@noble/curves 1.9.1 → 1.9.3

package/README.md

@@ -5,11 +5,12 @@ Audited & minimal JS implementation of elliptic curve cryptography.
 - 🔒 [**Audited**](#security) by independent security firms
 - 🔻 Tree-shakeable: unused code is excluded from your builds
 - 🏎 Fast: hand-optimized for caveats of JS engines
-- 🔍 Reliable: cross-library / wycheproof tests and fuzzing ensure correctness
-- ➰ Short Weierstrass, Edwards, Montgomery curves
-- ✍️ ECDSA, EdDSA, Schnorr, BLS, ECDH, hashing to curves, Poseidon ZK-friendly hash
-- 🔖 SUF-CMA, SBS (non-repudiation), ZIP215 (consensus friendliness) features for ed25519 & ed448
-- 🪶 93KB (36KB gzipped) for everything with hashes, 26KB (11KB gzipped) for single-curve build
+- 🔍 Reliable: tested against cross-library, wycheproof and acvp vectors
+- ➰ Weierstrass, Edwards, Montgomery curves; ECDSA, EdDSA, Schnorr, BLS signatures
+- ✍️ ECDH, hash-to-curve, OPRF, Poseidon ZK-friendly hash
+- 🔖 Non-repudiation (SUF-CMA, SBS) & consensus-friendliness (ZIP215) in ed25519, ed448
+- 🥈 Optional, friendly wrapper over native WebCrypto
+- 🪶 36KB (gzipped) including bundled hashes, 11KB for single-curve build
 
 Curves have 4KB sister projects
 [secp256k1](https://github.com/paulmillr/noble-secp256k1) & [ed25519](https://github.com/paulmillr/noble-ed25519).
@@ -48,14 +49,14 @@ A standalone file [noble-curves.js](https://github.com/paulmillr/noble-curves/re
 
 ```ts
 // import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
-import { secp256k1, schnorr } from '@noble/curves/secp256k1';
-import { ed25519, ed25519ph, ed25519ctx, x25519 } from '@noble/curves/ed25519';
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448';
-import { p256, p384, p521 } from '@noble/curves/nist';
-import { bls12_381 } from '@noble/curves/bls12-381';
-import { bn254 } from '@noble/curves/bn254';
-import { jubjub, babyjubjub } from '@noble/curves/misc';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils';
+import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
+import { ed25519, ed25519ph, ed25519ctx, x25519 } from '@noble/curves/ed25519.js';
+import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
+import { p256, p384, p521 } from '@noble/curves/nist.js';
+import { bls12_381 } from '@noble/curves/bls12-381.js';
+import { bn254 } from '@noble/curves/bn254.js';
+import { jubjub, babyjubjub } from '@noble/curves/misc.js';
+import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
 ```
 
 - [ECDSA signatures over secp256k1 and others](#ecdsa-signatures-over-secp256k1-and-others)
@@ -69,8 +70,12 @@ import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/
 - [misc curves](#misc-curves)
 - [Low-level methods](#low-level-methods)
 - [Abstract API](#abstract-api)
-  - [weierstrass](#weierstrass-short-weierstrass-curve), [edwards](#edwards-twisted-edwards-curve), [montgomery](#montgomery-montgomery-curve), [bls](#bls-barreto-lynn-scott-curves)
-  - [hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points), [poseidon](#poseidon-poseidon-hash)
+  - [weierstrass](#weierstrass-short-weierstrass-curve), [Projective Point](#projective-weierstrass-point), [ECDSA signatures](#ecdsa-signatures)
+  - [edwards](#edwards-twisted-edwards-curve), [Extended Point](#extended-edwards-point), [EdDSA signatures](#eddsa-signatures)
+  - [montgomery](#montgomery-montgomery-curve)
+  - [bls](#bls-barreto-lynn-scott-curves)
+  - [hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points)
+  - [poseidon](#poseidon-poseidon-hash)
   - [modular](#modular-modular-arithmetics-utilities)
   - [fft](#fft-fast-fourier-transform)
   - [Creating private keys from hashes](#creating-private-keys-from-hashes)
@@ -86,8 +91,8 @@ import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/
 #### ECDSA signatures over secp256k1 and others
 
 ```ts
-import { secp256k1 } from '@noble/curves/secp256k1';
-// import { p256 } from '@noble/curves/nist'; // or p384 / p521
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+// import { p256 } from '@noble/curves/nist.js'; // or p384 / p521
 
 const priv = secp256k1.utils.randomPrivateKey();
 const pub = secp256k1.getPublicKey(priv);
@@ -134,7 +139,7 @@ const shared = secp256k1.getSharedSecret(priv, someonesPub);
 #### secp256k1 Schnorr signatures from BIP340
 
