@noble/curves 0.3.1 → 0.4.0

package/lib/weierstrass.js

@@ -2,7 +2,7 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Implementation of Short Weierstrass curve. The formula is: y² = x³ + ax + b
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.weierstrass = void 0;
+exports.weierstrass = exports.weierstrassPoints = void 0;
 // TODO: sync vs async naming
 // TODO: default randomBytes
 // Differences from @noble/secp256k1 1.7:
@@ -12,41 +12,9 @@ exports.weierstrass = void 0;
 // 4. DRBG supports outputLen bigger than outputLen of hmac
 const mod = require("./modular.js");
 const utils_js_1 = require("./utils.js");
+const utils = require("./utils.js");
+const hashToCurve_js_1 = require("./hashToCurve.js");
 const group_js_1 = require("./group.js");
-// Should be separate from overrides, since overrides can use information about curve (for example nBits)
-function validateOpts(curve) {
-    const opts = (0, utils_js_1.validateOpts)(curve);
-    for (const i of ['a', 'b']) {
-        if (typeof opts[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
-    }
-    for (const fn of ['hash', 'hmac']) {
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    for (const fn of ['randomBytes']) {
-        if (opts[fn] === undefined)
-            continue; // Optional
-        if (typeof opts[fn] !== 'function')
-            throw new Error(`Invalid ${fn} function`);
-    }
-    if (!Number.isSafeInteger(opts.hash.outputLen))
-        throw new Error('Invalid hash function');
-    const endo = opts.endo;
-    if (endo) {
-        if (opts.a !== _0n) {
-            throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
-        }
-        if (typeof endo !== 'object' ||
-            typeof endo.beta !== 'bigint' ||
-            typeof endo.splitScalar !== 'function') {
-            throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
-        }
-    }
-    // Set defaults
-    return Object.freeze({ lowS: true, randomBytes: utils_js_1.randomBytes, ...opts });
-}
-// TODO: convert bits to bytes aligned to 32 bits? (224 for example)
 // DER encoding utilities
 class DERError extends Error {
     constructor(message) {
@@ -93,108 +61,73 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _3n = BigInt(3);
 const _8n = BigInt(8);
-/**
- * Minimal HMAC-DRBG (NIST 800-90) for signatures.
- * Used only for RFC6979, does not fully implement DRBG spec.
- */
-class HmacDrbg {
-    constructor(hashLen, qByteLen, hmacFn) {
-        this.hashLen = hashLen;
-        this.qByteLen = qByteLen;
-        this.hmacFn = hmacFn;
-        if (typeof hashLen !== 'number' || hashLen < 2)
-            throw new Error('hashLen must be a number');
-        if (typeof qByteLen !== 'number' || qByteLen < 2)
-            throw new Error('qByteLen must be a number');
-        if (typeof hmacFn !== 'function')
-            throw new Error('hmacFn must be a function');
-        // Step B, Step C: set hashLen to 8*ceil(hlen/8)
-        this.v = new Uint8Array(hashLen).fill(1);
-        this.k = new Uint8Array(hashLen).fill(0);
-        this.counter = 0;
-    }
-    hmacSync(...values) {
-        return this.hmacFn(this.k, ...values);
-    }
-    incr() {
-        if (this.counter >= 1000)
-            throw new Error('Tried 1,000 k values for sign(), all were invalid');
-        this.counter += 1;
+function validatePointOpts(curve) {
+    const opts = utils.validateOpts(curve);
+    const Fp = opts.Fp;
+    for (const i of ['a', 'b']) {
+        if (!Fp.isValid(curve[i]))
+            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
     }
-    reseedSync(seed = new Uint8Array()) {
-        this.k = this.hmacSync(this.v, Uint8Array.from([0x00]), seed);
-        this.v = this.hmacSync(this.v);
-        if (seed.length === 0)
-            return;
-        this.k = this.hmacSync(this.v, Uint8Array.from([0x01]), seed);
-        this.v = this.hmacSync(this.v);
+    for (const i of ['isTorsionFree', 'clearCofactor', 'mapToCurve']) {
+        if (curve[i] === undefined)
+            continue; // Optional
+        if (typeof curve[i] !== 'function')
+            throw new Error(`Invalid ${i} function`);
     }
-    // TODO: review
-    generateSync() {
-        this.incr();
-        let len = 0;
-        const out = [];
-        while (len < this.qByteLen) {
-            this.v = this.hmacSync(this.v);
-            const sl = this.v.slice();
-            out.push(sl);
-            len += this.v.length;
+    const endo = opts.endo;
+    if (endo) {
+        if (!Fp.equals(opts.a, Fp.ZERO)) {
+            throw new Error('Endomorphism can only be defined for Koblitz curves that have a=0');
+        }
+        if (typeof endo !== 'object' ||
+            typeof endo.beta !== 'bigint' ||
+            typeof endo.splitScalar !== 'function') {
+            throw new Error('Expected endomorphism with beta: bigint and splitScalar: function');
         }
-        return (0, utils_js_1.concatBytes)(...out);
     }
+    if (typeof opts.fromBytes !== 'function')
+        throw new Error('Invalid fromBytes function');
+    if (typeof opts.toBytes !== 'function')
+        throw new Error('Invalid fromBytes function');
+    // Requires including hashToCurve file
+    if (opts.htfDefaults !== undefined)
+        (0, hashToCurve_js_1.validateHTFOpts)(opts.htfDefaults);
+    // Set defaults
+    return Object.freeze({ ...opts });
 }
-// Use only input from curveOpts!
