@noble/curves 1.9.0 → 1.9.2

package/src/abstract/bls.ts

@@ -1,5 +1,4 @@
 /**
- * BLS (Barreto-Lynn-Scott) family of pairing-friendly curves.
  * BLS != BLS.
  * The file implements BLS (Boneh-Lynn-Shacham) signatures.
  * Used in both BLS (Barreto-Lynn-Scott) and BN (Barreto-Naehrig)
@@ -10,28 +9,39 @@
  * - Gt, created by bilinear (ate) pairing e(G1, G2), consists of p-th roots of unity in
  *   Fq^k where k is embedding degree. Only degree 12 is currently supported, 24 is not.
  * Pairing is used to aggregate and verify signatures.
- * There are two main ways to use it:
- * 1. Fp for short private keys, Fp₂ for signatures
- * 2. Fp for short signatures, Fp₂ for private keys
+ * There are two modes of operation:
+ * - Long signatures:  X-byte keys + 2X-byte sigs (G1 keys + G2 sigs).
+ * - Short signatures: 2X-byte keys + X-byte sigs (G2 keys + G1 sigs).
  * @module
  **/
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// TODO: import { AffinePoint } from './curve.ts';
 import {
+  abytes,
+  ensureBytes,
+  memoized,
+  randomBytes,
+  type CHash,
+  type Hex,
+  type PrivKey,
+} from '../utils.ts';
+import { normalizeZ } from './curve.ts';
+import {
+  createHasher,
+  type H2CHasher,
+  type H2CHashOpts,
+  type H2COpts,
   type H2CPointConstructor,
   type htfBasicOpts,
-  type Opts as HTFOpts,
   type MapToCurve,
-  createHasher,
 } from './hash-to-curve.ts';
-import { type IField, getMinHashLength, mapHashToField } from './modular.ts';
-import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6 } from './tower.ts';
-import { type CHash, type Hex, type PrivKey, ensureBytes, memoized } from './utils.ts';
+import { getMinHashLength, mapHashToField, type IField } from './modular.ts';
+import type { Fp12, Fp12Bls, Fp2, Fp2Bls, Fp6Bls } from './tower.ts';
 import {
+  weierstrassPoints,
   type CurvePointsRes,
   type CurvePointsType,
+  type ProjConstructor,
   type ProjPointType,
-  weierstrassPoints,
 } from './weierstrass.ts';
 
 type Fp = bigint; // Can be different field?
@@ -42,13 +52,19 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 export type TwistType = 'multiplicative' | 'divisive';
 
 export type ShortSignatureCoder<Fp> = {
+  fromBytes(bytes: Uint8Array): ProjPointType<Fp>;
   fromHex(hex: Hex): ProjPointType<Fp>;
+  toBytes(point: ProjPointType<Fp>): Uint8Array;
+  /** @deprecated use `toBytes` */
   toRawBytes(point: ProjPointType<Fp>): Uint8Array;
   toHex(point: ProjPointType<Fp>): string;
 };
 
 export type SignatureCoder<Fp> = {
+  fromBytes(bytes: Uint8Array): ProjPointType<Fp>;
   fromHex(hex: Hex): ProjPointType<Fp>;
+  toBytes(point: ProjPointType<Fp>): Uint8Array;
+  /** @deprecated use `toBytes` */
   toRawBytes(point: ProjPointType<Fp>): Uint8Array;
   toHex(point: ProjPointType<Fp>): string;
 };
@@ -69,21 +85,21 @@ export type PostPrecomputeFn = (
   pointAdd: PostPrecomputePointAddFn
 ) => void;
 export type CurveType = {
-  G1: Omit<CurvePointsType<Fp>, 'n'> & {
+  G1: CurvePointsType<Fp> & {
     ShortSignature: SignatureCoder<Fp>;
     mapToCurve: MapToCurve<Fp>;
-    htfDefaults: HTFOpts;
+    htfDefaults: H2COpts;
   };
-  G2: Omit<CurvePointsType<Fp2>, 'n'> & {
+  G2: CurvePointsType<Fp2> & {
     Signature: SignatureCoder<Fp2>;
     mapToCurve: MapToCurve<Fp2>;
-    htfDefaults: HTFOpts;
+    htfDefaults: H2COpts;
   };
   fields: {
     Fp: IField<Fp>;
     Fr: IField<bigint>;
     Fp2: Fp2Bls;
-    Fp6: IField<Fp6>;
+    Fp6: Fp6Bls;
     Fp12: Fp12Bls;
   };
   params: {
@@ -92,12 +108,12 @@ export type CurveType = {
     // Can be different from 'X' (seed) param!
     ateLoopSize: bigint;
     xNegative: boolean;
-    r: bigint;
+    r: bigint; // TODO: remove
     twistType: TwistType; // BLS12-381: Multiplicative, BN254: Divisive
   };
-  htfDefaults: HTFOpts;
+  htfDefaults: H2COpts;
   hash: CHash; // Because we need outputLen for DRBG
-  randomBytes: (bytesLength?: number) => Uint8Array;
+  randomBytes?: (bytesLength?: number) => Uint8Array;
   // This is super ugly hack for untwist point in BN254 after miller loop
   postPrecompute?: PostPrecomputeFn;
 };
@@ -106,22 +122,38 @@ type PrecomputeSingle = [Fp2, Fp2, Fp2][];
 type Precompute = PrecomputeSingle[];
 
