@noble/curves 1.9.5 → 2.0.0-beta.1

package/bls12-381.js

@@ -1,6 +1,3 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.bls12_381 = exports.bls12_381_Fr = void 0;
 /**
  * bls12-381 is pairing-friendly Barreto-Lynn-Scott elliptic curve construction allowing to:
 
@@ -80,14 +77,14 @@ Filecoin uses little endian byte arrays for secret keys - make sure to reverse b
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const sha2_js_1 = require("@noble/hashes/sha2.js");
-const bls_ts_1 = require("./abstract/bls.js");
-const modular_ts_1 = require("./abstract/modular.js");
-const utils_ts_1 = require("./utils.js");
+import { sha256 } from '@noble/hashes/sha2.js';
+import { bls } from "./abstract/bls.js";
+import { Field } from "./abstract/modular.js";
+import { abytes, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, copyBytes, hexToBytes, numberToBytesBE, randomBytes, } from "./utils.js";
 // Types
-const hash_to_curve_ts_1 = require("./abstract/hash-to-curve.js");
-const tower_ts_1 = require("./abstract/tower.js");
-const weierstrass_ts_1 = require("./abstract/weierstrass.js");
+import { isogenyMap } from "./abstract/hash-to-curve.js";
+import { psiFrobenius, tower12 } from "./abstract/tower.js";
+import { mapToCurveSimpleSWU, weierstrass, } from "./abstract/weierstrass.js";
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
@@ -98,7 +95,7 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n =
 const BLS_X = BigInt('0xd201000000010000');
 // t = x (called differently in different places)
 // const t = -BLS_X;
-const BLS_X_LEN = (0, utils_ts_1.bitLen)(BLS_X);
+const BLS_X_LEN = bitLen(BLS_X);
 // a=0, b=4
 // P is characteristic of field Fp, in which curve calculations are done.
 // p = (t-1)² * (t⁴-t²+1)/3 + t
@@ -121,10 +118,13 @@ const bls12_381_CURVE_G1 = {
     Gy: BigInt('0x08b3f481e3aaa0f1a09e30ed741d8ae4fcf5e095d5d00af600db18cb2c04b3edd03cc744a2888ae40caa232946c5e7e1'),
 };
 // CURVE FIELDS
-exports.bls12_381_Fr = (0, modular_ts_1.Field)(bls12_381_CURVE_G1.n, { modFromBytes: true });
-const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = (0, tower_ts_1.tower12)({
-    // Order of Fp
+// r = z⁴ − z² + 1; CURVE.n from other curves
+export const bls12_381_Fr = Field(bls12_381_CURVE_G1.n, {
+    modFromBytes: true,
+});
+const { Fp, Fp2, Fp6, Fp12 } = tower12({
     ORDER: bls12_381_CURVE_G1.p,
+    X_LEN: BLS_X_LEN,
     // Finite extension field over irreducible polynominal.
     // Fp(u) / (u² - β) where β = -1
     FP2_NONRESIDUE: [_1n, _1n],
@@ -134,42 +134,6 @@ const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = (0, tower_ts_1.tower12)({
         // (T0-T1) + (T0+T1)*i
         return { c0: Fp.sub(t0, t1), c1: Fp.add(t0, t1) };
     },
-    // Fp12
-    // A cyclotomic group is a subgroup of Fp^n defined by
-    //   GΦₙ(p) = {α ∈ Fpⁿ : α^Φₙ(p) = 1}
-    // The result of any pairing is in a cyclotomic subgroup
-    // https://eprint.iacr.org/2009/565.pdf
-    Fp12cyclotomicSquare: ({ c0, c1 }) => {
-        const { c0: c0c0, c1: c0c1, c2: c0c2 } = c0;
-        const { c0: c1c0, c1: c1c1, c2: c1c2 } = c1;