-function weierstrass(curveDef) {
-    const CURVE = validateOpts(curveDef);
-    const CURVE_ORDER = CURVE.n;
+function weierstrassPoints(opts) {
+    const CURVE = validatePointOpts(opts);
+    const Fp = CURVE.Fp;
     // Lengths
     // All curves has same field / group length as for now, but it can be different for other curves
-    const groupLen = CURVE.nByteLength;
-    const fieldLen = CURVE.nByteLength; // 32 (length of one field element)
-    if (fieldLen > 2048)
-        throw new Error('Field lengths over 2048 are not supported');
-    const compressedLen = fieldLen + 1; // 33
-    const uncompressedLen = 2 * fieldLen + 1; // 65
+    const { nByteLength, nBitLength } = CURVE;
+    const groupLen = nByteLength;
     // Not using ** operator with bigints for old engines.
     // 2n ** (8n * 32n) == 2n << (8n * 32n - 1n)
-    const FIELD_MASK = _2n << (_8n * BigInt(fieldLen) - _1n);
-    function numToFieldStr(num) {
-        if (typeof num !== 'bigint')
-            throw new Error('Expected bigint');
-        if (!(_0n <= num && num < FIELD_MASK))
-            throw new Error(`Expected number < 2^${fieldLen * 8}`);
-        return num.toString(16).padStart(2 * fieldLen, '0');
-    }
-    function numToField(num) {
-        const b = (0, utils_js_1.hexToBytes)(numToFieldStr(num));
-        if (b.length !== fieldLen)
-            throw new Error(`Error: expected ${fieldLen} bytes`);
-        return b;
-    }
-    function modP(n, m = CURVE.P) {
-        return mod.mod(n, m);
-    }
+    //const FIELD_MASK = _2n << (_8n * BigInt(fieldLen) - _1n);
+    // function numToFieldStr(num: bigint): string {
+    //   if (typeof num !== 'bigint') throw new Error('Expected bigint');
+    //   if (!(_0n <= num && num < FIELD_MASK)) throw new Error(`Expected number < 2^${fieldLen * 8}`);
+    //   return num.toString(16).padStart(2 * fieldLen, '0');
+    // }
     /**
      * y² = x³ + ax + b: Short weierstrass curve formula
      * @returns y²
      */
     function weierstrassEquation(x) {
         const { a, b } = CURVE;
-        const x2 = modP(x * x);
-        const x3 = modP(x2 * x);
-        return modP(x3 + a * x + b);
+        const x2 = Fp.square(x); // x * x
+        const x3 = Fp.multiply(x2, x); // x2 * x
+        return Fp.add(Fp.add(x3, Fp.multiply(x, a)), b); // x3 + a * x + b
     }
     function isWithinCurveOrder(num) {
         return _0n < num && num < CURVE.n;
     }
-    function isValidFieldElement(num) {
-        return _0n < num && num < CURVE.P;
-    }
     function normalizePrivateKey(key) {
-        let num;
         if (typeof CURVE.normalizePrivateKey === 'function') {
             key = CURVE.normalizePrivateKey(key);
         }
+        let num;
         if (typeof key === 'bigint') {
             num = key;
         }
@@ -214,32 +147,12 @@ function weierstrass(curveDef) {
         else {
             throw new TypeError('Expected valid private key');
         }
+        if (CURVE.wrapPrivateKey)
+            num = mod.mod(num, CURVE.n);
         if (!isWithinCurveOrder(num))
             throw new Error('Expected private key: 0 < key < n');
         return num;
     }
-    /**
-     * Normalizes hex, bytes, Point to Point. Checks for curve equation.
