@noble/curves 0.4.0 → 0.5.1

package/lib/{weierstrass.js → abstract/weierstrass.js}

@@ -1,8 +1,8 @@
 "use strict";
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Implementation of Short Weierstrass curve. The formula is: y² = x³ + ax + b
+// Short Weierstrass curve. The formula is: y² = x³ + ax + b
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.weierstrass = exports.weierstrassPoints = void 0;
+exports.mapToCurveSimpleSWU = exports.SWUFpSqrtRatio = exports.weierstrass = exports.weierstrassPoints = void 0;
 // TODO: sync vs async naming
 // TODO: default randomBytes
 // Differences from @noble/secp256k1 1.7:
@@ -13,7 +13,7 @@ exports.weierstrass = exports.weierstrassPoints = void 0;
 const mod = require("./modular.js");
 const utils_js_1 = require("./utils.js");
 const utils = require("./utils.js");
-const hashToCurve_js_1 = require("./hashToCurve.js");
+const hash_to_curve_js_1 = require("./hash-to-curve.js");
 const group_js_1 = require("./group.js");
 // DER encoding utilities
 class DERError extends Error {
@@ -58,9 +58,7 @@ function parseDERSignature(data) {
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
-const _2n = BigInt(2);
 const _3n = BigInt(3);
-const _8n = BigInt(8);
 function validatePointOpts(curve) {
     const opts = utils.validateOpts(curve);
     const Fp = opts.Fp;
@@ -91,7 +89,7 @@ function validatePointOpts(curve) {
         throw new Error('Invalid fromBytes function');
     // Requires including hashToCurve file
     if (opts.htfDefaults !== undefined)
-        (0, hashToCurve_js_1.validateHTFOpts)(opts.htfDefaults);
+        (0, hash_to_curve_js_1.validateHTFOpts)(opts.htfDefaults);
     // Set defaults
     return Object.freeze({ ...opts });
 }
@@ -117,8 +115,8 @@ function weierstrassPoints(opts) {
     function weierstrassEquation(x) {
         const { a, b } = CURVE;
         const x2 = Fp.square(x); // x * x
-        const x3 = Fp.multiply(x2, x); // x2 * x
-        return Fp.add(Fp.add(x3, Fp.multiply(x, a)), b); // x3 + a * x + b
+        const x3 = Fp.mul(x2, x); // x2 * x
+        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
     }
     function isWithinCurveOrder(num) {
         return _0n < num && num < CURVE.n;
@@ -161,11 +159,11 @@ function weierstrassPoints(opts) {
         throw new TypeError('Expected valid private scalar: 0 < scalar < curve.n');
     }
     /**
-     * Jacobian Point works in 3d / jacobi coordinates: (x, y, z) ∋ (x=x/z², y=y/z³)
+     * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
      * Default Point works in 2d / affine coordinates: (x, y)
-     * We're doing calculations in jacobi, because its operations don't require costly inversion.
+     * We're doing calculations in projective, because its operations don't require costly inversion.
      */
-    class JacobianPoint {
+    class ProjectivePoint {
         constructor(x, y, z) {
             this.x = x;
             this.y = y;
@@ -173,15 +171,15 @@ function weierstrassPoints(opts) {
         }
         static fromAffine(p) {
             if (!(p instanceof Point)) {
-                throw new TypeError('JacobianPoint#fromAffine: expected Point');
+                throw new TypeError('ProjectivePoint#fromAffine: expected Point');
             }
             // fromAffine(x:0, y:0) would produce (x:0, y:0, z:1), but we need (x:0, y:1, z:0)
             if (p.equals(Point.ZERO))
-                return JacobianPoint.ZERO;
-            return new JacobianPoint(p.x, p.y, Fp.ONE);
+                return ProjectivePoint.ZERO;
+            return new ProjectivePoint(p.x, p.y, Fp.ONE);
         }
         /**
-         * Takes a bunch of Jacobian Points but executes only one
+         * Takes a bunch of Projective Points but executes only one
          * invert on all of them. invert is very slow operation,
          * so this improves performance massively.
