@noble/curves 1.9.7 → 2.0.0-beta.2

package/src/abstract/hash-to-curve.ts

@@ -7,18 +7,18 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import type { CHash } from '../utils.ts';
 import {
-  _validateObject,
   abytes,
+  asafenumber,
+  asciiToBytes,
   bytesToNumberBE,
   concatBytes,
   isBytes,
-  isHash,
-  utf8ToBytes,
+  validateObject,
 } from '../utils.ts';
-import type { AffinePoint, Group, GroupConstructor } from './curve.ts';
+import type { AffinePoint, PC_ANY, PC_F, PC_P } from './curve.ts';
 import { FpInvertBatch, mod, type IField } from './modular.ts';
 
-export type UnicodeOrBytes = string | Uint8Array;
+export type AsciiOrBytes = string | Uint8Array;
 
 /**
  * * `DST` is a domain separation tag, defined in section 2.2.5
@@ -29,7 +29,7 @@ export type UnicodeOrBytes = string | Uint8Array;
  * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
  */
 export type H2COpts = {
-  DST: UnicodeOrBytes;
+  DST: AsciiOrBytes;
   expand: 'xmd' | 'xof';
   hash: CHash;
   p: bigint;
@@ -40,16 +40,37 @@ export type H2CHashOpts = {
   expand: 'xmd' | 'xof';
   hash: CHash;
 };
-// todo: remove
-export type Opts = H2COpts;
+export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
+
+// Separated from initialization opts, so users won't accidentally change per-curve parameters
+// (changing DST is ok!)
+export type H2CDSTOpts = { DST: AsciiOrBytes };
+export type H2CHasherBase<PC extends PC_ANY> = {
+  hashToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  hashToScalar(msg: Uint8Array, options?: H2CDSTOpts): bigint;
+  deriveToCurve?(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  Point: PC;
+};
+/**
+ * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
+ *
+ * * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
+ * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
+ * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
+ */
+export type H2CHasher<PC extends PC_ANY> = H2CHasherBase<PC> & {
+  encodeToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC>;
+  mapToCurve: MapToCurve<PC_F<PC>>;
+  defaults: H2COpts & { encodeDST?: AsciiOrBytes };
+};
 
 // Octet Stream to Integer. "spec" implementation of os2ip is 2.5x slower vs bytesToNumberBE.
 const os2ip = bytesToNumberBE;
 
 // Integer to Octet Stream (numberToBytesBE)
 function i2osp(value: number, length: number): Uint8Array {
-  anum(value);
-  anum(length);
+  asafenumber(value);
+  asafenumber(length);
   if (value < 0 || value >= 1 << (8 * length)) throw new Error('invalid I2OSP input: ' + value);
   const res = Array.from({ length }).fill(0) as number[];
   for (let i = length - 1; i >= 0; i--) {
@@ -67,13 +88,12 @@ function strxor(a: Uint8Array, b: Uint8Array): Uint8Array {
   return arr;
 }
 
-function anum(item: unknown): void {
-  if (!Number.isSafeInteger(item)) throw new Error('number expected');
-}
-
-function normDST(DST: UnicodeOrBytes): Uint8Array {
-  if (!isBytes(DST) && typeof DST !== 'string') throw new Error('DST must be Uint8Array or string');
-  return typeof DST === 'string' ? utf8ToBytes(DST) : DST;
+// User can always use utf8 if they want, by passing Uint8Array.
+// If string is passed, we treat it as ASCII: other formats are likely a mistake.
+function normDST(DST: AsciiOrBytes): Uint8Array {
+  if (!isBytes(DST) && typeof DST !== 'string')
+    throw new Error('DST must be Uint8Array or ascii string');
+  return typeof DST === 'string' ? asciiToBytes(DST) : DST;
 }
 
