@noble/curves 1.9.0 → 1.9.2

package/abstract/weierstrass.js

@@ -1,26 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DER = exports.DERErr = void 0;
+exports._legacyHelperEquat = _legacyHelperEquat;
+exports._legacyHelperNormPriv = _legacyHelperNormPriv;
+exports.weierstrassN = weierstrassN;
 exports.weierstrassPoints = weierstrassPoints;
+exports.ecdsa = ecdsa;
 exports.weierstrass = weierstrass;
 exports.SWUFpSqrtRatio = SWUFpSqrtRatio;
 exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU;
 /**
  * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
  *
- * ### Parameters
- *
- * To initialize a weierstrass curve, one needs to pass following params:
- *
- * * a: formula param
- * * b: formula param
- * * Fp: finite Field over which we'll do calculations. Can be complex (Fp2, Fp12)
- * * n: Curve prime subgroup order, total count of valid points in the field
- * * Gx: Base point (x, y) aka generator point x coordinate
- * * Gy: ...y coordinate
- * * h: cofactor, usually 1. h*n = curve group order (n is only subgroup order)
- * * lowS: whether to enable (default) or disable "low-s" non-malleable signatures
- *
  * ### Design rationale for types
  *
  * * Interaction between classes from different curves should fail:
@@ -45,45 +36,16 @@ exports.mapToCurveSimpleSWU = mapToCurveSimpleSWU;
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// prettier-ignore
+const hmac_js_1 = require("@noble/hashes/hmac.js");
+const utils_ts_1 = require("../utils.js");
 const curve_ts_1 = require("./curve.js");
-// prettier-ignore
 const modular_ts_1 = require("./modular.js");
-// prettier-ignore
-const utils_ts_1 = require("./utils.js");
 function validateSigVerOpts(opts) {
     if (opts.lowS !== undefined)
         (0, utils_ts_1.abool)('lowS', opts.lowS);
     if (opts.prehash !== undefined)
         (0, utils_ts_1.abool)('prehash', opts.prehash);
 }
-function validatePointOpts(curve) {
-    const opts = (0, curve_ts_1.validateBasic)(curve);
-    (0, utils_ts_1.validateObject)(opts, {
-        a: 'field',
-        b: 'field',
-    }, {
-        allowedPrivateKeyLengths: 'array',
-        wrapPrivateKey: 'boolean',
-        isTorsionFree: 'function',
-        clearCofactor: 'function',
-        allowInfinityPoint: 'boolean',
-        fromBytes: 'function',
-        toBytes: 'function',
-    });
-    const { endo, Fp, a } = opts;
-    if (endo) {
-        if (!Fp.eql(a, Fp.ZERO)) {
-            throw new Error('invalid endomorphism, can only be defined for Koblitz curves that have a=0');
-        }
-        if (typeof endo !== 'object' ||
-            typeof endo.beta !== 'bigint' ||
-            typeof endo.splitScalar !== 'function') {
-            throw new Error('invalid endomorphism, expected beta: bigint and splitScalar: function');
-        }
-    }
-    return Object.freeze({ ...opts });
-}
 class DERErr extends Error {
     constructor(m = '') {
         super(m);
@@ -204,71 +166,157 @@ exports.DER = {
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
-function weierstrassPoints(opts) {
-    const CURVE = validatePointOpts(opts);
-    const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
-    const Fn = (0, modular_ts_1.Field)(CURVE.n, CURVE.nBitLength);
-    const toBytes = CURVE.toBytes ||
-        ((_c, point, _isCompressed) => {
-            const a = point.toAffine();
-            return (0, utils_ts_1.concatBytes)(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
-        });
-    const fromBytes = CURVE.fromBytes ||
-        ((bytes) => {
-            // const head = bytes[0];
-            const tail = bytes.subarray(1);
-            // if (head !== 0x04) throw new Error('Only non-compressed encoding is supported');
-            const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-            const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-            return { x, y };
-        });
+// TODO: remove
+function _legacyHelperEquat(Fp, a, b) {
     /**
      * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
      * @returns y²
      */
     function weierstrassEquation(x) {
-        const { a, b } = CURVE;
         const x2 = Fp.sqr(x); // x * x
-        const x3 = Fp.mul(x2, x); // x2 * x
-        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
-    }
-    // Validate whether the passed curve params are valid.
-    // We check if curve equation works for generator point.
-    // `assertValidity()` won't work: `isTorsionFree()` is not available at this point in bls12-381.
-    // ProjectivePoint class has not been initialized yet.
-    if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
-        throw new Error('bad generator point: equation left != right');
-    // Valid group elements reside in range 1..n-1
-    function isWithinCurveOrder(num) {
-        return (0, utils_ts_1.inRange)(num, _1n, CURVE.n);
+        const x3 = Fp.mul(x2, x); // x² * x
+        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
     }
+    return weierstrassEquation;
+}
+function _legacyHelperNormPriv(Fn, allowedPrivateKeyLengths, wrapPrivateKey) {
+    const { BYTES: expected } = Fn;
     // Validates if priv key is valid and converts it to bigint.