          */
@@ -190,98 +188,122 @@ function weierstrassPoints(opts) {
             return points.map((p, i) => p.toAffine(toInv[i]));
         }
         static normalizeZ(points) {
-            return JacobianPoint.toAffineBatch(points).map(JacobianPoint.fromAffine);
+            return ProjectivePoint.toAffineBatch(points).map(ProjectivePoint.fromAffine);
         }
         /**
          * Compare one point to another.
          */
         equals(other) {
-            if (!(other instanceof JacobianPoint))
-                throw new TypeError('JacobianPoint expected');
+            assertPrjPoint(other);
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
-            const Z1Z1 = Fp.square(Z1); // Z1 * Z1
-            const Z2Z2 = Fp.square(Z2); // Z2 * Z2
-            const U1 = Fp.multiply(X1, Z2Z2); // X1 * Z2Z2
-            const U2 = Fp.multiply(X2, Z1Z1); // X2 * Z1Z1
-            const S1 = Fp.multiply(Fp.multiply(Y1, Z2), Z2Z2); // Y1 * Z2 * Z2Z2
-            const S2 = Fp.multiply(Fp.multiply(Y2, Z1), Z1Z1); // Y2 * Z1 * Z1Z1
-            return Fp.equals(U1, U2) && Fp.equals(S1, S2);
+            const U1 = Fp.equals(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
+            const U2 = Fp.equals(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
+            return U1 && U2;
         }
         /**
          * Flips point to one corresponding to (x, -y) in Affine coordinates.
          */
         negate() {
-            return new JacobianPoint(this.x, Fp.negate(this.y), this.z);
+            return new ProjectivePoint(this.x, Fp.negate(this.y), this.z);
         }
-        // Fast algo for doubling 2 Jacobian Points.
-        // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl
-        // Cost: 1M + 8S + 1*a + 10add + 2*2 + 1*3 + 1*8.
+        doubleAdd() {
+            return this.add(this);
+        }
+        // Renes-Costello-Batina exception-free doubling formula.
+        // There is 30% faster Jacobian formula, but it is not complete.
+        // https://eprint.iacr.org/2015/1060, algorithm 3
+        // Cost: 8M + 3S + 3*a + 2*b3 + 15add.
         double() {
+            const { a, b } = CURVE;
+            const b3 = Fp.mul(b, 3n);
             const { x: X1, y: Y1, z: Z1 } = this;
-            const { a } = CURVE;
-            // Faster algorithm: when a=0
-            // From: https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-0.html#doubling-dbl-2009-l
-            // Cost: 2M + 5S + 6add + 3*2 + 1*3 + 1*8.
-            if (Fp.isZero(a)) {
-                const A = Fp.square(X1); // X1 * X1
-                const B = Fp.square(Y1); // Y1 * Y1
-                const C = Fp.square(B); // B * B
-                const x1b = Fp.addN(X1, B); // X1 + B
-                const D = Fp.multiply(Fp.subtractN(Fp.subtractN(Fp.square(x1b), A), C), _2n); // ((x1b * x1b) - A - C) * 2
-                const E = Fp.multiply(A, _3n); // A * 3
-                const F = Fp.square(E); // E * E
-                const X3 = Fp.subtract(F, Fp.multiplyN(D, _2n)); // F - 2 * D
-                const Y3 = Fp.subtract(Fp.multiplyN(E, Fp.subtractN(D, X3)), Fp.multiplyN(C, _8n)); // E * (D - X3) - 8 * C;
-                const Z3 = Fp.multiply(Fp.multiplyN(Y1, _2n), Z1); // 2 * Y1 * Z1
-                return new JacobianPoint(X3, Y3, Z3);
-            }
-            const XX = Fp.square(X1); //  X1 * X1
-            const YY = Fp.square(Y1); // Y1 * Y1
-            const YYYY = Fp.square(YY); // YY * YY
-            const ZZ = Fp.square(Z1); //  Z1 * Z1
-            const tmp1 = Fp.add(X1, YY); // X1 + YY
-            const S = Fp.multiply(Fp.subtractN(Fp.subtractN(Fp.square(tmp1), XX), YYYY), _2n); // 2*((X1+YY)^2-XX-YYYY)
-            const M = Fp.add(Fp.multiplyN(XX, _3n), Fp.multiplyN(Fp.square(ZZ), a)); // 3 * XX + a * ZZ^2
-            const T = Fp.subtract(Fp.square(M), Fp.multiplyN(S, _2n)); // M^2-2*S
-            const X3 = T;
-            const Y3 = Fp.subtract(Fp.multiplyN(M, Fp.subtractN(S, T)), Fp.multiplyN(YYYY, _8n)); // M*(S-T)-8*YYYY
-            const y1az1 = Fp.add(Y1, Z1); // (Y1+Z1)
-            const Z3 = Fp.subtract(Fp.subtractN(Fp.square(y1az1), YY), ZZ); // (Y1+Z1)^2-YY-ZZ
-            return new JacobianPoint(X3, Y3, Z3);
-        }
-        // Fast algo for adding 2 Jacobian Points.