 /**
@@ -82,15 +102,15 @@ function normDST(DST: UnicodeOrBytes): Uint8Array {
  */
 export function expand_message_xmd(
   msg: Uint8Array,
-  DST: UnicodeOrBytes,
+  DST: AsciiOrBytes,
   lenInBytes: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  anum(lenInBytes);
+  asafenumber(lenInBytes);
   DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
-  if (DST.length > 255) DST = H(concatBytes(utf8ToBytes('H2C-OVERSIZE-DST-'), DST));
+  if (DST.length > 255) DST = H(concatBytes(asciiToBytes('H2C-OVERSIZE-DST-'), DST));
   const { outputLen: b_in_bytes, blockLen: r_in_bytes } = H;
   const ell = Math.ceil(lenInBytes / b_in_bytes);
   if (lenInBytes > 65535 || ell > 255) throw new Error('expand_message_xmd: invalid lenInBytes');
@@ -117,19 +137,19 @@ export function expand_message_xmd(
  */
 export function expand_message_xof(
   msg: Uint8Array,
-  DST: UnicodeOrBytes,
+  DST: AsciiOrBytes,
   lenInBytes: number,
   k: number,
   H: CHash
 ): Uint8Array {
   abytes(msg);
-  anum(lenInBytes);
+  asafenumber(lenInBytes);
   DST = normDST(DST);
   // https://www.rfc-editor.org/rfc/rfc9380#section-5.3.3
   // DST = H('H2C-OVERSIZE-DST-' || a_very_long_DST, Math.ceil((lenInBytes * k) / 8));
   if (DST.length > 255) {
     const dkLen = Math.ceil((2 * k) / 8);
-    DST = H.create({ dkLen }).update(utf8ToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
+    DST = H.create({ dkLen }).update(asciiToBytes('H2C-OVERSIZE-DST-')).update(DST).digest();
   }
   if (lenInBytes > 65535 || DST.length > 255)
     throw new Error('expand_message_xof: invalid lenInBytes');
@@ -153,16 +173,16 @@ export function expand_message_xof(
  * @returns [u_0, ..., u_(count - 1)], a list of field elements.
  */
 export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts): bigint[][] {
-  _validateObject(options, {
+  validateObject(options, {
     p: 'bigint',
     m: 'number',
     k: 'number',
     hash: 'function',
   });
   const { p, k, m, hash, expand, DST } = options;
-  if (!isHash(options.hash)) throw new Error('expected valid hash');
+  asafenumber(hash.outputLen, 'valid hash');
   abytes(msg);
-  anum(count);
+  asafenumber(count);
   const log2p = p.toString(2).length;
   const L = Math.ceil((log2p + k) / 8); // section 5.1 of ietf draft link above
   const len_in_bytes = count * m * L;
@@ -190,8 +210,8 @@ export function hash_to_field(msg: Uint8Array, count: number, options: H2COpts):
   return u;
 }
 
-export type XY<T> = (x: T, y: T) => { x: T; y: T };
-export type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
+type XY<T> = (x: T, y: T) => { x: T; y: T };
+type XYRatio<T> = [T[], T[], T[], T[]]; // xn/xd, yn/yd
 export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): XY<T> {
   // Make same order as in spec
   const coeff = map.map((i) => Array.from(i).reverse());
@@ -210,76 +230,37 @@ export function isogenyMap<T, F extends IField<T>>(field: F, map: XYRatio<T>): X
   };
 }
 
