@noble/curves 0.5.1 → 0.6.0

package/lib/esm/abstract/edwards.js

@@ -1,135 +1,141 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 // Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
-// Differences from @noble/ed25519 1.7:
-// 1. Different field element lengths in ed448:
-//   EDDSA (RFC8032) is 456 bits / 57 bytes, ECDH (RFC7748) is 448 bits / 56 bytes
-// 2. Different addition formula (doubling is same)
-// 3. uvRatio differs between curves (half-expected, not only pow fn changes)
-// 4. Point decompression code is different too (unexpected), now using generalized formula
-// 5. Domain function was no-op for ed25519, but adds some data even with empty context for ed448
-import * as mod from './modular.js';
-import { bytesToHex, concatBytes, ensureBytes, numberToBytesLE, bytesToNumberLE, hashToPrivateScalar, validateOpts as utilOpts, } from './utils.js'; // TODO: import * as u from './utils.js'?
-import { wNAF } from './group.js';
-import { hash_to_field, validateHTFOpts } from './hash-to-curve.js';
+import { mod } from './modular.js';
+import { bytesToHex, bytesToNumberLE, concatBytes, ensureBytes, numberToBytesLE, } from './utils.js';
+import { wNAF, validateAbsOpts, } from './curve.js';
 // Be friendly to bad ECMAScript parsers by not using bigint literals like 123n
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
 const _8n = BigInt(8);
-// Should be separate from overrides, since overrides can use information about curve (for example nBits)
 function validateOpts(curve) {
-    const opts = utilOpts(curve);
-    if (typeof opts.hash !== 'function' || !Number.isSafeInteger(opts.hash.outputLen))
+    const opts = validateAbsOpts(curve);
+    if (typeof opts.hash !== 'function')
         throw new Error('Invalid hash function');
     for (const i of ['a', 'd']) {
-        if (typeof opts[i] !== 'bigint')
-            throw new Error(`Invalid curve param ${i}=${opts[i]} (${typeof opts[i]})`);
+        const val = opts[i];
+        if (typeof val !== 'bigint')
+            throw new Error(`Invalid curve param ${i}=${val} (${typeof val})`);
     }
     for (const fn of ['randomBytes']) {
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
-    for (const fn of [
-        'adjustScalarBytes',
-        'domain',
-        'uvRatio',
-        'mapToCurve',
-        'clearCofactor',
-    ]) {
+    for (const fn of ['adjustScalarBytes', 'domain', 'uvRatio', 'mapToCurve']) {
         if (opts[fn] === undefined)
             continue; // Optional
         if (typeof opts[fn] !== 'function')
             throw new Error(`Invalid ${fn} function`);
     }
-    if (opts.htfDefaults !== undefined)
-        validateHTFOpts(opts.htfDefaults);
     // Set defaults
     return Object.freeze({ ...opts });
 }
-// NOTE: it is not generic twisted curve for now, but ed25519/ed448 generic implementation
+// It is not generic twisted curve for now, but ed25519/ed448 generic implementation
 export function twistedEdwards(curveDef) {
     const CURVE = validateOpts(curveDef);
-    const Fp = CURVE.Fp;
-    const CURVE_ORDER = CURVE.n;
-    const fieldLen = Fp.BYTES; // 32 (length of one field element)
-    if (fieldLen > 2048)
-        throw new Error('Field lengths over 2048 are not supported');
-    const groupLen = CURVE.nByteLength;
-    // (2n ** 256n).toString(16);
-    const maxGroupElement = _2n ** BigInt(groupLen * 8); // previous POW_2_256
-    // Function overrides
-    const { randomBytes } = CURVE;
-    const modP = Fp.create;
+    const { Fp, n: CURVE_ORDER, preHash, hash: cHash, randomBytes, nByteLength, h: cofactor } = CURVE;
+    const MASK = _2n ** BigInt(nByteLength * 8);
+    const modP = Fp.create; // Function overrides
     // sqrt(u/v)
-    function _uvRatio(u, v) {
-        try {
-            const value = Fp.sqrt(u * Fp.invert(v));
-            return { isValid: true, value };
-        }
-        catch (e) {
-            return { isValid: false, value: _0n };
-        }
+    const uvRatio = CURVE.uvRatio ||
+        ((u, v) => {
+            try {
+                return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
+            }
+            catch (e) {
+                return { isValid: false, value: _0n };
+            }
+        });
+    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
+    const domain = CURVE.domain ||
+        ((data, ctx, phflag) => {
+            if (ctx.length || phflag)
+                throw new Error('Contexts/pre-hash are not supported');
+            return data;
+        }); // NOOP
+    const inBig = (n) => typeof n === 'bigint' && 0n < n; // n in [1..]
