@noble/curves 0.5.2 → 0.6.0

package/lib/esm/ed448.js

@@ -4,6 +4,7 @@ import { concatBytes, randomBytes, utf8ToBytes, wrapConstructor } from '@noble/h
 import { twistedEdwards } from './abstract/edwards.js';
 import { mod, pow2, Fp as Field } from './abstract/modular.js';
 import { montgomery } from './abstract/montgomery.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * * X448 ECDH
@@ -46,79 +47,6 @@ function adjustScalarBytes(bytes) {
     return bytes;
 }
 const Fp = Field(ed448P, 456, true);
-// Hash To Curve Elligator2 Map
-const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-const ELL2_J = BigInt(156326);
-function map_to_curve_elligator2_curve448(u) {
-    let tv1 = Fp.square(u); // 1.  tv1 = u^2
-    let e1 = Fp.equals(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
-    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
-    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
-    let x1n = Fp.negate(ELL2_J); // 5.  x1n = -J
-    let tv2 = Fp.square(xd); // 6.  tv2 = xd^2
-    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
-    let gx1 = Fp.mul(tv1, Fp.negate(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
-    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
-    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
-    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
-    let tv3 = Fp.square(gxd); // 12. tv3 = gxd^2
-    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
-    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
-    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
-    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
-    let x2n = Fp.mul(x1n, Fp.negate(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
-    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
-    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
-    tv2 = Fp.square(y1); // 20. tv2 = y1^2
-    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
-    let e2 = Fp.equals(tv2, gx1); // 22.  e2 = tv2 == gx1
-    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
-    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
-    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
-    y = Fp.cmov(y, Fp.negate(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
-    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
-}
-function map_to_curve_elligator2_edwards448(u) {
-    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
-    let xn2 = Fp.square(xn); // 2.  xn2 = xn^2
-    let xd2 = Fp.square(xd); // 3.  xd2 = xd^2
-    let xd4 = Fp.square(xd2); // 4.  xd4 = xd2^2
-    let yn2 = Fp.square(yn); // 5.  yn2 = yn^2
-    let yd2 = Fp.square(yd); // 6.  yd2 = yd^2
-    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
-    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
-    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
-    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
-    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
-    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
-    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
-    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
-    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
-    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
-    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
-    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
-    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
-    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
-    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
-    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
-    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
-    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
-    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
-    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
-    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
-    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
-    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
-    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
-    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
-    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