-/** Point interface, which curves must implement to work correctly with the module. */
-export interface H2CPoint<T> extends Group<H2CPoint<T>> {
-  add(rhs: H2CPoint<T>): H2CPoint<T>;
-  toAffine(iz?: bigint): AffinePoint<T>;
-  clearCofactor(): H2CPoint<T>;
-  assertValidity(): void;
-}
-
-export interface H2CPointConstructor<T> extends GroupConstructor<H2CPoint<T>> {
-  fromAffine(ap: AffinePoint<T>): H2CPoint<T>;
-}
-
-export type MapToCurve<T> = (scalar: bigint[]) => AffinePoint<T>;
-
-// Separated from initialization opts, so users won't accidentally change per-curve parameters
-// (changing DST is ok!)
-export type htfBasicOpts = { DST: UnicodeOrBytes };
-export type H2CMethod<T> = (msg: Uint8Array, options?: htfBasicOpts) => H2CPoint<T>;
-// TODO: remove
-export type HTFMethod<T> = H2CMethod<T>;
-export type MapMethod<T> = (scalars: bigint[]) => H2CPoint<T>;
-export type H2CHasherBase<T> = {
-  hashToCurve: H2CMethod<T>;
-  hashToScalar: (msg: Uint8Array, options: htfBasicOpts) => bigint;
-};
-/**
- * RFC 9380 methods, with cofactor clearing. See https://www.rfc-editor.org/rfc/rfc9380#section-3.
- *
- * * hashToCurve: `map(hash(input))`, encodes RANDOM bytes to curve (WITH hashing)
- * * encodeToCurve: `map(hash(input))`, encodes NON-UNIFORM bytes to curve (WITH hashing)
- * * mapToCurve: `map(scalars)`, encodes NON-UNIFORM scalars to curve (NO hashing)
- */
-export type H2CHasher<T> = H2CHasherBase<T> & {
-  encodeToCurve: H2CMethod<T>;
-  mapToCurve: MapMethod<T>;
-  defaults: H2COpts & { encodeDST?: UnicodeOrBytes };
-};
-// TODO: remove
-export type Hasher<T> = H2CHasher<T>;
-
-export const _DST_scalar: Uint8Array = utf8ToBytes('HashToScalar-');
+export const _DST_scalar: Uint8Array = asciiToBytes('HashToScalar-');
 
 /** Creates hash-to-curve methods from EC Point and mapToCurve function. See {@link H2CHasher}. */
-export function createHasher<T>(
-  Point: H2CPointConstructor<T>,
-  mapToCurve: MapToCurve<T>,
-  defaults: H2COpts & { encodeDST?: UnicodeOrBytes }
-): H2CHasher<T> {
+export function createHasher<PC extends PC_ANY>(
+  Point: PC,
+  mapToCurve: MapToCurve<PC_F<PC>>,
+  defaults: H2COpts & { encodeDST?: AsciiOrBytes }
+): H2CHasher<PC> {
   if (typeof mapToCurve !== 'function') throw new Error('mapToCurve() must be defined');
-  function map(num: bigint[]) {
-    return Point.fromAffine(mapToCurve(num));
+  function map(num: bigint[]): PC_P<PC> {
+    return Point.fromAffine(mapToCurve(num)) as PC_P<PC>;
   }
-  function clear(initial: H2CPoint<T>) {
+  function clear(initial: PC_P<PC>): PC_P<PC> {
     const P = initial.clearCofactor();
-    if (P.equals(Point.ZERO)) return Point.ZERO; // zero will throw in assert
+    if (P.equals(Point.ZERO)) return Point.ZERO as PC_P<PC>; // zero will throw in assert
     P.assertValidity();
-    return P;
+    return P as PC_P<PC>;
   }
 
   return {
-    defaults,
+    defaults: Object.freeze(defaults),
+    Point,
 
-    hashToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
+    hashToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC> {
       const opts = Object.assign({}, defaults, options);
       const u = hash_to_field(msg, 2, opts);
       const u0 = map(u[0]);
       const u1 = map(u[1]);
-      return clear(u0.add(u1));
+      return clear(u0.add(u1) as PC_P<PC>);
     },
-    encodeToCurve(msg: Uint8Array, options?: htfBasicOpts): H2CPoint<T> {
+    encodeToCurve(msg: Uint8Array, options?: H2CDSTOpts): PC_P<PC> {
       const optsDst = defaults.encodeDST ? { DST: defaults.encodeDST } : {};
       const opts = Object.assign({}, defaults, optsDst, options);
       const u = hash_to_field(msg, 1, opts);
@@ -287,7 +268,12 @@ export function createHasher<T>(
       return clear(u0);
     },
     /** See {@link H2CHasher} */
-    mapToCurve(scalars: bigint[]): H2CPoint<T> {
+    mapToCurve(scalars: bigint | bigint[]): PC_P<PC> {
+      // Curves with m=1 accept only single scalar
+      if (defaults.m === 1) {
+        if (typeof scalars !== 'bigint') throw new Error('expected bigint (m=1)');
+        return clear(map([scalars]));
+      }
       if (!Array.isArray(scalars)) throw new Error('expected array of bigints');
       for (const i of scalars)
         if (typeof i !== 'bigint') throw new Error('expected array of bigints');
@@ -296,7 +282,7 @@ export function createHasher<T>(
 