 export type CurveFn = {
+  longSignatures: BLSSigs<bigint, Fp2>;
+  shortSignatures: BLSSigs<Fp2, bigint>;
+
+  millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
+  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
+  pairingBatch: (
+    pairs: { g1: ProjPointType<Fp>; g2: ProjPointType<Fp2> }[],
+    withFinalExponent?: boolean
+  ) => Fp12;
+
+  /** @deprecated use `longSignatures.getPublicKey` */
   getPublicKey: (privateKey: PrivKey) => Uint8Array;
+  /** @deprecated use `shortSignatures.getPublicKey` */
   getPublicKeyForShortSignatures: (privateKey: PrivKey) => Uint8Array;
+  /** @deprecated use `longSignatures.sign` */
   sign: {
     (message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
     (message: ProjPointType<Fp2>, privateKey: PrivKey, htfOpts?: htfBasicOpts): ProjPointType<Fp2>;
   };
+  /** @deprecated use `shortSignatures.sign` */
   signShortSignature: {
     (message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
     (message: ProjPointType<Fp>, privateKey: PrivKey, htfOpts?: htfBasicOpts): ProjPointType<Fp>;
   };
+  /** @deprecated use `longSignatures.verify` */
   verify: (
     signature: Hex | ProjPointType<Fp2>,
     message: Hex | ProjPointType<Fp2>,
     publicKey: Hex | ProjPointType<Fp>,
     htfOpts?: htfBasicOpts
   ) => boolean;
+  /** @deprecated use `shortSignatures.verify` */
   verifyShortSignature: (
     signature: Hex | ProjPointType<Fp>,
     message: Hex | ProjPointType<Fp>,
@@ -134,38 +166,45 @@ export type CurveFn = {
     publicKeys: (Hex | ProjPointType<Fp>)[],
     htfOpts?: htfBasicOpts
   ) => boolean;
+  /** @deprecated use `longSignatures.aggregatePublicKeys` */
   aggregatePublicKeys: {
     (publicKeys: Hex[]): Uint8Array;
     (publicKeys: ProjPointType<Fp>[]): ProjPointType<Fp>;
   };
+  /** @deprecated use `longSignatures.aggregateSignatures` */
   aggregateSignatures: {
     (signatures: Hex[]): Uint8Array;
     (signatures: ProjPointType<Fp2>[]): ProjPointType<Fp2>;
   };
+  /** @deprecated use `shortSignatures.aggregateSignatures` */
   aggregateShortSignatures: {
     (signatures: Hex[]): Uint8Array;
     (signatures: ProjPointType<Fp>[]): ProjPointType<Fp>;
   };
-  millerLoopBatch: (pairs: [Precompute, Fp, Fp][]) => Fp12;
-  pairing: (P: ProjPointType<Fp>, Q: ProjPointType<Fp2>, withFinalExponent?: boolean) => Fp12;
-  pairingBatch: (
-    pairs: { g1: ProjPointType<Fp>; g2: ProjPointType<Fp2> }[],
-    withFinalExponent?: boolean
-  ) => Fp12;
-  G1: CurvePointsRes<Fp> & ReturnType<typeof createHasher<Fp>>;
-  G2: CurvePointsRes<Fp2> & ReturnType<typeof createHasher<Fp2>>;
+  /** @deprecated use `curves.G1` and `curves.G2` */
+  G1: CurvePointsRes<Fp> & H2CHasher<Fp>;
+  G2: CurvePointsRes<Fp2> & H2CHasher<Fp2>;
+  /** @deprecated use `longSignatures.Signature` */
   Signature: SignatureCoder<Fp2>;
+  /** @deprecated use `shortSignatures.Signature` */
   ShortSignature: ShortSignatureCoder<Fp>;
   params: {
     ateLoopSize: bigint;
     r: bigint;
+    twistType: TwistType;
+    /** @deprecated */
     G1b: bigint;
+    /** @deprecated */
     G2b: Fp2;
   };
+  curves: {
+    G1: ProjConstructor<bigint>;
+    G2: ProjConstructor<Fp2>;
+  };
   fields: {
     Fp: IField<Fp>;
     Fp2: Fp2Bls;
-    Fp6: IField<Fp6>;
+    Fp6: Fp6Bls;
     Fp12: Fp12Bls;
     Fr: IField<bigint>;
   };
@@ -175,6 +214,21 @@ export type CurveFn = {
   };
 };
 