+    const inRange = (n, max) => inBig(n) && inBig(max) && n < max; // n in [1..max-1]
+    const in0MaskRange = (n) => n === _0n || inRange(n, MASK); // n in [0..MASK-1]
+    function assertInRange(n, max) {
+        // n in [1..max-1]
+        if (inRange(n, max))
+            return n;
+        throw new Error(`Expected valid scalar < ${max}, got ${typeof n} ${n}`);
+    }
+    function assertGE0(n) {
+        // n in [0..CURVE_ORDER-1]
+        return n === _0n ? n : assertInRange(n, CURVE_ORDER); // GE = prime subgroup, not full group
     }
-    const uvRatio = CURVE.uvRatio || _uvRatio;
-    const _adjustScalarBytes = (bytes) => bytes; // NOOP
-    const adjustScalarBytes = CURVE.adjustScalarBytes || _adjustScalarBytes;
-    function _domain(data, ctx, phflag) {
-        if (ctx.length || phflag)
-            throw new Error('Contexts/pre-hash are not supported');
-        return data;
+    const pointPrecomputes = new Map();
+    function isPoint(other) {
+        if (!(other instanceof Point))
+            throw new Error('ExtendedPoint expected');
     }
-    const domain = CURVE.domain || _domain; // NOOP
-    /**
-     * Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
-     * Default Point works in affine coordinates: (x, y)
-     * https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
-     */
-    class ExtendedPoint {
-        constructor(x, y, z, t) {
-            this.x = x;
-            this.y = y;
-            this.z = z;
-            this.t = t;
+    // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
+    // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
+    class Point {
+        constructor(ex, ey, ez, et) {
+            this.ex = ex;
+            this.ey = ey;
+            this.ez = ez;
+            this.et = et;
+            if (!in0MaskRange(ex))
+                throw new Error('x required');
+            if (!in0MaskRange(ey))
+                throw new Error('y required');
+            if (!in0MaskRange(ez))
+                throw new Error('z required');
+            if (!in0MaskRange(et))
+                throw new Error('t required');
+        }
+        get x() {
+            return this.toAffine().x;
+        }
+        get y() {
+            return this.toAffine().y;
         }
         static fromAffine(p) {
-            if (!(p instanceof Point)) {
-                throw new TypeError('ExtendedPoint#fromAffine: expected Point');
-            }
-            if (p.equals(Point.ZERO))
-                return ExtendedPoint.ZERO;
-            return new ExtendedPoint(p.x, p.y, _1n, modP(p.x * p.y));
-        }
-        // Takes a bunch of Jacobian Points but executes only one
-        // invert on all of them. invert is very slow operation,
-        // so this improves performance massively.
-        static toAffineBatch(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.z));
-            return points.map((p, i) => p.toAffine(toInv[i]));
+            if (p instanceof Point)
+                throw new Error('extended point not allowed');
+            const { x, y } = p || {};
+            if (!in0MaskRange(x) || !in0MaskRange(y))
+                throw new Error('invalid affine point');
+            return new Point(x, y, _1n, modP(x * y));
         }
         static normalizeZ(points) {
-            return this.toAffineBatch(points).map(this.fromAffine);
+            const toInv = Fp.invertBatch(points.map((p) => p.ez));
+            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+        }
+        // "Private method", don't use it directly
+        _setWindowSize(windowSize) {
+            this._WINDOW_SIZE = windowSize;
+            pointPrecomputes.delete(this);
         }
+        assertValidity() { }
         // Compare one point to another.
         equals(other) {
-            assertExtPoint(other);
-            const { x: X1, y: Y1, z: Z1 } = this;
-            const { x: X2, y: Y2, z: Z2 } = other;
+            isPoint(other);
+            const { ex: X1, ey: Y1, ez: Z1 } = this;
+            const { ex: X2, ey: Y2, ez: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
             const X2Z1 = modP(X2 * Z1);
             const Y1Z2 = modP(Y1 * Z2);
             const Y2Z1 = modP(Y2 * Z1);
             return X1Z2 === X2Z1 && Y1Z2 === Y2Z1;
         }
-        // Inverses point to one corresponding to (x, -y) in Affine coordinates.