-    // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
     function normPrivateKeyToScalar(key) {
-        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
-        if (lengths && typeof key !== 'bigint') {
-            if ((0, utils_ts_1.isBytes)(key))
-                key = (0, utils_ts_1.bytesToHex)(key);
-            // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
-            if (typeof key !== 'string' || !lengths.includes(key.length))
-                throw new Error('invalid private key');
-            key = key.padStart(nByteLength * 2, '0');
-        }
         let num;
-        try {
-            num =
-                typeof key === 'bigint'
-                    ? key
-                    : (0, utils_ts_1.bytesToNumberBE)((0, utils_ts_1.ensureBytes)('private key', key, nByteLength));
+        if (typeof key === 'bigint') {
+            num = key;
         }
-        catch (error) {
-            throw new Error('invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key);
+        else {
+            let bytes = (0, utils_ts_1.ensureBytes)('private key', key);
+            if (allowedPrivateKeyLengths) {
+                if (!allowedPrivateKeyLengths.includes(bytes.length * 2))
+                    throw new Error('invalid private key');
+                const padded = new Uint8Array(expected);
+                padded.set(bytes, padded.length - bytes.length);
+                bytes = padded;
+            }
+            try {
+                num = Fn.fromBytes(bytes);
+            }
+            catch (error) {
+                throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
+            }
         }
         if (wrapPrivateKey)
-            num = (0, modular_ts_1.mod)(num, N); // disabled by default, enabled for BLS
-        (0, utils_ts_1.aInRange)('private key', num, _1n, N); // num in range [1..N-1]
+            num = Fn.create(num); // disabled by default, enabled for BLS
+        if (!Fn.isValidNot0(num))
+            throw new Error('invalid private key: out of range [1..N-1]');
         return num;
     }
+    return normPrivateKeyToScalar;
+}
+function weierstrassN(CURVE, curveOpts = {}) {
+    const { Fp, Fn } = (0, curve_ts_1._createCurveFields)('weierstrass', CURVE, curveOpts);
+    const { h: cofactor, n: CURVE_ORDER } = CURVE;
+    (0, utils_ts_1._validateObject)(curveOpts, {}, {
+        allowInfinityPoint: 'boolean',
+        clearCofactor: 'function',
+        isTorsionFree: 'function',
+        fromBytes: 'function',
+        toBytes: 'function',
+        endo: 'object',
+        wrapPrivateKey: 'boolean',
+    });
+    const { endo } = curveOpts;
+    if (endo) {
+        // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
+        if (!Fp.is0(CURVE.a) ||
+            typeof endo.beta !== 'bigint' ||
+            typeof endo.splitScalar !== 'function') {
+            throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+        }
+    }
+    function assertCompressionIsSupported() {
+        if (!Fp.isOdd)
+            throw new Error('compression is not supported: Field does not have .isOdd()');
+    }
+    // Implements IEEE P1363 point encoding
+    function pointToBytes(_c, point, isCompressed) {
+        const { x, y } = point.toAffine();
+        const bx = Fp.toBytes(x);
+        (0, utils_ts_1.abool)('isCompressed', isCompressed);
+        if (isCompressed) {
+            assertCompressionIsSupported();
+            const hasEvenY = !Fp.isOdd(y);
+            return (0, utils_ts_1.concatBytes)(pprefix(hasEvenY), bx);
+        }
+        else {
+            return (0, utils_ts_1.concatBytes)(Uint8Array.of(0x04), bx, Fp.toBytes(y));
+        }
+    }
+    function pointFromBytes(bytes) {
+        (0, utils_ts_1.abytes)(bytes);
+        const L = Fp.BYTES;
+        const LC = L + 1; // length compressed, e.g. 33 for 32-byte field
+        const LU = 2 * L + 1; // length uncompressed, e.g. 65 for 32-byte field
+        const length = bytes.length;
+        const head = bytes[0];
+        const tail = bytes.subarray(1);
+        // No actual validation is done here: use .assertValidity()
+        if (length === LC && (head === 0x02 || head === 0x03)) {
+            const x = Fp.fromBytes(tail);
+            if (!Fp.isValid(x))
+                throw new Error('bad point: is not on curve, wrong x');
+            const y2 = weierstrassEquation(x); // y² = x³ + ax + b
+            let y;
+            try {
+                y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
+            }
+            catch (sqrtError) {
+                const err = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
+                throw new Error('bad point: is not on curve, sqrt error' + err);
+            }
+            assertCompressionIsSupported();
+            const isYOdd = Fp.isOdd(y); // (y & _1n) === _1n;
+            const isHeadOdd = (head & 1) === 1; // ECDSA-specific
+            if (isHeadOdd !== isYOdd)
+                y = Fp.neg(y);
+            return { x, y };
+        }
+        else if (length === LU && head === 0x04) {
+            // TODO: more checks
+            const x = Fp.fromBytes(tail.subarray(L * 0, L * 1));
+            const y = Fp.fromBytes(tail.subarray(L * 1, L * 2));
+            if (!isValidXY(x, y))
+                throw new Error('bad point: is not on curve');
+            return { x, y };
+        }
+        else {
+            throw new Error(`bad point: got length ${length}, expected compressed=${LC} or uncompressed=${LU}`);
+        }
+    }
+    const toBytes = curveOpts.toBytes || pointToBytes;
+    const fromBytes = curveOpts.fromBytes || pointFromBytes;
+    const weierstrassEquation = _legacyHelperEquat(Fp, CURVE.a, CURVE.b);
+    // TODO: move top-level
+    /** Checks whether equation holds for given x, y: y² == x³ + ax + b */
+    function isValidXY(x, y) {
+        const left = Fp.sqr(y); // y²
+        const right = weierstrassEquation(x); // x³ + ax + b
+        return Fp.eql(left, right);
+    }
+    // Validate whether the passed curve params are valid.
+    // Test 1: equation y² = x³ + ax + b should work for generator point.
+    if (!isValidXY(CURVE.Gx, CURVE.Gy))
+        throw new Error('bad curve params: generator point');
+    // Test 2: discriminant Δ part should be non-zero: 4a³ + 27b² != 0.
+    // Guarantees curve is genus-1, smooth (non-singular).
+    const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n), _4n);
+    const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
+    if (Fp.is0(Fp.add(_4a3, _27b2)))
+        throw new Error('bad curve params: a or b');
+    /** Asserts coordinate is valid: 0 <= n < Fp.ORDER. */
+    function acoord(title, n, banZero = false) {
+        if (!Fp.isValid(n) || (banZero && Fp.is0(n)))
+            throw new Error(`bad point coordinate ${title}`);
+        return n;
+    }
     function aprjpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
@@ -276,7 +324,7 @@ function weierstrassPoints(opts) {
     // Memoized toAffine / validity check. They are heavy. Points are immutable.
     // Converts Projective point to affine (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
-    // (x, y, z) ∋ (x=x/z, y=y/z)
+    // (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
     const toAffineMemo = (0, utils_ts_1.memoized)((p, iz) => {
         const { px: x, py: y, pz: z } = p;
         // Fast-path for normalized points
@@ -303,52 +351,48 @@ function weierstrassPoints(opts) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
             // (0, 0, 0) is invalid representation of ZERO.