+type BLSInput = Hex | Uint8Array;
+export interface BLSSigs<P, S> {
+  getPublicKey(privateKey: PrivKey): ProjPointType<P>;
+  sign(hashedMessage: ProjPointType<S>, privateKey: PrivKey): ProjPointType<S>;
+  verify(
+    signature: ProjPointType<S> | BLSInput,
+    message: ProjPointType<S>,
+    publicKey: ProjPointType<P> | BLSInput
+  ): boolean;
+  aggregatePublicKeys(publicKeys: (ProjPointType<P> | BLSInput)[]): ProjPointType<P>;
+  aggregateSignatures(signatures: (ProjPointType<S> | BLSInput)[]): ProjPointType<S>;
+  hash(message: Uint8Array, DST?: string | Uint8Array, hashOpts?: H2CHashOpts): ProjPointType<S>;
+  Signature: SignatureCoder<S>;
+}
+
 // Not used with BLS12-381 (no sequential `11` in X). Useful for other curves.
 function NAfDecomposition(a: bigint) {
   const res = [];
@@ -189,31 +243,32 @@ function NAfDecomposition(a: bigint) {
   return res;
 }
 
+// G1_Point: ProjConstructor<bigint>, G2_Point: ProjConstructor<Fp2>,
 export function bls(CURVE: CurveType): CurveFn {
   // Fields are specific for curve, so for now we'll need to pass them with opts
   const { Fp, Fr, Fp2, Fp6, Fp12 } = CURVE.fields;
   const BLS_X_IS_NEGATIVE = CURVE.params.xNegative;
   const TWIST: TwistType = CURVE.params.twistType;
   // Point on G1 curve: (x, y)
-  const G1_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G1 });
+  const G1_ = weierstrassPoints(CURVE.G1);
   const G1 = Object.assign(
     G1_,
-    createHasher(G1_.ProjectivePoint, CURVE.G1.mapToCurve, {
+    createHasher(G1_.Point, CURVE.G1.mapToCurve, {
       ...CURVE.htfDefaults,
       ...CURVE.G1.htfDefaults,
     })
   );
   // Point on G2 curve (complex numbers): (x₁, x₂+i), (y₁, y₂+i)
-  const G2_ = weierstrassPoints({ n: Fr.ORDER, ...CURVE.G2 });
+  const G2_ = weierstrassPoints(CURVE.G2);
   const G2 = Object.assign(
     G2_,
-    createHasher(G2_.ProjectivePoint as H2CPointConstructor<Fp2>, CURVE.G2.mapToCurve, {
+    createHasher(G2_.Point as H2CPointConstructor<Fp2>, CURVE.G2.mapToCurve, {
       ...CURVE.htfDefaults,
       ...CURVE.G2.htfDefaults,
     })
   );
-  type G1 = typeof G1.ProjectivePoint.BASE;
-  type G2 = typeof G2.ProjectivePoint.BASE;
+  type G1 = typeof G1.Point.BASE;
+  type G2 = typeof G2.Point.BASE;
 