-    let e = Fp.equals(tv1, Fp.ZERO); // 33.   e = tv1 == 0
-    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
-    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
-    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
-    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
-    const inv = Fp.invertBatch([xEd, yEd]); // batch division
-    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
-}
 const ED448_DEF = {
     // Param: a
     a: BigInt(1),
@@ -166,15 +94,6 @@ const ED448_DEF = {
         // square root exists, and the decoding fails.
         return { isValid: mod(x2 * v, P) === u, value: x };
     },
-    htfDefaults: {
-        DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 224,
-        expand: 'xof',
-        hash: shake256,
-    },
-    mapToCurve: (scalars) => map_to_curve_elligator2_edwards448(scalars[0]),
 };
 export const ed448 = twistedEdwards(ED448_DEF);
 // NOTE: there is no ed448ctx, since ed448 supports ctx by default
@@ -207,3 +126,86 @@ export const x448 = montgomery({
     //   return numberToBytesLE(u, 56);
     // },
 });
+// Hash To Curve Elligator2 Map
+const ELL2_C1 = (Fp.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
+const ELL2_J = BigInt(156326);
+function map_to_curve_elligator2_curve448(u) {
+    let tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    let e1 = Fp.eql(tv1, Fp.ONE); // 2.   e1 = tv1 == 1
+    tv1 = Fp.cmov(tv1, Fp.ZERO, e1); // 3.  tv1 = CMOV(tv1, 0, e1)  # If Z * u^2 == -1, set tv1 = 0
+    let xd = Fp.sub(Fp.ONE, tv1); // 4.   xd = 1 - tv1
+    let x1n = Fp.neg(ELL2_J); // 5.  x1n = -J
+    let tv2 = Fp.sqr(xd); // 6.  tv2 = xd^2
+    let gxd = Fp.mul(tv2, xd); // 7.  gxd = tv2 * xd          # gxd = xd^3
+    let gx1 = Fp.mul(tv1, Fp.neg(ELL2_J)); // 8.  gx1 = -J * tv1          # x1n + J * xd
+    gx1 = Fp.mul(gx1, x1n); // 9.  gx1 = gx1 * x1n         # x1n^2 + J * x1n * xd
+    gx1 = Fp.add(gx1, tv2); // 10. gx1 = gx1 + tv2         # x1n^2 + J * x1n * xd + xd^2
+    gx1 = Fp.mul(gx1, x1n); // 11. gx1 = gx1 * x1n         # x1n^3 + J * x1n^2 * xd + x1n * xd^2
+    let tv3 = Fp.sqr(gxd); // 12. tv3 = gxd^2
+    tv2 = Fp.mul(gx1, gxd); // 13. tv2 = gx1 * gxd         # gx1 * gxd
+    tv3 = Fp.mul(tv3, tv2); // 14. tv3 = tv3 * tv2         # gx1 * gxd^3
+    let y1 = Fp.pow(tv3, ELL2_C1); // 15.  y1 = tv3^c1            # (gx1 * gxd^3)^((p - 3) / 4)
+    y1 = Fp.mul(y1, tv2); // 16.  y1 = y1 * tv2          # gx1 * gxd * (gx1 * gxd^3)^((p - 3) / 4)
+    let x2n = Fp.mul(x1n, Fp.neg(tv1)); // 17. x2n = -tv1 * x1n        # x2 = x2n / xd = -1 * u^2 * x1n / xd
+    let y2 = Fp.mul(y1, u); // 18.  y2 = y1 * u
+    y2 = Fp.cmov(y2, Fp.ZERO, e1); // 19.  y2 = CMOV(y2, 0, e1)
+    tv2 = Fp.sqr(y1); // 20. tv2 = y1^2
+    tv2 = Fp.mul(tv2, gxd); // 21. tv2 = tv2 * gxd
+    let e2 = Fp.eql(tv2, gx1); // 22.  e2 = tv2 == gx1
+    let xn = Fp.cmov(x2n, x1n, e2); // 23.  xn = CMOV(x2n, x1n, e2)  # If e2, x = x1, else x = x2
+    let y = Fp.cmov(y2, y1, e2); // 24.   y = CMOV(y2, y1, e2)    # If e2, y = y1, else y = y2
+    let e3 = Fp.isOdd(y); // 25.  e3 = sgn0(y) == 1        # Fix sign of y
+    y = Fp.cmov(y, Fp.neg(y), e2 !== e3); // 26.   y = CMOV(y, -y, e2 XOR e3)
+    return { xn, xd, yn: y, yd: Fp.ONE }; // 27. return (xn, xd, y, 1)
+}
+function map_to_curve_elligator2_edwards448(u) {
+    let { xn, xd, yn, yd } = map_to_curve_elligator2_curve448(u); // 1. (xn, xd, yn, yd) = map_to_curve_elligator2_curve448(u)
+    let xn2 = Fp.sqr(xn); // 2.  xn2 = xn^2
+    let xd2 = Fp.sqr(xd); // 3.  xd2 = xd^2
+    let xd4 = Fp.sqr(xd2); // 4.  xd4 = xd2^2
+    let yn2 = Fp.sqr(yn); // 5.  yn2 = yn^2
+    let yd2 = Fp.sqr(yd); // 6.  yd2 = yd^2
+    let xEn = Fp.sub(xn2, xd2); // 7.  xEn = xn2 - xd2
+    let tv2 = Fp.sub(xEn, xd2); // 8.  tv2 = xEn - xd2
+    xEn = Fp.mul(xEn, xd2); // 9.  xEn = xEn * xd2
+    xEn = Fp.mul(xEn, yd); // 10. xEn = xEn * yd
+    xEn = Fp.mul(xEn, yn); // 11. xEn = xEn * yn
+    xEn = Fp.mul(xEn, 4n); // 12. xEn = xEn * 4
+    tv2 = Fp.mul(tv2, xn2); // 13. tv2 = tv2 * xn2
+    tv2 = Fp.mul(tv2, yd2); // 14. tv2 = tv2 * yd2
+    let tv3 = Fp.mul(yn2, 4n); // 15. tv3 = 4 * yn2
+    let tv1 = Fp.add(tv3, yd2); // 16. tv1 = tv3 + yd2