-        // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-add-1998-cmo-2
-        // Cost: 12M + 4S + 6add + 1*2
-        // Note: 2007 Bernstein-Lange (11M + 5S + 9add + 4*2) is actually 10% slower.
+            let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
+            let t0 = Fp.mul(X1, X1); // step 1
+            let t1 = Fp.mul(Y1, Y1);
+            let t2 = Fp.mul(Z1, Z1);
+            let t3 = Fp.mul(X1, Y1);
+            t3 = Fp.add(t3, t3); // step 5
+            Z3 = Fp.mul(X1, Z1);
+            Z3 = Fp.add(Z3, Z3);
+            X3 = Fp.mul(a, Z3);
+            Y3 = Fp.mul(b3, t2);
+            Y3 = Fp.add(X3, Y3); // step 10
+            X3 = Fp.sub(t1, Y3);
+            Y3 = Fp.add(t1, Y3);
+            Y3 = Fp.mul(X3, Y3);
+            X3 = Fp.mul(t3, X3);
+            Z3 = Fp.mul(b3, Z3); // step 15
+            t2 = Fp.mul(a, t2);
+            t3 = Fp.sub(t0, t2);
+            t3 = Fp.mul(a, t3);
+            t3 = Fp.add(t3, Z3);
+            Z3 = Fp.add(t0, t0); // step 20
+            t0 = Fp.add(Z3, t0);
+            t0 = Fp.add(t0, t2);
+            t0 = Fp.mul(t0, t3);
+            Y3 = Fp.add(Y3, t0);
+            t2 = Fp.mul(Y1, Z1); // step 25
+            t2 = Fp.add(t2, t2);
+            t0 = Fp.mul(t2, t3);
+            X3 = Fp.sub(X3, t0);
+            Z3 = Fp.mul(t2, t1);
+            Z3 = Fp.add(Z3, Z3); // step 30
+            Z3 = Fp.add(Z3, Z3);
+            return new ProjectivePoint(X3, Y3, Z3);
+        }
+        // Renes-Costello-Batina exception-free addition formula.
+        // There is 30% faster Jacobian formula, but it is not complete.
+        // https://eprint.iacr.org/2015/1060, algorithm 1
+        // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
         add(other) {
-            if (!(other instanceof JacobianPoint))
-                throw new TypeError('JacobianPoint expected');
+            assertPrjPoint(other);
             const { x: X1, y: Y1, z: Z1 } = this;
             const { x: X2, y: Y2, z: Z2 } = other;
-            if (Fp.isZero(X2) || Fp.isZero(Y2))
-                return this;
-            if (Fp.isZero(X1) || Fp.isZero(Y1))
-                return other;
-            // We're using same code in equals()
-            const Z1Z1 = Fp.square(Z1); // Z1Z1 = Z1^2
-            const Z2Z2 = Fp.square(Z2); // Z2Z2 = Z2^2;
-            const U1 = Fp.multiply(X1, Z2Z2); // X1 * Z2Z2
-            const U2 = Fp.multiply(X2, Z1Z1); // X2 * Z1Z1
-            const S1 = Fp.multiply(Fp.multiply(Y1, Z2), Z2Z2); // Y1 * Z2 * Z2Z2
-            const S2 = Fp.multiply(Fp.multiply(Y2, Z1), Z1Z1); // Y2 * Z1 * Z1Z1
-            const H = Fp.subtractN(U2, U1); // H = U2 - U1
-            const r = Fp.subtractN(S2, S1); // S2 - S1
-            // H = 0 meaning it's the same point.
