@noble/curves 1.9.5 → 1.9.7

package/src/abstract/utils.ts

@@ -1,7 +1,80 @@
 /**
+ * Deprecated module: moved from curves/abstract/utils.js to curves/utils.js
  * @module
  */
-export * from '../utils.ts';
+import * as u from '../utils.ts';
 
-// TODO
-// @deprecated use `@noble/curves/utils.js`
+/** @deprecated moved to `@noble/curves/utils.js` */
+export type Hex = u.Hex;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export type PrivKey = u.PrivKey;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export type CHash = u.CHash;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export type FHash = u.FHash;
+
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const abytes: typeof u.abytes = u.abytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const anumber: typeof u.anumber = u.anumber;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bytesToHex: typeof u.bytesToHex = u.bytesToHex;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bytesToUtf8: typeof u.bytesToUtf8 = u.bytesToUtf8;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const concatBytes: typeof u.concatBytes = u.concatBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const hexToBytes: typeof u.hexToBytes = u.hexToBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const isBytes: typeof u.isBytes = u.isBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const randomBytes: typeof u.randomBytes = u.randomBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const utf8ToBytes: typeof u.utf8ToBytes = u.utf8ToBytes;
+
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const abool: typeof u.abool = u.abool;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const numberToHexUnpadded: typeof u.numberToHexUnpadded = u.numberToHexUnpadded;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const hexToNumber: typeof u.hexToNumber = u.hexToNumber;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bytesToNumberBE: typeof u.bytesToNumberBE = u.bytesToNumberBE;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bytesToNumberLE: typeof u.bytesToNumberLE = u.bytesToNumberLE;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const numberToBytesBE: typeof u.numberToBytesBE = u.numberToBytesBE;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const numberToBytesLE: typeof u.numberToBytesLE = u.numberToBytesLE;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const numberToVarBytesBE: typeof u.numberToVarBytesBE = u.numberToVarBytesBE;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const ensureBytes: typeof u.ensureBytes = u.ensureBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const equalBytes: typeof u.equalBytes = u.equalBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const copyBytes: typeof u.copyBytes = u.copyBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const asciiToBytes: typeof u.asciiToBytes = u.asciiToBytes;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const inRange: typeof u.inRange = u.inRange;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const aInRange: typeof u.aInRange = u.aInRange;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bitLen: typeof u.bitLen = u.bitLen;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bitGet: typeof u.bitGet = u.bitGet;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bitSet: typeof u.bitSet = u.bitSet;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const bitMask: typeof u.bitMask = u.bitMask;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const createHmacDrbg: typeof u.createHmacDrbg = u.createHmacDrbg;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const notImplemented: typeof u.notImplemented = u.notImplemented;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const memoized: typeof u.memoized = u.memoized;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const validateObject: typeof u.validateObject = u.validateObject;
+/** @deprecated moved to `@noble/curves/utils.js` */
+export const isHash: typeof u.isHash = u.isHash;

package/src/abstract/weierstrass.ts

@@ -44,7 +44,7 @@ import {
   isBytes,
   memoized,
   numberToHexUnpadded,
-  randomBytes as wcRandomBytes,
+  randomBytes as randomBytesWeb,
   type CHash,
   type Hex,
   type PrivKey,
@@ -531,7 +531,7 @@ export function weierstrassN<T>(
   }
   function pointFromBytes(bytes: Uint8Array) {
     abytes(bytes, undefined, 'Point');
-    const { public: comp, publicUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
+    const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
     const length = bytes.length;
     const head = bytes[0];
     const tail = bytes.subarray(1);
