@noble/curves 1.9.0 → 1.9.2

package/src/abstract/montgomery.ts

@@ -5,29 +5,26 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { Field, mod } from './modular.ts';
 import {
+  _validateObject,
   aInRange,
   bytesToNumberLE,
   ensureBytes,
   numberToBytesLE,
-  validateObject,
-} from './utils.ts';
+  randomBytes,
+} from '../utils.ts';
+import { mod } from './modular.ts';
 
 const _0n = BigInt(0);
 const _1n = BigInt(1);
+const _2n = BigInt(2);
 type Hex = string | Uint8Array;
 
 export type CurveType = {
   P: bigint; // finite field prime
-  nByteLength: number;
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
-  a: bigint;
-  montgomeryBits: number;
-  powPminus2?: (x: bigint) => bigint;
-  xyToU?: (x: bigint, y: bigint) => bigint;
-  Gu: bigint;
+  type: 'x25519' | 'x448';
+  adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
+  powPminus2: (x: bigint) => bigint;
   randomBytes?: (bytesLength?: number) => Uint8Array;
 };
 
@@ -41,67 +38,88 @@ export type CurveFn = {
 };
 
 function validateOpts(curve: CurveType) {
-  validateObject(
-    curve,
-    {
-      a: 'bigint',
-    },
-    {
-      montgomeryBits: 'isSafeInteger',
-      nByteLength: 'isSafeInteger',
-      adjustScalarBytes: 'function',
-      domain: 'function',
-      powPminus2: 'function',
-      Gu: 'bigint',
-    }
-  );
-  // Set defaults
+  _validateObject(curve, {
+    adjustScalarBytes: 'function',
+    powPminus2: 'function',
+  });
   return Object.freeze({ ...curve } as const);
 }
 
-// Uses only one coordinate instead of two
 export function montgomery(curveDef: CurveType): CurveFn {
   const CURVE = validateOpts(curveDef);
-  const { P } = CURVE;
-  const Fp = Field(P);
+  const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
+  const is25519 = type === 'x25519';
+  if (!is25519 && type !== 'x448') throw new Error('invalid type');
+  const randomBytes_ = rand || randomBytes;
+
+  const montgomeryBits = is25519 ? 255 : 448;
+  const fieldLen = is25519 ? 32 : 56;
+  const Gu = is25519 ? BigInt(9) : BigInt(5);
+  // RFC 7748 #5:
+  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
+  // (156326 - 2) / 4 = 39081 for curve448/X448
+  // const a = is25519 ? 156326n : 486662n;
+  const a24 = is25519 ? BigInt(121665) : BigInt(39081);
+  // RFC: x25519 "the resulting integer is of the form 2^254 plus
+  // eight times a value between 0 and 2^251 - 1 (inclusive)"
+  // x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
+  const minScalar = is25519 ? _2n ** BigInt(254) : _2n ** BigInt(447);
+  const maxAdded = is25519
+    ? BigInt(8) * _2n ** BigInt(251) - _1n
+    : BigInt(4) * _2n ** BigInt(445) - _1n;
+  const maxScalar = minScalar + maxAdded + _1n; // (inclusive)
   const modP = (n: bigint) => mod(n, P);
-  const montgomeryBits = CURVE.montgomeryBits;
-  const montgomeryBytes = Math.ceil(montgomeryBits / 8);
-  const fieldLen = CURVE.nByteLength;
-  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
-  const powPminus2 = CURVE.powPminus2 || ((x: bigint) => Fp.pow(x, P - BigInt(2)));
+  const GuBytes = encodeU(Gu);
+  function encodeU(u: bigint): Uint8Array {
+    return numberToBytesLE(modP(u), fieldLen);
+  }
+  function decodeU(u: Hex): bigint {
+    const _u = ensureBytes('u coordinate', u, fieldLen);
+    // RFC: When receiving such an array, implementations of X25519
+    // (but not X448) MUST mask the most significant bit in the final byte.
+    if (is25519) _u[31] &= 127; // 0b0111_1111
+    // RFC: Implementations MUST accept non-canonical values and process them as
+    // if they had been reduced modulo the field prime.  The non-canonical
+    // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
+    // - 1 through 2^448 - 1 for X448.
+    return modP(bytesToNumberLE(_u));
+  }
+  function decodeScalar(scalar: Hex): bigint {
+    return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
+  }
+  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
+    const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
+    // Some public keys are useless, of low-order. Curve author doesn't think
+    // it needs to be validated, but we do it nonetheless.
+    // https://cr.yp.to/ecdh.html#validate
+    if (pu === _0n) throw new Error('invalid private or public key received');
+    return encodeU(pu);
+  }
+  // Computes public key from private. By doing scalar multiplication of base point.
+  function scalarMultBase(scalar: Hex): Uint8Array {
+    return scalarMult(scalar, GuBytes);
+  }
 