 ```ts
-import { schnorr } from '@noble/curves/secp256k1';
+import { schnorr } from '@noble/curves/secp256k1.js';
 const priv = schnorr.utils.randomPrivateKey();
 const pub = schnorr.getPublicKey(priv);
 const msg = new TextEncoder().encode('hello');
@@ -145,7 +150,7 @@ const isValid = schnorr.verify(sig, msg, pub);
 #### ed25519
 
 ```ts
-import { ed25519 } from '@noble/curves/ed25519';
+import { ed25519 } from '@noble/curves/ed25519.js';
 const priv = ed25519.utils.randomPrivateKey();
 const pub = ed25519.getPublicKey(priv);
 const msg = new TextEncoder().encode('hello');
@@ -154,7 +159,7 @@ ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
 ed25519.verify(sig, msg, pub, { zip215: false }); // SBS / e-voting / RFC8032 / FIPS 186-5
 
 // Variants from RFC8032: with context, prehashed
-import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519';
+import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519.js';
 ```
 
 Default `verify` behavior follows ZIP215 and
@@ -167,7 +172,7 @@ Both options have SUF-CMA (strong unforgeability under chosen message attacks).
 
 ```ts
 // X25519 aka ECDH on Curve25519 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
-import { x25519 } from '@noble/curves/ed25519';
+import { x25519 } from '@noble/curves/ed25519.js';
 const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
 const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
 x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
@@ -175,7 +180,7 @@ x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
 x25519.getPublicKey(x25519.utils.randomPrivateKey());
 
 // ed25519 => x25519 conversion
-import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519';
+import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519.js';
 edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
 edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
 ```
@@ -183,17 +188,15 @@ edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
 #### ristretto255
 
 ```ts
-// ristretto255 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
-import { utf8ToBytes } from '@noble/hashes/utils';
-import { sha512 } from '@noble/hashes/sha512';
+import { sha512 } from '@noble/hashes/sha2.js';
 import {
   hashToCurve,
   encodeToCurve,
   RistrettoPoint,
   hashToRistretto255,
-} from '@noble/curves/ed25519';
+} from '@noble/curves/ed25519.js';
 
-const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
+const msg = new TextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');
 hashToCurve(msg);
 
 const rp = RistrettoPoint.fromHex(
@@ -207,10 +210,12 @@ RistrettoPoint.hashToCurve(sha512(msg));
 hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
 ```
 
+Check out [RFC9496](https://www.rfc-editor.org/rfc/rfc9496) more info on ristretto255.
+
 #### ed448
 
 ```ts
-import { ed448 } from '@noble/curves/ed448';
+import { ed448 } from '@noble/curves/ed448.js';
 const priv = ed448.utils.randomPrivateKey();
 const pub = ed448.getPublicKey(priv);
 const msg = new TextEncoder().encode('whatsup');
@@ -218,19 +223,19 @@ const sig = ed448.sign(msg, priv);
 ed448.verify(sig, msg, pub);
 
 // Variants from RFC8032: prehashed
-import { ed448ph } from '@noble/curves/ed448';
+import { ed448ph } from '@noble/curves/ed448.js';
 ```
 
 #### X448
 
 ```ts
 // X448 aka ECDH on Curve448 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
-import { x448 } from '@noble/curves/ed448';
+import { x448 } from '@noble/curves/ed448.js';
 x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
 x448.getPublicKey(priv) === x448.scalarMultBase(priv);
 
 // ed448 => x448 conversion
-import { edwardsToMontgomeryPub } from '@noble/curves/ed448';
+import { edwardsToMontgomeryPub } from '@noble/curves/ed448.js';
 edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
 ```
 
