@noble/curves 1.8.1 → 1.8.2

package/README.md

@@ -40,40 +40,40 @@ Take a glance at [GitHub Discussions](https://github.com/paulmillr/noble-curves/
 
 > `deno add jsr:@noble/curves`
 
-> `deno doc jsr:@noble/curves`  # command-line documentation
+> `deno doc jsr:@noble/curves` # command-line documentation
 
 We support all major platforms and runtimes.
 For React Native, you may need a [polyfill for getRandomValues](https://github.com/LinusU/react-native-get-random-values).
 A standalone file [noble-curves.js](https://github.com/paulmillr/noble-curves/releases) is also available.
 
-```js
+```ts
 // import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
-import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
-// import { secp256k1 } from 'npm:@noble/curves@1.6.0/secp256k1'; // Deno
+import { secp256k1, schnorr } from '@noble/curves/secp256k1';
+import { ed25519, ed25519ph, ed25519ctx, x25519 } from '@noble/curves/ed25519';
+import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
+import { p256 } from '@noble/curves/p256';
+import { p384 } from '@noble/curves/p384';
+import { p521 } from '@noble/curves/p521';
+import { bls12_381 } from '@noble/curves/bls12-381';
+import { bn254 } from '@noble/curves/bn254'; // also known as alt_bn128
+import { jubjub, babyjubjub } from '@noble/curves/misc';
+import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
 ```
 
-- [Implementations](#implementations)
-  - [ECDSA signatures over secp256k1 and others](#ecdsa-signatures-over-secp256k1-and-others)
-  - [ECDSA public key recovery & extra entropy](#ecdsa-public-key-recovery--extra-entropy)
-  - [ECDH: Elliptic Curve Diffie-Hellman](#ecdh-elliptic-curve-diffie-hellman)
-  - [Schnorr signatures over secp256k1, BIP340](#schnorr-signatures-over-secp256k1-bip340)
-  - [ed25519, X25519, ristretto255](#ed25519-x25519-ristretto255)
-  - [ed448, X448, decaf448](#ed448-x448-decaf448)
-  - [bls12-381](#bls12-381)
-  - [bn254 aka alt_bn128](#bn254-aka-alt_bn128)
-  - [Multi-scalar-multiplication](#multi-scalar-multiplication)
-  - [Accessing a curve's variables](#accessing-a-curves-variables)
-  - [All available imports](#all-available-imports)
+- [ECDSA signatures over secp256k1 and others](#ecdsa-signatures-over-secp256k1-and-others)
+- [Hedged ECDSA with noise](#hedged-ecdsa-with-noise)
+- [ECDH: Diffie-Hellman shared secrets](#ecdh-diffie-hellman-shared-secrets)
+- [secp256k1 Schnorr signatures from BIP340](#secp256k1-schnorr-signatures-from-bip340)
+- [ed25519](#ed25519) / [X25519](#x25519) / [ristretto255](#ristretto255)
+- [ed448](#ed448) / [X448](#x448) / [decaf448](#decaf448)
+- [bls12-381](#bls12-381)
+- [bn254 aka alt_bn128](#bn254-aka-alt_bn128)
+- [misc curves](#misc-curves)
+- [Low-level methods](#low-level-methods)
 - [Abstract API](#abstract-api)
-  - [weierstrass: Short Weierstrass curve](#weierstrass-short-weierstrass-curve)
-  - [edwards: Twisted Edwards curve](#edwards-twisted-edwards-curve)
-  - [montgomery: Montgomery curve](#montgomery-montgomery-curve)
-  - [bls: Barreto-Lynn-Scott curves](#bls-barreto-lynn-scott-curves)
-  - [hash-to-curve: Hashing strings to curve points](#hash-to-curve-hashing-strings-to-curve-points)
-  - [poseidon: Poseidon hash](#poseidon-poseidon-hash)
-  - [modular: Modular arithmetics utilities](#modular-modular-arithmetics-utilities)
-    - [Creating private keys from hashes](#creating-private-keys-from-hashes)
-  - [utils: Useful utilities](#utils-useful-utilities)
+  - [weierstrass](#weierstrass-short-weierstrass-curve), [edwards](#edwards-twisted-edwards-curve), [montgomery](#montgomery-montgomery-curve), [bls](#bls-barreto-lynn-scott-curves)
+  - [hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points), [poseidon](#poseidon-poseidon-hash)
+  - [modular](#modular-modular-arithmetics-utilities), [utils](#utils-useful-utilities)
 - [Security](#security)
 - [Speed](#speed)
 - [Upgrading](#upgrading)
@@ -82,9 +82,6 @@ import { secp256k1 } from '@noble/curves/secp256k1'; // ESM and Common.js
 
 ### Implementations
 
-Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
-If you want to use a different hashing library, [abstract API](#abstract-api) doesn't depend on them.
-
 #### ECDSA signatures over secp256k1 and others
 
 ```ts
@@ -100,31 +97,40 @@ const isValid = secp256k1.verify(sig, msg, pub) === true;
 // hex strings are also supported besides Uint8Array-s:
 const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236';
 const pub2 = secp256k1.getPublicKey(privHex);
+
+// public key recovery
+// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex)
+// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format
+sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
 ```
 
 The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).
 
-#### ECDSA public key recovery & extra entropy
+#### Hedged ECDSA with noise
 