-        const { first: t3, second: t4 } = Fp4Square(c0c0, c1c1);
-        const { first: t5, second: t6 } = Fp4Square(c1c0, c0c2);
-        const { first: t7, second: t8 } = Fp4Square(c0c1, c1c2);
-        const t9 = Fp2.mulByNonresidue(t8); // T8 * (u + 1)
-        return {
-            c0: Fp6.create({
-                c0: Fp2.add(Fp2.mul(Fp2.sub(t3, c0c0), _2n), t3), // 2 * (T3 - c0c0)  + T3
-                c1: Fp2.add(Fp2.mul(Fp2.sub(t5, c0c1), _2n), t5), // 2 * (T5 - c0c1)  + T5
-                c2: Fp2.add(Fp2.mul(Fp2.sub(t7, c0c2), _2n), t7),
-            }), // 2 * (T7 - c0c2)  + T7
-            c1: Fp6.create({
-                c0: Fp2.add(Fp2.mul(Fp2.add(t9, c1c0), _2n), t9), // 2 * (T9 + c1c0) + T9
-                c1: Fp2.add(Fp2.mul(Fp2.add(t4, c1c1), _2n), t4), // 2 * (T4 + c1c1) + T4
-                c2: Fp2.add(Fp2.mul(Fp2.add(t6, c1c2), _2n), t6),
-            }),
-        }; // 2 * (T6 + c1c2) + T6
-    },
-    Fp12cyclotomicExp(num, n) {
-        let z = Fp12.ONE;
-        for (let i = BLS_X_LEN - 1; i >= 0; i--) {
-            z = Fp12._cyclotomicSquare(z);
-            if ((0, utils_ts_1.bitGet)(n, i))
-                z = Fp12.mul(z, num);
-        }
-        return z;
-    },
-    // https://eprint.iacr.org/2010/354.pdf
-    // https://eprint.iacr.org/2009/565.pdf
     Fp12finalExponentiate: (num) => {
         const x = BLS_X;
         // this^(q⁶) / this
@@ -191,7 +155,7 @@ const { Fp, Fp2, Fp6, Fp4Square, Fp12 } = (0, tower_ts_1.tower12)({
     },
 });
 // GLV endomorphism Ψ(P), for fast cofactor clearing
-const { G2psi, G2psi2 } = (0, tower_ts_1.psiFrobenius)(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)); // 1/(u+1)
+const { G2psi, G2psi2 } = psiFrobenius(Fp, Fp2, Fp2.div(Fp2.ONE, Fp2.NONRESIDUE)); // 1/(u+1)
 /**
  * Default hash_to_field / hash-to-curve for BLS.
  * m: 1 for G1, 2 for G2
@@ -199,14 +163,14 @@ const { G2psi, G2psi2 } = (0, tower_ts_1.psiFrobenius)(Fp, Fp2, Fp2.div(Fp2.ONE,
  * hash: any function, e.g. BBS+ uses BLAKE2: see [github](https://github.com/hyperledger/aries-framework-go/issues/2247).
  * Parameter values come from [section 8.8.2 of RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-8.8.2).
  */
-const htfDefaults = Object.freeze({
+const hasher_opts = Object.freeze({
     DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     encodeDST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_NUL_',
     p: Fp.ORDER,
     m: 2,
     k: 128,
     expand: 'xmd',
-    hash: sha2_js_1.sha256,
+    hash: sha256,
 });
 // a=0, b=4
 // cofactor h of G2
@@ -234,24 +198,25 @@ const bls12_381_CURVE_G2 = {
 // Set compressed & point-at-infinity bits
 const COMPZERO = setMask(Fp.toBytes(_0n), { infinity: true, compressed: true });
 function parseMask(bytes) {
-    // Copy, so we can remove mask data. It will be removed also later, when Fp.create will call modulo.
-    bytes = bytes.slice();
-    const mask = bytes[0] & 224;
+    // Copy, so we can remove mask data.
+    // It will be removed also later, when Fp.create will call modulo.