-     */
-    function normalizePublicKey(publicKey) {
-        if (publicKey instanceof Point) {
-            publicKey.assertValidity();
-            return publicKey;
-        }
-        else if (publicKey instanceof Uint8Array || typeof publicKey === 'string') {
-            return Point.fromHex(publicKey);
-            // This can happen because PointType can be instance of different class
-        }
-        else
-            throw new Error(`Unknown type of public key: ${publicKey}`);
-    }
-    function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE_ORDER >> _1n;
-        return number > HALF;
-    }
-    function normalizeS(s) {
-        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE_ORDER) : s;
-    }
     function normalizeScalar(num) {
         if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
             return BigInt(num);
@@ -247,20 +160,6 @@ function weierstrass(curveDef) {
             return num;
         throw new TypeError('Expected valid private scalar: 0 < scalar < curve.n');
     }
-    const sqrtModCurve = CURVE.sqrtMod || mod.sqrt;
-    // Ensures ECDSA message hashes are 32 bytes and < curve order
-    function _truncateHash(hash, truncateOnly = false) {
-        const { n, nBitLength } = CURVE;
-        const byteLength = hash.length;
-        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = (0, utils_js_1.bytesToNumberBE)(hash);
-        if (delta > 0)
-            h = h >> BigInt(delta);
-        if (!truncateOnly && h >= n)
-            h -= n;
-        return h;
-    }
-    const truncateHash = CURVE.truncateHash || _truncateHash;
     /**
      * Jacobian Point works in 3d / jacobi coordinates: (x, y, z) ∋ (x=x/z², y=y/z³)
      * Default Point works in 2d / affine coordinates: (x, y)
@@ -279,7 +178,7 @@ function weierstrass(curveDef) {
             // fromAffine(x:0, y:0) would produce (x:0, y:0, z:1), but we need (x:0, y:1, z:0)
             if (p.equals(Point.ZERO))
                 return JacobianPoint.ZERO;
-            return new JacobianPoint(p.x, p.y, _1n);
+            return new JacobianPoint(p.x, p.y, Fp.ONE);
         }
         /**
          * Takes a bunch of Jacobian Points but executes only one
@@ -287,7 +186,7 @@ function weierstrass(curveDef) {
          * so this improves performance massively.
          */
         static toAffineBatch(points) {
-            const toInv = mod.invertBatch(points.map((p) => p.z), CURVE.P);
+            const toInv = Fp.invertBatch(points.map((p) => p.z));
             return points.map((p, i) => p.toAffine(toInv[i]));
         }
         static normalizeZ(points) {
@@ -301,19 +200,19 @@ function weierstrass(curveDef) {
                 throw new TypeError('JacobianPoint expected');
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
-            const Z1Z1 = modP(Z1 * Z1);
-            const Z2Z2 = modP(Z2 * Z2);
-            const U1 = modP(X1 * Z2Z2);
-            const U2 = modP(X2 * Z1Z1);
-            const S1 = modP(modP(Y1 * Z2) * Z2Z2);
-            const S2 = modP(modP(Y2 * Z1) * Z1Z1);
-            return U1 === U2 && S1 === S2;
+            const Z1Z1 = Fp.square(Z1); // Z1 * Z1
+            const Z2Z2 = Fp.square(Z2); // Z2 * Z2
+            const U1 = Fp.multiply(X1, Z2Z2); // X1 * Z2Z2
+            const U2 = Fp.multiply(X2, Z1Z1); // X2 * Z1Z1
+            const S1 = Fp.multiply(Fp.multiply(Y1, Z2), Z2Z2); // Y1 * Z2 * Z2Z2
+            const S2 = Fp.multiply(Fp.multiply(Y2, Z1), Z1Z1); // Y2 * Z1 * Z1Z1
+            return Fp.equals(U1, U2) && Fp.equals(S1, S2);
         }
         /**
          * Flips point to one corresponding to (x, -y) in Affine coordinates.
          */
         negate() {
-            return new JacobianPoint(this.x, modP(-this.y), this.z);
+            return new JacobianPoint(this.x, Fp.negate(this.y), this.z);
         }
         // Fast algo for doubling 2 Jacobian Points.
         // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl
@@ -324,31 +223,31 @@ function weierstrass(curveDef) {
             // Faster algorithm: when a=0
             // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
             // Cost: 2M + 5S + 6add + 3*2 + 1*3 + 1*8.