 ```ts
-// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex)
-// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format
-sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
-
-// extraEntropy https://moderncrypto.org/mail-archive/curves/2017/000925.html
-const sigImprovedSecurity = secp256k1.sign(msg, priv, { extraEntropy: true });
+const noisySignature = secp256k1.sign(msg, priv, { extraEntropy: true });
+const ent = new Uint8Array(32).fill(3); // set custom entropy
+const noisySignature2 = secp256k1.sign(msg, priv, { extraEntropy: ent });
 ```
 
-#### ECDH: Elliptic Curve Diffie-Hellman
+Hedged ECDSA is add-on, providing improved protection against fault attacks.
+It adds noise to signatures. The technique is used by default in BIP340; we also implement them
+optionally for ECDSA. Check out blog post
+[Deterministic signatures are not your friends](https://paulmillr.com/posts/deterministic-signatures/)
+and [spec draft](https://datatracker.ietf.org/doc/draft-irtf-cfrg-det-sigs-with-noise/).
+
+#### ECDH: Diffie-Hellman shared secrets
 
 ```ts
-// 1. The output includes parity byte. Strip it using shared.slice(1)
-// 2. The output is not hashed. More secure way is sha256(shared) or hkdf(shared)
 const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
 const shared = secp256k1.getSharedSecret(priv, someonesPub);
+// NOTE:
+// - `shared` includes parity byte: strip it using shared.slice(1)
+// - `shared` is not hashed: more secure way is sha256(shared) or hkdf(shared)
 ```
 
-#### Schnorr signatures over secp256k1 (BIP340)
+#### secp256k1 Schnorr signatures from BIP340
 
 ```ts
 import { schnorr } from '@noble/curves/secp256k1';
@@ -135,7 +141,7 @@ const sig = schnorr.sign(msg, priv);
 const isValid = schnorr.verify(sig, msg, pub);
 ```
 
-#### ed25519, X25519, ristretto255
+#### ed25519
 
 ```ts
 import { ed25519 } from '@noble/curves/ed25519';
@@ -144,23 +150,22 @@ const pub = ed25519.getPublicKey(priv);
 const msg = new TextEncoder().encode('hello');
 const sig = ed25519.sign(msg, priv);
 ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
-ed25519.verify(sig, msg, pub, { zip215: false }); // RFC8032 / FIPS 186-5
+ed25519.verify(sig, msg, pub, { zip215: false }); // SBS / e-voting / RFC8032 / FIPS 186-5
+
+// Variants from RFC8032: with context, prehashed
+import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
 ```
 
-Default `verify` behavior follows [ZIP215](https://zips.z.cash/zip-0215) and
-[can be used in consensus-critical applications](https://hdevalence.ca/blog/2020-10-04-its-25519am).
-It has SUF-CMA (strong unforgeability under chosen message attacks).
-`zip215: false` option switches verification criteria to strict
-[RFC8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
-and additionally provides [non-repudiation with SBS](#edwards-twisted-edwards-curve).
+Default `verify` behavior follows ZIP215 and
+can be used in consensus-critical applications.
+If you need SBS (Strongly Binding Signatures) and FIPS 186-5 compliance,
+use `zip215: false`. Check out [Edwards Signatures section for more info](#edwards-twisted-edwards-curve).
+Both options have SUF-CMA (strong unforgeability under chosen message attacks).
 
-X25519 follows [RFC7748](https://www.rfc-editor.org/rfc/rfc7748).
+#### X25519
 
 ```ts
-// Variants from RFC8032: with context, prehashed
-import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
-
-// ECDH using curve25519 aka x25519
+// X25519 aka ECDH on Curve25519 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
 import { x25519 } from '@noble/curves/ed25519';
 const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
 const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
@@ -174,10 +179,10 @@ edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
 edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
 ```
 
-ristretto255 follows [irtf draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448).
+#### ristretto255
 
 ```ts
-// hash-to-curve, ristretto255
+// ristretto255 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
 import { utf8ToBytes } from '@noble/hashes/utils';
 import { sha512 } from '@noble/hashes/sha512';
 import {
@@ -201,7 +206,7 @@ RistrettoPoint.hashToCurve(sha512(msg));
 hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
 ```
 
-#### ed448, X448, decaf448
+#### ed448
 
 ```ts
 import { ed448 } from '@noble/curves/ed448';
@@ -215,9 +220,10 @@ ed448.verify(sig, msg, pub);
 import { ed448ph } from '@noble/curves/ed448';
 ```
 
-ECDH using Curve448 aka X448, follows [RFC7748](https://www.rfc-editor.org/rfc/rfc7748).
+#### X448
 
 ```ts
+// X448 aka ECDH on Curve448 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
 import { x448 } from '@noble/curves/ed448';
 x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
 x448.getPublicKey(priv) === x448.scalarMultBase(priv);
@@ -227,9 +233,10 @@ import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
 edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
 ```
 
-decaf448 follows [irtf draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448).
+#### decaf448
 