+    bytes = copyBytes(bytes);
+    const mask = bytes[0] & 0b1110_0000;
     const compressed = !!((mask >> 7) & 1); // compression bit (0b1000_0000)
     const infinity = !!((mask >> 6) & 1); // point at infinity bit (0b0100_0000)
     const sort = !!((mask >> 5) & 1); // sort bit (0b0010_0000)
-    bytes[0] &= 31; // clear mask (zero first 3 bits)
+    bytes[0] &= 0b0001_1111; // clear mask (zero first 3 bits)
     return { compressed, infinity, sort, value: bytes };
 }
 function setMask(bytes, mask) {
-    if (bytes[0] & 224)
+    if (bytes[0] & 0b1110_0000)
         throw new Error('setMask: non-empty mask');
     if (mask.compressed)
-        bytes[0] |= 128;
+        bytes[0] |= 0b1000_0000;
     if (mask.infinity)
-        bytes[0] |= 64;
+        bytes[0] |= 0b0100_0000;
     if (mask.sort)
-        bytes[0] |= 32;
+        bytes[0] |= 0b0010_0000;
     return bytes;
 }
 function pointG1ToBytes(_c, point, isComp) {
@@ -262,14 +227,14 @@ function pointG1ToBytes(_c, point, isComp) {
         if (is0)
             return COMPZERO.slice();
         const sort = Boolean((y * _2n) / P);
-        return setMask((0, utils_ts_1.numberToBytesBE)(x, L), { compressed: true, sort });
+        return setMask(numberToBytesBE(x, L), { compressed: true, sort });
     }
     else {
         if (is0) {
-            return (0, utils_ts_1.concatBytes)(Uint8Array.of(0x40), new Uint8Array(2 * L - 1));
+            return concatBytes(Uint8Array.of(0x40), new Uint8Array(2 * L - 1));
         }
         else {
-            return (0, utils_ts_1.concatBytes)((0, utils_ts_1.numberToBytesBE)(x, L), (0, utils_ts_1.numberToBytesBE)(y, L));
+            return concatBytes(numberToBytesBE(x, L), numberToBytesBE(y, L));
         }
     }
 }
@@ -280,15 +245,15 @@ function signatureG1ToBytes(point) {
     if (point.is0())
         return COMPZERO.slice();
     const sort = Boolean((y * _2n) / P);
-    return setMask((0, utils_ts_1.numberToBytesBE)(x, L), { compressed: true, sort });
+    return setMask(numberToBytesBE(x, L), { compressed: true, sort });
 }
 function pointG1FromBytes(bytes) {
     const { compressed, infinity, sort, value } = parseMask(bytes);
     const { BYTES: L, ORDER: P } = Fp;
     if (value.length === 48 && compressed) {
-        const compressedValue = (0, utils_ts_1.bytesToNumberBE)(value);
+        const compressedValue = bytesToNumberBE(value);
         // Zero
-        const x = Fp.create(compressedValue & (0, utils_ts_1.bitMask)(Fp.BITS));
+        const x = Fp.create(compressedValue & bitMask(Fp.BITS));
         if (infinity) {
             if (x !== _0n)
                 throw new Error('invalid G1 point: non-empty, at infinity, with compression');
@@ -304,12 +269,12 @@ function pointG1FromBytes(bytes) {
     }
     else if (value.length === 96 && !compressed) {
         // Check if the infinity flag is set
-        const x = (0, utils_ts_1.bytesToNumberBE)(value.subarray(0, L));
-        const y = (0, utils_ts_1.bytesToNumberBE)(value.subarray(L));
+        const x = bytesToNumberBE(value.subarray(0, L));
+        const y = bytesToNumberBE(value.subarray(L));
         if (infinity) {
             if (x !== _0n || y !== _0n)
                 throw new Error('G1: non-empty point at infinity');
-            return exports.bls12_381.G1.Point.ZERO.toAffine();
+            return bls12_381.G1.Point.ZERO.toAffine();
         }
         return { x: Fp.create(x), y: Fp.create(y) };
     }
@@ -317,15 +282,15 @@ function pointG1FromBytes(bytes) {
         throw new Error('invalid G1 point: expected 48/96 bytes');
     }
 }
-function signatureG1FromBytes(hex) {
-    const { infinity, sort, value } = parseMask((0, utils_ts_1.ensureBytes)('signatureHex', hex, 48));
+function signatureG1FromBytes(bytes) {