+    tv1 = Fp.mul(tv1, xd4); // 17. tv1 = tv1 * xd4
+    let xEd = Fp.add(tv1, tv2); // 18. xEd = tv1 + tv2
+    tv2 = Fp.mul(tv2, xn); // 19. tv2 = tv2 * xn
+    let tv4 = Fp.mul(xn, xd4); // 20. tv4 = xn * xd4
+    let yEn = Fp.sub(tv3, yd2); // 21. yEn = tv3 - yd2
+    yEn = Fp.mul(yEn, tv4); // 22. yEn = yEn * tv4
+    yEn = Fp.sub(yEn, tv2); // 23. yEn = yEn - tv2
+    tv1 = Fp.add(xn2, xd2); // 24. tv1 = xn2 + xd2
+    tv1 = Fp.mul(tv1, xd2); // 25. tv1 = tv1 * xd2
+    tv1 = Fp.mul(tv1, xd); // 26. tv1 = tv1 * xd
+    tv1 = Fp.mul(tv1, yn2); // 27. tv1 = tv1 * yn2
+    tv1 = Fp.mul(tv1, BigInt(-2)); // 28. tv1 = -2 * tv1
+    let yEd = Fp.add(tv2, tv1); // 29. yEd = tv2 + tv1
+    tv4 = Fp.mul(tv4, yd2); // 30. tv4 = tv4 * yd2
+    yEd = Fp.add(yEd, tv4); // 31. yEd = yEd + tv4
+    tv1 = Fp.mul(xEd, yEd); // 32. tv1 = xEd * yEd
+    let e = Fp.eql(tv1, Fp.ZERO); // 33.   e = tv1 == 0
+    xEn = Fp.cmov(xEn, Fp.ZERO, e); // 34. xEn = CMOV(xEn, 0, e)
+    xEd = Fp.cmov(xEd, Fp.ONE, e); // 35. xEd = CMOV(xEd, 1, e)
+    yEn = Fp.cmov(yEn, Fp.ONE, e); // 36. yEn = CMOV(yEn, 1, e)
+    yEd = Fp.cmov(yEd, Fp.ONE, e); // 37. yEd = CMOV(yEd, 1, e)
+    const inv = Fp.invertBatch([xEd, yEd]); // batch division
+    return { x: Fp.mul(xEn, inv[0]), y: Fp.mul(yEn, inv[1]) }; // 38. return (xEn, xEd, yEn, yEd)
+}
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(ed448.ExtendedPoint, (scalars) => map_to_curve_elligator2_edwards448(scalars[0]), {
+    DST: 'edwards448_XOF:SHAKE256_ELL2_RO_',
+    encodeDST: 'edwards448_XOF:SHAKE256_ELL2_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 224,
+    expand: 'xof',
+    hash: shake256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/jubjub.js

@@ -33,7 +33,7 @@ export function groupHash(tag, personalization) {
     h.update(GH_FIRST_BLOCK);
     h.update(tag);
     // NOTE: returns ExtendedPoint, in case it will be multiplied later
-    let p = jubjub.ExtendedPoint.fromAffine(jubjub.Point.fromHex(h.digest()));
+    let p = jubjub.ExtendedPoint.fromHex(h.digest());
     // NOTE: cannot replace with isSmallOrder, returns Point*8
     p = p.multiply(jubjub.CURVE.h);
     if (p.equals(jubjub.ExtendedPoint.ZERO))

package/lib/esm/p256.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp256r1 aka P256
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
 // Field over which we'll do calculations; 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
@@ -26,14 +27,15 @@ export const P256 = createCurve({
     Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P256_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256,
-    },
 }, sha256);
 export const secp256r1 = P256;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp256r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P256_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p384.js

@@ -3,6 +3,7 @@ import { createCurve } from './_shortw_utils.js';
 import { sha384 } from '@noble/hashes/sha512';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp384r1 aka P384
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
 // Field over which we'll do calculations. 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
@@ -31,14 +32,15 @@ export const P384 = createCurve({
     Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
     h: BigInt(1),
     lowS: false,
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P384_XMD:SHA-384_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 192,
-        expand: 'xmd',
-        hash: sha384,
-    },
 }, sha384);
 export const secp384r1 = P384;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp384r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P384_XMD:SHA-384_SSWU_RO_',
+    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 192,
+    expand: 'xmd',
+    hash: sha384,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/p521.js

@@ -4,6 +4,7 @@ import { sha512 } from '@noble/hashes/sha512';
 import { bytesToHex } from './abstract/utils.js';
 import { Fp as Field } from './abstract/modular.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
+import * as htf from './abstract/hash-to-curve.js';
 // NIST secp521r1 aka P521
 // Note that it's 521, which differs from 512 of its hash function.