   // Applies sparse multiplication as line function
   let lineFunction: (c0: Fp2, c1: Fp2, c2: Fp2, f: Fp12, Px: Fp, Py: Fp) => Fp12;
@@ -316,11 +371,18 @@ export function bls(CURVE: CurveType): CurveFn {
   function pairingBatch(pairs: PairingInput[], withFinalExponent: boolean = true) {
     const res: MillerInput = [];
     // Cache precomputed toAffine for all points
-    G1.ProjectivePoint.normalizeZ(pairs.map(({ g1 }) => g1));
-    G2.ProjectivePoint.normalizeZ(pairs.map(({ g2 }) => g2));
+    normalizeZ(
+      G1.Point,
+      'pz',
+      pairs.map(({ g1 }) => g1)
+    );
+    normalizeZ(
+      G2.Point,
+      'pz',
+      pairs.map(({ g2 }) => g2)
+    );
     for (const { g1, g2 } of pairs) {
-      if (g1.equals(G1.ProjectivePoint.ZERO) || g2.equals(G2.ProjectivePoint.ZERO))
-        throw new Error('pairing is not available for ZERO point');
+      if (g1.is0() || g2.is0()) throw new Error('pairing is not available for ZERO point');
       // This uses toAffine inside
       g1.assertValidity();
       g2.assertValidity();
@@ -334,60 +396,154 @@ export function bls(CURVE: CurveType): CurveFn {
     return pairingBatch([{ g1: Q, g2: P }], withFinalExponent);
   }
 
+  const rand = CURVE.randomBytes || randomBytes;
+
   const utils = {
     randomPrivateKey: (): Uint8Array => {
       const length = getMinHashLength(Fr.ORDER);
-      return mapHashToField(CURVE.randomBytes(length), Fr.ORDER);
+      return mapHashToField(rand(length), Fr.ORDER);
     },
     calcPairingPrecomputes,
   };
 
-  const { ShortSignature } = CURVE.G1;
-  const { Signature } = CURVE.G2;
+  function aNonEmpty(arr: any[]) {
+    if (!Array.isArray(arr) || arr.length === 0) throw new Error('expected non-empty array');
+  }
 
