BW6-761 part 1 (#100)

* Add Fp, Fp2, Fp6 support for BW6-761 * Add G1 for BW6-761 * Prepare to support G2 twists on the same field as G1 * Remove a useless dependent type for lines * Implement G2 for BW6-761 * Fix Line leftover
2025-02-23 09:28:07 +00:00 · 2020-10-09 07:51:47 +02:00 · 2020-10-09 07:51:47 +02:00 · 71bb4c799a
commit 71bb4c799a
parent 49164b66d8
88 changed files with 1150 additions and 600 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# Constantine - Constant Time Elliptic Curve Cryptography
+# Constantine - Constant Time Pairing-Based & Elliptic Curve Cryptography
 [![License: Apache](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
@ -7,9 +7,10 @@
 [![Build Status: Travis](https://img.shields.io/travis/com/mratsim/constantine/master?label=Travis%20%28Linux%20x86_64%2FARM64%2FPowerPC64,%20MacOS%20x86_64%29)](https://travis-ci.com/mratsim/constantine)\
 [![Build Status: Azure](https://img.shields.io/azure-devops/build/numforge/07a2a7a5-995a-45d3-acd5-f5456fe7b04d/4?label=Azure%20%28Linux%2032%2F64-bit%2C%20Windows%2032%2F64-bit%2C%20MacOS%2064-bit%29)](https://dev.azure.com/numforge/Constantine/_build?definitionId=4&branchName=master)
-This library provides constant-time implementation of elliptic curve cryptography.
+This library provides [constant-time](https://en.wikipedia.org/wiki/Side-channel_attack) implementation of elliptic curve cryptography
 with a particular focus on pairing-based cryptography.
-The implementation is accompanied with SAGE code used as reference implementation and test vectors generators before high speed implementation.
+The implementations are accompanied with SAGE code used as reference implementation and test vectors generators before writing highly optimized routines implemented in the [Nim language](https://nim-lang.org/)
 > The library is in development state and high-level wrappers or example protocols are not available yet.
@ -43,6 +44,23 @@ This can be deactivated with `"-d:ConstantineASM=false"`:
 - at misssed opportunity on recent CPUs that support MULX/ADCX/ADOX instructions (~60% faster than Clang).
 - There is a 2.4x perf ratio between using plain GCC vs GCC with inline assembly.
 ## Why Nim
 The Nim language offers the following benefits for cryptography:
 - Compilation to machine code via C or C++ or alternatively compilation to Javascript. Easy FFI to those languages.
  - Obscure embedded devices with proprietary C compilers can be targeted.
  - WASM can be targeted.
 - Performance reachable in C is reachable in Nim, easily.
 - Rich type system: generics, dependent types, mutability-tracking and side-effect analysis, borrow-checking, distinct types (Miles != Meters, SecretBool != bool SecretWord != uint64).
 - Compile-time evaluation, including parsing hex string, converting them to BigInt or Finite Field elements and doing bigint operations.
 - Assembly support either inline or ``__attribute__((naked))`` or a simple `{.compile: "myasm.S".}` away
 - No GC if no GC-ed types are used (automatic memory management is set at the type level and optimized for latency/soft-realtime by default and can be totally deactivated).
 - Procedural macros working directly on AST to
  - create generic curve configuration,
  - derive constants
  - write a size-independent inline assembly code generator
 - Upcoming proof system for formal verification via Z3 ([DrNim](https://nim-lang.org/docs/drnim.html), [Correct-by-Construction RFC](https://github.com/nim-lang/RFCs/issues/222))
 ## Curves supported
 At the moment the following curves are supported, adding a new curve only requires adding the prime modulus
@ -50,14 +68,6 @@ and its bitsize in [constantine/config/curves.nim](constantine/config/curves_dec
 The following curves are configured:
 ### ECDH / ECDSA / EdDSA curves
 WIP:
 - NIST P-224
 - Curve25519
 - NIST P-256 / Secp256r1
 - Secp256k1 (Bitcoin, Ethereum 1)
 ### Pairing-Friendly curves
 Supports:
@ -76,6 +86,7 @@ Curves:
 - BN254_Snarks (Zero-Knowledge Proofs, Snarks, Starks, Zcash, Ethereum 1)
 - BLS12-377 (Zexe)
 - BLS12-381 (Algorand, Chia Networks, Dfinity, Ethereum 2, Filecoin, Zcash Sapling)
 - BW6-671 (Celo, EY Blockchain) (Pairings are WIP)
 ## Security
@ -97,7 +108,7 @@ This is would be incomplete without mentioning that the hardware, OS and compile
 actively hinder you by:
 - Hardware: sometimes not implementing multiplication in constant-time.
 - OS: not providing a way to prevent memory paging to disk, core dumps, a debugger attaching to your process or a context switch (coroutines) leaking register data.
- Compiler: optimizing away your carefully crafted branchless code and leaking server secrets or optimizing away your secure erasure routine which is "useless" because at the end of the function the data is not used anymore.
+- Compiler: optimizing away your carefully crafted branchless code and leaking server secrets or optimizing away your secure erasure routine which is deemed "useless" because at the end of the function the data is not used anymore.
 A growing number of attack vectors is being collected for your viewing pleasure
 at https://github.com/mratsim/constantine/wiki/Constant-time-arithmetics
@ -167,40 +178,51 @@ nimble bench_pairing_bls12_381
 As mentioned in the [Compiler caveats](#compiler-caveats) section, GCC is up to 2x slower than Clang due to mishandling of carries and register usage.
-On my machine i9-9980XE, for selected benchmarks with Clang + Assembly
+On my machine i9-9980XE, for selected benchmarks with Clang + Assembly, all being constant-time (or tagged unsafe).
 ```
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-Line double                                                  BLS12_381            649350.649 ops/s          1540 ns/op          4617 CPU cycles (approx)
+Line double                                                  BLS12_381            872600.349 ops/s          1146 ns/op          3434 CPU cycles (approx)
-Line add                                                     BLS12_381            482858.522 ops/s          2071 ns/op          6211 CPU cycles (approx)
+Line add                                                     BLS12_381            616522.811 ops/s          1622 ns/op          4864 CPU cycles (approx)
-Mul 𝔽p12 by line xy000z                                      BLS12_381            543478.261 ops/s          1840 ns/op          5518 CPU cycles (approx)
+Mul 𝔽p12 by line xy000z                                      BLS12_381            535905.681 ops/s          1866 ns/op          5597 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-Final Exponentiation Easy                                    BLS12_381             39411.973 ops/s         25373 ns/op         76119 CPU cycles (approx)
+Final Exponentiation Easy                                    BLS12_381             39443.064 ops/s         25353 ns/op         76058 CPU cycles (approx)
-Final Exponentiation Hard BLS12                              BLS12_381              2141.603 ops/s        466940 ns/op       1400833 CPU cycles (approx)
+Final Exponentiation Hard BLS12                              BLS12_381              2139.367 ops/s        467428 ns/op       1402299 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-Miller Loop BLS12                                            BLS12_381              2731.576 ops/s        366089 ns/op       1098278 CPU cycles (approx)
+Miller Loop BLS12                                            BLS12_381              2971.512 ops/s        336529 ns/op       1009596 CPU cycles (approx)
-Final Exponentiation BLS12                                   BLS12_381              2033.045 ops/s        491873 ns/op       1475634 CPU cycles (approx)
+Final Exponentiation BLS12                                   BLS12_381              2029.365 ops/s        492765 ns/op       1478310 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-Pairing BLS12                                                BLS12_381              1131.391 ops/s        883868 ns/op       2651631 CPU cycles (approx)
+Pairing BLS12                                                BLS12_381              1164.051 ops/s        859069 ns/op       2577234 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ```
 ```
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 EC Add G1                                                    ECP_ShortW_Proj[Fp[BLS12_381]]               2118644.068 ops/s           472 ns/op          1416 CPU cycles (approx)
-EC Mixed Addition G1                                         ECP_ShortW_Proj[Fp[BLS12_381]]                 2439024.390 ops/s           410 ns/op          1232 CPU cycles (approx)
+EC Add G1                                                    ECP_ShortW_Jac[Fp[BLS12_381]]                1818181.818 ops/s           550 ns/op          1652 CPU cycles (approx)
-EC Double G1                                                 ECP_ShortW_Proj[Fp[BLS12_381]]                 3448275.862 ops/s           290 ns/op           871 CPU cycles (approx)
+EC Mixed Addition G1                                         ECP_ShortW_Proj[Fp[BLS12_381]]               2427184.466 ops/s           412 ns/op          1236 CPU cycles (approx)
 EC Double G1                                                 ECP_ShortW_Proj[Fp[BLS12_381]]               3460207.612 ops/s           289 ns/op           867 CPU cycles (approx)
 EC Double G1                                                 ECP_ShortW_Jac[Fp[BLS12_381]]                3717472.119 ops/s           269 ns/op           809 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-EC ScalarMul G1 (unsafe reference DoubleAdd)                 ECP_ShortW_Proj[Fp[BLS12_381]]                    7147.094 ops/s        139917 ns/op        419756 CPU cycles (approx)
+EC Projective to Affine G1                                   ECP_ShortW_Proj[Fp[BLS12_381]]                 72020.166 ops/s         13885 ns/op         41656 CPU cycles (approx)
 EC Jacobian to Affine G1                                     ECP_ShortW_Jac[Fp[BLS12_381]]                  71989.058 ops/s         13891 ns/op         41673 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-EC ScalarMul Generic G1 (window = 2, scratchsize = 4)        ECP_ShortW_Proj[Fp[BLS12_381]]                    5048.975 ops/s        198060 ns/op        594188 CPU cycles (approx)
+EC ScalarMul G1 (unsafe reference DoubleAdd)                 ECP_ShortW_Proj[Fp[BLS12_381]]                  7260.266 ops/s        137736 ns/op        413213 CPU cycles (approx)
-EC ScalarMul Generic G1 (window = 3, scratchsize = 8)        ECP_ShortW_Proj[Fp[BLS12_381]]                    7148.269 ops/s        139894 ns/op        419685 CPU cycles (approx)
+EC ScalarMul G1 (unsafe reference DoubleAdd)                 ECP_ShortW_Jac[Fp[BLS12_381]]                   7140.970 ops/s        140037 ns/op        420115 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 4, scratchsize = 16)       ECP_ShortW_Proj[Fp[BLS12_381]]                    8112.735 ops/s        123263 ns/op        369791 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 5, scratchsize = 32)       ECP_ShortW_Proj[Fp[BLS12_381]]                    8464.534 ops/s        118140 ns/op        354424 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-EC ScalarMul G1 (endomorphism accelerated)                   ECP_ShortW_Proj[Fp[BLS12_381]]                    9679.418 ops/s        103312 ns/op        309939 CPU cycles (approx)
+EC ScalarMul Generic G1 (window = 2, scratchsize = 4)        ECP_ShortW_Proj[Fp[BLS12_381]]                  5036.946 ops/s        198533 ns/op        595606 CPU cycles (approx)
-EC ScalarMul Window-2 G1 (endomorphism accelerated)          ECP_ShortW_Proj[Fp[BLS12_381]]                   13089.348 ops/s         76398 ns/op        229195 CPU cycles (approx)
+EC ScalarMul Generic G1 (window = 3, scratchsize = 8)        ECP_ShortW_Proj[Fp[BLS12_381]]                  7080.799 ops/s        141227 ns/op        423684 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 4, scratchsize = 16)       ECP_ShortW_Proj[Fp[BLS12_381]]                  8062.631 ops/s        124029 ns/op        372091 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 5, scratchsize = 32)       ECP_ShortW_Proj[Fp[BLS12_381]]                  8377.244 ops/s        119371 ns/op        358116 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 2, scratchsize = 4)        ECP_ShortW_Jac[Fp[BLS12_381]]                   4703.359 ops/s        212614 ns/op        637847 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 3, scratchsize = 8)        ECP_ShortW_Jac[Fp[BLS12_381]]                   6901.407 ops/s        144898 ns/op        434697 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 4, scratchsize = 16)       ECP_ShortW_Jac[Fp[BLS12_381]]                   8022.720 ops/s        124646 ns/op        373940 CPU cycles (approx)
 EC ScalarMul Generic G1 (window = 5, scratchsize = 32)       ECP_ShortW_Jac[Fp[BLS12_381]]                   8433.552 ops/s        118574 ns/op        355725 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 EC ScalarMul G1 (endomorphism accelerated)                   ECP_ShortW_Proj[Fp[BLS12_381]]                  9703.933 ops/s        103051 ns/op        309155 CPU cycles (approx)
 EC ScalarMul Window-2 G1 (endomorphism accelerated)          ECP_ShortW_Proj[Fp[BLS12_381]]                 13160.839 ops/s         75983 ns/op        227950 CPU cycles (approx)
 EC ScalarMul G1 (endomorphism accelerated)                   ECP_ShortW_Jac[Fp[BLS12_381]]                   9064.868 ops/s        110316 ns/op        330951 CPU cycles (approx)
 EC ScalarMul Window-2 G1 (endomorphism accelerated)          ECP_ShortW_Jac[Fp[BLS12_381]]                  12722.484 ops/s         78601 ns/op        235806 CPU cycles (approx)
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 ```
--- a/benchmarks/bench_ec_g1.nim
+++ b/benchmarks/bench_ec_g1.nim
@ -45,31 +45,31 @@ proc main() =
  separator()
  staticFor i, 0, AvailableCurves.len:
    const curve = AvailableCurves[i]
-    addBench(ECP_ShortW_Proj[Fp[curve]], Iters)
+    addBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
-    addBench(ECP_ShortW_Jac[Fp[curve]], Iters)
+    addBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], Iters)
-    mixedAddBench(ECP_ShortW_Proj[Fp[curve]], Iters)
+    mixedAddBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
-    doublingBench(ECP_ShortW_Proj[Fp[curve]], Iters)
+    doublingBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], Iters)
-    doublingBench(ECP_ShortW_Jac[Fp[curve]], Iters)
+    doublingBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], Iters)
    separator()
-    affFromProjBench(ECP_ShortW_Proj[Fp[curve]], MulIters)
+    affFromProjBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
-    affFromJacBench(ECP_ShortW_Jac[Fp[curve]], MulIters)
+    affFromJacBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
    separator()
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp[curve]], MulIters)
+    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp[curve]], MulIters)
+    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
    separator()
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 2, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 2, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 3, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 3, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 4, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 4, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve]], window = 5, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp[curve], NotOnTwist], window = 5, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 2, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 2, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 3, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 3, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 4, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 4, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve]], window = 5, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp[curve], NotOnTwist], window = 5, MulIters)
    separator()
-    scalarMulEndo(ECP_ShortW_Proj[Fp[curve]], MulIters)
+    scalarMulEndo(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
-    scalarMulEndoWindow(ECP_ShortW_Proj[Fp[curve]], MulIters)
+    scalarMulEndoWindow(ECP_ShortW_Proj[Fp[curve], NotOnTwist], MulIters)
-    scalarMulEndo(ECP_ShortW_Jac[Fp[curve]], MulIters)
+    scalarMulEndo(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
-    scalarMulEndoWindow(ECP_ShortW_Jac[Fp[curve]], MulIters)
+    scalarMulEndoWindow(ECP_ShortW_Jac[Fp[curve], NotOnTwist], MulIters)
    separator()
    separator()
--- a/benchmarks/bench_ec_g2.nim
+++ b/benchmarks/bench_ec_g2.nim
@ -46,29 +46,29 @@ proc main() =
  separator()
  staticFor i, 0, AvailableCurves.len:
    const curve = AvailableCurves[i]
-    addBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
+    addBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
-    addBench(ECP_ShortW_Jac[Fp2[curve]], Iters)
+    addBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], Iters)
-    mixedAddBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
+    mixedAddBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
-    doublingBench(ECP_ShortW_Proj[Fp2[curve]], Iters)
+    doublingBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], Iters)
-    doublingBench(ECP_ShortW_Jac[Fp2[curve]], Iters)
+    doublingBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], Iters)
    separator()
-    affFromProjBench(ECP_ShortW_Proj[Fp2[curve]], MulIters)
+    affFromProjBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
-    affFromJacBench(ECP_ShortW_Jac[Fp2[curve]], MulIters)
+    affFromJacBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
    separator()
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp2[curve]], MulIters)
+    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
-    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve]], MulIters)
+    scalarMulUnsafeDoubleAddBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
    separator()
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 2, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 2, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 3, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 3, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 4, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 4, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve]], window = 5, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Proj[Fp2[curve], OnTwist], window = 5, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 2, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 2, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 3, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 3, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 4, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 4, MulIters)
-    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve]], window = 5, MulIters)
+    scalarMulGenericBench(ECP_ShortW_Jac[Fp2[curve], OnTwist], window = 5, MulIters)
    separator()
-    scalarMulEndo(ECP_ShortW_Proj[Fp2[curve]], MulIters)
+    scalarMulEndo(ECP_ShortW_Proj[Fp2[curve], OnTwist], MulIters)
-    scalarMulEndo(ECP_ShortW_Jac[Fp2[curve]], MulIters)
+    scalarMulEndo(ECP_ShortW_Jac[Fp2[curve], OnTwist], MulIters)
    separator()
    separator()
--- a/benchmarks/bench_elliptic_template.nim
+++ b/benchmarks/bench_elliptic_template.nim
@ -140,7 +140,7 @@ proc mixedAddBench*(T: typedesc, iters: int) =
  var r {.noInit.}: T
  let P = rng.random_unsafe(T)
  let Q = rng.random_unsafe(T)
-  var Qaff: ECP_ShortW_Aff[T.F]
+  var Qaff: ECP_ShortW_Aff[T.F, T.Tw]
  Qaff.affineFromProjective(Q)
  bench("EC Mixed Addition " & G1_or_G2, T, iters):
    r.madd(P, Qaff)
@ -154,14 +154,14 @@ proc doublingBench*(T: typedesc, iters: int) =
 proc affFromProjBench*(T: typedesc, iters: int) =
  const G1_or_G2 = when T.F is Fp: "G1" else: "G2"
-  var r {.noInit.}: ECP_ShortW_Aff[T.F]
+  var r {.noInit.}: ECP_ShortW_Aff[T.F, T.Tw]
  let P = rng.random_unsafe(T)
  bench("EC Projective to Affine " & G1_or_G2, T, iters):
    r.affineFromProjective(P)
 proc affFromJacBench*(T: typedesc, iters: int) =
  const G1_or_G2 = when T.F is Fp: "G1" else: "G2"
-  var r {.noInit.}: ECP_ShortW_Aff[T.F]
+  var r {.noInit.}: ECP_ShortW_Aff[T.F, T.Tw]
  let P = rng.random_unsafe(T)
  bench("EC Jacobian to Affine " & G1_or_G2, T, iters):
    r.affineFromJacobian(P)
--- a/benchmarks/bench_pairing_template.nim
+++ b/benchmarks/bench_pairing_template.nim
@ -129,33 +129,33 @@ func random_point*(rng: var RngState, EC: typedesc): EC {.noInit.} =
  result.clearCofactorReference()
 proc lineDoubleBench*(C: static Curve, iters: int) =
-  var line: Line[Fp2[C], C.getSexticTwist()]
+  var line: Line[Fp2[C]]
-  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
-  let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+  let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-  var Paff: ECP_ShortW_Aff[Fp[C]]