 ```ts
+// decaf448 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
 import { utf8ToBytes } from '@noble/hashes/utils';
 import { shake256 } from '@noble/hashes/sha3';
 import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
@@ -248,8 +255,6 @@ DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
 hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
 ```
 
-Same RFC7748 / RFC8032 / IRTF draft are followed.
-
 #### bls12-381
 
 ```ts
@@ -275,7 +280,10 @@ const signatureEth = bls.sign(message, privateKey, htfEthereum);
 const isValidEth = bls.verify(signature, message, publicKey, htfEthereum);
 
 // Aggregation
-const aggregatedKey = bls.aggregatePublicKeys([bls.utils.randomPrivateKey(), bls.utils.randomPrivateKey()])
+const aggregatedKey = bls.aggregatePublicKeys([
+  bls.utils.randomPrivateKey(),
+  bls.utils.randomPrivateKey(),
+]);
 // const aggregatedSig = bls.aggregateSignatures(sigs)
 
 // Pairings, with and without final exponentiation
@@ -296,11 +304,7 @@ For example usage, check out [the implementation of BLS EVM precompiles](https:/
 ```ts
 import { bn254 } from '@noble/curves/bn254';
 
-console.log(
-  bn254.G1,
-  bn254.G2,
-  bn254.pairing
-)
+console.log(bn254.G1, bn254.G2, bn254.pairing);
 ```
 
 The API mirrors [BLS](#bls12-381). The curve was previously called alt_bn128.
@@ -316,49 +320,43 @@ different implementations of bn254 do it differently - there is no standard. Poi
 
 For example usage, check out [the implementation of bn254 EVM precompiles](https://github.com/paulmillr/noble-curves/blob/3ed792f8ad9932765b84d1064afea8663a255457/test/bn254.test.js#L697).
 
-#### Multi-scalar-multiplication
+#### misc curves
 
 ```ts
-import { secp256k1 } from '@noble/curves/secp256k1';
-const p = secp256k1.ProjectivePoint;
-const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)];
-p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n)); // 129*G
+import { jubjub, babyjubjub } from '@noble/curves/misc';
 ```
 
-Pippenger algorithm is used underneath.
-Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.
-It's 10-30x faster vs naive addition for large amount of points.
+Miscellaneous, rarely used curves are contained in the module.
+Jubjub curves have Fp over scalar fields of other curves. They are friendly to ZK proofs.
+jubjub Fp = bls n. babyjubjub Fp = bn254 n.
 
-#### Accessing a curve's variables
+#### Low-level methods
 
 ```ts
 import { secp256k1 } from '@noble/curves/secp256k1';
+
+// Curve's variables
 // Every curve has `CURVE` object that contains its parameters, field, and others
 console.log(secp256k1.CURVE.p); // field modulus
 console.log(secp256k1.CURVE.n); // curve order
 console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params
 console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates
-```
-
 
-#### All available imports
-
-```typescript
-import { secp256k1, schnorr } from '@noble/curves/secp256k1';
-import { ed25519, ed25519ph, ed25519ctx, x25519, RistrettoPoint } from '@noble/curves/ed25519';
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
-import { p256 } from '@noble/curves/p256';
-import { p384 } from '@noble/curves/p384';
-import { p521 } from '@noble/curves/p521';
-import { pallas, vesta } from '@noble/curves/pasta';
-import { bls12_381 } from '@noble/curves/bls12-381';
-import { bn254 } from '@noble/curves/bn254'; // also known as alt_bn128
-import { jubjub } from '@noble/curves/jubjub';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
+// MSM
+const p = secp256k1.ProjectivePoint;
+const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)];
+p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n)); // 129*G
 ```
 
+Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.
+It's 10-30x faster vs naive addition for large amount of points.
+Pippenger algorithm is used underneath.
+
 ## Abstract API
 
+Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
+If you want to use a different hashing library, abstract API doesn't depend on them.
+
 Abstract API allows to define custom curves. All arithmetics is done with JS
 bigints over finite fields, which is defined from `modular` sub-module. For
 scalar multiplication, we use
@@ -371,171 +369,69 @@ method: check out examples.
 
 ```ts
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
-import { Field } from '@noble/curves/abstract/modular'; // finite field for mod arithmetics
-import { sha256 } from '@noble/hashes/sha256'; // 3rd-party sha256() of type utils.CHash
-import { hmac } from '@noble/hashes/hmac'; // 3rd-party hmac() that will accept sha256()
-import { concatBytes, randomBytes } from '@noble/hashes/utils'; // 3rd-party utilities
+import { Field } from '@noble/curves/abstract/modular';
+import { sha256 } from '@noble/hashes/sha256';
+import { hmac } from '@noble/hashes/hmac';
+import { concatBytes, randomBytes } from '@noble/hashes/utils';
 
-const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sha256, key, concatBytes(...msgs));
+const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) =>
+  hmac(sha256, key, concatBytes(...msgs));
 
-// secq256k1: cycle of secp256k1 with Fp/N flipped.
+// secQ (not secP) - secq256k1 is a cycle of secp256k1 with Fp/N flipped.
 // https://personaelabs.org/posts/spartan-ecdsa
 // https://zcash.github.io/halo2/background/curves.html#cycles-of-curves
 const secq256k1 = weierstrass({
-  // Curve equation params a, b
   a: 0n,
   b: 7n,
-  // Field over which we'll do calculations
   Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n),
-  // Curve order, total count of valid points in the field.
   n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n,
-  // Base point (x, y) aka generator point
   Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
   Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
-
   hash: sha256,
   hmac: hmacSha256,
   randomBytes,
 });
 
-// NIST secp192r1 aka p192 https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
+// NIST secp192r1 aka p192
+// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
 const secp192r1 = weierstrass({
-  a: BigInt('0xfffffffffffffffffffffffffffffffefffffffffffffffc'),
-  b: BigInt('0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1'),
-  Fp: Field(BigInt('0xfffffffffffffffffffffffffffffffeffffffffffffffff')),
-  n: BigInt('0xffffffffffffffffffffffff99def836146bc9b1b4d22831'),
-  Gx: BigInt('0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012'),
-  Gy: BigInt('0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811'),
-  h: BigInt(1),
+  a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
+  b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
+  Fp: Field(0xfffffffffffffffffffffffffffffffeffffffffffffffffn),
+  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
+  Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
+  Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
   hash: sha256,
   hmac: hmacSha256,
   randomBytes,
 });
-
-
-// Replace weierstrass() with weierstrassPoints() if you don't need ECDSA, hash, hmac, randomBytes
 ```
 