   type G1Hex = Hex | G1;
   type G2Hex = Hex | G2;
   function normP1(point: G1Hex): G1 {
-    return point instanceof G1.ProjectivePoint ? (point as G1) : G1.ProjectivePoint.fromHex(point);
+    return point instanceof G1.Point ? (point as G1) : G1.Point.fromHex(point);
   }
+  function normP2(point: G2Hex): G2 {
+    return point instanceof G2.Point ? point : Signature.fromHex(point);
+  }
+
+  // TODO: add verifyBatch, fix types, Export Signature property,
+  // actually expose the generated APIs
+  function createBls<P, S>(PubCurve: any, SigCurve: any): BLSSigs<P, S> {
+    type PubPoint = ProjPointType<P>;
+    type SigPoint = ProjPointType<S>;
+    function normPub(point: PubPoint | BLSInput): PubPoint {
+      return point instanceof PubCurve.Point ? (point as PubPoint) : PubCurve.Point.fromHex(point);
+    }
+    function normSig(point: SigPoint | BLSInput): SigPoint {
+      return point instanceof SigCurve.Point ? (point as SigPoint) : SigCurve.Point.fromHex(point);
+    }
+    function amsg(m: unknown): SigPoint {
+      if (!(m instanceof SigCurve.Point))
+        throw new Error(`expected valid message hashed to ${isLongSigs ? 'G2' : 'G1'} curve`);
+      return m as any;
+    }
+
+    // TODO: is this always ok?
+    const isLongSigs = SigCurve.Point.Fp.BYTES > PubCurve.Point.Fp.BYTES;
+    return {
+      // P = pk x G
+      getPublicKey(privateKey: PrivKey): PubPoint {
+        return PubCurve.Point.fromPrivateKey(privateKey);
+      },
+      // S = pk x H(m)
+      sign(message: SigPoint, privateKey: PrivKey, unusedArg?: any): SigPoint {
+        if (unusedArg != null) throw new Error('sign() expects 2 arguments');
+        amsg(message).assertValidity();
+        return message.multiply(PubCurve.normPrivateKeyToScalar(privateKey));
+      },
+      // Checks if pairing of public key & hash is equal to pairing of generator & signature.
+      // e(P, H(m)) == e(G, S)
+      // e(S, G) == e(H(m), P)
+      verify(
+        signature: SigPoint | BLSInput,
+        message: SigPoint,
+        publicKey: PubPoint | BLSInput,
+        unusedArg?: any
+      ): boolean {
+        if (unusedArg != null) throw new Error('verify() expects 3 arguments');
+        signature = normSig(signature);
+        publicKey = normPub(publicKey);
+        const P = publicKey.negate();
+        const G = PubCurve.Point.BASE;
+        const Hm = amsg(message);
+        const S = signature;
+        // This code was changed in 1.9.x:
+        // Before it was G.negate() in G2, now it's always pubKey.negate
+        // TODO: understand if this is OK?
+        // prettier-ignore
+        const exp_ = isLongSigs ? [
+          { g1: P, g2: Hm },
+          { g1: G, g2: S }
+        ] : [
+          { g1: Hm, g2: P },
+          { g1: S, g2: G }
+        ];
+        // TODO
+        // @ts-ignore
+        const exp = pairingBatch(exp_);
+        return Fp12.eql(exp, Fp12.ONE);
+      },
+
+      // Adds a bunch of public key points together.
+      // pk1 + pk2 + pk3 = pkA
+      aggregatePublicKeys(publicKeys: (PubPoint | BLSInput)[]): PubPoint {
+        aNonEmpty(publicKeys);
+        publicKeys = publicKeys.map((pub) => normPub(pub));
+        const agg = publicKeys.reduce((sum, p) => sum.add(p), PubCurve.Point.ZERO);
+        agg.assertValidity();
+        return agg;
+      },
+
+      // Adds a bunch of signature points together.
+      // pk1 + pk2 + pk3 = pkA
+      aggregateSignatures(signatures: (SigPoint | BLSInput)[]): SigPoint {
+        aNonEmpty(signatures);
+        signatures = signatures.map((sig) => normSig(sig));
+        const agg = signatures.reduce((sum, s) => sum.add(s), SigCurve.Point.ZERO);
+        agg.assertValidity();
+        return agg;
+      },
+
+      hash(messageBytes: Uint8Array, DST?: string | Uint8Array): SigPoint {
+        abytes(messageBytes);
+        const opts = DST ? { DST } : undefined;
+        return SigCurve.hashToCurve(messageBytes, opts);
+      },
+
+      // @ts-ignore
+      Signature: isLongSigs ? CURVE.G2.Signature : CURVE.G1.ShortSignature,
+    };
+  }
+
+  const longSignatures = createBls<bigint, Fp2>(G1, G2);
+  const shortSignatures = createBls<Fp2, bigint>(G2, G1);
+
+  // LEGACY code
+  const { ShortSignature } = CURVE.G1;
+  const { Signature } = CURVE.G2;
+
   function normP1Hash(point: G1Hex, htfOpts?: htfBasicOpts): G1 {
-    return point instanceof G1.ProjectivePoint
+    return point instanceof G1.Point
       ? point
-      : (G1.hashToCurve(ensureBytes('point', point), htfOpts) as G1);
-  }
-  function normP2(point: G2Hex): G2 {
-    return point instanceof G2.ProjectivePoint ? point : Signature.fromHex(point);
+      : shortSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
   }
   function normP2Hash(point: G2Hex, htfOpts?: htfBasicOpts): G2 {
-    return point instanceof G2.ProjectivePoint
+    return point instanceof G2.Point
       ? point
-      : (G2.hashToCurve(ensureBytes('point', point), htfOpts) as G2);
+      : longSignatures.hash(ensureBytes('point', point), htfOpts?.DST);
   }
 