-            if (Fp.isZero(H))
-                return Fp.isZero(r) ? this.double() : JacobianPoint.ZERO;
-            const HH = Fp.square(H); // HH = H2
-            const HHH = Fp.multiply(H, HH); // HHH = H * HH
-            const V = Fp.multiply(U1, HH); // V = U1 * HH
-            const X3 = Fp.subtract(Fp.subtractN(Fp.squareN(r), HHH), Fp.multiplyN(V, _2n)); // X3 = r^2 - HHH - 2 * V;
-            const Y3 = Fp.subtract(Fp.multiplyN(r, Fp.subtractN(V, X3)), Fp.multiplyN(S1, HHH)); // Y3 = r * (V - X3) - S1 * HHH;
-            const Z3 = Fp.multiply(Fp.multiply(Z1, Z2), H); // Z3 = Z1 * Z2 * H;
-            return new JacobianPoint(X3, Y3, Z3);
+            let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
+            const a = CURVE.a;
+            const b3 = Fp.mul(CURVE.b, 3n);
+            let t0 = Fp.mul(X1, X2); // step 1
+            let t1 = Fp.mul(Y1, Y2);
+            let t2 = Fp.mul(Z1, Z2);
+            let t3 = Fp.add(X1, Y1);
+            let t4 = Fp.add(X2, Y2); // step 5
+            t3 = Fp.mul(t3, t4);
+            t4 = Fp.add(t0, t1);
+            t3 = Fp.sub(t3, t4);
+            t4 = Fp.add(X1, Z1);
+            let t5 = Fp.add(X2, Z2); // step 10
+            t4 = Fp.mul(t4, t5);
+            t5 = Fp.add(t0, t2);
+            t4 = Fp.sub(t4, t5);
+            t5 = Fp.add(Y1, Z1);
+            X3 = Fp.add(Y2, Z2); // step 15
+            t5 = Fp.mul(t5, X3);
+            X3 = Fp.add(t1, t2);
+            t5 = Fp.sub(t5, X3);
+            Z3 = Fp.mul(a, t4);
+            X3 = Fp.mul(b3, t2); // step 20
+            Z3 = Fp.add(X3, Z3);
+            X3 = Fp.sub(t1, Z3);
+            Z3 = Fp.add(t1, Z3);
+            Y3 = Fp.mul(X3, Z3);
+            t1 = Fp.add(t0, t0); // step 25
+            t1 = Fp.add(t1, t0);
+            t2 = Fp.mul(a, t2);
+            t4 = Fp.mul(b3, t4);
+            t1 = Fp.add(t1, t2);
+            t2 = Fp.sub(t0, t2); // step 30
+            t2 = Fp.mul(a, t2);
+            t4 = Fp.add(t4, t2);
+            t0 = Fp.mul(t1, t4);
+            Y3 = Fp.add(Y3, t0);
+            t0 = Fp.mul(t5, t4); // step 35
+            X3 = Fp.mul(t3, X3);
+            X3 = Fp.sub(X3, t0);
+            t0 = Fp.mul(t3, t1);
+            Z3 = Fp.mul(t5, Z3);
+            Z3 = Fp.add(Z3, t0); // step 40
+            return new ProjectivePoint(X3, Y3, Z3);
         }
         subtract(other) {
             return this.add(other.negate());
@@ -292,7 +314,7 @@ function weierstrassPoints(opts) {
          * an exposed private key e.g. sig verification, which works over *public* keys.