+  var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
  Paff.affineFromProjective(P)
  bench("Line double", C, iters):
    line.line_double(T, Paff)
 proc lineAddBench*(C: static Curve, iters: int) =
-  var line: Line[Fp2[C], C.getSexticTwist()]
+  var line: Line[Fp2[C]]
-  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  let
-    P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+    P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  var
-    Paff: ECP_ShortW_Aff[Fp[C]]
+    Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-    Qaff: ECP_ShortW_Aff[Fp2[C]]
+    Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
  bench("Line add", C, iters):
    line.line_add(T, Qaff, Paff)
 proc mulFp12byLine_xyz000_Bench*(C: static Curve, iters: int) =
-  var line: Line[Fp2[C], C.getSexticTwist()]
+  var line: Line[Fp2[C]]
-  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
-  let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+  let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-  var Paff: ECP_ShortW_Aff[Fp[C]]
+  var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
  Paff.affineFromProjective(P)
  line.line_double(T, Paff)
@ -165,10 +165,10 @@ proc mulFp12byLine_xyz000_Bench*(C: static Curve, iters: int) =
    f.mul_sparse_by_line_xyz000(line)
 proc mulFp12byLine_xy000z_Bench*(C: static Curve, iters: int) =
-  var line: Line[Fp2[C], C.getSexticTwist()]
+  var line: Line[Fp2[C]]
-  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+  var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
-  let P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+  let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-  var Paff: ECP_ShortW_Aff[Fp[C]]
+  var Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
  Paff.affineFromProjective(P)
  line.line_double(T, Paff)
@ -179,11 +179,11 @@ proc mulFp12byLine_xy000z_Bench*(C: static Curve, iters: int) =
 proc millerLoopBLS12Bench*(C: static Curve, iters: int) =
  let
-    P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+    P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  var
-    Paff: ECP_ShortW_Aff[Fp[C]]
+    Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-    Qaff: ECP_ShortW_Aff[Fp2[C]]
+    Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
@ -194,11 +194,11 @@ proc millerLoopBLS12Bench*(C: static Curve, iters: int) =
 proc millerLoopBNBench*(C: static Curve, iters: int) =
  let
-    P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+    P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  var
-    Paff: ECP_ShortW_Aff[Fp[C]]
+    Paff: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-    Qaff: ECP_ShortW_Aff[Fp2[C]]
+    Qaff: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
@ -238,8 +238,8 @@ proc finalExpBNBench*(C: static Curve, iters: int) =
 proc pairingBLS12Bench*(C: static Curve, iters: int) =
  let
-    P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+    P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  var f: Fp12[C]
@ -248,8 +248,8 @@ proc pairingBLS12Bench*(C: static Curve, iters: int) =
 proc pairingBNBench*(C: static Curve, iters: int) =
  let
-    P = rng.random_point(ECP_ShortW_Proj[Fp[C]])
+    P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist])
-    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]])
+    Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist])
  var f: Fp12[C]
--- a/constantine.nimble
+++ b/constantine.nimble
@ -43,6 +43,7 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
  ("tests/t_fp6_bn254_snarks.nim", false),
  ("tests/t_fp6_bls12_377.nim", false),
  ("tests/t_fp6_bls12_381.nim", false),
  ("tests/t_fp6_bw6_761.nim", false),
  ("tests/t_fp12_bn254_snarks.nim", false),
  ("tests/t_fp12_bls12_377.nim", false),
  ("tests/t_fp12_bls12_381.nim", false),
@ -60,36 +61,57 @@ const testDesc: seq[tuple[path: string, useGMP: bool]] = @[
  ("tests/t_ec_shortw_jac_g1_mul_sanity.nim", false),
  ("tests/t_ec_shortw_jac_g1_mul_distri.nim", false),
  ("tests/t_ec_shortw_jac_g1_mul_vs_ref.nim", false),
  # mixed_add
  # Elliptic curve arithmetic G2
  ("tests/t_ec_shortw_prj_g2_add_double_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_sanity_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_distri_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_vs_ref_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_prj_g2_mixed_add_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_prj_g2_add_double_bls12_381.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_sanity_bls12_381.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_distri_bls12_381.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_381.nim", false),
  ("tests/t_ec_shortw_prj_g2_mixed_add_bls12_381.nim", false),
  ("tests/t_ec_shortw_prj_g2_add_double_bls12_377.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_sanity_bls12_377.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_distri_bls12_377.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_377.nim", false),
  ("tests/t_ec_shortw_prj_g2_mixed_add_bls12_377.nim", false),
  ("tests/t_ec_shortw_prj_g2_add_double_bw6_761.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_sanity_bw6_761.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_distri_bw6_761.nim", false),
  ("tests/t_ec_shortw_prj_g2_mul_vs_ref_bw6_761.nim", false),
  ("tests/t_ec_shortw_prj_g2_mixed_add_bw6_761.nim", false),
  ("tests/t_ec_shortw_jac_g2_add_double_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_sanity_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_distri_bn254_snarks.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_vs_ref_bn254_snarks.nim", false),
  # mixed_add
  ("tests/t_ec_shortw_jac_g2_add_double_bls12_381.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_sanity_bls12_381.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_distri_bls12_381.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_381.nim", false),
  # mixed_add
  ("tests/t_ec_shortw_jac_g2_add_double_bls12_377.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_sanity_bls12_377.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_distri_bls12_377.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_377.nim", false),
  # mixed_add
  ("tests/t_ec_shortw_jac_g2_add_double_bw6_761.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_sanity_bw6_761.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_distri_bw6_761.nim", false),
  ("tests/t_ec_shortw_jac_g2_mul_vs_ref_bw6_761.nim", false),
  # mixed_add
  # Elliptic curve arithmetic vs Sagemath
  ("tests/t_ec_frobenius.nim", false),
  ("tests/t_ec_sage_bn254.nim", false),
@ -217,6 +239,10 @@ task test_no_gmp, "Run tests that don't require GMP":
    runBench("bench_fp12")
    runBench("bench_ec_g1")
    runBench("bench_ec_g2")
    runBench("bench_pairing_bls12_377")
    runBench("bench_pairing_bls12_381")
    runBench("bench_pairing_bn254_nogami")
    runBench("bench_pairing_bn254_snarks")
 task test_parallel, "Run all tests in parallel (via GNU parallel)":
  # -d:testingCurves is configured in a *.nim.cfg for convenience
@ -256,6 +282,10 @@ task test_parallel, "Run all tests in parallel (via GNU parallel)":
    runBench("bench_fp12")
    runBench("bench_ec_g1")
    runBench("bench_ec_g2")
    runBench("bench_pairing_bls12_377")
    runBench("bench_pairing_bls12_381")
    runBench("bench_pairing_bn254_nogami")
    runBench("bench_pairing_bn254_snarks")
 task test_parallel_no_assembler, "Run all tests (without macro assembler) in parallel (via GNU parallel)":
  # -d:testingCurves is configured in a *.nim.cfg for convenience
@ -295,6 +325,10 @@ task test_parallel_no_assembler, "Run all tests (without macro assembler) in par
    runBench("bench_fp12")
    runBench("bench_ec_g1")
    runBench("bench_ec_g2")
    runBench("bench_pairing_bls12_377")
    runBench("bench_pairing_bls12_381")
    runBench("bench_pairing_bn254_nogami")
    runBench("bench_pairing_bn254_snarks")
 task test_parallel_no_gmp, "Run all tests in parallel (via GNU parallel)":
  # -d:testingCurves is configured in a *.nim.cfg for convenience
@ -336,6 +370,10 @@ task test_parallel_no_gmp, "Run all tests in parallel (via GNU parallel)":
    runBench("bench_fp12")
    runBench("bench_ec_g1")
    runBench("bench_ec_g2")
    runBench("bench_pairing_bls12_377")
    runBench("bench_pairing_bls12_381")
    runBench("bench_pairing_bn254_nogami")
    runBench("bench_pairing_bn254_snarks")
 task test_parallel_no_gmp_no_assembler, "Run all tests in parallel (via GNU parallel)":
  # -d:testingCurves is configured in a *.nim.cfg for convenience
@ -377,6 +415,10 @@ task test_parallel_no_gmp_no_assembler, "Run all tests in parallel (via GNU para
    runBench("bench_fp12")
    runBench("bench_ec_g1")
    runBench("bench_ec_g2")
    runBench("bench_pairing_bls12_377")
    runBench("bench_pairing_bls12_381")
    runBench("bench_pairing_bn254_nogami")
    runBench("bench_pairing_bn254_snarks")
 task bench_fp, "Run benchmark 𝔽p with your default compiler":
  runBench("bench_fp")
--- a/constantine/config/curves_declaration.nim
+++ b/constantine/config/curves_declaration.nim
@ -128,7 +128,7 @@ declareCurves:
    # u: 0x8508c00000000001
    # G1 Equation: y² = x³ + 1
-    # G2 Equation: y² = x³ + 1/ with 𝑗 = √-5
+    # G2 Equation: y² = x³ + 1/𝑗 with 𝑗 = √-5
    order: "0x12ab655e9a2ca55660b44d1e5c37b00159aa76fed00000010a11800000000001"
    orderBitwidth: 253
    eq_form: ShortWeierstrass
@ -159,3 +159,27 @@ declareCurves:
    sexticTwist: M_Twist
    sexticNonResidue_fp2: (1, 1) # 1+𝑖
  curve BW6_761:
    bitwidth: 761
    modulus: "0x122e824fb83ce0ad187c94004faff3eb926186a81d14688528275ef8087be41707ba638e584e91903cebaff25b423048689c8ed12f9fd9071dcd3dc73ebff2e98a116c25667a8f8160cf8aeeaf0a437e6913e6870000082f49d00000000008b"
    family: BrezingWeng
    # Curve that embeds BLS12-377, see https://eprint.iacr.org/2020/351.pdf
    # u: 3 * 2^46 * (7 * 13 * 499) + 1
    # u: 0x8508c00000000001
    # r = p_BLS12-377 = (x⁶−2x⁵+2x³+x+1)/3
    # p = 103x¹²−379x¹¹+250x¹⁰+691x⁹−911x⁸−79x⁷+623x⁶−640x⁵+274x⁴+763x³+73x²+254x+229)/9
    # G1 Equation: y² = x³ - 1
    # G6 Equation: y² = x³ + 4 (M-Twist)
    order: "0x01ae3a4617c510eac63b05c06ca1493b1a22d9f300f5138f1ef3622fba094800170b5d44300000008508c00000000001"
    orderBitwidth: 377
    coef_a: 0
    coef_b: -1
    # TODO: rework the quad/cube/sextic non residue declaration
    nonresidue_quad_fp: -4       # -4   is not a square in 𝔽p
    nonresidue_cube_fp2: (0, 1)  # -4   is not a cube in 𝔽p²
    sexticTwist: M_Twist
    sexticNonResidue_fp2: (0, 1)  # -4
--- a/constantine/config/curves_parser.nim
+++ b/constantine/config/curves_parser.nim
@ -29,6 +29,7 @@ type
    NoFamily
    BarretoNaehrig   # BN curve
    BarretoLynnScott # BLS curve
    BrezingWeng      # BW curve
  CurveCoefKind* = enum
    ## Small coefficients fit in an int64
@ -184,6 +185,10 @@ proc parseCurveDecls(defs: var seq[CurveParams], curves: NimNode) =
      elif sectionId.eqIdent"coef_b":
        if sectionVal.kind == nnkIntLit:
          params.coef_B = CurveCoef(kind: Small, coef: sectionVal.intVal.int)
        elif sectionVal.kind == nnkPrefix: # Got -1
          sectionVal[0].expectIdent"-"
          sectionVal[1].expectKind(nnkIntLit)
          params.coef_B = CurveCoef(kind: Small, coef: -sectionVal[1].intVal.int)
        else:
          params.coef_B = CurveCoef(kind: Large, coefHex: sectionVal.strVal)
      elif sectionId.eqIdent"order":
--- a/constantine/elliptic/ec_endomorphism_accel.nim
+++ b/constantine/elliptic/ec_endomorphism_accel.nim
@ -65,18 +65,20 @@ func decomposeEndo*[M, scalBits, L: static int](
  static: doAssert L >= (scalBits + M - 1) div M + 1
  const w = F.C.getCurveOrderBitwidth().wordsRequired()
-  when F is Fp:
+  when M == 2:
    var alphas{.noInit.}: (
      BigInt[scalBits + babai(F)[0][0].bits],
      BigInt[scalBits + babai(F)[1][0].bits]
    )
-  else:
+  elif M == 4:
    var alphas{.noInit.}: (
      BigInt[scalBits + babai(F)[0][0].bits],
      BigInt[scalBits + babai(F)[1][0].bits],
      BigInt[scalBits + babai(F)[2][0].bits],
      BigInt[scalBits + babai(F)[3][0].bits]
    )
  else:
    {.error: "The decomposition degree " & $M & " is not configured".}
  staticFor i, 0, M:
    when bool babai(F)[i][0].isZero():
--- a/constantine/elliptic/ec_shortweierstrass_affine.nim
+++ b/constantine/elliptic/ec_shortweierstrass_affine.nim
@ -11,7 +11,7 @@ import
  ../config/[common, curves],
  ../arithmetic,
  ../towers,
-  ../io/io_bigints
+  ../io/[io_fields, io_towers]
 # ############################################################
 #
@ -20,14 +20,19 @@ import
 #
 # ############################################################
-type ECP_ShortW_Aff*[F] = object
+type
  Twisted* = enum
    NotOnTwist
    OnTwist
  ECP_ShortW_Aff*[F; Tw: static Twisted] = object
    ## Elliptic curve point for a curve in Short Weierstrass form
    ##   y² = x³ + a x + b
    ##
    ## over a field F
    x*, y*: F
-func curve_eq_rhs*[F](y2: var F, x: F) =
+func curve_eq_rhs*[F](y2: var F, x: F, Tw: static Twisted) =
  ## Compute the curve equation right-hand-side from field element `x`
  ## i.e.  `y²` in `y² = x³ + a x + b`
  ## or on sextic twists for pairing curves `y² = x³ + b/µ` or `y² = x³ + µ b`
@ -54,8 +59,9 @@ func curve_eq_rhs*[F](y2: var F, x: F) =
  # TODO: precomputation needed when deserializing points
  #       to check if a point is on-curve and prevent denial-of-service
  #       using slow inversion.
-  y2.fromBig F.C.matchingBigInt().fromUint F.C.getCoefB()
+  when F.C.getCoefB() >= 0:
-  when F is Fp2:
+    y2.fromInt F.C.getCoefB()
    when Tw == OnTwist:
      when F.C.getSexticTwist() == D_Twist:
        y2 /= SexticNonResidue
      elif F.C.getSexticTwist() == M_Twist:
@ -64,23 +70,36 @@ func curve_eq_rhs*[F](y2: var F, x: F) =
        {.error: "Only twisted curves are supported on extension field 𝔽p²".}
    y2 += t
  else:
    y2.fromInt -F.C.getCoefB()
    when Tw == OnTwist:
      when F.C.getSexticTwist() == D_Twist:
        y2 /= SexticNonResidue
      elif F.C.getSexticTwist() == M_Twist:
        y2 *= SexticNonResidue
      else:
        {.error: "Only twisted curves are supported on extension field 𝔽p²".}
    y2.diffAlias(t, y2)
  when F.C.getCoefA() != 0:
    t = x
    t *= F.C.getCoefA()
    y2 += t
-func isOnCurve*[F](x, y: F): SecretBool =
+func isOnCurve*[F](x, y: F, Tw: static Twisted): SecretBool =
  ## Returns true if the (x, y) coordinates
  ## represents a point of the elliptic curve
  var y2, rhs {.noInit.}: F
  y2.square(y)
-  rhs.curve_eq_rhs(x)
+  rhs.curve_eq_rhs(x, Tw)
  return y2 == rhs
-func trySetFromCoordX*[F](P: var ECP_ShortW_Aff[F], x: F): SecretBool =
+func trySetFromCoordX*[F, Tw](
       P: var ECP_ShortW_Aff[F, Tw],
       x: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## y² = x³ + a x + b     (affine coordinate)
  ##
@ -91,7 +110,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Aff[F], x: F): SecretBool =
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
-  P.y.curve_eq_rhs(x)
+  P.y.curve_eq_rhs(x, Tw)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
  result = sqrt_if_square(P.y)
--- a/constantine/elliptic/ec_shortweierstrass_jacobian.nim
+++ b/constantine/elliptic/ec_shortweierstrass_jacobian.nim
@ -13,6 +13,8 @@ import
  ../towers,
  ./ec_shortweierstrass_affine
 export Twisted
 # ############################################################
 #
 #             Elliptic Curve in Short Weierstrass form
@ -20,7 +22,7 @@ import
 #
 # ############################################################
-type ECP_ShortW_Jac*[F] = object
+type ECP_ShortW_Jac*[F; Tw: static Twisted] = object
  ## Elliptic curve point for a curve in Short Weierstrass form
  ##   y² = x³ + a x + b
  ##
@ -32,10 +34,11 @@ type ECP_ShortW_Jac*[F] = object
  ## Note that jacobian coordinates are not unique
  x*, y*, z*: F
-func `==`*[F](P, Q: ECP_ShortW_Jac[F]): SecretBool =
+func `==`*(P, Q: ECP_ShortW_Jac): SecretBool =
  ## Constant-time equality check
  ## This is a costly operation
  # Reminder: the representation is not unique
  type F = ECP_ShortW_Jac.F
  var z1z1 {.noInit.}, z2z2 {.noInit.}: F
  var a{.noInit.}, b{.noInit.}: F
@ -77,7 +80,9 @@ func ccopy*(P: var ECP_ShortW_Jac, Q: ECP_ShortW_Jac, ctl: SecretBool) =
  for fP, fQ in fields(P, Q):
    ccopy(fP, fQ, ctl)
-func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
+func trySetFromCoordsXandZ*[F; Tw](
       P: var ECP_ShortW_Jac[F, Tw],
       x, z: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## Y² = X³ + aXZ⁴ + bZ⁶  (Jacobian coordinates)
  ## y² = x³ + a x + b     (affine coordinate)
@ -86,7 +91,7 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
-  P.y.curve_eq_rhs(x)
+  P.y.curve_eq_rhs(x, Tw)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
  result = sqrt_if_square(P.y)
@ -97,7 +102,9 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Jac[F], x, z: F): SecretBool =
  P.y *= z
  P.z = z
-func trySetFromCoordX*[F](P: var ECP_ShortW_Jac[F], x: F): SecretBool =
+func trySetFromCoordX*[F; Tw](
       P: var ECP_ShortW_Jac[F, Tw],
       x: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## y² = x³ + a x + b     (affine coordinate)
  ##
@ -108,7 +115,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Jac[F], x: F): SecretBool =
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
-  P.y.curve_eq_rhs(x)
+  P.y.curve_eq_rhs(x, Tw)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
  result = sqrt_if_square(P.y)
  P.x = x
@ -129,9 +136,9 @@ func cneg*(P: var ECP_ShortW_Jac, ctl: CTBool) =
  ## Negate if ``ctl`` is true
  P.y.cneg(ctl)
-func sum*[F](
+func sum*[F; Tw: static Twisted](
-       r: var ECP_ShortW_Jac[F],
+       r: var ECP_ShortW_Jac[F, Tw],
-       P, Q: ECP_ShortW_Jac[F]
+       P, Q: ECP_ShortW_Jac[F, Tw]
     ) =
  ## Elliptic curve point addition for Short Weierstrass curves in Jacobian coordinates
  ##
@ -286,9 +293,9 @@ func sum*[F](
    r.ccopy(Q, P.isInf())
    r.ccopy(P, Q.isInf())
-func double*[F](
+func double*[F; Tw: static Twisted](
-       r: var ECP_ShortW_Jac[F],
+       r: var ECP_ShortW_Jac[F, Tw],
-       P: ECP_ShortW_Jac[F]
+       P: ECP_ShortW_Jac[F, Tw]
     ) =
  ## Elliptic curve point doubling for Short Weierstrass curves in projective coordinate
  ##
@ -365,7 +372,9 @@ func diff*(r: var ECP_ShortW_Jac,
  nQ.neg()
  r.sum(P, nQ)
-func affineFromJacobian*[F](aff: var ECP_ShortW_Aff[F], jac: ECP_ShortW_Jac) =
+func affineFromJacobian*[F; Tw](
       aff: var ECP_ShortW_Aff[F, Tw],
       jac: ECP_ShortW_Jac[F, Tw]) =
  var invZ {.noInit.}, invZ2: F
  invZ.inv(jac.z)
  invZ2.square(invZ)
@ -374,7 +383,9 @@ func affineFromJacobian*[F](aff: var ECP_ShortW_Aff[F], jac: ECP_ShortW_Jac) =
  aff.y.prod(jac.y, invZ)
  aff.y.prod(jac.y, invZ2)
-func projectiveFromJacobian*[F](jac: var ECP_ShortW_Jac, aff: ECP_ShortW_Aff[F]) {.inline.} =
+func projectiveFromJacobian*[F; Tw](
       jac: var ECP_ShortW_Jac[F, Tw],
       aff: ECP_ShortW_Aff[F, Tw]) {.inline.} =
  jac.x = aff.x
  jac.y = aff.y
  jac.z.setOne()
--- a/constantine/elliptic/ec_shortweierstrass_projective.nim
+++ b/constantine/elliptic/ec_shortweierstrass_projective.nim
@ -13,6 +13,8 @@ import
  ../towers,
  ./ec_shortweierstrass_affine
 export Twisted
 # ############################################################
 #
 #             Elliptic Curve in Short Weierstrass form
@ -20,7 +22,7 @@ import
 #
 # ############################################################
-type ECP_ShortW_Proj*[F] = object
+type ECP_ShortW_Proj*[F; Tw: static Twisted] = object
  ## Elliptic curve point for a curve in Short Weierstrass form
  ##   y² = x³ + a x + b
  ##
@ -32,10 +34,11 @@ type ECP_ShortW_Proj*[F] = object
  ## Note that projective coordinates are not unique
  x*, y*, z*: F
-func `==`*[F](P, Q: ECP_ShortW_Proj[F]): SecretBool =
+func `==`*(P, Q: ECP_ShortW_Proj): SecretBool =
  ## Constant-time equality check
  ## This is a costly operation
  # Reminder: the representation is not unique
  type F = ECP_ShortW_Proj.F
  var a{.noInit.}, b{.noInit.}: F
@ -71,7 +74,9 @@ func ccopy*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Proj, ctl: SecretBool) =
  for fP, fQ in fields(P, Q):
    ccopy(fP, fQ, ctl)
-func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
+func trySetFromCoordsXandZ*[F; Tw](
       P: var ECP_ShortW_Proj[F, Tw],
       x, z: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## Y²Z = X³ + aXZ² + bZ³ (projective coordinates)
  ## y² = x³ + a x + b     (affine coordinate)
@ -80,7 +85,7 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
-  P.y.curve_eq_rhs(x)
+  P.y.curve_eq_rhs(x, Tw)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
  result = sqrt_if_square(P.y)
@ -88,7 +93,9 @@ func trySetFromCoordsXandZ*[F](P: var ECP_ShortW_Proj[F], x, z: F): SecretBool =
  P.y *= z
  P.z = z
-func trySetFromCoordX*[F](P: var ECP_ShortW_Proj[F], x: F): SecretBool =
+func trySetFromCoordX*[F; Tw](
       P: var ECP_ShortW_Proj[F, Tw],
       x: F): SecretBool =
  ## Try to create a point the elliptic curve
  ## y² = x³ + a x + b     (affine coordinate)
  ##
@ -99,7 +106,7 @@ func trySetFromCoordX*[F](P: var ECP_ShortW_Proj[F], x: F): SecretBool =