-  // Multiplies generator (G1) by private key.
-  // P = pk x G
   function getPublicKey(privateKey: PrivKey): Uint8Array {
-    return G1.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+    return longSignatures.getPublicKey(privateKey).toBytes(true);
   }
-
-  // Multiplies generator (G2) by private key.
-  // P = pk x G
   function getPublicKeyForShortSignatures(privateKey: PrivKey): Uint8Array {
-    return G2.ProjectivePoint.fromPrivateKey(privateKey).toRawBytes(true);
+    return shortSignatures.getPublicKey(privateKey).toBytes(true);
   }
-
-  // Executes `hashToCurve` on the message and then multiplies the result by private key.
-  // S = pk x H(m)
   function sign(message: Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array;
   function sign(message: G2, privateKey: PrivKey, htfOpts?: htfBasicOpts): G2;
   function sign(message: G2Hex, privateKey: PrivKey, htfOpts?: htfBasicOpts): Uint8Array | G2 {
-    const msgPoint = normP2Hash(message, htfOpts);
-    msgPoint.assertValidity();
-    const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
-    if (message instanceof G2.ProjectivePoint) return sigPoint;
-    return Signature.toRawBytes(sigPoint);
+    const Hm = normP2Hash(message, htfOpts);
+    const S = longSignatures.sign(Hm, privateKey);
+    return message instanceof G2.Point ? S : Signature.toBytes(S);
   }
-
   function signShortSignature(
     message: Hex,
     privateKey: PrivKey,
@@ -399,104 +555,52 @@ export function bls(CURVE: CurveType): CurveFn {
     privateKey: PrivKey,
     htfOpts?: htfBasicOpts
   ): Uint8Array | G1 {
-    const msgPoint = normP1Hash(message, htfOpts);
-    msgPoint.assertValidity();
-    const sigPoint = msgPoint.multiply(G1.normPrivateKeyToScalar(privateKey));
-    if (message instanceof G1.ProjectivePoint) return sigPoint;
-    return ShortSignature.toRawBytes(sigPoint);
+    const Hm = normP1Hash(message, htfOpts);
+    const S = shortSignatures.sign(Hm, privateKey);
+    return message instanceof G1.Point ? S : ShortSignature.toBytes(S);
   }
-
-  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
-  // e(P, H(m)) == e(G, S)
   function verify(
     signature: G2Hex,
     message: G2Hex,
     publicKey: G1Hex,
     htfOpts?: htfBasicOpts
   ): boolean {
-    const P = normP1(publicKey);
     const Hm = normP2Hash(message, htfOpts);
-    const G = G1.ProjectivePoint.BASE;
-    const S = normP2(signature);
-    const exp = pairingBatch([
-      { g1: P.negate(), g2: Hm }, // ePHM = pairing(P.negate(), Hm, false);
-      { g1: G, g2: S }, // eGS = pairing(G, S, false);
-    ]);
-    return Fp12.eql(exp, Fp12.ONE);
+    return longSignatures.verify(signature, Hm, publicKey);
   }
-
-  // Checks if pairing of public key & hash is equal to pairing of generator & signature.
-  // e(S, G) == e(H(m), P)
   function verifyShortSignature(
     signature: G1Hex,
     message: G1Hex,
     publicKey: G2Hex,
     htfOpts?: htfBasicOpts
   ): boolean {
-    const P = normP2(publicKey);
     const Hm = normP1Hash(message, htfOpts);
-    const G = G2.ProjectivePoint.BASE;
-    const S = normP1(signature);
-    const exp = pairingBatch([
-      { g1: Hm, g2: P }, // eHmP = pairing(Hm, P, false);
-      { g1: S, g2: G.negate() }, // eSG = pairing(S, G.negate(), false);
-    ]);
-    return Fp12.eql(exp, Fp12.ONE);
-  }
-
-  function aNonEmpty(arr: any[]) {
-    if (!Array.isArray(arr) || arr.length === 0) throw new Error('expected non-empty array');
+    return shortSignatures.verify(signature, Hm, publicKey);
   }
-
-  // Adds a bunch of public key points together.
-  // pk1 + pk2 + pk3 = pkA
   function aggregatePublicKeys(publicKeys: Hex[]): Uint8Array;
   function aggregatePublicKeys(publicKeys: G1[]): G1;
   function aggregatePublicKeys(publicKeys: G1Hex[]): Uint8Array | G1 {
-    aNonEmpty(publicKeys);
-    const agg = publicKeys.map(normP1).reduce((sum, p) => sum.add(p), G1.ProjectivePoint.ZERO);
-    const aggAffine = agg; //.toAffine();
-    if (publicKeys[0] instanceof G1.ProjectivePoint) {
-      aggAffine.assertValidity();
-      return aggAffine;
-    }
-    // toRawBytes ensures point validity
-    return aggAffine.toRawBytes(true);
+    const agg = longSignatures.aggregatePublicKeys(publicKeys);
+    return publicKeys[0] instanceof G1.Point ? agg : agg.toBytes(true);
   }
-
-  // Adds a bunch of signature points together.
   function aggregateSignatures(signatures: Hex[]): Uint8Array;
   function aggregateSignatures(signatures: G2[]): G2;
   function aggregateSignatures(signatures: G2Hex[]): Uint8Array | G2 {
-    aNonEmpty(signatures);
-    const agg = signatures.map(normP2).reduce((sum, s) => sum.add(s), G2.ProjectivePoint.ZERO);
-    const aggAffine = agg; //.toAffine();
-    if (signatures[0] instanceof G2.ProjectivePoint) {
-      aggAffine.assertValidity();
-      return aggAffine;
-    }
-    return Signature.toRawBytes(aggAffine);
+    const agg = longSignatures.aggregateSignatures(signatures);
+    return signatures[0] instanceof G2.Point ? agg : Signature.toBytes(agg);
   }
-
-  // Adds a bunch of signature points together.
   function aggregateShortSignatures(signatures: Hex[]): Uint8Array;
   function aggregateShortSignatures(signatures: G1[]): G1;
   function aggregateShortSignatures(signatures: G1Hex[]): Uint8Array | G1 {
-    aNonEmpty(signatures);
-    const agg = signatures.map(normP1).reduce((sum, s) => sum.add(s), G1.ProjectivePoint.ZERO);
-    const aggAffine = agg; //.toAffine();
-    if (signatures[0] instanceof G1.ProjectivePoint) {
-      aggAffine.assertValidity();
-      return aggAffine;
-    }
-    return ShortSignature.toRawBytes(aggAffine);
+    const agg = shortSignatures.aggregateSignatures(signatures);
+    return signatures[0] instanceof G1.Point ? agg : ShortSignature.toBytes(agg);
   }
 