 // https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
@@ -32,8 +33,7 @@ export const P521 = createCurve({
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
     h: BigInt(1),
     lowS: false,
-    // P521 keys could be 130, 131, 132 bytes - which doesn't play nicely.
-    // We ensure all keys are 132 bytes.
+    // P521 keys could be 130, 131, 132 bytes. We normalize to 132 bytes.
     // Does not replace validation; invalid keys would still be rejected.
     normalizePrivateKey(key) {
         if (typeof key === 'bigint')
@@ -43,16 +43,17 @@ export const P521 = createCurve({
         if (typeof key !== 'string' || !([130, 131, 132].includes(key.length))) {
             throw new Error('Invalid key');
         }
-        return key.padStart(66 * 2, '0');
-    },
-    mapToCurve: (scalars) => mapSWU(scalars[0]),
-    htfDefaults: {
-        DST: 'P521_XMD:SHA-512_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 256,
-        expand: 'xmd',
-        hash: sha512,
+        return key.padStart(66 * 2, '0'); // ensure it's always 132 bytes
     },
 }, sha512);
 export const secp521r1 = P521;
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp521r1.ProjectivePoint, (scalars) => mapSWU(scalars[0]), {
+    DST: 'P521_XMD:SHA-512_SSWU_RO_',
+    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 256,
+    expand: 'xmd',
+    hash: sha512,
+});
+export { hashToCurve, encodeToCurve };

package/lib/esm/secp256k1.js

@@ -3,9 +3,9 @@ import { sha256 } from '@noble/hashes/sha256';
 import { Fp as Field, mod, pow2 } from './abstract/modular.js';
 import { createCurve } from './_shortw_utils.js';
 import { mapToCurveSimpleSWU } from './abstract/weierstrass.js';
-import { ensureBytes, concatBytes, hexToBytes, bytesToNumberBE, } from './abstract/utils.js';
+import { ensureBytes, concatBytes, bytesToNumberBE as bytesToNum, numberToBytesBE, } from './abstract/utils.js';
 import { randomBytes } from '@noble/hashes/utils';
-import { isogenyMap } from './abstract/hash-to-curve.js';
+import * as htf from './abstract/hash-to-curve.js';
 /**
  * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
  * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
@@ -19,10 +19,7 @@ const _1n = BigInt(1);
 const _2n = BigInt(2);
 const divNearest = (a, b) => (a + b / _2n) / b;
 /**
- * Allows to compute square root √y 2x faster.
- * To calculate √y, we need to exponentiate it to a very big number:
- * `y² = x³ + ax + b; y = y² ^ (p+1)/4`
- * We are unwrapping the loop and multiplying it bit-by-bit.
+ * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
  */
 function sqrtMod(y) {
@@ -45,45 +42,11 @@ function sqrtMod(y) {
     const t1 = (pow2(b223, _23n, P) * b22) % P;
     const t2 = (pow2(t1, _6n, P) * b2) % P;
     const root = pow2(t2, _2n, P);
-    if (!Fp.equals(Fp.square(root), y))
+    if (!Fp.eql(Fp.sqr(root), y))
         throw new Error('Cannot find square root');
     return root;
 }
 const Fp = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
-const isoMap = isogenyMap(Fp, [
-    // xNum
-    [
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
-        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
-        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
-        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
-    ],
-    // xDen
-    [
-        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
-        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-    // yNum
-    [
-        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
-        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
-        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
-        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
-    ],
-    // yDen
-    [
-        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
-        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
-        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
-        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
-    ],
-].map((i) => i.map((j) => BigInt(j))));
-const mapSWU = mapToCurveSimpleSWU(Fp, {
-    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
-    B: BigInt('1771'),
-    Z: Fp.create(BigInt('-11')),
-});
 export const secp256k1 = createCurve({
     // Params: a, b
     // Seem to be rigid https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
@@ -126,51 +89,13 @@ export const secp256k1 = createCurve({
             return { k1neg, k1, k2neg, k2 };
         },
     },
-    mapToCurve: (scalars) => {
-        const { x, y } = mapSWU(Fp.create(scalars[0]));
-        return isoMap(x, y);
-    },
-    htfDefaults: {
-        DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
-        p: Fp.ORDER,
-        m: 1,
-        k: 128,
-        expand: 'xmd',
-        hash: sha256,
-    },
 }, sha256);
-// Schnorr
+// Schnorr signatures are superior to ECDSA from above.