@@ -238,11 +243,10 @@ edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
 
 ```ts
 // decaf448 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
-import { utf8ToBytes } from '@noble/hashes/utils';
-import { shake256 } from '@noble/hashes/sha3';
-import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448';
+import { shake256 } from '@noble/hashes/sha3.js';
+import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448.js';
 
-const msg = utf8ToBytes('Ristretto is traditionally a short shot of espresso coffee');
+const msg = new TextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');
 hashToCurve(msg);
 
 const dp = DecafPoint.fromHex(
@@ -256,34 +260,41 @@ DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
 hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
 ```
 
+Check out [RFC9496](https://www.rfc-editor.org/rfc/rfc9496) more info on decaf448.
+
 #### bls12-381
 
 ```ts
-import { bls12_381 as bls } from '@noble/curves/bls12-381';
-
-// G1 keys, G2 signatures
-const privateKey = '67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c';
-const message = '64726e3da8';
-const publicKey = bls.getPublicKey(privateKey);
-const signature = bls.sign(message, privateKey);
-const isValid = bls.verify(signature, message, publicKey);
-console.log({ publicKey, signature, isValid });
+import { bls12_381 } from '@noble/curves/bls12-381.js';
+import { hexToBytes } from '@noble/curves/abstract/utils.js';
 
-// G2 keys, G1 signatures
-// getPublicKeyForShortSignatures(privateKey)
-// signShortSignature(message, privateKey)
-// verifyShortSignature(signature, message, publicKey)
-// aggregateShortSignatures(signatures)
+// private keys are 32 bytes
+const privKey = hexToBytes('67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c');
+// const privKey = bls12_381.utils.randomPrivateKey();
 
-// Custom DST
-const htfEthereum = { DST: 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_' };
-const signatureEth = bls.sign(message, privateKey, htfEthereum);
-const isValidEth = bls.verify(signature, message, publicKey, htfEthereum);
+// Long signatures (G2), short public keys (G1)
+const blsl = bls12_381.longSignatures;
+const publicKey = blsl.getPublicKey(privateKey);
+// Sign msg with custom (Ethereum) DST
+const msg = new TextEncoder().encode('hello');
+const DST = 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_';
+const msgp = blsl.hash(msg, DST);
+const signature = blsl.sign(msgp, privateKey);
+const isValid = blsl.verify(signature, msgp, publicKey);
+console.log({ publicKey, signature, isValid });
+
+// Short signatures (G1), long public keys (G2)
+const blss = bls12_381.shortSignatures;
+const publicKey2 = blss.getPublicKey(privateKey);
+const msgp2 = blss.hash(new TextEncoder().encode('hello'), 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_')
+const signature2 = blss.sign(msgp2, privateKey);
+const isValid2 = blss.verify(signature2, msgp2, publicKey);
+console.log({ publicKey2, signature2, isValid2 });
 
 // Aggregation
-const aggregatedKey = bls.aggregatePublicKeys([
-  bls.utils.randomPrivateKey(),
-  bls.utils.randomPrivateKey(),
+const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([
+  bls12_381.utils.randomPrivateKey(),
+  bls12_381.utils.randomPrivateKey(),
 ]);
 // const aggregatedSig = bls.aggregateSignatures(sigs)
 
@@ -303,7 +314,7 @@ For example usage, check out [the implementation of BLS EVM precompiles](https:/
 #### bn254 aka alt_bn128
 
 ```ts
-import { bn254 } from '@noble/curves/bn254';
+import { bn254 } from '@noble/curves/bn254.js';
 
 console.log(bn254.G1, bn254.G2, bn254.pairing);
 ```
@@ -326,109 +337,89 @@ For example usage, check out [the implementation of bn254 EVM precompiles](https
 #### misc curves
 