          */
         multiplyUnsafe(scalar) {
-            const P0 = JacobianPoint.ZERO;
+            const P0 = ProjectivePoint.ZERO;
             if (typeof scalar === 'bigint' && scalar === _0n)
                 return P0;
             // Will throw on 0
@@ -319,14 +341,14 @@ function weierstrassPoints(opts) {
                 k1p = k1p.negate();
             if (k2neg)
                 k2p = k2p.negate();
-            k2p = new JacobianPoint(Fp.multiply(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
+            k2p = new ProjectivePoint(Fp.mul(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
             return k1p.add(k2p);
         }
         /**
          * Implements w-ary non-adjacent form for calculating ec multiplication.
          */
         wNAF(n, affinePoint) {
-            if (!affinePoint && this.equals(JacobianPoint.BASE))
+            if (!affinePoint && this.equals(ProjectivePoint.BASE))
                 affinePoint = Point.BASE;
             const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
             // Calculate precomputes on a first run, reuse them after
@@ -334,7 +356,7 @@ function weierstrassPoints(opts) {
             if (!precomputes) {
                 precomputes = wnaf.precomputeWindow(this, W);
                 if (affinePoint && W !== 1) {
-                    precomputes = JacobianPoint.normalizeZ(precomputes);
+                    precomputes = ProjectivePoint.normalizeZ(precomputes);
                     pointPrecomputes.set(affinePoint, precomputes);
                 }
             }
@@ -360,7 +382,7 @@ function weierstrassPoints(opts) {
                 let { p: k2p, f: f2p } = this.wNAF(k2, affinePoint);
                 k1p = wnaf.constTimeNegate(k1neg, k1p);
                 k2p = wnaf.constTimeNegate(k2neg, k2p);
-                k2p = new JacobianPoint(Fp.multiply(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
+                k2p = new ProjectivePoint(Fp.mul(k2p.x, CURVE.endo.beta), k2p.y, k2p.z);
                 point = k1p.add(k2p);
                 fake = f1p.add(f2p);
             }
@@ -370,25 +392,21 @@ function weierstrassPoints(opts) {
                 fake = f;
             }
             // Normalize `z` for both points, but return only real one
-            return JacobianPoint.normalizeZ([point, fake])[0];
+            return ProjectivePoint.normalizeZ([point, fake])[0];
         }
-        // Converts Jacobian point to affine (x, y) coordinates.
+        // Converts Projective point to affine (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
-        // (x, y, z) ∋ (x=x/z², y=y/z³)
-        // https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#scaling-z
+        // (x, y, z) ∋ (x=x/z, y=y/z)
         toAffine(invZ) {
             const { x, y, z } = this;
-            const is0 = this.equals(JacobianPoint.ZERO);
+            const is0 = this.equals(ProjectivePoint.ZERO);
             // If invZ was 0, we return zero point. However we still want to execute
             // all operations, so we replace invZ with a random number, 1.
             if (invZ == null)
                 invZ = is0 ? Fp.ONE : Fp.invert(z);
-            const iz1 = invZ;
-            const iz2 = Fp.square(iz1); // iz1 * iz1
-            const iz3 = Fp.multiply(iz2, iz1); // iz2 * iz1
-            const ax = Fp.multiply(x, iz2); // x * iz2
-            const ay = Fp.multiply(y, iz3); // y * iz3
-            const zz = Fp.multiply(z, iz1); // z * iz1
+            const ax = Fp.mul(x, invZ);
+            const ay = Fp.mul(y, invZ);
+            const zz = Fp.mul(z, invZ);
             if (is0)
                 return Point.ZERO;
             if (!Fp.equals(zz, Fp.ONE))
@@ -399,7 +417,7 @@ function weierstrassPoints(opts) {
             if (CURVE.h === _1n)
                 return true; // No subgroups, always torsion fee
             if (CURVE.isTorsionFree)
-                return CURVE.isTorsionFree(JacobianPoint, this);
+                return CURVE.isTorsionFree(ProjectivePoint, this);
             // is multiplyUnsafe(CURVE.n) is always ok, same as for edwards?