-  // cswap from RFC7748. But it is not from RFC7748!
-  /*
-    cswap(swap, x_2, x_3):
-         dummy = mask(swap) AND (x_2 XOR x_3)
-         x_2 = x_2 XOR dummy
-         x_3 = x_3 XOR dummy
-         Return (x_2, x_3)
-  Where mask(swap) is the all-1 or all-0 word of the same length as x_2
-   and x_3, computed, e.g., as mask(swap) = 0 - swap.
-  */
-  function cswap(swap: bigint, x_2: bigint, x_3: bigint): [bigint, bigint] {
+  // cswap from RFC7748 "example code"
+  function cswap(swap: bigint, x_2: bigint, x_3: bigint): { x_2: bigint; x_3: bigint } {
+    // dummy = mask(swap) AND (x_2 XOR x_3)
+    // Where mask(swap) is the all-1 or all-0 word of the same length as x_2
+    // and x_3, computed, e.g., as mask(swap) = 0 - swap.
     const dummy = modP(swap * (x_2 - x_3));
-    x_2 = modP(x_2 - dummy);
-    x_3 = modP(x_3 + dummy);
-    return [x_2, x_3];
+    x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
+    x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
+    return { x_2, x_3 };
   }
 
-  // x25519 from 4
-  // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
-  const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
   /**
-   *
+   * Montgomery x-only multiplication ladder.
    * @param pointU u coordinate (x) on Montgomery Curve 25519
    * @param scalar by which the point would be multiplied
    * @returns new Point on Montgomery curve
    */
   function montgomeryLadder(u: bigint, scalar: bigint): bigint {
     aInRange('u', u, _0n, P);
-    aInRange('scalar', scalar, _0n, P);
-    // Section 5: Implementations MUST accept non-canonical values and process them as
-    // if they had been reduced modulo the field prime.
+    aInRange('scalar', scalar, minScalar, maxScalar);
     const k = scalar;
     const x_1 = u;
     let x_2 = _1n;
@@ -109,16 +127,11 @@ export function montgomery(curveDef: CurveType): CurveFn {
     let x_3 = u;
     let z_3 = _1n;
     let swap = _0n;
-    let sw: [bigint, bigint];
     for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
       const k_t = (k >> t) & _1n;
       swap ^= k_t;
-      sw = cswap(swap, x_2, x_3);
-      x_2 = sw[0];
-      x_3 = sw[1];
-      sw = cswap(swap, z_2, z_3);
-      z_2 = sw[0];
-      z_3 = sw[1];
+      ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+      ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
       swap = k_t;
 
       const A = x_2 + z_2;
@@ -137,53 +150,10 @@ export function montgomery(curveDef: CurveType): CurveFn {
       x_2 = modP(AA * BB);
       z_2 = modP(E * (AA + modP(a24 * E)));
     }
-    // (x_2, x_3) = cswap(swap, x_2, x_3)
-    sw = cswap(swap, x_2, x_3);
-    x_2 = sw[0];
-    x_3 = sw[1];
-    // (z_2, z_3) = cswap(swap, z_2, z_3)
-    sw = cswap(swap, z_2, z_3);
-    z_2 = sw[0];
-    z_3 = sw[1];
-    // z_2^(p - 2)
-    const z2 = powPminus2(z_2);
-    // Return x_2 * (z_2^(p - 2))
-    return modP(x_2 * z2);
-  }
-
-  function encodeUCoordinate(u: bigint): Uint8Array {
-    return numberToBytesLE(modP(u), montgomeryBytes);
-  }
-
-  function decodeUCoordinate(uEnc: Hex): bigint {
-    // Section 5: When receiving such an array, implementations of X25519
-    // MUST mask the most significant bit in the final byte.
-    const u = ensureBytes('u coordinate', uEnc, montgomeryBytes);
-    if (fieldLen === 32) u[31] &= 127; // 0b0111_1111
-    return bytesToNumberLE(u);
-  }
-  function decodeScalar(n: Hex): bigint {
-    const bytes = ensureBytes('scalar', n);
-    const len = bytes.length;
-    if (len !== montgomeryBytes && len !== fieldLen) {
-      let valid = '' + montgomeryBytes + ' or ' + fieldLen;
-      throw new Error('invalid scalar, expected ' + valid + ' bytes, got ' + len);
-    }
-    return bytesToNumberLE(adjustScalarBytes(bytes));
-  }
-  function scalarMult(scalar: Hex, u: Hex): Uint8Array {
-    const pointU = decodeUCoordinate(u);
-    const _scalar = decodeScalar(scalar);
-    const pu = montgomeryLadder(pointU, _scalar);
-    // The result was not contributory
-    // https://cr.yp.to/ecdh.html#validate
-    if (pu === _0n) throw new Error('invalid private or public key received');
-    return encodeUCoordinate(pu);
-  }
-  // Computes public key from private. By doing scalar multiplication of base point.
-  const GuBytes = encodeUCoordinate(CURVE.Gu);
-  function scalarMultBase(scalar: Hex): Uint8Array {
-    return scalarMult(scalar, GuBytes);
+    ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+    ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+    const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
+    return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
   }
 