-            if (a === _0n) {
-                const A = modP(X1 * X1);
-                const B = modP(Y1 * Y1);
-                const C = modP(B * B);
-                const x1b = X1 + B;
-                const D = modP(_2n * (modP(x1b * x1b) - A - C));
-                const E = modP(_3n * A);
-                const F = modP(E * E);
-                const X3 = modP(F - _2n * D);
-                const Y3 = modP(E * (D - X3) - _8n * C);
-                const Z3 = modP(_2n * Y1 * Z1);
+            if (Fp.isZero(a)) {
+                const A = Fp.square(X1); // X1 * X1
+                const B = Fp.square(Y1); // Y1 * Y1
+                const C = Fp.square(B); // B * B
+                const x1b = Fp.addN(X1, B); // X1 + B
+                const D = Fp.multiply(Fp.subtractN(Fp.subtractN(Fp.square(x1b), A), C), _2n); // ((x1b * x1b) - A - C) * 2
+                const E = Fp.multiply(A, _3n); // A * 3
+                const F = Fp.square(E); // E * E
+                const X3 = Fp.subtract(F, Fp.multiplyN(D, _2n)); // F - 2 * D
+                const Y3 = Fp.subtract(Fp.multiplyN(E, Fp.subtractN(D, X3)), Fp.multiplyN(C, _8n)); // E * (D - X3) - 8 * C;
+                const Z3 = Fp.multiply(Fp.multiplyN(Y1, _2n), Z1); // 2 * Y1 * Z1
                 return new JacobianPoint(X3, Y3, Z3);
             }
-            const XX = modP(X1 * X1);
-            const YY = modP(Y1 * Y1);
-            const YYYY = modP(YY * YY);
-            const ZZ = modP(Z1 * Z1);
-            const tmp1 = modP(X1 + YY);
-            const S = modP(_2n * (modP(tmp1 * tmp1) - XX - YYYY)); // 2*((X1+YY)^2-XX-YYYY)
-            const M = modP(_3n * XX + a * modP(ZZ * ZZ));
-            const T = modP(modP(M * M) - _2n * S); // M^2-2*S
+            const XX = Fp.square(X1); //  X1 * X1
+            const YY = Fp.square(Y1); // Y1 * Y1
+            const YYYY = Fp.square(YY); // YY * YY
+            const ZZ = Fp.square(Z1); //  Z1 * Z1
+            const tmp1 = Fp.add(X1, YY); // X1 + YY
+            const S = Fp.multiply(Fp.subtractN(Fp.subtractN(Fp.square(tmp1), XX), YYYY), _2n); // 2*((X1+YY)^2-XX-YYYY)
+            const M = Fp.add(Fp.multiplyN(XX, _3n), Fp.multiplyN(Fp.square(ZZ), a)); // 3 * XX + a * ZZ^2
+            const T = Fp.subtract(Fp.square(M), Fp.multiplyN(S, _2n)); // M^2-2*S
             const X3 = T;
-            const Y3 = modP(M * (S - T) - _8n * YYYY); // M*(S-T)-8*YYYY
-            const y1az1 = modP(Y1 + Z1); // (Y1+Z1)
-            const Z3 = modP(modP(y1az1 * y1az1) - YY - ZZ); // (Y1+Z1)^2-YY-ZZ
+            const Y3 = Fp.subtract(Fp.multiplyN(M, Fp.subtractN(S, T)), Fp.multiplyN(YYYY, _8n)); // M*(S-T)-8*YYYY
+            const y1az1 = Fp.add(Y1, Z1); // (Y1+Z1)
+            const Z3 = Fp.subtract(Fp.subtractN(Fp.square(y1az1), YY), ZZ); // (Y1+Z1)^2-YY-ZZ
             return new JacobianPoint(X3, Y3, Z3);
         }
         // Fast algo for adding 2 Jacobian Points.
@@ -360,28 +259,28 @@ function weierstrass(curveDef) {
                 throw new TypeError('JacobianPoint expected');
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
-            if (X2 === _0n || Y2 === _0n)
+            if (Fp.isZero(X2) || Fp.isZero(Y2))
                 return this;
-            if (X1 === _0n || Y1 === _0n)
+            if (Fp.isZero(X1) || Fp.isZero(Y1))
                 return other;
             // We're using same code in equals()
-            const Z1Z1 = modP(Z1 * Z1); // Z1Z1 = Z1^2
-            const Z2Z2 = modP(Z2 * Z2); // Z2Z2 = Z2^2;
-            const U1 = modP(X1 * Z2Z2); // X1 * Z2Z2
-            const U2 = modP(X2 * Z1Z1); // X2 * Z1Z1
-            const S1 = modP(modP(Y1 * Z2) * Z2Z2); // Y1 * Z2 * Z2Z2
-            const S2 = modP(modP(Y2 * Z1) * Z1Z1); // Y2 * Z1 * Z1Z1
-            const H = modP(U2 - U1); // H = U2 - U1
-            const r = modP(S2 - S1); // S2 - S1
+            const Z1Z1 = Fp.square(Z1); // Z1Z1 = Z1^2
+            const Z2Z2 = Fp.square(Z2); // Z2Z2 = Z2^2;
+            const U1 = Fp.multiply(X1, Z2Z2); // X1 * Z2Z2
+            const U2 = Fp.multiply(X2, Z1Z1); // X2 * Z1Z1
+            const S1 = Fp.multiply(Fp.multiply(Y1, Z2), Z2Z2); // Y1 * Z2 * Z2Z2
+            const S2 = Fp.multiply(Fp.multiply(Y2, Z1), Z1Z1); // Y2 * Z1 * Z1Z1
+            const H = Fp.subtractN(U2, U1); // H = U2 - U1
+            const r = Fp.subtractN(S2, S1); // S2 - S1
             // H = 0 meaning it's the same point.
