@noble/curves 1.9.1 → 1.9.2

package/src/nist.ts

@@ -4,152 +4,163 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256, sha384, sha512 } from '@noble/hashes/sha2';
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
 import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type Hasher } from './abstract/hash-to-curve.ts';
-import { Field } from './abstract/modular.ts';
-import { mapToCurveSimpleSWU } from './abstract/weierstrass.ts';
+import { createHasher, type H2CHasher } from './abstract/hash-to-curve.ts';
+import { Field, type IField } from './abstract/modular.ts';
+import { mapToCurveSimpleSWU, type WeierstrassOpts } from './abstract/weierstrass.ts';
 
-const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const p256_a = Fp256.create(BigInt('-3'));
-const p256_b = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
-
-/**
- * secp256r1 curve, ECDSA and ECDH methods.
- * Field: `2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n`
- */
-// prettier-ignore
-export const p256: CurveFnWithCreate = createCurve({
-  a: p256_a,
-  b: p256_b,
-  Fp: Fp256,
+// p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
+// a = Fp256.create(BigInt('-3'));
+const p256_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
   n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  h: BigInt(1),
+  a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+  b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
   Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
   Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-  h: BigInt(1),
-  lowS: false
-} as const, sha256);
-/** Alias to p256. */
-export const secp256r1: CurveFnWithCreate = p256;
+};
 
-const p256_mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp256, {
-    A: p256_a,
-    B: p256_b,
-    Z: Fp256.create(BigInt('-10')),
-  }))();
-
-/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
-export const p256_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(secp256r1.ProjectivePoint, (scalars: bigint[]) => p256_mapSWU(scalars[0]), {
-    DST: 'P256_XMD:SHA-256_SSWU_RO_',
-    encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
-    p: Fp256.ORDER,
-    m: 1,
-    k: 128,
-    expand: 'xmd',
-    hash: sha256,
-  }))();
-
-// Field over which we'll do calculations.
-const Fp384 = Field(
-  BigInt(
+// p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+const p384_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
     '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'
-  )
-);
-const p384_a = Fp384.create(BigInt('-3'));
-// prettier-ignore
-const p384_b = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
-
-/**
- * secp384r1 curve, ECDSA and ECDH methods.
- * Field: `2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n`.
- * */
-// prettier-ignore
-export const p384: CurveFnWithCreate = createCurve({
-  a: p384_a,
-  b: p384_b,
-  Fp: Fp384,
-  n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-  Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
-  Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+  ),
+  n: BigInt(
+    '0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'
+  ),
   h: BigInt(1),
-  lowS: false
-} as const, sha384);
-/** Alias to p384. */
-export const secp384r1: CurveFnWithCreate = p384;
-
-const p384_mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp384, {
-    A: p384_a,
-    B: p384_b,
-    Z: Fp384.create(BigInt('-12')),
-  }))();
-
-/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
-export const p384_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(secp384r1.ProjectivePoint, (scalars: bigint[]) => p384_mapSWU(scalars[0]), {
-    DST: 'P384_XMD:SHA-384_SSWU_RO_',
-    encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
-    p: Fp384.ORDER,
-    m: 1,
-    k: 192,
-    expand: 'xmd',
-    hash: sha384,
-  }))();
+  a: BigInt(
+    '0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'
+  ),
+  b: BigInt(
+    '0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'
+  ),
+  Gx: BigInt(
+    '0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'
+  ),
+  Gy: BigInt(
+    '0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'
+  ),
+};
 
-// Field over which we'll do calculations.
-const Fp521 = Field(
-  BigInt(
+// p = 2n**521n - 1n
+const p521_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
     '0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-  )
-);
-
-const p521_a = Fp521.create(BigInt('-3'));
-const p521_b = BigInt(
-  '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
-);
-
-/**
- * NIST secp521r1 aka p521 curve, ECDSA and ECDH methods.
- * Field: `2n**521n - 1n`.
- */
-// prettier-ignore
-export const p521: CurveFnWithCreate = createCurve({
-  a: p521_a,
-  b: p521_b,
-  Fp: Fp521,
+  ),
   n: BigInt(
     '0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'
   ),
+  h: BigInt(1),
+  a: BigInt(
+    '0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'
+  ),
+  b: BigInt(
+    '0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'
+  ),
   Gx: BigInt(
     '0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'
   ),
   Gy: BigInt(
     '0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'
   ),
-  h: BigInt(1),
-  lowS: false,
-  allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
-} as const, sha512);
-/** Alias to p521. */
-export const secp521r1: CurveFnWithCreate = p521;
+};
 
