@noble/curves 1.8.2 → 1.9.1

package/src/abstract/montgomery.ts

@@ -5,7 +5,7 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { mod, pow } from './modular.ts';
+import { mod } from './modular.ts';
 import {
   aInRange,
   bytesToNumberLE,
@@ -16,19 +16,15 @@ import {
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
+const _2n = BigInt(2);
 type Hex = string | Uint8Array;
 
 export type CurveType = {
   P: bigint; // finite field prime
-  nByteLength: number;
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
-  a: bigint;
-  montgomeryBits: number;
-  powPminus2?: (x: bigint) => bigint;
-  xyToU?: (x: bigint, y: bigint) => bigint;
-  Gu: bigint;
-  randomBytes?: (bytesLength?: number) => Uint8Array;
+  type: 'x25519' | 'x448';
+  adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
+  powPminus2: (x: bigint) => bigint;
+  randomBytes: (bytesLength?: number) => Uint8Array;
 };
 
 export type CurveFn = {
@@ -41,66 +37,87 @@ export type CurveFn = {
 };
 
 function validateOpts(curve: CurveType) {
-  validateObject(
-    curve,
-    {
-      a: 'bigint',
-    },
-    {
-      montgomeryBits: 'isSafeInteger',
-      nByteLength: 'isSafeInteger',
-      adjustScalarBytes: 'function',
-      domain: 'function',
-      powPminus2: 'function',
-      Gu: 'bigint',
-    }
-  );
-  // Set defaults
+  validateObject(curve, {
+    adjustScalarBytes: 'function',
+    powPminus2: 'function',
+  });
   return Object.freeze({ ...curve } as const);
 }
 
-// Uses only one coordinate instead of two
 export function montgomery(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef);
-  const { P } = CURVE;
+  const { P, type, adjustScalarBytes, powPminus2 } = CURVE;
+  const is25519 = type === 'x25519';
+  if (!is25519 && type !== 'x448') throw new Error('invalid type');
+
+  const montgomeryBits = is25519 ? 255 : 448;
+  const fieldLen = is25519 ? 32 : 56;
+  const Gu = is25519 ? BigInt(9) : BigInt(5);
+  // RFC 7748 #5:
+  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
+  // (156326 - 2) / 4 = 39081 for curve448/X448
+  // const a = is25519 ? 156326n : 486662n;
+  const a24 = is25519 ? BigInt(121665) : BigInt(39081);
+  // RFC: x25519 "the resulting integer is of the form 2^254 plus
+  // eight times a value between 0 and 2^251 - 1 (inclusive)"
+  // x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
+  const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
+  const maxAdded = is25519
+    ? BigInt(8) * _2n ** BigInt(251) - _1n
+    : BigInt(4) * _2n ** BigInt(445) - _1n;
+  const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
   const modP = (n: bigint) => mod(n, P);
-  const montgomeryBits = CURVE.montgomeryBits;
-  const montgomeryBytes = Math.ceil(montgomeryBits / 8);
-  const fieldLen = CURVE.nByteLength;
-  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
-  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => pow(x, P - BigInt(2), P));
+  const GuBytes = encodeU(Gu);
+  function encodeU(u: bigint): Uint8Array {
+    return numberToBytesLE(modP(u), fieldLen);
+  }
+  function decodeU(u: Hex): bigint {
+    const _u = ensureBytes('u coordinate', u, fieldLen);
+    // RFC: When receiving such an array, implementations of X25519
+    // (but not X448) MUST mask the most significant bit in the final byte.
+    if (is25519) _u[31] &= 127; // 0b0111_1111
+    // RFC: Implementations MUST accept non-canonical values and process them as
+    // if they had been reduced modulo the field prime.  The non-canonical
+    // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
+    // - 1 through 2^448 - 1 for X448.
+    return modP(bytesToNumberLE(_u));
+  }
+  function decodeScalar(scalar: Hex): bigint {
+    return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
+  }
+  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
+    const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
+    // Some public keys are useless, of low-order. Curve author doesn't think
+    // it needs to be validated, but we do it nonetheless.
+    // https://cr.yp.to/ecdh.html#validate
+    if (pu === _0n) throw new Error('invalid private or public key received');
+    return encodeU(pu);
+  }
+  // Computes public key from private. By doing scalar multiplication of base point.
+  function scalarMultBase(scalar: Hex): Uint8Array {
+    return scalarMult(scalar, GuBytes);
+  }
 
