From d0c3bee4de8f6bb08e85218451a0ca615edde0eb Mon Sep 17 00:00:00 2001
From: Paul Miller
Date: Thu, 30 Mar 2023 07:20:35 +0000
Subject: [PATCH] weierstrass, edwards: make points expose typescript x, y

---
 src/abstract/edwards.ts | 9 ++++++---
 src/abstract/weierstrass.ts | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/abstract/edwards.ts b/src/abstract/edwards.ts
index 2f374c7..d030224 100644
--- a/src/abstract/edwards.ts
+++ b/src/abstract/edwards.ts
@@ -49,6 +49,8 @@ export interface ExtPointType extends Group {
 readonly ey: bigint;
 readonly ez: bigint;
 readonly et: bigint;
+ get x(): bigint;
+ get y(): bigint;
 assertValidity(): void;
 multiply(scalar: bigint): ExtPointType;
 multiplyUnsafe(scalar: bigint): ExtPointType;
@@ -297,8 +299,9 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 // Non-constant-time multiplication. Uses double-and-add algorithm.
 // It's faster, but should only be used when you don't care about
 // an exposed private key e.g. sig verification.
+ // Does NOT allow scalars higher than CURVE.n.
 multiplyUnsafe(scalar: bigint): Point {
- let n = assertGE0(scalar);
+ let n = assertGE0(scalar); // 0 <= scalar < CURVE.n
 if (n === _0n) return I;
 if (this.equals(I) || n === _1n) return this;
 if (this.equals(G)) return this.wNAF(n).p;
@@ -440,8 +443,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 if (preHash) msg = preHash(msg); // for ed25519ph, etc
 const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
 const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
- const s = ut.bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
- const SB = G.multiplyUnsafe(s);
+ const s = ut.bytesToNumberLE(sig.slice(len, 2 * len));
+ const SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
 const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
 const RkA = R.add(A.multiplyUnsafe(k));
 // [8][S]B = [8]R + [8][k]A'
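Review bot: The new `get x(): bigint;` / `get y(): bigint;` members on ExtPointType carry no TSDoc and sit directly under `ex`/`ey`/`ez`/`et` with nothing saying how the two coordinate sets relate, so a caller cannot tell from the interface whether `x`/`y` are affine, whether reading them does real work, or whether they can throw for the identity point. The getter implementations are not in this diff, so the exact wording has to come from them; if they return affine coordinates, a one-line TSDoc over each such as `/** Affine x coordinate; computed from the extended coordinates on access. */` would be enough, plus a note on what happens for the identity point if that case throws. The same gap applies to the `get x(): T;` / `get y(): T;` lines added to ProjPointType in the weierstrass.ts hunk. ExtPointType continues outside the hunk.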
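Review bot: The added `// Does NOT allow scalars higher than CURVE.n.` and `// 0 <= scalar < CURVE.n` comments claim an upper bound, but the only check visible in multiplyUnsafe is `assertGE0(scalar)`, whose name advertises only the lower bound; if that helper does not also reject `scalar >= CURVE.n`, the comment documents a guarantee the code does not give. This matters because the verify hunk at `@@ -440,8 +443,8 @@` drops its own `// 0 <= s < l` note and replaces it with `// 0 <= s < l is done inside` on `G.multiplyUnsafe(s)`, so the signature's s-range check (the bound that prevents accepting s values outside the group order) now rests entirely on this one call. I would make the delegation explicit at the call site, e.g. `let n = assertGE0(scalar); // assertGE0 must throw unless 0 <= scalar < CURVE.n`, and add a regression test asserting that a signature whose s is >= CURVE.n is rejected by verify. assertGE0 and the remainder of multiplyUnsafe are outside the hunk.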
diff --git a/src/abstract/weierstrass.ts b/src/abstract/weierstrass.ts
index c83b048..ac81e89 100644
--- a/src/abstract/weierstrass.ts
+++ b/src/abstract/weierstrass.ts
@@ -58,6 +58,8 @@ export interface ProjPointType extends Group> {
 readonly px: T;
 readonly py: T;
 readonly pz: T;
+ get x(): T;
+ get y(): T;
 multiply(scalar: bigint): ProjPointType;
 toAffine(iz?: T): AffinePoint;
 isTorsionFree(): boolean;