     // hash_to_scalar can produce 0: https://www.rfc-editor.org/errata/eid8393
     // RFC 9380, draft-irtf-cfrg-bbs-signatures-08
-    hashToScalar(msg: Uint8Array, options?: htfBasicOpts): bigint {
+    hashToScalar(msg: Uint8Array, options?: H2CDSTOpts): bigint {
       // @ts-ignore
       const N = Point.Fn.ORDER;
       const opts = Object.assign({}, defaults, { p: N, m: 1, DST: _DST_scalar }, options);

package/src/abstract/modular.ts

@@ -6,22 +6,23 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
-  _validateObject,
+  abytes,
   anumber,
-  bitMask,
   bytesToNumberBE,
   bytesToNumberLE,
-  ensureBytes,
   numberToBytesBE,
   numberToBytesLE,
+  validateObject,
 } from '../utils.ts';
 
+// Numbers aren't used in x25519 / x448 builds
 // prettier-ignore
-const _0n = BigInt(0), _1n = BigInt(1), _2n = /* @__PURE__ */ BigInt(2), _3n = /* @__PURE__ */ BigInt(3);
+const _0n = /* @__PURE__ */ BigInt(0), _1n = /* @__PURE__ */ BigInt(1), _2n = /* @__PURE__ */ BigInt(2);
 // prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
+const _3n = /* @__PURE__ */ BigInt(3), _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5);
 // prettier-ignore
-const _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
+const _7n = /* @__PURE__ */ BigInt(7), _8n = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9);
+const _16n = /* @__PURE__ */ BigInt(16);
 