@@ -988,6 +988,7 @@ export function weierstrassN<T>(
   }
   const bits = Fn.BITS;
   const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
+  Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
   return Point;
 }
 
@@ -1171,9 +1172,9 @@ export function mapToCurveSimpleSWU<T>(
 
 function getWLengths<T>(Fp: IField<T>, Fn: IField<bigint>) {
   return {
-    secret: Fn.BYTES,
-    public: 1 + Fp.BYTES,
-    publicUncompressed: 1 + 2 * Fp.BYTES,
+    secretKey: Fn.BYTES,
+    publicKey: 1 + Fp.BYTES,
+    publicKeyUncompressed: 1 + 2 * Fp.BYTES,
     publicKeyHasPrefix: true,
     signature: 2 * Fn.BYTES,
   };
@@ -1188,7 +1189,7 @@ export function ecdh(
   ecdhOpts: { randomBytes?: (bytesLength?: number) => Uint8Array } = {}
 ): ECDH {
   const { Fn } = Point;
-  const randomBytes_ = ecdhOpts.randomBytes || wcRandomBytes;
+  const randomBytes_ = ecdhOpts.randomBytes || randomBytesWeb;
   const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
 
   function isValidSecretKey(secretKey: PrivKey) {
@@ -1200,11 +1201,11 @@ export function ecdh(
   }
 
   function isValidPublicKey(publicKey: Uint8Array, isCompressed?: boolean): boolean {
-    const { public: comp, publicUncompressed } = lengths;
+    const { publicKey: comp, publicKeyUncompressed } = lengths;
     try {
       const l = publicKey.length;
       if (isCompressed === true && l !== comp) return false;
-      if (isCompressed === false && l !== publicUncompressed) return false;
+      if (isCompressed === false && l !== publicKeyUncompressed) return false;
       return !!Point.fromBytes(publicKey);
     } catch (error) {
       return false;
@@ -1239,9 +1240,10 @@ export function ecdh(
   function isProbPub(item: PrivKey | PubKey): boolean | undefined {
     if (typeof item === 'bigint') return false;
     if (item instanceof Point) return true;
-    if (Fn.allowedLengths || lengths.secret === lengths.public) return undefined;
+    const { secretKey, publicKey, publicKeyUncompressed } = lengths;
+    if (Fn.allowedLengths || secretKey === publicKey) return undefined;
     const l = ensureBytes('key', item).length;
-    return l === lengths.public || l === lengths.publicUncompressed;
+    return l === publicKey || l === publicKeyUncompressed;
   }
 
   /**
@@ -1290,6 +1292,7 @@ export function ecdh(
  * const p256_Point = weierstrass(...);
  * const p256_sha256 = ecdsa(p256_Point, sha256);
  * const p256_sha224 = ecdsa(p256_Point, sha224);
+ * const p256_sha224_r = ecdsa(p256_Point, sha224, { randomBytes: (length) => { ... } });
  * ```
  */
 export function ecdsa(
@@ -1310,8 +1313,8 @@ export function ecdsa(
     }
   );
 
-  const randomBytes_ = ecdsaOpts.randomBytes || wcRandomBytes;
-  const hmac_: HmacFnSync =
+  const randomBytes = ecdsaOpts.randomBytes || randomBytesWeb;
+  const hmac: HmacFnSync =
     ecdsaOpts.hmac ||
     (((key, ...msgs) => nobleHmac(hash, key, concatBytes(...msgs))) satisfies HmacFnSync);
 
@@ -1330,14 +1333,17 @@ export function ecdsa(
     const HALF = CURVE_ORDER >> _1n;
     return number > HALF;
   }
-  function normalizeS(s: bigint) {
-    return isBiggerThanHalfOrder(s) ? Fn.neg(s) : s;
-  }
   function validateRS(title: string, num: bigint): bigint {
     if (!Fn.isValidNot0(num))
       throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
     return num;
   }
+  function validateSigLength(bytes: Uint8Array, format: ECDSASigFormat) {
+    validateSigFormat(format);
+    const size = lengths.signature!;
+    const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
+    return abytes(bytes, sizer, `${format} signature`);
+  }
 
   /**
    * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
@@ -1354,21 +1360,18 @@ export function ecdsa(
     }
 
     static fromBytes(bytes: Uint8Array, format: ECDSASigFormat = defaultSigOpts_format): Signature {
-      validateSigFormat(format);
-      const size = lengths.signature!;
+      validateSigLength(bytes, format);
       let recid: number | undefined;
       if (format === 'der') {
         const { r, s } = DER.toSig(abytes(bytes));
         return new Signature(r, s);
       }
       if (format === 'recovered') {
-        abytes(bytes, size + 1);
         recid = bytes[0];
         format = 'compact';
         bytes = bytes.subarray(1);
       }
-      abytes(bytes, size);
-      const L = size / 2;
+      const L = Fn.BYTES;
       const r = bytes.subarray(0, L);
       const s = bytes.subarray(L, L * 2);
       return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
@@ -1382,7 +1385,7 @@ export function ecdsa(
       return new Signature(this.r, this.s, recovery) as RecoveredSignature;
