@noble/curves 0.5.1 → 0.6.0

package/lib/p521.d.ts

@@ -1,4 +1,5 @@
 import { PrivKey } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 export declare const P521: Readonly<{
     create: (hash: import("./abstract/utils.js").CHash) => import("./abstract/weierstrass.js").CurveFn;
     CURVE: Readonly<{
@@ -24,41 +25,26 @@ export declare const P521: Readonly<{
                 k2: bigint;
             };
         } | undefined;
-        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => boolean) | undefined;
-        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => import("./abstract/weierstrass.js").ProjectivePointType<bigint>) | undefined;
-        readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
-        readonly mapToCurve?: ((scalar: bigint[]) => {
-            x: bigint;
-            y: bigint;
-        }) | undefined;
+        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => boolean) | undefined;
+        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => import("./abstract/weierstrass.js").ProjPointType<bigint>) | undefined;
         lowS: boolean;
         readonly hash: import("./abstract/utils.js").CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
-        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
+        readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;
     getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
-    getSharedSecret: (privateA: PrivKey, publicB: import("./abstract/weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
-    sign: (msgHash: import("./abstract/utils.js").Hex, privKey: PrivKey, opts?: {
-        lowS?: boolean | undefined;
-        extraEntropy?: (true | import("./abstract/utils.js").Hex) | undefined;
-    } | undefined) => import("./abstract/weierstrass.js").SignatureType;
-    verify: (signature: import("./abstract/utils.js").Hex | import("./abstract/weierstrass.js").SignatureType, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/weierstrass.js").PubKey, opts?: {
-        lowS?: boolean | undefined;
-    } | undefined) => boolean;
-    Point: import("./abstract/weierstrass.js").PointConstructor<bigint>;
-    ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>;
+    getSharedSecret: (privateA: PrivKey, publicB: import("./abstract/utils.js").Hex, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("./abstract/utils.js").Hex, privKey: PrivKey, opts?: import("./abstract/weierstrass.js").SignOpts | undefined) => import("./abstract/weierstrass.js").SignatureType;
+    verify: (signature: import("./abstract/utils.js").Hex | {
+        r: bigint;
+        s: bigint;
+    }, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/utils.js").Hex, opts?: import("./abstract/weierstrass.js").VerOpts | undefined) => boolean;
+    ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>;
     Signature: import("./abstract/weierstrass.js").SignatureConstructor;
     utils: {
-        mod: (a: bigint, b?: bigint | undefined) => bigint;
-        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
-        _bigintToBytes: (num: bigint) => Uint8Array;
-        _bigintToString: (num: bigint) => string;
         _normalizePrivateKey: (key: PrivKey) => bigint;
-        _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => import("./abstract/weierstrass.js").PointType<bigint>;
-        _isWithinCurveOrder: (num: bigint) => boolean;
-        _isValidFieldElement: (num: bigint) => boolean;
-        _weierstrassEquation: (x: bigint) => bigint;
         isValidPrivateKey(privateKey: PrivKey): boolean;
         hashToPrivateKey: (hash: import("./abstract/utils.js").Hex) => Uint8Array;
         randomPrivateKey: () => Uint8Array;
@@ -89,43 +75,30 @@ export declare const secp521r1: Readonly<{
                 k2: bigint;
             };
         } | undefined;
-        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => boolean) | undefined;
-        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => import("./abstract/weierstrass.js").ProjectivePointType<bigint>) | undefined;
-        readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
-        readonly mapToCurve?: ((scalar: bigint[]) => {
-            x: bigint;