 // Calculates a modulo b
 export function mod(a: bigint, b: bigint): bigint {
@@ -227,10 +228,9 @@ export const isNegativeLE = (num: bigint, modulo: bigint): boolean =>
 /** Field is not always over prime: for example, Fp2 has ORDER(q)=p^m. */
 export interface IField<T> {
   ORDER: bigint;
-  isLE: boolean;
   BYTES: number;
   BITS: number;
-  MASK: bigint;
+  isLE: boolean;
   ZERO: T;
   ONE: T;
   // 1-arg
@@ -260,7 +260,6 @@ export interface IField<T> {
   // [RFC9380](https://www.rfc-editor.org/rfc/rfc9380#section-4.1).
   // NOTE: sgn0 is 'negative in LE', which is same as odd. And negative in LE is kinda strange definition anyway.
   isOdd?(num: T): boolean; // Odd instead of even since we have it for Fp2
-  allowedLengths?: number[];
   // legendre?(num: T): T;
   invertBatch: (lst: T[]) => T[];
   toBytes(num: T): Uint8Array;
@@ -277,7 +276,6 @@ const FIELD_FIELDS = [
 export function validateField<T>(field: IField<T>): IField<T> {
   const initial = {
     ORDER: 'bigint',
-    MASK: 'bigint',
     BYTES: 'number',
     BITS: 'number',
   } as Record<string, string>;
@@ -285,7 +283,7 @@ export function validateField<T>(field: IField<T>): IField<T> {
     map[val] = 'function';
     return map;
   }, initial);
-  _validateObject(field, opts);
+  validateObject(field, opts);
   // const max = 16384;
   // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
   // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
@@ -381,12 +379,147 @@ export function nLength(n: bigint, nBitLength?: number): NLength {
 type FpField = IField<bigint> & Required<Pick<IField<bigint>, 'isOdd'>>;
 type SqrtFn = (n: bigint) => bigint;
 type FieldOpts = Partial<{
-  sqrt: SqrtFn;
   isLE: boolean;
   BITS: number;
-  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+  sqrt: SqrtFn;
   allowedLengths?: readonly number[]; // for P521 (adds padding for smaller sizes)
+  modFromBytes: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
 }>;
+class _Field implements IField<bigint> {
+  readonly ORDER: bigint;
+  readonly BITS: number;
+  readonly BYTES: number;
+  readonly isLE: boolean;
+  readonly ZERO = _0n;
+  readonly ONE = _1n;
+  readonly _lengths?: number[];
+  private _sqrt: ReturnType<typeof FpSqrt> | undefined; // cached sqrt
+  private readonly _mod?: boolean;
+  constructor(ORDER: bigint, opts: FieldOpts = {}) {
+    if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
+    let _nbitLength: number | undefined = undefined;
+    this.isLE = false;
+    if (opts != null && typeof opts === 'object') {
+      if (typeof opts.BITS === 'number') _nbitLength = opts.BITS;
+      if (typeof opts.sqrt === 'function') this.sqrt = opts.sqrt;
+      if (typeof opts.isLE === 'boolean') this.isLE = opts.isLE;
+      if (opts.allowedLengths) this._lengths = opts.allowedLengths?.slice();
+      if (typeof opts.modFromBytes === 'boolean') this._mod = opts.modFromBytes;
+    }
+    const { nBitLength, nByteLength } = nLength(ORDER, _nbitLength);
+    if (nByteLength > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
+    this.ORDER = ORDER;
+    this.BITS = nBitLength;
+    this.BYTES = nByteLength;
+    this._sqrt = undefined;
+    Object.preventExtensions(this);
+  }
+
+  create(num: bigint) {
+    return mod(num, this.ORDER);
+  }
+  isValid(num: bigint) {
+    if (typeof num !== 'bigint')
+      throw new Error('invalid field element: expected bigint, got ' + typeof num);
+    return _0n <= num && num < this.ORDER; // 0 is valid element, but it's not invertible
+  }
+  is0(num: bigint) {
+    return num === _0n;
+  }
+  // is valid and invertible
+  isValidNot0(num: bigint) {
+    return !this.is0(num) && this.isValid(num);
+  }
+  isOdd(num: bigint) {
+    return (num & _1n) === _1n;
+  }
+  neg(num: bigint) {
+    return mod(-num, this.ORDER);
+  }
+  eql(lhs: bigint, rhs: bigint) {
+    return lhs === rhs;
+  }
+
+  sqr(num: bigint) {
+    return mod(num * num, this.ORDER);
+  }
+  add(lhs: bigint, rhs: bigint) {
+    return mod(lhs + rhs, this.ORDER);
+  }
+  sub(lhs: bigint, rhs: bigint) {
+    return mod(lhs - rhs, this.ORDER);
+  }
+  mul(lhs: bigint, rhs: bigint) {
+    return mod(lhs * rhs, this.ORDER);
+  }
+  pow(num: bigint, power: bigint): bigint {
+    return FpPow(this, num, power);
+  }
+  div(lhs: bigint, rhs: bigint) {
+    return mod(lhs * invert(rhs, this.ORDER), this.ORDER);
+  }
+
+  // Same as above, but doesn't normalize
+  sqrN(num: bigint) {
+    return num * num;
+  }
+  addN(lhs: bigint, rhs: bigint) {
+    return lhs + rhs;
+  }
+  subN(lhs: bigint, rhs: bigint) {
+    return lhs - rhs;
+  }
+  mulN(lhs: bigint, rhs: bigint) {
+    return lhs * rhs;
+  }
+
+  inv(num: bigint) {
+    return invert(num, this.ORDER);
+  }
+  sqrt(num: bigint): bigint {
+    // Caching _sqrt speeds up sqrt9mod16 by 5x and tonneli-shanks by 10%
+    if (!this._sqrt) this._sqrt = FpSqrt(this.ORDER);
+    return this._sqrt(this, num);
+  }
+  toBytes(num: bigint) {
+    return this.isLE ? numberToBytesLE(num, this.BYTES) : numberToBytesBE(num, this.BYTES);
+  }
+  fromBytes(bytes: Uint8Array, skipValidation = false) {
+    abytes(bytes);
+    const { _lengths: allowedLengths, BYTES, isLE, ORDER, _mod: modFromBytes } = this;
+    if (allowedLengths) {
+      if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+        throw new Error(
+          'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
+        );
+      }
+      const padded = new Uint8Array(BYTES);