     }
 
-    recoverPublicKey(msgHash: Hex): typeof Point.BASE {
+    recoverPublicKey(messageHash: Hex): WeierstrassPoint<bigint> {
       const FIELD_ORDER = Fp.ORDER;
       const { r, s, recovery: rec } = this;
       if (rec == null || ![0, 1, 2, 3].includes(rec)) throw new Error('recovery id invalid');
@@ -1403,7 +1406,7 @@ export function ecdsa(
       const x = Fp.toBytes(radj);
       const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
       const ir = Fn.inv(radj); // r^-1
-      const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash
+      const h = bits2int_modN(ensureBytes('msgHash', messageHash)); // Truncate hash
       const u1 = Fn.create(-h * ir); // -hr^-1
       const u2 = Fn.create(s * ir); // sr^-1
       // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
@@ -1466,7 +1469,7 @@ export function ecdsa(
   // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
   const bits2int =
     ecdsaOpts.bits2int ||
-    function (bytes: Uint8Array): bigint {
+    function bits2int_def(bytes: Uint8Array): bigint {
       // Our custom check "just in case", for protection against DoS
       if (bytes.length > 8192) throw new Error('input is too large');
       // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
@@ -1477,20 +1480,23 @@ export function ecdsa(
     };
   const bits2int_modN =
     ecdsaOpts.bits2int_modN ||
-    function (bytes: Uint8Array): bigint {
+    function bits2int_modN_def(bytes: Uint8Array): bigint {
       return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
     };
-  // NOTE: pads output with zero as per spec
+  // Pads output with zero as per spec
   const ORDER_MASK = bitMask(fnBits);
-  /**
-   * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
-   */
+  /** Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`. */
   function int2octets(num: bigint): Uint8Array {
     // IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
     aInRange('num < 2^' + fnBits, num, _0n, ORDER_MASK);
     return Fn.toBytes(num);
   }
 
+  function validateMsgAndHash(message: Uint8Array, prehash: boolean) {
+    abytes(message, undefined, 'message');
+    return prehash ? abytes(hash(message), undefined, 'prehashed message') : message;
+  }
+
   /**
    * Steps A, D of RFC6979 3.2.
    * Creates RFC6979 seed; converts msg/privKey to numbers.
@@ -1503,10 +1509,7 @@ export function ecdsa(
     if (['recovered', 'canonical'].some((k) => k in opts))
       throw new Error('sign() legacy options not supported');
     const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
-    // RFC6979 3.2: we skip step A, because we already provide hash
-    message = abytes(message, undefined, 'message');
-    if (prehash) message = abytes(hash(message), undefined, 'prehashed message');
-
+    message = validateMsgAndHash(message, prehash); // RFC6979 3.2 A: h1 = H(m)
     // We can't later call bits2octets, since nested bits2int is broken for curves
     // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
     // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
@@ -1517,7 +1520,7 @@ export function ecdsa(
     if (extraEntropy != null && extraEntropy !== false) {
       // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
       // gen random bytes OR pass as-is
-      const e = extraEntropy === true ? randomBytes_(lengths.secret) : extraEntropy;
+      const e = extraEntropy === true ? randomBytes(lengths.secretKey) : extraEntropy;
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
     const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
@@ -1544,7 +1547,7 @@ export function ecdsa(
       let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
       let normS = s;
       if (lowS && isBiggerThanHalfOrder(s)) {
-        normS = normalizeS(s); // if lowS was passed, ensure s is always
+        normS = Fn.neg(s); // if lowS was passed, ensure s is always
         recovery ^= 1; // // in the bottom half of N
       }
       return new Signature(r, normS, recovery) as RecoveredSignature; // use normS, not s
@@ -1566,13 +1569,42 @@ export function ecdsa(
   function sign(message: Hex, secretKey: PrivKey, opts: ECDSASignOpts = {}): RecoveredSignature {
     message = ensureBytes('message', message);
     const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
-    const drbg = createHmacDrbg<RecoveredSignature>(hash.outputLen, Fn.BYTES, hmac_);
+    const drbg = createHmacDrbg<RecoveredSignature>(hash.outputLen, Fn.BYTES, hmac);
     const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
     return sig;
   }
 
-  // Enable precomputes. Slows down first publicKey computation by 20ms.