-const p521_mapSWU = /* @__PURE__ */ (() =>
-  mapToCurveSimpleSWU(Fp521, {
-    A: p521_a,
-    B: p521_b,
-    Z: Fp521.create(BigInt('-4')),
-  }))();
+const Fp256 = Field(p256_CURVE.p);
+const Fp384 = Field(p384_CURVE.p);
+const Fp521 = Field(p521_CURVE.p);
+type SwuOpts = {
+  A: bigint;
+  B: bigint;
+  Z: bigint;
+};
+function createSWU(field: IField<bigint>, opts: SwuOpts) {
+  const map = mapToCurveSimpleSWU(field, opts);
+  return (scalars: bigint[]) => map(scalars[0]);
+}
 
+/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
+export const p256: CurveFnWithCreate = createCurve(
+  { ...p256_CURVE, Fp: Fp256, lowS: false },
+  sha256
+);
+/** Alias to p256. */
+export const secp256r1: CurveFnWithCreate = p256;
+/** Hashing / encoding to p256 points / field. RFC 9380 methods. */
+export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+  return createHasher(
+    p256.Point,
+    createSWU(Fp256, {
+      A: p256_CURVE.a,
+      B: p256_CURVE.b,
+      Z: Fp256.create(BigInt('-10')),
+    }),
+    {
+      DST: 'P256_XMD:SHA-256_SSWU_RO_',
+      encodeDST: 'P256_XMD:SHA-256_SSWU_NU_',
+      p: p256_CURVE.p,
+      m: 1,
+      k: 128,
+      expand: 'xmd',
+      hash: sha256,
+    }
+  );
+})();
+
+/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
+export const p384: CurveFnWithCreate = createCurve(
+  { ...p384_CURVE, Fp: Fp384, lowS: false },
+  sha384
+);
+/** Alias to p384. */
+export const secp384r1: CurveFnWithCreate = p384;
+/** Hashing / encoding to p384 points / field. RFC 9380 methods. */
+export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+  return createHasher(
+    p384.Point,
+    createSWU(Fp384, {
+      A: p384_CURVE.a,
+      B: p384_CURVE.b,
+      Z: Fp384.create(BigInt('-12')),
+    }),
+    {
+      DST: 'P384_XMD:SHA-384_SSWU_RO_',
+      encodeDST: 'P384_XMD:SHA-384_SSWU_NU_',
+      p: p384_CURVE.p,
+      m: 1,
+      k: 192,
+      expand: 'xmd',
+      hash: sha384,
+    }
+  );
+})();
+
+/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
+export const p521: CurveFnWithCreate = createCurve(
+  { ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] },
+  sha512
+);
+/** Alias to p521. */
+export const secp521r1: CurveFnWithCreate = p521;
 /** Hashing / encoding to p521 points / field. RFC 9380 methods. */
-export const p521_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
-  createHasher(secp521r1.ProjectivePoint, (scalars: bigint[]) => p521_mapSWU(scalars[0]), {
-    DST: 'P521_XMD:SHA-512_SSWU_RO_',
-    encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
-    p: Fp521.ORDER,
-    m: 1,
-    k: 256,
-    expand: 'xmd',
-    hash: sha512,
-  }))();
+export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+  return createHasher(
+    p521.Point,
+    createSWU(Fp521, {
+      A: p521_CURVE.a,
+      B: p521_CURVE.b,
+      Z: Fp521.create(BigInt('-4')),
+    }),
+    {
+      DST: 'P521_XMD:SHA-512_SSWU_RO_',
+      encodeDST: 'P521_XMD:SHA-512_SSWU_NU_',
+      p: p521_CURVE.p,
+      m: 1,
+      k: 256,
+      expand: 'xmd',
+      hash: sha512,
+    }
+  );
+})();

package/src/p256.ts

@@ -3,9 +3,9 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p256_hasher, p256 as p256n } from './nist.ts';
 export const p256: typeof p256n = p256n;
 export const secp256r1: typeof p256n = p256n;
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.hashToCurve)();
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p256_hasher.encodeToCurve)();

package/src/p384.ts

@@ -3,11 +3,11 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p384_hasher, p384 as p384n } from './nist.ts';
 export const p384: typeof p384n = p384n;
 export const secp384r1: typeof p384n = p384n;
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.hashToCurve)();
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p384_hasher.encodeToCurve)();
 