-            if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
+            if (curveOpts.allowInfinityPoint && !Fp.is0(p.py))
                 return;
             throw new Error('bad point: ZERO');
         }
         // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
         const { x, y } = p.toAffine();
-        // Check if x, y are valid field elements
         if (!Fp.isValid(x) || !Fp.isValid(y))
-            throw new Error('bad point: x or y not FE');
-        const left = Fp.sqr(y); // y²
-        const right = weierstrassEquation(x); // x³ + ax + b
-        if (!Fp.eql(left, right))
+            throw new Error('bad point: x or y not field elements');
+        if (!isValidXY(x, y))
             throw new Error('bad point: equation left != right');
         if (!p.isTorsionFree())
             throw new Error('bad point: not in prime-order subgroup');
         return true;
     });
+    function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
+        k2p = new Point(Fp.mul(k2p.px, endoBeta), k2p.py, k2p.pz);
+        k1p = (0, curve_ts_1.negateCt)(k1neg, k1p);
+        k2p = (0, curve_ts_1.negateCt)(k2neg, k2p);
+        return k1p.add(k2p);
+    }
     /**
-     * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
-     * Default Point works in 2d / affine coordinates: (x, y)
+     * Projective Point works in 3d / projective (homogeneous) coordinates:(X, Y, Z) ∋ (x=X/Z, y=Y/Z).
+     * Default Point works in 2d / affine coordinates: (x, y).
      * We're doing calculations in projective, because its operations don't require costly inversion.
      */
     class Point {
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
         constructor(px, py, pz) {
-            if (px == null || !Fp.isValid(px))
-                throw new Error('x required');
-            if (py == null || !Fp.isValid(py) || Fp.is0(py))
-                throw new Error('y required');
-            if (pz == null || !Fp.isValid(pz))
-                throw new Error('z required');
-            this.px = px;
-            this.py = py;
-            this.pz = pz;
+            this.px = acoord('x', px);
+            this.py = acoord('y', py, true);
+            this.pz = acoord('z', pz);
             Object.freeze(this);
         }
-        // Does not validate if the point is on-curve.
-        // Use fromHex instead, or call assertValidity() later.
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
         static fromAffine(p) {
             const { x, y } = p || {};
             if (!p || !Fp.isValid(x) || !Fp.isValid(y))
                 throw new Error('invalid affine point');
             if (p instanceof Point)
                 throw new Error('projective point not allowed');
-            const is0 = (i) => Fp.eql(i, Fp.ZERO);
-            // fromAffine(x:0, y:0) would produce (x:0, y:0, z:1), but we need (x:0, y:1, z:0)
-            if (is0(x) && is0(y))
+            // (0, 0) would've produced (0, 0, 1) - instead, we need (0, 1, 0)
+            if (Fp.is0(x) && Fp.is0(y))
                 return Point.ZERO;
             return new Point(x, y, Fp.ONE);
         }
@@ -358,50 +402,56 @@ function weierstrassPoints(opts) {
         get y() {
             return this.toAffine().y;
         }
-        /**
-         * Takes a bunch of Projective Points but executes only one
-         * inversion on all of them. Inversion is very slow operation,
-         * so this improves performance massively.
-         * Optimization: converts a list of projective points to a list of identical points with Z=1.
-         */
         static normalizeZ(points) {
-            const toInv = (0, modular_ts_1.FpInvertBatch)(Fp, points.map((p) => p.pz));
-            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+            return (0, curve_ts_1.normalizeZ)(Point, 'pz', points);
         }
-        /**
-         * Converts hash string or Uint8Array to Point.
-         * @param hex short/long ECDSA hex
-         */
+        static fromBytes(bytes) {
+            (0, utils_ts_1.abytes)(bytes);
+            return Point.fromHex(bytes);
+        }
+        /** Converts hash string or Uint8Array to Point. */
         static fromHex(hex) {
             const P = Point.fromAffine(fromBytes((0, utils_ts_1.ensureBytes)('pointHex', hex)));
             P.assertValidity();
             return P;
         }
-        // Multiplies generator point by privateKey.
+        /** Multiplies generator point by privateKey. */
         static fromPrivateKey(privateKey) {
+            const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
             return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
         }
-        // Multiscalar Multiplication
+        /** Multiscalar Multiplication */
         static msm(points, scalars) {
             return (0, curve_ts_1.pippenger)(Point, Fn, points, scalars);
         }
-        // "Private method", don't use it directly
-        _setWindowSize(windowSize) {
+        /**
+         *
+         * @param windowSize
+         * @param isLazy true will defer table computation until the first multiplication
+         * @returns
+         */
+        precompute(windowSize = 8, isLazy = true) {
             wnaf.setWindowSize(this, windowSize);
+            if (!isLazy)
+                this.multiply(_3n); // random number
+            return this;
         }
-        // A point on curve is valid if it conforms to equation.
+        /** "Private method", don't use it directly */
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
+        // TODO: return `this`
+        /** A point on curve is valid if it conforms to equation. */
         assertValidity() {
             assertValidMemo(this);
         }
         hasEvenY() {
             const { y } = this.toAffine();
-            if (Fp.isOdd)
-                return !Fp.isOdd(y);
-            throw new Error("Field doesn't support isOdd");
+            if (!Fp.isOdd)
+                throw new Error("Field doesn't support isOdd");
+            return !Fp.isOdd(y);
         }
-        /**
-         * Compare one point to another.
-         */
+        /** Compare one point to another. */
         equals(other) {
             aprjpoint(other);
             const { px: X1, py: Y1, pz: Z1 } = this;
@@ -410,9 +460,7 @@ function weierstrassPoints(opts) {
             const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
             return U1 && U2;
         }
-        /**
-         * Flips point to one corresponding to (x, -y) in Affine coordinates.
-         */
+        /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
         negate() {
             return new Point(this.px, Fp.neg(this.py), this.pz);
         }
@@ -517,46 +565,6 @@ function weierstrassPoints(opts) {
         is0() {
             return this.equals(Point.ZERO);
         }
-        wNAF(n) {
-            return wnaf.wNAFCached(this, n, Point.normalizeZ);
-        }
-        /**
-         * Non-constant-time multiplication. Uses double-and-add algorithm.
-         * It's faster, but should only be used when you don't care about
-         * an exposed private key e.g. sig verification, which works over *public* keys.
-         */
-        multiplyUnsafe(sc) {
-            const { endo, n: N } = CURVE;
-            (0, utils_ts_1.aInRange)('scalar', sc, _0n, N);
-            const I = Point.ZERO;
-            if (sc === _0n)
-                return I;
-            if (this.is0() || sc === _1n)
-                return this;
-            // Case a: no endomorphism. Case b: has precomputes.