   return {
@@ -191,7 +161,7 @@ export function montgomery(curveDef: CurveType): CurveFn {
     scalarMultBase,
     getSharedSecret: (privateKey: Hex, publicKey: Hex) => scalarMult(privateKey, publicKey),
     getPublicKey: (privateKey: Hex): Uint8Array => scalarMultBase(privateKey),
-    utils: { randomPrivateKey: () => CURVE.randomBytes!(CURVE.nByteLength) },
-    GuBytes: GuBytes,
+    utils: { randomPrivateKey: () => randomBytes_(fieldLen) },
+    GuBytes: GuBytes.slice(),
   };
 }

package/src/abstract/poseidon.ts

@@ -7,8 +7,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { _validateObject, bitGet } from '../utils.ts';
 import { FpInvertBatch, FpPow, type IField, validateField } from './modular.ts';
-import { bitGet } from './utils.ts';
 
 // Grain LFSR (Linear-Feedback Shift Register): https://eprint.iacr.org/2009/109.pdf
 function grainLFSR(state: number[]): () => boolean {
@@ -41,20 +41,28 @@ export type PoseidonBasicOpts = {
   isSboxInverse?: boolean;
 };
 
-function validateBasicOpts(opts: PoseidonBasicOpts) {
+function assertValidPosOpts(opts: PoseidonBasicOpts) {
   const { Fp, roundsFull } = opts;
   validateField(Fp);
+  _validateObject(
+    opts,
+    {
+      t: 'number',
+      roundsFull: 'number',
+      roundsPartial: 'number',
+    },
+    {
+      isSboxInverse: 'boolean',
+    }
+  );
   for (const i of ['t', 'roundsFull', 'roundsPartial'] as const) {
-    if (typeof opts[i] !== 'number' || !Number.isSafeInteger(opts[i]))
-      throw new Error('invalid number ' + i);
+    if (!Number.isSafeInteger(opts[i]) || opts[i] < 1) throw new Error('invalid number ' + i);
   }
-  if (opts.isSboxInverse !== undefined && typeof opts.isSboxInverse !== 'boolean')
-    throw new Error(`Poseidon: invalid param isSboxInverse=${opts.isSboxInverse}`);
   if (roundsFull & 1) throw new Error('roundsFull is not even' + roundsFull);
 }
 
 function poseidonGrain(opts: PoseidonBasicOpts) {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp } = opts;
   const state = Array(80).fill(1);
   let pos = 0;
@@ -140,7 +148,7 @@ export function validateOpts(opts: PoseidonOpts): Readonly<{
   sboxPower?: number;
   reversePartialPowIdx?: boolean; // Hack for stark
 }> {
-  validateBasicOpts(opts);
+  assertValidPosOpts(opts);
   const { Fp, mds, reversePartialPowIdx: rev, roundConstants: rc } = opts;
   const { roundsFull, roundsPartial, sboxPower, t } = opts;
 
@@ -196,12 +204,13 @@ export function splitConstants(rc: bigint[], t: number): bigint[][] {
   return res;
 }
 