+// Below is Schnorr-specific code as per BIP0340.
+// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
 const _0n = BigInt(0);
-const numTo32b = secp256k1.utils._bigintToBytes;
-const numTo32bStr = secp256k1.utils._bigintToString;
-const normalizePrivateKey = secp256k1.utils._normalizePrivateKey;
-// TODO: export?
-function normalizePublicKey(publicKey) {
-    if (publicKey instanceof secp256k1.Point) {
-        publicKey.assertValidity();
-        return publicKey;
-    }
-    else {
-        const bytes = ensureBytes(publicKey);
-        // Schnorr is 32 bytes
-        if (bytes.length !== 32)
-            throw new Error('Schnorr pubkeys must be 32 bytes');
-        const x = bytesToNumberBE(bytes);
-        if (!isValidFieldElement(x))
-            throw new Error('Point is not on curve');
-        const y2 = secp256k1.utils._weierstrassEquation(x); // y² = x³ + ax + b
-        let y = sqrtMod(y2); // y = y² ^ (p+1)/4
-        const isYOdd = (y & _1n) === _1n;
-        // Schnorr
-        if (isYOdd)
-            y = secp256k1.CURVE.Fp.negate(y);
-        const point = new secp256k1.Point(x, y);
-        point.assertValidity();
-        return point;
-    }
-}
-const isWithinCurveOrder = secp256k1.utils._isWithinCurveOrder;
-const isValidFieldElement = secp256k1.utils._isValidFieldElement;
+const fe = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1P;
+const ge = (x) => typeof x === 'bigint' && _0n < x && x < secp256k1N;
 const TAGS = {
     challenge: 'BIP0340/challenge',
     aux: 'BIP0340/aux',
@@ -178,7 +103,7 @@ const TAGS = {
 };
 /** An object mapping tags to their tagged hash prefix of [SHA256(tag) | SHA256(tag)] */
 const TAGGED_HASH_PREFIXES = {};
-export function taggedHash(tag, ...messages) {
+function taggedHash(tag, ...messages) {
     let tagP = TAGGED_HASH_PREFIXES[tag];
     if (tagP === undefined) {
         const tagH = sha256(Uint8Array.from(tag, (c) => c.charCodeAt(0)));
@@ -188,44 +113,37 @@ export function taggedHash(tag, ...messages) {
     return sha256(concatBytes(tagP, ...messages));
 }
 const toRawX = (point) => point.toRawBytes(true).slice(1);
-// Schnorr signatures are superior to ECDSA from above.
-// Below is Schnorr-specific code as per BIP0340.
-function schnorrChallengeFinalize(ch) {
-    return mod(bytesToNumberBE(ch), secp256k1.CURVE.n);
-}
-// Do we need this at all for Schnorr?
-class SchnorrSignature {
-    constructor(r, s) {
-        this.r = r;
-        this.s = s;
-        this.assertValidity();
-    }
-    static fromHex(hex) {
-        const bytes = ensureBytes(hex);
-        const len = 32; // group length
-        if (bytes.length !== 2 * len)
-            throw new TypeError(`SchnorrSignature.fromHex: expected ${2 * len} bytes, not ${bytes.length}`);
-        const r = bytesToNumberBE(bytes.subarray(0, len));
-        const s = bytesToNumberBE(bytes.subarray(len, 2 * len));
-        return new SchnorrSignature(r, s);
-    }
-    assertValidity() {
-        const { r, s } = this;
-        if (!isValidFieldElement(r) || !isWithinCurveOrder(s))
-            throw new Error('Invalid signature');
-    }
-    toHex() {
-        return numTo32bStr(this.r) + numTo32bStr(this.s);
-    }
-    toRawBytes() {
-        return hexToBytes(this.toHex());
-    }
-}
+const numTo32b = (n) => numberToBytesBE(n, 32);
+const modN = (x) => mod(x, secp256k1N);
+const _Point = secp256k1.ProjectivePoint;
+const Gmul = (priv) => _Point.fromPrivateKey(priv);
+const GmulAdd = (Q, a, b) => _Point.BASE.multiplyAndAddUnsafe(Q, a, b);
 function schnorrGetScalar(priv) {
-    const point = secp256k1.Point.fromPrivateKey(priv);
-    const scalar = point.hasEvenY() ? priv : secp256k1.CURVE.n - priv;
+    // Let d' = int(sk)
+    // Fail if d' = 0 or d' ≥ n
+    // Let P = d'⋅G
+    // Let d = d' if has_even_y(P), otherwise let d = n - d' .