 ```ts
-import { jubjub, babyjubjub } from '@noble/curves/misc';
+import { jubjub, babyjubjub } from '@noble/curves/misc.js';
 ```
 
 Miscellaneous, rarely used curves are contained in the module.
 Jubjub curves have Fp over scalar fields of other curves. They are friendly to ZK proofs.
 jubjub Fp = bls n. babyjubjub Fp = bn254 n.
 
-#### Low-level methods
-
-```ts
-import { secp256k1 } from '@noble/curves/secp256k1';
-
-// Curve's variables
-// Every curve has `CURVE` object that contains its parameters, field, and others
-console.log(secp256k1.CURVE.p); // field modulus
-console.log(secp256k1.CURVE.n); // curve order
-console.log(secp256k1.CURVE.a, secp256k1.CURVE.b); // equation params
-console.log(secp256k1.CURVE.Gx, secp256k1.CURVE.Gy); // base point coordinates
-
-// MSM
-const p = secp256k1.ProjectivePoint;
-const points = [p.BASE, p.BASE.multiply(2n), p.BASE.multiply(4n), p.BASE.multiply(8n)];
-p.msm(points, [3n, 5n, 7n, 11n]).equals(p.BASE.multiply(129n)); // 129*G
-```
-
-Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.
-It's 10-30x faster vs naive addition for large amount of points.
-Pippenger algorithm is used underneath.
-
 ## Abstract API
 
-Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
-If you want to use a different hashing library, abstract API doesn't depend on them.
-
 Abstract API allows to define custom curves. All arithmetics is done with JS
-bigints over finite fields, which is defined from `modular` sub-module. For
-scalar multiplication, we use
+bigints over finite fields, which is defined from `modular` sub-module.
+For scalar multiplication, we use
 [precomputed tables with w-ary non-adjacent form (wNAF)](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/).
-Precomputes are enabled for weierstrass and edwards BASE points of a curve. You
-could precompute any other point (e.g. for ECDH) using `utils.precompute()`
-method: check out examples.
+Precomputes are enabled for weierstrass and edwards BASE points of a curve.
+Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
+It's always possible to use different hashing library.
 
-### weierstrass: Short Weierstrass curve
 
-```ts
-import { weierstrass } from '@noble/curves/abstract/weierstrass';
-import { Field } from '@noble/curves/abstract/modular';
-import { sha256 } from '@noble/hashes/sha256';
-import { hmac } from '@noble/hashes/hmac';
-import { concatBytes, randomBytes } from '@noble/hashes/utils';
-
-const hmacSha256 = (key: Uint8Array, ...msgs: Uint8Array[]) =>
-  hmac(sha256, key, concatBytes(...msgs));
-
-// secQ (not secP) - secq256k1 is a cycle of secp256k1 with Fp/N flipped.
-// https://personaelabs.org/posts/spartan-ecdsa
-// https://zcash.github.io/halo2/background/curves.html#cycles-of-curves
-const secq256k1 = weierstrass({
-  a: 0n,
-  b: 7n,
-  Fp: Field(2n ** 256n - 432420386565659656852420866394968145599n),
-  n: 2n ** 256n - 2n ** 32n - 2n ** 9n - 2n ** 8n - 2n ** 7n - 2n ** 6n - 2n ** 4n - 1n,
-  Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
-  Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
-  hash: sha256,
-  hmac: hmacSha256,
-  randomBytes,
-});
+### weierstrass: Short Weierstrass curve
 
-// NIST secp192r1 aka p192
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/secg/secp192r1
-const secp192r1 = weierstrass({
+```js
+import { weierstrass } from '@noble/curves/abstract/weierstrass.js';
+// NIST secp192r1 aka p192. https://www.secg.org/sec2-v2.pdf
+const p192_CURVE = {
+  p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
+  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
+  h: 1n,
   a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
   b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
-  Fp: Field(0xfffffffffffffffffffffffffffffffeffffffffffffffffn),
-  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
   Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
   Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
-  hash: sha256,
-  hmac: hmacSha256,
-  randomBytes,
-});
+};
+const p192_Point = weierstrass(p192_CURVE);
 ```
 