-            if (!endo || wnaf.hasPrecomputes(this))
-                return wnaf.wNAFCachedUnsafe(this, sc, Point.normalizeZ);
-            // Case c: endomorphism
-            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
-            let k1p = I;
-            let k2p = I;
-            let d = this;
-            while (k1 > _0n || k2 > _0n) {
-                if (k1 & _1n)
-                    k1p = k1p.add(d);
-                if (k2 & _1n)
-                    k2p = k2p.add(d);
-                d = d.double();
-                k1 >>= _1n;
-                k2 >>= _1n;
-            }
-            if (k1neg)
-                k1p = k1p.negate();
-            if (k2neg)
-                k2p = k2p.negate();
-            k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-            return k1p.add(k2p);
-        }
         /**
          * Constant time multiplication.
          * Uses wNAF method. Windowed method may be 10% faster,
@@ -567,21 +575,21 @@ function weierstrassPoints(opts) {
          * @returns New point
          */
         multiply(scalar) {
-            const { endo, n: N } = CURVE;
-            (0, utils_ts_1.aInRange)('scalar', scalar, _1n, N);
+            const { endo } = curveOpts;
+            if (!Fn.isValidNot0(scalar))
+                throw new Error('invalid scalar: out of range'); // 0 is invalid
             let point, fake; // Fake point is used to const-time mult
+            const mul = (n) => wnaf.wNAFCached(this, n, Point.normalizeZ);
+            /** See docs for {@link EndomorphismOpts} */
             if (endo) {
                 const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
-                let { p: k1p, f: f1p } = this.wNAF(k1);
-                let { p: k2p, f: f2p } = this.wNAF(k2);
-                k1p = wnaf.constTimeNegate(k1neg, k1p);
-                k2p = wnaf.constTimeNegate(k2neg, k2p);
-                k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-                point = k1p.add(k2p);
-                fake = f1p.add(f2p);
+                const { p: k1p, f: k1f } = mul(k1);
+                const { p: k2p, f: k2f } = mul(k2);
+                fake = k1f.add(k2f);
+                point = finishEndo(endo.beta, k1p, k2p, k1neg, k2neg);
             }
             else {
-                const { p, f } = this.wNAF(scalar);
+                const { p, f } = mul(scalar);
                 point = p;
                 fake = f;
             }
@@ -589,161 +597,131 @@ function weierstrassPoints(opts) {
             return Point.normalizeZ([point, fake])[0];
         }
         /**
-         * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
-         * Not using Strauss-Shamir trick: precomputation tables are faster.
-         * The trick could be useful if both P and Q are not G (not in our case).
-         * @returns non-zero affine point
+         * Non-constant-time multiplication. Uses double-and-add algorithm.
+         * It's faster, but should only be used when you don't care about
+         * an exposed private key e.g. sig verification, which works over *public* keys.
          */
+        multiplyUnsafe(sc) {
+            const { endo } = curveOpts;
+            const p = this;
+            if (!Fn.isValid(sc))
+                throw new Error('invalid scalar: out of range'); // 0 is valid
+            if (sc === _0n || p.is0())
+                return Point.ZERO;
+            if (sc === _1n)
+                return p; // fast-path
+            if (wnaf.hasPrecomputes(this))
+                return this.multiply(sc);
+            if (endo) {
+                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
+                // `wNAFCachedUnsafe` is 30% slower
+                const { p1, p2 } = (0, curve_ts_1.mulEndoUnsafe)(Point, p, k1, k2);
+                return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
+            }
+            else {
+                return wnaf.wNAFCachedUnsafe(p, sc);
+            }
+        }
         multiplyAndAddUnsafe(Q, a, b) {
-            const G = Point.BASE; // No Strauss-Shamir trick: we have 10% faster G precomputes
-            const mul = (P, a // Select faster multiply() method
-            ) => (a === _0n || a === _1n || !P.equals(G) ? P.multiplyUnsafe(a) : P.multiply(a));
-            const sum = mul(this, a).add(mul(Q, b));
+            const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
             return sum.is0() ? undefined : sum;
         }
-        // Converts Projective point to affine (x, y) coordinates.
-        // Can accept precomputed Z^-1 - for example, from invertBatch.
-        // (x, y, z) ∋ (x=x/z, y=y/z)
-        toAffine(iz) {
-            return toAffineMemo(this, iz);
+        /**
+         * Converts Projective point to affine (x, y) coordinates.
+         * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+         */
+        toAffine(invertedZ) {
+            return toAffineMemo(this, invertedZ);
         }
+        /**
+         * Checks whether Point is free of torsion elements (is in prime subgroup).
+         * Always torsion-free for cofactor=1 curves.
+         */
         isTorsionFree() {
-            const { h: cofactor, isTorsionFree } = CURVE;
+            const { isTorsionFree } = curveOpts;
             if (cofactor === _1n)
-                return true; // No subgroups, always torsion-free
+                return true;
             if (isTorsionFree)
                 return isTorsionFree(Point, this);
-            throw new Error('isTorsionFree() has not been declared for the elliptic curve');
+            return wnaf.wNAFCachedUnsafe(this, CURVE_ORDER).is0();
         }
         clearCofactor() {
-            const { h: cofactor, clearCofactor } = CURVE;
+            const { clearCofactor } = curveOpts;
             if (cofactor === _1n)
                 return this; // Fast-path
             if (clearCofactor)
                 return clearCofactor(Point, this);
-            return this.multiplyUnsafe(CURVE.h);
+            return this.multiplyUnsafe(cofactor);
         }
-        toRawBytes(isCompressed = true) {
+        toBytes(isCompressed = true) {
             (0, utils_ts_1.abool)('isCompressed', isCompressed);
             this.assertValidity();
             return toBytes(Point, this, isCompressed);
         }
+        /** @deprecated use `toBytes` */
+        toRawBytes(isCompressed = true) {
+            return this.toBytes(isCompressed);
+        }
         toHex(isCompressed = true) {
-            (0, utils_ts_1.abool)('isCompressed', isCompressed);
-            return (0, utils_ts_1.bytesToHex)(this.toRawBytes(isCompressed));
+            return (0, utils_ts_1.bytesToHex)(this.toBytes(isCompressed));
+        }
+        toString() {
+            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
         }
     }
+    // base / generator point
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
+    // zero / infinity / identity point
     Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
-    const _bits = CURVE.nBitLength;
-    const wnaf = (0, curve_ts_1.wNAF)(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-    return {
-        CURVE,
-        ProjectivePoint: Point,
-        normPrivateKeyToScalar,
-        weierstrassEquation,
-        isWithinCurveOrder,
-    };
+    // fields
+    Point.Fp = Fp;
+    Point.Fn = Fn;
+    const bits = Fn.BITS;
+    const wnaf = (0, curve_ts_1.wNAF)(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+    return Point;
+}
+// _legacyWeierstrass
+/** @deprecated use `weierstrassN` */
+function weierstrassPoints(c) {
+    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+    const Point = weierstrassN(CURVE, curveOpts);
+    return _weierstrass_new_output_to_legacy(c, Point);
+}
+// Points start with byte 0x02 when y is even; otherwise 0x03
+function pprefix(hasEvenY) {
+    return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
 }
-function validateOpts(curve) {
-    const opts = (0, curve_ts_1.validateBasic)(curve);
-    (0, utils_ts_1.validateObject)(opts, {
-        hash: 'hash',
+function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
+    (0, utils_ts_1._validateObject)(ecdsaOpts, { hash: 'function' }, {
         hmac: 'function',
+        lowS: 'boolean',
         randomBytes: 'function',
-    }, {
         bits2int: 'function',
         bits2int_modN: 'function',
-        lowS: 'boolean',
     });
-    return Object.freeze({ lowS: true, ...opts });
-}
-/**
- * Creates short weierstrass curve and ECDSA signature methods for it.