-  // cswap from RFC7748. But it is not from RFC7748!
-  /*
-    cswap(swap, x_2, x_3):
-         dummy = mask(swap) AND (x_2 XOR x_3)
-         x_2 = x_2 XOR dummy
-         x_3 = x_3 XOR dummy
-         Return (x_2, x_3)
-  Where mask(swap) is the all-1 or all-0 word of the same length as x_2
-   and x_3, computed, e.g., as mask(swap) = 0 - swap.
-  */
-  function cswap(swap: bigint, x_2: bigint, x_3: bigint): [bigint, bigint] {
+  // cswap from RFC7748 "example code"
+  function cswap(swap: bigint, x_2: bigint, x_3: bigint): { x_2: bigint; x_3: bigint } {
+    // dummy = mask(swap) AND (x_2 XOR x_3)
+    // Where mask(swap) is the all-1 or all-0 word of the same length as x_2
+    // and x_3, computed, e.g., as mask(swap) = 0 - swap.
     const dummy = modP(swap * (x_2 - x_3));
-    x_2 = modP(x_2 - dummy);
-    x_3 = modP(x_3 + dummy);
-    return [x_2, x_3];
+    x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
+    x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
+    return { x_2, x_3 };
   }
 
-  // x25519 from 4
-  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
-  const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
   /**
-   *
+   * Montgomery x-only multiplication ladder.
    * @param pointU u coordinate (x) on Montgomery Curve 25519
    * @param scalar by which the point would be multiplied
    * @returns new Point on Montgomery curve
    */
   function montgomeryLadder(u: bigint, scalar: bigint): bigint {
     aInRange('u', u, _0n, P);
-    aInRange('scalar', scalar, _0n, P);
-    // Section 5: Implementations MUST accept non-canonical values and process them as
-    // if they had been reduced modulo the field prime.
+    aInRange('scalar', scalar, minScalar, maxScalar);
     const k = scalar;
     const x_1 = u;
     let x_2 = _1n;
@@ -108,16 +125,11 @@ export function montgomery(curveDef: CurveType): CurveFn {
     let x_3 = u;
     let z_3 = _1n;
     let swap = _0n;
-    let sw: [bigint, bigint];
     for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
       const k_t = (k >> t) & _1n;
       swap ^= k_t;
-      sw = cswap(swap, x_2, x_3);
-      x_2 = sw[0];
-      x_3 = sw[1];
-      sw = cswap(swap, z_2, z_3);
-      z_2 = sw[0];
-      z_3 = sw[1];
+      ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+      ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
       swap = k_t;
 
       const A = x_2 + z_2;
@@ -136,53 +148,10 @@ export function montgomery(curveDef: CurveType): CurveFn {
       x_2 = modP(AA * BB);
       z_2 = modP(E * (AA + modP(a24 * E)));
     }
-    // (x_2, x_3) = cswap(swap, x_2, x_3)
-    sw = cswap(swap, x_2, x_3);
-    x_2 = sw[0];
-    x_3 = sw[1];
-    // (z_2, z_3) = cswap(swap, z_2, z_3)
-    sw = cswap(swap, z_2, z_3);
-    z_2 = sw[0];
-    z_3 = sw[1];
-    // z_2^(p - 2)
-    const z2 = powPminus2(z_2);
-    // Return x_2 * (z_2^(p - 2))
-    return modP(x_2 * z2);
-  }
-
-  function encodeUCoordinate(u: bigint): Uint8Array {
-    return numberToBytesLE(modP(u), montgomeryBytes);
-  }
-
-  function decodeUCoordinate(uEnc: Hex): bigint {
-    // Section 5: When receiving such an array, implementations of X25519
-    // MUST mask the most significant bit in the final byte.
-    const u = ensureBytes('u coordinate', uEnc, montgomeryBytes);
-    if (fieldLen === 32) u[31] &= 127; // 0b0111_1111
-    return bytesToNumberLE(u);
-  }
-  function decodeScalar(n: Hex): bigint {
-    const bytes = ensureBytes('scalar', n);
-    const len = bytes.length;
-    if (len !== montgomeryBytes && len !== fieldLen) {
-      let valid = '' + montgomeryBytes + ' or ' + fieldLen;
-      throw new Error('invalid scalar, expected ' + valid + ' bytes, got ' + len);
-    }
-    return bytesToNumberLE(adjustScalarBytes(bytes));
-  }
-  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
-    const pointU = decodeUCoordinate(u);
-    const _scalar = decodeScalar(scalar);
-    const pu = montgomeryLadder(pointU, _scalar);
-    // The result was not contributory
-    // https://cr.yp.to/ecdh.html#validate
-    if (pu === _0n) throw new Error('invalid private or public key received');
-    return encodeUCoordinate(pu);
-  }
-  // Computes public key from private. By doing scalar multiplication of base point.
-  const GuBytes = encodeUCoordinate(CURVE.Gu);
-  function scalarMultBase(scalar: Hex): Uint8Array {
-    return scalarMult(scalar, GuBytes);
+    ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+    ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+    const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
+    return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
 