+        is0() {
+            return this.equals(Point.ZERO);
+        }
         negate() {
-            return new ExtendedPoint(modP(-this.x), this.y, this.z, modP(-this.t));
+            // Flips point sign to a negative one (-x, y in affine coords)
+            return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
         }
         // Fast algo for doubling Extended Point.
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
         // Cost: 4M + 4S + 1*a + 6add + 1*2.
         double() {
             const { a } = CURVE;
-            const { x: X1, y: Y1, z: Z1 } = this;
+            const { ex: X1, ey: Y1, ez: Z1 } = this;
             const A = modP(X1 * X1); // A = X12
             const B = modP(Y1 * Y1); // B = Y12
             const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
@@ -143,16 +149,16 @@ export function twistedEdwards(curveDef) {
             const Y3 = modP(G * H); // Y3 = G*H
             const T3 = modP(E * H); // T3 = E*H
             const Z3 = modP(F * G); // Z3 = F*G
-            return new ExtendedPoint(X3, Y3, Z3, T3);
+            return new Point(X3, Y3, Z3, T3);
         }
         // Fast algo for adding 2 Extended Points.
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
         // Cost: 9M + 1*a + 1*d + 7add.
         add(other) {
-            assertExtPoint(other);
+            isPoint(other);
             const { a, d } = CURVE;
-            const { x: X1, y: Y1, z: Z1, t: T1 } = this;
-            const { x: X2, y: Y2, z: Z2, t: T2 } = other;
+            const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
+            const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
             // Faster algo for adding 2 Extended Points when curve's a=-1.
             // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
             // Cost: 8M + 8add + 2*2.
@@ -172,7 +178,7 @@ export function twistedEdwards(curveDef) {
                 const Y3 = modP(G * H);
                 const T3 = modP(E * H);
                 const Z3 = modP(F * G);
-                return new ExtendedPoint(X3, Y3, Z3, T3);
+                return new Point(X3, Y3, Z3, T3);
             }
             const A = modP(X1 * X2); // A = X1*X2
             const B = modP(Y1 * Y2); // B = Y1*Y2
@@ -186,386 +192,188 @@ export function twistedEdwards(curveDef) {
             const Y3 = modP(G * H); // Y3 = G*H
             const T3 = modP(E * H); // T3 = E*H
             const Z3 = modP(F * G); // Z3 = F*G
-            return new ExtendedPoint(X3, Y3, Z3, T3);
+            return new Point(X3, Y3, Z3, T3);
         }
         subtract(other) {
             return this.add(other.negate());
         }
-        wNAF(n, affinePoint) {
-            if (!affinePoint && this.equals(ExtendedPoint.BASE))
-                affinePoint = Point.BASE;
-            const W = (affinePoint && affinePoint._WINDOW_SIZE) || 1;
-            let precomputes = affinePoint && pointPrecomputes.get(affinePoint);
-            if (!precomputes) {
-                precomputes = wnaf.precomputeWindow(this, W);
-                if (affinePoint && W !== 1) {
-                    precomputes = ExtendedPoint.normalizeZ(precomputes);
-                    pointPrecomputes.set(affinePoint, precomputes);
-                }
-            }
-            const { p, f } = wnaf.wNAF(W, precomputes, n);
-            return ExtendedPoint.normalizeZ([p, f])[0];
+        wNAF(n) {
+            return wnaf.wNAFCached(this, pointPrecomputes, n, Point.normalizeZ);
         }
-        // Constant time multiplication.
-        // Uses wNAF method. Windowed method may be 10% faster,
-        // but takes 2x longer to generate and consumes 2x memory.
-        multiply(scalar, affinePoint) {
-            return this.wNAF(normalizeScalar(scalar, CURVE_ORDER), affinePoint);
+        // Constant-time multiplication.
+        multiply(scalar) {
+            const { p, f } = this.wNAF(assertInRange(scalar, CURVE_ORDER));
+            return Point.normalizeZ([p, f])[0];
         }
         // Non-constant-time multiplication. Uses double-and-add algorithm.