- * @example
- * import { Field } from '@noble/curves/abstract/modular';
- * // Before that, define BigInt-s: a, b, p, n, Gx, Gy
- * const curve = weierstrass({ a, b, Fp: Field(p), n, Gx, Gy, h: 1n })
- */
-function weierstrass(curveDef) {
-    const CURVE = validateOpts(curveDef);
-    const { Fp, n: CURVE_ORDER } = CURVE;
-    const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
-    const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
-    function modN(a) {
-        return (0, modular_ts_1.mod)(a, CURVE_ORDER);
-    }
-    function invN(a) {
-        return (0, modular_ts_1.invert)(a, CURVE_ORDER);
-    }
-    const { ProjectivePoint: Point, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder, } = weierstrassPoints({
-        ...CURVE,
-        toBytes(_c, point, isCompressed) {
-            const a = point.toAffine();
-            const x = Fp.toBytes(a.x);
-            const cat = utils_ts_1.concatBytes;
-            (0, utils_ts_1.abool)('isCompressed', isCompressed);
-            if (isCompressed) {
-                return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
-            }
-            else {
-                return cat(Uint8Array.from([0x04]), x, Fp.toBytes(a.y));
-            }
-        },
-        fromBytes(bytes) {
-            const len = bytes.length;
-            const head = bytes[0];
-            const tail = bytes.subarray(1);
-            // this.assertValidity() is done inside of fromHex
-            if (len === compressedLen && (head === 0x02 || head === 0x03)) {
-                const x = (0, utils_ts_1.bytesToNumberBE)(tail);
-                if (!(0, utils_ts_1.inRange)(x, _1n, Fp.ORDER))
-                    throw new Error('Point is not on curve');
-                const y2 = weierstrassEquation(x); // y² = x³ + ax + b
-                let y;
-                try {
-                    y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
-                }
-                catch (sqrtError) {
-                    const suffix = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
-                    throw new Error('Point is not on curve' + suffix);
-                }
-                const isYOdd = (y & _1n) === _1n;
-                // ECDSA
-                const isHeadOdd = (head & 1) === 1;
-                if (isHeadOdd !== isYOdd)
-                    y = Fp.neg(y);
-                return { x, y };
-            }
-            else if (len === uncompressedLen && head === 0x04) {
-                const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-                const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-                return { x, y };
-            }
-            else {
-                const cl = compressedLen;
-                const ul = uncompressedLen;
-                throw new Error('invalid Point, expected length of ' + cl + ', or uncompressed ' + ul + ', got ' + len);
-            }
-        },
-    });
-    const numToNByteHex = (num) => (0, utils_ts_1.bytesToHex)((0, utils_ts_1.numberToBytesBE)(num, CURVE.nByteLength));
+    const randomBytes_ = ecdsaOpts.randomBytes || utils_ts_1.randomBytes;
+    const hmac_ = ecdsaOpts.hmac ||
+        ((key, ...msgs) => (0, hmac_js_1.hmac)(ecdsaOpts.hash, key, (0, utils_ts_1.concatBytes)(...msgs)));
+    const { Fp, Fn } = Point;
+    const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
     function isBiggerThanHalfOrder(number) {
         const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
     }
     function normalizeS(s) {
-        return isBiggerThanHalfOrder(s) ? modN(-s) : s;
+        return isBiggerThanHalfOrder(s) ? Fn.neg(s) : s;
+    }
+    function aValidRS(title, num) {
+        if (!Fn.isValidNot0(num))
+            throw new Error(`invalid signature ${title}: out of range 1..CURVE.n`);
     }
-    // slice bytes num
-    const slcNum = (b, from, to) => (0, utils_ts_1.bytesToNumberBE)(b.slice(from, to));
     /**
      * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
      */
     class Signature {
         constructor(r, s, recovery) {
-            (0, utils_ts_1.aInRange)('r', r, _1n, CURVE_ORDER); // r in [1..N]
-            (0, utils_ts_1.aInRange)('s', s, _1n, CURVE_ORDER); // s in [1..N]
+            aValidRS('r', r); // r in [1..N-1]
+            aValidRS('s', s); // s in [1..N-1]
             this.r = r;
             this.s = s;
             if (recovery != null)
@@ -752,9 +730,9 @@ function weierstrass(curveDef) {
         }
         // pair (bytes of r, bytes of s)
         static fromCompact(hex) {
-            const l = CURVE.nByteLength;
-            hex = (0, utils_ts_1.ensureBytes)('compactSignature', hex, l * 2);
-            return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
+            const L = Fn.BYTES;
+            const b = (0, utils_ts_1.ensureBytes)('compactSignature', hex, L * 2);
+            return new Signature(Fn.fromBytes(b.subarray(0, L)), Fn.fromBytes(b.subarray(L, L * 2)));
         }
         // DER encoded ECDSA signature
         // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
@@ -770,22 +748,36 @@ function weierstrass(curveDef) {
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
+        // ProjPointType<bigint>
         recoverPublicKey(msgHash) {
+            const FIELD_ORDER = Fp.ORDER;
             const { r, s, recovery: rec } = this;
-            const h = bits2int_modN((0, utils_ts_1.ensureBytes)('msgHash', msgHash)); // Truncate hash
             if (rec == null || ![0, 1, 2, 3].includes(rec))
                 throw new Error('recovery id invalid');
-            const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
-            if (radj >= Fp.ORDER)
+            // ECDSA recovery is hard for cofactor > 1 curves.