   return {
@@ -190,7 +159,7 @@ export function montgomery(curveDef: CurveType): CurveFn {
     scalarMultBase,
     getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
     getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    utils: { randomPrivateKey: () => CURVE.randomBytes!(CURVE.nByteLength) },
-    GuBytes: GuBytes,
+    utils: { randomPrivateKey: () => CURVE.randomBytes!(fieldLen) },
+    GuBytes: GuBytes.slice(),
   };
 }

package/src/abstract/poseidon.ts

@@ -7,19 +7,127 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { FpPow, type IField, validateField } from './modular.ts';
+import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
+import { bitGet } from './utils.ts';
 
-export type PoseidonOpts = {
+// Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
+function grainLFSR(state: number[]): () => boolean {
+  let pos = 0;
+  if (state.length !== 80) throw new Error('grainLFRS: wrong state length, should be 80 bits');
+  const getBit = (): boolean => {
+    const r = (offset: number) => state[(pos + offset) % 80];
+    const bit = r(62) ^ r(51) ^ r(38) ^ r(23) ^ r(13) ^ r(0);
+    state[pos] = bit;
+    pos = ++pos % 80;
+    return !!bit;
+  };
+  for (let i = 0; i < 160; i++) getBit();
+  return () => {
+    // https://en.wikipedia.org/wiki/Shrinking_generator
+    while (true) {
+      const b1 = getBit();
+      const b2 = getBit();
+      if (!b1) continue;
+      return b2;
+    }
+  };
+}
+
+export type PoseidonBasicOpts = {
   Fp: IField<bigint>;
-  t: number;
+  t: number; // t = rate + capacity
   roundsFull: number;
   roundsPartial: number;
+  isSboxInverse?: boolean;
+};
+
+function validateBasicOpts(opts: PoseidonBasicOpts) {
+  const { Fp, roundsFull } = opts;
+  validateField(Fp);
+  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error('invalid number ' + i);
+  }
+  if (opts.isSboxInverse !== undefined && typeof opts.isSboxInverse !== 'boolean')
+    throw new Error(`Poseidon: invalid param isSboxInverse=${opts.isSboxInverse}`);
+  if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
+}
+
+function poseidonGrain(opts: PoseidonBasicOpts) {
+  validateBasicOpts(opts);
+  const { Fp } = opts;
+  const state = Array(80).fill(1);
+  let pos = 0;
+  const writeBits = (value: bigint, bitCount: number) => {
+    for (let i = bitCount - 1; i >= 0; i--) state[pos++] = Number(bitGet(value, i));
+  };
+  const _0n = BigInt(0);
+  const _1n = BigInt(1);
+  writeBits(_1n, 2); // prime field
+  writeBits(opts.isSboxInverse ? _1n : _0n, 4); // b2..b5
+  writeBits(BigInt(Fp.BITS), 12); // b6..b17
+  writeBits(BigInt(opts.t), 12); // b18..b29
+  writeBits(BigInt(opts.roundsFull), 10); // b30..b39
+  writeBits(BigInt(opts.roundsPartial), 10); // b40..b49
+
+  const getBit = grainLFSR(state);
+  return (count: number, reject: boolean): bigint[] => {
+    const res: bigint[] = [];
+    for (let i = 0; i < count; i++) {
+      while (true) {
+        let num = _0n;
+        for (let i = 0; i < Fp.BITS; i++) {
+          num <<= _1n;
+          if (getBit()) num |= _1n;
+        }
+        if (reject && num >= Fp.ORDER) continue; // rejection sampling
+        res.push(Fp.create(num));
+        break;
+      }
+    }
+    return res;
+  };
+}
+
+export type PoseidonGrainOpts = PoseidonBasicOpts & {
   sboxPower?: number;
-  reversePartialPowIdx?: boolean; // Hack for stark
-  mds: bigint[][];
-  roundConstants: bigint[][];
 };
 