             throw new Error('Unsupported!');
         }
@@ -409,13 +427,17 @@ function weierstrassPoints(opts) {
             if (CURVE.h === _1n)
                 return this; // Fast-path
             if (CURVE.clearCofactor)
-                return CURVE.clearCofactor(JacobianPoint, this);
+                return CURVE.clearCofactor(ProjectivePoint, this);
             return this.multiplyUnsafe(CURVE.h);
         }
     }
-    JacobianPoint.BASE = new JacobianPoint(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    JacobianPoint.ZERO = new JacobianPoint(Fp.ZERO, Fp.ONE, Fp.ZERO);
-    const wnaf = (0, group_js_1.wNAF)(JacobianPoint, CURVE.endo ? nBitLength / 2 : nBitLength);
+    ProjectivePoint.BASE = new ProjectivePoint(CURVE.Gx, CURVE.Gy, Fp.ONE);
+    ProjectivePoint.ZERO = new ProjectivePoint(Fp.ZERO, Fp.ONE, Fp.ZERO);
+    const wnaf = (0, group_js_1.wNAF)(ProjectivePoint, CURVE.endo ? nBitLength / 2 : nBitLength);
+    function assertPrjPoint(other) {
+        if (!(other instanceof ProjectivePoint))
+            throw new TypeError('ProjectivePoint expected');
+    }
     // Stores precomputed values for points.
     const pointPrecomputes = new WeakMap();
     /**
@@ -490,27 +512,27 @@ function weierstrassPoints(opts) {
         }
         // Adds point to itself
         double() {
-            return JacobianPoint.fromAffine(this).double().toAffine();
+            return ProjectivePoint.fromAffine(this).double().toAffine();
         }
         // Adds point to other point
         add(other) {
-            return JacobianPoint.fromAffine(this).add(JacobianPoint.fromAffine(other)).toAffine();
+            return ProjectivePoint.fromAffine(this).add(ProjectivePoint.fromAffine(other)).toAffine();
         }
         // Subtracts other point from the point
         subtract(other) {
             return this.add(other.negate());
         }
         multiply(scalar) {
-            return JacobianPoint.fromAffine(this).multiply(scalar, this).toAffine();
+            return ProjectivePoint.fromAffine(this).multiply(scalar, this).toAffine();
         }
         multiplyUnsafe(scalar) {
-            return JacobianPoint.fromAffine(this).multiplyUnsafe(scalar).toAffine();
+            return ProjectivePoint.fromAffine(this).multiplyUnsafe(scalar).toAffine();
         }
         clearCofactor() {
-            return JacobianPoint.fromAffine(this).clearCofactor().toAffine();
+            return ProjectivePoint.fromAffine(this).clearCofactor().toAffine();
         }
         isTorsionFree() {
-            return JacobianPoint.fromAffine(this).isTorsionFree();
+            return ProjectivePoint.fromAffine(this).isTorsionFree();
         }
         /**
          * Efficiently calculate `aP + bQ`.