+    const { infinity, sort, value } = parseMask(abytes(bytes, 48, 'signature'));
     const P = Fp.ORDER;
-    const Point = exports.bls12_381.G1.Point;
-    const compressedValue = (0, utils_ts_1.bytesToNumberBE)(value);
+    const Point = bls12_381.G1.Point;
+    const compressedValue = bytesToNumberBE(value);
     // Zero
     if (infinity)
         return Point.ZERO;
-    const x = Fp.create(compressedValue & (0, utils_ts_1.bitMask)(Fp.BITS));
+    const x = Fp.create(compressedValue & bitMask(Fp.BITS));
     const right = Fp.add(Fp.pow(x, _3n), Fp.create(bls12_381_CURVE_G1.b)); // y² = x³ + b
     let y = Fp.sqrt(right);
     if (!y)
@@ -343,30 +308,30 @@ function pointG2ToBytes(_c, point, isComp) {
     const { x, y } = point.toAffine();
     if (isComp) {
         if (is0)
-            return (0, utils_ts_1.concatBytes)(COMPZERO, (0, utils_ts_1.numberToBytesBE)(_0n, L));
+            return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
         const flag = Boolean(y.c1 === _0n ? (y.c0 * _2n) / P : (y.c1 * _2n) / P);
-        return (0, utils_ts_1.concatBytes)(setMask((0, utils_ts_1.numberToBytesBE)(x.c1, L), { compressed: true, sort: flag }), (0, utils_ts_1.numberToBytesBE)(x.c0, L));
+        return concatBytes(setMask(numberToBytesBE(x.c1, L), { compressed: true, sort: flag }), numberToBytesBE(x.c0, L));
     }
     else {
         if (is0)
-            return (0, utils_ts_1.concatBytes)(Uint8Array.of(0x40), new Uint8Array(4 * L - 1));
+            return concatBytes(Uint8Array.of(0x40), new Uint8Array(4 * L - 1));
         const { re: x0, im: x1 } = Fp2.reim(x);
         const { re: y0, im: y1 } = Fp2.reim(y);
-        return (0, utils_ts_1.concatBytes)((0, utils_ts_1.numberToBytesBE)(x1, L), (0, utils_ts_1.numberToBytesBE)(x0, L), (0, utils_ts_1.numberToBytesBE)(y1, L), (0, utils_ts_1.numberToBytesBE)(y0, L));
+        return concatBytes(numberToBytesBE(x1, L), numberToBytesBE(x0, L), numberToBytesBE(y1, L), numberToBytesBE(y0, L));
     }
 }
 function signatureG2ToBytes(point) {
     point.assertValidity();
     const { BYTES: L } = Fp;
     if (point.is0())
-        return (0, utils_ts_1.concatBytes)(COMPZERO, (0, utils_ts_1.numberToBytesBE)(_0n, L));
+        return concatBytes(COMPZERO, numberToBytesBE(_0n, L));
     const { x, y } = point.toAffine();
     const { re: x0, im: x1 } = Fp2.reim(x);
     const { re: y0, im: y1 } = Fp2.reim(y);
     const tmp = y1 > _0n ? y1 * _2n : y0 * _2n;
     const sort = Boolean((tmp / Fp.ORDER) & _1n);
     const z2 = x0;
-    return (0, utils_ts_1.concatBytes)(setMask((0, utils_ts_1.numberToBytesBE)(x1, L), { sort, compressed: true }), (0, utils_ts_1.numberToBytesBE)(z2, L));
+    return concatBytes(setMask(numberToBytesBE(x1, L), { sort, compressed: true }), numberToBytesBE(z2, L));
 }
 function pointG2FromBytes(bytes) {
     const { BYTES: L, ORDER: P } = Fp;
@@ -375,9 +340,9 @@ function pointG2FromBytes(bytes) {
         (!compressed && infinity && sort) || // 01100000
         (sort && infinity && compressed) // 11100000
     ) {
-        throw new Error('invalid encoding flag: ' + (bytes[0] & 224));
+        throw new Error('invalid encoding flag: ' + (bytes[0] & 0b1110_0000));
     }
-    const slc = (b, from, to) => (0, utils_ts_1.bytesToNumberBE)(b.slice(from, to));
+    const slc = (b, from, to) => bytesToNumberBE(b.slice(from, to));
     if (value.length === 96 && compressed) {
         if (infinity) {
             // check that all bytes are 0
@@ -412,20 +377,20 @@ function pointG2FromBytes(bytes) {
         throw new Error('invalid G2 point: expected 96/192 bytes');
     }
 }
-function signatureG2FromBytes(hex) {
+function signatureG2FromBytes(bytes) {
     const { ORDER: P } = Fp;
     // TODO: Optimize, it's very slow because of sqrt.