         // It's faster, but should only be used when you don't care about
         // an exposed private key e.g. sig verification.
-        // Allows scalar bigger than curve order, but less than 2^256
         multiplyUnsafe(scalar) {
-            let n = normalizeScalar(scalar, CURVE_ORDER, false);
-            const G = ExtendedPoint.BASE;
-            const P0 = ExtendedPoint.ZERO;
+            let n = assertGE0(scalar);
             if (n === _0n)
-                return P0;
-            if (this.equals(P0) || n === _1n)
+                return I;
+            if (this.equals(I) || n === _1n)
                 return this;
             if (this.equals(G))
-                return this.wNAF(n);
+                return this.wNAF(n).p;
             return wnaf.unsafeLadder(this, n);
         }
+        // Checks if point is of small order.
+        // If you add something to small order point, you will have "dirty"
+        // point with torsion component.
         // Multiplies point by cofactor and checks if the result is 0.
         isSmallOrder() {
-            return this.multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
+            return this.multiplyUnsafe(cofactor).is0();
         }
-        // Multiplies point by a very big scalar n and checks if the result is 0.
+        // Multiplies point by curve order and checks if the result is 0.
+        // Returns `false` is the point is dirty.
         isTorsionFree() {
-            return this.multiplyUnsafe(CURVE_ORDER).equals(ExtendedPoint.ZERO);
+            return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
         }
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
-        toAffine(invZ) {
-            const { x, y, z } = this;
-            const is0 = this.equals(ExtendedPoint.ZERO);
-            if (invZ == null)
-                invZ = is0 ? _8n : Fp.invert(z); // 8 was chosen arbitrarily
-            const ax = modP(x * invZ);
-            const ay = modP(y * invZ);
-            const zz = modP(z * invZ);
+        toAffine(iz) {
+            const { ex: x, ey: y, ez: z } = this;
+            const is0 = this.is0();
+            if (iz == null)
+                iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
+            const ax = modP(x * iz);
+            const ay = modP(y * iz);
+            const zz = modP(z * iz);
             if (is0)
-                return Point.ZERO;
+                return { x: _0n, y: _1n };
             if (zz !== _1n)
                 throw new Error('invZ was invalid');
-            return new Point(ax, ay);
+            return { x: ax, y: ay };
         }
         clearCofactor() {
-            if (CURVE.h === _1n)
-                return this; // Fast-path
-            // clear_cofactor(P) := h_eff * P
-            // hEff = h for ed25519/ed448. Maybe worth moving to params?
-            if (CURVE.clearCofactor)
-                return CURVE.clearCofactor(ExtendedPoint, this);
-            return this.multiplyUnsafe(CURVE.h);
-        }
-    }
-    ExtendedPoint.BASE = new ExtendedPoint(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
-    ExtendedPoint.ZERO = new ExtendedPoint(_0n, _1n, _1n, _0n);
-    const wnaf = wNAF(ExtendedPoint, groupLen * 8);
-    function assertExtPoint(other) {
-        if (!(other instanceof ExtendedPoint))
-            throw new TypeError('ExtendedPoint expected');
-    }
-    // Stores precomputed values for points.
-    const pointPrecomputes = new WeakMap();
-    /**
-     * Default Point works in affine coordinates: (x, y)
-     */
-    class Point {
-        constructor(x, y) {
-            this.x = x;
-            this.y = y;
-        }
-        // "Private method", don't use it directly.
-        _setWindowSize(windowSize) {
-            this._WINDOW_SIZE = windowSize;
-            pointPrecomputes.delete(this);
+            const { h: cofactor } = CURVE;
+            if (cofactor === _1n)
+                return this;
+            return this.multiplyUnsafe(cofactor);
         }
         // Converts hash string or Uint8Array to Point.
         // Uses algo from RFC8032 5.1.3.
         static fromHex(hex, strict = true) {
             const { d, a } = CURVE;
-            hex = ensureBytes(hex, fieldLen);
-            // 1.  First, interpret the string as an integer in little-endian
-            // representation. Bit 255 of this number is the least significant
-            // bit of the x-coordinate and denote this value x_0.  The
-            // y-coordinate is recovered simply by clearing this bit.  If the
-            // resulting value is >= p, decoding fails.