 Short Weierstrass curve's formula is `y² = x³ + ax + b`. `weierstrass`
 expects arguments `a`, `b`, field `Fp`, curve order `n`, cofactor `h`
 and coordinates `Gx`, `Gy` of generator point.
-
-**`k` generation** is done deterministically, following
-[RFC6979](https://www.rfc-editor.org/rfc/rfc6979). It is suggested to use `extraEntropy`
-option, which incorporates randomness into signatures to increase their security.
-
-For k generation, specifying `hmac` & `hash` is required,
-which in our implementations is done by noble-hashes. If
-you're using different hashing library, make sure to wrap it in the following interface:
-
-```ts
-type CHash = {
-  (message: Uint8Array): Uint8Array;
-  blockLen: number;
-  outputLen: number;
-  create(): any;
-};
-
-// example
-function sha256(message: Uint8Array) {
-  return _internal_lowlvl(message);
-}
-sha256.outputLen = 32; // 32 bytes of output for sha2-256
-```
-
-**Message hash** is expected instead of message itself:
-
-- `sign(msgHash, privKey)` is default behavior, assuming you pre-hash msg with sha2, or other hash
-- `sign(msg, privKey, {prehash: true})` option can be used if you want to pass the message itself
+`hmac` and `hash` must be specified for deterministic `k` generation.
 
 **Weierstrass points:**
 
-1. Exported as `ProjectivePoint`
-2. Represented in projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
-3. Use complete exception-free formulas for addition and doubling
-4. Can be decoded/encoded from/to Uint8Array / hex strings using
-   `ProjectivePoint.fromHex` and `ProjectivePoint#toRawBytes()`
-5. Have `assertValidity()` which checks for being on-curve
-6. Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
-
-```ts
-// `weierstrassPoints()` returns `CURVE` and `ProjectivePoint`
-// `weierstrass()` returns `CurveFn`
-type SignOpts = { lowS?: boolean; prehash?: boolean; extraEntropy: boolean | Uint8Array };
-type CurveFn = {
-  CURVE: ReturnType<typeof validateOpts>;
-  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
-  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => SignatureType;
-  verify: (
-    signature: Hex | SignatureType,
-    msgHash: Hex,
-    publicKey: Hex,
-    opts?: { lowS?: boolean; prehash?: boolean; format?: 'compact' | 'der' }
-  ) => boolean;
-  ProjectivePoint: ProjectivePointConstructor;
-  Signature: SignatureConstructor;
-  utils: {
-    normPrivateKeyToScalar: (key: PrivKey) => bigint;
-    isValidPrivateKey(key: PrivKey): boolean;
-    randomPrivateKey: () => Uint8Array;
-    precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
-  };
-};
-
-// T is usually bigint, but can be something else like complex numbers in BLS curves
-interface ProjPointType<T> extends Group<ProjPointType<T>> {
-  readonly px: T;
-  readonly py: T;
-  readonly pz: T;
-  get x(): bigint;
-  get y(): bigint;
-  multiply(scalar: bigint): ProjPointType<T>;
-  multiplyUnsafe(scalar: bigint): ProjPointType<T>;
-  multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
-  toAffine(iz?: T): AffinePoint<T>;
-  isTorsionFree(): boolean;
-  clearCofactor(): ProjPointType<T>;
-  assertValidity(): void;
-  hasEvenY(): boolean;
-  toRawBytes(isCompressed?: boolean): Uint8Array;
-  toHex(isCompressed?: boolean): string;
-}
-// Static methods for 3d XYZ points
-interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
-  new (x: T, y: T, z: T): ProjPointType<T>;
-  fromAffine(p: AffinePoint<T>): ProjPointType<T>;
-  fromHex(hex: Hex): ProjPointType<T>;
-  fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
-  msm(points: ProjPointType[], scalars: bigint[]): ProjPointType<T>;
-}
-```
-
-**ECDSA signatures** are represented by `Signature` instances and can be
-described by the interface:
-
-```ts
-interface SignatureType {
-  readonly r: bigint;
-  readonly s: bigint;
-  readonly recovery?: number;
-  assertValidity(): void;
-  addRecoveryBit(recovery: number): SignatureType;
-  hasHighS(): boolean;
-  normalizeS(): SignatureType;
-  recoverPublicKey(msgHash: Hex): ProjPointType<bigint>;
-  toCompactRawBytes(): Uint8Array;
-  toCompactHex(): string;
-  // DER-encoded
-  toDERRawBytes(): Uint8Array;
-  toDERHex(): string;
-}
-type SignatureConstructor = {
-  new (r: bigint, s: bigint): SignatureType;
-  fromCompact(hex: Hex): SignatureType;
-  fromDER(hex: Hex): SignatureType;
-};
-```
+- Are exported as `ProjectivePoint`
+- Are represented in projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
+- Use complete exception-free formulas for addition and doubling
+- Can be decoded/encoded from/to Uint8Array / hex strings using
+  `ProjectivePoint.fromHex` and `ProjectivePoint#toRawBytes()`
+- Have `assertValidity()` which checks for being on-curve
+- Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
+
+**ECDSA signatures:**
+
+- Are represented by `Signature` instances with `r, s` and optional `recovery` properties
+- Have `recoverPublicKey()`, `toCompactRawBytes()` and `toDERRawBytes()` methods
+- Can be prehashed, or non-prehashed:
+  - `sign(msgHash, privKey)` (default, prehash: false) - you did hashing before
+  - `sign(msg, privKey, {prehash: true})` - curves will do hashing for you
+- Are generated deterministically, following [RFC6979](https://www.rfc-editor.org/rfc/rfc6979).
+  - Consider [hedged ECDSA with noise](#hedged-ecdsa-with-noise) for adding randomness into
+    for signatures, to get improved security against fault attacks.
 