  ##
  ## Note: Dedicated robust procedures for hashing-to-curve
  ##       will be provided, this is intended for testing purposes.
-  P.y.curve_eq_rhs(x)
+  P.y.curve_eq_rhs(x, Tw)
  # TODO: supports non p ≡ 3 (mod 4) modulus like BLS12-377
  result = sqrt_if_square(P.y)
  P.x = x
@ -120,9 +127,9 @@ func cneg*(P: var ECP_ShortW_Proj, ctl: CTBool) =
  ## Negate if ``ctl`` is true
  P.y.cneg(ctl)
-func sum*[F](
+func sum*[F; Tw: static Twisted](
-       r: var ECP_ShortW_Proj[F],
+       r: var ECP_ShortW_Proj[F, Tw],
-       P, Q: ECP_ShortW_Proj[F]
+       P, Q: ECP_ShortW_Proj[F, Tw]
     ) =
  ## Elliptic curve point addition for Short Weierstrass curves in projective coordinates
  ##
@ -180,32 +187,32 @@ func sum*[F](
    t3 *= t4                  # 6.  t₃ <- t₃ * t₄
    t4.sum(t0, t1)            # 7.  t₄ <- t₀ + t₁
    t3 -= t4                  # 8.  t₃ <- t₃ - t₄   t₃ = (X₁ + Y₁)(X₂ + Y₂) - (X₁X₂ + Y₁Y₂) = X₁Y₂ + X₂Y₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t3 *= SexticNonResidue
    t4.sum(P.y, P.z)          # 9.  t₄ <- Y₁ + Z₁
    r.x.sum(Q.y, Q.z)         # 10. X₃ <- Y₂ + Z₂
    t4 *= r.x                 # 11. t₄ <- t₄ X₃
    r.x.sum(t1, t2)           # 12. X₃ <- t₁ + t₂   X₃ = Y₁Y₂ + Z₁Z₂
    t4 -= r.x                 # 13. t₄ <- t₄ - X₃   t₄ = (Y₁ + Z₁)(Y₂ + Z₂) - (Y₁Y₂ + Z₁Z₂) = Y₁Z₂ + Y₂Z₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t4 *= SexticNonResidue
    r.x.sum(P.x, P.z)         # 14. X₃ <- X₁ + Z₁
    r.y.sum(Q.x, Q.z)         # 15. Y₃ <- X₂ + Z₂
    r.x *= r.y                # 16. X₃ <- X₃ Y₃     X₃ = (X₁Z₁)(X₂Z₂)
    r.y.sum(t0, t2)           # 17. Y₃ <- t₀ + t₂   Y₃ = X₁ X₂ + Z₁ Z₂
    r.y.diffAlias(r.x, r.y)   # 18. Y₃ <- X₃ - Y₃   Y₃ = (X₁ + Z₁)(X₂ + Z₂) - (X₁ X₂ + Z₁ Z₂) = X₁Z₂ + X₂Z₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t0 *= SexticNonResidue
      t1 *= SexticNonResidue
    r.x.double(t0)            # 19. X₃ <- t₀ + t₀   X₃ = 2 X₁X₂
    t0 += r.x                 # 20. t₀ <- X₃ + t₀   t₀ = 3 X₁X₂
    t2 *= b3                  # 21. t₂ <- 3b t₂     t₂ = 3bZ₁Z₂
-    when F is Fp2 and F.C.getSexticTwist() == M_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
      t2 *= SexticNonResidue
    r.z.sum(t1, t2)           # 22. Z₃ <- t₁ + t₂   Z₃ = Y₁Y₂ + 3bZ₁Z₂
    t1 -= t2                  # 23. t₁ <- t₁ - t₂   t₁ = Y₁Y₂ - 3bZ₁Z₂
    r.y *= b3                 # 24. Y₃ <- 3b Y₃     Y₃ = 3b(X₁Z₂ + X₂Z₁)
-    when F is Fp2 and F.C.getSexticTwist() == M_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
      r.y *= SexticNonResidue
    r.x.prod(t4, r.y)         # 25. X₃ <- t₄ Y₃     X₃ = 3b(Y₁Z₂ + Y₂Z₁)(X₁Z₂ + X₂Z₁)
    t2.prod(t3, t1)           # 26. t₂ <- t₃ t₁     t₂ = (X₁Y₂ + X₂Y₁) (Y₁Y₂ - 3bZ₁Z₂)
@ -219,9 +226,10 @@ func sum*[F](
  else:
    {.error: "Not implemented.".}
-func madd*[F](
+func madd*[F; Tw: static Twisted](
-       r: var ECP_ShortW_Proj[F],
+       r: var ECP_ShortW_Proj[F, Tw],
-       P: ECP_ShortW_Proj[F], Q: ECP_ShortW_Aff[F]
+       P: ECP_ShortW_Proj[F, Tw],
       Q: ECP_ShortW_Aff[F, Tw]
     ) =
  ## Elliptic curve mixed addition for Short Weierstrass curves
  ## with p in Projective coordinates and Q in affine coordinates
@ -247,27 +255,27 @@ func madd*[F](
    t3 *= t4                  # 5.  t₃ <- t₃ * t₄
    t4.sum(t0, t1)            # 6.  t₄ <- t₀ + t₁
    t3 -= t4                  # 7.  t₃ <- t₃ - t₄, t₃ = (X₁ + Y₁)(X₂ + Y₂) - (X₁ X₂ + Y₁ Y₂) = X₁Y₂ + X₂Y₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t3 *= SexticNonResidue
    t4.prod(Q.y, P.z)         # 8.  t₄ <- Y₂ Z₁
    t4 += P.y                 # 9.  t₄ <- t₄ + Y₁, t₄ = Y₁+Y₂Z₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t4 *= SexticNonResidue
    r.y.prod(Q.x, P.z)        # 10. Y₃ <- X₂ Z₁
    r.y += P.x                # 11. Y₃ <- Y₃ + X₁, Y₃ = X₁ + X₂Z₁
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      t0 *= SexticNonResidue
      t1 *= SexticNonResidue
    r.x.double(t0)            # 12. X₃ <- t₀ + t₀
    t0 += r.x                 # 13. t₀ <- X₃ + t₀, t₀ = 3X₁X₂
    t2 = P.z
    t2 *= b3                  # 14. t₂ <- 3bZ₁
-    when F is Fp2 and F.C.getSexticTwist() == M_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
      t2 *= SexticNonResidue
    r.z.sum(t1, t2)           # 15. Z₃ <- t₁ + t₂, Z₃ = Y₁Y₂ + 3bZ₁
    t1 -= t2                  # 16. t₁ <- t₁ - t₂, t₁ = Y₁Y₂ - 3bZ₁
    r.y *= b3                 # 17. Y₃ <- 3bY₃,    Y₃ = 3b(X₁ + X₂Z₁)
-    when F is Fp2 and F.C.getSexticTwist() == M_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
      r.y *= SexticNonResidue
    r.x.prod(t4, r.y)         # 18. X₃ <- t₄ Y₃,   X₃ = (Y₁ + Y₂Z₁) 3b(X₁ + X₂Z₁)
    t2.prod(t3, t1)           # 19. t₂ <- t₃ t₁,   t₂ = (X₁Y₂ + X₂Y₁)(Y₁Y₂ - 3bZ₁)
@ -281,9 +289,9 @@ func madd*[F](
  else:
    {.error: "Not implemented.".}
-func double*[F](
+func double*[F; Tw: static Twisted](
-       r: var ECP_ShortW_Proj[F],
+       r: var ECP_ShortW_Proj[F, Tw],
-       P: ECP_ShortW_Proj[F]
+       P: ECP_ShortW_Proj[F, Tw]
     ) =
  ## Elliptic curve point doubling for Short Weierstrass curves in projective coordinate
  ##
@ -327,7 +335,7 @@ func double*[F](
    # Y₃ = (Y² - 9bZ²)(Y² + 3bZ²) + 24bY²Z²
    # Z₃ = 8Y³Z
    snrY = P.y
-    when F is Fp2 and F.C.getSexticTwist() == D_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == D_Twist:
      snrY *= SexticNonResidue
      t0.square(P.y)
      t0 *= SexticNonResidue
@ -339,7 +347,7 @@ func double*[F](
    t1.prod(snrY, P.z)        # 5.  t₁ <- Y Z
    t2.square(P.z)            # 6.  t₂ <- Z Z
    t2 *= b3                  # 7.  t₂ <- 3b t₂
-    when F is Fp2 and F.C.getSexticTwist() == M_Twist:
+    when Tw == OnTwist and F.C.getSexticTwist() == M_Twist:
      t2 *= SexticNonResidue
    r.x.prod(t2, r.z)         # 8.  X₃ <- t₂ Z₃
    r.y.sum(t0, t2)           # 9.  Y₃ <- t₀ + t₂
@ -355,25 +363,25 @@ func double*[F](
  else:
    {.error: "Not implemented.".}
-func `+=`*[F](P: var ECP_ShortW_Proj[F], Q: ECP_ShortW_Proj[F]) =
+func `+=`*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Proj) =
  ## In-place point addition
  # TODO test for aliasing support
-  var tmp {.noInit.}: ECP_ShortW_Proj[F]
+  var tmp {.noInit.}: ECP_ShortW_Proj
  tmp.sum(P, Q)
  P = tmp
-func `+=`*[F](P: var ECP_ShortW_Proj[F], Q: ECP_ShortW_Aff[F]) =
+func `+=`*(P: var ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
  ## In-place mixed point addition
  # used in line_addition
  P.madd(P, Q)
-func double*[F](P: var ECP_ShortW_Proj[F]) =
+func double*(P: var ECP_ShortW_Proj) =
-  var tmp {.noInit.}: ECP_ShortW_Proj[F]
+  var tmp {.noInit.}: ECP_ShortW_Proj
  tmp.double(P)
  P = tmp
-func diff*[F](r: var ECP_ShortW_Proj[F],
+func diff*(r: var ECP_ShortW_Proj,
-              P, Q: ECP_ShortW_Proj[F]
+              P, Q: ECP_ShortW_Proj
     ) =
  ## r = P - Q
  ## Can handle r and Q aliasing
@ -381,14 +389,18 @@ func diff*[F](r: var ECP_ShortW_Proj[F],
  nQ.neg()
  r.sum(P, nQ)
-func affineFromProjective*[F](aff: var ECP_ShortW_Aff[F], proj: ECP_ShortW_Proj) =
+func affineFromProjective*[F, Tw](
       aff: var ECP_ShortW_Aff[F, Tw],
       proj: ECP_ShortW_Proj[F, Tw]) =
  var invZ {.noInit.}: F
  invZ.inv(proj.z)
  aff.x.prod(proj.x, invZ)
  aff.y.prod(proj.y, invZ)
-func projectiveFromAffine*[F](proj: var ECP_ShortW_Proj, aff: ECP_ShortW_Aff[F]) {.inline.} =
+func projectiveFromAffine*[F, Tw](
       proj: var ECP_ShortW_Proj[F, Tw],
       aff: ECP_ShortW_Aff[F, Tw]) {.inline.} =
  proj.x = aff.x
  proj.y = aff.y
  proj.z.setOne()
--- a/constantine/hash_to_curve/cofactors.nim
+++ b/constantine/hash_to_curve/cofactors.nim
@ -42,40 +42,40 @@ const Cofactor_Eff_BLS12_381_G1 = BigInt[64].fromHex"0xd201000000010001"
 const Cofactor_Eff_BLS12_381_G2 = BigInt[636].fromHex"0xbc69f08f2ee75b3584c6a0ea91b352888e2a8e9145ad7689986ff031508ffe1329c2f178731db956d82bf015d1212b02ec0ec69d7477c1ae954cbc06689f6a359894c0adebbf6b4e8020005aaa95551"
  ## P -> (x^2 - x - 1) P + (x - 1) psi(P) + psi(psi(2P))
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Nogami]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Nogami], NotOnTwist]) {.inline.} =
  ## Clear the cofactor of BN254_Nogami G1
  ## BN curve have a G1 cofactor of 1 so this is a no-op
  discard
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Nogami]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist]) {.inline.} =
  ## Clear the cofactor of BN254_Snarks G2
  # Endomorphism acceleration cannot be used if cofactor is not cleared
  P.scalarMulGeneric(Cofactor_Eff_BN254_Nogami_G2)
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Snarks]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist]) {.inline.} =
  ## Clear the cofactor of BN254_Snarks G1
  ## BN curve have a G1 cofactor of 1 so this is a no-op
  discard
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Snarks]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist]) {.inline.} =
  ## Clear the cofactor of BN254_Snarks G2
  # Endomorphism acceleration cannot be used if cofactor is not cleared
  P.scalarMulGeneric(Cofactor_Eff_BN254_Snarks_G2)
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_377]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist]) {.inline.} =
  ## Clear the cofactor of BLS12_377 G1
  P.scalarMulGeneric(Cofactor_Eff_BLS12_377_G1)
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_377]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist]) {.inline.} =
  ## Clear the cofactor of BLS12_377 G2
  # Endomorphism acceleration cannot be used if cofactor is not cleared
  P.scalarMulGeneric(Cofactor_Eff_BLS12_377_G2)
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_381]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist]) {.inline.} =
  ## Clear the cofactor of BLS12_381 G1
  P.scalarMulGeneric(Cofactor_Eff_BLS12_381_G1)
-func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_381]]) {.inline.} =
+func clearCofactorReference*(P: var ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]) {.inline.} =
  ## Clear the cofactor of BLS12_381 G2
  # Endomorphism acceleration cannot be used if cofactor is not cleared
  P.scalarMulGeneric(Cofactor_Eff_BLS12_381_G2)
--- a/constantine/io/io_ec.nim
+++ b/constantine/io/io_ec.nim
@ -41,7 +41,7 @@ func toHex*[EC](P: EC): string =
  ##
  ## This proc output may change format in the future
-  var aff {.noInit.}: ECP_ShortW_Aff[EC.F]
+  var aff {.noInit.}: ECP_ShortW_Aff[EC.F, EC.Tw]
  when EC is ECP_ShortW_Proj:
    aff.affineFromProjective(P)
  elif EC is ECP_ShortW_Jac:
@ -64,7 +64,7 @@ func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x, y: string): bool
  dst.x.fromHex(x)
  dst.y.fromHex(y)
  dst.z.setOne()
-  return bool(isOnCurve(dst.x, dst.y))
+  return bool(isOnCurve(dst.x, dst.y, dst.Tw))
 func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x0, x1, y0, y1: string): bool {.raises: [ValueError].}=
  ## Convert hex strings to a G2 curve point
@ -75,7 +75,7 @@ func fromHex*(dst: var (ECP_ShortW_Proj or ECP_ShortW_Jac), x0, x1, y0, y1: stri
  dst.x.fromHex(x0, x1)
  dst.y.fromHex(y0, y1)
  dst.z.setOne()
-  return bool(isOnCurve(dst.x, dst.y))
+  return bool(isOnCurve(dst.x, dst.y, dst.Tw))
 func fromHex*(dst: var ECP_ShortW_Aff, x, y: string): bool {.raises: [ValueError].}=
  ## Convert hex strings to a G1 curve point
@ -85,7 +85,7 @@ func fromHex*(dst: var ECP_ShortW_Aff, x, y: string): bool {.raises: [ValueError
  static: doAssert dst.F is Fp, "dst must be on G1, an elliptic curve over 𝔽p"
  dst.x.fromHex(x)
  dst.y.fromHex(y)
-  return bool(isOnCurve(dst.x, dst.y))
+  return bool(isOnCurve(dst.x, dst.y, dst.Tw))
 func fromHex*(dst: var ECP_ShortW_Aff, x0, x1, y0, y1: string): bool {.raises: [ValueError].}=
  ## Convert hex strings to a G2 curve point
@ -95,4 +95,4 @@ func fromHex*(dst: var ECP_ShortW_Aff, x0, x1, y0, y1: string): bool {.raises: [
  static: doAssert dst.F is Fp2, "dst must be on G2, an elliptic curve over 𝔽p2"
  dst.x.fromHex(x0, x1)
  dst.y.fromHex(y0, y1)
-  return bool(isOnCurve(dst.x, dst.y))
+  return bool(isOnCurve(dst.x, dst.y, dst.Tw))
--- a/constantine/io/io_fields.nim
+++ b/constantine/io/io_fields.nim
@ -8,7 +8,9 @@
 import
  ./io_bigints,
-  ../arithmetic/finite_fields
+  ../config/common,
  ../arithmetic/finite_fields,
  ../primitives
 # No exceptions allowed
 {.push raises: [].}
@ -23,7 +25,22 @@ import
 func fromUint*(dst: var Fp,
               src: SomeUnsignedInt) =
  ## Parse a regular unsigned integer
-  ## and store it into a BigInt of size `bits`
+  ## and store it into a Fp
  let raw {.noinit.} = (type dst.mres).fromRawUint(cast[array[sizeof(src), byte]](src), cpuEndian)
  dst.fromBig(raw)
 func fromInt*(dst: var Fp,
               src: SomeInteger) =
  ## Parse a regular signed integer
  ## and store it into a Fp
  ## A negative integer will be instantiated as a negated number (mod p)
  when src is SomeUnsignedInt:
    dst.fromUint(src)
  else:
    const msb_pos = src.sizeof * 8 - 1
    let isNeg = SecretBool((src shr msb_pos) and 1)
    let src = isNeg.mux(SecretWord -src, SecretWord src)
    let raw {.noinit.} = (type dst.mres).fromRawUint(cast[array[sizeof(src), byte]](src), cpuEndian)
    dst.fromBig(raw)
--- a/constantine/io/io_towers.nim
+++ b/constantine/io/io_towers.nim
@ -12,6 +12,7 @@ import
  std/typetraits,
  # Internal
  ./io_bigints, ./io_fields,
  ../arithmetic/finite_fields,
  ../towers
 # No exceptions allowed
@ -103,3 +104,21 @@ func fromHex*(T: typedesc[Fp12],
              c8, c9, c10, c11: string): T {.raises: [ValueError].}=
  ## Convert 12 coordinates to an element of 𝔽p12
  result.fromHex(c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11)
 func fromUint*(a: var ExtensionField, src: SomeUnsignedInt) =
  ## Set ``a`` to the bigint value int eh extension field
  for fieldName, fA in fieldPairs(a):
    when fieldName == "c0":
      fA.fromUint(src)
    else:
      fA.setZero()
 func fromInt*(a: var ExtensionField, src: SomeInteger) =
  ## Parse a regular signed integer
  ## and store it into a Fp^n
  ## A negative integer will be instantiated as a negated number (mod p^n)
  for fieldName, fA in fieldPairs(a):
    when fieldName == "c0":
      fA.fromInt(src)
    else:
      fA.setZero()
--- a/constantine/pairing/cyclotomic_fp12.nim
+++ b/constantine/pairing/cyclotomic_fp12.nim
@ -40,11 +40,11 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
  ## an unique Gₜ representation
  ## (reminder, Gₜ is a multiplicative group hence we exponentiate by the cofactor)
  ##
-  ## i.e. Fp^12 --> (fexp easy) --> Gϕ₁₂ --> (fexp hard) --> Gₜ
+  ## i.e. Fp¹² --> (fexp easy) --> Gϕ₁₂ --> (fexp hard) --> Gₜ
  ##
-  ## The final exponentiation is fexp = f^((p^12 - 1) / r)
+  ## The final exponentiation is fexp = f^((p¹² - 1) / r)
  ## It is separated into:
-  ## f^((p^12 - 1) / r) = (p^12 - 1) / ϕ₁₂(p)  * ϕ₁₂(p) / r
+  ## f^((p¹² - 1) / r) = (p¹² - 1) / ϕ₁₂(p)  * ϕ₁₂(p) / r
  ##
  ## with the cyclotomic polynomial ϕ₁₂(p) = (p⁴-p²+1)
  ##
@ -53,10 +53,10 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
  ##  f^(p⁶−1)(p²+1)
  ##
  ## And properties are
-  ## 0. f^(p⁶) ≡ conj(f) (mod p^12) for all f in Fp12
+  ## 0. f^(p⁶) ≡ conj(f) (mod p¹²) for all f in Fp12
  ##
  ## After g = f^(p⁶−1) the result g is on the cyclotomic subgroup
-  ## 1. g^(-1) ≡ g^(p⁶) (mod p^12)
+  ## 1. g^(-1) ≡ g^(p⁶) (mod p¹²)
  ## 2. Inversion can be done with conjugate
  ## 3. g is unitary, its norm |g| (the product of conjugates) is 1
  ## 4. Squaring has a fast compressed variant.
@ -66,43 +66,43 @@ func finalExpEasy*[C: static Curve](f: var Fp12[C]) =
  # Fp12 can be defined as a quadratic extension over Fp⁶
  # with g = g₀ + x g₁ with x a quadratic non-residue
  #
-  # with q = p⁶
+  # with q = p⁶, q² = p¹²
  # The frobenius map f^q ≡ (f₀ + x f₁)^q (mod q²)
  #                       ≡ f₀^q + x^q f₁^q (mod q²)
  #                       ≡ f₀ + x^q f₁ (mod q²)
  #                       ≡ f₀ - x f₁ (mod q²)
  # hence
-  # f^p⁶ ≡ conj(f) (mod p^12)
+  # f^p⁶ ≡ conj(f) (mod p¹²)
  # Q.E.D. of (0)
  #
  # ----------------
  #
-  # p^12 - 1 = (p⁶−1)(p⁶+1) = (p⁶−1)(p²+1)(p⁴-p²+1)
+  # p¹² - 1 = (p⁶−1)(p⁶+1) = (p⁶−1)(p²+1)(p⁴-p²+1)
  # by Fermat's little theorem we have
-  # f^(p^12 - 1) ≡ 1 (mod p^12)
+  # f^(p¹² - 1) ≡ 1 (mod p¹²)
  #
-  # Hence f^(p⁶−1)(p⁶+1) ≡ 1 (mod p^12)
+  # Hence f^(p⁶−1)(p⁶+1) ≡ 1 (mod p¹²)
  #
  # We call g = f^(p⁶−1) we have
-  # g^(p⁶+1) ≡ 1 (mod p^12) <=> g^(p⁶) * g ≡ 1 (mod p^12)
+  # g^(p⁶+1) ≡ 1 (mod p¹²) <=> g^(p⁶) * g ≡ 1 (mod p¹²)
-  # hence g^(-1) ≡ g^(p⁶) (mod p^12)
+  # hence g^(-1) ≡ g^(p⁶) (mod p¹²)
  # Q.E.D. of (1)
  #
  # --
  #
-  # From (1) g^(-1) ≡ g^(p⁶) (mod p^12) for g = f^(p⁶−1)
+  # From (1) g^(-1) ≡ g^(p⁶) (mod p¹²) for g = f^(p⁶−1)
-  # and  (0) f^p⁶ ≡ conj(f) (mod p^12)  for all f in fp12
+  # and  (0) f^p⁶ ≡ conj(f) (mod p¹²)  for all f in fp12
  #
-  # so g^(-1) ≡ conj(g) (mod p^12) for g = f^(p⁶−1)
+  # so g^(-1) ≡ conj(g) (mod p¹²) for g = f^(p⁶−1)
  # Q.E.D. of (2)
  #
  # --
  #
-  # f^(p^12 - 1) ≡ 1 (mod p^12) by Fermat's Little Theorem
+  # f^(p¹² - 1) ≡ 1 (mod p¹²) by Fermat's Little Theorem
-  # f^(p⁶−1)(p⁶+1) ≡ 1 (mod p^12)
+  # f^(p⁶−1)(p⁶+1) ≡ 1 (mod p¹²)
-  # g^(p⁶+1) ≡ 1 (mod p^12)
+  # g^(p⁶+1) ≡ 1 (mod p¹²)
-  # g * g^p⁶ ≡ 1 (mod p^12)
+  # g * g^p⁶ ≡ 1 (mod p¹²)
-  # g * conj(g) ≡ 1 (mod p^12)
+  # g * conj(g) ≡ 1 (mod p¹²)
  # Q.E.D. of (3)
  var g {.noinit.}: typeof(f)
  g.inv(f)              # g = f^-1
--- a/constantine/pairing/lines_common.nim
+++ b/constantine/pairing/lines_common.nim
@ -16,7 +16,7 @@ import
  ../io/io_towers
 type
-  Line*[F; twist: static SexticTwist] = object
+  Line*[F] = object
    ## Packed line representation over a E'(Fp^k/d)
    ## with k the embedding degree and d the twist degree
    ## i.e. for a curve with embedding degree 12 and sextic twist
@ -47,9 +47,10 @@ func toHex*(line: Line, order: static Endianness = bigEndian): string =
 # Line evaluation
 # --------------------------------------------------
-func line_update*(line: var Line, P: ECP_ShortW_Aff) =
+func line_update*[F1, F2](line: var Line[F2], P: ECP_ShortW_Aff[F1, NotOnTwist]) =