-  Point.BASE.precompute(8);
+  function tryParsingSig(sg: Hex | SignatureLike) {
+    // Try to deduce format
+    let sig: Signature | undefined = undefined;
+    const isHex = typeof sg === 'string' || isBytes(sg);
+    const isObj =
+      !isHex &&
+      sg !== null &&
+      typeof sg === 'object' &&
+      typeof sg.r === 'bigint' &&
+      typeof sg.s === 'bigint';
+    if (!isHex && !isObj)
+      throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
+    if (isObj) {
+      sig = new Signature(sg.r, sg.s);
+    } else if (isHex) {
+      try {
+        sig = Signature.fromBytes(ensureBytes('sig', sg), 'der');
+      } catch (derError) {
+        if (!(derError instanceof DER.Err)) throw derError;
+      }
+      if (!sig) {
+        try {
+          sig = Signature.fromBytes(ensureBytes('sig', sg), 'compact');
+        } catch (error) {
+          return false;
+        }
+      }
+    }
+    if (!sig) return false;
+    return sig;
+  }
 
   /**
    * Verifies a signature against message and public key.
@@ -1593,61 +1625,19 @@ export function ecdsa(
     publicKey: Hex,
     opts: ECDSAVerifyOpts = {}
   ): boolean {
-    const sg = signature;
-    message = ensureBytes('msgHash', message);
-    publicKey = ensureBytes('publicKey', publicKey);
     const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
-    let _sig: Signature | undefined = undefined;
-    let P: WeierstrassPoint<bigint>;
-
+    publicKey = ensureBytes('publicKey', publicKey);
+    message = validateMsgAndHash(ensureBytes('message', message), prehash);
     if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
-    if (format === undefined) {
-      // Try to deduce format
-      const isHex = typeof sg === 'string' || isBytes(sg);
-      const isObj =
-        !isHex &&
-        sg !== null &&
-        typeof sg === 'object' &&
-        typeof sg.r === 'bigint' &&
-        typeof sg.s === 'bigint';
-      if (!isHex && !isObj)
-        throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
-      if (isObj) {
-        _sig = new Signature(sg.r, sg.s);
-      } else if (isHex) {
-        // TODO: remove this malleable check
-        // Signature can be represented in 2 ways: compact (2*Fn.BYTES) & DER (variable-length).
-        // Since DER can also be 2*Fn.BYTES bytes, we check for it first.