 More examples:
 
@@ -599,101 +495,43 @@ const ed25519 = twistedEdwards({
 } as const);
 ```
 
-Twisted Edwards curve's formula is `ax² + y² = 1 + dx²y²`. You must specify `a`, `d`, field `Fp`, order `n`, cofactor `h`
+Twisted Edwards curve's formula is `ax² + y² = 1 + dx²y²`.
+You must specify `a`, `d`, field `Fp`, order `n`, cofactor `h`
 and coordinates `Gx`, `Gy` of generator point.
-
-For EdDSA signatures, `hash` param required. `adjustScalarBytes` which instructs how to change private scalars could be specified.
-
-We support [non-repudiation](https://eprint.iacr.org/2020/1244), which help in following scenarios:
-
-- Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
-- E-voting: malicious voters may pick keys that allow repudiation in order to deny results
-- Blockchains: transaction of amount X might also be valid for a different amount Y
+For EdDSA signatures, `hash` param required.
+`adjustScalarBytes` which instructs how to change private scalars could be specified.
 
 **Edwards points:**
 
-1. Exported as `ExtendedPoint`
-2. Represented in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
-3. Use complete exception-free formulas for addition and doubling
-4. Can be decoded/encoded from/to Uint8Array / hex strings using `ExtendedPoint.fromHex` and `ExtendedPoint#toRawBytes()`
-5. Have `assertValidity()` which checks for being on-curve
-6. Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
-7. Have `isTorsionFree()`, `clearCofactor()` and `isSmallOrder()` utilities to handle torsions
-
-```ts
-// `twistedEdwards()` returns `CurveFn` of following type:
-type CurveFn = {
-  CURVE: ReturnType<typeof validateOpts>;
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  sign: (message: Hex, privateKey: Hex, context?: Hex) => Uint8Array;
-  verify: (sig: SigType, message: Hex, publicKey: Hex, context?: Hex) => boolean;
-  ExtendedPoint: ExtPointConstructor;
-  utils: {
-    randomPrivateKey: () => Uint8Array;
-    getExtendedPublicKey: (key: PrivKey) => {
-      head: Uint8Array;
-      prefix: Uint8Array;
-      scalar: bigint;
-      point: PointType;
-      pointBytes: Uint8Array;
-    };
-  };
-};
-
-interface ExtPointType extends Group<ExtPointType> {
-  readonly ex: bigint;
-  readonly ey: bigint;
-  readonly ez: bigint;
-  readonly et: bigint;
-  get x(): bigint;
-  get y(): bigint;
-  assertValidity(): void;
-  multiply(scalar: bigint): ExtPointType;
-  multiplyUnsafe(scalar: bigint): ExtPointType;
-  isSmallOrder(): boolean;
-  isTorsionFree(): boolean;
-  clearCofactor(): ExtPointType;
-  toAffine(iz?: bigint): AffinePoint<bigint>;
-  toRawBytes(isCompressed?: boolean): Uint8Array;
-  toHex(isCompressed?: boolean): string;
-}
-// Static methods of Extended Point with coordinates in X, Y, Z, T
-interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
-  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
-  fromAffine(p: AffinePoint<bigint>): ExtPointType;
-  fromHex(hex: Hex): ExtPointType;
-  fromPrivateKey(privateKey: Hex): ExtPointType;
-  msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
-}
-```
+- Are exported as `ExtendedPoint`
+- Are represented in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
+- Use complete exception-free formulas for addition and doubling
+- Can be decoded/encoded from/to Uint8Array / hex strings using `ExtendedPoint.fromHex` and `ExtendedPoint#toRawBytes()`
+- Have `assertValidity()` which checks for being on-curve
+- Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
+- Have `isTorsionFree()`, `clearCofactor()` and `isSmallOrder()` utilities to handle torsions
+
+**EdDSA signatures:**
+
+- `zip215: true` is default behavior. It has slightly looser verification logic
+  to be [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am), following [ZIP215](https://zips.z.cash/zip-0215) rules
+- `zip215: false` switches verification criteria to strict