-/** Poseidon NTT-friendly hash. */
-export function poseidon(opts: PoseidonOpts): {
+export type PoseidonFn = {
   (values: bigint[]): bigint[];
   // For verification in tests
   roundConstants: bigint[][];
-} {
+};
+/** Poseidon NTT-friendly hash. */
+export function poseidon(opts: PoseidonOpts): PoseidonFn {
   const _opts = validateOpts(opts);
   const { Fp, mds, roundConstants, rounds: totalRounds, roundsPartial, sboxFn, t } = _opts;
   const halfRoundsFull = _opts.roundsFull / 2;
@@ -242,17 +251,12 @@ export class PoseidonSponge {
   private Fp: IField<bigint>;
   readonly rate: number;
   readonly capacity: number;
-  readonly hash: ReturnType<typeof poseidon>;
+  readonly hash: PoseidonFn;
   private state: bigint[]; // [...capacity, ...rate]
   private pos = 0;
   private isAbsorbing = true;
 
-  constructor(
-    Fp: IField<bigint>,
-    rate: number,
-    capacity: number,
-    hash: ReturnType<typeof poseidon>
-  ) {
+  constructor(Fp: IField<bigint>, rate: number, capacity: number, hash: PoseidonFn) {
     this.Fp = Fp;
     this.hash = hash;
     this.rate = rate;

package/src/abstract/tower.ts

@@ -10,8 +10,8 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+import { bitLen, bitMask, concatBytes, notImplemented } from '../utils.ts';
 import * as mod from './modular.ts';
-import { bitLen, bitMask, concatBytes, notImplemented } from './utils.ts';
 import type { ProjConstructor, ProjPointType } from './weierstrass.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
@@ -34,19 +34,33 @@ export type BigintTwelve = [
 ];
 
 export type Fp2Bls = mod.IField<Fp2> & {
-  reim: (num: Fp2) => { re: Fp; im: Fp };
-  mulByB: (num: Fp2) => Fp2;
   frobeniusMap(num: Fp2, power: number): Fp2;
   fromBigTuple(num: [bigint, bigint]): Fp2;
+  mulByB: (num: Fp2) => Fp2;
+  mulByNonresidue: (num: Fp2) => Fp2;
+  reim: (num: Fp2) => { re: Fp; im: Fp };
+  NONRESIDUE: Fp2;
+};
+
+export type Fp6Bls = mod.IField<Fp6> & {
+  frobeniusMap(num: Fp6, power: number): Fp6;
+  fromBigSix: (tuple: BigintSix) => Fp6;
+  mul1(num: Fp6, b1: Fp2): Fp6;
+  mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
+  mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
+  mulByNonresidue: (num: Fp6) => Fp6;
 };
 
 export type Fp12Bls = mod.IField<Fp12> & {
   frobeniusMap(num: Fp12, power: number): Fp12;
+  fromBigTwelve: (t: BigintTwelve) => Fp12;
   mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
   mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
+  mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
   conjugate(num: Fp12): Fp12;
   finalExponentiate(num: Fp12): Fp12;
-  fromBigTwelve(num: BigintTwelve): Fp12;
+  _cyclotomicSquare(num: Fp12): Fp12;
+  _cyclotomicExp(num: Fp12, n: bigint): Fp12;
 };
 
 function calcFrobeniusCoefficients<T>(
@@ -88,7 +102,7 @@ export function psiFrobenius(
   PSI2_X: Fp2;
   PSI2_Y: Fp2;
 } {
-  // Ψ endomorphism
+  // GLV endomorphism Ψ(P)
   const PSI_X = Fp2.pow(base, (Fp.ORDER - _1n) / _3n); // u^((p-1)/3)
   const PSI_Y = Fp2.pow(base, (Fp.ORDER - _1n) / _2n); // u^((p-1)/2)
   function psi(x: Fp2, y: Fp2): [Fp2, Fp2] {
@@ -134,34 +148,10 @@ export type Tower12Opts = {
 