-            y: bigint;
-        }) | undefined;
+        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => boolean) | undefined;
+        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjPointType<bigint>) => import("./abstract/weierstrass.js").ProjPointType<bigint>) | undefined;
         lowS: boolean;
         readonly hash: import("./abstract/utils.js").CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
-        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
+        readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;
     getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
-    getSharedSecret: (privateA: PrivKey, publicB: import("./abstract/weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
-    sign: (msgHash: import("./abstract/utils.js").Hex, privKey: PrivKey, opts?: {
-        lowS?: boolean | undefined;
-        extraEntropy?: (true | import("./abstract/utils.js").Hex) | undefined;
-    } | undefined) => import("./abstract/weierstrass.js").SignatureType;
-    verify: (signature: import("./abstract/utils.js").Hex | import("./abstract/weierstrass.js").SignatureType, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/weierstrass.js").PubKey, opts?: {
-        lowS?: boolean | undefined;
-    } | undefined) => boolean;
-    Point: import("./abstract/weierstrass.js").PointConstructor<bigint>;
-    ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>;
+    getSharedSecret: (privateA: PrivKey, publicB: import("./abstract/utils.js").Hex, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: import("./abstract/utils.js").Hex, privKey: PrivKey, opts?: import("./abstract/weierstrass.js").SignOpts | undefined) => import("./abstract/weierstrass.js").SignatureType;
+    verify: (signature: import("./abstract/utils.js").Hex | {
+        r: bigint;
+        s: bigint;
+    }, msgHash: import("./abstract/utils.js").Hex, publicKey: import("./abstract/utils.js").Hex, opts?: import("./abstract/weierstrass.js").VerOpts | undefined) => boolean;
+    ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>;
     Signature: import("./abstract/weierstrass.js").SignatureConstructor;
     utils: {
-        mod: (a: bigint, b?: bigint | undefined) => bigint;
-        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
-        _bigintToBytes: (num: bigint) => Uint8Array;
-        _bigintToString: (num: bigint) => string;
         _normalizePrivateKey: (key: PrivKey) => bigint;
-        _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => import("./abstract/weierstrass.js").PointType<bigint>;
-        _isWithinCurveOrder: (num: bigint) => boolean;
-        _isValidFieldElement: (num: bigint) => boolean;
-        _weierstrassEquation: (x: bigint) => bigint;
         isValidPrivateKey(privateKey: PrivKey): boolean;
         hashToPrivateKey: (hash: import("./abstract/utils.js").Hex) => Uint8Array;
         randomPrivateKey: () => Uint8Array;
     };
 }>;
+declare const hashToCurve: (msg: import("./abstract/utils.js").Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>, encodeToCurve: (msg: import("./abstract/utils.js").Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>;
+export { hashToCurve, encodeToCurve };

package/lib/p521.js

@@ -1,12 +1,13 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.secp521r1 = exports.P521 = void 0;
+exports.encodeToCurve = exports.hashToCurve = exports.secp521r1 = exports.P521 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const sha512_1 = require("@noble/hashes/sha512");
 const utils_js_1 = require("./abstract/utils.js");
 const modular_js_1 = require("./abstract/modular.js");
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
+const htf = require("./abstract/hash-to-curve.js");
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
@@ -35,8 +36,7 @@ exports.P521 = (0, _shortw_utils_js_1.createCurve)({
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
     h: BigInt(1),
     lowS: false,
-    // P521 keys could be 130, 131, 132 bytes - which doesn't play nicely.
-    // We ensure all keys are 132 bytes.
+    // P521 keys could be 130, 131, 132 bytes. We normalize to 132 bytes.
     // Does not replace validation; invalid keys would still be rejected.