  ## Update the line evaluation with P
  ## after addition or doubling
  ## P in G1
  static: doAssert F1.C == F2.C
  line.x *= P.y
  line.z *= P.x
--- a/constantine/pairing/lines_projective.nim
+++ b/constantine/pairing/lines_projective.nim
@ -44,7 +44,9 @@ export lines_common
 # Line evaluation only
 # -----------------------------------------------------------------------------
-func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
+func line_eval_double[F](
       line: var Line[F],
       T: ECP_ShortW_Proj[F, OnTwist]) =
  ## Evaluate the line function for doubling
  ## i.e. the tangent at T
  ##
@ -83,8 +85,8 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
  ## A constant factor on twisted coordinates pᵏᐟᵈ
  ## is a constant factor on pᵏ with d the twisting degree
  ## and so will be elminated. QED.
-  var v {.noInit.}: Line.F
+  var v {.noInit.}: F
-  const b3 = 3 * ECP_ShortW_Proj.F.C.getCoefB()
+  const b3 = 3 * F.C.getCoefB()
  template A: untyped = line.x
  template B: untyped = line.y
@ -106,9 +108,9 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
  B *= b3               # B = 3b Z²
  C *= 3                # C = 3X²
-  when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
+  when F.C.getSexticTwist() == M_Twist:
    B *= SexticNonResidue # B = 3b' Z² = 3bξ Z²
-  elif ECP_ShortW_Proj.F.C.getSexticTwist() == D_Twist:
+  elif F.C.getSexticTwist() == D_Twist:
    v *= SexticNonResidue # v =  ξ Y²
    C *= SexticNonResidue # C = 3ξ X²
  else:
@ -117,7 +119,10 @@ func line_eval_double(line: var Line, T: ECP_ShortW_Proj) =
  B -= v                # B = 3bξ Z² - Y²  (M-twist)
                        # B = 3b Z² - ξ Y² (D-twist)
-func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
+func line_eval_add[F](
       line: var Line[F],
       T: ECP_ShortW_Proj[F, OnTwist],
       Q: ECP_ShortW_Aff[F, OnTwist]) =
  ## Evaluate the line function for addition
  ## i.e. the line between T and Q
  ##
@ -137,7 +142,7 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
  ## Note: There is no need for complete formula as
  ## we have T ∉ [Q, -Q] in the Miller loop doubling-and-add
  ## i.e. the line cannot be vertical
-  var v {.noInit.}: Line.F
+  var v {.noInit.}: F
  template A: untyped = line.x
  template B: untyped = line.y
@ -155,7 +160,7 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
  C -= v      # C = Y₁-Z₁Y₂
  v = A       # v = X₁-Z₁X₂
-  when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
+  when F.C.getSexticTwist() == M_Twist:
    A *= SexticNonResidue # A = ξ (X₁ - Z₁X₂)
  v *= Q.y    # v = (X₁-Z₁X₂) Y₂
@ -165,16 +170,18 @@ func line_eval_add(line: var Line, T: ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
  C.neg()     # C = -(Y₁-Z₁Y₂)
-func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
+func line_eval_fused_double[F](
       line: var Line[F],
       T: var ECP_ShortW_Proj[F, OnTwist]) =
  ## Fused line evaluation and elliptic point doubling
  # Grewal et al, 2012 adapted to Scott 2019 line notation
-  var A {.noInit.}, B {.noInit.}, C {.noInit.}: Line.F
+  var A {.noInit.}, B {.noInit.}, C {.noInit.}: F
-  var E {.noInit.}, F {.noInit.}, G {.noInit.}: Line.F
+  var E {.noInit.}, F {.noInit.}, G {.noInit.}: F
  template H: untyped = line.x
-  const b3 = 3*Line.F.C.getCoefB()
+  const b3 = 3*F.C.getCoefB()
  var snrY = T.y
-  when Line.F.C.getSexticTwist() == D_Twist:
+  when F.C.getSexticTwist() == D_Twist:
    snrY *= SexticNonResidue
  A.prod(T.x, snrY)
@ -183,12 +190,12 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
  C.square(T.z)     # C = Z²
  var snrB = B
-  when Line.F.C.getSexticTwist() == D_Twist:
+  when F.C.getSexticTwist() == D_Twist:
    snrB *= SexticNonResidue
  E = C
  E *= b3
-  when Line.F.C.getSexticTwist() == M_Twist:
+  when F.C.getSexticTwist() == M_Twist:
    E *= SexticNonResidue # E = 3b'Z² = 3bξ Z²
  F = E
@ -202,7 +209,7 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
  line.z.square(T.x)
  line.z *= 3       # lz = 3X²
-  when Line.F.C.getSexticTwist() == D_Twist:
+  when F.C.getSexticTwist() == D_Twist:
    line.z *= SexticNonResidue
  line.y.diff(E, snrB) # ly = E-B = 3b'Z² - Y²
@ -220,7 +227,7 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
                    # M-twist: (Y²+9bξZ²)²/4 - 3*(3bξZ²)²
                    # D-Twist: (ξY²+9bZ²)²/4 - 3*(3bZ²)²
-  when Line.F.C.getSexticTwist() == D_Twist:
+  when F.C.getSexticTwist() == D_Twist:
    H *= SexticNonResidue
  T.z.prod(snrB, H) # Z₃ = BH = Y²((Y+Z)² - (Y²+Z²)) = 2Y³Z
                    # M-twist: 2Y³Z
@ -228,23 +235,26 @@ func line_eval_fused_double(line: var Line, T: var ECP_ShortW_Proj) =
  # Correction for Fp4 towering
  H.neg()           # lx = -H
-  when Line.F.C.getSexticTwist() == M_Twist:
+  when F.C.getSexticTwist() == M_Twist:
    H *= SexticNonResidue
    # else: the SNR is already integrated in H
-func line_eval_fused_add(line: var Line, T: var ECP_ShortW_Proj, Q: ECP_ShortW_Aff) =
+func line_eval_fused_add[F](
       line: var Line[F],
       T: var ECP_ShortW_Proj[F, OnTwist],
       Q: ECP_ShortW_Aff[F, OnTwist]) =
  ## Fused line evaluation and elliptic point addition
  # Grewal et al, 2012 adapted to Scott 2019 line notation
  var
-    A {.noInit.}: Line.F
+    A {.noInit.}: F
-    B {.noInit.}: Line.F
+    B {.noInit.}: F
-    C {.noInit.}: Line.F
+    C {.noInit.}: F
-    D {.noInit.}: Line.F
+    D {.noInit.}: F
-    E {.noInit.}: Line.F
+    E {.noInit.}: F
-    F {.noInit.}: Line.F
+    F {.noInit.}: F
-    G {.noInit.}: Line.F
+    G {.noInit.}: F
-    H {.noInit.}: Line.F
+    H {.noInit.}: F
-    I {.noInit.}: Line.F
+    I {.noInit.}: F
  template lambda: untyped = line.x
  template theta: untyped = line.z
@ -279,17 +289,21 @@ func line_eval_fused_add(line: var Line, T: var ECP_ShortW_Proj, Q: ECP_ShortW_A
  # Line evaluation
  theta.neg()
-  when ECP_ShortW_Proj.F.C.getSexticTwist() == M_Twist:
+  when F.C.getSexticTwist() == M_Twist:
    lambda *= SexticNonResidue # A = ξ (X₁ - Z₁X₂)
 # Public proc
 # -----------------------------------------------------------------------------
-func line_double*(line: var Line, T: var ECP_ShortW_Proj, P: ECP_ShortW_Aff) =
+func line_double*[F1, F2](
       line: var Line[F2],
       T: var ECP_ShortW_Proj[F2, OnTwist],
       P: ECP_ShortW_Aff[F1, NotOnTwist]) =
  ## Doubling step of the Miller loop
  ## T in G2, P in G1
  ##
  ## Compute lt,t(P)
  static: doAssert F1.C == F2.C
  when true:
    line_eval_fused_double(line, T)
    line.line_update(P)
@ -298,14 +312,16 @@ func line_double*(line: var Line, T: var ECP_ShortW_Proj, P: ECP_ShortW_Aff) =
    line.line_update(P)
    T.double()
-func line_add*[C](
+func line_add*[F1, F2](
-       line: var Line,
+       line: var Line[F2],
-       T: var ECP_ShortW_Proj[Fp2[C]],
+       T: var ECP_ShortW_Proj[F2, OnTwist],
-       Q: ECP_ShortW_Aff[Fp2[C]], P: ECP_ShortW_Aff[Fp[C]]) =
+       Q: ECP_ShortW_Aff[F2, OnTwist],
       P: ECP_ShortW_Aff[F1, NotOnTwist]) =
  ## Addition step of the Miller loop
  ## T and Q in G2, P in G1
  ##
  ## Compute lt,q(P)
  static: doAssert F1.C == F2.C
  when true:
    line_eval_fused_add(line, T, Q)
    line.line_update(P)
--- a/constantine/pairing/mul_fp12_by_lines.nim
+++ b/constantine/pairing/mul_fp12_by_lines.nim
@ -41,10 +41,10 @@ import
 # 𝔽p12 by line - Sparse functions
 # ----------------------------------------------------------------
-func mul_by_line_xy0*[C: static Curve, twist: static SexticTwist](
+func mul_by_line_xy0*[C: static Curve](
       r: var Fp6[C],
       a: Fp6[C],
-       b: Line[Fp2[C], twist]) =
+       b: Line[Fp2[C]]) =
  ## Sparse multiplication of an 𝔽p6
  ## with coordinates (a₀, a₁, a₂) by a line (x, y, 0)
  ## The z coordinates in the line will be ignored.
@ -68,19 +68,21 @@ func mul_by_line_xy0*[C: static Curve, twist: static SexticTwist](
  r.c2.prod(a.c2, b.x)
  r.c2 += v1
-func mul_sparse_by_line_xy00z0*[C: static Curve, Tw: static SexticTwist](
+func mul_sparse_by_line_xy00z0*[C: static Curve](
-      f: var Fp12[C], l: Line[Fp2[C], Tw]) =
+      f: var Fp12[C], l: Line[Fp2[C]]) =
  ## Sparse multiplication of an 𝔽p12 element
  ## by a sparse 𝔽p12 element coming from an D-Twist line function.
  ## The sparse element is represented by a packed Line type
  ## with coordinate (x,y,z) matching 𝔽p12 coordinates xy00z0 (TODO: verify this)
-  static: doAssert f.c0.typeof is Fp6, "This assumes 𝔽p12 as a quadratic extension of 𝔽p6"
+  static:
    doAssert C.getSexticTwist() == D_Twist
    doAssert f.c0.typeof is Fp6, "This assumes 𝔽p12 as a quadratic extension of 𝔽p6"
  var
    v0 {.noInit.}: Fp6[C]
    v1 {.noInit.}: Fp6[C]
-    v2 {.noInit.}: Line[Fp2[C], Tw]
+    v2 {.noInit.}: Line[Fp2[C]]
    v3 {.noInit.}: Fp6[C]
  v0.mul_by_line_xy0(f.c0, l)
@ -100,14 +102,16 @@ func mul_sparse_by_line_xy00z0*[C: static Curve, Tw: static SexticTwist](
  v3.c2.sum(v0.c2, v1.c1)
  f.c0 = v3
-func mul_sparse_by_line_xyz000*[C: static Curve, Tw: static SexticTwist](
+func mul_sparse_by_line_xyz000*[C: static Curve](
-       f: var Fp12[C], l: Line[Fp2[C], Tw]) =
+       f: var Fp12[C], l: Line[Fp2[C]]) =
  ## Sparse multiplication of an 𝔽p12 element
  ## by a sparse 𝔽p12 element coming from an D-Twist line function.
  ## The sparse element is represented by a packed Line type
  ## with coordinates (x,y,z) matching 𝔽p12 coordinates xyz000
-  static: doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
+  static:
    doAssert C.getSexticTwist() == D_Twist
    doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
  # In the following equations (taken from cubic extension implementation)
  # a = f
@ -153,10 +157,12 @@ func mul_sparse_by_line_xyz000*[C: static Curve, Tw: static SexticTwist](
  f.c2 *= b0
  f.c2 += v1
-func mul_sparse_by_line_xy000z*[C: static Curve, Tw: static SexticTwist](
+func mul_sparse_by_line_xy000z*[C: static Curve](
-       f: var Fp12[C], l: Line[Fp2[C], Tw]) =
+       f: var Fp12[C], l: Line[Fp2[C]]) =
-  static: doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
+  static:
    doAssert C.getSexticTwist() == M_Twist
    doAssert f.c0.typeof is Fp4, "This assumes 𝔽p12 as a cubic extension of 𝔽p4"
  # In the following equations (taken from cubic extension implementation)
  # a = f
@ -202,3 +208,11 @@ func mul_sparse_by_line_xy000z*[C: static Curve, Tw: static SexticTwist](
  f.c1 *= b0
  v2 *= NonResidue
  f.c1 += v2
 func mul*[C](f: var Fp12[C], line: Line[Fp2[C]]) {.inline.} =
  when C.getSexticTwist() == D_Twist:
    f.mul_sparse_by_line_xyz000(line)
  elif C.getSexticTwist() == M_Twist:
    f.mul_sparse_by_line_xy000z(line)
  else:
    {.error: "A line function assumes that the curve has a twist".}
--- a/constantine/pairing/pairing_bls12.nim
+++ b/constantine/pairing/pairing_bls12.nim
@ -47,8 +47,8 @@ import
 func millerLoopGenericBLS12*[C](
       f: var Fp12[C],
-       P: ECP_ShortW_Aff[Fp[C]],
+       P: ECP_ShortW_Aff[Fp[C], NotOnTwist],
-       Q: ECP_ShortW_Aff[Fp2[C]]
+       Q: ECP_ShortW_Aff[Fp2[C], OnTwist]
     ) =
  ## Generic Miller Loop for BLS12 curve
  ## Computes f{u,Q}(P) with u the BLS curve parameter
@ -81,20 +81,14 @@ func millerLoopGenericBLS12*[C](
  #      or we ensure the loop is done for a number of iterations strictly less
  #      than the curve order which is the case for BLS12 curves
  var
-    T {.noInit.}: ECP_ShortW_Proj[Fp2[C]]
+    T {.noInit.}: ECP_ShortW_Proj[Fp2[C], OnTwist]
-    line {.noInit.}: Line[Fp2[C], C.getSexticTwist()]
+    line {.noInit.}: Line[Fp2[C]]
    nQ{.noInit.}: typeof(Q)
  T.projectiveFromAffine(Q)
  nQ.neg(Q)
  f.setOne()
  template mul(f, line): untyped =
    when C.getSexticTwist() == D_Twist:
      f.mul_sparse_by_line_xyz000(line)
    else:
      f.mul_sparse_by_line_xy000z(line)
  template u: untyped = C.pairing(ate_param)
  let u3 = 3*C.pairing(ate_param)
  for i in countdown(u3.bits - 2, 1):
@ -121,14 +115,17 @@ func finalExpGeneric[C: static Curve](f: var Fp12[C]) =
  ## for sanity checks purposes.
  f.powUnsafeExponent(C.pairing(finalexponent), window = 3)
-func pairing_bls12_reference*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
+func pairing_bls12_reference*[C](
       gt: var Fp12[C],
       P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
       Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
  ## Compute the optimal Ate Pairing for BLS12 curves
  ## Input: P ∈ G1, Q ∈ G2
  ## Output: e(P, Q) ∈ Gt
  ##
  ## Reference implementation
-  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
+  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
  gt.millerLoopGenericBLS12(Paff, Qaff)
@ -195,12 +192,15 @@ func finalExpHard_BLS12*[C](f: var Fp12[C]) =
  # (x−1)².(x+p).(x²+p²−1) + 3
  f *= v0
-func pairing_bls12*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
+func pairing_bls12*[C](
       gt: var Fp12[C],
       P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
       Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
  ## Compute the optimal Ate Pairing for BLS12 curves
  ## Input: P ∈ G1, Q ∈ G2
  ## Output: e(P, Q) ∈ Gt
-  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
+  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
  gt.millerLoopGenericBLS12(Paff, Qaff)
--- a/constantine/pairing/pairing_bn.nim
+++ b/constantine/pairing/pairing_bn.nim
@ -44,8 +44,8 @@ import
 func millerLoopGenericBN*[C](
       f: var Fp12[C],
-       P: ECP_ShortW_Aff[Fp[C]],
+       P: ECP_ShortW_Aff[Fp[C], NotOnTwist],
-       Q: ECP_ShortW_Aff[Fp2[C]]
+       Q: ECP_ShortW_Aff[Fp2[C], OnTwist]
     ) =
  ## Generic Miller Loop for BN curves
  ## Computes f{6u+2,Q}(P) with u the BN curve parameter
@ -79,20 +79,14 @@ func millerLoopGenericBN*[C](
  #      than the curve order which is the case for BN curves
  var
-    T {.noInit.}: ECP_ShortW_Proj[Fp2[C]]
+    T {.noInit.}: ECP_ShortW_Proj[Fp2[C], OnTwist]
-    line {.noInit.}: Line[Fp2[C], C.getSexticTwist()]
+    line {.noInit.}: Line[Fp2[C]]
    nQ{.noInit.}: typeof(Q)
  T.projectiveFromAffine(Q)
  nQ.neg(Q)
  f.setOne()
  template mul(f, line): untyped =
    when C.getSexticTwist() == D_Twist:
      f.mul_sparse_by_line_xyz000(line)
    else:
      f.mul_sparse_by_line_xy000z(line)
  template u: untyped = C.pairing(ate_param)
  let u3 = 3*C.pairing(ate_param)
  for i in countdown(u3.bits - 2, 1):
@ -120,26 +114,29 @@ func millerLoopGenericBN*[C](
  V.frobenius_psi(Q)
  line.line_add(T, V, P)
-  f.mul_sparse_by_line_xyz000(line)
+  f.mul(line)
  V.frobenius_psi2(Q)
  V.neg()
  line.line_add(T, V, P)
-  f.mul_sparse_by_line_xyz000(line)
+  f.mul(line)