-            const normed = hex.slice();
-            const lastByte = hex[fieldLen - 1];
-            normed[fieldLen - 1] = lastByte & ~0x80;
+            const len = Fp.BYTES;
+            hex = ensureBytes(hex, len); // copy hex to a new array
+            const normed = hex.slice(); // copy again, we'll manipulate it
+            const lastByte = hex[len - 1]; // select last byte
+            normed[len - 1] = lastByte & ~0x80; // clear last bit
             const y = bytesToNumberLE(normed);
-            if (strict && y >= Fp.ORDER)
-                throw new Error('Expected 0 < hex < P');
-            if (!strict && y >= maxGroupElement)
-                throw new Error('Expected 0 < hex < 2**256');
-            // 2.  To recover the x-coordinate, the curve equation implies
-            // Ed25519: x² = (y² - 1) / (d y² + 1) (mod p).
-            // Ed448: x² = (y² - 1) / (d y² - 1) (mod p).
-            // For generic case:
-            // a*x²+y²=1+d*x²*y²
-            // -> y²-1 = d*x²*y²-a*x²
-            // -> y²-1 = x² (d*y²-a)
-            // -> x² = (y²-1) / (d*y²-a)
-            // The denominator is always non-zero mod p.  Let u = y² - 1 and v = d y² + 1.
-            const y2 = modP(y * y);
-            const u = modP(y2 - _1n);
-            const v = modP(d * y2 - a);
-            let { isValid, value: x } = uvRatio(u, v);
+            if (y === _0n) {
+                // y=0 is allowed
+            }
+            else {
+                // RFC8032 prohibits >= p, but ZIP215 doesn't
+                if (strict)
+                    assertInRange(y, Fp.ORDER); // strict=true [1..P-1] (2^255-19-1 for ed25519)
+                else
+                    assertInRange(y, MASK); // strict=false [1..MASK-1] (2^256-1 for ed25519)
+            }
+            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
+            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
+            const y2 = modP(y * y); // denominator is always non-0 mod p.
+            const u = modP(y2 - _1n); // u = y² - 1
+            const v = modP(d * y2 - a); // v = d y² + 1.
+            let { isValid, value: x } = uvRatio(u, v); // √(u/v)
             if (!isValid)
                 throw new Error('Point.fromHex: invalid y coordinate');
-            // 4.  Finally, use the x_0 bit to select the right square root.  If
-            // x = 0, and x_0 = 1, decoding fails.  Otherwise, if x_0 != x mod
-            // 2, set x <-- p - x.  Return the decoded point (x,y).
-            const isXOdd = (x & _1n) === _1n;
-            const isLastByteOdd = (lastByte & 0x80) !== 0;
+            const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
+            const isLastByteOdd = (lastByte & 0x80) !== 0; // if x=0 and x_0 = 1, fail
             if (isLastByteOdd !== isXOdd)
-                x = modP(-x);
-            return new Point(x, y);
+                x = modP(-x); // if x_0 != x mod 2, set x = p-x
+            return Point.fromAffine({ x, y });
         }
-        static fromPrivateKey(privateKey) {
-            return getExtendedPublicKey(privateKey).point;
+        static fromPrivateKey(privKey) {
+            return getExtendedPublicKey(privKey).point;
         }
-        // There can always be only two x values (x, -x) for any y
-        // When compressing point, it's enough to only store its y coordinate
-        // and use the last byte to encode sign of x.
         toRawBytes() {
-            const bytes = numberToBytesLE(this.y, fieldLen);
-            bytes[fieldLen - 1] |= this.x & _1n ? 0x80 : 0;
-            return bytes;
+            const { x, y } = this.toAffine();
+            const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
+            bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
+            return bytes; // and use the last byte to encode sign of x
         }
-        // Same as toRawBytes, but returns string.
         toHex() {
-            return bytesToHex(this.toRawBytes());
-        }
-        isTorsionFree() {
-            return ExtendedPoint.fromAffine(this).isTorsionFree();
-        }
-        equals(other) {
-            if (!(other instanceof Point))
-                throw new TypeError('Point#equals: expected Point');
-            return this.x === other.x && this.y === other.y;
-        }
-        negate() {
-            return new Point(modP(-this.x), this.y);
-        }
-        double() {
-            return ExtendedPoint.fromAffine(this).double().toAffine();
-        }
-        add(other) {
-            return ExtendedPoint.fromAffine(this).add(ExtendedPoint.fromAffine(other)).toAffine();
-        }
-        subtract(other) {
-            return this.add(other.negate());
-        }
-        /**
-         * Constant time multiplication.