     normalizePrivateKey(key) {
         if (typeof key === 'bigint')
@@ -46,16 +46,18 @@ exports.P521 = (0, _shortw_utils_js_1.createCurve)({
         if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
             throw new Error('Invalid key');
         }
-        return key.padStart(66 * 2, '0');
-    },
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P521_XMD:SHA-512_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 256,
-        expand: 'xmd',
-        hash: sha512_1.sha512,
+        return key.padStart(66 * 2, '0'); // ensure it's always 132 bytes
     },
 }, sha512_1.sha512);
 exports.secp521r1 = exports.P521;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512_1.sha512,
+});
+exports.hashToCurve = hashToCurve;
+exports.encodeToCurve = encodeToCurve;

package/lib/secp256k1.d.ts

@@ -1,5 +1,6 @@
-import { PointType } from './abstract/weierstrass.js';
-import { Hex, PrivKey } from './abstract/utils.js';
+import { ProjPointType as PointType } from './abstract/weierstrass.js';
+import { Hex, bytesToNumberBE as bytesToNum, PrivKey } from './abstract/utils.js';
+import * as htf from './abstract/hash-to-curve.js';
 export declare const secp256k1: Readonly<{
     create: (hash: import("./abstract/utils.js").CHash) => import("./abstract/weierstrass.js").CurveFn;
     CURVE: Readonly<{
@@ -25,56 +26,34 @@ export declare const secp256k1: Readonly<{
                 k2: bigint;
             };
         } | undefined;
-        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => boolean) | undefined;
-        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>, point: import("./abstract/weierstrass.js").ProjectivePointType<bigint>) => import("./abstract/weierstrass.js").ProjectivePointType<bigint>) | undefined;
-        readonly htfDefaults?: import("./abstract/hash-to-curve.js").htfOpts | undefined;
-        readonly mapToCurve?: ((scalar: bigint[]) => {
-            x: bigint;
-            y: bigint;
-        }) | undefined;
+        readonly isTorsionFree?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: PointType<bigint>) => boolean) | undefined;
+        readonly clearCofactor?: ((c: import("./abstract/weierstrass.js").ProjConstructor<bigint>, point: PointType<bigint>) => PointType<bigint>) | undefined;
         lowS: boolean;
         readonly hash: import("./abstract/utils.js").CHash;
         readonly hmac: (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
         readonly randomBytes: (bytesLength?: number | undefined) => Uint8Array;
-        readonly truncateHash?: ((hash: Uint8Array, truncateOnly?: boolean | undefined) => bigint) | undefined;
+        readonly bits2int?: ((bytes: Uint8Array) => bigint) | undefined;
+        readonly bits2int_modN?: ((bytes: Uint8Array) => bigint) | undefined;
     }>;
     getPublicKey: (privateKey: PrivKey, isCompressed?: boolean | undefined) => Uint8Array;
-    getSharedSecret: (privateA: PrivKey, publicB: import("./abstract/weierstrass.js").PubKey, isCompressed?: boolean | undefined) => Uint8Array;
-    sign: (msgHash: Hex, privKey: PrivKey, opts?: {
-        lowS?: boolean | undefined;
-        extraEntropy?: (true | Hex) | undefined;
-    } | undefined) => import("./abstract/weierstrass.js").SignatureType;
-    verify: (signature: Hex | import("./abstract/weierstrass.js").SignatureType, msgHash: Hex, publicKey: import("./abstract/weierstrass.js").PubKey, opts?: {
-        lowS?: boolean | undefined;
-    } | undefined) => boolean;
-    Point: import("./abstract/weierstrass.js").PointConstructor<bigint>;
-    ProjectivePoint: import("./abstract/weierstrass.js").ProjectiveConstructor<bigint>;
+    getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean | undefined) => Uint8Array;
+    sign: (msgHash: Hex, privKey: PrivKey, opts?: import("./abstract/weierstrass.js").SignOpts | undefined) => import("./abstract/weierstrass.js").SignatureType;
+    verify: (signature: Hex | {
+        r: bigint;
+        s: bigint;
+    }, msgHash: Hex, publicKey: Hex, opts?: import("./abstract/weierstrass.js").VerOpts | undefined) => boolean;
+    ProjectivePoint: import("./abstract/weierstrass.js").ProjConstructor<bigint>;
     Signature: import("./abstract/weierstrass.js").SignatureConstructor;
     utils: {
-        mod: (a: bigint, b?: bigint | undefined) => bigint;
-        invert: (number: bigint, modulo?: bigint | undefined) => bigint;
-        _bigintToBytes: (num: bigint) => Uint8Array;
-        _bigintToString: (num: bigint) => string;
         _normalizePrivateKey: (key: PrivKey) => bigint;
-        _normalizePublicKey: (publicKey: import("./abstract/weierstrass.js").PubKey) => PointType<bigint>;
-        _isWithinCurveOrder: (num: bigint) => boolean;
-        _isValidFieldElement: (num: bigint) => boolean;
-        _weierstrassEquation: (x: bigint) => bigint;
         isValidPrivateKey(privateKey: PrivKey): boolean;
         hashToPrivateKey: (hash: Hex) => Uint8Array;
         randomPrivateKey: () => Uint8Array;
     };
 }>;
-export declare function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array;
-declare class SchnorrSignature {
-    readonly r: bigint;
-    readonly s: bigint;
-    constructor(r: bigint, s: bigint);
-    static fromHex(hex: Hex): SchnorrSignature;
-    assertValidity(): void;
-    toHex(): string;
-    toRawBytes(): Uint8Array;
-}
+declare function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array;
+declare function lift_x(x: bigint): PointType<bigint>;
+declare function schnorrGetPublicKey(privateKey: PrivKey): Uint8Array;
 /**
  * Synchronously creates Schnorr signature. Improved security: verifies itself before
  * producing an output.