 func finalExpGeneric[C: static Curve](f: var Fp12[C]) =
  ## A generic and slow implementation of final exponentiation
  ## for sanity checks purposes.
  f.powUnsafeExponent(C.pairing(finalexponent), window = 3)
-func pairing_bn_reference*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
+func pairing_bn_reference*[C](
       gt: var Fp12[C],
       P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
       Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
  ## Compute the optimal Ate Pairing for BN curves
  ## Input: P ∈ G1, Q ∈ G2
  ## Output: e(P, Q) ∈ Gt
  ##
  ## Reference implementation
-  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
+  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
  gt.millerLoopGenericBN(Paff, Qaff)
@ -200,12 +197,15 @@ func finalExpHard_BN*[C: static Curve](f: var Fp12[C]) =
  f.frobenius_map(t2, 3)       # r = f^λ₃p³
  f *= t0                      # r = f^(λ₀ + λ₁p + λ₂p² + λ₃p³) = f^((p⁴-p²+1)/r)
-func pairing_bn*[C](gt: var Fp12[C], P: ECP_ShortW_Proj[Fp[C]], Q: ECP_ShortW_Proj[Fp2[C]]) =
+func pairing_bn*[C](
       gt: var Fp12[C],
       P: ECP_ShortW_Proj[Fp[C], NotOnTwist],
       Q: ECP_ShortW_Proj[Fp2[C], OnTwist]) =
  ## Compute the optimal Ate Pairing for BLS12 curves
  ## Input: P ∈ G1, Q ∈ G2
  ## Output: e(P, Q) ∈ Gt
-  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C]]
+  var Paff {.noInit.}: ECP_ShortW_Aff[Fp[C], NotOnTwist]
-  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+  var Qaff {.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
  Paff.affineFromProjective(P)
  Qaff.affineFromProjective(Q)
  gt.millerLoopGenericBN(Paff, Qaff)
--- a/constantine/tower_field_extensions/tower_common.nim
+++ b/constantine/tower_field_extensions/tower_common.nim
@ -57,7 +57,7 @@ func setOne*(a: var ExtensionField) =
      fA.setZero()
 func fromBig*(a: var ExtensionField, src: BigInt) =
-  ## Set ``a`` to the bigint value int eh extension field
+  ## Set ``a`` to the bigint value in the extension field
  for fieldName, fA in fieldPairs(a):
    when fieldName == "c0":
      fA.fromBig(src)
--- a/constantine/towers.nim
+++ b/constantine/towers.nim
@ -27,6 +27,9 @@ type
    c0*, c1*: Fp[C]
  β = NonResidue
    # Quadratic or Cubic non-residue
  SexticNonResidue* = object
 template fromComplexExtension*[F](elem: F): static bool =
  ## Returns true if the input is a complex extension
@ -50,8 +53,18 @@ func `*`*(_: typedesc[β], a: Fp): Fp {.inline, noInit.} =
  result = a
  result *= β
-type
+# TODO: rework the quad/cube/sextic non residue declaration
-  SexticNonResidue* = object
+
 func `*=`*(a: var Fp, _: typedesc[SexticNonResidue]) {.inline.} =
  ## Multiply an element of 𝔽p by the sextic non-residue
  ## chosen to construct 𝔽p6
  a *= Fp.C.get_QNR_Fp()
 func `*`*(_: typedesc[SexticNonResidue], a: Fp): Fp {.inline, noInit.} =
  ## Multiply an element of 𝔽p by the sextic non-residue
  ## chosen to construct 𝔽p6
  result = a
  result *= SexticNonResidue
 func `*=`*(a: var Fp2, _: typedesc[SexticNonResidue]) {.inline.} =
  ## Multiply an element of 𝔽p2 by the sextic non-residue
--- a/helpers/prng_unsafe.nim
+++ b/helpers/prng_unsafe.nim
@ -229,85 +229,85 @@ func random_long01Seq[T](rng: var RngState, a: var T, C: static Curve) =
 # Elliptic curves
 # ------------------------------------------------------------
-func random_unsafe[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
+func random_unsafe(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate == 1
  ## Unsafe: for testing and benchmarking purposes only
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
    # Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
    #                    so we have a probability of ~0.5 to get a good point
-    rng.random_unsafe(fieldElem, F.C)
+    rng.random_unsafe(fieldElem, a.F.C)
    success = trySetFromCoordX(a, fieldElem)
-func random_unsafe_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
+func random_unsafe_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate being random
  ## Unsafe: for testing and benchmarking purposes only
-  var Z{.noInit.}: F
+  var Z{.noInit.}: a.F
-  rng.random_unsafe(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
+  rng.random_unsafe(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
-    rng.random_unsafe(fieldElem, F.C)
+    rng.random_unsafe(fieldElem, a.F.C)
    success = trySetFromCoordsXandZ(a, fieldElem, Z)
-func random_highHammingWeight[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
+func random_highHammingWeight(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate == 1
  ## This will be generated with a biaised RNG with high Hamming Weight
  ## to trigger carry bugs
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
    # Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
    #                    so we have a probability of ~0.5 to get a good point
-    rng.random_highHammingWeight(fieldElem, F.C)
+    rng.random_highHammingWeight(fieldElem, a.F.C)
    success = trySetFromCoordX(a, fieldElem)
-func random_highHammingWeight_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
+func random_highHammingWeight_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate == 1
  ## This will be generated with a biaised RNG with high Hamming Weight
  ## to trigger carry bugs
-  var Z{.noInit.}: F
+  var Z{.noInit.}: a.F
-  rng.random_highHammingWeight(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
+  rng.random_highHammingWeight(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
-    rng.random_highHammingWeight(fieldElem, F.C)
+    rng.random_highHammingWeight(fieldElem, a.F.C)
    success = trySetFromCoordsXandZ(a, fieldElem, Z)
-func random_long01Seq[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Aff[F] or ECP_ShortW_Jac[F])) =
+func random_long01Seq(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Aff or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate == 1
  ## This will be generated with a biaised RNG
  ## that produces long bitstrings of 0 and 1
  ## to trigger edge cases
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
    # Euler's criterion: there are (p-1)/2 squares in a field with modulus `p`
    #                    so we have a probability of ~0.5 to get a good point
-    rng.random_long01Seq(fieldElem, F.C)
+    rng.random_long01Seq(fieldElem, a.F.C)
    success = trySetFromCoordX(a, fieldElem)
-func random_long01Seq_with_randZ[F](rng: var RngState, a: var (ECP_ShortW_Proj[F] or ECP_ShortW_Jac[F])) =
+func random_long01Seq_with_randZ(rng: var RngState, a: var (ECP_ShortW_Proj or ECP_ShortW_Jac)) =
  ## Initialize a random curve point with Z coordinate == 1
  ## This will be generated with a biaised RNG
  ## that produces long bitstrings of 0 and 1
  ## to trigger edge cases
-  var Z{.noInit.}: F
+  var Z{.noInit.}: a.F
-  rng.random_long01Seq(Z, F.C) # If Z is zero, X will be zero and that will be an infinity point
+  rng.random_long01Seq(Z, a.F.C) # If Z is zero, X will be zero and that will be an infinity point
-  var fieldElem {.noInit.}: F
+  var fieldElem {.noInit.}: a.F
  var success = CtFalse
  while not bool(success):
-    rng.random_long01Seq(fieldElem, F.C)
+    rng.random_long01Seq(fieldElem, a.F.C)
    success = trySetFromCoordsXandZ(a, fieldElem, Z)
 # Generic over any Constantine type
--- a/tests/t_ec_frobenius.nim
+++ b/tests/t_ec_frobenius.nim
@ -55,7 +55,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  # - sage sage/frobenius_bls12_381.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "598e4c8c14c24c90834f2debedee4db3d31fed98a5134177704bfec14f46cb5",
    Px1 = "c6fffa61daeb7caaf96983e70f164931d958c6820b205cdde19f2fa1eaaa7b1",
    Py0 = "2f5fa252a27df56f5ca2e9c3382c17e531d317d50396f3fe952704304946a5a",
@ -68,7 +68,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "21014830dd88a0e7961e704cea531200866c5df46cb25aa3e2aac8d4fec64c6e",
    Px1 = "1db17d8364def10443beab6e4a055c210d3e49c7c3af31e9cfb66d829938dca7",
    Py0 = "1394ab8c346ad3eba14fa14789d3bbfc2deed5a7a510da8e9418580515d27bda",
@ -81,7 +81,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "46f2a2be9a3e19c1bb484fc37703ff64c3d7379de22249ccf0881037948beec",
    Px1 = "10a5aaae14cb028f4ff4b81d41b712038b9f620a99e208c23504887e56831806",
    Py0 = "2e6c3ebe0f3dada0063dc59f85fe2264dc3502bf65206336106a8d39d838a7b2",
@ -94,7 +94,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "1cf3af1d41e89d8df378aa81463a978c021f27f4a48387e74655ce2cf5c1f298",
    Px1 = "36553e80e5c7c7360c7a2ae6bf1b8f68eb48804fc7eba7d2f56f09e87bbb0b1",
    Py0 = "25f03e551d74b6be3268bf001905dfbe0bcbe43a2d1aac645a3ca8650b52e551",
@ -109,7 +109,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "112de13b7cd42bccdb005f2d4dc2726f360243103335ef6cf5e217e777554ae7c1deff5ddb5bcbb581fc9f13728a439",
    Px1 = "10d1a8963e5c6854d5e610ece9914f9b5619c27652be1e9ec3e87687d63ed5d45b449bf59c2481e18ac6159f75966ac",
    Py0 = "8aaf3a8660cf0edd6e97a2cd7837af1c63ec89e18f9bf4c64638662a661636b928a4f8097e6a2e8dfa11e13c51b075",
@ -122,7 +122,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "2f9318360b53c2d706061f527571e91679e6086a72ce8203ba1a04850f83bb192b29307e9b2d63feb1d23979e3f632",
    Px1 = "3cbab0789968a3a35fa5d2e2326baa40c34d11a4af05a4109350944300ce32eef74dc5e47ba46717bd8bf87604696d",
    Py0 = "14ea84922f76f2681fec869dce26141392975dcdb4f21d5fa8aec06b37bf71ba6249c219ecbaef4a266196dafb4ad19",
@ -135,7 +135,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "833ca23630be463c388ea6cfcff5b0e3b055065702a84310d2c726aee14d9e140cba05be79b5cb0441816d9e8c8370",
    Px1 = "264a9755524baac8d9e53b0a45789e9dafcb6b453e965061fcfa20bb12a27d9b9417d5277ae2a499b1cfe567d75e2d",
    Py0 = "5b670b9789825e2b48101b5b6e660cf9117e29c521dad54640cb356b674b3946c98cb43909c3495fb6d6d231891b7e",
@ -148,7 +148,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "14cd89e2e2755ddc086f63fd62e1f9904c3c1497243455c578a963e81b389f04e95ceafc4f47dc777579cdc82eca79b",
    Px1 = "ba8801beba0654f20ccb78783efa7a911d182ec0eb99abe10f9a3d26b46fb7f90552e4ff6beb4df4611a9072be648b",
    Py0 = "12e23bc97d891f2a047bac9c90e728cb89760c812156f96c95e36c40f1c830cf6ecbb5d407b189070d48a92eb461ea6",
@ -163,7 +163,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "d6904be428a0310dbd6e15a744a774bcf9800abe27536267a5383f1ddbd7783e1dc20098a8e045e3cca66b83f6d7f0f",
    Px1 = "12107f6ef71d0d1e3bcba9e00a0675d3080519dd1b6c086bd660eb2d2bca8f276e283a891b5c0615064d7886af625cf2",
    Py0 = "c592a3546d2d61d671070909e97860822db0a389e351c1744bdbb2c472cf52f3ca3e94068b0b6f3b0121923659131f5",
@ -176,7 +176,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "112de130b7cd42bccdb005f2d4dc2726f360243103335ef6cf5e217e777554ae7c1deff5ddb5bcbb581fc9f13728a439",
    Px1 = "10d1a89a63e5c6854d5e610ece9914f9b5619c27652be1e9ec3e87687d63ed5d45b449bf59c2481e18ac6159f75966ac",
    Py0 = "11261c8fcb0f4f560479547fe6b2a1c1e8b648d87e54c39f299eba8729294e99b415851d134ca31e8bb861c42e6f1022",
@ -189,7 +189,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "2f93183360b53c2d706061f527571e91679e6086a72ce8203ba1a04850f83bb192b29307e9b2d63feb1d23979e3f632",
    Px1 = "3cbab0c789968a3a35fa5d2e2326baa40c34d11a4af05a4109350944300ce32eef74dc5e47ba46717bd8bf87604696d",
    Py0 = "2b8d995b0f2114442b7bbdbe5732fbf94430d6d413e1f388031f3abb956e598cb6764275a75832c1670868c458378b6",
@ -202,7 +202,7 @@ suite "ψ (Psi) - Untwist-Frobenius-Twist Endomorphism on G2 vs SageMath" & " ["
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "d7d1c55ddf8bd03b7a15c3ea4f8f69aee37bf282d4aac82b7bd1fd47139250b9c708997a7ff8f603e48f0471c2cfe03",
    Px1 = "d145a91934a6ad865d24ab556ae1e6c42decdd05d676b80e53365a6ff7536332859c9682e7200e40515f675415d71a3",
    Py0 = "6de67fa12af93813a42612b1e9449c7b1f160c5de004ec26ea61010e48ba38dcf158d2692f347fdc6c6332bbec7106f",
@ -240,9 +240,10 @@ suite "ψ - psi(psi(P)) == psi2(P) - (Untwist-Frobenius-Twist Endomorphism)" & "
      test(EC, randZ = false, gen = Long01Sequence)
      test(EC, randZ = true, gen = Long01Sequence)
-  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
-  # testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
-  testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
+  testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
  testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])
 suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
  const Iters = 10
@ -252,6 +253,15 @@ suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
      # x = "0x44E992B44A6909F1"
      # t = 6x²+1
      return (BigInt[127].fromHex"0x6f4d8248eeb859fbf83e9682e87cfd47", false)
    elif C == BN254_Nogami:
      # x = "-0x4080000000000001"
      # t = 6x²+1
      return (BigInt[127].fromHex"0x61818000000000030600000000000007", false)
    elif C == BLS12_377:
      # x = 3 * 2^46 * (7 * 13 * 499) + 1
      # x = 0x8508c00000000001
      # t = x+1
      return (BigInt[64].fromHex"8508c00000000002", false)
    elif C == BLS12_381:
      # x = "-(2^63 + 2^62 + 2^60 + 2^57 + 2^48 + 2^16)"
      # t = x+1
@ -290,9 +300,10 @@ suite "ψ²(P) - [t]ψ(P) + [p]P = Inf" & " [" & $WordBitwidth & "-bit mode]":
      test(EC, randZ = false, gen = Long01Sequence)
      test(EC, randZ = true, gen = Long01Sequence)
-  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
-  # testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
-  testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
+  testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
  testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])
 suite "ψ⁴(P) - ψ²(P) + P = Inf (k-th cyclotomic polynomial with embedding degree k=12)" & " [" & $WordBitwidth & "-bit mode]":
  const Iters = 10
@ -319,6 +330,7 @@ suite "ψ⁴(P) - ψ²(P) + P = Inf (k-th cyclotomic polynomial with embedding d
      test(EC, randZ = false, gen = Long01Sequence)
      test(EC, randZ = true, gen = Long01Sequence)
-  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Nogami], OnTwist])
-  # testAll(ECP_ShortW_Proj[Fp2[BLS12_377]])
+  testAll(ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist])
-  testAll(ECP_ShortW_Proj[Fp2[BLS12_381]])
+  testAll(ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist])
  testAll(ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist])
--- a/tests/t_ec_sage_bls12_377.nim
+++ b/tests/t_ec_sage_bls12_377.nim
@ -61,7 +61,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  # Generated via sage sage/testgen_bls12_377.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "4e7e6dfa01ed0ceb6e66708b07cb5c6cd30a42eeb13d7b76f8d103a0a4d491450be6f526fc12f15209b792220c041e",
    Py = "c782515159b7e7b9371e0e0caa387951317e993b1625d91869d4346621058a0960ef1b8b6eabb33cd5719694908a05",
    scalar = "cf815cb4d44d3d691b7c82a40b4b70caa9b0e8fe9586648abf3f1e2e639ca1b",
@ -71,7 +71,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "13d735b28405253dcc0bc60bcdc13633475ffc187d38a9b97655b0d0fa1d56c4548f11ea0a795391ee85c953aaf9b83",
    Py = "1693101123fd13a20f9c0569c52c29507ba1c8b6dd412660bc82e7974022f1a10f9137b4ba59d3f0aab67027cefec19",
    scalar = "913aa7b9fa2f940b70b6dcf538cc08da1a369809ab86a8ee49cead0ed6bfef6",
@ -81,7 +81,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "6dd2211113cada09d3b96848cbf21ed14f6fc238b581c0afd49aa776980101e4ee279a256ce8f1428d3ed3f70afd85",
    Py = "3b406b4433a3f44f8e196012f50c520e876412fbcae2651916f133c1fd3899c79f676e1abba01d84bab7ad100c9295",
    scalar = "4cf47669aeb0f30b6c6c5aa02808a87dc787fba22da32875e614a54a50b6a0c",
@ -91,7 +91,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "18648abbe3261f93cbf679777eac66e419035041a967d1e6a0f0afdb92810d7122e0984f1d6efc8fe518500464ee803",
    Py = "7b6f518d4d06309aad4d60d29118310b6c8b17c7bf5db2251f4701b13b89a8c0f04bb5d0386785e55ffbbd7ecc445e",
    scalar = "69498486a06c18f836a8e9ed507bbb563d6d03545e03e08f628e8fbd2e5d098",
@ -101,7 +101,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "745e9944549522486f3446676cc62fb666682e10c661a13b8110b42cb9a37676b6f33a46f9495f4fafb342d5809db5",
    Py = "bc595854bc42ccec60dd9ec573608d736aa59996cef1c2e8f6c5d424f525a6f3e3d4beeedfac6b959dbd71ced95b13",
    scalar = "6e08d8714102a5aa3e9f46e33c70a759c27253c7b0196c3e46c7cb42671197e",
@ -111,7 +111,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "f7b56cf212a8906ed77a758164c0bd05ce1fbd3ee3c4357e7a09b3aedc748a29ace254f1f6df35b8cb74361060337f",
    Py = "2640ef641d20fea19b28947833e53faceeafa57a8761b807049f3d707d70c01f1c69a57edd993d301a64517bf47f77",
    scalar = "a5c46d7a52938fed7f3093d5867f65361dc8b48c83bd7db490c26736196e20e",
@ -121,7 +121,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "43b387c12e4cc91fb1a5593b7671356dceb0fe6e6ac666d5bac94f2a44c8db54976b649a678aae038b21144de04e23",
    Py = "1a6366a50f1f9ba64eef73d82bec86177bf184be048a9d66326ccb0122203569ddcb8cf74445cadaff7f47a66d1b1a2",
    scalar = "bddd07231bc7fe89ee4a859a00ea1f9d236be9e7fd561303d566904c1b0a07c",
@ -131,7 +131,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "6984c9385a67081f97b3d33444077466cca1d0442a4da8c083a0957578e0b21011435b126a5ab143da9da1cf5b216f",
    Py = "18a87c7f5f6c5a8101773e63956b9addd4becf5177acc560d548e5331638121934842fdc9f654b3f456a7df5a2e471a",
    scalar = "b72c41a6ffaff0aacb5d62e3dcb16acfec66b6a9639e19d3128fd43c18e7dbe",
@ -141,7 +141,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "efc34595823e7333616f7768bc82f407268df6f029bf4c94d15f1785dc7ccc08f22e7301dfc48dadc0ea383c8bb3e",
    Py = "2459bd9f71977ef122d2102e8bfd07a5737066075058cfa8bcaa9f9690ed065919c844363ceaea6f9bb650906a535f",
    scalar = "8f90f6ab0ffa6e4acc601b44c062745f2935b3dc153d0da07977470080d5c18",
@ -151,7 +151,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Px = "3eec93c2a9c5fd03f0de5ede2fdac9e361090fbaea38e4a0f1828745f1d14a057d9fd7c46b9168bd95a45a182a3a62",
    Py = "e912dc7e95f90d91e3274ec5639edacb88be1b092c47c13d31a29ecd579885cc09f197f8207d23b2260ab10c94d5f5",
    scalar = "203300e949aff816d084a388f07c74b9152bb11b523543afd65c805a389980",
@ -163,7 +163,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "4e7e6dfa01ed0ceb6e66708b07cb5c6cd30a42eeb13d7b76f8d103a0a4d491450be6f526fc12f15209b792220c041e",
    Py = "c782515159b7e7b9371e0e0caa387951317e993b1625d91869d4346621058a0960ef1b8b6eabb33cd5719694908a05",
    scalar = "cf815cb4d44d3d691b7c82a40b4b70caa9b0e8fe9586648abf3f1e2e639ca1b",
@ -173,7 +173,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "13d735b28405253dcc0bc60bcdc13633475ffc187d38a9b97655b0d0fa1d56c4548f11ea0a795391ee85c953aaf9b83",
    Py = "1693101123fd13a20f9c0569c52c29507ba1c8b6dd412660bc82e7974022f1a10f9137b4ba59d3f0aab67027cefec19",
    scalar = "913aa7b9fa2f940b70b6dcf538cc08da1a369809ab86a8ee49cead0ed6bfef6",
@ -183,7 +183,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "6dd2211113cada09d3b96848cbf21ed14f6fc238b581c0afd49aa776980101e4ee279a256ce8f1428d3ed3f70afd85",
    Py = "3b406b4433a3f44f8e196012f50c520e876412fbcae2651916f133c1fd3899c79f676e1abba01d84bab7ad100c9295",
    scalar = "4cf47669aeb0f30b6c6c5aa02808a87dc787fba22da32875e614a54a50b6a0c",
@ -193,7 +193,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "18648abbe3261f93cbf679777eac66e419035041a967d1e6a0f0afdb92810d7122e0984f1d6efc8fe518500464ee803",
    Py = "7b6f518d4d06309aad4d60d29118310b6c8b17c7bf5db2251f4701b13b89a8c0f04bb5d0386785e55ffbbd7ecc445e",
    scalar = "69498486a06c18f836a8e9ed507bbb563d6d03545e03e08f628e8fbd2e5d098",
@ -203,7 +203,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "745e9944549522486f3446676cc62fb666682e10c661a13b8110b42cb9a37676b6f33a46f9495f4fafb342d5809db5",
    Py = "bc595854bc42ccec60dd9ec573608d736aa59996cef1c2e8f6c5d424f525a6f3e3d4beeedfac6b959dbd71ced95b13",
    scalar = "6e08d8714102a5aa3e9f46e33c70a759c27253c7b0196c3e46c7cb42671197e",
@ -213,7 +213,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "f7b56cf212a8906ed77a758164c0bd05ce1fbd3ee3c4357e7a09b3aedc748a29ace254f1f6df35b8cb74361060337f",
    Py = "2640ef641d20fea19b28947833e53faceeafa57a8761b807049f3d707d70c01f1c69a57edd993d301a64517bf47f77",
    scalar = "a5c46d7a52938fed7f3093d5867f65361dc8b48c83bd7db490c26736196e20e",
@ -223,7 +223,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "43b387c12e4cc91fb1a5593b7671356dceb0fe6e6ac666d5bac94f2a44c8db54976b649a678aae038b21144de04e23",
    Py = "1a6366a50f1f9ba64eef73d82bec86177bf184be048a9d66326ccb0122203569ddcb8cf74445cadaff7f47a66d1b1a2",
    scalar = "bddd07231bc7fe89ee4a859a00ea1f9d236be9e7fd561303d566904c1b0a07c",
@ -233,7 +233,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "6984c9385a67081f97b3d33444077466cca1d0442a4da8c083a0957578e0b21011435b126a5ab143da9da1cf5b216f",
    Py = "18a87c7f5f6c5a8101773e63956b9addd4becf5177acc560d548e5331638121934842fdc9f654b3f456a7df5a2e471a",
    scalar = "b72c41a6ffaff0aacb5d62e3dcb16acfec66b6a9639e19d3128fd43c18e7dbe",
@ -243,7 +243,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "efc34595823e7333616f7768bc82f407268df6f029bf4c94d15f1785dc7ccc08f22e7301dfc48dadc0ea383c8bb3e",
    Py = "2459bd9f71977ef122d2102e8bfd07a5737066075058cfa8bcaa9f9690ed065919c844363ceaea6f9bb650906a535f",
    scalar = "8f90f6ab0ffa6e4acc601b44c062745f2935b3dc153d0da07977470080d5c18",
@ -253,7 +253,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_377 implementation vs Sag
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Px = "3eec93c2a9c5fd03f0de5ede2fdac9e361090fbaea38e4a0f1828745f1d14a057d9fd7c46b9168bd95a45a182a3a62",
    Py = "e912dc7e95f90d91e3274ec5639edacb88be1b092c47c13d31a29ecd579885cc09f197f8207d23b2260ab10c94d5f5",