@@ -519,11 +541,11 @@ function weierstrassPoints(opts) {
          * @returns non-zero affine point
          */
         multiplyAndAddUnsafe(Q, a, b) {
-            const P = JacobianPoint.fromAffine(this);
+            const P = ProjectivePoint.fromAffine(this);
             const aP = a === _0n || a === _1n || this !== Point.BASE ? P.multiplyUnsafe(a) : P.multiply(a);
-            const bQ = JacobianPoint.fromAffine(Q).multiplyUnsafe(b);
+            const bQ = ProjectivePoint.fromAffine(Q).multiplyUnsafe(b);
             const sum = aP.add(bQ);
-            return sum.equals(JacobianPoint.ZERO) ? undefined : sum.toAffine();
+            return sum.equals(ProjectivePoint.ZERO) ? undefined : sum.toAffine();
         }
         // Encodes byte string to elliptic curve
         // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
@@ -531,7 +553,7 @@ function weierstrassPoints(opts) {
             if (!CURVE.mapToCurve)
                 throw new Error('No mapToCurve defined for curve');
             msg = (0, utils_js_1.ensureBytes)(msg);
-            const u = (0, hashToCurve_js_1.hash_to_field)(msg, 2, { ...CURVE.htfDefaults, ...options });
+            const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 2, { ...CURVE.htfDefaults, ...options });
             const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
             const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
             const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
@@ -542,7 +564,7 @@ function weierstrassPoints(opts) {
             if (!CURVE.mapToCurve)
                 throw new Error('No mapToCurve defined for curve');
             msg = (0, utils_js_1.ensureBytes)(msg);
-            const u = (0, hashToCurve_js_1.hash_to_field)(msg, 1, { ...CURVE.htfDefaults, ...options });
+            const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 1, { ...CURVE.htfDefaults, ...options });
             const { x, y } = CURVE.mapToCurve(u[0]);
             return new Point(x, y).clearCofactor();
         }
@@ -557,7 +579,7 @@ function weierstrassPoints(opts) {
     Point.ZERO = new Point(Fp.ZERO, Fp.ZERO);
     return {
         Point: Point,
-        JacobianPoint: JacobianPoint,
+        ProjectivePoint: ProjectivePoint,
         normalizePrivateKey,
         weierstrassEquation,
         isWithinCurveOrder,
@@ -635,7 +657,7 @@ function weierstrass(curveDef) {
         // 0 is disallowed by arbitrary reasons. Probably because infinity point?
         return _0n < num && num < Fp.ORDER;
     }
-    const { Point, JacobianPoint, normalizePrivateKey, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
+    const { Point, ProjectivePoint, normalizePrivateKey, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
         ...CURVE,
         toBytes(c, point, isCompressed) {
             if (isCompressed) {
@@ -958,18 +980,19 @@ function weierstrass(curveDef) {
      * @returns Signature with its point on curve Q OR undefined if params were invalid
      */
     function kmdToSig(kBytes, m, d, lowS = true) {
+        const { n } = CURVE;
         const k = truncateHash(kBytes, true);
         if (!isWithinCurveOrder(k))
             return;
         // Important: all mod() calls in the function must be done over `n`
-        const { n } = CURVE;
+        const kinv = mod.invert(k, n);
         const q = Point.BASE.multiply(k);
         // r = x mod n
         const r = mod.mod(q.x, n);
         if (r === _0n)
             return;
         // s = (1/k * (m + dr) mod n
-        const s = mod.mod(mod.invert(k, n) * mod.mod(m + d * r, n), n);
+        const s = mod.mod(kinv * mod.mod(m + mod.mod(d * r, n), n), n);
         if (s === _0n)
             return;
         let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n);
@@ -1049,7 +1072,7 @@ function weierstrass(curveDef) {
         // R = u1⋅G - u2⋅P
         const u1 = mod.mod(h * sinv, n);
         const u2 = mod.mod(r * sinv, n);
-        // Some implementations compare R.x in jacobian, without inversion.
+        // Some implementations compare R.x in projective, without inversion.
         // The speed-up is <5%, so we don't complicate the code.
         const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2);
         if (!R)
@@ -1064,9 +1087,120 @@ function weierstrass(curveDef) {
         sign,
         verify,
         Point,
-        JacobianPoint,
+        ProjectivePoint,
         Signature,
         utils,
     };
 }
 exports.weierstrass = weierstrass;
+// Implementation of the Shallue and van de Woestijne method for any Weierstrass curve
+// TODO: check if there is a way to merge this with uvRation in Edwards && move to modular?
+// b = True and y = sqrt(u / v) if (u / v) is square in F, and
+// b = False and y = sqrt(Z * (u / v)) otherwise.