+  [RFC8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
+  and additionally provides [non-repudiation with SBS](https://eprint.iacr.org/2020/1244),
+  which is useful for:
+  - Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
+  - E-voting: malicious voters may pick keys that allow repudiation in order to deny results
+  - Blockchains: transaction of amount X might also be valid for a different amount Y
+- Both modes have SUF-CMA (strong unforgeability under chosen message attacks).
+
+Check out [RFC9496](https://datatracker.ietf.org/doc/html/rfc9496) for description of
+ristretto and decaf groups which we implement.
 
 ### montgomery: Montgomery curve
 
-```typescript
-import { montgomery } from '@noble/curves/abstract/montgomery';
-import { Field } from '@noble/curves/abstract/modular';
-
-const x25519 = montgomery({
-  a: 486662n,
-  Gu: 9n,
-  P: 2n ** 255n - 19n,
-  montgomeryBits: 255,
-  nByteLength: 32,
-  // Optional param
-  adjustScalarBytes(bytes) {
-    bytes[0] &= 248;
-    bytes[31] &= 127;
-    bytes[31] |= 64;
-    return bytes;
-  },
-});
-```
-
 The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
 Proper Elliptic Curve Points are not implemented yet.
 
-You must specify curve params `Fp`, `a`, `Gu` coordinate of u, `montgomeryBits` and `nByteLength`.
-
 ### bls: Barreto-Lynn-Scott curves
 
 The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.
@@ -889,33 +727,37 @@ The library has been independently audited:
   - The audit has been funded by [Ryan Shea](https://www.shea.io)
 
 It is tested against property-based, cross-library and Wycheproof vectors,
-and has fuzzing by [Guido Vranken's cryptofuzz](https://github.com/guidovranken/cryptofuzz).
+and is being fuzzed in [the separate repo](https://github.com/paulmillr/fuzzing).
 
 If you see anything unusual: investigate and report.
 
 ### Constant-timeness
 
-_JIT-compiler_ and _Garbage Collector_ make "constant time" extremely hard to
-achieve [timing attack](https://en.wikipedia.org/wiki/Timing_attack) resistance
+We're targetting algorithmic constant time. _JIT-compiler_ and _Garbage Collector_ make "constant time"
+extremely hard to achieve [timing attack](https://en.wikipedia.org/wiki/Timing_attack) resistance
 in a scripting language. Which means _any other JS library can't have
 constant-timeness_. Even statically typed Rust, a language without GC,
 [makes it harder to achieve constant-time](https://www.chosenplaintext.ca/open-source/rust-timing-shield/security)
 for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
-Use low-level libraries & languages. Nonetheless we're targetting algorithmic constant time.
+Use low-level libraries & languages.
 
 ### Supply chain security
 
-- **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures.
+- **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
 - **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
+  - Use GitHub CLI to verify single-file builds:
+    `gh attestation verify --owner paulmillr noble-curves.js`
 - **Rare releasing** is followed to ensure less re-audit need for end-users
-- **Dependencies** are minimized and locked-down:
-  - If your app has 500 dependencies, any dep could get hacked and you'll be downloading
-    malware with every install. We make sure to use as few dependencies as possible
-  - We prevent automatic dependency updates by locking-down version ranges. Every update is checked with `npm-diff`
-  - One dependency [noble-hashes](https://github.com/paulmillr/noble-hashes) is used, by the same author, to provide hashing functionality
-- **Dev Dependencies** are only used if you want to contribute to the repo. They are disabled for end-users:
-  - scure-base, scure-bip32, scure-bip39, micro-bmark and micro-should are developed by the same author and follow identical security practices