 export function tower12(opts: Tower12Opts): {
   Fp: Readonly<mod.IField<bigint> & Required<Pick<mod.IField<bigint>, 'isOdd'>>>;
-  Fp2: mod.IField<Fp2> & {
-    NONRESIDUE: Fp2;
-    fromBigTuple: (tuple: BigintTuple | bigint[]) => Fp2;
-    reim: (num: Fp2) => { re: bigint; im: bigint };
-    mulByNonresidue: (num: Fp2) => Fp2;
-    mulByB: (num: Fp2) => Fp2;
-    frobeniusMap(num: Fp2, power: number): Fp2;
-  };
-  Fp6: mod.IField<Fp6> & {
-    fromBigSix: (tuple: BigintSix) => Fp6;
-    mulByNonresidue: (num: Fp6) => Fp6;
-    frobeniusMap(num: Fp6, power: number): Fp6;
-    mul1(num: Fp6, b1: Fp2): Fp6;
-    mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
-    mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
-  };
+  Fp2: Fp2Bls;
+  Fp6: Fp6Bls;
+  Fp12: Fp12Bls;
   Fp4Square: (a: Fp2, b: Fp2) => { first: Fp2; second: Fp2 };
-  Fp12: mod.IField<Fp12> & {
-    fromBigTwelve: (t: BigintTwelve) => Fp12;
-    frobeniusMap(num: Fp12, power: number): Fp12;
-    mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
-    mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
-    mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
-    conjugate(num: Fp12): Fp12;
-    finalExponentiate(num: Fp12): Fp12;
-    _cyclotomicSquare(num: Fp12): Fp12;
-    _cyclotomicExp(num: Fp12, n: bigint): Fp12;
-  };
 } {
   const { ORDER } = opts;
   // Fp
@@ -196,23 +186,19 @@ export function tower12(opts: Tower12Opts): {
     const c = Fp.add(c0, c0);
     return { c0: Fp.mul(a, b), c1: Fp.mul(c, c1) };
   };
-  type Fp2Utils = {
-    NONRESIDUE: Fp2;
-    fromBigTuple: (tuple: BigintTuple | bigint[]) => Fp2;
-    reim: (num: Fp2) => { re: bigint; im: bigint };
-    mulByNonresidue: (num: Fp2) => Fp2;
-    mulByB: (num: Fp2) => Fp2;
-    frobeniusMap(num: Fp2, power: number): Fp2;
-  };
   const Fp2fromBigTuple = (tuple: BigintTuple | bigint[]) => {
     if (tuple.length !== 2) throw new Error('invalid tuple');
     const fps = tuple.map((n) => Fp.create(n)) as [Fp, Fp];
     return { c0: fps[0], c1: fps[1] };
   };
 
+  function isValidC(num: bigint, ORDER: bigint) {
+    return typeof num === 'bigint' && _0n <= num && num < ORDER;
+  }
+
   const FP2_ORDER = ORDER * ORDER;
   const Fp2Nonresidue = Fp2fromBigTuple(opts.FP2_NONRESIDUE);
-  const Fp2: mod.IField<Fp2> & Fp2Utils = {
+  const Fp2: Fp2Bls = {
     ORDER: FP2_ORDER,
     isLE: Fp.isLE,
     NONRESIDUE: Fp2Nonresidue,
@@ -222,8 +208,9 @@ export function tower12(opts: Tower12Opts): {
     ZERO: { c0: Fp.ZERO, c1: Fp.ZERO },
     ONE: { c0: Fp.ONE, c1: Fp.ZERO },
     create: (num) => num,
-    isValid: ({ c0, c1 }) => typeof c0 === 'bigint' && typeof c1 === 'bigint',
+    isValid: ({ c0, c1 }) => isValidC(c0, FP2_ORDER) && isValidC(c1, FP2_ORDER),
     is0: ({ c0, c1 }) => Fp.is0(c0) && Fp.is0(c1),
+    isValidNot0: (num) => !Fp2.is0(num) && Fp2.isValid(num),
     eql: ({ c0, c1 }: Fp2, { c0: r0, c1: r1 }: Fp2) => Fp.eql(c0, r0) && Fp.eql(c1, r1),
     neg: ({ c0, c1 }) => ({ c0: Fp.neg(c0), c1: Fp.neg(c1) }),
     pow: (num, power) => mod.FpPow(Fp2, num, power),
@@ -361,15 +348,6 @@ export function tower12(opts: Tower12Opts): {
       c2: Fp2.sub(Fp2.sub(Fp2.add(Fp2.add(t1, Fp2.sqr(Fp2.add(Fp2.sub(c0, c1), c2))), t3), t0), t4),
     };
   };
-  type Fp6Utils = {
-    fromBigSix: (tuple: BigintSix) => Fp6;
-    mulByNonresidue: (num: Fp6) => Fp6;
-    frobeniusMap(num: Fp6, power: number): Fp6;
-    mul1(num: Fp6, b1: Fp2): Fp6;
-    mul01(num: Fp6, b0: Fp2, b1: Fp2): Fp6;
-    mulByFp2(lhs: Fp6, rhs: Fp2): Fp6;
-  };
-
   const [FP6_FROBENIUS_COEFFICIENTS_1, FP6_FROBENIUS_COEFFICIENTS_2] = calcFrobeniusCoefficients(
     Fp2,
     Fp2Nonresidue,
@@ -379,7 +357,7 @@ export function tower12(opts: Tower12Opts): {
     3
   );
 