@@ -82,15 +61,20 @@ declare class SchnorrSignature {
  * @param privateKey private key
  * @param auxRand random bytes that would be added to k. Bad RNG won't break it.
  */
-declare function schnorrSign(message: Hex, privateKey: PrivKey, auxRand?: Hex): Uint8Array;
+declare function schnorrSign(message: Hex, privateKey: Hex, auxRand?: Hex): Uint8Array;
 /**
  * Verifies Schnorr signature synchronously.
  */
 declare function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean;
 export declare const schnorr: {
-    Signature: typeof SchnorrSignature;
-    getPublicKey: (privateKey: PrivKey) => Uint8Array;
+    getPublicKey: typeof schnorrGetPublicKey;
     sign: typeof schnorrSign;
     verify: typeof schnorrVerify;
+    utils: {
+        lift_x: typeof lift_x;
+        int: typeof bytesToNum;
+        taggedHash: typeof taggedHash;
+    };
 };
-export {};
+declare const hashToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>, encodeToCurve: (msg: Hex, options?: htf.htfBasicOpts | undefined) => htf.H2CPoint<bigint>;
+export { hashToCurve, encodeToCurve };

package/lib/secp256k1.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.schnorr = exports.taggedHash = exports.secp256k1 = void 0;
+exports.encodeToCurve = exports.hashToCurve = exports.schnorr = exports.secp256k1 = void 0;
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const sha256_1 = require("@noble/hashes/sha256");
 const modular_js_1 = require("./abstract/modular.js");
@@ -8,12 +8,10 @@ const _shortw_utils_js_1 = require("./_shortw_utils.js");
 const weierstrass_js_1 = require("./abstract/weierstrass.js");
 const utils_js_1 = require("./abstract/utils.js");
 const utils_1 = require("@noble/hashes/utils");
-const hash_to_curve_js_1 = require("./abstract/hash-to-curve.js");
+const htf = require("./abstract/hash-to-curve.js");
 /**
- * secp256k1 belongs to Koblitz curves: it has
- * efficiently computable Frobenius endomorphism.
- * Endomorphism improves efficiency:
- * Uses 2x less RAM, speeds up precomputation by 2x and ECDH / sign key recovery by 20%.
+ * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
+ * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
  * Should always be used for Projective's double-and-add multiplication.
  * For affines cached multiplication, it trades off 1/2 init time & 1/3 ram for 20% perf hit.
  * https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
@@ -24,10 +22,7 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const divNearest = (a, b) => (a + b / _2n) / b;
 /**
- * Allows to compute square root √y 2x faster.
- * To calculate √y, we need to exponentiate it to a very big number:
- * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
- * We are unwrapping the loop and multiplying it bit-by-bit.
+ * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
  */
 function sqrtMod(y) {
@@ -50,45 +45,11 @@ function sqrtMod(y) {
     const t1 = ((0, modular_js_1.pow2)(b223, _23n, P) * b22) % P;
     const t2 = ((0, modular_js_1.pow2)(t1, _6n, P) * b2) % P;
     const root = (0, modular_js_1.pow2)(t2, _2n, P);
-    if (!Fp.equals(Fp.square(root), y))
+    if (!Fp.eql(Fp.sqr(root), y))
         throw new Error('Cannot find square root');
     return root;
 }
 const Fp = (0, modular_js_1.Fp)(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
-const isoMap = (0, hash_to_curve_js_1.isogenyMap)(Fp, [
-    // xNum
-    [
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
-        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
-        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
-    ],
-    // xDen
-    [
-        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
-        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-    // yNum
-    [
-        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
-        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
-        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
-        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
-    ],
-    // yDen
-    [
-        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
-        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
-        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-].map((i) => i.map((j) => BigInt(j))));
-const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, {
-    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
-    B: BigInt('1771'),
-    Z: Fp.create(BigInt('-11')),
-});
 exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
     // Params: a, b
     // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
@@ -114,7 +75,7 @@ exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
             const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
             const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
             const b2 = a1;
-            const POW_2_128 = BigInt('0x100000000000000000000000000000000');
+            const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
             const c1 = divNearest(b2 * k, n);
             const c2 = divNearest(-b1 * k, n);
             let k1 = (0, modular_js_1.mod)(k - c1 * a1 - c2 * a2, n);
@@ -131,53 +92,13 @@ exports.secp256k1 = (0, _shortw_utils_js_1.createCurve)({
             return { k1neg, k1, k2neg, k2 };
         },
     },
-    mapToCurve: (scalars) => {
-        const { x, y } = mapSWU(Fp.create(scalars[0]));
-        return isoMap(x, y);
-    },
-    htfDefaults: {
-        DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256_1.sha256,
-    },
 }, sha256_1.sha256);
-// Schnorr
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
-const numTo32b = exports.secp256k1.utils._bigintToBytes;
-const numTo32bStr = exports.secp256k1.utils._bigintToString;
-const normalizePrivateKey = exports.secp256k1.utils._normalizePrivateKey;
-// TODO: export?
-function normalizePublicKey(publicKey) {
-    if (publicKey instanceof exports.secp256k1.Point) {
-        publicKey.assertValidity();
-        return publicKey;
-    }
-    else {
-        const bytes = (0, utils_js_1.ensureBytes)(publicKey);
-        // Schnorr is 32 bytes
-        if (bytes.length === 32) {
-            const x = (0, utils_js_1.bytesToNumberBE)(bytes);
-            if (!isValidFieldElement(x))
-                throw new Error('Point is not on curve');
-            const y2 = exports.secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
-            let y = sqrtMod(y2); // y = y² ^ (p+1)/4
-            const isYOdd = (y & _1n) === _1n;
-            // Schnorr
-            if (isYOdd)
-                y = exports.secp256k1.CURVE.Fp.negate(y);
-            const point = new exports.secp256k1.Point(x, y);
-            point.assertValidity();
-            return point;
-        }
-        // Do we need that in schnorr at all?
-        return exports.secp256k1.Point.fromHex(publicKey);
-    }
-}
-const isWithinCurveOrder = exports.secp256k1.utils._isWithinCurveOrder;
-const isValidFieldElement = exports.secp256k1.utils._isValidFieldElement;
+const fe = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
+const ge = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
 const TAGS = {
     challenge: 'BIP0340/challenge',
     aux: 'BIP0340/aux',
@@ -194,45 +115,38 @@ function taggedHash(tag, ...messages) {
     }
     return (0, sha256_1.sha256)((0, utils_js_1.concatBytes)(tagP, ...messages));
 }
-exports.taggedHash = taggedHash;
 const toRawX = (point) => point.toRawBytes(true).slice(1);
-// Schnorr signatures are superior to ECDSA from above.
-// Below is Schnorr-specific code as per BIP0340.