 Short Weierstrass curve's formula is `y² = x³ + ax + b`. `weierstrass`
-expects arguments `a`, `b`, field `Fp`, curve order `n`, cofactor `h`
-and coordinates `Gx`, `Gy` of generator point.
-`hmac` and `hash` must be specified for deterministic `k` generation.
-
-**Weierstrass points:**
+expects arguments `a`, `b`, field characteristic `p`, curve order `n`,
+cofactor `h` and coordinates `Gx`, `Gy` of generator point.
+
+#### Projective Weierstrass Point
+
+```js
+// # weierstrass Point methods
+// projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
+// const p = new Point(x, y, z);
+const p = Point.BASE;
+// arithmetics
+p.add(p).equals(p.double());
+p.subtract(p).equals(Point.ZERO);
+p.negate();
+p.multiply(31415n);
+
+// decoding, encoding
+const b = p.toBytes();
+const p2 = Point.fromBytes(b);
+// affine conversion
+const { x, y } = p.toAffine();
+const p3 = Point.fromAffine({ x, y });
+
+// Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.
+// It's 10-30x faster vs naive addition for large amount of points.
+// Pippenger algorithm is used underneath.
+const points = [Point.BASE, Point.BASE.multiply(2n), Point.BASE.multiply(4n), Point.BASE.multiply(8n)];
+Point.msm(points, [3n, 5n, 7n, 11n]).equals(Point.BASE.multiply(129n)); // 129*G
+```
 
-- Are exported as `ProjectivePoint`
-- Are represented in projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
-- Use complete exception-free formulas for addition and doubling
-- Can be decoded/encoded from/to Uint8Array / hex strings using
-  `ProjectivePoint.fromHex` and `ProjectivePoint#toRawBytes()`
-- Have `assertValidity()` which checks for being on-curve
-- Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
+#### ECDSA signatures
+
+```js
+import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+const p192 = ecdsa(p192_Point, sha256);
+const priv = p192.utils.randomPrivateKey();
+const pub = p192.getPublicKey(priv);
+const msg = sha256(new TextEncoder().encode('custom curve'));
+const sig = p192.sign(msg);
+const isValid = p192.verify(sig, msg, pub);
+```
 
-**ECDSA signatures:**
+ECDSA signatures:
 
 - Are represented by `Signature` instances with `r, s` and optional `recovery` properties
-- Have `recoverPublicKey()`, `toCompactRawBytes()` and `toDERRawBytes()` methods
+- Have `recoverPublicKey()`, `toBytes()` with optional `format: 'compact' | 'der'`
 - Can be prehashed, or non-prehashed:
   - `sign(msgHash, privKey)` (default, prehash: false) - you did hashing before
   - `sign(msg, privKey, {prehash: true})` - curves will do hashing for you
@@ -436,85 +427,66 @@ and coordinates `Gx`, `Gy` of generator point.
   - Consider [hedged ECDSA with noise](#hedged-ecdsa-with-noise) for adding randomness into
     for signatures, to get improved security against fault attacks.
 
-More examples:
-
-```typescript
-// All curves expose same generic interface.
-const priv = secq256k1.utils.randomPrivateKey();
-secq256k1.getPublicKey(priv); // Convert private key to public.
-const sig = secq256k1.sign(msg, priv); // Sign msg with private key.
-const sig2 = secq256k1.sign(msg, priv, { prehash: true }); // hash(msg)
-secq256k1.verify(sig, msg, priv); // Verify if sig is correct.
-
-// Default behavior is "try DER, then try compact if fails". Can be explicit:
-secq256k1.verify(sig.toCompactHex(), msg, priv, { format: 'compact' });
-
-const Point = secq256k1.ProjectivePoint;
-const point = Point.BASE; // Elliptic curve Point class and BASE point static var.
-point.add(point).equals(point.double()); // add(), equals(), double() methods
-point.subtract(point).equals(Point.ZERO); // subtract() method, ZERO static var
-point.negate(); // Flips point over x/y coordinate.
-point.multiply(31415n); // Multiplication of Point by scalar.
-
-point.assertValidity(); // Checks for being on-curve
-point.toAffine(); // Converts to 2d affine xy coordinates
-
-secq256k1.CURVE.n;
-secq256k1.CURVE.p;
-secq256k1.CURVE.Fp.mod();
-secq256k1.CURVE.hash();
-
-// precomputes
-const fast = secq256k1.utils.precompute(8, Point.fromHex(someonesPubKey));
-fast.multiply(privKey); // much faster ECDH now
-```
-
 ### edwards: Twisted Edwards curve
 
 ```ts
-import { twistedEdwards } from '@noble/curves/abstract/edwards';
-import { Field } from '@noble/curves/abstract/modular';
-import { sha512 } from '@noble/hashes/sha512';
-import { randomBytes } from '@noble/hashes/utils';
-
-const Fp = Field(2n ** 255n - 19n);
-const ed25519 = twistedEdwards({
-  a: Fp.create(-1n),
-  d: Fp.div(-121665n, 121666n), // -121665n/121666n mod p
-  Fp: Fp,
-  n: 2n ** 252n + 27742317777372353535851937790883648493n,
+import { edwards } from '@noble/curves/abstract/edwards.js';
+const ed25519_CURVE = {
+  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
+  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
   h: 8n,
-  Gx: 15112221349535400772501151409588531511454012693041857206046113283949847762202n,
-  Gy: 46316835694926478169428394003475163141307993866256225615783033603165251855960n,
-  hash: sha512,
-  randomBytes,
-  adjustScalarBytes(bytes) {
-    // optional; but mandatory in ed25519
-    bytes[0] &= 248;
-    bytes[31] &= 127;
-    bytes[31] |= 64;
-    return bytes;
-  },
-} as const);
+  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
+  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
+  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
+  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n,
+};
+const ed25519_Point = edwards(ed25519_CURVE);
 ```
 