+    const point = Gmul(priv);
+    const scalar = point.hasEvenY() ? priv : modN(-priv);
     return { point, scalar, x: toRawX(point) };
 }
+function lift_x(x) {
+    if (!fe(x))
+        throw new Error('bad x: need 0 < x < p'); // Fail if x ≥ p.
+    const c = mod(x * x * x + BigInt(7), secp256k1P); // Let c = x³ + 7 mod p.
+    let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
+    if (y % 2n !== 0n)
+        y = mod(-y, secp256k1P); // Return the unique point P such that x(P) = x and
+    const p = new _Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+    p.assertValidity();
+    return p;
+}
+function challenge(...args) {
+    return modN(bytesToNum(taggedHash(TAGS.challenge, ...args)));
+}
+function schnorrGetPublicKey(privateKey) {
+    return toRawX(Gmul(privateKey)); // Let d' = int(sk). Fail if d' = 0 or d' ≥ n. Return bytes(d'⋅G)
+}
 /**
  * Synchronously creates Schnorr signature. Improved security: verifies itself before
  * producing an output.
@@ -235,23 +153,23 @@ function schnorrGetScalar(priv) {
  */
 function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
     if (message == null)
-        throw new TypeError(`sign: Expected valid message, not "${message}"`);
+        throw new Error(`sign: Expected valid message, not "${message}"`);
     const m = ensureBytes(message);
     // checks for isWithinCurveOrder
-    const { x: px, scalar: d } = schnorrGetScalar(normalizePrivateKey(privateKey));
-    const rand = ensureBytes(auxRand);
-    if (rand.length !== 32)
-        throw new TypeError('sign: Expected 32 bytes of aux randomness');
-    const tag = taggedHash;
-    const t0h = tag(TAGS.aux, rand);
-    const t = numTo32b(d ^ bytesToNumberBE(t0h));
-    const k0h = tag(TAGS.nonce, t, px, m);
-    const k0 = mod(bytesToNumberBE(k0h), secp256k1.CURVE.n);
-    if (k0 === _0n)
-        throw new Error('sign: Creation of signature failed. k is zero');
-    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k0);
-    const e = schnorrChallengeFinalize(tag(TAGS.challenge, rx, px, m));
-    const sig = new SchnorrSignature(R.x, mod(k + e * d, secp256k1.CURVE.n)).toRawBytes();
+    const { x: px, scalar: d } = schnorrGetScalar(bytesToNum(ensureBytes(privateKey, 32)));
+    const a = ensureBytes(auxRand, 32); // Auxiliary random data a: a 32-byte array
+    // TODO: replace with proper xor?
+    const t = numTo32b(d ^ bytesToNum(taggedHash(TAGS.aux, a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
+    const rand = taggedHash(TAGS.nonce, t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
+    const k_ = modN(bytesToNum(rand)); // Let k' = int(rand) mod n
+    if (k_ === _0n)
+        throw new Error('sign failed: k is zero'); // Fail if k' = 0.
+    const { point: R, x: rx, scalar: k } = schnorrGetScalar(k_); // Let R = k'⋅G.
+    const e = challenge(rx, px, m); // Let e = int(hash/challenge(bytes(R) || bytes(P) || m)) mod n.
+    const sig = new Uint8Array(64); // Let sig = bytes(R) || bytes((k + ed) mod n).