-            if (H === _0n)
-                return r === _0n ? this.double() : JacobianPoint.ZERO;
-            const HH = modP(H * H); // HH = H2
-            const HHH = modP(H * HH); // HHH = H * HH
-            const V = modP(U1 * HH); // V = U1 * HH
-            const X3 = modP(r * r - HHH - _2n * V); // X3 = r^2 - HHH - 2 * V;
-            const Y3 = modP(r * (V - X3) - S1 * HHH); // Y3 = r * (V - X3) - S1 * HHH;
-            const Z3 = modP(Z1 * Z2 * H); // Z3 = Z1 * Z2 * H;
+            if (Fp.isZero(H))
+                return Fp.isZero(r) ? this.double() : JacobianPoint.ZERO;
+            const HH = Fp.square(H); // HH = H2
+            const HHH = Fp.multiply(H, HH); // HHH = H * HH
+            const V = Fp.multiply(U1, HH); // V = U1 * HH
+            const X3 = Fp.subtract(Fp.subtractN(Fp.squareN(r), HHH), Fp.multiplyN(V, _2n)); // X3 = r^2 - HHH - 2 * V;
+            const Y3 = Fp.subtract(Fp.multiplyN(r, Fp.subtractN(V, X3)), Fp.multiplyN(S1, HHH)); // Y3 = r * (V - X3) - S1 * HHH;
+            const Z3 = Fp.multiply(Fp.multiply(Z1, Z2), H); // Z3 = Z1 * Z2 * H;
             return new JacobianPoint(X3, Y3, Z3);
         }
         subtract(other) {
@@ -420,7 +319,7 @@ function weierstrass(curveDef) {
                 k1p = k1p.negate();
             if (k2neg)
                 k2p = k2p.negate();
-            k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
+            k2p = new JacobianPoint(Fp.multiply(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
             return k1p.add(k2p);
         }
         /**
@@ -461,7 +360,7 @@ function weierstrass(curveDef) {
                 let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
                 k1p = wnaf.constTimeNegate(k1neg, k1p);
                 k2p = wnaf.constTimeNegate(k2neg, k2p);
-                k2p = new JacobianPoint(modP(k2p.x * CURVE.endo.beta), k2p.y, k2p.z);
+                k2p = new JacobianPoint(Fp.multiply(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
                 point = k1p.add(k2p);
                 fake = f1p.add(f2p);
             }
@@ -481,25 +380,42 @@ function weierstrass(curveDef) {
             const { x, y, z } = this;
             const is0 = this.equals(JacobianPoint.ZERO);
             // If invZ was 0, we return zero point. However we still want to execute
-            // all operations, so we replace invZ with a random number, 8.
+            // all operations, so we replace invZ with a random number, 1.
             if (invZ == null)
-                invZ = is0 ? _8n : mod.invert(z, CURVE.P);
+                invZ = is0 ? Fp.ONE : Fp.invert(z);
             const iz1 = invZ;
-            const iz2 = modP(iz1 * iz1);
-            const iz3 = modP(iz2 * iz1);
-            const ax = modP(x * iz2);
-            const ay = modP(y * iz3);
-            const zz = modP(z * iz1);
+            const iz2 = Fp.square(iz1); // iz1 * iz1
+            const iz3 = Fp.multiply(iz2, iz1); // iz2 * iz1
+            const ax = Fp.multiply(x, iz2); // x * iz2
+            const ay = Fp.multiply(y, iz3); // y * iz3
+            const zz = Fp.multiply(z, iz1); // z * iz1
             if (is0)
                 return Point.ZERO;
-            if (zz !== _1n)
+            if (!Fp.equals(zz, Fp.ONE))
                 throw new Error('invZ was invalid');
             return new Point(ax, ay);
         }
+        isTorsionFree() {
+            if (CURVE.h === _1n)
+                return true; // No subgroups, always torsion fee
+            if (CURVE.isTorsionFree)
+                return CURVE.isTorsionFree(JacobianPoint, this);
+            // is multiplyUnsafe(CURVE.n) is always ok, same as for edwards?
+            throw new Error('Unsupported!');
+        }
+        // Clear cofactor of G1
+        // https://eprint.iacr.org/2019/403
+        clearCofactor() {
+            if (CURVE.h === _1n)
+                return this; // Fast-path
+            if (CURVE.clearCofactor)
+                return CURVE.clearCofactor(JacobianPoint, this);
+            return this.multiplyUnsafe(CURVE.h);
+        }
     }
-    JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, _1n);
-    JacobianPoint.ZERO = new JacobianPoint(_0n, _1n, _0n);
-    const wnaf = (0, group_js_1.wNAF)(JacobianPoint, CURVE.endo ? CURVE.nBitLength / 2 : CURVE.nBitLength);
+    JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, Fp.ONE);
+    JacobianPoint.ZERO = new JacobianPoint(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    const wnaf = (0, group_js_1.wNAF)(JacobianPoint, CURVE.endo ? nBitLength / 2 : nBitLength);
     // Stores precomputed values for points.