+function SWUFpSqrtRatio(Fp, Z) {
+    // Generic implementation
+    const q = Fp.ORDER;
+    let l = 0n;
+    for (let o = q - 1n; o % 2n === 0n; o /= 2n)
+        l += 1n;
+    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
+    const c2 = (q - 1n) / 2n ** c1; // 2. c2 = (q - 1) / (2^c1)        # Integer arithmetic
+    const c3 = (c2 - 1n) / 2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+    const c4 = 2n ** c1 - 1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+    const c5 = 2n ** (c1 - 1n); // 5. c5 = 2^(c1 - 1)              # Integer arithmetic
+    const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
+    const c7 = Fp.pow(Z, (c2 + 1n) / 2n); // 7. c7 = Z^((c2 + 1) / 2)
+    let sqrtRatio = (u, v) => {
+        let tv1 = c6; // 1. tv1 = c6
+        let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
+        let tv3 = Fp.square(tv2); // 3. tv3 = tv2^2
+        tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
+        let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
+        tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
+        tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
+        tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
+        tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
+        let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
+        tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
+        let isQR = Fp.equals(tv5, Fp.ONE); // 12. isQR = tv5 == 1
+        tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
+        tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
+        tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
+        tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
+        // 17. for i in (c1, c1 - 1, ..., 2):
+        for (let i = c1; i > 1; i--) {
+            let tv5 = 2n ** (i - 2n); // 18.    tv5 = i - 2;    19.    tv5 = 2^tv5
+            let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
+            const e1 = Fp.equals(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
+            tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
+            tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1
+            tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1
+            tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)
+            tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)
+        }
+        return { isValid: isQR, value: tv3 };
+    };
+    if (Fp.ORDER % 4n === 3n) {
+        // sqrt_ratio_3mod4(u, v)
+        const c1 = (Fp.ORDER - 3n) / 4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+        const c2 = Fp.sqrt(Fp.negate(Z)); // 2. c2 = sqrt(-Z)
+        sqrtRatio = (u, v) => {
+            let tv1 = Fp.square(v); // 1. tv1 = v^2
+            const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
+            tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
+            let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
+            y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
+            const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
+            const tv3 = Fp.mul(Fp.square(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
+            const isQR = Fp.equals(tv3, u); // 9. isQR = tv3 == u
+            let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
+            return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
+        };
+    }
+    // No curves uses that
+    // if (Fp.ORDER % 8n === 5n) // sqrt_ratio_5mod8
+    return sqrtRatio;
+}
+exports.SWUFpSqrtRatio = SWUFpSqrtRatio;
+// From draft-irtf-cfrg-hash-to-curve-16
+function mapToCurveSimpleSWU(Fp, opts) {
+    mod.validateField(Fp);
+    if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
+        throw new Error('mapToCurveSimpleSWU: invalid opts');
+    const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);
+    if (!Fp.isOdd)
+        throw new Error('Fp.isOdd is not implemented!');
+    // Input: u, an element of F.
+    // Output: (x, y), a point on E.
+    return (u) => {
+        // prettier-ignore
+        let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
+        tv1 = Fp.square(u); // 1.  tv1 = u^2
+        tv1 = Fp.mul(tv1, opts.Z); // 2.  tv1 = Z * tv1
+        tv2 = Fp.square(tv1); // 3.  tv2 = tv1^2
+        tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
+        tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
+        tv3 = Fp.mul(tv3, opts.B); // 6.  tv3 = B * tv3
+        tv4 = Fp.cmov(opts.Z, Fp.negate(tv2), !Fp.equals(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
+        tv4 = Fp.mul(tv4, opts.A); // 8.  tv4 = A * tv4
+        tv2 = Fp.square(tv3); // 9.  tv2 = tv3^2
+        tv6 = Fp.square(tv4); // 10. tv6 = tv4^2
+        tv5 = Fp.mul(tv6, opts.A); // 11. tv5 = A * tv6
+        tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
+        tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
+        tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
+        tv5 = Fp.mul(tv6, opts.B); // 15. tv5 = B * tv6
+        tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
+        x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
+        const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
+        y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1
+        y = Fp.mul(y, value); // 20.   y = y * y1
+        x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)
+        y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
+        const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23.  e1 = sgn0(u) == sgn0(y)
+        y = Fp.cmov(Fp.negate(y), y, e1); // 24.   y = CMOV(-y, y, e1)
+        x = Fp.div(x, tv4); // 25.   x = x / tv4
+        return { x, y };
+    };
+}
+exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU;