@noble/curves 0.5.1 → 0.5.2

package/lib/abstract/weierstrass.js

@@ -3,64 +3,61 @@
 // Short Weierstrass curve. The formula is: y² = x³ + ax + b
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.mapToCurveSimpleSWU = exports.SWUFpSqrtRatio = exports.weierstrass = exports.weierstrassPoints = void 0;
-// TODO: sync vs async naming
-// TODO: default randomBytes
 // Differences from @noble/secp256k1 1.7:
 // 1. Different double() formula (but same addition)
 // 2. Different sqrt() function
 // 3. truncateHash() truncateOnly mode
 // 4. DRBG supports outputLen bigger than outputLen of hmac
+// 5. Support for different hash functions
 const mod = require("./modular.js");
+const ut = require("./utils.js");
 const utils_js_1 = require("./utils.js");
-const utils = require("./utils.js");
 const hash_to_curve_js_1 = require("./hash-to-curve.js");
 const group_js_1 = require("./group.js");
-// DER encoding utilities
+// ASN.1 DER encoding utilities
 class DERError extends Error {
     constructor(message) {
         super(message);
     }
 }
-function sliceDER(s) {
-    // Proof: any([(i>=0x80) == (int(hex(i).replace('0x', '').zfill(2)[0], 16)>=8)  for i in range(0, 256)])
-    // Padding done by numberToHex
-    return Number.parseInt(s[0], 16) >= 8 ? '00' + s : s;
-}
-function parseDERInt(data) {
-    if (data.length < 2 || data[0] !== 0x02) {
-        throw new DERError(`Invalid signature integer tag: ${(0, utils_js_1.bytesToHex)(data)}`);
-    }
-    const len = data[1];
-    const res = data.subarray(2, len + 2);
-    if (!len || res.length !== len) {
-        throw new DERError(`Invalid signature integer: wrong length`);
-    }
-    // Strange condition, its not about length, but about first bytes of number.
-    if (res[0] === 0x00 && res[1] <= 0x7f) {
-        throw new DERError('Invalid signature integer: trailing length');
-    }
-    return { data: (0, utils_js_1.bytesToNumberBE)(res), left: data.subarray(len + 2) };
-}
-function parseDERSignature(data) {
-    if (data.length < 2 || data[0] != 0x30) {
-        throw new DERError(`Invalid signature tag: ${(0, utils_js_1.bytesToHex)(data)}`);
-    }
-    if (data[1] !== data.length - 2) {
-        throw new DERError('Invalid signature: incorrect length');
-    }
-    const { data: r, left: sBytes } = parseDERInt(data.subarray(2));
-    const { data: s, left: rBytesLeft } = parseDERInt(sBytes);
-    if (rBytesLeft.length) {
-        throw new DERError(`Invalid signature: left bytes after parsing: ${(0, utils_js_1.bytesToHex)(rBytesLeft)}`);
-    }
-    return { r, s };
-}
-// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
-const _0n = BigInt(0);
-const _1n = BigInt(1);
-const _3n = BigInt(3);
+const DER = {
+    slice(s) {
+        // Proof: any([(i>=0x80) == (int(hex(i).replace('0x', '').zfill(2)[0], 16)>=8)  for i in range(0, 256)])
+        // Padding done by numberToHex
+        return Number.parseInt(s[0], 16) >= 8 ? '00' + s : s;
+    },
+    parseInt(data) {
+        if (data.length < 2 || data[0] !== 0x02) {
+            throw new DERError(`Invalid signature integer tag: ${(0, utils_js_1.bytesToHex)(data)}`);
+        }
+        const len = data[1];
+        const res = data.subarray(2, len + 2);
+        if (!len || res.length !== len) {
+            throw new DERError(`Invalid signature integer: wrong length`);
+        }
+        // Strange condition, its not about length, but about first bytes of number.
+        if (res[0] === 0x00 && res[1] <= 0x7f) {
+            throw new DERError('Invalid signature integer: trailing length');
+        }
+        return { data: ut.bytesToNumberBE(res), left: data.subarray(len + 2) };
+    },
+    parseSig(data) {
+        if (data.length < 2 || data[0] != 0x30) {
+            throw new DERError(`Invalid signature tag: ${(0, utils_js_1.bytesToHex)(data)}`);
+        }
+        if (data[1] !== data.length - 2) {
+            throw new DERError('Invalid signature: incorrect length');
+        }
+        const { data: r, left: sBytes } = DER.parseInt(data.subarray(2));
+        const { data: s, left: rBytesLeft } = DER.parseInt(sBytes);
+        if (rBytesLeft.length) {
+            throw new DERError(`Invalid signature: left bytes after parsing: ${(0, utils_js_1.bytesToHex)(rBytesLeft)}`);
+        }
+        return { r, s };
+    },
+};
 function validatePointOpts(curve) {
-    const opts = utils.validateOpts(curve);
+    const opts = ut.validateOpts(curve);
     const Fp = opts.Fp;
     for (const i of ['a', 'b']) {
         if (!Fp.isValid(curve[i]))
@@ -93,21 +90,13 @@ function validatePointOpts(curve) {
     // Set defaults
     return Object.freeze({ ...opts });
 }
+// Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
+const _0n = BigInt(0);
+const _1n = BigInt(1);
+const _3n = BigInt(3);
 function weierstrassPoints(opts) {
     const CURVE = validatePointOpts(opts);
-    const Fp = CURVE.Fp;
-    // Lengths
-    // All curves has same field / group length as for now, but it can be different for other curves
-    const { nByteLength, nBitLength } = CURVE;
-    const groupLen = nByteLength;
-    // Not using ** operator with bigints for old engines.
-    // 2n ** (8n * 32n) == 2n << (8n * 32n - 1n)
-    //const FIELD_MASK = _2n << (_8n * BigInt(fieldLen) - _1n);
-    // function numToFieldStr(num: bigint): string {
-    //   if (typeof num !== 'bigint') throw new Error('Expected bigint');
-    //   if (!(_0n <= num && num < FIELD_MASK)) throw new Error(`Expected number < 2^${fieldLen * 8}`);
-    //   return num.toString(16).padStart(2 * fieldLen, '0');
-    // }
+    const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
     /**
      * y² = x³ + ax + b: Short weierstrass curve formula
      * @returns y²
@@ -118,41 +107,55 @@ function weierstrassPoints(opts) {
         const x3 = Fp.mul(x2, x); // x2 * x
         return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
     }
+    // Valid group elements reside in range 1..n-1
     function isWithinCurveOrder(num) {
         return _0n < num && num < CURVE.n;
     }
+    /**
+     * Validates if a private key is valid and converts it to bigint form.
+     * Supports two options, that are passed when CURVE is initialized:
+     * - `normalizePrivateKey()` executed before all checks
+     * - `wrapPrivateKey` when true, executed after most checks, but before `0 < key < n`
+     */
     function normalizePrivateKey(key) {
-        if (typeof CURVE.normalizePrivateKey === 'function') {
-            key = CURVE.normalizePrivateKey(key);
-        }
+        const { normalizePrivateKey: custom, nByteLength: groupLen, wrapPrivateKey, n: order } = CURVE;
+        if (typeof custom === 'function')
+            key = custom(key);
         let num;
         if (typeof key === 'bigint') {
+            // Curve order check is done below
             num = key;
         }
-        else if (typeof key === 'number' && Number.isSafeInteger(key) && key > 0) {
+        else if (ut.isPositiveInt(key)) {
             num = BigInt(key);
         }
         else if (typeof key === 'string') {
             if (key.length !== 2 * groupLen)
                 throw new Error(`Expected ${groupLen} bytes of private key`);
-            num = (0, utils_js_1.hexToNumber)(key);
+            // Validates individual octets
+            num = ut.hexToNumber(key);
         }
         else if (key instanceof Uint8Array) {
             if (key.length !== groupLen)
                 throw new Error(`Expected ${groupLen} bytes of private key`);
-            num = (0, utils_js_1.bytesToNumberBE)(key);
+            num = ut.bytesToNumberBE(key);
         }
         else {
             throw new TypeError('Expected valid private key');
         }
-        if (CURVE.wrapPrivateKey)
-            num = mod.mod(num, CURVE.n);
+        // Useful for curves with cofactor != 1
+        if (wrapPrivateKey)
+            num = mod.mod(num, order);
         if (!isWithinCurveOrder(num))
             throw new Error('Expected private key: 0 < key < n');
         return num;
     }
+    /**
+     * Validates if a scalar ("private number") is valid.
+     * Scalars are valid only if they are less than curve order.
+     */
     function normalizeScalar(num) {
-        if (typeof num === 'number' && Number.isSafeInteger(num) && num > 0)
+        if (ut.isPositiveInt(num))
             return BigInt(num);
         if (typeof num === 'bigint' && isWithinCurveOrder(num))
             return num;
@@ -180,13 +183,16 @@ function weierstrassPoints(opts) {
         }
         /**
          * Takes a bunch of Projective Points but executes only one
-         * invert on all of them. invert is very slow operation,
+         * inversion on all of them. Inversion is very slow operation,
          * so this improves performance massively.
          */
         static toAffineBatch(points) {
             const toInv = Fp.invertBatch(points.map((p) => p.z));
             return points.map((p, i) => p.toAffine(toInv[i]));
         }
+        /**
+         * Optimization: converts a list of projective points to a list of identical points with Z=1.
+         */
         static normalizeZ(points) {
             return ProjectivePoint.toAffineBatch(points).map(ProjectivePoint.fromAffine);
         }
@@ -207,9 +213,6 @@ function weierstrassPoints(opts) {
         negate() {
             return new ProjectivePoint(this.x, Fp.negate(this.y), this.z);
         }
-        doubleAdd() {
-            return this.add(this);
-        }
         // Renes-Costello-Batina exception-free doubling formula.
         // There is 30% faster Jacobian formula, but it is not complete.
         // https://eprint.iacr.org/2015/1060, algorithm 3
@@ -414,26 +417,26 @@ function weierstrassPoints(opts) {
             return new Point(ax, ay);
         }
         isTorsionFree() {
-            if (CURVE.h === _1n)
-                return true; // No subgroups, always torsion fee
-            if (CURVE.isTorsionFree)
-                return CURVE.isTorsionFree(ProjectivePoint, this);
-            // is multiplyUnsafe(CURVE.n) is always ok, same as for edwards?
-            throw new Error('Unsupported!');
-        }
-        // Clear cofactor of G1
-        // https://eprint.iacr.org/2019/403
+            const { h: cofactor, isTorsionFree } = CURVE;
+            if (cofactor === _1n)
+                return true; // No subgroups, always torsion-free
+            if (isTorsionFree)
+                return isTorsionFree(ProjectivePoint, this);
+            throw new Error('isTorsionFree() has not been declared for the elliptic curve');
+        }
         clearCofactor() {
-            if (CURVE.h === _1n)
+            const { h: cofactor, clearCofactor } = CURVE;
+            if (cofactor === _1n)
                 return this; // Fast-path
-            if (CURVE.clearCofactor)
-                return CURVE.clearCofactor(ProjectivePoint, this);
+            if (clearCofactor)
+                return clearCofactor(ProjectivePoint, this);
             return this.multiplyUnsafe(CURVE.h);
         }
     }
     ProjectivePoint.BASE = new ProjectivePoint(CURVE.Gx, CURVE.Gy, Fp.ONE);
     ProjectivePoint.ZERO = new ProjectivePoint(Fp.ZERO, Fp.ONE, Fp.ZERO);
-    const wnaf = (0, group_js_1.wNAF)(ProjectivePoint, CURVE.endo ? nBitLength / 2 : nBitLength);
+    const _bits = CURVE.nBitLength;
+    const wnaf = (0, group_js_1.wNAF)(ProjectivePoint, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
     function assertPrjPoint(other) {
         if (!(other instanceof ProjectivePoint))
             throw new TypeError('ProjectivePoint expected');
@@ -464,7 +467,7 @@ function weierstrassPoints(opts) {
          * @param hex short/long ECDSA hex
          */
         static fromHex(hex) {
-            const { x, y } = CURVE.fromBytes((0, utils_js_1.ensureBytes)(hex));
+            const { x, y } = CURVE.fromBytes(ut.ensureBytes(hex));
             const point = new Point(x, y);
             point.assertValidity();
             return point;
@@ -486,18 +489,18 @@ function weierstrassPoints(opts) {
             if (this.equals(Point.ZERO)) {
                 if (CURVE.allowInfinityPoint)
                     return;
-                throw new Error('Point is infinity');
+                throw new Error('Point at infinity');
             }
             // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
             const msg = 'Point is not on elliptic curve';
             const { x, y } = this;
+            // Check if x, y are valid field elements
             if (!Fp.isValid(x) || !Fp.isValid(y))
                 throw new Error(msg);
-            const left = Fp.square(y);
-            const right = weierstrassEquation(x);
+            const left = Fp.square(y); // y²
+            const right = weierstrassEquation(x); // x³ + ax + b
             if (!Fp.equals(left, right))
                 throw new Error(msg);
-            // TODO: flag to disable this?
             if (!this.isTorsionFree())
                 throw new Error('Point must be of prime-order subgroup');
         }
@@ -510,29 +513,30 @@ function weierstrassPoints(opts) {
         negate() {
             return new Point(this.x, Fp.negate(this.y));
         }
+        toProj() {
+            return ProjectivePoint.fromAffine(this);
+        }
         // Adds point to itself
         double() {
-            return ProjectivePoint.fromAffine(this).double().toAffine();
+            return this.toProj().double().toAffine();
         }
-        // Adds point to other point
         add(other) {
-            return ProjectivePoint.fromAffine(this).add(ProjectivePoint.fromAffine(other)).toAffine();
+            return this.toProj().add(ProjectivePoint.fromAffine(other)).toAffine();
         }
-        // Subtracts other point from the point
         subtract(other) {
             return this.add(other.negate());
         }
         multiply(scalar) {
-            return ProjectivePoint.fromAffine(this).multiply(scalar, this).toAffine();
+            return this.toProj().multiply(scalar, this).toAffine();
         }
         multiplyUnsafe(scalar) {
-            return ProjectivePoint.fromAffine(this).multiplyUnsafe(scalar).toAffine();
+            return this.toProj().multiplyUnsafe(scalar).toAffine();
         }
         clearCofactor() {
-            return ProjectivePoint.fromAffine(this).clearCofactor().toAffine();
+            return this.toProj().clearCofactor().toAffine();
         }
         isTorsionFree() {
-            return ProjectivePoint.fromAffine(this).isTorsionFree();
+            return this.toProj().isTorsionFree();
         }
         /**
          * Efficiently calculate `aP + bQ`.
@@ -541,7 +545,7 @@ function weierstrassPoints(opts) {
          * @returns non-zero affine point
          */
         multiplyAndAddUnsafe(Q, a, b) {
-            const P = ProjectivePoint.fromAffine(this);
+            const P = this.toProj();
             const aP = a === _0n || a === _1n || this !== Point.BASE ? P.multiplyUnsafe(a) : P.multiply(a);
             const bQ = ProjectivePoint.fromAffine(Q).multiplyUnsafe(b);
             const sum = aP.add(bQ);
@@ -550,31 +554,32 @@ function weierstrassPoints(opts) {
         // Encodes byte string to elliptic curve
         // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
         static hashToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
-                throw new Error('No mapToCurve defined for curve');
-            msg = (0, utils_js_1.ensureBytes)(msg);
+            const { mapToCurve } = CURVE;
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ut.ensureBytes(msg);
             const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 2, { ...CURVE.htfDefaults, ...options });
-            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
-            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
-            const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
-            return p;
+            const { x: x0, y: y0 } = mapToCurve(u[0]);
+            const { x: x1, y: y1 } = mapToCurve(u[1]);
+            return new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
         }
         // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
         static encodeToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
-                throw new Error('No mapToCurve defined for curve');
-            msg = (0, utils_js_1.ensureBytes)(msg);
+            const { mapToCurve } = CURVE;
+            if (!mapToCurve)
+                throw new Error('CURVE.mapToCurve() has not been defined');
+            msg = ut.ensureBytes(msg);
             const u = (0, hash_to_curve_js_1.hash_to_field)(msg, 1, { ...CURVE.htfDefaults, ...options });
-            const { x, y } = CURVE.mapToCurve(u[0]);
+            const { x, y } = mapToCurve(u[0]);
             return new Point(x, y).clearCofactor();
         }
     }
     /**
-     * Base point aka generator. public_key = Point.BASE * private_key
+     * Base point aka generator. Any public_key = Point.BASE * private_key
      */
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy);
     /**
-     * Identity point aka point at infinity. point = point + zero_point
+     * Identity point aka point at infinity. p - p = zero_p; p + zero_p = p
      */
     Point.ZERO = new Point(Fp.ZERO, Fp.ZERO);
     return {
@@ -587,8 +592,8 @@ function weierstrassPoints(opts) {
 }
 exports.weierstrassPoints = weierstrassPoints;
 function validateOpts(curve) {
-    const opts = utils.validateOpts(curve);
-    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+    const opts = ut.validateOpts(curve);
+    if (typeof opts.hash !== 'function' || !ut.isPositiveInt(opts.hash.outputLen))
         throw new Error('Invalid hash function');
     if (typeof opts.hmac !== 'function')
         throw new Error('Invalid hmac function');
@@ -644,15 +649,15 @@ class HmacDrbg {
             out.push(sl);
             len += this.v.length;
         }
-        return (0, utils_js_1.concatBytes)(...out);
+        return ut.concatBytes(...out);
     }
 }
 function weierstrass(curveDef) {
     const CURVE = validateOpts(curveDef);
     const CURVE_ORDER = CURVE.n;
     const Fp = CURVE.Fp;
-    const compressedLen = Fp.BYTES + 1; // 33
-    const uncompressedLen = 2 * Fp.BYTES + 1; // 65
+    const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
+    const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
     function isValidFieldElement(num) {
         // 0 is disallowed by arbitrary reasons. Probably because infinity point?
         return _0n < num && num < Fp.ORDER;
@@ -660,11 +665,13 @@ function weierstrass(curveDef) {
     const { Point, ProjectivePoint, normalizePrivateKey, weierstrassEquation, isWithinCurveOrder } = weierstrassPoints({
         ...CURVE,
         toBytes(c, point, isCompressed) {
+            const x = Fp.toBytes(point.x);
+            const cat = ut.concatBytes;
             if (isCompressed) {
-                return (0, utils_js_1.concatBytes)(new Uint8Array([point.hasEvenY() ? 0x02 : 0x03]), Fp.toBytes(point.x));
+                return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
             }
             else {
-                return (0, utils_js_1.concatBytes)(new Uint8Array([0x04]), Fp.toBytes(point.x), Fp.toBytes(point.y));
+                return cat(Uint8Array.from([0x04]), x, Fp.toBytes(point.y));
             }
         },
         fromBytes(bytes) {
@@ -672,7 +679,7 @@ function weierstrass(curveDef) {
             const header = bytes[0];
             // this.assertValidity() is done inside of fromHex
             if (len === compressedLen && (header === 0x02 || header === 0x03)) {
-                const x = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(1));
+                const x = ut.bytesToNumberBE(bytes.subarray(1));
                 if (!isValidFieldElement(x))
                     throw new Error('Point is not on curve');
                 const y2 = weierstrassEquation(x); // y² = x³ + ax + b
@@ -725,17 +732,18 @@ function weierstrass(curveDef) {
     function normalizeS(s) {
         return isBiggerThanHalfOrder(s) ? mod.mod(-s, CURVE_ORDER) : s;
     }
+    function bits2int_2(bytes) {
+        const delta = bytes.length * 8 - CURVE.nBitLength;
+        const num = ut.bytesToNumberBE(bytes);
+        return delta > 0 ? num >> BigInt(delta) : num;
+    }
     // Ensures ECDSA message hashes are 32 bytes and < curve order
     function _truncateHash(hash, truncateOnly = false) {
-        const { n, nBitLength } = CURVE;
-        const byteLength = hash.length;
-        const delta = byteLength * 8 - nBitLength; // size of curve.n (252 bits)
-        let h = (0, utils_js_1.bytesToNumberBE)(hash);
-        if (delta > 0)
-            h = h >> BigInt(delta);
-        if (!truncateOnly && h >= n)
-            h -= n;
-        return h;
+        const h = bits2int_2(hash);
+        if (truncateOnly)
+            return h;
+        const { n } = CURVE;
+        return h >= n ? h - n : h;
     }
     const truncateHash = CURVE.truncateHash || _truncateHash;
     /**
@@ -748,16 +756,18 @@ function weierstrass(curveDef) {
             this.recovery = recovery;
             this.assertValidity();
         }
-        // pair (32 bytes of r, 32 bytes of s)
+        // pair (bytes of r, bytes of s)
         static fromCompact(hex) {
             const arr = hex instanceof Uint8Array;
             const name = 'Signature.fromCompact';
             if (typeof hex !== 'string' && !arr)
                 throw new TypeError(`${name}: Expected string or Uint8Array`);
             const str = arr ? (0, utils_js_1.bytesToHex)(hex) : hex;
-            if (str.length !== 128)
-                throw new Error(`${name}: Expected 64-byte hex`);
-            return new Signature((0, utils_js_1.hexToNumber)(str.slice(0, 64)), (0, utils_js_1.hexToNumber)(str.slice(64, 128)));
+            const gl = CURVE.nByteLength * 2; // group length in hex, not ui8a
+            if (str.length !== 2 * gl)
+                throw new Error(`${name}: Expected ${gl / 2}-byte hex`);
+            const slice = (from, to) => ut.hexToNumber(str.slice(from, to));
+            return new Signature(slice(0, gl), slice(gl, 2 * gl));
         }
         // DER encoded ECDSA signature
         // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
@@ -765,7 +775,7 @@ function weierstrass(curveDef) {
             const arr = hex instanceof Uint8Array;
             if (typeof hex !== 'string' && !arr)
                 throw new TypeError(`Signature.fromDER: Expected string or Uint8Array`);
-            const { r, s } = parseDERSignature(arr ? hex : (0, utils_js_1.hexToBytes)(hex));
+            const { r, s } = DER.parseSig(arr ? hex : ut.hexToBytes(hex));
             return new Signature(r, s);
         }
         assertValidity() {
@@ -781,6 +791,7 @@ function weierstrass(curveDef) {
         /**
          * Recovers public key from signature with recovery bit. Throws on invalid hash.
          * https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Public_key_recovery
+         * It's also possible to recover key without bit: try all 4 bit values and check for sig match.
          *
          * ```
          * recover(r, s, h) where
@@ -796,17 +807,20 @@ function weierstrass(curveDef) {
             const { r, s, recovery } = this;
             if (recovery == null)
                 throw new Error('Cannot recover: recovery bit is not present');
-            if (recovery !== 0 && recovery !== 1)
+            if (![0, 1, 2, 3].includes(recovery))
                 throw new Error('Cannot recover: invalid recovery bit');
-            const h = truncateHash((0, utils_js_1.ensureBytes)(msgHash));
+            const h = truncateHash(ut.ensureBytes(msgHash));
             const { n } = CURVE;
-            const rinv = mod.invert(r, n);
+            const radj = recovery === 2 || recovery === 3 ? r + n : r;
+            if (radj >= Fp.ORDER)
+                throw new Error('Cannot recover: bit 2/3 is invalid with current r');
+            const rinv = mod.invert(radj, n);
             // Q = u1⋅G + u2⋅R
             const u1 = mod.mod(-h * rinv, n);
             const u2 = mod.mod(s * rinv, n);
             const prefix = recovery & 1 ? '03' : '02';
-            const R = Point.fromHex(prefix + numToFieldStr(r));
-            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2);
+            const R = Point.fromHex(prefix + numToFieldStr(radj));
+            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // unsafe is fine: no priv data leaked
             if (!Q)
                 throw new Error('Cannot recover: point at infinify');
             Q.assertValidity();
@@ -826,30 +840,29 @@ function weierstrass(curveDef) {
                 : this;
         }
         // DER-encoded
-        toDERRawBytes(isCompressed = false) {
-            return (0, utils_js_1.hexToBytes)(this.toDERHex(isCompressed));
-        }
-        toDERHex(isCompressed = false) {
-            const sHex = sliceDER((0, utils_js_1.numberToHexUnpadded)(this.s));
-            if (isCompressed)
-                return sHex;
-            const rHex = sliceDER((0, utils_js_1.numberToHexUnpadded)(this.r));
-            const rLen = (0, utils_js_1.numberToHexUnpadded)(rHex.length / 2);
-            const sLen = (0, utils_js_1.numberToHexUnpadded)(sHex.length / 2);
-            const length = (0, utils_js_1.numberToHexUnpadded)(rHex.length / 2 + sHex.length / 2 + 4);
+        toDERRawBytes() {
+            return ut.hexToBytes(this.toDERHex());
+        }
+        toDERHex() {
+            const { numberToHexUnpadded: toHex } = ut;
+            const sHex = DER.slice(toHex(this.s));
+            const rHex = DER.slice(toHex(this.r));
+            const sHexL = sHex.length / 2;
+            const rHexL = rHex.length / 2;
+            const sLen = toHex(sHexL);
+            const rLen = toHex(rHexL);
+            const length = toHex(rHexL + sHexL + 4);
             return `30${length}02${rLen}${rHex}02${sLen}${sHex}`;
         }
-        // 32 bytes of r, then 32 bytes of s
+        // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
-            return (0, utils_js_1.hexToBytes)(this.toCompactHex());
+            return ut.hexToBytes(this.toCompactHex());
         }
         toCompactHex() {
             return numToFieldStr(this.r) + numToFieldStr(this.s);
         }
     }
     const utils = {
-        mod: (n, modulo = Fp.ORDER) => mod.mod(n, modulo),
-        invert: Fp.invert,
         isValidPrivateKey(privateKey) {
             try {
                 normalizePrivateKey(privateKey);
@@ -869,7 +882,7 @@ function weierstrass(curveDef) {
         /**
          * Converts some bytes to a valid private key. Needs at least (nBitLength+64) bytes.
          */
-        hashToPrivateKey: (hash) => numToField((0, utils_js_1.hashToPrivateScalar)(hash, CURVE_ORDER)),
+        hashToPrivateKey: (hash) => numToField(ut.hashToPrivateScalar(hash, CURVE_ORDER)),
         /**
          * Produces cryptographically secure private key from random of size (nBitLength+64)
          * as per FIPS 186 B.4.1 with modulo bias being neglible.
@@ -891,10 +904,10 @@ function weierstrass(curveDef) {
         },
     };
     /**
-     * Computes public key for a private key.
+     * Computes public key for a private key. Checks for validity of the private key.
      * @param privateKey private key
-     * @param isCompressed whether to return compact, or full key
-     * @returns Public key, full by default; short when isCompressed=true
+     * @param isCompressed whether to return compact (default), or full key
+     * @returns Public key, full when isCompressed=false; short when isCompressed=true
      */
     function getPublicKey(privateKey, isCompressed = false) {
         return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);
@@ -915,12 +928,12 @@ function weierstrass(curveDef) {
         return false;
     }
     /**
-     * ECDH (Elliptic Curve Diffie Hellman) implementation.
-     * 1. Checks for validity of private key
-     * 2. Checks for the public key of being on-curve
+     * ECDH (Elliptic Curve Diffie Hellman).
+     * Computes shared public key from private key and public key.
+     * Checks: 1) private key validity 2) shared key is on-curve
      * @param privateA private key
      * @param publicB different public key
-     * @param isCompressed whether to return compact (33-byte), or full (65-byte) key
+     * @param isCompressed whether to return compact (default), or full key
      * @returns shared public key
      */
     function getSharedSecret(privateA, publicB, isCompressed = false) {
@@ -934,8 +947,21 @@ function weierstrass(curveDef) {
     }
     // RFC6979 methods
     function bits2int(bytes) {
-        const slice = bytes.length > Fp.BYTES ? bytes.slice(0, Fp.BYTES) : bytes;
-        return (0, utils_js_1.bytesToNumberBE)(slice);
+        const { nByteLength } = CURVE;
+        if (!(bytes instanceof Uint8Array))
+            throw new Error('Expected Uint8Array');
+        const slice = bytes.length > nByteLength ? bytes.slice(0, nByteLength) : bytes;
+        // const slice = bytes; nByteLength; nBitLength;
+        let num = ut.bytesToNumberBE(slice);
+        // const { nBitLength } = CURVE;
+        // const delta = (bytes.length * 8) - nBitLength;
+        // if (delta > 0) {
+        //   // console.log('bits=', bytes.length*8, 'CURVE n=', nBitLength, 'delta=', delta);
+        //   // console.log(bytes.length, nBitLength, delta);
+        //   // console.log(bytes, new Error().stack);
+        //   num >>= BigInt(delta);
+        // }
+        return num;
     }
     function bits2octets(bytes) {
         const z1 = bits2int(bytes);
@@ -943,7 +969,7 @@ function weierstrass(curveDef) {
         return int2octets(z2 < _0n ? z1 : z2);
     }
     function int2octets(num) {
-        return numToField(num); // prohibits >32 bytes
+        return numToField(num); // prohibits >nByteLength bytes
     }
     // Steps A, D of RFC6979 3.2
     // Creates RFC6979 seed; converts msg/privKey to numbers.
@@ -951,7 +977,7 @@ function weierstrass(curveDef) {
         if (msgHash == null)
             throw new Error(`sign: expected valid message hash, not "${msgHash}"`);
         // Step A is ignored, since we already provide hash instead of msg
-        const h1 = numToField(truncateHash((0, utils_js_1.ensureBytes)(msgHash)));
+        const h1 = numToField(truncateHash(ut.ensureBytes(msgHash)));
         const d = normalizePrivateKey(privateKey);
         // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
         const seedArgs = [int2octets(d), bits2octets(h1)];
@@ -959,7 +985,7 @@ function weierstrass(curveDef) {
         if (extraEntropy != null) {
             if (extraEntropy === true)
                 extraEntropy = CURVE.randomBytes(Fp.BYTES);
-            const e = (0, utils_js_1.ensureBytes)(extraEntropy);
+            const e = ut.ensureBytes(extraEntropy);
             if (e.length !== Fp.BYTES)
                 throw new Error(`sign: Expected ${Fp.BYTES} bytes of extra data`);
             seedArgs.push(e);
@@ -967,7 +993,7 @@ function weierstrass(curveDef) {
         // seed is constructed from private key and message
         // Step D
         // V, 0x00 are done in HmacDRBG constructor.
-        const seed = (0, utils_js_1.concatBytes)(...seedArgs);
+        const seed = ut.concatBytes(...seedArgs);
         const m = bits2int(h1);
         return { seed, m, d };
     }
@@ -991,10 +1017,11 @@ function weierstrass(curveDef) {
         const r = mod.mod(q.x, n);
         if (r === _0n)
             return;
-        // s = (1/k * (m + dr) mod n
+        // s = (m + dr)/k mod n where x/k == x*inv(k)
         const s = mod.mod(kinv * mod.mod(m + mod.mod(d * r, n), n), n);
         if (s === _0n)
             return;
+        // recovery bit is usually 0 or 1; rarely it's 2 or 3, when q.x > n
         let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n);
         let normS = s;
         if (lowS && isBiggerThanHalfOrder(s)) {
@@ -1003,11 +1030,18 @@ function weierstrass(curveDef) {
         }
         return new Signature(r, normS, recovery);
     }
+    const defaultSigOpts = { lowS: CURVE.lowS };
     /**
      * Signs message hash (not message: you need to hash it by yourself).
+     * ```
+     * sign(m, d, k) where
+     *   (x, y) = G × k
+     *   r = x mod n
+     *   s = (m + dr)/k mod n
+     * ```
      * @param opts `lowS, extraEntropy`
      */
-    function sign(msgHash, privKey, opts = { lowS: CURVE.lowS }) {
+    function sign(msgHash, privKey, opts = defaultSigOpts) {
         // Steps A, D of RFC6979 3.2.
         const { seed, m, d } = initSigArgs(msgHash, privKey, opts.extraEntropy);
         // Steps B, C, D, E, F, G
@@ -1019,6 +1053,12 @@ function weierstrass(curveDef) {
             drbg.reseedSync();
         return sig;
     }
+    /**
+     * Signs a message (not message hash).
+     */
+    function signUnhashed(msg, privKey, opts = defaultSigOpts) {
+        return sign(CURVE.hash(ut.ensureBytes(msg)), privKey, opts);
+    }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
     Point.BASE._setWindowSize(8);
     /**
@@ -1051,7 +1091,7 @@ function weierstrass(curveDef) {
                     signature = Signature.fromCompact(signature);
                 }
             }
-            msgHash = (0, utils_js_1.ensureBytes)(msgHash);
+            msgHash = ut.ensureBytes(msgHash);
         }
         catch (error) {
             return false;
@@ -1085,6 +1125,7 @@ function weierstrass(curveDef) {
         getPublicKey,
         getSharedSecret,
         sign,
+        signUnhashed,
         verify,
         Point,
         ProjectivePoint,