-        try {
-          _sig = Signature.fromDER(sg);
-        } catch (derError) {
-          if (!(derError instanceof DER.Err)) throw derError;
-        }
-        if (!_sig) {
-          try {
-            _sig = Signature.fromCompact(sg);
-          } catch (error) {
-            return false;
-          }
-        }
-      }
-    } else {
-      if (format === 'compact' || format === 'der') {
-        if (typeof sg !== 'string' && !isBytes(sg))
-          throw new Error('"der" / "compact" format expects Uint8Array signature');
-        _sig = Signature.fromBytes(ensureBytes('sig', sg), format);
-      } else {
-        throw new Error('format must be "compact", "der" or "js"');
-      }
-    }
-
-    if (!_sig) return false;
+    const sig =
+      format === undefined
+        ? tryParsingSig(signature)
+        : Signature.fromBytes(ensureBytes('sig', signature as Hex), format);
+    if (sig === false) return false;
     try {
-      P = Point.fromHex(publicKey);
-      if (lowS && _sig.hasHighS()) return false;
-      // todo: optional.hash => hash
-      if (prehash) message = hash(message);
-      const { r, s } = _sig;
+      const P = Point.fromBytes(publicKey);
+      if (lowS && sig.hasHighS()) return false;
+      const { r, s } = sig;
       const h = bits2int_modN(message); // mod n, not mod p
       const is = Fn.inv(s); // s^-1 mod n
       const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
@@ -1666,10 +1656,8 @@ export function ecdsa(
     message: Uint8Array,
     opts: ECDSARecoverOpts = {}
   ): Uint8Array {
-    const prehash = opts.prehash !== undefined ? opts.prehash : defaultSigOpts.prehash;
-    abool(prehash, 'prehash');
-    message = abytes(message, undefined, 'message');
-    if (prehash) message = abytes(hash(message), undefined, 'prehashed message');
+    const { prehash } = validateSigOpts(opts, defaultSigOpts);
+    message = validateMsgAndHash(message, prehash);
     return Signature.fromBytes(signature, 'recovered').recoverPublicKey(message).toBytes();
   }
 
@@ -1689,13 +1677,14 @@ export function ecdsa(
 }
 
 // TODO: remove everything below
-/** @deprecated */
+/** @deprecated use ECDSASignature */
 export type SignatureType = ECDSASignature;
-/** @deprecated */
+/** @deprecated use ECDSASigRecovered */
 export type RecoveredSignatureType = ECDSASigRecovered;
-/** @deprecated */
+/** @deprecated switch to Uint8Array signatures in format 'compact' */
 export type SignatureLike = { r: bigint; s: bigint };
-/** @deprecated use `Uint8Array | boolean` */
+export type ECDSAExtraEntropy = Hex | boolean;
+/** @deprecated use `ECDSAExtraEntropy` */
 export type Entropy = Hex | boolean;
 export type BasicWCurve<T> = BasicCurve<T> & {
   // Params: a, b
@@ -1721,6 +1710,8 @@ export type VerOpts = ECDSAVerifyOpts;
 export type ProjPointType<T> = WeierstrassPoint<T>;
 /** @deprecated use WeierstrassPointCons */
 export type ProjConstructor<T> = WeierstrassPointCons<T>;
+/** @deprecated use ECDSASignatureCons */
+export type SignatureConstructor = ECDSASignatureCons;
 
 // TODO: remove
 export type CurvePointsType<T> = BasicWCurve<T> & {

package/src/bls12-381.ts

@@ -82,7 +82,6 @@ import { bls, type CurveFn } from './abstract/bls.ts';
 import { Field, type IField } from './abstract/modular.ts';
 import {
   abytes,
-  bitGet,
   bitLen,
   bitMask,
   bytesToHex,
@@ -147,10 +146,13 @@ const bls12_381_CURVE_G1: WeierstrassOpts<bigint> = {
 };
 
 // CURVE FIELDS
-export const bls12_381_Fr: IField<bigint> = Field(bls12_381_CURVE_G1.n, { modFromBytes: true });
-const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
-  // Order of Fp
+export const bls12_381_Fr: IField<bigint> = Field(bls12_381_CURVE_G1.n, {
+  modFromBytes: true,
+  isLE: true,
+});
+const { Fp, Fp2, Fp6, Fp12 } = tower12({
   ORDER: bls12_381_CURVE_G1.p,
+  X_LEN: BLS_X_LEN,
   // Finite extension field over irreducible polynominal.
   // Fp(u) / (u² - β) where β = -1
   FP2_NONRESIDUE: [_1n, _1n],
@@ -160,41 +162,6 @@ const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
     // (T0-T1) + (T0+T1)*i
     return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
   },
-  // Fp12
-  // A cyclotomic group is a subgroup of Fp^n defined by
-  //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
-  // The result of any pairing is in a cyclotomic subgroup
-  // https://eprint.iacr.org/2009/565.pdf
-  Fp12cyclotomicSquare: ({ c0, c1 }): Fp12 => {
-    const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
-    const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
-    const { first: t3, second: t4 } = Fp4Square(c0c0, c1c1);
-    const { first: t5, second: t6 } = Fp4Square(c1c0, c0c2);
-    const { first: t7, second: t8 } = Fp4Square(c0c1, c1c2);
-    const t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
-    return {
-      c0: Fp6.create({
-        c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0)  + T3
-        c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1)  + T5
-        c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
-      }), // 2 * (T7 - c0c2)  + T7
-      c1: Fp6.create({
-        c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
-        c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
-        c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
-      }),
-    }; // 2 * (T6 + c1c2) + T6
-  },
-  Fp12cyclotomicExp(num, n) {
-    let z = Fp12.ONE;
-    for (let i = BLS_X_LEN - 1; i >= 0; i--) {
-      z = Fp12._cyclotomicSquare(z);
-      if (bitGet(n, i)) z = Fp12.mul(z, num);
-    }
-    return z;
-  },
-  // https://eprint.iacr.org/2010/354.pdf
-  // https://eprint.iacr.org/2009/565.pdf
   Fp12finalExponentiate: (num) => {
     const x = BLS_X;
     // this^(q⁶) / this

package/src/bn254.ts

@@ -65,7 +65,7 @@ import { Field, type IField } from './abstract/modular.ts';
 import type { Fp, Fp12, Fp2, Fp6 } from './abstract/tower.ts';
 import { psiFrobenius, tower12 } from './abstract/tower.ts';
 import { type CurveFn, weierstrass, type WeierstrassOpts } from './abstract/weierstrass.ts';
-import { bitGet, bitLen, notImplemented } from './utils.ts';
+import { bitLen, notImplemented } from './utils.ts';
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3);
 const _6n = BigInt(6);
@@ -94,42 +94,11 @@ const Fp2B = {
   c1: BigInt('266929791119991161246907387137283842545076965332900288569378510910307636690'),
 };
 
-const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = tower12({
+const { Fp, Fp2, Fp6, Fp12 } = tower12({
   ORDER: bn254_G1_CURVE.p,
+  X_LEN: BN_X_LEN,
   FP2_NONRESIDUE: [BigInt(9), _1n],
   Fp2mulByB: (num) => Fp2.mul(num, Fp2B),
-  // The result of any pairing is in a cyclotomic subgroup
-  // https://eprint.iacr.org/2009/565.pdf
-  Fp12cyclotomicSquare: ({ c0, c1 }): Fp12 => {
-    const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
-    const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
-    const { first: t3, second: t4 } = Fp4Square(c0c0, c1c1);
-    const { first: t5, second: t6 } = Fp4Square(c1c0, c0c2);
-    const { first: t7, second: t8 } = Fp4Square(c0c1, c1c2);
-    let t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
-    return {
-      c0: Fp6.create({
-        c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0)  + T3
-        c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1)  + T5
-        c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
-      }), // 2 * (T7 - c0c2)  + T7
-      c1: Fp6.create({
-        c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
-        c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
-        c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
-      }),
-    }; // 2 * (T6 + c1c2) + T6
-  },
-  Fp12cyclotomicExp(num, n) {
-    let z = Fp12.ONE;
-    for (let i = BN_X_LEN - 1; i >= 0; i--) {
-      z = Fp12._cyclotomicSquare(z);
-      if (bitGet(n, i)) z = Fp12.mul(z, num);
-    }
-    return z;
-  },
-  // https://eprint.iacr.org/2010/354.pdf
-  // https://eprint.iacr.org/2009/565.pdf
   Fp12finalExponentiate: (num) => {
     const powMinusX = (num: Fp12) => Fp12.conjugate(Fp12._cyclotomicExp(num, BN_X));
     const r0 = Fp12.mul(Fp12.conjugate(num), Fp12.inv(num));