-    const { infinity, sort, value } = parseMask((0, utils_ts_1.ensureBytes)('signatureHex', hex));
-    const Point = exports.bls12_381.G2.Point;
+    const { infinity, sort, value } = parseMask(abytes(bytes));
+    const Point = bls12_381.G2.Point;
     const half = value.length / 2;
     if (half !== 48 && half !== 96)
         throw new Error('invalid compressed signature length, expected 96/192 bytes');
-    const z1 = (0, utils_ts_1.bytesToNumberBE)(value.slice(0, half));
-    const z2 = (0, utils_ts_1.bytesToNumberBE)(value.slice(half));
+    const z1 = bytesToNumberBE(value.slice(0, half));
+    const z2 = bytesToNumberBE(value.slice(half));
     // Indicates the infinity point
     if (infinity)
         return Point.ZERO;
-    const x1 = Fp.create(z1 & (0, utils_ts_1.bitMask)(Fp.BITS));
+    const x1 = Fp.create(z1 & bitMask(Fp.BITS));
     const x2 = Fp.create(z2);
     const x = Fp2.create({ c0: x2, c1: x1 });
     const y2 = Fp2.add(Fp2.pow(x, _3n), bls12_381_CURVE_G2.b); // y² = x³ + 4
@@ -445,6 +410,121 @@ function signatureG2FromBytes(hex) {
     point.assertValidity();
     return point;
 }
+const signatureCoders = {
+    ShortSignature: {
+        fromBytes(bytes) {
+            return signatureG1FromBytes(abytes(bytes));
+        },
+        fromHex(hex) {
+            return signatureG1FromBytes(hexToBytes(hex));
+        },
+        toBytes(point) {
+            return signatureG1ToBytes(point);
+        },
+        toRawBytes(point) {
+            return signatureG1ToBytes(point);
+        },
+        toHex(point) {
+            return bytesToHex(signatureG1ToBytes(point));
+        },
+    },
+    LongSignature: {
+        fromBytes(bytes) {
+            return signatureG2FromBytes(abytes(bytes));
+        },
+        fromHex(hex) {
+            return signatureG2FromBytes(hexToBytes(hex));
+        },
+        toBytes(point) {
+            return signatureG2ToBytes(point);
+        },
+        toRawBytes(point) {
+            return signatureG2ToBytes(point);
+        },
+        toHex(point) {
+            return bytesToHex(signatureG2ToBytes(point));
+        },
+    },
+};
+const fields = {
+    Fp,
+    Fp2,
+    Fp6,
+    Fp12,
+    Fr: bls12_381_Fr,
+};
+const G1_Point = weierstrass(bls12_381_CURVE_G1, {
+    allowInfinityPoint: true,
+    Fn: bls12_381_Fr,
+    fromBytes: pointG1FromBytes,
+    toBytes: pointG1ToBytes,
+    // Checks is the point resides in prime-order subgroup.
+    // point.isTorsionFree() should return true for valid points
+    // It returns false for shitty points.
+    // https://eprint.iacr.org/2021/1130.pdf
+    isTorsionFree: (c, point) => {
+        // GLV endomorphism ψ(P)
+        const beta = BigInt('0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe');
+        const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
+        // TODO: unroll
+        const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
+        const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
+        return u2P.equals(phi);
+    },
+    // Clear cofactor of G1
+    // https://eprint.iacr.org/2019/403
+    clearCofactor: (_c, point) => {
+        // return this.multiplyUnsafe(CURVE.h);
+        return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
+    },
+});
+const G2_Point = weierstrass(bls12_381_CURVE_G2, {
+    Fp: Fp2,
+    allowInfinityPoint: true,
+    Fn: bls12_381_Fr,
+    fromBytes: pointG2FromBytes,
+    toBytes: pointG2ToBytes,
+    // https://eprint.iacr.org/2021/1130.pdf
+    // Older version: https://eprint.iacr.org/2019/814.pdf
+    isTorsionFree: (c, P) => {
+        return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
+    },
+    // clear_cofactor_bls12381_g2 from RFC 9380.
+    // https://eprint.iacr.org/2017/419.pdf
+    // prettier-ignore
+    clearCofactor: (c, P) => {
+        const x = BLS_X;
+        let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
+        let t2 = G2psi(c, P); // Ψ(P)
+        let t3 = P.double(); // 2P
+        t3 = G2psi2(c, t3); // Ψ²(2P)
+        t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
+        t2 = t1.add(t2); // [-x]P + Ψ(P)
+        t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
+        t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
+        t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
+        const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
+        return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
+    },
+});
+const bls12_hasher_opts = {
+    mapToG1: mapToG1,
+    mapToG2: mapToG2,
+    hasherOpts: hasher_opts,
+    hasherOptsG1: { ...hasher_opts, m: 1, DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_' },
+    hasherOptsG2: { ...hasher_opts },
+};
+const bls12_params = {
+    ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
+    xNegative: true,
+    twistType: 'multiplicative',
+    randomBytes: randomBytes,
+    // https://datatracker.ietf.org/doc/html/rfc9380#name-clearing-the-cofactor
+    // https://datatracker.ietf.org/doc/html/rfc9380#name-cofactor-clearing-for-bls12
+    // G2hEff: BigInt(
+    //   '0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'
+    // ),
+};
 /**
  * bls12-381 pairing-friendly curve.