-  const Fp6: mod.IField<Fp6> & Fp6Utils = {
+  const Fp6: Fp6Bls = {
     ORDER: Fp2.ORDER, // TODO: unused, but need to verify
     isLE: Fp2.isLE,
     BITS: 3 * Fp2.BITS,
@@ -390,6 +368,7 @@ export function tower12(opts: Tower12Opts): {
     create: (num) => num,
     isValid: ({ c0, c1, c2 }) => Fp2.isValid(c0) && Fp2.isValid(c1) && Fp2.isValid(c2),
     is0: ({ c0, c1, c2 }) => Fp2.is0(c0) && Fp2.is0(c1) && Fp2.is0(c2),
+    isValidNot0: (num) => !Fp6.is0(num) && Fp6.isValid(num),
     neg: ({ c0, c1, c2 }) => ({ c0: Fp2.neg(c0), c1: Fp2.neg(c1), c2: Fp2.neg(c2) }),
     eql: ({ c0, c1, c2 }, { c0: r0, c1: r1, c2: r2 }) =>
       Fp2.eql(c0, r0) && Fp2.eql(c1, r1) && Fp2.eql(c2, r2),
@@ -439,9 +418,9 @@ export function tower12(opts: Tower12Opts): {
     fromBigSix: (t: BigintSix): Fp6 => {
       if (!Array.isArray(t) || t.length !== 6) throw new Error('invalid Fp6 usage');
       return {
-        c0: Fp2.fromBigTuple(t.slice(0, 2)),
-        c1: Fp2.fromBigTuple(t.slice(2, 4)),
-        c2: Fp2.fromBigTuple(t.slice(4, 6)),
+        c0: Fp2.fromBigTuple(t.slice(0, 2) as BigintTuple),
+        c1: Fp2.fromBigTuple(t.slice(2, 4) as BigintTuple),
+        c2: Fp2.fromBigTuple(t.slice(4, 6) as BigintTuple),
       };
     },
     frobeniusMap: ({ c0, c1, c2 }, power: number) => ({
@@ -524,19 +503,8 @@ export function tower12(opts: Tower12Opts): {
       second: Fp2.sub(Fp2.sub(Fp2.sqr(Fp2.add(a, b)), a2), b2), // (a + b)² - a² - b²
     };
   }
-  type Fp12Utils = {
-    fromBigTwelve: (t: BigintTwelve) => Fp12;
-    frobeniusMap(num: Fp12, power: number): Fp12;
-    mul014(num: Fp12, o0: Fp2, o1: Fp2, o4: Fp2): Fp12;
-    mul034(num: Fp12, o0: Fp2, o3: Fp2, o4: Fp2): Fp12;
-    mulByFp2(lhs: Fp12, rhs: Fp2): Fp12;
-    conjugate(num: Fp12): Fp12;
-    finalExponentiate(num: Fp12): Fp12;
-    _cyclotomicSquare(num: Fp12): Fp12;
-    _cyclotomicExp(num: Fp12, n: bigint): Fp12;
-  };
 
-  const Fp12: mod.IField<Fp12> & Fp12Utils = {
+  const Fp12: Fp12Bls = {
     ORDER: Fp2.ORDER, // TODO: unused, but need to verify
     isLE: Fp6.isLE,
     BITS: 2 * Fp6.BITS,
@@ -547,6 +515,7 @@ export function tower12(opts: Tower12Opts): {
     create: (num) => num,
     isValid: ({ c0, c1 }) => Fp6.isValid(c0) && Fp6.isValid(c1),
     is0: ({ c0, c1 }) => Fp6.is0(c0) && Fp6.is0(c1),
+    isValidNot0: (num) => !Fp12.is0(num) && Fp12.isValid(num),
     neg: ({ c0, c1 }) => ({ c0: Fp6.neg(c0), c1: Fp6.neg(c1) }),
     eql: ({ c0, c1 }, { c0: r0, c1: r1 }) => Fp6.eql(c0, r0) && Fp6.eql(c1, r1),
     sqrt: notImplemented,
@@ -646,5 +615,5 @@ export function tower12(opts: Tower12Opts): {
     finalExponentiate: opts.Fp12finalExponentiate,
   };
 
-  return { Fp, Fp2, Fp6, Fp4Square, Fp12 };
+  return { Fp, Fp2, Fp6, Fp12, Fp4Square };
 }