-  - prettier (linter), fast-check (property-based testing) and typescript are used for code quality, vector generation and ts compilation. The packages are big, which makes it hard to audit their source code thoroughly and fully
+- **Dependencies** are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
+  - We make sure to use as few dependencies as possible
+  - Automatic dep updates are prevented by locking-down version ranges; diffs are checked with `npm-diff`
+- **Dev Dependencies** are disabled for end-users; they are only used to develop / build the source code
+
+For this package, there is 1 dependency; and a few dev dependencies:
+
+- [noble-hashes](https://github.com/paulmillr/noble-hashes) provides cryptographic hashing functionality
+- micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
+- prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size
 
 ### Randomness
 
@@ -939,96 +781,114 @@ NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH) [after 2035](https
 
 ## Speed
 
-Benchmark results on Apple M2 with node v22:
-
-```
-secp256k1
-init x 68 ops/sec @ 14ms/op
-getPublicKey x 6,839 ops/sec @ 146μs/op
-sign x 5,226 ops/sec @ 191μs/op
-verify x 893 ops/sec @ 1ms/op
-getSharedSecret x 538 ops/sec @ 1ms/op
-recoverPublicKey x 923 ops/sec @ 1ms/op
-schnorr.sign x 700 ops/sec @ 1ms/op
-schnorr.verify x 919 ops/sec @ 1ms/op
-
-ed25519
-init x 51 ops/sec @ 19ms/op
-getPublicKey x 9,809 ops/sec @ 101μs/op
-sign x 4,976 ops/sec @ 200μs/op
-verify x 1,018 ops/sec @ 981μs/op
-
-ed448
-init x 19 ops/sec @ 50ms/op
-getPublicKey x 3,723 ops/sec @ 268μs/op
-sign x 1,759 ops/sec @ 568μs/op
-verify x 344 ops/sec @ 2ms/op
-
-p256
-init x 39 ops/sec @ 25ms/op
-getPublicKey x 6,518 ops/sec @ 153μs/op
-sign x 5,148 ops/sec @ 194μs/op
-verify x 609 ops/sec @ 1ms/op
-
-p384
-init x 17 ops/sec @ 57ms/op
-getPublicKey x 2,933 ops/sec @ 340μs/op
-sign x 2,327 ops/sec @ 429μs/op
-verify x 244 ops/sec @ 4ms/op
-
-p521
-init x 8 ops/sec @ 112ms/op
-getPublicKey x 1,484 ops/sec @ 673μs/op
-sign x 1,264 ops/sec @ 790μs/op
-verify x 124 ops/sec @ 8ms/op
-
-ristretto255
-add x 680,735 ops/sec @ 1μs/op
-multiply x 10,766 ops/sec @ 92μs/op
-encode x 15,835 ops/sec @ 63μs/op
-decode x 15,972 ops/sec @ 62μs/op
-
-decaf448
-add x 345,303 ops/sec @ 2μs/op
-multiply x 300 ops/sec @ 3ms/op
-encode x 5,987 ops/sec @ 167μs/op
-decode x 5,892 ops/sec @ 169μs/op
-
-ecdh
-├─x25519 x 1,477 ops/sec @ 676μs/op
-├─secp256k1 x 537 ops/sec @ 1ms/op
-├─p256 x 512 ops/sec @ 1ms/op
-├─p384 x 198 ops/sec @ 5ms/op
-├─p521 x 99 ops/sec @ 10ms/op
-└─x448 x 504 ops/sec @ 1ms/op
-
-bls12-381
-init x 36 ops/sec @ 27ms/op
-getPublicKey x 960 ops/sec @ 1ms/op
-sign x 60 ops/sec @ 16ms/op
-verify x 47 ops/sec @ 21ms/op
-pairing x 125 ops/sec @ 7ms/op
-pairing10 x 40 ops/sec @ 24ms/op ± 23.27% (min: 21ms, max: 48ms)
-MSM 4096 scalars x points x 0 ops/sec @ 4655ms/op
-aggregatePublicKeys/8 x 129 ops/sec @ 7ms/op
-aggregatePublicKeys/32 x 34 ops/sec @ 28ms/op
-aggregatePublicKeys/128 x 8 ops/sec @ 113ms/op
-aggregatePublicKeys/512 x 2 ops/sec @ 449ms/op
-aggregatePublicKeys/2048 x 0 ops/sec @ 1792ms/op
-aggregateSignatures/8 x 62 ops/sec @ 15ms/op
-aggregateSignatures/32 x 16 ops/sec @ 60ms/op
-aggregateSignatures/128 x 4 ops/sec @ 238ms/op
-aggregateSignatures/512 x 1 ops/sec @ 946ms/op
-aggregateSignatures/2048 x 0 ops/sec @ 3774ms/op
-
-hash-to-curve
-hash_to_field x 91,600 ops/sec @ 10μs/op
-secp256k1 x 2,373 ops/sec @ 421μs/op
-p256 x 4,310 ops/sec @ 231μs/op
-p384 x 1,664 ops/sec @ 600μs/op
-p521 x 807 ops/sec @ 1ms/op
-ed25519 x 3,088 ops/sec @ 323μs/op
-ed448 x 1,247 ops/sec @ 801μs/op
+```sh
+npm run bench:install && npm run bench
+```
+
+During first call of most methods, `init` is done, which calculates base point precomputes.
+The method consumes 20MB+ of memory and takes some time.
+You can adjust how many precomputes are generated,