+      // isLE add 0 to right, !isLE to the left.
+      padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+      bytes = padded;
+    }
+    if (bytes.length !== BYTES)
+      throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
+    let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+    if (modFromBytes) scalar = mod(scalar, ORDER);
+    if (!skipValidation)
+      if (!this.isValid(scalar))
+        throw new Error('invalid field element: outside of range 0..ORDER');
+    // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+    // protocol may allow non-reduced scalar that reduced later or changed some other way.
+    return scalar;
+  }
+  // TODO: we don't need it here, move out to separate fn
+  invertBatch(lst: bigint[]): bigint[] {
+    return FpInvertBatch(this, lst);
+  }
+  // We can't move this out because Fp6, Fp12 implement it
+  // and it's unclear what to return in there.
+  cmov(a: bigint, b: bigint, condition: boolean) {
+    return condition ? b : a;
+  }
+}
+
 /**
  * Creates a finite field. Major performance optimizations:
  * * 1. Denormalized operations like mulN instead of mul.
@@ -406,104 +539,8 @@ type FieldOpts = Partial<{
  * @param isLE (default: false) if encoding / decoding should be in little-endian
  * @param redef optional faster redefinitions of sqrt and other methods
  */
-export function Field(
-  ORDER: bigint,
-  bitLenOrOpts?: number | FieldOpts, // TODO: use opts only in v2?
-  isLE = false,
-  opts: { sqrt?: SqrtFn } = {}
-): Readonly<FpField> {
-  if (ORDER <= _0n) throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-  let _nbitLength: number | undefined = undefined;
-  let _sqrt: SqrtFn | undefined = undefined;
-  let modFromBytes: boolean = false;
-  let allowedLengths: undefined | readonly number[] = undefined;
-  if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
-    if (opts.sqrt || isLE) throw new Error('cannot specify opts in two arguments');
-    const _opts = bitLenOrOpts;
-    if (_opts.BITS) _nbitLength = _opts.BITS;
-    if (_opts.sqrt) _sqrt = _opts.sqrt;
-    if (typeof _opts.isLE === 'boolean') isLE = _opts.isLE;
-    if (typeof _opts.modFromBytes === 'boolean') modFromBytes = _opts.modFromBytes;
-    allowedLengths = _opts.allowedLengths;
-  } else {
-    if (typeof bitLenOrOpts === 'number') _nbitLength = bitLenOrOpts;
-    if (opts.sqrt) _sqrt = opts.sqrt;
-  }
-  const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
-  if (BYTES > 2048) throw new Error('invalid field: expected ORDER of <= 2048 bytes');
-  let sqrtP: ReturnType<typeof FpSqrt>; // cached sqrtP
-  const f: Readonly<FpField> = Object.freeze({
-    ORDER,
-    isLE,
-    BITS,
-    BYTES,
-    MASK: bitMask(BITS),
-    ZERO: _0n,
-    ONE: _1n,
-    allowedLengths: allowedLengths,
-    create: (num) => mod(num, ORDER),
-    isValid: (num) => {
-      if (typeof num !== 'bigint')
-        throw new Error('invalid field element: expected bigint, got ' + typeof num);
-      return _0n <= num && num < ORDER; // 0 is valid element, but it's not invertible
-    },
-    is0: (num) => num === _0n,
-    // is valid and invertible
-    isValidNot0: (num: bigint) => !f.is0(num) && f.isValid(num),
-    isOdd: (num) => (num & _1n) === _1n,
-    neg: (num) => mod(-num, ORDER),
-    eql: (lhs, rhs) => lhs === rhs,
-
-    sqr: (num) => mod(num * num, ORDER),
-    add: (lhs, rhs) => mod(lhs + rhs, ORDER),
-    sub: (lhs, rhs) => mod(lhs - rhs, ORDER),
-    mul: (lhs, rhs) => mod(lhs * rhs, ORDER),
-    pow: (num, power) => FpPow(f, num, power),
-    div: (lhs, rhs) => mod(lhs * invert(rhs, ORDER), ORDER),
-
-    // Same as above, but doesn't normalize
-    sqrN: (num) => num * num,
-    addN: (lhs, rhs) => lhs + rhs,
-    subN: (lhs, rhs) => lhs - rhs,
-    mulN: (lhs, rhs) => lhs * rhs,
-
-    inv: (num) => invert(num, ORDER),
-    sqrt:
-      _sqrt ||
-      ((n) => {
-        if (!sqrtP) sqrtP = FpSqrt(ORDER);
-        return sqrtP(f, n);
-      }),
-    toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-    fromBytes: (bytes, skipValidation = true) => {
-      if (allowedLengths) {
-        if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
-          throw new Error(
-            'Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length
-          );
-        }
-        const padded = new Uint8Array(BYTES);
-        // isLE add 0 to right, !isLE to the left.
-        padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
-        bytes = padded;
-      }
-      if (bytes.length !== BYTES)
-        throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-      let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
-      if (modFromBytes) scalar = mod(scalar, ORDER);
-      if (!skipValidation)
-        if (!f.isValid(scalar)) throw new Error('invalid field element: outside of range 0..ORDER');
-      // NOTE: we don't validate scalar here, please use isValid. This done such way because some
-      // protocol may allow non-reduced scalar that reduced later or changed some other way.
-      return scalar;
-    },
-    // TODO: we don't need it here, move out to separate fn
-    invertBatch: (lst) => FpInvertBatch(f, lst),
-    // We can't move this out because Fp6, Fp12 implement it
-    // and it's unclear what to return in there.
-    cmov: (a, b, c) => (c ? b : a),
-  } as FpField);
-  return Object.freeze(f);
+export function Field(ORDER: bigint, opts: FieldOpts = {}): Readonly<FpField> {
+  return new _Field(ORDER, opts);
 }
 