   // https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407
   // e(G, S) = e(G, SUM(n)(Si)) = MUL(n)(e(G, Si))
+  // TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
   function verifyBatch(
     signature: G2Hex,
-    // TODO: maybe `{message: G2Hex, publicKey: G1Hex}[]` instead?
     messages: G2Hex[],
     publicKeys: G1Hex[],
     htfOpts?: htfBasicOpts
@@ -525,33 +629,27 @@ export function bls(CURVE: CurveType): CurveFn {
         const groupPublicKey = keys.reduce((acc, msg) => acc.add(msg));
         paired.push({ g1: groupPublicKey, g2: msg });
       }
-      paired.push({ g1: G1.ProjectivePoint.BASE.negate(), g2: sig });
+      paired.push({ g1: G1.Point.BASE.negate(), g2: sig });
       return Fp12.eql(pairingBatch(paired), Fp12.ONE);
     } catch {
       return false;
     }
   }
 
-  G1.ProjectivePoint.BASE._setWindowSize(4);
+  G1.Point.BASE.precompute(4);
 
   return {
-    getPublicKey,
-    getPublicKeyForShortSignatures,
-    sign,
-    signShortSignature,
-    verify,
-    verifyBatch,
-    verifyShortSignature,
-    aggregatePublicKeys,
-    aggregateSignatures,
-    aggregateShortSignatures,
+    longSignatures,
+    shortSignatures,
     millerLoopBatch,
     pairing,
     pairingBatch,
-    G1,
-    G2,
-    Signature,
-    ShortSignature,
+    // TODO!!!
+    verifyBatch,
+    curves: {
+      G1: G1_.Point,
+      G2: G2_.Point,
+    },
     fields: {
       Fr,
       Fp,
@@ -561,10 +659,27 @@ export function bls(CURVE: CurveType): CurveFn {
     },
     params: {
       ateLoopSize: CURVE.params.ateLoopSize,
+      twistType: CURVE.params.twistType,
+      // deprecated
       r: CURVE.params.r,
       G1b: CURVE.G1.b,
       G2b: CURVE.G2.b,
     },
     utils,
+
+    // deprecated
+    getPublicKey,
+    getPublicKeyForShortSignatures,
+    sign,
+    signShortSignature,
+    verify,
+    verifyShortSignature,
+    aggregatePublicKeys,
+    aggregateSignatures,
+    aggregateShortSignatures,
+    G1,
+    G2,
+    Signature,
+    ShortSignature,
   };
 }