  * @example
@@ -456,131 +536,9 @@ function signatureG2FromBytes(hex) {
  * const signature = bls.sign(message, privateKey);
  * const isValid = bls.verify(signature, message, publicKey);
  */
-exports.bls12_381 = (0, bls_ts_1.bls)({
-    // Fields
-    fields: {
-        Fp,
-        Fp2,
-        Fp6,
-        Fp12,
-        Fr: exports.bls12_381_Fr,
-    },
-    // G1: y² = x³ + 4
-    G1: {
-        ...bls12_381_CURVE_G1,
-        Fp,
-        htfDefaults: { ...htfDefaults, m: 1, DST: 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_' },
-        wrapPrivateKey: true,
-        allowInfinityPoint: true,
-        // Checks is the point resides in prime-order subgroup.
-        // point.isTorsionFree() should return true for valid points
-        // It returns false for shitty points.
-        // https://eprint.iacr.org/2021/1130.pdf
-        isTorsionFree: (c, point) => {
-            // GLV endomorphism ψ(P)
-            const beta = BigInt('0x5f19672fdf76ce51ba69c6076a0f77eaddb3a93be6f89688de17d813620a00022e01fffffffefffe');
-            const phi = new c(Fp.mul(point.X, beta), point.Y, point.Z);
-            // TODO: unroll
-            const xP = point.multiplyUnsafe(BLS_X).negate(); // [x]P
-            const u2P = xP.multiplyUnsafe(BLS_X); // [u2]P
-            return u2P.equals(phi);
-        },
-        // Clear cofactor of G1
-        // https://eprint.iacr.org/2019/403
-        clearCofactor: (_c, point) => {
-            // return this.multiplyUnsafe(CURVE.h);
-            return point.multiplyUnsafe(BLS_X).add(point); // x*P + P
-        },
-        mapToCurve: mapToG1,
-        fromBytes: pointG1FromBytes,
-        toBytes: pointG1ToBytes,
-        ShortSignature: {
-            fromBytes(bytes) {
-                (0, utils_ts_1.abytes)(bytes);
-                return signatureG1FromBytes(bytes);
-            },
-            fromHex(hex) {
-                return signatureG1FromBytes(hex);
-            },
-            toBytes(point) {
-                return signatureG1ToBytes(point);
-            },
-            toRawBytes(point) {
-                return signatureG1ToBytes(point);
-            },
-            toHex(point) {
-                return (0, utils_ts_1.bytesToHex)(signatureG1ToBytes(point));
-            },
-        },
-    },
-    G2: {
-        ...bls12_381_CURVE_G2,
-        Fp: Fp2,
-        // https://datatracker.ietf.org/doc/html/rfc9380#name-clearing-the-cofactor
-        // https://datatracker.ietf.org/doc/html/rfc9380#name-cofactor-clearing-for-bls12
-        hEff: BigInt('0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551'),
-        htfDefaults: { ...htfDefaults },
-        wrapPrivateKey: true,
-        allowInfinityPoint: true,
-        mapToCurve: mapToG2,
-        // Checks is the point resides in prime-order subgroup.
-        // point.isTorsionFree() should return true for valid points
-        // It returns false for shitty points.
-        // https://eprint.iacr.org/2021/1130.pdf
-        // Older version: https://eprint.iacr.org/2019/814.pdf
-        isTorsionFree: (c, P) => {
-            return P.multiplyUnsafe(BLS_X).negate().equals(G2psi(c, P)); // ψ(P) == [u](P)
-        },
-        // Maps the point into the prime-order subgroup G2.
-        // clear_cofactor_bls12381_g2 from RFC 9380.