+type PoseidonConstants = { mds: bigint[][]; roundConstants: bigint[][] };
+
+// NOTE: this is not standard but used often for constant generation for poseidon
+// (grain LFRS-like structure)
+export function grainGenConstants(opts: PoseidonGrainOpts, skipMDS: number = 0): PoseidonConstants {
+  const { Fp, t, roundsFull, roundsPartial } = opts;
+  const rounds = roundsFull + roundsPartial;
+  const sample = poseidonGrain(opts);
+  const roundConstants: bigint[][] = [];
+  for (let r = 0; r < rounds; r++) roundConstants.push(sample(t, true));
+  if (skipMDS > 0) for (let i = 0; i < skipMDS; i++) sample(2 * t, false);
+  const xs = sample(t, false);
+  const ys = sample(t, false);
+  // Construct MDS Matrix M[i][j] = 1 / (xs[i] + ys[j])
+  const mds: bigint[][] = [];
+  for (let i = 0; i < t; i++) {
+    const row: bigint[] = [];
+    for (let j = 0; j < t; j++) {
+      const xy = Fp.add(xs[i], ys[j]);
+      if (Fp.is0(xy))
+        throw new Error(`Error generating MDS matrix: xs[${i}] + ys[${j}] resulted in zero.`);
+      row.push(xy);
+    }
+    mds.push(FpInvertBatch(Fp, row));
+  }
+
+  return { roundConstants, mds };
+}
+
+export type PoseidonOpts = PoseidonBasicOpts &
+  PoseidonConstants & {
+    sboxPower?: number;
+    reversePartialPowIdx?: boolean; // Hack for stark
+  };
+
 export function validateOpts(opts: PoseidonOpts): Readonly<{
   rounds: number;
   sboxFn: (n: bigint) => bigint;
@@ -32,15 +140,10 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
   sboxPower?: number;
   reversePartialPowIdx?: boolean; // Hack for stark
 }> {
+  validateBasicOpts(opts);
   const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
   const { roundsFull, roundsPartial, sboxPower, t } = opts;
 
-  validateField(Fp);
-  for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
-  }
-
   // MDS is TxT matrix
   if (!Array.isArray(mds) || mds.length !== t) throw new Error('Poseidon: invalid MDS matrix');
   const _mds = mds.map((mdsRow) => {
@@ -68,7 +171,7 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
     });
   });
 
-  if (!sboxPower || ![3, 5, 7].includes(sboxPower)) throw new Error('invalid sboxPower');
+  if (!sboxPower || ![3, 5, 7, 17].includes(sboxPower)) throw new Error('invalid sboxPower');
   const _sboxPower = BigInt(sboxPower);
   let sboxFn = (n: bigint) => FpPow(Fp, n, _sboxPower);
   // Unwrapped sbox power for common cases (195->142μs)
@@ -134,3 +237,95 @@ export function poseidon(opts: PoseidonOpts): {
   poseidonHash.roundConstants = roundConstants;
   return poseidonHash;
 }
+
+export class PoseidonSponge {
+  private Fp: IField<bigint>;
+  readonly rate: number;
+  readonly capacity: number;
+  readonly hash: ReturnType<typeof poseidon>;
+  private state: bigint[]; // [...capacity, ...rate]
+  private pos = 0;
+  private isAbsorbing = true;
+
+  constructor(
+    Fp: IField<bigint>,
+    rate: number,
+    capacity: number,
+    hash: ReturnType<typeof poseidon>
+  ) {
+    this.Fp = Fp;
+    this.hash = hash;
+    this.rate = rate;
+    this.capacity = capacity;
+    this.state = new Array(rate + capacity);
+    this.clean();
+  }
+  private process(): void {
+    this.state = this.hash(this.state);
+  }
+  absorb(input: bigint[]): void {
+    for (const i of input)
+      if (typeof i !== 'bigint' || !this.Fp.isValid(i)) throw new Error('invalid input: ' + i);
+    for (let i = 0; i < input.length; ) {
+      if (!this.isAbsorbing || this.pos === this.rate) {
+        this.process();
+        this.pos = 0;
+        this.isAbsorbing = true;
+      }
+      const chunk = Math.min(this.rate - this.pos, input.length - i);
+      for (let j = 0; j < chunk; j++) {
+        const idx = this.capacity + this.pos++;
+        this.state[idx] = this.Fp.add(this.state[idx], input[i++]);
+      }
+    }
+  }
+  squeeze(count: number): bigint[] {
+    const res: bigint[] = [];
+    while (res.length < count) {
+      if (this.isAbsorbing || this.pos === this.rate) {
+        this.process();
+        this.pos = 0;
+        this.isAbsorbing = false;
+      }
+      const chunk = Math.min(this.rate - this.pos, count - res.length);
+      for (let i = 0; i < chunk; i++) res.push(this.state[this.capacity + this.pos++]);
+    }
+    return res;
+  }
+  clean(): void {
+    this.state.fill(this.Fp.ZERO);
+    this.isAbsorbing = true;
+    this.pos = 0;
+  }
+  clone(): PoseidonSponge {
+    const c = new PoseidonSponge(this.Fp, this.rate, this.capacity, this.hash);
+    c.pos = this.pos;
+    c.state = [...this.state];
+    return c;
+  }
+}
+
+export type PoseidonSpongeOpts = Omit<PoseidonOpts, 't'> & {
+  rate: number;
+  capacity: number;
+};
+
+/**
+ * The method is not defined in spec, but nevertheless used often.
+ * Check carefully for compatibility: there are many edge cases, like absorbing an empty array.
+ * We cross-test against:
+ * - https://github.com/ProvableHQ/snarkVM/tree/staging/algorithms
+ * - https://github.com/arkworks-rs/crypto-primitives/tree/main
+ */
+export function poseidonSponge(opts: PoseidonSpongeOpts): () => PoseidonSponge {
+  for (const i of ['rate', 'capacity'] as const) {
+    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
+      throw new Error('invalid number ' + i);
+  }
+  const { rate, capacity } = opts;
+  const t = opts.rate + opts.capacity;
+  // Re-use hash instance between multiple instances
+  const hash = poseidon({ ...opts, t });
+  const { Fp } = opts;
+  return () => new PoseidonSponge(Fp, rate, capacity, hash);
+}

