
-            return ut.hexToBytes(this.toDERHex());
+            return (0, utils_ts_1.hexToBytes)(this.toDERHex());
         }
         toDERHex() {
-            return exports.DER.hexFromSig({ r: this.r, s: this.s });
+            return exports.DER.hexFromSig(this);
         }
         // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
-            return ut.hexToBytes(this.toCompactHex());
+            return (0, utils_ts_1.hexToBytes)(this.toCompactHex());
         }
         toCompactHex() {
-            return numToNByteStr(this.r) + numToNByteStr(this.s);
+            return numToNByteHex(this.r) + numToNByteHex(this.s);
         }
     }
     const utils = {
@@ -811,8 +827,8 @@ function weierstrass(curveDef) {
          * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
          */
         randomPrivateKey: () => {
-            const length = (0, modular_js_1.getMinHashLength)(CURVE.n);
-            return (0, modular_js_1.mapHashToField)(CURVE.randomBytes(length), CURVE.n);
+            const length = (0, modular_ts_1.getMinHashLength)(CURVE.n);
+            return (0, modular_ts_1.mapHashToField)(CURVE.randomBytes(length), CURVE.n);
         },
         /**
          * Creates precompute table for an arbitrary EC point. Makes point "cached".
@@ -841,7 +857,7 @@ function weierstrass(curveDef) {
      * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
      */
     function isProbPub(item) {
-        const arr = ut.isBytes(item);
+        const arr = (0, utils_ts_1.isBytes)(item);
         const str = typeof item === 'string';
         const len = (arr || str) && item.length;
         if (arr)
@@ -881,7 +897,7 @@ function weierstrass(curveDef) {
                 throw new Error('input is too large');
             // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
             // for some cases, since bytes.length * 8 is not actual bitLength.
-            const num = ut.bytesToNumberBE(bytes); // check for == u8 done here
+            const num = (0, utils_ts_1.bytesToNumberBE)(bytes); // check for == u8 done here
             const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
             return delta > 0 ? num >> BigInt(delta) : num;
         };
@@ -890,14 +906,14 @@ function weierstrass(curveDef) {
             return modN(bits2int(bytes)); // can't use bytesToNumberBE here
         };
     // NOTE: pads output with zero as per spec
-    const ORDER_MASK = ut.bitMask(CURVE.nBitLength);
+    const ORDER_MASK = (0, utils_ts_1.bitMask)(CURVE.nBitLength);
     /**
      * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
      */
     function int2octets(num) {
-        ut.aInRange('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
+        (0, utils_ts_1.aInRange)('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
         // works with order, can have different size than numToField!
-        return ut.numberToBytesBE(num, CURVE.nByteLength);
+        return (0, utils_ts_1.numberToBytesBE)(num, CURVE.nByteLength);
     }
     // Steps A, D of RFC6979 3.2
     // Creates RFC6979 seed; converts msg/privKey to numbers.
@@ -911,10 +927,10 @@ function weierstrass(curveDef) {
         let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
         if (lowS == null)
             lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
-        msgHash = (0, utils_js_1.ensureBytes)('msgHash', msgHash);
+        msgHash = (0, utils_ts_1.ensureBytes)('msgHash', msgHash);
         validateSigVerOpts(opts);
         if (prehash)
-            msgHash = (0, utils_js_1.ensureBytes)('prehashed msgHash', hash(msgHash));
+            msgHash = (0, utils_ts_1.ensureBytes)('prehashed msgHash', hash(msgHash));
         // We can't later call bits2octets, since nested bits2int is broken for curves
         // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
@@ -925,9 +941,9 @@ function weierstrass(curveDef) {
         if (ent != null && ent !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
             const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
-            seedArgs.push((0, utils_js_1.ensureBytes)('extraEntropy', e)); // check for being bytes
+            seedArgs.push((0, utils_ts_1.ensureBytes)('extraEntropy', e)); // check for being bytes
         }
-        const seed = ut.concatBytes(...seedArgs); // Step D of RFC6979 3.2
+        const seed = (0, utils_ts_1.concatBytes)(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
         // Converts signature params into point w r/s, checks result for validity.
         function k2sig(kBytes) {
@@ -974,7 +990,7 @@ function weierstrass(curveDef) {
     function sign(msgHash, privKey, opts = defaultSigOpts) {
         const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
         const C = CURVE;
-        const drbg = ut.createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
+        const drbg = (0, utils_ts_1.createHmacDrbg)(C.hash.outputLen, C.nByteLength, C.hmac);
         return drbg(seed, k2sig); // Steps B, C, D, E, F, G
     }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
@@ -995,8 +1011,8 @@ function weierstrass(curveDef) {
      */
     function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
         const sg = signature;
-        msgHash = (0, utils_js_1.ensureBytes)('msgHash', msgHash);
-        publicKey = (0, utils_js_1.ensureBytes)('publicKey', publicKey);
+        msgHash = (0, utils_ts_1.ensureBytes)('msgHash', msgHash);
+        publicKey = (0, utils_ts_1.ensureBytes)('publicKey', publicKey);
         const { lowS, prehash, format } = opts;
         // Verify opts, deduce signature format
         validateSigVerOpts(opts);
@@ -1004,7 +1020,7 @@ function weierstrass(curveDef) {
             throw new Error('options.strict was renamed to lowS');
         if (format !== undefined && format !== 'compact' && format !== 'der')
             throw new Error('format must be compact or der');
-        const isHex = typeof sg === 'string' || ut.isBytes(sg);
+        const isHex = typeof sg === 'string' || (0, utils_ts_1.isBytes)(sg);
         const isObj = !isHex &&
             !format &&
             typeof sg === 'object' &&
@@ -1148,7 +1164,7 @@ function SWUFpSqrtRatio(Fp, Z) {
  * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
  */
 function mapToCurveSimpleSWU(Fp, opts) {
-    (0, modular_js_1.validateField)(Fp);
+    (0, modular_ts_1.validateField)(Fp);
     if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
         throw new Error('mapToCurveSimpleSWU: invalid opts');
     const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);
@@ -1183,7 +1199,8 @@ function mapToCurveSimpleSWU(Fp, opts) {
         y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
         const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23.  e1 = sgn0(u) == sgn0(y)
         y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
-        x = Fp.div(x, tv4); // 25.   x = x / tv4
+        const tv4_inv = (0, modular_ts_1.FpInvertBatch)(Fp, [tv4], true)[0];
+        x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
         return { x, y };
     };
 }