+            // In sign, `r = q.x mod n`, and here we recover q.x from r.
+            // While recovering q.x >= n, we need to add r+n for cofactor=1 curves.
+            // However, for cofactor>1, r+n may not get q.x:
+            // r+n*i would need to be done instead where i is unknown.
+            // To easily get i, we either need to:
+            // a. increase amount of valid recid values (4, 5...); OR
+            // b. prohibit non-prime-order signatures (recid > 1).
+            const hasCofactor = CURVE_ORDER * _2n < FIELD_ORDER;
+            if (hasCofactor && rec > 1)
+                throw new Error('recovery id is ambiguous for h>1 curve');
+            const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
+            if (!Fp.isValid(radj))
                 throw new Error('recovery id 2 or 3 invalid');
-            const prefix = (rec & 1) === 0 ? '02' : '03';
-            const R = Point.fromHex(prefix + numToNByteHex(radj));
-            const ir = invN(radj); // r^-1
-            const u1 = modN(-h * ir); // -hr^-1
-            const u2 = modN(s * ir); // sr^-1
-            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)
-            if (!Q)
-                throw new Error('point at infinify'); // unsafe is fine: no priv data leaked
+            const x = Fp.toBytes(radj);
+            const R = Point.fromHex((0, utils_ts_1.concatBytes)(pprefix((rec & 1) === 0), x));
+            const ir = Fn.inv(radj); // r^-1
+            const h = bits2int_modN((0, utils_ts_1.ensureBytes)('msgHash', msgHash)); // Truncate hash
+            const u1 = Fn.create(-h * ir); // -hr^-1
+            const u2 = Fn.create(s * ir); // sr^-1
+            // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
+            const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
+            if (Q.is0())
+                throw new Error('point at infinify');
             Q.assertValidity();
             return Q;
         }
@@ -794,23 +786,31 @@ function weierstrass(curveDef) {
             return isBiggerThanHalfOrder(this.s);
         }
         normalizeS() {
-            return this.hasHighS() ? new Signature(this.r, modN(-this.s), this.recovery) : this;
+            return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
+        }
+        toBytes(format) {
+            if (format === 'compact')
+                return (0, utils_ts_1.concatBytes)(Fn.toBytes(this.r), Fn.toBytes(this.s));
+            if (format === 'der')
+                return (0, utils_ts_1.hexToBytes)(exports.DER.hexFromSig(this));
+            throw new Error('invalid format');
         }
         // DER-encoded
         toDERRawBytes() {
-            return (0, utils_ts_1.hexToBytes)(this.toDERHex());
+            return this.toBytes('der');
         }
         toDERHex() {
-            return exports.DER.hexFromSig(this);
+            return (0, utils_ts_1.bytesToHex)(this.toBytes('der'));
         }
         // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
-            return (0, utils_ts_1.hexToBytes)(this.toCompactHex());
+            return this.toBytes('compact');
         }
         toCompactHex() {
-            return numToNByteHex(this.r) + numToNByteHex(this.s);
+            return (0, utils_ts_1.bytesToHex)(this.toBytes('compact'));
         }
     }
+    const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
     const utils = {
         isValidPrivateKey(privateKey) {
             try {
@@ -827,21 +827,11 @@ function weierstrass(curveDef) {
          * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
          */
         randomPrivateKey: () => {
-            const length = (0, modular_ts_1.getMinHashLength)(CURVE.n);
-            return (0, modular_ts_1.mapHashToField)(CURVE.randomBytes(length), CURVE.n);
+            const n = CURVE_ORDER;
+            return (0, modular_ts_1.mapHashToField)(randomBytes_((0, modular_ts_1.getMinHashLength)(n)), n);
         },
-        /**
-         * Creates precompute table for an arbitrary EC point. Makes point "cached".
-         * Allows to massively speed-up `point.multiply(scalar)`.
-         * @returns cached point
-         * @example
-         * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
-         * fast.multiply(privKey); // much faster ECDH now
-         */
         precompute(windowSize = 8, point = Point.BASE) {
-            point._setWindowSize(windowSize);
-            point.multiply(BigInt(3)); // 3 is arbitrary, just need any number here
-            return point;
+            return point.precompute(windowSize, false);
         },
     };
     /**
@@ -851,22 +841,27 @@ function weierstrass(curveDef) {
      * @returns Public key, full when isCompressed=false; short when isCompressed=true
      */
     function getPublicKey(privateKey, isCompressed = true) {
-        return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);
+        return Point.fromPrivateKey(privateKey).toBytes(isCompressed);
     }
     /**
      * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
      */
     function isProbPub(item) {
-        const arr = (0, utils_ts_1.isBytes)(item);
-        const str = typeof item === 'string';
-        const len = (arr || str) && item.length;
-        if (arr)
-            return len === compressedLen || len === uncompressedLen;
-        if (str)
-            return len === 2 * compressedLen || len === 2 * uncompressedLen;
+        if (typeof item === 'bigint')
+            return false;
         if (item instanceof Point)
             return true;
-        return false;
+        const arr = (0, utils_ts_1.ensureBytes)('key', item);
+        const length = arr.length;
+        const L = Fp.BYTES;
+        const LC = L + 1; // e.g. 33 for 32
+        const LU = 2 * L + 1; // e.g. 65 for 32
+        if (curveOpts.allowedPrivateKeyLengths || Fn.BYTES === LC) {
+            return undefined;
+        }
+        else {
+            return length === LC || length === LU;
+        }
     }
     /**
      * ECDH (Elliptic Curve Diffie Hellman).
@@ -879,41 +874,41 @@ function weierstrass(curveDef) {
      * @returns shared public key
      */
     function getSharedSecret(privateA, publicB, isCompressed = true) {
-        if (isProbPub(privateA))
+        if (isProbPub(privateA) === true)
             throw new Error('first arg must be private key');
-        if (!isProbPub(publicB))
+        if (isProbPub(publicB) === false)
             throw new Error('second arg must be public key');
         const b = Point.fromHex(publicB); // check for being on-curve
-        return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
+        return b.multiply(normPrivateKeyToScalar(privateA)).toBytes(isCompressed);
     }
     // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
     // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
     // bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.
     // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
-    const bits2int = CURVE.bits2int ||
+    const bits2int = ecdsaOpts.bits2int ||
         function (bytes) {
-            // Our custom check "just in case"
+            // Our custom check "just in case", for protection against DoS
             if (bytes.length > 8192)
                 throw new Error('input is too large');
             // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
             // for some cases, since bytes.length * 8 is not actual bitLength.
             const num = (0, utils_ts_1.bytesToNumberBE)(bytes); // check for == u8 done here
-            const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
+            const delta = bytes.length * 8 - fnBits; // truncate to nBitLength leftmost bits
             return delta > 0 ? num >> BigInt(delta) : num;
         };
-    const bits2int_modN = CURVE.bits2int_modN ||
+    const bits2int_modN = ecdsaOpts.bits2int_modN ||
         function (bytes) {
-            return modN(bits2int(bytes)); // can't use bytesToNumberBE here
+            return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
         };
     // NOTE: pads output with zero as per spec
-    const ORDER_MASK = (0, utils_ts_1.bitMask)(CURVE.nBitLength);
+    const ORDER_MASK = (0, utils_ts_1.bitMask)(fnBits);
     /**
      * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
      */
     function int2octets(num) {
-        (0, utils_ts_1.aInRange)('num < 2^' + CURVE.nBitLength, num, _0n, ORDER_MASK);
-        // works with order, can have different size than numToField!
-        return (0, utils_ts_1.numberToBytesBE)(num, CURVE.nByteLength);
+        // IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
+        (0, utils_ts_1.aInRange)('num < 2^' + fnBits, num, _0n, ORDER_MASK);
+        return Fn.toBytes(num);
     }
     // Steps A, D of RFC6979 3.2
     // Creates RFC6979 seed; converts msg/privKey to numbers.
@@ -923,7 +918,7 @@ function weierstrass(curveDef) {
     function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
         if (['recovered', 'canonical'].some((k) => k in opts))
             throw new Error('sign() legacy options not supported');
-        const { hash, randomBytes } = CURVE;
+        const { hash } = ecdsaOpts;
         let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
         if (lowS == null)
             lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
@@ -932,7 +927,7 @@ function weierstrass(curveDef) {
         if (prehash)
             msgHash = (0, utils_ts_1.ensureBytes)('prehashed msgHash', hash(msgHash));
         // We can't later call bits2octets, since nested bits2int is broken for curves
-        // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call.
+        // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
         const h1int = bits2int_modN(msgHash);
         const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
@@ -940,26 +935,27 @@ function weierstrass(curveDef) {
         // extraEntropy. RFC6979 3.6: additional k' (optional).
         if (ent != null && ent !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-            const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
+            const e = ent === true ? randomBytes_(Fp.BYTES) : ent; // generate random bytes OR pass as-is
             seedArgs.push((0, utils_ts_1.ensureBytes)('extraEntropy', e)); // check for being bytes
         }
         const seed = (0, utils_ts_1.concatBytes)(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
         // Converts signature params into point w r/s, checks result for validity.
+        // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
+        // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
+        // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
         function k2sig(kBytes) {
             // RFC 6979 Section 3.2, step 3: k = bits2int(T)
+            // Important: all mod() calls here must be done over N
             const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
-            if (!isWithinCurveOrder(k))
-                return; // Important: all mod() calls here must be done over N
-            const ik = invN(k); // k^-1 mod n
+            if (!Fn.isValidNot0(k))
+                return; // Valid scalars (including k) must be in 1..N-1
+            const ik = Fn.inv(k); // k^-1 mod n
             const q = Point.BASE.multiply(k).toAffine(); // q = Gk
-            const r = modN(q.x); // r = q.x mod n
+            const r = Fn.create(q.x); // r = q.x mod n
             if (r === _0n)
                 return;
-            // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
-            // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
-            // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
-            const s = modN(ik * modN(m + r * d)); // Not using blinding here
+            const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
             if (s === _0n)
                 return;
             let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
@@ -972,8 +968,8 @@ function weierstrass(curveDef) {
         }
         return { seed, k2sig };
     }
-    const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };
-    const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };
+    const defaultSigOpts = { lowS: ecdsaOpts.lowS, prehash: false };
+    const defaultVerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
     /**
      * Signs message hash with a private key.
      * ```
@@ -989,13 +985,11 @@ function weierstrass(curveDef) {
      */
     function sign(msgHash, privKey, opts = defaultSigOpts) {
         const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
-        const C = CURVE;
-        const drbg = (0, utils_ts_1.createHmacDrbg)(C.hash.outputLen, C.nByteLength, C.hmac);
+        const drbg = (0, utils_ts_1.createHmacDrbg)(ecdsaOpts.hash.outputLen, Fn.BYTES, hmac_);
         return drbg(seed, k2sig); // Steps B, C, D, E, F, G
     }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
-    Point.BASE._setWindowSize(8);
-    // utils.precompute(8, ProjectivePoint.BASE)
+    Point.BASE.precompute(8);
     /**
      * Verifies a signature against message hash and public key.
      * Rejects lowS signatures by default: to override,
@@ -1013,13 +1007,14 @@ function weierstrass(curveDef) {
         const sg = signature;
         msgHash = (0, utils_ts_1.ensureBytes)('msgHash', msgHash);
         publicKey = (0, utils_ts_1.ensureBytes)('publicKey', publicKey);
-        const { lowS, prehash, format } = opts;
-        // Verify opts, deduce signature format
+        // Verify opts
         validateSigVerOpts(opts);
+        const { lowS, prehash, format } = opts;
+        // TODO: remove
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
-        if (format !== undefined && format !== 'compact' && format !== 'der')
-            throw new Error('format must be compact or der');
+        if (format !== undefined && !['compact', 'der', 'js'].includes(format))
+            throw new Error('format must be "compact", "der" or "js"');
         const isHex = typeof sg === 'string' || (0, utils_ts_1.isBytes)(sg);
         const isObj = !isHex &&
             !format &&
@@ -1031,12 +1026,29 @@ function weierstrass(curveDef) {
             throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
         let _sig = undefined;
         let P;
+        // deduce signature format
         try {
-            if (isObj)
-                _sig = new Signature(sg.r, sg.s);
+            // if (format === 'js') {
+            //   if (sg != null && !isBytes(sg)) _sig = new Signature(sg.r, sg.s);
+            // } else if (format === 'compact') {
+            //   _sig = Signature.fromCompact(sg);
+            // } else if (format === 'der') {
+            //   _sig = Signature.fromDER(sg);
+            // } else {
+            //   throw new Error('invalid format');
+            // }
+            if (isObj) {
+                if (format === undefined || format === 'js') {
+                    _sig = new Signature(sg.r, sg.s);
+                }
+                else {
+                    throw new Error('invalid format');
+                }
+            }
             if (isHex) {
-                // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
-                // Since DER can also be 2*nByteLength bytes, we check for it first.