+    sig.set(numTo32b(R.px), 0);
+    sig.set(numTo32b(modN(k + e * d)), 32);
+    // If Verify(bytes(P), m, sig) (see below) returns failure, abort
     if (!schnorrVerify(sig, m, px))
         throw new Error('sign: Invalid signature produced');
     return sig;
@@ -261,30 +179,76 @@ function schnorrSign(message, privateKey, auxRand = randomBytes(32)) {
  */
 function schnorrVerify(signature, message, publicKey) {
     try {
-        const raw = signature instanceof SchnorrSignature;
-        const sig = raw ? signature : SchnorrSignature.fromHex(signature);
-        if (raw)
-            sig.assertValidity(); // just in case
-        const { r, s } = sig;
-        const m = ensureBytes(message);
-        const P = normalizePublicKey(publicKey);
-        const e = schnorrChallengeFinalize(taggedHash(TAGS.challenge, numTo32b(r), toRawX(P), m));
-        // Finalize
-        // R = s⋅G - e⋅P
-        // -eP == (n-e)P
-        const R = secp256k1.Point.BASE.multiplyAndAddUnsafe(P, normalizePrivateKey(s), mod(-e, secp256k1.CURVE.n));
-        if (!R || !R.hasEvenY() || R.x !== r)
+        const P = lift_x(bytesToNum(ensureBytes(publicKey, 32))); // P = lift_x(int(pk)); fail if that fails
+        const sig = ensureBytes(signature, 64);
+        const r = bytesToNum(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
+        if (!fe(r))
+            return false;
+        const s = bytesToNum(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
+        if (!ge(s))
             return false;
-        return true;
+        const m = ensureBytes(message);
+        const e = challenge(numTo32b(r), toRawX(P), m); // int(challenge(bytes(r)||bytes(P)||m)) mod n
+        const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
+        if (!R || !R.hasEvenY() || R.toAffine().x !== r)
+            return false; // -eP == (n-e)P
+        return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
     }
     catch (error) {
         return false;
     }
 }
 export const schnorr = {
-    Signature: SchnorrSignature,
     // Schnorr's pubkey is just `x` of Point (BIP340)
-    getPublicKey: (privateKey) => toRawX(secp256k1.Point.fromPrivateKey(privateKey)),
+    getPublicKey: schnorrGetPublicKey,
     sign: schnorrSign,
     verify: schnorrVerify,
+    utils: { lift_x, int: bytesToNum, taggedHash },
 };
+const isoMap = htf.isogenyMap(Fp, [
+    // xNum
+    [
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa8c7',
+        '0x7d3d4c80bc321d5b9f315cea7fd44c5d595d2fc0bf63b92dfff1044f17c6581',
+        '0x534c328d23f234e6e2a413deca25caece4506144037c40314ecbd0b53d9dd262',
+        '0x8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38daaaaa88c',
+    ],
+    // xDen
+    [
+        '0xd35771193d94918a9ca34ccbb7b640dd86cd409542f8487d9fe6b745781eb49b',
+        '0xedadc6f64383dc1df7c4b2d51b54225406d36b641f5e41bbc52a56612a8c6d14',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+    // yNum
+    [
+        '0x4bda12f684bda12f684bda12f684bda12f684bda12f684bda12f684b8e38e23c',
+        '0xc75e0c32d5cb7c0fa9d0a54b12a0a6d5647ab046d686da6fdffc90fc201d71a3',
+        '0x29a6194691f91a73715209ef6512e576722830a201be2018a765e85a9ecee931',
+        '0x2f684bda12f684bda12f684bda12f684bda12f684bda12f684bda12f38e38d84',
+    ],
+    // yDen
+    [
+        '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffff93b',
+        '0x7a06534bb8bdb49fd5e9e6632722c2989467c1bfc8e8d978dfb425d2685c2573',
+        '0x6484aa716545ca2cf3a70c3fa8fe337e0a3d21162f0d6299a7bf8192bfd2a76f',
+        '0x0000000000000000000000000000000000000000000000000000000000000001', // LAST 1
+    ],
+].map((i) => i.map((j) => BigInt(j))));
+const mapSWU = mapToCurveSimpleSWU(Fp, {
+    A: BigInt('0x3f8731abdd661adca08a5558f0f5d272e953d363cb6f0e5d405447c01a444533'),
+    B: BigInt('1771'),
+    Z: Fp.create(BigInt('-11')),
+});
+const { hashToCurve, encodeToCurve } = htf.hashToCurve(secp256k1.ProjectivePoint, (scalars) => {
+    const { x, y } = mapSWU(Fp.create(scalars[0]));
+    return isoMap(x, y);
+}, {
+    DST: 'secp256k1_XMD:SHA-256_SSWU_RO_',
+    encodeDST: 'secp256k1_XMD:SHA-256_SSWU_NU_',
+    p: Fp.ORDER,
+    m: 1,
+    k: 128,
+    expand: 'xmd',
+    hash: sha256,
+});
+export { hashToCurve, encodeToCurve };