-function schnorrChallengeFinalize(ch) {
-    return (0, modular_js_1.mod)((0, utils_js_1.bytesToNumberBE)(ch), exports.secp256k1.CURVE.n);
-}
-// Do we need this at all for Schnorr?
-class SchnorrSignature {
-    constructor(r, s) {
-        this.r = r;
-        this.s = s;
-        this.assertValidity();
-    }
-    static fromHex(hex) {
-        const bytes = (0, utils_js_1.ensureBytes)(hex);
-        if (bytes.length !== 64)
-            throw new TypeError(`SchnorrSignature.fromHex: expected 64 bytes, not ${bytes.length}`);
-        const r = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(0, 32));
-        const s = (0, utils_js_1.bytesToNumberBE)(bytes.subarray(32, 64));
-        return new SchnorrSignature(r, s);
-    }
-    assertValidity() {
-        const { r, s } = this;
-        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
-            throw new Error('Invalid signature');
-    }
-    toHex() {
-        return numTo32bStr(this.r) + numTo32bStr(this.s);
-    }
-    toRawBytes() {
-        return (0, utils_js_1.hexToBytes)(this.toHex());
-    }
-}
+const numTo32b = (n) => (0, utils_js_1.numberToBytesBE)(n, 32);
+const modN = (x) => (0, modular_js_1.mod)(x, secp256k1N);
+const _Point = exports.secp256k1.ProjectivePoint;
+const Gmul = (priv) => _Point.fromPrivateKey(priv);
+const GmulAdd = (Q, a, b) => _Point.BASE.multiplyAndAddUnsafe(Q, a, b);
 function schnorrGetScalar(priv) {
-    const point = exports.secp256k1.Point.fromPrivateKey(priv);
-    const scalar = point.hasEvenY() ? priv : exports.secp256k1.CURVE.n - priv;
+    // Let d' = int(sk)
+    // Fail if d' = 0 or d' ≥ n
+    // Let P = d'⋅G
+    // Let d = d' if has_even_y(P), otherwise let d = n - d' .
+    const point = Gmul(priv);
+    const scalar = point.hasEvenY() ? priv : modN(-priv);
     return { point, scalar, x: toRawX(point) };
 }
+function lift_x(x) {
+    if (!fe(x))
+        throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
+    const c = (0, modular_js_1.mod)(x * x * x + BigInt(7), secp256k1P); // Let c = x³ + 7 mod p.
+    let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
+    if (y % 2n !== 0n)
+        y = (0, modular_js_1.mod)(-y, secp256k1P); // Return the unique point P such that x(P) = x and
+    const p = new _Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+    p.assertValidity();
+    return p;
+}
+function challenge(...args) {
+    return modN((0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.challenge, ...args)));
+}
+function schnorrGetPublicKey(privateKey) {
+    return toRawX(Gmul(privateKey)); // Let d' = int(sk). Fail if d' = 0 or d' ≥ n. Return bytes(d'⋅G)
+}
 /**
  * Synchronously creates Schnorr signature. Improved security: verifies itself before
  * producing an output.
@@ -242,23 +156,23 @@ function schnorrGetScalar(priv) {
  */
 function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)) {
     if (message == null)
-        throw new TypeError(`sign: Expected valid message, not "${message}"`);
+        throw new Error(`sign: Expected valid message, not "${message}"`);
     const m = (0, utils_js_1.ensureBytes)(message);
     // checks for isWithinCurveOrder
-    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
-    const rand = (0, utils_js_1.ensureBytes)(auxRand);
-    if (rand.length !== 32)
-        throw new TypeError('sign: Expected 32 bytes of aux randomness');
-    const tag = taggedHash;
-    const t0h = tag(TAGS.aux, rand);
-    const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(t0h));
-    const k0h = tag(TAGS.nonce, t, px, m);
-    const k0 = (0, modular_js_1.mod)((0, utils_js_1.bytesToNumberBE)(k0h), exports.secp256k1.CURVE.n);
-    if (k0 === _0n)
-        throw new Error('sign: Creation of signature failed. k is zero');
-    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
-    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
-    const sig = new SchnorrSignature(R.x, (0, modular_js_1.mod)(k + e * d, exports.secp256k1.CURVE.n)).toRawBytes();
+    const { x: px, scalar: d } = schnorrGetScalar((0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(privateKey, 32)));
+    const a = (0, utils_js_1.ensureBytes)(auxRand, 32); // Auxiliary random data a: a 32-byte array
+    // TODO: replace with proper xor?