     const pointPrecomputes = new WeakMap();
     /**
@@ -517,87 +433,60 @@ function weierstrass(curveDef) {
         }
         // Checks for y % 2 == 0
         hasEvenY() {
-            return this.y % _2n === _0n;
-        }
-        /**
-         * Supports compressed ECDSA points
-         * @returns Point instance
-         */
-        static fromCompressedHex(bytes) {
-            const P = CURVE.P;
-            const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1));
-            if (!isValidFieldElement(x))
-                throw new Error('Point is not on curve');
-            const y2 = weierstrassEquation(x); // y² = x³ + ax + b
-            let y = sqrtModCurve(y2, P); // y = y² ^ (p+1)/4
-            const isYOdd = (y & _1n) === _1n;
-            // ECDSA
-            const isFirstByteOdd = (bytes[0] & 1) === 1;
-            if (isFirstByteOdd !== isYOdd)
-                y = modP(-y);
-            const point = new Point(x, y);
-            point.assertValidity();
-            return point;
-        }
-        static fromUncompressedHex(bytes) {
-            const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1, fieldLen + 1));
-            const y = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(fieldLen + 1, 2 * fieldLen + 1));
-            const point = new Point(x, y);
-            point.assertValidity();
-            return point;
+            if (Fp.isOdd)
+                return !Fp.isOdd(this.y);
+            throw new Error("Field doesn't support isOdd");
         }
         /**
          * Converts hash string or Uint8Array to Point.
          * @param hex short/long ECDSA hex
          */
         static fromHex(hex) {
-            const bytes = (0, utils_js_1.ensureBytes)(hex);
-            const len = bytes.length;
-            const header = bytes[0];
-            // this.assertValidity() is done inside of those two functions
-            if (len === compressedLen && (header === 0x02 || header === 0x03))
-                return this.fromCompressedHex(bytes);
-            if (len === uncompressedLen && header === 0x04)
-                return this.fromUncompressedHex(bytes);
-            throw new Error(`Point.fromHex: received invalid point. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes, not ${len}`);
+            const { x, y } = CURVE.fromBytes((0, utils_js_1.ensureBytes)(hex));
+            const point = new Point(x, y);
+            point.assertValidity();
+            return point;
         }
         // Multiplies generator point by privateKey.
         static fromPrivateKey(privateKey) {
             return Point.BASE.multiply(normalizePrivateKey(privateKey));
         }
         toRawBytes(isCompressed = false) {
-            return (0, utils_js_1.hexToBytes)(this.toHex(isCompressed));
+            this.assertValidity();
+            return CURVE.toBytes(Point, this, isCompressed);
         }
         toHex(isCompressed = false) {
-            const x = numToFieldStr(this.x);
-            if (isCompressed) {
-                const prefix = this.hasEvenY() ? '02' : '03';
-                return `${prefix}${x}`;
-            }
-            else {
-                return `04${x}${numToFieldStr(this.y)}`;
-            }
+            return (0, utils_js_1.bytesToHex)(this.toRawBytes(isCompressed));
         }
         // A point on curve is valid if it conforms to equation.
         assertValidity() {
+            // Zero is valid point too!
+            if (this.equals(Point.ZERO)) {
+                if (CURVE.allowInfinityPoint)
+                    return;
+                throw new Error('Point is infinity');
+            }
             // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
             const msg = 'Point is not on elliptic curve';
             const { x, y } = this;
-            if (!isValidFieldElement(x) || !isValidFieldElement(y))
+            if (!Fp.isValid(x) || !Fp.isValid(y))
                 throw new Error(msg);
-            const left = modP(y * y);
+            const left = Fp.square(y);
             const right = weierstrassEquation(x);
-            if (modP(left - right) !== _0n)
+            if (!Fp.equals(left, right))
                 throw new Error(msg);
+            // TODO: flag to disable this?
+            if (!this.isTorsionFree())
+                throw new Error('Point must be of prime-order subgroup');
         }
         equals(other) {
             if (!(other instanceof Point))
                 throw new TypeError('Point#equals: expected Point');
-            return this.x === other.x && this.y === other.y;
+            return Fp.equals(this.x, other.x) && Fp.equals(this.y, other.y);
         }
         // Returns the same point with inverted `y`
         negate() {
-            return new Point(this.x, modP(-this.y));
+            return new Point(this.x, Fp.negate(this.y));
         }
         // Adds point to itself
         double() {
@@ -614,6 +503,15 @@ function weierstrass(curveDef) {
         multiply(scalar) {
             return JacobianPoint.fromAffine(this).multiply(scalar, this).toAffine();
         }
+        multiplyUnsafe(scalar) {
+            return JacobianPoint.fromAffine(this).multiplyUnsafe(scalar).toAffine();
+        }
+        clearCofactor() {
+            return JacobianPoint.fromAffine(this).clearCofactor().toAffine();
+        }
+        isTorsionFree() {
+            return JacobianPoint.fromAffine(this).isTorsionFree();
+        }
         /**
          * Efficiently calculate `aP + bQ`.
          * Unsafe, can expose private key, if used incorrectly.