    scalar = "203300e949aff816d084a388f07c74b9152bb11b523543afd65c805a389980",
@ -297,7 +297,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  # Generated via sage sage/testgen_bls12_377.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "267401f3ef554fe74ae131d56a10edf14ae40192654901b4618d2bf7af22e77c2a9b79e407348dbd4aad13ca73b33a",
    Px1 = "12dcca838f46a3e0418e5dd8b978362757a16bfd78f0b77f4a1916ace353938389ae3ea228d0eb5020a0aaa58884aec",
    Py0 = "11799118d2e054aabd9f74c0843fecbdc1c0d56f61c61c5854c2507ae2416e48a6b2cd3bc8bf7495a4d3d8270eafe2b",
@ -311,7 +311,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "3a3055d6a46901c1b2227a0e334ffa9f654e62a6d3608f3a672e5816f9e9b04c0e668c3e9f8c807b269422afdc7de9",
    Px1 = "25803bd55f37b254865d5fc7ac9843fb306c2eb09d34ee0c4ecb705b5e10f6911f07fd707a2e28681a421f45b1a4d",
    Py0 = "15a0594a3c9dddc535472c4827aa443774a06f77bec2d20837c6574aa5fac35a279bac756531fa75f979a7a97f297d6",
@ -325,7 +325,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "18ebf549cd24a64badff4ec177205be121757b68589020434aba816756d2e6fa95fdb389c8639d4bf77575122e1c04e",
    Px1 = "11cd0f0976658a6f2ec113034428ef1605befdaa5642944f5c4e571b24fc166c368c30473e25ab148209be4c0b4e37",
    Py0 = "1190d818317495201732feb2cfc8f507adac6273debff46bb6aea4a3f3e3fe7d28d893c90b21a6f28d2fbc72d9fc528",
@ -339,7 +339,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "52b54c30c1dcadbcb698d0cb7fd65de1eb8f7590c7afe46e019bdc9e0ef8bc4c060339220d3615e4b1f2b12ffa6d83",
    Px1 = "dd53b483c2ab1aaa7ed22ef619b5e979237ae95476436f2c51c8b70da39a4e54a989f10f6d12ee098154911aa052f6",
    Py0 = "2a8c96662a7c76cb7d8ca6571a5b99abfd2d7343dd668425e5fa4a8c880b313b70f09a15a825fac63ae7065c0c51d",
@ -353,7 +353,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "fb6dd822e327a60c9e55d760c4f5d26783617a06f868835c2f46e902108eaca5d60fd64c0a0c8a6dc12f9352dfef33",
    Px1 = "85e97eef3b4e42a93b8421644e9334f4543a25a36ccd41d448c385146baf3b1efbaeac49c202b04cdbf8b50f3fd962",
    Py0 = "8db78b315a524f17ac3d69333604e6bc8aa0b2f138f9adf7edb19f49c847eda6b64df9fe2576b7687e7b55cb5f0bd0",
@ -367,7 +367,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "b56e23f2558c3c124f024952e1858067223541f51a8885d161133beb7bf8d64f22163769e604afbf7fbfb02e1fcb43",
    Px1 = "e10c4366d667b40488a9ae32daf3e2a5cc8ddf25ed407afe1a38b855f3ac4f7ea20455924e71369eed07114613b633",
    Py0 = "f42d3ab4716d10384bcdfec38cba997c2bafb8d8de32a47225a3e2d2835be1ad02a63323d3dd4145db21e3cbf5cc7a",
@ -381,7 +381,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "137001541ab8a479362ee39f818fc38788231e5288ceea5ebe0c08d0bbca3be9519aa415bde98428df26d361b7311ea",
    Px1 = "411b1a4f0abb9fd255a7ae26ac39c1f2c88a48f82c7623b6f225aec9755206e27084b23cbc98f31399405a6599dc54",
    Py0 = "833ef097986116cab669c4fddff9b831535d100644f732fb0da0a2dce17d69beaeed67230dd66392e840679afbae1e",
@ -395,7 +395,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "1580ffccc21b057dfe4831f950cbb8f1436f999df657404ecec20225a929a5d56920e8662abc426de23402643087308",
    Px1 = "8bf8ff20713a9054aa1cce9635eb3d6ac8371fc052b747a8414595708ff9462d64a0a11ff2c1c5121f4ecc5f22df5e",
    Py0 = "e7a5f7df0cec03de25da415fdda485ecc1443b95352e47b23e5506b820c9bc9ea9c2d9e99dd48e1f74e1befe58ce80",
@ -409,7 +409,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "10898a074b6931cc4ada152b64dd1c6b2bb47912e6502b9e88f638e489c144f8aa9b9f915bb428e082ec84676607f40",
    Px1 = "18484823648fe1699468e2d265cd2f2e381a0e67f35f8d192259e2a14573692b4e1fbdeed639e9b6eb0731be820b166",
    Py0 = "1840bc6fcb224efe00e32f827fa4f9694cd4186493089c66a936e912b50346b75542b6edbe51ba95c88d3b0fcac34ed",
@ -423,7 +423,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Px0 = "13c3a392307124afb5f219ba0f8062fa9b75654d3fff12bc924592d284af550f039b6ac58880d2c6fea146b3982f03c",
    Px1 = "188169bc937fcc20cc9c289adef30580188f64ecb126faadb5b888f31b813727ff7046d1a19b81abeea6609b8b208c6",
    Py0 = "2f9bde8fdd43c5f4de30f335a480dca3bf0858464d8368984406f10ddc1ecabb15fcfd11cebd4fef426e7ca9411221",
@ -439,7 +439,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "267401f3ef554fe74ae131d56a10edf14ae40192654901b4618d2bf7af22e77c2a9b79e407348dbd4aad13ca73b33a",
    Px1 = "12dcca838f46a3e0418e5dd8b978362757a16bfd78f0b77f4a1916ace353938389ae3ea228d0eb5020a0aaa58884aec",
    Py0 = "11799118d2e054aabd9f74c0843fecbdc1c0d56f61c61c5854c2507ae2416e48a6b2cd3bc8bf7495a4d3d8270eafe2b",
@ -453,7 +453,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "3a3055d6a46901c1b2227a0e334ffa9f654e62a6d3608f3a672e5816f9e9b04c0e668c3e9f8c807b269422afdc7de9",
    Px1 = "25803bd55f37b254865d5fc7ac9843fb306c2eb09d34ee0c4ecb705b5e10f6911f07fd707a2e28681a421f45b1a4d",
    Py0 = "15a0594a3c9dddc535472c4827aa443774a06f77bec2d20837c6574aa5fac35a279bac756531fa75f979a7a97f297d6",
@ -467,7 +467,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "18ebf549cd24a64badff4ec177205be121757b68589020434aba816756d2e6fa95fdb389c8639d4bf77575122e1c04e",
    Px1 = "11cd0f0976658a6f2ec113034428ef1605befdaa5642944f5c4e571b24fc166c368c30473e25ab148209be4c0b4e37",
    Py0 = "1190d818317495201732feb2cfc8f507adac6273debff46bb6aea4a3f3e3fe7d28d893c90b21a6f28d2fbc72d9fc528",
@ -481,7 +481,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "52b54c30c1dcadbcb698d0cb7fd65de1eb8f7590c7afe46e019bdc9e0ef8bc4c060339220d3615e4b1f2b12ffa6d83",
    Px1 = "dd53b483c2ab1aaa7ed22ef619b5e979237ae95476436f2c51c8b70da39a4e54a989f10f6d12ee098154911aa052f6",
    Py0 = "2a8c96662a7c76cb7d8ca6571a5b99abfd2d7343dd668425e5fa4a8c880b313b70f09a15a825fac63ae7065c0c51d",
@ -495,7 +495,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "fb6dd822e327a60c9e55d760c4f5d26783617a06f868835c2f46e902108eaca5d60fd64c0a0c8a6dc12f9352dfef33",
    Px1 = "85e97eef3b4e42a93b8421644e9334f4543a25a36ccd41d448c385146baf3b1efbaeac49c202b04cdbf8b50f3fd962",
    Py0 = "8db78b315a524f17ac3d69333604e6bc8aa0b2f138f9adf7edb19f49c847eda6b64df9fe2576b7687e7b55cb5f0bd0",
@ -509,7 +509,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "b56e23f2558c3c124f024952e1858067223541f51a8885d161133beb7bf8d64f22163769e604afbf7fbfb02e1fcb43",
    Px1 = "e10c4366d667b40488a9ae32daf3e2a5cc8ddf25ed407afe1a38b855f3ac4f7ea20455924e71369eed07114613b633",
    Py0 = "f42d3ab4716d10384bcdfec38cba997c2bafb8d8de32a47225a3e2d2835be1ad02a63323d3dd4145db21e3cbf5cc7a",
@ -523,7 +523,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "137001541ab8a479362ee39f818fc38788231e5288ceea5ebe0c08d0bbca3be9519aa415bde98428df26d361b7311ea",
    Px1 = "411b1a4f0abb9fd255a7ae26ac39c1f2c88a48f82c7623b6f225aec9755206e27084b23cbc98f31399405a6599dc54",
    Py0 = "833ef097986116cab669c4fddff9b831535d100644f732fb0da0a2dce17d69beaeed67230dd66392e840679afbae1e",
@ -537,7 +537,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "1580ffccc21b057dfe4831f950cbb8f1436f999df657404ecec20225a929a5d56920e8662abc426de23402643087308",
    Px1 = "8bf8ff20713a9054aa1cce9635eb3d6ac8371fc052b747a8414595708ff9462d64a0a11ff2c1c5121f4ecc5f22df5e",
    Py0 = "e7a5f7df0cec03de25da415fdda485ecc1443b95352e47b23e5506b820c9bc9ea9c2d9e99dd48e1f74e1befe58ce80",
@ -551,7 +551,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "10898a074b6931cc4ada152b64dd1c6b2bb47912e6502b9e88f638e489c144f8aa9b9f915bb428e082ec84676607f40",
    Px1 = "18484823648fe1699468e2d265cd2f2e381a0e67f35f8d192259e2a14573692b4e1fbdeed639e9b6eb0731be820b166",
    Py0 = "1840bc6fcb224efe00e32f827fa4f9694cd4186493089c66a936e912b50346b75542b6edbe51ba95c88d3b0fcac34ed",
@ -565,7 +565,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Px0 = "13c3a392307124afb5f219ba0f8062fa9b75654d3fff12bc924592d284af550f039b6ac58880d2c6fea146b3982f03c",
    Px1 = "188169bc937fcc20cc9c289adef30580188f64ecb126faadb5b888f31b813727ff7046d1a19b81abeea6609b8b208c6",
    Py0 = "2f9bde8fdd43c5f4de30f335a480dca3bf0858464d8368984406f10ddc1ecabb15fcfd11cebd4fef426e7ca9411221",
--- a/tests/t_ec_sage_bls12_381.nim
+++ b/tests/t_ec_sage_bls12_381.nim
@ -62,7 +62,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  # Generated via sage sage/testgen_bls12_381.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "f9679bb02ee7f352fff6a6467a5e563ec8dd38c86a48abd9e8f7f241f1cdd29d54bc3ddea3a33b62e0d7ce22f3d244a",
    Py = "50189b992cf856846b30e52205ff9ef72dc081e9680726586231cbc29a81a162120082585f401e00382d5c86fb1083f",
    scalar = "f7e60a832eb77ac47374bc93251360d6c81c21add62767ff816caf11a20d8db",
@ -72,7 +72,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "17d71835ff84f150fabf5c77ac90bf7f6249143abd1f5d8a46a76f243d424d82e1e258fc7983ba8af97a2462adebe090",
    Py = "d3e108ee1332067cbe4f4193eae10381acb69f493b40e53d9dee59506b49c6564c9056494a7f987982eb4069512c1c6",
    scalar = "5f10367bdae7aa872d90b5ac209321ce5a15181ce22848d032a8d452055cbfd0",
@ -82,7 +82,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "f92c9572692e8f3d450483a7a9bb4694e3b54c9cd09441a4dd7f579b0a6984e47f8090c31c172b33d87f3de186d6b58",
    Py = "286ede4cb2ae19ead4932d5550c5d3ec8ce3a3ada5e1ed6d202e93dd1b16d3513f0f9b62adc6323f18e272a426ee955",
    scalar = "4c321d72220c098fc0fd52306de98f8be9446bf854cf1e4d8dbae62375d18faf",
@ -92,7 +92,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "ec23ff3435b8ebd5e8e0a879d432e11eb974161664b1341fd28f1ffc4c228bf6ada2ae4a565f18c9b66f67a7573502d",
    Py = "10c4b647be08db0b49b75320ae891f9f9c5d7bb7c798947e800d681d205d1b24b12e4dfa993d1bd16851b00356627cc1",
    scalar = "1738857afb76c55f615c2a20b44ca90dcb3267d804ec23fddea431dbee4eb37f",
@ -102,7 +102,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "df127083c2a5ef2388b02af913c0e4002a52a82db9e5ecbf23ee4f557d3b61c91ebcfe9d4973070b46bc5ea6897bca1",
    Py = "318960aeea262ec23ffdd42ec1ba72ae6fa2186a1e2a0fc2659073fb7b5adfb50d581a4d998a94d1accf78b1b3a0163",
    scalar = "19c47811813444020c999a2b263940b5054cf45bb8ad8e086ff126bfcd5507e1",
@ -112,7 +112,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "101123de23c0f240c583c2368c4118dc942db219c55f58cf54acd500c1fcfa06f651ad75319ebf840cbdb6bddea7fde4",
    Py = "5268587d4b844b0708e0336d1bbf48da185aaf5b948eccc3b565d00a856dd55882b9bb31c52af0e275b168cb35eb7b0",
    scalar = "43ffcda71e45a3e90b7502d92b30a0b06c54c95a91aa21e0438677b1c2714ecb",
@ -122,7 +122,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "1457ba1bae6eb3afae3261941c65c93e3ae7d784907d15b8d559100da5e13fd29e4a4d6e3103b781a95237b7b2d80a8e",
    Py = "6a869a47cb48d01e7d29660932afd7617720262b55de5f430b8aa3d74f9fd2b9d3a07ce192425da58014764fc9532cd",
    scalar = "64ad0d6c36dba5368e71f0010aebf860288f54611e5aaf18082bae7a404ebfd8",
@ -132,7 +132,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "2615f843e8fe68d4c337bcf83b2cf13cbae638edd0740f1eac520dc2146afa3b8d36c540878c1d207ef913634b1e593",
    Py = "1787d6eeeceb6e7793073f0bbe7bae522529c126b650c43d5d41e732c581a57df1bfb818061b7b4e6c9145da5df2c43e",
    scalar = "b0ac3d0e685583075aa46c03a00859dfbec24ccb36e2cae3806d82275adcc03",
@ -142,7 +142,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "10bc0c4e1ed87246a9d4d7d38546369f275a245f6e1d3b882e8c9a7f05bc6ee8ff97a96a54084c2bef15ed8bfefb1465",
    Py = "1782377e5f588576b5ab42fea224e88873dda957202f0c6d72ce8728c2d58dc654be77226fbda385d5f269354e4a176a",
    scalar = "23941bb3c3659423d6fdafb7cff52e0e02de0ac91e64c537c6203d64905b63d0",
@ -152,7 +152,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Px = "be4f9f721d98a761a5562bd80ea06f369e9cbb7d33bbb2f0191d4b77d0fd2a10c4083b54157b525f36c522ca3a6ca09",
    Py = "166c315ecdd20acb3c5efcc7e038b17d0b37a06ffbf77873f15fc0cd091a1e4102a8b8bf5507919453759e744391b04d",
    scalar = "4203156dcf70582ea8cbd0388104f47fd5a18ae336b2fed8458e1e4e74d7baf5",
@ -164,7 +164,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "f9679bb02ee7f352fff6a6467a5e563ec8dd38c86a48abd9e8f7f241f1cdd29d54bc3ddea3a33b62e0d7ce22f3d244a",
    Py = "50189b992cf856846b30e52205ff9ef72dc081e9680726586231cbc29a81a162120082585f401e00382d5c86fb1083f",
    scalar = "f7e60a832eb77ac47374bc93251360d6c81c21add62767ff816caf11a20d8db",
@ -174,7 +174,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "17d71835ff84f150fabf5c77ac90bf7f6249143abd1f5d8a46a76f243d424d82e1e258fc7983ba8af97a2462adebe090",
    Py = "d3e108ee1332067cbe4f4193eae10381acb69f493b40e53d9dee59506b49c6564c9056494a7f987982eb4069512c1c6",
    scalar = "5f10367bdae7aa872d90b5ac209321ce5a15181ce22848d032a8d452055cbfd0",
@ -184,7 +184,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "f92c9572692e8f3d450483a7a9bb4694e3b54c9cd09441a4dd7f579b0a6984e47f8090c31c172b33d87f3de186d6b58",
    Py = "286ede4cb2ae19ead4932d5550c5d3ec8ce3a3ada5e1ed6d202e93dd1b16d3513f0f9b62adc6323f18e272a426ee955",
    scalar = "4c321d72220c098fc0fd52306de98f8be9446bf854cf1e4d8dbae62375d18faf",
@ -194,7 +194,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "ec23ff3435b8ebd5e8e0a879d432e11eb974161664b1341fd28f1ffc4c228bf6ada2ae4a565f18c9b66f67a7573502d",
    Py = "10c4b647be08db0b49b75320ae891f9f9c5d7bb7c798947e800d681d205d1b24b12e4dfa993d1bd16851b00356627cc1",
    scalar = "1738857afb76c55f615c2a20b44ca90dcb3267d804ec23fddea431dbee4eb37f",
@ -204,7 +204,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "df127083c2a5ef2388b02af913c0e4002a52a82db9e5ecbf23ee4f557d3b61c91ebcfe9d4973070b46bc5ea6897bca1",
    Py = "318960aeea262ec23ffdd42ec1ba72ae6fa2186a1e2a0fc2659073fb7b5adfb50d581a4d998a94d1accf78b1b3a0163",
    scalar = "19c47811813444020c999a2b263940b5054cf45bb8ad8e086ff126bfcd5507e1",
@ -214,7 +214,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "101123de23c0f240c583c2368c4118dc942db219c55f58cf54acd500c1fcfa06f651ad75319ebf840cbdb6bddea7fde4",
    Py = "5268587d4b844b0708e0336d1bbf48da185aaf5b948eccc3b565d00a856dd55882b9bb31c52af0e275b168cb35eb7b0",
    scalar = "43ffcda71e45a3e90b7502d92b30a0b06c54c95a91aa21e0438677b1c2714ecb",
@ -224,7 +224,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "1457ba1bae6eb3afae3261941c65c93e3ae7d784907d15b8d559100da5e13fd29e4a4d6e3103b781a95237b7b2d80a8e",
    Py = "6a869a47cb48d01e7d29660932afd7617720262b55de5f430b8aa3d74f9fd2b9d3a07ce192425da58014764fc9532cd",
    scalar = "64ad0d6c36dba5368e71f0010aebf860288f54611e5aaf18082bae7a404ebfd8",
@ -234,7 +234,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "2615f843e8fe68d4c337bcf83b2cf13cbae638edd0740f1eac520dc2146afa3b8d36c540878c1d207ef913634b1e593",
    Py = "1787d6eeeceb6e7793073f0bbe7bae522529c126b650c43d5d41e732c581a57df1bfb818061b7b4e6c9145da5df2c43e",
    scalar = "b0ac3d0e685583075aa46c03a00859dfbec24ccb36e2cae3806d82275adcc03",
@ -244,7 +244,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "10bc0c4e1ed87246a9d4d7d38546369f275a245f6e1d3b882e8c9a7f05bc6ee8ff97a96a54084c2bef15ed8bfefb1465",
    Py = "1782377e5f588576b5ab42fea224e88873dda957202f0c6d72ce8728c2d58dc654be77226fbda385d5f269354e4a176a",
    scalar = "23941bb3c3659423d6fdafb7cff52e0e02de0ac91e64c537c6203d64905b63d0",
@ -254,7 +254,7 @@ suite "Scalar Multiplication (cofactor cleared): BLS12_381 implementation vs Sag
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Px = "be4f9f721d98a761a5562bd80ea06f369e9cbb7d33bbb2f0191d4b77d0fd2a10c4083b54157b525f36c522ca3a6ca09",
    Py = "166c315ecdd20acb3c5efcc7e038b17d0b37a06ffbf77873f15fc0cd091a1e4102a8b8bf5507919453759e744391b04d",
    scalar = "4203156dcf70582ea8cbd0388104f47fd5a18ae336b2fed8458e1e4e74d7baf5",
@ -298,7 +298,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  # Generated via sage sage/testgen_bls12_381.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "10fbddd49246ac4b0faa489e3474507ebc96a5da194b2f7a706fad6bf8435021e1598700088abfe0ae7343296c1b7f52",
    Px1 = "324102fa5bd71d9048c3c6a6c62d1f35195d7067bf00dc5eaedd14eecc688383446aba4e8fda059d3f619f00be7890",
    Py0 = "f3e974aafa7a3fb3a1209f3af4492c9d9c52f1ae738e1e08309dd0f438f131f8ddd8b934eb8ff2cb078b8c524c11fab",
@ -312,7 +312,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "4b472ab5d0995a22c95f0805eb459b147d2033b8c13c1c07c857a97e66952d4df3e3b5f346997cc7bd19886492fae83",
    Px1 = "12228345592511c7327176258097c70dffad1ff53b37163cbd4747d0085ed0bcfe90b9150d2f7e49580a42110b1d9c6b",
    Py0 = "19220ed4e423d3274a8e9a58624b8762d7831d6f65fcaf6718b933bf77a0c41d3bb713a2224dbc448cfc735101a5bb1e",
@ -326,7 +326,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "11c9f03cd130f7b4d6675b902d9b4dddfa41577b7673c31a508760675ca083abedfe3f6c1c69eb46737d4877adb527c6",
    Px1 = "c64be8d22d478378784c4f38e386635a8ab606d2b35101ebecfe97b3bb5132d26e9a7ea9690d07a78a22f458045a8c5",
    Py0 = "6253c05b48fde95024644efd87cdf0cf15414c36c35625e383ea7b5ab839eaa783563918cd9e5e391ef1512a6ac28e0",
@ -340,7 +340,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "5adc112fb04bf4ca642d5a7d7343ccd6b93546442d2fff5b9d32c15e456d54884cba49dd7f94ce4ddaad4018e55d0f2",
    Px1 = "5d1c5bbf5d7a833dc76ba206bfa99c281fc37941be050e18f8c6d267b2376b3634d8ad6eb951e52a6d096315abd17d6",
    Py0 = "15a959e54981fab9ac3c6f5bfd6fb60a50a916bd43d96a09922a54309b84812736581bfa728670cba864b08b9e391bb9",
@ -354,7 +354,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "99f8b62e82892d323847f64ab2b422478d207b780fbb097cdca6a1a89e70ff09213dee8534eaf63dac9f7f7feff2548",
    Px1 = "12e7b53d802fa9cd897b5470614d57b1620bfe53f36158466f83e7cc6a6cccb1ac7557a8d5a2208c7c1366835c2cba59",
    Py0 = "115d6b7a8bc5628690ec750207b3252d4121c20c2106d0277cd41dee7b1d4ed1ff856883719bccb545054b9a745a53e2",
@ -368,7 +368,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "7f56aa6111f341d6381090f058835b3d60200032b382108194188c40afe4225eb6fecaba734084283771923e004b5ca",
    Px1 = "18abca4d9eca6d3ef3c720ca6b27f824fdd12dcac72c167f0212f707fa22752f291c9c20a4b92417d05c64207b8e6da6",
    Py0 = "10e08fc323d2ef92c5fd9a0ba38e32e16068ac5a4a0f95b0390c2e8ad6caa446adebe16bbf628a0c2de007bfa1218317",
@ -382,7 +382,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "a8c5649d2df1bae84fd9e8bfcde5113937b3acea22d67ddfedaf1fb8de8c1ef4c70591cf505c24c31e54020c2c510c3",
    Px1 = "a0553f98229a6a067489c3ee204161c11e96f421b3e9c145dc3865b03e9d4ff6cab14c5b5308ecd31173f954463690c",
    Py0 = "b29d8dfe18dc41b4826c3a102c1bf8f306cb42433cc36ee38080f47a324c02a678f9daed0a2bc577c18b9865de029f0",
@ -396,7 +396,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "eb79d9e425feb105ec09ce60949721b12dac5e6721c8a6b505aa2d83270d2a3e6c6bcce16a1b510f6822504c5e86416",
    Px1 = "9f5d2dc403a2e96c3f59c7bb98a36cc8be68500510fd88b09f55938efd192d9653f4bcfd1451518c535e9d1996a924",
    Py0 = "114825899129828ee0b946811ff98a79af1b53c4511bc45a8e41a07a7d9600c824ed7c5cd608781d0a98a13e69b0c002",
@ -410,7 +410,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "17ce8a849a475599245ad6b84cf5284cd15d6346ae52a833954ec50d5cf7f0be1cd8473fdc9dfd500d7f1d80bf6fa6ca",
    Px1 = "15d8128bc60c8e83846bf6748982a7188df6393a9379b2959fa7e1cb72f1c1da066fe3a6d927f97ecec3725fac65eb10",
    Py0 = "a05421595b36750e134b91500962201e9f57ac068732b9fb34ec50ff22f274d395d34d133e131e6dc7bc42d66149767",
@ -424,7 +424,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Px0 = "13eb9e9906446be49345c08de406cd104d6bb9901ee12af0b80a8351027152d6f6d158d5a906e4a58c5602e97347cfd5",
    Px1 = "1218df3f2a9cd7685325a4a7bb6a3636a458a52ea7f1e1d73c2429acb74a2a9beb838c109541120b095118c90868eb0f",
    Py0 = "3ac16edac6898f11ff8ddb48fad6f59f4842cd427d72fa964171801be172b8ecd2fdffb4882d4aa6f1e730f6e53f8c5",
@ -440,7 +440,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "10fbddd49246ac4b0faa489e3474507ebc96a5da194b2f7a706fad6bf8435021e1598700088abfe0ae7343296c1b7f52",
    Px1 = "324102fa5bd71d9048c3c6a6c62d1f35195d7067bf00dc5eaedd14eecc688383446aba4e8fda059d3f619f00be7890",
    Py0 = "f3e974aafa7a3fb3a1209f3af4492c9d9c52f1ae738e1e08309dd0f438f131f8ddd8b934eb8ff2cb078b8c524c11fab",
@ -454,7 +454,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "4b472ab5d0995a22c95f0805eb459b147d2033b8c13c1c07c857a97e66952d4df3e3b5f346997cc7bd19886492fae83",
    Px1 = "12228345592511c7327176258097c70dffad1ff53b37163cbd4747d0085ed0bcfe90b9150d2f7e49580a42110b1d9c6b",
    Py0 = "19220ed4e423d3274a8e9a58624b8762d7831d6f65fcaf6718b933bf77a0c41d3bb713a2224dbc448cfc735101a5bb1e",
@ -468,7 +468,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "11c9f03cd130f7b4d6675b902d9b4dddfa41577b7673c31a508760675ca083abedfe3f6c1c69eb46737d4877adb527c6",
    Px1 = "c64be8d22d478378784c4f38e386635a8ab606d2b35101ebecfe97b3bb5132d26e9a7ea9690d07a78a22f458045a8c5",
    Py0 = "6253c05b48fde95024644efd87cdf0cf15414c36c35625e383ea7b5ab839eaa783563918cd9e5e391ef1512a6ac28e0",
@ -482,7 +482,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "5adc112fb04bf4ca642d5a7d7343ccd6b93546442d2fff5b9d32c15e456d54884cba49dd7f94ce4ddaad4018e55d0f2",
    Px1 = "5d1c5bbf5d7a833dc76ba206bfa99c281fc37941be050e18f8c6d267b2376b3634d8ad6eb951e52a6d096315abd17d6",
    Py0 = "15a959e54981fab9ac3c6f5bfd6fb60a50a916bd43d96a09922a54309b84812736581bfa728670cba864b08b9e391bb9",
@ -496,7 +496,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "99f8b62e82892d323847f64ab2b422478d207b780fbb097cdca6a1a89e70ff09213dee8534eaf63dac9f7f7feff2548",
    Px1 = "12e7b53d802fa9cd897b5470614d57b1620bfe53f36158466f83e7cc6a6cccb1ac7557a8d5a2208c7c1366835c2cba59",
    Py0 = "115d6b7a8bc5628690ec750207b3252d4121c20c2106d0277cd41dee7b1d4ed1ff856883719bccb545054b9a745a53e2",
@ -510,7 +510,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "7f56aa6111f341d6381090f058835b3d60200032b382108194188c40afe4225eb6fecaba734084283771923e004b5ca",
    Px1 = "18abca4d9eca6d3ef3c720ca6b27f824fdd12dcac72c167f0212f707fa22752f291c9c20a4b92417d05c64207b8e6da6",
    Py0 = "10e08fc323d2ef92c5fd9a0ba38e32e16068ac5a4a0f95b0390c2e8ad6caa446adebe16bbf628a0c2de007bfa1218317",