+by using `_setWindowSize`. Check out the source code.
+
+Benchmark results on Apple M4:
+
+```
+# secp256k1
+init 10ms
+getPublicKey x 9,099 ops/sec @ 109μs/op
+sign x 7,182 ops/sec @ 139μs/op
+verify x 1,188 ops/sec @ 841μs/op
+getSharedSecret x 735 ops/sec @ 1ms/op
+recoverPublicKey x 1,265 ops/sec @ 790μs/op
+schnorr.sign x 957 ops/sec @ 1ms/op
+schnorr.verify x 1,210 ops/sec @ 825μs/op
+
+# ed25519
+init 14ms
+getPublicKey x 14,216 ops/sec @ 70μs/op
+sign x 6,849 ops/sec @ 145μs/op
+verify x 1,400 ops/sec @ 713μs/op
+
+# ed448
+init 37ms
+getPublicKey x 5,273 ops/sec @ 189μs/op
+sign x 2,494 ops/sec @ 400μs/op
+verify x 476 ops/sec @ 2ms/op
+
+# p256
+init 17ms
+getPublicKey x 8,977 ops/sec @ 111μs/op
+sign x 7,236 ops/sec @ 138μs/op
+verify x 877 ops/sec @ 1ms/op
+
+# p384
+init 42ms
+getPublicKey x 4,084 ops/sec @ 244μs/op
+sign x 3,247 ops/sec @ 307μs/op
+verify x 331 ops/sec @ 3ms/op
+
+# p521
+init 83ms
+getPublicKey x 2,049 ops/sec @ 487μs/op
+sign x 1,748 ops/sec @ 571μs/op
+verify x 170 ops/sec @ 5ms/op
+
+# ristretto255
+add x 931,966 ops/sec @ 1μs/op
+multiply x 15,444 ops/sec @ 64μs/op
+encode x 21,367 ops/sec @ 46μs/op
+decode x 21,715 ops/sec @ 46μs/op
+
+# decaf448
+add x 478,011 ops/sec @ 2μs/op
+multiply x 416 ops/sec @ 2ms/op
+encode x 8,562 ops/sec @ 116μs/op
+decode x 8,636 ops/sec @ 115μs/op
+
+# ECDH
+x25519 x 1,981 ops/sec @ 504μs/op
+x448 x 743 ops/sec @ 1ms/op
+secp256k1 x 728 ops/sec @ 1ms/op
+p256 x 705 ops/sec @ 1ms/op
+p384 x 268 ops/sec @ 3ms/op
+p521 x 137 ops/sec @ 7ms/op
+
+# hash-to-curve
+hashToPrivateScalar x 1,754,385 ops/sec @ 570ns/op
+hash_to_field x 135,703 ops/sec @ 7μs/op
+hashToCurve secp256k1 x 3,194 ops/sec @ 313μs/op
+hashToCurve p256 x 5,962 ops/sec @ 167μs/op
+hashToCurve p384 x 2,230 ops/sec @ 448μs/op
+hashToCurve p521 x 1,063 ops/sec @ 940μs/op
+hashToCurve ed25519 x 4,047 ops/sec @ 247μs/op
+hashToCurve ed448 x 1,691 ops/sec @ 591μs/op
+hash_to_ristretto255 x 8,733 ops/sec @ 114μs/op
+hash_to_decaf448 x 3,882 ops/sec @ 257μs/op
+
+# modular over secp256k1 P field
+invert a x 866,551 ops/sec @ 1μs/op
+invert b x 693,962 ops/sec @ 1μs/op
+sqrt p = 3 mod 4 x 25,738 ops/sec @ 38μs/op
+sqrt tonneli-shanks x 847 ops/sec @ 1ms/op
+
+# bls12-381
+init 22ms
+getPublicKey x 1,325 ops/sec @ 754μs/op
+sign x 80 ops/sec @ 12ms/op
+verify x 62 ops/sec @ 15ms/op
+pairing x 166 ops/sec @ 6ms/op
+pairing10 x 54 ops/sec @ 18ms/op ± 23.48% (15ms..36ms)
+MSM 4096 scalars x points 3286ms
+aggregatePublicKeys/8 x 173 ops/sec @ 5ms/op
+aggregatePublicKeys/32 x 46 ops/sec @ 21ms/op
+aggregatePublicKeys/128 x 11 ops/sec @ 84ms/op
+aggregatePublicKeys/512 x 2 ops/sec @ 335ms/op
+aggregatePublicKeys/2048 x 0 ops/sec @ 1346ms/op
+aggregateSignatures/8 x 82 ops/sec @ 12ms/op
+aggregateSignatures/32 x 21 ops/sec @ 45ms/op
+aggregateSignatures/128 x 5 ops/sec @ 178ms/op
+aggregateSignatures/512 x 1 ops/sec @ 705ms/op
+aggregateSignatures/2048 x 0 ops/sec @ 2823ms/op
 ```
 
 ## Upgrading
@@ -1092,10 +952,10 @@ Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):
 
 ## Contributing & testing
 
-* `npm install && npm run build && npm test` will build the code and run tests.
-* `npm run lint` / `npm run format` will run linter / fix linter issues.
-* `npm run bench` will run benchmarks, which may need their deps first (`npm run bench:install`)
-* `cd build && npm install && npm run build:release` will build single file
+- `npm install && npm run build && npm test` will build the code and run tests.
+- `npm run lint` / `npm run format` will run linter / fix linter issues.
+- `npm run bench` will run benchmarks, which may need their deps first (`npm run bench:install`)
+- `npm run build:release` will build single file
 
 Check out [github.com/paulmillr/guidelines](https://github.com/paulmillr/guidelines)
 for general coding practices and rules.