+    const t = numTo32b(d ^ (0, utils_js_1.bytesToNumberBE)(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
+    const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
+    const k_ = modN((0, utils_js_1.bytesToNumberBE)(rand)); // Let k' = int(rand) mod n
+    if (k_ === _0n)
+        throw new Error('sign failed: k is zero'); // Fail if k' = 0.
+    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k_); // Let R = k'⋅G.
+    const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
+    const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
+    sig.set(numTo32b(R.px), 0);
+    sig.set(numTo32b(modN(k + e * d)), 32);
+    // If Verify(bytes(P), m, sig) (see below) returns failure, abort
     if (!schnorrVerify(sig, m, px))
         throw new Error('sign: Invalid signature produced');
     return sig;
@@ -268,30 +182,77 @@ function schnorrSign(message, privateKey, auxRand = (0, utils_1.randomBytes)(32)
  */
 function schnorrVerify(signature, message, publicKey) {
     try {
-        const raw = signature instanceof SchnorrSignature;
-        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
-        if (raw)
-            sig.assertValidity(); // just in case
-        const { r, s } = sig;
-        const m = (0, utils_js_1.ensureBytes)(message);
-        const P = normalizePublicKey(publicKey);
-        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
-        // Finalize
-        // R = s⋅G - e⋅P
-        // -eP == (n-e)P
-        const R = exports.secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), (0, modular_js_1.mod)(-e, exports.secp256k1.CURVE.n));
-        if (!R || !R.hasEvenY() || R.x !== r)
+        const P = lift_x((0, utils_js_1.bytesToNumberBE)((0, utils_js_1.ensureBytes)(publicKey, 32))); // P = lift_x(int(pk)); fail if that fails
+        const sig = (0, utils_js_1.ensureBytes)(signature, 64);
+        const r = (0, utils_js_1.bytesToNumberBE)(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
+        if (!fe(r))
+            return false;
+        const s = (0, utils_js_1.bytesToNumberBE)(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
+        if (!ge(s))
             return false;
-        return true;
+        const m = (0, utils_js_1.ensureBytes)(message);
+        const e = challenge(numTo32b(r), toRawX(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
+        const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
+        if (!R || !R.hasEvenY() || R.toAffine().x !== r)
+            return false; // -eP == (n-e)P
+        return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
     }
     catch (error) {
         return false;
     }
 }
 exports.schnorr = {
-    Signature: SchnorrSignature,
     // Schnorr's pubkey is just `x` of Point (BIP340)
-    getPublicKey: (privateKey) => toRawX(exports.secp256k1.Point.fromPrivateKey(privateKey)),
+    getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,
+    utils: { lift_x, int: utils_js_1.bytesToNumberBE, taggedHash },
 };
+const isoMap = htf.isogenyMap(Fp, [
+    // xNum
+    [
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
+        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
+        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
+    ],
+    // xDen
+    [
+        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
+        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+    // yNum
+    [
+        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
+        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
+        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
+        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
+    ],
+    // yDen
+    [
+        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
+        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
+        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+].map((i) => i.map((j) => BigInt(j))));
+const mapSWU = (0, weierstrass_js_1.mapToCurveSimpleSWU)(Fp, {
+    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
+    B: BigInt('1771'),
+    Z: Fp.create(BigInt('-11')),
+});
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(exports.secp256k1.ProjectivePoint, (scalars) => {
+    const { x, y } = mapSWU(Fp.create(scalars[0]));
+    return isoMap(x, y);
+}, {
+    DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256_1.sha256,
+});
+exports.hashToCurve = hashToCurve;
+exports.encodeToCurve = encodeToCurve;