+                // TODO: remove this malleable check
+                // Signature can be represented in 2 ways: compact (2*Fn.BYTES) & DER (variable-length).
+                // Since DER can also be 2*Fn.BYTES bytes, we check for it first.
                 try {
                     if (format !== 'compact')
                         _sig = Signature.fromDER(sg);
@@ -1057,29 +1069,99 @@ function weierstrass(curveDef) {
             return false;
         if (lowS && _sig.hasHighS())
             return false;
+        // todo: optional.hash => hash
         if (prehash)
-            msgHash = CURVE.hash(msgHash);
+            msgHash = ecdsaOpts.hash(msgHash);
         const { r, s } = _sig;
         const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-        const is = invN(s); // s^-1
-        const u1 = modN(h * is); // u1 = hs^-1 mod n
-        const u2 = modN(r * is); // u2 = rs^-1 mod n
-        const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2)?.toAffine(); // R = u1⋅G + u2⋅P
-        if (!R)
+        const is = Fn.inv(s); // s^-1
+        const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
+        const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
+        const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+        if (R.is0())
             return false;
-        const v = modN(R.x);
+        const v = Fn.create(R.x); // v = r.x mod n
         return v === r;
     }
-    return {
-        CURVE,
+    // TODO: clarify API for cloning .clone({hash: sha512}) ? .createWith({hash: sha512})?
+    // const clone = (hash: CHash): ECDSA => ecdsa(Point, { ...ecdsaOpts, ...getHash(hash) }, curveOpts);
+    return Object.freeze({
         getPublicKey,
         getSharedSecret,
         sign,
         verify,
-        ProjectivePoint: Point,
-        Signature,
         utils,
+        Point,
+        Signature,
+    });
+}
+function _weierstrass_legacy_opts_to_new(c) {
+    const CURVE = {
+        a: c.a,
+        b: c.b,
+        p: c.Fp.ORDER,
+        n: c.n,
+        h: c.h,
+        Gx: c.Gx,
+        Gy: c.Gy,
+    };
+    const Fp = c.Fp;
+    const Fn = (0, modular_ts_1.Field)(CURVE.n, c.nBitLength);
+    const curveOpts = {
+        Fp,
+        Fn,
+        allowedPrivateKeyLengths: c.allowedPrivateKeyLengths,
+        allowInfinityPoint: c.allowInfinityPoint,
+        endo: c.endo,
+        wrapPrivateKey: c.wrapPrivateKey,
+        isTorsionFree: c.isTorsionFree,
+        clearCofactor: c.clearCofactor,
+        fromBytes: c.fromBytes,
+        toBytes: c.toBytes,
     };
+    return { CURVE, curveOpts };
+}
+function _ecdsa_legacy_opts_to_new(c) {
+    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+    const ecdsaOpts = {
+        hash: c.hash,
+        hmac: c.hmac,
+        randomBytes: c.randomBytes,
+        lowS: c.lowS,
+        bits2int: c.bits2int,
+        bits2int_modN: c.bits2int_modN,
+    };
+    return { CURVE, curveOpts, ecdsaOpts };
+}
+function _weierstrass_new_output_to_legacy(c, Point) {
+    const { Fp, Fn } = Point;
+    // TODO: remove
+    function isWithinCurveOrder(num) {
+        return (0, utils_ts_1.inRange)(num, _1n, Fn.ORDER);
+    }
+    const weierstrassEquation = _legacyHelperEquat(Fp, c.a, c.b);
+    const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, c.allowedPrivateKeyLengths, c.wrapPrivateKey);
+    return Object.assign({}, {
+        CURVE: c,
+        Point: Point,
+        ProjectivePoint: Point,
+        normPrivateKeyToScalar,
+        weierstrassEquation,
+        isWithinCurveOrder,
+    });
+}
+function _ecdsa_new_output_to_legacy(c, ecdsa) {
+    return Object.assign({}, ecdsa, {
+        ProjectivePoint: ecdsa.Point,
+        CURVE: c,
+    });
+}
+// _ecdsa_legacy
+function weierstrass(c) {
+    const { CURVE, curveOpts, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
+    const Point = weierstrassN(CURVE, curveOpts);
+    const signs = ecdsa(Point, ecdsaOpts, curveOpts);
+    return _ecdsa_new_output_to_legacy(c, signs);
 }
 /**
  * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
@@ -1165,31 +1247,32 @@ function SWUFpSqrtRatio(Fp, Z) {
  */
 function mapToCurveSimpleSWU(Fp, opts) {
     (0, modular_ts_1.validateField)(Fp);
-    if (!Fp.isValid(opts.A) || !Fp.isValid(opts.B) || !Fp.isValid(opts.Z))
+    const { A, B, Z } = opts;
+    if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
         throw new Error('mapToCurveSimpleSWU: invalid opts');
-    const sqrtRatio = SWUFpSqrtRatio(Fp, opts.Z);
+    const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
     if (!Fp.isOdd)
-        throw new Error('Fp.isOdd is not implemented!');
+        throw new Error('Field does not have .isOdd()');
     // Input: u, an element of F.
     // Output: (x, y), a point on E.
     return (u) => {
         // prettier-ignore
         let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
         tv1 = Fp.sqr(u); // 1.  tv1 = u^2
-        tv1 = Fp.mul(tv1, opts.Z); // 2.  tv1 = Z * tv1
+        tv1 = Fp.mul(tv1, Z); // 2.  tv1 = Z * tv1
         tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2
         tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
         tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
-        tv3 = Fp.mul(tv3, opts.B); // 6.  tv3 = B * tv3
-        tv4 = Fp.cmov(opts.Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
-        tv4 = Fp.mul(tv4, opts.A); // 8.  tv4 = A * tv4
+        tv3 = Fp.mul(tv3, B); // 6.  tv3 = B * tv3
+        tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
+        tv4 = Fp.mul(tv4, A); // 8.  tv4 = A * tv4
         tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2
         tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
-        tv5 = Fp.mul(tv6, opts.A); // 11. tv5 = A * tv6
+        tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
         tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
         tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
         tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
-        tv5 = Fp.mul(tv6, opts.B); // 15. tv5 = B * tv6
+        tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
         tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
         x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
         const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)