@ -524,7 +524,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "a8c5649d2df1bae84fd9e8bfcde5113937b3acea22d67ddfedaf1fb8de8c1ef4c70591cf505c24c31e54020c2c510c3",
    Px1 = "a0553f98229a6a067489c3ee204161c11e96f421b3e9c145dc3865b03e9d4ff6cab14c5b5308ecd31173f954463690c",
    Py0 = "b29d8dfe18dc41b4826c3a102c1bf8f306cb42433cc36ee38080f47a324c02a678f9daed0a2bc577c18b9865de029f0",
@ -538,7 +538,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "eb79d9e425feb105ec09ce60949721b12dac5e6721c8a6b505aa2d83270d2a3e6c6bcce16a1b510f6822504c5e86416",
    Px1 = "9f5d2dc403a2e96c3f59c7bb98a36cc8be68500510fd88b09f55938efd192d9653f4bcfd1451518c535e9d1996a924",
    Py0 = "114825899129828ee0b946811ff98a79af1b53c4511bc45a8e41a07a7d9600c824ed7c5cd608781d0a98a13e69b0c002",
@ -552,7 +552,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "17ce8a849a475599245ad6b84cf5284cd15d6346ae52a833954ec50d5cf7f0be1cd8473fdc9dfd500d7f1d80bf6fa6ca",
    Px1 = "15d8128bc60c8e83846bf6748982a7188df6393a9379b2959fa7e1cb72f1c1da066fe3a6d927f97ecec3725fac65eb10",
    Py0 = "a05421595b36750e134b91500962201e9f57ac068732b9fb34ec50ff22f274d395d34d133e131e6dc7bc42d66149767",
@ -566,7 +566,7 @@ suite "Scalar Multiplication G2: BLS12-381 implementation vs SageMath" & " [" &
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    EC = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Px0 = "13eb9e9906446be49345c08de406cd104d6bb9901ee12af0b80a8351027152d6f6d158d5a906e4a58c5602e97347cfd5",
    Px1 = "1218df3f2a9cd7685325a4a7bb6a3636a458a52ea7f1e1d73c2429acb74a2a9beb838c109541120b095118c90868eb0f",
    Py0 = "3ac16edac6898f11ff8ddb48fad6f59f4842cd427d72fa964171801be172b8ecd2fdffb4882d4aa6f1e730f6e53f8c5",
--- a/tests/t_ec_sage_bn254.nim
+++ b/tests/t_ec_sage_bn254.nim
@ -62,7 +62,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  # Generated via sage sage/testgen_bn254_snarks.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "22d3af0f3ee310df7fc1a2a204369ac13eb4a48d969a27fcd2861506b2dc0cd7",
    Py = "1c994169687886ccd28dd587c29c307fb3cab55d796d73a5be0bbf9aab69912e",
    scalar = "e08a292f940cfb361cc82bc24ca564f51453708c9745a9cf8707b11c84bc448",
@ -72,7 +72,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "2724750abe620fce759b6f18729e40f891a514160d477811a44b222372cc4ea3",
    Py = "105cdcbe363921790a56bf2696e73642447c60b814827ca4dba86c814912c98a",
    scalar = "2f5c2960850eabadab1e5595ff0bf841206885653e7f2024248b281a86744790",
@ -82,7 +82,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "39bc19c41835082f86ca046b71875b051575072e4d6a4aeedac31eee34b07df",
    Py = "1fdbf42fc20421e1e775fd93ed1888d614f7e39067e7443f21b6a4817481c346",
    scalar = "29e140c33f706c0111443699b0b8396d8ead339a3d6f3c212b08749cf2a16f6b",
@ -92,7 +92,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "157a3e1ff9dabccced9746e19855a9438098be6d734f07d1c069aa1bd05b8d87",
    Py = "1c96bf3e48bc1a6635d93d4f1302a0eba39bd907c5d861f2a9d0c714ee60f04d",
    scalar = "29b05bd55963e262e0fa458c76297fb5be3ec1421fdb1354789f68fdce81dc2c",
@ -102,7 +102,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "2f260967d4cd5d15f98c0a0a9d5abaae0c70d3b8d83e1e884586cd6ece395fe7",
    Py = "2a102c7aebdfaa999d5a99984148ada142f72f5d4158c10368a2e13dded886f6",
    scalar = "1796de74c1edac90d102e7c33f3fad94304eaff4a67a018cae678774d377f6cd",
@ -112,7 +112,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "1b4ccef57f4411360a02b8228e4251896c9492ff93a69ba3720da0cd46a04e83",
    Py = "1fabcb215bd7c06ead2e6b0167497efc2cdd3dbacf69bcb0244142fd63c1e405",
    scalar = "116741cd19dac61c5e77877fc6fef40f363b164b501dfbdbc09e17ea51d6beb0",
@ -122,7 +122,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "2807c88d6759280d6bd83a54d349a533d1a66dc32f72cab8114ab707f10e829b",
    Py = "dbf0d486aeed3d303880f324faa2605aa0219e35661bc88150470c7df1c0b61",
    scalar = "2a5976268563870739ced3e6efd8cf53887e8e4426803377095708509dd156ca",
@ -132,7 +132,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "2754a174a33a55f2a31573767e9bf5381b47dca1cbebc8b68dd4df58b3f1cc2",
    Py = "f222f59c8893ad87c581dacb3f8b6e7c20e7a13bc5fb6e24262a3436d663b1",
    scalar = "25d596bf6caf4565fbfd22d81f9cef40c8f89b1e5939f20caa1b28056e0e4f58",
@ -142,7 +142,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "273bf6c679d8e880034590d16c007bbabc6c65ed870a263b5d1ce7375c18fd7",
    Py = "2904086cb9e33657999229b082558a74c19b2b619a0499afb2e21d804d8598ee",
    scalar = "67a499a389129f3902ba6140660c431a56811b53de01d043e924711bd341e53",
@ -152,7 +152,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Px = "ec892c09a5f1c68c1bfec7780a1ebd279739383f2698eeefbba745b3e717fd5",
    Py = "23d273a1b9750fe1d4ebd4b7c25f4a8d7d94f6662c436305cca8ff2cdbd3f736",
    scalar = "d2f09ceaa2638b7ac3d7d4aa9eff7a12e93dc85db0f9676e5f19fb86d6273e9",
@ -164,7 +164,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "22d3af0f3ee310df7fc1a2a204369ac13eb4a48d969a27fcd2861506b2dc0cd7",
    Py = "1c994169687886ccd28dd587c29c307fb3cab55d796d73a5be0bbf9aab69912e",
    scalar = "e08a292f940cfb361cc82bc24ca564f51453708c9745a9cf8707b11c84bc448",
@ -174,7 +174,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "2724750abe620fce759b6f18729e40f891a514160d477811a44b222372cc4ea3",
    Py = "105cdcbe363921790a56bf2696e73642447c60b814827ca4dba86c814912c98a",
    scalar = "2f5c2960850eabadab1e5595ff0bf841206885653e7f2024248b281a86744790",
@ -184,7 +184,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "39bc19c41835082f86ca046b71875b051575072e4d6a4aeedac31eee34b07df",
    Py = "1fdbf42fc20421e1e775fd93ed1888d614f7e39067e7443f21b6a4817481c346",
    scalar = "29e140c33f706c0111443699b0b8396d8ead339a3d6f3c212b08749cf2a16f6b",
@ -194,7 +194,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "157a3e1ff9dabccced9746e19855a9438098be6d734f07d1c069aa1bd05b8d87",
    Py = "1c96bf3e48bc1a6635d93d4f1302a0eba39bd907c5d861f2a9d0c714ee60f04d",
    scalar = "29b05bd55963e262e0fa458c76297fb5be3ec1421fdb1354789f68fdce81dc2c",
@ -204,7 +204,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "2f260967d4cd5d15f98c0a0a9d5abaae0c70d3b8d83e1e884586cd6ece395fe7",
    Py = "2a102c7aebdfaa999d5a99984148ada142f72f5d4158c10368a2e13dded886f6",
    scalar = "1796de74c1edac90d102e7c33f3fad94304eaff4a67a018cae678774d377f6cd",
@ -214,7 +214,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "1b4ccef57f4411360a02b8228e4251896c9492ff93a69ba3720da0cd46a04e83",
    Py = "1fabcb215bd7c06ead2e6b0167497efc2cdd3dbacf69bcb0244142fd63c1e405",
    scalar = "116741cd19dac61c5e77877fc6fef40f363b164b501dfbdbc09e17ea51d6beb0",
@ -224,7 +224,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "2807c88d6759280d6bd83a54d349a533d1a66dc32f72cab8114ab707f10e829b",
    Py = "dbf0d486aeed3d303880f324faa2605aa0219e35661bc88150470c7df1c0b61",
    scalar = "2a5976268563870739ced3e6efd8cf53887e8e4426803377095708509dd156ca",
@ -234,7 +234,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "2754a174a33a55f2a31573767e9bf5381b47dca1cbebc8b68dd4df58b3f1cc2",
    Py = "f222f59c8893ad87c581dacb3f8b6e7c20e7a13bc5fb6e24262a3436d663b1",
    scalar = "25d596bf6caf4565fbfd22d81f9cef40c8f89b1e5939f20caa1b28056e0e4f58",
@ -244,7 +244,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "273bf6c679d8e880034590d16c007bbabc6c65ed870a263b5d1ce7375c18fd7",
    Py = "2904086cb9e33657999229b082558a74c19b2b619a0499afb2e21d804d8598ee",
    scalar = "67a499a389129f3902ba6140660c431a56811b53de01d043e924711bd341e53",
@ -254,7 +254,7 @@ suite "Scalar Multiplication G1: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Px = "ec892c09a5f1c68c1bfec7780a1ebd279739383f2698eeefbba745b3e717fd5",
    Py = "23d273a1b9750fe1d4ebd4b7c25f4a8d7d94f6662c436305cca8ff2cdbd3f736",
    scalar = "d2f09ceaa2638b7ac3d7d4aa9eff7a12e93dc85db0f9676e5f19fb86d6273e9",
@ -298,7 +298,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  # Generated via sage sage/testgen_bn254_snarks.sage
  test(
    id = 0,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "1dcee2242ae85da43d02d38032b85836660f9a0a8777ab66c84ffbbde3ac3b25",
    Px1 = "1e2eb4c305e3b6c36a4081888b7a953eb44804b8b5120306331f8c89a3bb950",
    Py0 = "1db75f495edd522cae161ceeb86ca466ca2efd80ef979028d7aa39679de675fd",
@ -312,7 +312,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 1,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "5ed8c937273562944e0f1ebfb40e6511202188c1cabf588ed38735016d37b32",
    Px1 = "23f75e8322c4b540cd5b8fd144a89ab5206a040f498b7b59385770bc841cf012",
    Py0 = "2150beef17f5c22a65a4129390f47eece8f0c7d0c516790ea2632e7fd594ed8",
@ -326,7 +326,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 2,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2ac4b3d0a70d6686c63d9d63cce1370eafd4dc67f616c13582c6c64f6670513e",
    Px1 = "f1daeb6a2581ba6c8027a645ab5c10e303db4aee85c70c8fe11f4c1adcc7029",
    Py0 = "25807ff21967759cab64844741d006e2aa0221d9836613b1239da1a167d15131",
@ -340,7 +340,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 3,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2a028c1328bb0abf252edfbf7133b84eef2a5f20163fe61685b4b54229ca585d",
    Px1 = "8f80ad79e8e7e79bbdc645d9f5b339c52dd99a901b90de2494492656f11a9d5",
    Py0 = "1f04320578e31ffa2e2b59ad8fcb1aba622b5f307ac540cf2ccdab07dec56503",
@ -354,7 +354,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 4,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "1132e63c444e1abce6fc4c39bdf5be5caad586837cbf5ca9d3891482bdefe77",
    Px1 = "22b71f598dab789f055fc9669ddf66f0d75f581af0e9e8863d7f95a51ef34862",
    Py0 = "58e39050f64c9948d7238b99ecaee947cb934688a6e9f483c5c36b6e07aa31b",
@ -368,7 +368,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 5,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "6a20c456e80e2bfe37d8631d41ffed31cba5d1c411e816d64014d0088d16554",
    Px1 = "9d1555c77222abd79e17e2806386c53aba9609375276e817f52f03dc3f75676",
    Py0 = "127e76f384726e56dfaa46e6fde6dc644f5fd494d056191059e2bebc525ce835",
@ -382,7 +382,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 6,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "4c591d080257375d6189340185c6fe4c1fa796722d07e1bec0b17080b6b1154",
    Px1 = "241e2f2eb2a58afc2b5410d4ccbf75b53744ca1ac0bb28d7c60449f8d06204a4",
    Py0 = "eaddea52f2e884a5e2635965ca4146b12127fe8a8883e07def8e8720f410781",
@ -396,7 +396,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 7,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "115e772198e3f0003e31c0a1c48b6ac870d96020a4d634b7f14c15422d001cfe",
    Px1 = "1913447ff41836e0b6a3b01be670a2457e6119e02ae35903fb71be4369e269f7",
    Py0 = "14cb779c640aad2731b93b07c623c621a5585d0374f0394e5332f20ac28ca49d",
@ -410,7 +410,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 8,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "13faa1f28e6bfe89765c284e67face6ce0a29006ebc1551d4243e754c59f88ad",
    Px1 = "640cebb80938dfcb998d84a8e5aafd47ffbcba0aa2f8c9b1c585baf119a8942",
    Py0 = "1de793a9ef8f4dea5dad12fb09ddefa07ce197d4d7389a29ad3d8c6484582afe",
@ -424,7 +424,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 9,
-    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2fc3da947b78ac524a57670cef36ca89f1dad71b337bc3c18305c582a59648ad",
    Px1 = "2f7cc845d8c1ef0613f919d8c47f3c62f83608a45b1e186748ac5dcccd4c6baf",
    Py0 = "18ddc4718a4161f72f8d188fc61a609a3d592e186a65f4158483b719ffb05b8f",
@ -440,7 +440,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 0,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "1dcee2242ae85da43d02d38032b85836660f9a0a8777ab66c84ffbbde3ac3b25",
    Px1 = "1e2eb4c305e3b6c36a4081888b7a953eb44804b8b5120306331f8c89a3bb950",
    Py0 = "1db75f495edd522cae161ceeb86ca466ca2efd80ef979028d7aa39679de675fd",
@ -454,7 +454,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 1,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "5ed8c937273562944e0f1ebfb40e6511202188c1cabf588ed38735016d37b32",
    Px1 = "23f75e8322c4b540cd5b8fd144a89ab5206a040f498b7b59385770bc841cf012",
    Py0 = "2150beef17f5c22a65a4129390f47eece8f0c7d0c516790ea2632e7fd594ed8",
@ -468,7 +468,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 2,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2ac4b3d0a70d6686c63d9d63cce1370eafd4dc67f616c13582c6c64f6670513e",
    Px1 = "f1daeb6a2581ba6c8027a645ab5c10e303db4aee85c70c8fe11f4c1adcc7029",
    Py0 = "25807ff21967759cab64844741d006e2aa0221d9836613b1239da1a167d15131",
@ -482,7 +482,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 3,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2a028c1328bb0abf252edfbf7133b84eef2a5f20163fe61685b4b54229ca585d",
    Px1 = "8f80ad79e8e7e79bbdc645d9f5b339c52dd99a901b90de2494492656f11a9d5",
    Py0 = "1f04320578e31ffa2e2b59ad8fcb1aba622b5f307ac540cf2ccdab07dec56503",
@ -496,7 +496,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 4,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "1132e63c444e1abce6fc4c39bdf5be5caad586837cbf5ca9d3891482bdefe77",
    Px1 = "22b71f598dab789f055fc9669ddf66f0d75f581af0e9e8863d7f95a51ef34862",
    Py0 = "58e39050f64c9948d7238b99ecaee947cb934688a6e9f483c5c36b6e07aa31b",
@ -510,7 +510,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 5,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "6a20c456e80e2bfe37d8631d41ffed31cba5d1c411e816d64014d0088d16554",
    Px1 = "9d1555c77222abd79e17e2806386c53aba9609375276e817f52f03dc3f75676",
    Py0 = "127e76f384726e56dfaa46e6fde6dc644f5fd494d056191059e2bebc525ce835",
@ -524,7 +524,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 6,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "4c591d080257375d6189340185c6fe4c1fa796722d07e1bec0b17080b6b1154",
    Px1 = "241e2f2eb2a58afc2b5410d4ccbf75b53744ca1ac0bb28d7c60449f8d06204a4",
    Py0 = "eaddea52f2e884a5e2635965ca4146b12127fe8a8883e07def8e8720f410781",
@ -538,7 +538,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 7,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "115e772198e3f0003e31c0a1c48b6ac870d96020a4d634b7f14c15422d001cfe",
    Px1 = "1913447ff41836e0b6a3b01be670a2457e6119e02ae35903fb71be4369e269f7",
    Py0 = "14cb779c640aad2731b93b07c623c621a5585d0374f0394e5332f20ac28ca49d",
@ -552,7 +552,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 8,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "13faa1f28e6bfe89765c284e67face6ce0a29006ebc1551d4243e754c59f88ad",
    Px1 = "640cebb80938dfcb998d84a8e5aafd47ffbcba0aa2f8c9b1c585baf119a8942",
    Py0 = "1de793a9ef8f4dea5dad12fb09ddefa07ce197d4d7389a29ad3d8c6484582afe",
@ -566,7 +566,7 @@ suite "Scalar Multiplication G2: BN254 implementation vs SageMath" & " [" & $Wor
  test(
    id = 9,
-    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    EC = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Px0 = "2fc3da947b78ac524a57670cef36ca89f1dad71b337bc3c18305c582a59648ad",
    Px1 = "2f7cc845d8c1ef0613f919d8c47f3c62f83608a45b1e186748ac5dcccd4c6baf",
    Py0 = "18ddc4718a4161f72f8d188fc61a609a3d592e186a65f4158483b719ffb05b8f",
--- a/tests/t_ec_shortw_jac_g1_add_double.nim
+++ b/tests/t_ec_shortw_jac_g1_add_double.nim
@ -17,19 +17,25 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BN254_Snarks
  )
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_381
  )
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_377
  )
 run_EC_addition_tests(
    ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_add_double_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g1_mul_distri.nim
+++ b/tests/t_ec_shortw_jac_g1_mul_distri.nim
@ -18,19 +18,25 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BN254_Snarks
  )
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_381
  )
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_377
  )
 run_EC_mul_distributive_tests(
    ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_distributive_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g1_mul_sanity.nim
+++ b/tests/t_ec_shortw_jac_g1_mul_sanity.nim
@ -24,7 +24,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BN254_Snarks
  )
@ -56,8 +56,8 @@ suite "Order checks on BN254_Snarks":
          bool(impl.isInf())
          bool(reference.isInf())
-    test(ECP_ShortW_Jac[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
+    test(ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
-    test(ECP_ShortW_Jac[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
+    test(ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
    # TODO: BLS12 is using a subgroup of order "r" such as r*h = CurveOrder
    #       with h the curve cofactor
    #       instead of the full group
@ -67,20 +67,20 @@ suite "Order checks on BN254_Snarks":
  test "Not a point on the curve / not a square - #67":
    var ax, ay: Fp[BN254_Snarks]
    ax.fromHex"0x2a74c9ca553cd5f3437b41e77ca0c8cc77567a7eca5e7debc55b146b0bee324b"
-    ay.curve_eq_rhs(ax)
+    ay.curve_eq_rhs(ax, NotOnTwist)
    check:
      bool not ay.isSquare()
      bool not ay.sqrt_if_square()
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BLS12_381
  )
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_sanity_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g1_mul_vs_ref.nim
+++ b/tests/t_ec_shortw_jac_g1_mul_vs_ref.nim
@ -18,19 +18,25 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BN254_Snarks
  )
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_381
  )
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_377
  )
 run_EC_mul_vs_ref_impl(
    ec = ECP_ShortW_Jac[Fp[BW6_761], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g1_mul_vs_ref_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_add_double_bls12_377.nim
+++ b/tests/t_ec_shortw_jac_g2_add_double_bls12_377.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_add_double_bls12_381.nim
+++ b/tests/t_ec_shortw_jac_g2_add_double_bls12_381.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_jac_g2_add_double_bn254_snarks.nim
+++ b/tests/t_ec_shortw_jac_g2_add_double_bn254_snarks.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_jac_g2_add_double_bw6_761.nim
+++ b/tests/t_ec_shortw_jac_g2_add_double_bw6_761.nim
@ -0,0 +1,23 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_jacobian,
  # Test utilities
  ./t_ec_template
 const
  Iters = 8
 run_EC_addition_tests(
    ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_add_double_" & $BW6_761
  )
--- a/tests/t_ec_shortw_jac_g2_mixed_add_bls12_377.nim
+++ b/tests/t_ec_shortw_jac_g2_mixed_add_bls12_377.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_mixed_add_bls12_381.nim
+++ b/tests/t_ec_shortw_jac_g2_mixed_add_bls12_381.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_jac_g2_mixed_add_bn254_snarks.nim
+++ b/tests/t_ec_shortw_jac_g2_mixed_add_bn254_snarks.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_jac_g2_mixed_add_bw6_761.nim
+++ b/tests/t_ec_shortw_jac_g2_mixed_add_bw6_761.nim
@ -0,0 +1,23 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_jacobian,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
 run_EC_mixed_add_impl(
    ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_jacobian_mixed_add_" & $BW6_761
  )
--- a/tests/t_ec_shortw_jac_g2_mul_distri_bls12_377.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_distri_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_mul_distri_bls12_381.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_distri_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_jac_g2_mul_distri_bn254_snarks.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_distri_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_jac_g2_mul_distri_bw6_761.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_distri_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_jacobian,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
    ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_distributive_" & $BW6_761
  )
--- a/tests/t_ec_shortw_jac_g2_mul_sanity_bls12_377.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_sanity_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_mul_sanity_bls12_381.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_sanity_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_jac_g2_mul_sanity_bn254_snarks.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_sanity_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_jac_g2_mul_sanity_bw6_761.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_sanity_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_jacobian,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
    ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_sanity_" & $BW6_761
  )
--- a/tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_377.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_381.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_vs_ref_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Jac[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_jac_g2_mul_vs_ref_bn254_snarks.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_vs_ref_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Jac[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_jac_g2_mul_vs_ref_bw6_761.nim
+++ b/tests/t_ec_shortw_jac_g2_mul_vs_ref_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_jacobian,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
    ec = ECP_ShortW_Jac[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_jacobian_g2_mul_vs_ref_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_edge_cases.nim
+++ b/tests/t_ec_shortw_prj_edge_cases.nim
@ -26,7 +26,7 @@ import
  ./support/ec_reference_scalar_mult
 func testAddAssociativity[EC](a, b, c: EC) =
-  var tmp1{.noInit.}, tmp2{.noInit.}: ECP_ShortW_Proj[Fp2[BLS12_381]]