-         * @param scalar Big-Endian number
-         * @returns new point
-         */
-        multiply(scalar) {
-            return ExtendedPoint.fromAffine(this).multiply(scalar, this).toAffine();
-        }
-        clearCofactor() {
-            return ExtendedPoint.fromAffine(this).clearCofactor().toAffine();
-        }
-        // Encodes byte string to elliptic curve
-        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-11#section-3
-        static hashToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
-                throw new Error('No mapToCurve defined for curve');
-            msg = ensureBytes(msg);
-            const u = hash_to_field(msg, 2, { ...CURVE.htfDefaults, ...options });
-            const { x: x0, y: y0 } = CURVE.mapToCurve(u[0]);
-            const { x: x1, y: y1 } = CURVE.mapToCurve(u[1]);
-            const p = new Point(x0, y0).add(new Point(x1, y1)).clearCofactor();
-            return p;
-        }
-        // https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hash-to-curve-16#section-3
-        static encodeToCurve(msg, options) {
-            if (!CURVE.mapToCurve)
-                throw new Error('No mapToCurve defined for curve');
-            msg = ensureBytes(msg);
-            const u = hash_to_field(msg, 1, { ...CURVE.htfDefaults, ...options });
-            const { x, y } = CURVE.mapToCurve(u[0]);
-            return new Point(x, y).clearCofactor();
+            return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
         }
     }
-    // Base point aka generator
-    // public_key = Point.BASE * private_key
-    Point.BASE = new Point(CURVE.Gx, CURVE.Gy);
-    // Identity point aka point at infinity
-    // point = point + zero_point
-    Point.ZERO = new Point(_0n, _1n);
-    /**
-     * EDDSA signature.
-     */
-    class Signature {
-        constructor(r, s) {
-            this.r = r;
-            this.s = s;
-            this.assertValidity();
-        }
-        static fromHex(hex) {
-            const bytes = ensureBytes(hex, 2 * fieldLen);
-            const r = Point.fromHex(bytes.slice(0, fieldLen), false);
-            const s = bytesToNumberLE(bytes.slice(fieldLen, 2 * fieldLen));
-            return new Signature(r, s);
-        }
-        assertValidity() {
-            const { r, s } = this;
-            if (!(r instanceof Point))
-                throw new Error('Expected Point instance');
-            // 0 <= s < l
-            normalizeScalar(s, CURVE_ORDER, false);
-            return this;
-        }
-        toRawBytes() {
-            return concatBytes(this.r.toRawBytes(), numberToBytesLE(this.s, fieldLen));
-        }
-        toHex() {
-            return bytesToHex(this.toRawBytes());
-        }
+    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
+    Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
+    const { BASE: G, ZERO: I } = Point;
+    const wnaf = wNAF(Point, nByteLength * 8);
+    function modN(a) {
+        return mod(a, CURVE_ORDER);
     }
     // Little-endian SHA512 with modulo n
-    function modlLE(hash) {
-        return mod.mod(bytesToNumberLE(hash), CURVE_ORDER);
+    function modN_LE(hash) {
+        return modN(bytesToNumberLE(hash));
     }
-    /**
-     * Checks for num to be in range:
-     * For strict == true:  `0 <  num < max`.
-     * For strict == false: `0 <= num < max`.
-     * Converts non-float safe numbers to bigints.
-     */
-    function normalizeScalar(num, max, strict = true) {
-        if (!max)
-            throw new TypeError('Specify max value');
-        if (typeof num === 'number' && Number.isSafeInteger(num))
-            num = BigInt(num);
-        if (typeof num === 'bigint' && num < max) {
-            if (strict) {
-                if (_0n < num)
-                    return num;
-            }
-            else {
-                if (_0n <= num)
-                    return num;
-            }
-        }
-        throw new TypeError('Expected valid scalar: 0 < scalar < max');
-    }
-    function checkPrivateKey(key) {
-        // Normalize bigint / number / string to Uint8Array
-        key =
-            typeof key === 'bigint' || typeof key === 'number'
-                ? numberToBytesLE(normalizeScalar(key, maxGroupElement), groupLen)
-                : ensureBytes(key);
-        if (key.length !== groupLen)
-            throw new Error(`Expected ${groupLen} bytes, got ${key.length}`);
-        return key;
-    }
-    // Takes 64 bytes
-    function getKeyFromHash(hashed) {
-        // First 32 bytes of 64b uniformingly random input are taken,
-        // clears 3 bits of it to produce a random field element.