 // Generic random scalar, we can do same for other fields if via Fp2.mul(Fp2.ONE, Fp2.random)?
@@ -532,28 +569,6 @@ export function FpSqrtEven<T>(Fp: IField<T>, elm: T): T {
   return Fp.isOdd(root) ? Fp.neg(root) : root;
 }
 
-/**
- * "Constant-time" private key generation utility.
- * Same as mapKeyToField, but accepts less bytes (40 instead of 48 for 32-byte field).
- * Which makes it slightly more biased, less secure.
- * @deprecated use `mapKeyToField` instead
- */
-export function hashToPrivateScalar(
-  hash: string | Uint8Array,
-  groupOrder: bigint,
-  isLE = false
-): bigint {
-  hash = ensureBytes('privateHash', hash);
-  const hashLen = hash.length;
-  const minLen = nLength(groupOrder).nByteLength + 8;
-  if (minLen < 24 || hashLen < minLen || hashLen > 1024)
-    throw new Error(
-      'hashToPrivateScalar: expected ' + minLen + '-1024 bytes of input, got ' + hashLen
-    );
-  const num = isLE ? bytesToNumberLE(hash) : bytesToNumberBE(hash);
-  return mod(num, groupOrder - _1n) + _1n;
-}
-
 /**
  * Returns total number of bytes consumed by the field element.
  * For example, 32 bytes for usual 256-bit weierstrass curve.
@@ -587,11 +602,12 @@ export function getMinHashLength(fieldOrder: bigint): number {
  * FIPS 186-5, A.2 https://csrc.nist.gov/publications/detail/fips/186/5/final
  * RFC 9380, https://www.rfc-editor.org/rfc/rfc9380#section-5
  * @param hash hash output from SHA3 or a similar function
- * @param groupOrder size of subgroup - (e.g. secp256k1.CURVE.n)
+ * @param groupOrder size of subgroup - (e.g. secp256k1.Point.Fn.ORDER)
  * @param isLE interpret hash bytes as LE num
  * @returns valid private scalar
  */
 export function mapHashToField(key: Uint8Array, fieldOrder: bigint, isLE = false): Uint8Array {
+  abytes(key);
   const len = key.length;
   const fieldLen = getFieldBytesLength(fieldOrder);
   const minLen = getMinHashLength(fieldOrder);