+  var tmp1{.noInit.}, tmp2{.noInit.}: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
  # r0 = (a + b) + c
  tmp1.sum(a, b)
@ -63,7 +63,7 @@ func testAddAssociativity[EC](a, b, c: EC) =
 suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit mode]":
  test "EC Add G2 is associative - #60":
-    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
+    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
    var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
    ax.fromHex(
@ -101,7 +101,7 @@ suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit
  test "EC Add G2 is associative - #65-1":
-    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
+    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
    var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
    ax.fromHex(
@ -139,7 +139,7 @@ suite "Short Weierstrass Elliptic Curve - Edge cases [" & $WordBitwidth & "-bit
  test "EC Add G2 is associative - #65-2":
-    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381]]
+    var a, b, c: ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist]
    var ax, az, bx, bz, cx, cz: Fp2[BLS12_381]
    ax.fromHex(
--- a/tests/t_ec_shortw_prj_g1_add_double.nim
+++ b/tests/t_ec_shortw_prj_g1_add_double.nim
@ -14,22 +14,28 @@ import
  ./t_ec_template
 const
-  Iters = 8
+  Iters = 1
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BN254_Snarks
  )
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BLS12_381
  )
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BLS12_377
  )
 run_EC_addition_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g1_add_double_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g1_mixed_add.nim
+++ b/tests/t_ec_shortw_prj_g1_mixed_add.nim
@ -18,19 +18,25 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BN254_Snarks
  )
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_381
  )
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_377
  )
 run_EC_mixed_add_impl(
    ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g1_mul_distri.nim
+++ b/tests/t_ec_shortw_prj_g1_mul_distri.nim
@ -18,19 +18,25 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BN254_Snarks
  )
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BLS12_381
  )
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BLS12_377
  )
 run_EC_mul_distributive_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_distributive_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g1_mul_sanity.nim
+++ b/tests/t_ec_shortw_prj_g1_mul_sanity.nim
@ -24,7 +24,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BN254_Snarks
  )
@ -56,31 +56,37 @@ suite "Order checks on BN254_Snarks":
          bool(impl.isInf())
          bool(reference.isInf())
-    test(ECP_ShortW_Proj[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
+    test(ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = false)
-    test(ECP_ShortW_Proj[Fp[BN254_Snarks]], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
+    test(ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist], bits = BN254_Snarks.getCurveOrderBitwidth(), randZ = true)
    # TODO: BLS12 is using a subgroup of order "r" such as r*h = CurveOrder
    #       with h the curve cofactor
    #       instead of the full group
-    # test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = false)
+    # test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = NotOnTwist)
    # test(Fp[BLS12_381], bits = BLS12_381.getCurveOrderBitwidth(), randZ = true)
  test "Not a point on the curve / not a square - #67":
    var ax, ay: Fp[BN254_Snarks]
    ax.fromHex"0x2a74c9ca553cd5f3437b41e77ca0c8cc77567a7eca5e7debc55b146b0bee324b"
-    ay.curve_eq_rhs(ax)
+    ay.curve_eq_rhs(ax, NotOnTwist)
    check:
      bool not ay.isSquare()
      bool not ay.sqrt_if_square()
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BLS12_381
  )
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BLS12_377
  )
 run_EC_mul_sanity_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_sanity_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g1_mul_vs_ref.nim
+++ b/tests/t_ec_shortw_prj_g1_mul_vs_ref.nim
@ -18,19 +18,25 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp[BN254_Snarks], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BN254_Snarks
  )
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_381], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BLS12_381
  )
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp[BLS12_377], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BLS12_377
  )
 run_EC_mul_vs_ref_impl(
    ec = ECP_ShortW_Proj[Fp[BW6_761], NotOnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g1_mul_vs_ref_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g2_add_double_bls12_377.nim
+++ b/tests/t_ec_shortw_prj_g2_add_double_bls12_377.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_prj_g2_add_double_bls12_381.nim
+++ b/tests/t_ec_shortw_prj_g2_add_double_bls12_381.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_prj_g2_add_double_bn254_snarks.nim
+++ b/tests/t_ec_shortw_prj_g2_add_double_bn254_snarks.nim
@ -18,7 +18,7 @@ const
  Iters = 8
 run_EC_addition_tests(
-    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_prj_g2_add_double_bw6_761.nim
+++ b/tests/t_ec_shortw_prj_g2_add_double_bw6_761.nim
@ -0,0 +1,23 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_projective,
  # Test utilities
  ./t_ec_template
 const
  Iters = 8
 run_EC_addition_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_g2_add_double_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g2_mixed_add_bls12_377.nim
+++ b/tests/t_ec_shortw_prj_g2_mixed_add_bls12_377.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_prj_g2_mixed_add_bls12_381.nim
+++ b/tests/t_ec_shortw_prj_g2_mixed_add_bls12_381.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_prj_g2_mixed_add_bn254_snarks.nim
+++ b/tests/t_ec_shortw_prj_g2_mixed_add_bn254_snarks.nim
@ -18,7 +18,7 @@ const
  Iters = 12
 run_EC_mixed_add_impl(
-    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_prj_g2_mixed_add_bw6_761.nim
+++ b/tests/t_ec_shortw_prj_g2_mixed_add_bw6_761.nim
@ -0,0 +1,23 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_projective,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
 run_EC_mixed_add_impl(
    ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
    Iters = Iters,
    moduleName = "test_ec_shortweierstrass_projective_mixed_add_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g2_mul_distri_bls12_377.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_distri_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_prj_g2_mul_distri_bls12_381.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_distri_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_prj_g2_mul_distri_bn254_snarks.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_distri_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
-    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_prj_g2_mul_distri_bw6_761.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_distri_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_projective,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_distributive_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_distributive_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g2_mul_sanity_bls12_377.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_sanity_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_prj_g2_mul_sanity_bls12_381.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_sanity_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_prj_g2_mul_sanity_bn254_snarks.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_sanity_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
-    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_prj_g2_mul_sanity_bw6_761.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_sanity_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_projective,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_sanity_tests(
    ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_sanity_" & $BW6_761
  )
--- a/tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_377.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_377.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_377]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_377], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BLS12_377
  )
--- a/tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_381.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_vs_ref_bls12_381.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp2[BLS12_381]],
+    ec = ECP_ShortW_Proj[Fp2[BLS12_381], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BLS12_381
  )
--- a/tests/t_ec_shortw_prj_g2_mul_vs_ref_bn254_snarks.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_vs_ref_bn254_snarks.nim
@ -19,7 +19,7 @@ const
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
-    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks]],
+    ec = ECP_ShortW_Proj[Fp2[BN254_Snarks], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BN254_Snarks
  )
--- a/tests/t_ec_shortw_prj_g2_mul_vs_ref_bw6_761.nim
+++ b/tests/t_ec_shortw_prj_g2_mul_vs_ref_bw6_761.nim
@ -0,0 +1,24 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/config/[type_fp, curves],
  ../constantine/elliptic/ec_shortweierstrass_projective,
  # Test utilities
  ./t_ec_template
 const
  Iters = 12
  ItersMul = Iters div 4
 run_EC_mul_vs_ref_impl(
    ec = ECP_ShortW_Proj[Fp[BW6_761], OnTwist],
    ItersMul = ItersMul,
    moduleName = "test_ec_shortweierstrass_projective_g2_mul_vs_ref_" & $BW6_761
  )
--- a/tests/t_ec_template.nim
+++ b/tests/t_ec_template.nim
@ -64,7 +64,7 @@ proc run_EC_addition_tests*(
  echo "\n------------------------------------------------------\n"
  echo moduleName, " xoshiro512** seed: ", seed
-  when ec.F is Fp:
+  when ec.Tw == NotOnTwist:
    const G1_or_G2 = "G1"
  else:
    const G1_or_G2 = "G2"
@ -215,7 +215,7 @@ proc run_EC_mul_sanity_tests*(
  echo "\n------------------------------------------------------\n"
  echo moduleName, " xoshiro512** seed: ", seed
-  when ec.F is Fp:
+  when ec.Tw == NotOnTwist:
    const G1_or_G2 = "G1"
  else:
    const G1_or_G2 = "G2"
@ -313,7 +313,7 @@ proc run_EC_mul_distributive_tests*(
  echo "\n------------------------------------------------------\n"
  echo moduleName, " xoshiro512** seed: ", seed
-  when ec.F is Fp:
+  when ec.Tw == NotOnTwist:
    const G1_or_G2 = "G1"
  else:
    const G1_or_G2 = "G2"
@ -383,7 +383,7 @@ proc run_EC_mul_vs_ref_impl*(
  echo "\n------------------------------------------------------\n"
  echo moduleName, " xoshiro512** seed: ", seed
-  when ec.F is Fp:
+  when ec.Tw == NotOnTwist:
    const G1_or_G2 = "G1"
  else:
    const G1_or_G2 = "G2"
@ -427,7 +427,7 @@ proc run_EC_mixed_add_impl*(
  echo "\n------------------------------------------------------\n"
  echo moduleName, " xoshiro512** seed: ", seed
-  when ec.F is Fp:
+  when ec.Tw == NotOnTwist:
    const G1_or_G2 = "G1"
  else:
    const G1_or_G2 = "G2"
@ -440,7 +440,7 @@ proc run_EC_mixed_add_impl*(
        for _ in 0 ..< Iters:
          let a = rng.random_point(EC, randZ, gen)
          let b = rng.random_point(EC, randZ, gen)
-          var bAff: ECP_ShortW_Aff[EC.F]
+          var bAff: ECP_ShortW_Aff[EC.F, EC.Tw]
          bAff.affineFromProjective(b)
          var r_generic, r_mixed: EC
--- a/tests/t_finite_fields_sqrt.nim
+++ b/tests/t_finite_fields_sqrt.nim
@ -119,8 +119,8 @@ proc randomSqrtCheck(C: static Curve) =
 proc main() =
  suite "Modular square root" & " [" & $WordBitwidth & "-bit mode]":
    exhaustiveCheck Fake103, 103
-    exhaustiveCheck Fake10007, 10007
+    # exhaustiveCheck Fake10007, 10007
-    exhaustiveCheck Fake65519, 65519
+    # exhaustiveCheck Fake65519, 65519
    randomSqrtCheck BN254_Nogami
    randomSqrtCheck BN254_Snarks
    randomSqrtCheck BLS12_377 # p ≢ 3 (mod 4)
--- a/tests/t_finite_fields_vs_gmp.nim
+++ b/tests/t_finite_fields_vs_gmp.nim
@ -25,7 +25,7 @@ const AvailableCurves = [
  P224,
  BN254_Nogami, BN254_Snarks,
  P256, Secp256k1,
-  BLS12_381
+  BLS12_377, BLS12_381, BW6_761
 ]
 const # https://gmplib.org/manual/Integer-Import-and-Export.html
@ -133,7 +133,7 @@ proc addTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
  r2Test += bTest
  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Addition (with result)")
-  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Addition (in-place)")
+  binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Addition (in-place)")
 proc subTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
  # echo "Testing: random modular substraction on ", $C
@ -155,8 +155,12 @@ proc subTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
  var r2Test = aTest
  r2Test -= bTest
  var r3Test = bTest
  r3Test.diffAlias(aTest, r3Test)
  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Substraction (with result)")
-  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Substraction (in-place)")
+  binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Substraction (in-place)")
  binary_epilogue(r, a, b, r3Test, aBuf, bBuf, "Substraction (result aliasing)")
 proc mulTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
  # echo "Testing: random modular multiplication on ", $C
@ -175,7 +179,11 @@ proc mulTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curv
  var rTest {.noInit.}: Fp[C]
  rTest.prod(aTest, bTest)
-  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Multiplication")
+  var r2Test = aTest
  r2Test *= bTest
  binary_epilogue(r, a, b, rTest, aBuf, bBuf, "Multiplication (with result)")
  binary_epilogue(r, a, b, r2Test, aBuf, bBuf, "Multiplication (in-place)")
 proc invTests(gmpRng: var gmp_randstate_t, a, b, p, r: var mpz_t, C: static Curve) =
  # We use the binary prologue epilogue but the "b" parameter is actual unused
--- a/tests/t_fp2.nim
+++ b/tests/t_fp2.nim
@ -18,6 +18,7 @@ const TestCurves = [
    BN254_Snarks,
    BLS12_377,
    BLS12_381,
    BW6_761
  ]
 runTowerTests(
--- a/tests/t_fp6_bw6_761.nim
+++ b/tests/t_fp6_bw6_761.nim
@ -0,0 +1,26 @@
 # Constantine
 # Copyright (c) 2018-2019    Status Research & Development GmbH
 # Copyright (c) 2020-Present Mamy André-Ratsimbazafy
 # Licensed and distributed under either of
 #   * MIT license (license terms in the root directory or at http://opensource.org/licenses/MIT).
 #   * Apache v2 license (license terms in the root directory or at http://www.apache.org/licenses/LICENSE-2.0).
 # at your option. This file may not be copied, modified, or distributed except according to those terms.
 import
  # Internals
  ../constantine/towers,
  ../constantine/config/curves,
  # Test utilities
  ./t_fp_tower_template
 const TestCurves = [
    BW6_761,
  ]
 runTowerTests(
  ExtDegree = 6,
  Iters = 12,
  TestCurves = TestCurves,
  moduleName = "test_fp6_" & $BW6_761,
  testSuiteDesc = "𝔽p6 = 𝔽p2[v] " & $BW6_761
 )
--- a/tests/t_pairing_bls12_377_line_functions.nim
+++ b/tests/t_pairing_bls12_377_line_functions.nim
@ -69,10 +69,10 @@ suite "Pairing - Line Functions on BLS12-377" & " [" & $WordBitwidth & "-bit mod
  test "Line double - lt,t(P)":
    proc test_line_double(C: static Curve, randZ: bool, gen: RandomGen) =
      for _ in 0 ..< Iters:
-        let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
+        let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
-        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var l: Line[Fp2[C], C.getSexticTwist()]
+        var l: Line[Fp2[C]]
        var T2: typeof(Q)
        T2.double(T)
@ -91,15 +91,15 @@ suite "Pairing - Line Functions on BLS12-377" & " [" & $WordBitwidth & "-bit mod
  test "Line add - lt,q(P)":
    proc test_line_add(C: static Curve, randZ: bool, gen: RandomGen) =
      for _ in 0 ..< Iters:
-        let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
+        let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
-        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var l: Line[Fp2[C], C.getSexticTwist()]
+        var l: Line[Fp2[C]]
        var TQ{.noInit.}: typeof(T)
        TQ.sum(T, Q)
-        var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+        var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
        Qaff.affineFromProjective(Q)
        l.line_add(T, Qaff, P)
--- a/tests/t_pairing_bls12_381_line_functions.nim
+++ b/tests/t_pairing_bls12_381_line_functions.nim
@ -69,10 +69,10 @@ suite "Pairing - Line Functions on BLS12-381" & " [" & $WordBitwidth & "-bit mod
  test "Line double - lt,t(P)":
    proc test_line_double(C: static Curve, randZ: bool, gen: RandomGen) =
      for _ in 0 ..< Iters:
-        let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
+        let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
-        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var l: Line[Fp2[C], C.getSexticTwist()]
+        var l: Line[Fp2[C]]
        var T2: typeof(Q)
        T2.double(T)
@ -91,15 +91,15 @@ suite "Pairing - Line Functions on BLS12-381" & " [" & $WordBitwidth & "-bit mod
  test "Line add - lt,q(P)":
    proc test_line_add(C: static Curve, randZ: bool, gen: RandomGen) =
      for _ in 0 ..< Iters:
-        let P = rng.random_point(ECP_ShortW_Aff[Fp[C]], gen)
+        let P = rng.random_point(ECP_ShortW_Aff[Fp[C], NotOnTwist], gen)
-        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+        var T = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
-        var l: Line[Fp2[C], C.getSexticTwist()]
+        var l: Line[Fp2[C]]
        var TQ{.noInit.}: typeof(T)
        TQ.sum(T, Q)
-        var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C]]
+        var Qaff{.noInit.}: ECP_ShortW_Aff[Fp2[C], OnTwist]
        Qaff.affineFromProjective(Q)
        l.line_add(T, Qaff, P)
--- a/tests/t_pairing_mul_fp12_by_lines.nim
+++ b/tests/t_pairing_mul_fp12_by_lines.nim
@ -97,7 +97,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
        let x = rng.random_elem(Fp2[C], gen)
        let y = rng.random_elem(Fp2[C], gen)
        let b = Fp6[C](c0: x, c1: y)
-        let line = Line[Fp2[C], M_twist](x: x, y: y)
+        let line = Line[Fp2[C]](x: x, y: y)
        var r {.noInit.}, r2 {.noInit.}: Fp6[C]
@ -122,7 +122,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
          var y = rng.random_elem(Fp2[C], gen)
          var z = rng.random_elem(Fp2[C], gen)
-          let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
+          let line = Line[Fp2[C]](x: x, y: y, z: z)
          let b = Fp12[C](
            c0: Fp6[C](c0: x, c1: y),
            c1: Fp6[C](c1: z)
@ -148,7 +148,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
          var y = rng.random_elem(Fp2[C], gen)
          var z = rng.random_elem(Fp2[C], gen)
-          let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
+          let line = Line[Fp2[C]](x: x, y: y, z: z)
          let b = Fp12[C](
            c0: Fp6[C](c0: x, c1: y, c2: z)
          )
@ -165,8 +165,9 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
  else:
    static: doAssert Fp12[BN254_Snarks]().c0.typeof is Fp4
-    test "Sparse 𝔽p12/𝔽p4 resulting from xy000z line function":
+    test "Sparse 𝔽p12/𝔽p4 resulting from xy000z line function (M-twist only)":
      proc test_fp12_xy000z(C: static Curve, gen: static RandomGen) =
        when C.getSexticTwist() == M_Twist:
          for _ in 0 ..< Iters:
            var a = rng.random_elem(Fp12[C], gen)
            var a2 = a
@ -175,7 +176,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
            var y = rng.random_elem(Fp2[C], gen)
            var z = rng.random_elem(Fp2[C], gen)
-          let line = Line[Fp2[C], Mtwist](x: x, y: y, z: z)
+            let line = Line[Fp2[C]](x: x, y: y, z: z)
            let b = Fp12[C](
              c0: Fp4[C](c0: x, c1: y),
              # c1
@ -192,8 +193,9 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
        test_fp12_xy000z(curve, gen = HighHammingWeight)
        test_fp12_xy000z(curve, gen = Long01Sequence)
-    test "Sparse 𝔽p12/𝔽p4 resulting from xyz000 line function":
+    test "Sparse 𝔽p12/𝔽p4 resulting from xyz000 line function (D-twist only)":
      proc test_fp12_xy000z(C: static Curve, gen: static RandomGen) =
        when C.getSexticTwist() == D_Twist:
          for _ in 0 ..< Iters:
            var a = rng.random_elem(Fp12[C], gen)
            var a2 = a
@ -202,7 +204,7 @@ suite "Pairing - Sparse 𝔽p12 multiplication by line function is consistent wi
            var y = rng.random_elem(Fp2[C], gen)
            var z = rng.random_elem(Fp2[C], gen)
-          let line = Line[Fp2[C], Dtwist](x: x, y: y, z: z)
+            let line = Line[Fp2[C]](x: x, y: y, z: z)
            let b = Fp12[C](
              c0: Fp4[C](c0: x, c1: y),
              c1: Fp4[C](c0: z       ),
--- a/tests/t_pairing_template.nim
+++ b/tests/t_pairing_template.nim
@ -61,8 +61,8 @@ template runPairingTests*(Iters: static int, C: static Curve, pairing_fn: untype
  proc test_bilinearity_double_impl(randZ: bool, gen: RandomGen) =
    for _ in 0 ..< Iters:
-      let P = rng.random_point(ECP_ShortW_Proj[Fp[C]], randZ, gen)
+      let P = rng.random_point(ECP_ShortW_Proj[Fp[C], NotOnTwist], randZ, gen)
-      let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C]], randZ, gen)
+      let Q = rng.random_point(ECP_ShortW_Proj[Fp2[C], OnTwist], randZ, gen)
      var P2: typeof(P)
      var Q2: typeof(Q)