@@ -627,6 +525,27 @@ function weierstrass(curveDef) {
             const sum = aP.add(bQ);
             return sum.equals(JacobianPoint.ZERO) ? undefined : sum.toAffine();
         }
+        // Encodes byte string to elliptic curve
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
+        static hashToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = (0, hashToCurve_js_1.hash_to_field)(msg, 2, { ...CURVE.htfDefaults, ...options });
+            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
+            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
+            const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
+            return p;
+        }
+        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
+        static encodeToCurve(msg, options) {
+            if (!CURVE.mapToCurve)
+                throw new Error('No mapToCurve defined for curve');
+            msg = (0, utils_js_1.ensureBytes)(msg);
+            const u = (0, hashToCurve_js_1.hash_to_field)(msg, 1, { ...CURVE.htfDefaults, ...options });
+            const { x, y } = CURVE.mapToCurve(u[0]);
+            return new Point(x, y).clearCofactor();
+        }
     }
     /**
      * Base point aka generator. public_key = Point.BASE * private_key
@@ -635,7 +554,168 @@ function weierstrass(curveDef) {
     /**
      * Identity point aka point at infinity. point = point + zero_point
      */
-    Point.ZERO = new Point(_0n, _0n);
+    Point.ZERO = new Point(Fp.ZERO, Fp.ZERO);
+    return {
+        Point: Point,
+        JacobianPoint: JacobianPoint,
+        normalizePrivateKey,
+        weierstrassEquation,
+        isWithinCurveOrder,
+    };
+}
+exports.weierstrassPoints = weierstrassPoints;
+function validateOpts(curve) {
+    const opts = utils.validateOpts(curve);
+    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+        throw new Error('Invalid hash function');
+    if (typeof opts.hmac !== 'function')
+        throw new Error('Invalid hmac function');
+    if (typeof opts.randomBytes !== 'function')
+        throw new Error('Invalid randomBytes function');
+    // Set defaults
+    return Object.freeze({ lowS: true, ...opts });
+}
+/**
+ * Minimal HMAC-DRBG (NIST 800-90) for signatures.
+ * Used only for RFC6979, does not fully implement DRBG spec.
+ */
+class HmacDrbg {
+    constructor(hashLen, qByteLen, hmacFn) {
+        this.hashLen = hashLen;
+        this.qByteLen = qByteLen;
+        this.hmacFn = hmacFn;
+        if (typeof hashLen !== 'number' || hashLen < 2)
+            throw new Error('hashLen must be a number');
+        if (typeof qByteLen !== 'number' || qByteLen < 2)
+            throw new Error('qByteLen must be a number');
+        if (typeof hmacFn !== 'function')
+            throw new Error('hmacFn must be a function');
+        // Step B, Step C: set hashLen to 8*ceil(hlen/8)
+        this.v = new Uint8Array(hashLen).fill(1);
+        this.k = new Uint8Array(hashLen).fill(0);
+        this.counter = 0;
+    }
+    hmacSync(...values) {
+        return this.hmacFn(this.k, ...values);
+    }
+    incr() {
+        if (this.counter >= 1000)
+            throw new Error('Tried 1,000 k values for sign(), all were invalid');
+        this.counter += 1;
+    }
+    reseedSync(seed = new Uint8Array()) {
+        this.k = this.hmacSync(this.v, Uint8Array.from([0x00]), seed);
+        this.v = this.hmacSync(this.v);
+        if (seed.length === 0)
+            return;
+        this.k = this.hmacSync(this.v, Uint8Array.from([0x01]), seed);
+        this.v = this.hmacSync(this.v);
+    }
+    // TODO: review
+    generateSync() {
+        this.incr();
+        let len = 0;
+        const out = [];
+        while (len < this.qByteLen) {
+            this.v = this.hmacSync(this.v);
+            const sl = this.v.slice();
+            out.push(sl);
+            len += this.v.length;
+        }
+        return (0, utils_js_1.concatBytes)(...out);
+    }
+}
+function weierstrass(curveDef) {
+    const CURVE = validateOpts(curveDef);
+    const CURVE_ORDER = CURVE.n;
+    const Fp = CURVE.Fp;
+    const compressedLen = Fp.BYTES + 1; // 33
+    const uncompressedLen = 2 * Fp.BYTES + 1; // 65
+    function isValidFieldElement(num) {
+        // 0 is disallowed by arbitrary reasons. Probably because infinity point?