-        const head = adjustScalarBytes(hashed.slice(0, groupLen));
-        // Second 32 bytes is called key prefix (5.1.6)
-        const prefix = hashed.slice(groupLen, 2 * groupLen);
-        // The actual private scalar
-        const scalar = modlLE(head);
-        // Point on Edwards curve aka public key
-        const point = Point.BASE.multiply(scalar);
-        const pointBytes = point.toRawBytes();
-        return { head, prefix, scalar, point, pointBytes };
+    function isHex(item, err) {
+        if (typeof item !== 'string' && !(item instanceof Uint8Array))
+            throw new Error(`${err} must be hex string or Uint8Array`);
     }
     /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
     function getExtendedPublicKey(key) {
-        return getKeyFromHash(CURVE.hash(checkPrivateKey(key)));
+        isHex(key, 'private key');
+        const len = nByteLength;
+        // Hash private key with curve's hash function to produce uniformingly random input
+        // Check byte lengths: ensure(64, h(ensure(32, key)))
+        const hashed = ensureBytes(cHash(ensureBytes(key, len)), 2 * len);
+        const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
+        const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
+        const scalar = modN_LE(head); // The actual private scalar
+        const point = G.multiply(scalar); // Point on Edwards curve aka public key
+        const pointBytes = point.toRawBytes(); // Uint8Array representation
+        return { head, prefix, scalar, point, pointBytes };
     }
-    /**
-     * Calculates ed25519 public key. RFC8032 5.1.5
-     * 1. private key is hashed with sha512, then first 32 bytes are taken from the hash
-     * 2. 3 least significant bits of the first byte are cleared
-     */
-    function getPublicKey(privateKey) {
-        return getExtendedPublicKey(privateKey).pointBytes;
+    // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
+    function getPublicKey(privKey) {
+        return getExtendedPublicKey(privKey).pointBytes;
     }
-    const EMPTY = new Uint8Array();
-    function hashDomainToScalar(message, context = EMPTY) {
-        context = ensureBytes(context);
-        return modlLE(CURVE.hash(domain(message, context, !!CURVE.preHash)));
+    // int('LE', SHA512(dom2(F, C) || msgs)) mod N
+    function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
+        const msg = concatBytes(...msgs);
+        return modN_LE(cHash(domain(msg, ensureBytes(context), !!preHash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
-    function sign(message, privateKey, context) {
-        message = ensureBytes(message);
-        if (CURVE.preHash)
-            message = CURVE.preHash(message);
-        const { prefix, scalar, pointBytes } = getExtendedPublicKey(privateKey);
-        const r = hashDomainToScalar(concatBytes(prefix, message), context);
-        const R = Point.BASE.multiply(r); // R = rG
-        const k = hashDomainToScalar(concatBytes(R.toRawBytes(), pointBytes, message), context); // k = hash(R+P+msg)
-        const s = mod.mod(r + k * scalar, CURVE_ORDER); // s = r + kp
-        return new Signature(R, s).toRawBytes();
+    function sign(msg, privKey, context) {
+        isHex(msg, 'message');
+        msg = ensureBytes(msg);
+        if (preHash)
+            msg = preHash(msg); // for ed25519ph etc.
+        const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+        const r = hashDomainToScalar(context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
+        const R = G.multiply(r).toRawBytes(); // R = rG
+        const k = hashDomainToScalar(context, R, pointBytes, msg); // R || A || PH(M)
+        const s = modN(r + k * scalar); // S = (r + k * s) mod L
+        assertGE0(s); // 0 <= s < l
+        const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
+        return ensureBytes(res, nByteLength * 2); // 64-byte signature
     }
-    /**
-     * Verifies EdDSA signature against message and public key.
-     * An extended group equation is checked.
-     * RFC8032 5.1.7
-     * Compliant with ZIP215:
-     * 0 <= sig.R/publicKey < 2**256 (can be >= curve.P)
-     * 0 <= sig.s < l
-     * Not compliant with RFC8032: it's not possible to comply to both ZIP & RFC at the same time.