package/src/abstract/tower.ts

@@ -88,7 +88,7 @@ export function psiFrobenius(
   PSI2_X: Fp2;
   PSI2_Y: Fp2;
 } {
-  // Ψ endomorphism
+  // GLV endomorphism Ψ(P)
   const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
   const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
   function psi(x: Fp2, y: Fp2): [Fp2, Fp2] {
@@ -167,7 +167,6 @@ export function tower12(opts: Tower12Opts): {
   // Fp
   const Fp = mod.Field(ORDER);
   const FpNONRESIDUE = Fp.create(opts.NONRESIDUE || BigInt(-1));
-  const FpLegendre = mod.FpLegendre(ORDER);
   const Fpdiv2 = Fp.div(Fp.ONE, _2n); // 1/2
 
   // Fp2
@@ -265,14 +264,14 @@ export function tower12(opts: Tower12Opts): {
       const { c0, c1 } = num;
       if (Fp.is0(c1)) {
         // if c0 is quadratic residue
-        if (Fp.eql(FpLegendre(Fp, c0), Fp.ONE)) return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
+        if (mod.FpLegendre(Fp, c0) === 1) return Fp2.create({ c0: Fp.sqrt(c0), c1: Fp.ZERO });
         else return Fp2.create({ c0: Fp.ZERO, c1: Fp.sqrt(Fp.div(c0, FpNONRESIDUE)) });
       }
       const a = Fp.sqrt(Fp.sub(Fp.sqr(c0), Fp.mul(Fp.sqr(c1), FpNONRESIDUE)));
       let d = Fp.mul(Fp.add(a, c0), Fpdiv2);
-      const legendre = FpLegendre(Fp, d);
+      const legendre = mod.FpLegendre(Fp, d);
       // -1, Quadratic non residue
-      if (!Fp.is0(legendre) && !Fp.eql(legendre, Fp.ONE)) d = Fp.sub(d, a);
+      if (legendre === -1) d = Fp.sub(d, a);
       const a0 = Fp.sqrt(d);
       const candidateSqrt = Fp2.create({ c0: a0, c1: Fp.div(Fp.mul(c1, Fpdiv2), a0) });
       if (!Fp2.eql(Fp2.sqr(candidateSqrt), num)) throw new Error('Cannot find square root');

package/src/abstract/utils.ts

@@ -32,6 +32,7 @@ export function abool(title: string, value: boolean): void {
   if (typeof value !== 'boolean') throw new Error(title + ' boolean expected, got ' + value);
 }
 
+// Used in weierstrass, der
 export function numberToHexUnpadded(num: number | bigint): string {
   const hex = num.toString(16);
   return hex.length & 1 ? '0' + hex : hex;
@@ -217,6 +218,7 @@ export function aInRange(title: string, n: bigint, min: bigint, max: bigint): vo
 /**
  * Calculates amount of bits in a bigint.
  * Same as `n.toString(2).length`
+ * TODO: merge with nLength in modular
  */
 export function bitLen(n: bigint): number {
   let len;