-        // https://eprint.iacr.org/2017/419.pdf
-        // prettier-ignore
-        clearCofactor: (c, P) => {
-            const x = BLS_X;
-            let t1 = P.multiplyUnsafe(x).negate(); // [-x]P
-            let t2 = G2psi(c, P); // Ψ(P)
-            let t3 = P.double(); // 2P
-            t3 = G2psi2(c, t3); // Ψ²(2P)
-            t3 = t3.subtract(t2); // Ψ²(2P) - Ψ(P)
-            t2 = t1.add(t2); // [-x]P + Ψ(P)
-            t2 = t2.multiplyUnsafe(x).negate(); // [x²]P - [x]Ψ(P)
-            t3 = t3.add(t2); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P)
-            t3 = t3.subtract(t1); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P
-            const Q = t3.subtract(P); // Ψ²(2P) - Ψ(P) + [x²]P - [x]Ψ(P) + [x]P - 1P
-            return Q; // [x²-x-1]P + [x-1]Ψ(P) + Ψ²(2P)
-        },
-        fromBytes: pointG2FromBytes,
-        toBytes: pointG2ToBytes,
-        Signature: {
-            fromBytes(bytes) {
-                (0, utils_ts_1.abytes)(bytes);
-                return signatureG2FromBytes(bytes);
-            },
-            fromHex(hex) {
-                return signatureG2FromBytes(hex);
-            },
-            toBytes(point) {
-                return signatureG2ToBytes(point);
-            },
-            toRawBytes(point) {
-                return signatureG2ToBytes(point);
-            },
-            toHex(point) {
-                return (0, utils_ts_1.bytesToHex)(signatureG2ToBytes(point));
-            },
-        },
-    },
-    params: {
-        ateLoopSize: BLS_X, // The BLS parameter x for BLS12-381
-        r: bls12_381_CURVE_G1.n, // order; z⁴ − z² + 1; CURVE.n from other curves
-        xNegative: true,
-        twistType: 'multiplicative',
-    },
-    htfDefaults,
-    hash: sha2_js_1.sha256,
-});
+export const bls12_381 = bls(fields, G1_Point, G2_Point, bls12_params, bls12_hasher_opts, signatureCoders);
 // 3-isogeny map from E' to E https://www.rfc-editor.org/rfc/rfc9380#appendix-E.3
-const isogenyMapG2 = (0, hash_to_curve_ts_1.isogenyMap)(Fp2, [
+const isogenyMapG2 = isogenyMap(Fp2, [
     // xNum
     [
         [
@@ -649,7 +607,7 @@ const isogenyMapG2 = (0, hash_to_curve_ts_1.isogenyMap)(Fp2, [
     ],
 ].map((i) => i.map((pair) => Fp2.fromBigTuple(pair.map(BigInt)))));
 // 11-isogeny map from E' to E
-const isogenyMapG1 = (0, hash_to_curve_ts_1.isogenyMap)(Fp, [
+const isogenyMapG1 = isogenyMap(Fp, [
     // xNum
     [
         '0x11a05f2b1e833340b809101dd99815856b303e88a2d7005ff2627b56cdb4e2c85610c2d5f2e62d6eaeac1662734649b7',
@@ -719,13 +677,13 @@ const isogenyMapG1 = (0, hash_to_curve_ts_1.isogenyMap)(Fp, [
     ],
 ].map((i) => i.map((j) => BigInt(j))));
 // Optimized SWU Map - Fp to G1
-const G1_SWU = (0, weierstrass_ts_1.mapToCurveSimpleSWU)(Fp, {
+const G1_SWU = mapToCurveSimpleSWU(Fp, {
     A: Fp.create(BigInt('0x144698a3b8e9433d693a02c96d4982b0ea985383ee66a8d8e8981aefd881ac98936f8da0e0f97f5cf428082d584c1d')),
     B: Fp.create(BigInt('0x12e2908d11688030018b12e8753eee3b2016c1f0f24f4070a0b9c14fcef35ef55a23215a316ceaa5d1cc48e98e172be0')),
     Z: Fp.create(BigInt(11)),
 });
 // SWU Map - Fp2 to G2': y² = x³ + 240i * x + 1012 + 1012i
-const G2_SWU = (0, weierstrass_ts_1.mapToCurveSimpleSWU)(Fp2, {
+const G2_SWU = mapToCurveSimpleSWU(Fp2, {
     A: Fp2.create({ c0: Fp.create(_0n), c1: Fp.create(BigInt(240)) }), // A' = 240 * I
     B: Fp2.create({ c0: Fp.create(BigInt(1012)), c1: Fp.create(BigInt(1012)) }), // B' = 1012 * (1 + I)
     Z: Fp2.create({ c0: Fp.create(BigInt(-2)), c1: Fp.create(BigInt(-1)) }), // Z: -(2 + I)