 /** @deprecated Use `import { p384_hasher } from "@noble/curves/nist"` module. */

package/src/p521.ts

@@ -3,9 +3,9 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { type HTFMethod } from './abstract/hash-to-curve.ts';
+import { type H2CMethod } from './abstract/hash-to-curve.ts';
 import { p521_hasher, p521 as p521n } from './nist.ts';
 export const p521: typeof p521n = p521n;
 export const secp521r1: typeof p521n = p521n;
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.hashToCurve)();
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() => p521_hasher.encodeToCurve)();

package/src/secp256k1.ts

@@ -1,22 +1,28 @@
 /**
- * NIST secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
+ * SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
  *
- * Seems to be rigid (not backdoored)
- * [as per discussion](https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975).
- *
- * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
- * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
- * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
- * [See explanation](https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066).
+ * Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,
+ * check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { sha256 } from '@noble/hashes/sha2';
-import { randomBytes } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { randomBytes } from '@noble/hashes/utils.js';
 import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
-import { createHasher, type Hasher, type HTFMethod, isogenyMap } from './abstract/hash-to-curve.ts';
+import {
+  createHasher,
+  type H2CHasher,
+  type H2CMethod,
+  isogenyMap,
+} from './abstract/hash-to-curve.ts';
 import { Field, mod, pow2 } from './abstract/modular.ts';
-import type { Hex, PrivKey } from './abstract/utils.ts';
+import {
+  type EndomorphismOpts,
+  mapToCurveSimpleSWU,
+  type ProjPointType as PointType,
+  type WeierstrassOpts,
+} from './abstract/weierstrass.ts';
+import type { Hex, PrivKey } from './utils.ts';
 import {
   aInRange,
   bytesToNumberBE,
@@ -24,11 +30,20 @@ import {
   ensureBytes,
   inRange,
   numberToBytesBE,
-} from './abstract/utils.ts';
-import { mapToCurveSimpleSWU, type ProjPointType as PointType } from './abstract/weierstrass.ts';
+} from './utils.ts';
 
-const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
-const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
+// Seems like generator was produced from some seed:
+// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
+// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
+const secp256k1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
+  n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
+  h: BigInt(1),
+  a: BigInt(0),
+  b: BigInt(7),
+  Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
+  Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
+};
 const _0n = BigInt(0);
 const _1n = BigInt(1);
 const _2n = BigInt(2);
@@ -39,7 +54,7 @@ const divNearest = (a: bigint, b: bigint) => (a + b / _2n) / b;
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
  */
 function sqrtMod(y: bigint): bigint {
-  const P = secp256k1P;
+  const P = secp256k1_CURVE.p;
   // prettier-ignore
   const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
   // prettier-ignore
@@ -62,7 +77,7 @@ function sqrtMod(y: bigint): bigint {
   return root;
 }
 
-const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = Field(secp256k1_CURVE.p, undefined, undefined, { sqrt: sqrtMod });
 
 /**
  * secp256k1 curve, ECDSA and ECDH methods.
@@ -81,19 +96,14 @@ const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
  */
 export const secp256k1: CurveFnWithCreate = createCurve(
   {
-    a: _0n,
-    b: BigInt(7),
+    ...secp256k1_CURVE,
     Fp: Fpk1,
-    n: secp256k1N,
-    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
-    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
-    h: BigInt(1),
     lowS: true, // Allow only low-S signatures by default in sign() and verify()
     endo: {
       // Endomorphism, see above
       beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
       splitScalar: (k: bigint) => {
-        const n = secp256k1N;
+        const n = secp256k1_CURVE.n;
         const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
         const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
         const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
@@ -113,7 +123,7 @@ export const secp256k1: CurveFnWithCreate = createCurve(
         }
         return { k1neg, k1, k2neg, k2 };
       },
-    },
+    } satisfies EndomorphismOpts,
   },
   sha256
 );
@@ -133,19 +143,18 @@ function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
 }
 
 // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
-const pointToBytes = (point: PointType<bigint>) => point.toRawBytes(true).slice(1);
+const pointToBytes = (point: PointType<bigint>) => point.toBytes(true).slice(1);
 const numTo32b = (n: bigint) => numberToBytesBE(n, 32);
-const modP = (x: bigint) => mod(x, secp256k1P);
-const modN = (x: bigint) => mod(x, secp256k1N);
-const Point = /* @__PURE__ */ (() => secp256k1.ProjectivePoint)();
-const GmulAdd = (Q: PointType<bigint>, a: bigint, b: bigint) =>
-  Point.BASE.multiplyAndAddUnsafe(Q, a, b);
+const modP = (x: bigint) => mod(x, secp256k1_CURVE.p);
+const modN = (x: bigint) => mod(x, secp256k1_CURVE.n);
+const Point = /* @__PURE__ */ (() => secp256k1.Point)();
+const hasEven = (y: bigint) => y % _2n === _0n;
 
 // Calculate point, scalar and bytes
 function schnorrGetExtPubKey(priv: PrivKey) {
   let d_ = secp256k1.utils.normPrivateKeyToScalar(priv); // same method executed in fromPrivateKey
   let p = Point.fromPrivateKey(d_); // P = d'⋅G; 0 < d' < n check is done inside
-  const scalar = p.hasEvenY() ? d_ : modN(-d_);
+  const scalar = hasEven(p.y) ? d_ : modN(-d_);
   return { scalar: scalar, bytes: pointToBytes(p) };
 }
 /**
@@ -153,12 +162,12 @@ function schnorrGetExtPubKey(priv: PrivKey) {
  * @returns valid point checked for being on-curve
  */
 function lift_x(x: bigint): PointType<bigint> {
-  aInRange('x', x, _1n, secp256k1P); // Fail if x ≥ p.
+  aInRange('x', x, _1n, secp256k1_CURVE.p); // Fail if x ≥ p.
   const xx = modP(x * x);
   const c = modP(xx * x + BigInt(7)); // Let c = x³ + 7 mod p.
   let y = sqrtMod(c); // Let y = c^(p+1)/4 mod p.
-  if (y % _2n !== _0n) y = modP(-y); // Return the unique point P such that x(P) = x and
-  const p = new Point(x, y, _1n); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
+  if (!hasEven(y)) y = modP(-y); // Return the unique point P such that x(P) = x and
+  const p = Point.fromAffine({ x, y }); // y(P) = y if y mod 2 = 0 or y(P) = p-y otherwise.
   p.assertValidity();
   return p;
 }
@@ -214,13 +223,16 @@ function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
   try {
     const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
     const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
-    if (!inRange(r, _1n, secp256k1P)) return false;
+    if (!inRange(r, _1n, secp256k1_CURVE.p)) return false;
     const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
-    if (!inRange(s, _1n, secp256k1N)) return false;
+    if (!inRange(s, _1n, secp256k1_CURVE.n)) return false;
     const e = challenge(numTo32b(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
-    const R = GmulAdd(P, s, modN(-e)); // R = s⋅G - e⋅P
-    if (!R || !R.hasEvenY() || R.toAffine().x !== r) return false; // -eP == (n-e)P
-    return true; // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
+    // R = s⋅G - e⋅P, where -eP == (n-e)P
+    const R = Point.BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(modN(-e)));
+    const { x, y } = R.toAffine();
+    // Fail if is_infinite(R) / not has_even_y(R) / x(R) ≠ r.
+    if (R.is0() || !hasEven(y) || x !== r) return false;
+    return true;
   } catch (error) {
     return false;
   }
@@ -308,9 +320,9 @@ const mapSWU = /* @__PURE__ */ (() =>
     Z: Fpk1.create(BigInt('-11')),
   }))();
 /** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
-export const secp256k1_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
+export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
   createHasher(
-    secp256k1.ProjectivePoint,
+    secp256k1.Point,
     (scalars: bigint[]) => {
       const { x, y } = mapSWU(Fpk1.create(scalars[0]));
       return isoMap(x, y);
@@ -323,11 +335,11 @@ export const secp256k1_hasher: Hasher<bigint> = /* @__PURE__ */ (() =>
       k: 128,
       expand: 'xmd',
       hash: sha256,
-    } as const
+    }
   ))();
 
-export const hashToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   secp256k1_hasher.hashToCurve)();
 
-export const encodeToCurve: HTFMethod<bigint> = /* @__PURE__ */ (() =>
+export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
   secp256k1_hasher.encodeToCurve)();