+        return _0n < num && num < Fp.ORDER;
+    }
+    const { Point, JacobianPoint, normalizePrivateKey, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
+        ...CURVE,
+        toBytes(c, point, isCompressed) {
+            if (isCompressed) {
+                return (0, utils_js_1.concatBytes)(new Uint8Array([point.hasEvenY() ? 0x02 : 0x03]), Fp.toBytes(point.x));
+            }
+            else {
+                return (0, utils_js_1.concatBytes)(new Uint8Array([0x04]), Fp.toBytes(point.x), Fp.toBytes(point.y));
+            }
+        },
+        fromBytes(bytes) {
+            const len = bytes.length;
+            const header = bytes[0];
+            // this.assertValidity() is done inside of fromHex
+            if (len === compressedLen && (header === 0x02 || header === 0x03)) {
+                const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1));
+                if (!isValidFieldElement(x))
+                    throw new Error('Point is not on curve');
+                const y2 = weierstrassEquation(x); // y² = x³ + ax + b
+                let y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
+                const isYOdd = (y & _1n) === _1n;
+                // ECDSA
+                const isFirstByteOdd = (bytes[0] & 1) === 1;
+                if (isFirstByteOdd !== isYOdd)
+                    y = Fp.negate(y);
+                return { x, y };
+            }
+            else if (len === uncompressedLen && header === 0x04) {
+                const x = Fp.fromBytes(bytes.subarray(1, Fp.BYTES + 1));
+                const y = Fp.fromBytes(bytes.subarray(Fp.BYTES + 1, 2 * Fp.BYTES + 1));
+                return { x, y };
+            }
+            else {
+                throw new Error(`Point.fromHex: received invalid point. Expected ${compressedLen} compressed bytes or ${uncompressedLen} uncompressed bytes, not ${len}`);
+            }
+        },
+    });
+    // Do we need these functions at all?
+    function numToField(num) {
+        if (typeof num !== 'bigint')
+            throw new Error('Expected bigint');
+        if (!(_0n <= num && num < Fp.MASK))
+            throw new Error(`Expected number < 2^${Fp.BYTES * 8}`);
+        return Fp.toBytes(num);
+    }
+    const numToFieldStr = (num) => (0, utils_js_1.bytesToHex)(numToField(num));
+    /**
+     * Normalizes hex, bytes, Point to Point. Checks for curve equation.
+     */
+    function normalizePublicKey(publicKey) {
+        if (publicKey instanceof Point) {
+            publicKey.assertValidity();
+            return publicKey;
+        }
+        else if (publicKey instanceof Uint8Array || typeof publicKey === 'string') {
+            return Point.fromHex(publicKey);
+            // This can happen because PointType can be instance of different class
+        }
+        else
+            throw new Error(`Unknown type of public key: ${publicKey}`);
+    }
+    function isBiggerThanHalfOrder(number) {
+        const HALF = CURVE_ORDER >> _1n;
+        return number > HALF;
+    }
+    function normalizeS(s) {
+        return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE_ORDER) : s;
+    }
+    // Ensures ECDSA message hashes are 32 bytes and < curve order
+    function _truncateHash(hash, truncateOnly = false) {
+        const { n, nBitLength } = CURVE;
+        const byteLength = hash.length;
+        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
+        let h = (0, utils_js_1.bytesToNumberBE)(hash);
+        if (delta > 0)
+            h = h >> BigInt(delta);
+        if (!truncateOnly && h >= n)
+            h -= n;
+        return h;
+    }
+    const truncateHash = CURVE.truncateHash || _truncateHash;
     /**
      * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
      */
@@ -746,8 +826,8 @@ function weierstrass(curveDef) {
         }
     }
     const utils = {
-        mod: modP,
-        invert: (n, m = CURVE.P) => mod.invert(n, m),
+        mod: (n, modulo = Fp.ORDER) => mod.mod(n, modulo),
+        invert: Fp.invert,
         isValidPrivateKey(privateKey) {
             try {
                 normalizePrivateKey(privateKey);
@@ -772,7 +852,7 @@ function weierstrass(curveDef) {
          * Produces cryptographically secure private key from random of size (nBitLength+64)
          * as per FIPS 186 B.4.1 with modulo bias being neglible.
          */
-        randomPrivateKey: () => utils.hashToPrivateKey(CURVE.randomBytes(fieldLen + 8)),
+        randomPrivateKey: () => utils.hashToPrivateKey(CURVE.randomBytes(Fp.BYTES + 8)),
         /**
          * 1. Returns cached point which you can use to pass to `getSharedSecret` or `#multiply` by it.
          * 2. Precomputes point multiplication table. Is done by default on first `getPublicKey()` call.
@@ -832,7 +912,7 @@ function weierstrass(curveDef) {
     }
     // RFC6979 methods
     function bits2int(bytes) {
-        const slice = bytes.length > fieldLen ? bytes.slice(0, fieldLen) : bytes;
+        const slice = bytes.length > Fp.BYTES ? bytes.slice(0, Fp.BYTES) : bytes;
         return (0, utils_js_1.bytesToNumberBE)(slice);
     }
     function bits2octets(bytes) {
@@ -856,10 +936,10 @@ function weierstrass(curveDef) {
         // RFC6979 3.6: additional k' could be provided
         if (extraEntropy != null) {
             if (extraEntropy === true)
-                extraEntropy = CURVE.randomBytes(fieldLen);
+                extraEntropy = CURVE.randomBytes(Fp.BYTES);
             const e = (0, utils_js_1.ensureBytes)(extraEntropy);
-            if (e.length !== fieldLen)
-                throw new Error(`sign: Expected ${fieldLen} bytes of extra data`);
+            if (e.length !== Fp.BYTES)
+                throw new Error(`sign: Expected ${Fp.BYTES} bytes of extra data`);
             seedArgs.push(e);
         }
         // seed is constructed from private key and message