-     */
-    function verify(sig, message, publicKey, context) {
-        message = ensureBytes(message);
-        if (CURVE.preHash)
-            message = CURVE.preHash(message);
-        // When hex is passed, we check public key fully.
-        // When Point instance is passed, we assume it has already been checked, for performance.
-        // If user passes Point/Sig instance, we assume it has been already verified.
-        // We don't check its equations for performance. We do check for valid bounds for s though
-        // We always check for: a) s bounds. b) hex validity
-        if (publicKey instanceof Point) {
-            // ignore
-        }
-        else if (publicKey instanceof Uint8Array || typeof publicKey === 'string') {
-            publicKey = Point.fromHex(publicKey, false);
-        }
-        else {
-            throw new Error(`Invalid publicKey: ${publicKey}`);
-        }
-        if (sig instanceof Signature)
-            sig.assertValidity();
-        else if (sig instanceof Uint8Array || typeof sig === 'string')
-            sig = Signature.fromHex(sig);
-        else
-            throw new Error(`Wrong signature: ${sig}`);
-        const { r, s } = sig;
-        const SB = ExtendedPoint.BASE.multiplyUnsafe(s);
-        const k = hashDomainToScalar(concatBytes(r.toRawBytes(), publicKey.toRawBytes(), message), context);
-        const kA = ExtendedPoint.fromAffine(publicKey).multiplyUnsafe(k);
-        const RkA = ExtendedPoint.fromAffine(r).add(kA);
+    function verify(sig, msg, publicKey, context) {
+        isHex(sig, 'sig');
+        isHex(msg, 'message');
+        const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
+        sig = ensureBytes(sig, 2 * len); // An extended group equation is checked.
+        msg = ensureBytes(msg); // ZIP215 compliant, which means not fully RFC8032 compliant.
+        if (preHash)
+            msg = preHash(msg); // for ed25519ph, etc
+        const A = Point.fromHex(publicKey, false); // Check for s bounds, hex validity
+        const R = Point.fromHex(sig.slice(0, len), false); // 0 <= R < 2^256: ZIP215 R can be >= P
+        const s = bytesToNumberLE(sig.slice(len, 2 * len)); // 0 <= s < l
+        const SB = G.multiplyUnsafe(s);
+        const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+        const RkA = R.add(A.multiplyUnsafe(k));
         // [8][S]B = [8]R + [8][k]A'
-        return RkA.subtract(SB).multiplyUnsafe(CURVE.h).equals(ExtendedPoint.ZERO);
+        return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
     }
-    // Enable precomputes. Slows down first publicKey computation by 20ms.
-    Point.BASE._setWindowSize(8);
+    G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
     const utils = {
         getExtendedPublicKey,
-        mod: modP,
-        invert: Fp.invert,
-        /**
-         * Not needed for ed25519 private keys. Needed if you use scalars directly (rare).
-         */
-        hashToPrivateScalar: (hash) => hashToPrivateScalar(hash, CURVE_ORDER, true),
-        /**
-         * ed25519 private keys are uniform 32-bit strings. We do not need to check for
-         * modulo bias like we do in secp256k1 randomPrivateKey()
-         */
-        randomPrivateKey: () => randomBytes(fieldLen),
+        // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
+        randomPrivateKey: () => randomBytes(Fp.BYTES),
         /**
          * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
          * values. This slows down first getPublicKey() by milliseconds (see Speed section),
@@ -573,10 +381,9 @@ export function twistedEdwards(curveDef) {
          * @param windowSize 2, 4, 8, 16
          */
         precompute(windowSize = 8, point = Point.BASE) {
-            const cached = point.equals(Point.BASE) ? point : new Point(point.x, point.y);
-            cached._setWindowSize(windowSize);
-            cached.multiply(_2n);
-            return cached;
+            point._setWindowSize(windowSize);
+            point.multiply(BigInt(3));
+            return point;
         },
     };
     return {
@@ -584,9 +391,7 @@ export function twistedEdwards(curveDef) {
         getPublicKey,
         sign,
         verify,
-        ExtendedPoint,
-        Point,
-        Signature,
+        ExtendedPoint: Point,
         utils,
     };
 }