 Twisted Edwards curve's formula is `ax² + y² = 1 + dx²y²`.
-You must specify `a`, `d`, field `Fp`, order `n`, cofactor `h`
-and coordinates `Gx`, `Gy` of generator point.
-For EdDSA signatures, `hash` param required.
-`adjustScalarBytes` which instructs how to change private scalars could be specified.
+You must specify `a`, `d`, field characteristic `p`, curve order `n` (sometimes named as `L`),
+cofactor `h` and coordinates `Gx`, `Gy` of generator point.
+
+#### Extended Edwards Point
+
+```js
+const Point = ed25519_Point;
+// extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
+// const p = new Point(x, y, z, t);
+
+const p = Point.BASE;
+// arithmetics
+p.add(p).equals(p.double());
+p.subtract(p).equals(Point.ZERO);
+p.negate();
+p.multiply(31415n);
+
+// decoding, encoding
+const b = p.toBytes();
+const p2 = Point.fromBytes(b);
+// on-curve test
+p.assertValidity();
+// affine conversion
+const { x, y } = p.toAffine();
+const p3 = Point.fromAffine({ x, y });
+// misc
+const pcl = p.clearCofactor();
+console.log(p.isTorsionFree(), p.isSmallOrder());
+```
+
+#### EdDSA signatures
 
-**Edwards points:**
+```js
+const ed25519 = eddsa(ed25519_Point, { hash: sha512 });
+// ed25519.getPublicKey();
+// ed25519.sign();
+// ed25519.verify();
+```
 
-- Are exported as `ExtendedPoint`
-- Are represented in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
-- Use complete exception-free formulas for addition and doubling
-- Can be decoded/encoded from/to Uint8Array / hex strings using `ExtendedPoint.fromHex` and `ExtendedPoint#toRawBytes()`
-- Have `assertValidity()` which checks for being on-curve
-- Have `toAffine()` and `x` / `y` getters which convert to 2d xy affine coordinates
-- Have `isTorsionFree()`, `clearCofactor()` and `isSmallOrder()` utilities to handle torsions
+We define ed25519, ed448; user can use custom curves with EdDSA,
+but EdDSA in general is not defined. Check out `edwards.ts` source code.
 
-**EdDSA signatures:**
+For EdDSA signatures:
 
 - `zip215: true` is default behavior. It has slightly looser verification logic
   to be [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am), following [ZIP215](https://zips.z.cash/zip-0215) rules
@@ -527,9 +499,6 @@ For EdDSA signatures, `hash` param required.
   - Blockchains: transaction of amount X might also be valid for a different amount Y
 - Both modes have SUF-CMA (strong unforgeability under chosen message attacks).
 
-Check out [RFC9496](https://www.rfc-editor.org/rfc/rfc9496) for description of
-ristretto and decaf groups which we implement.
-
 ### montgomery: Montgomery curve
 
 The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
@@ -557,13 +526,13 @@ The module allows to hash arbitrary strings to elliptic curve points. Implements
 Every curve has exported `hashToCurve` and `encodeToCurve` methods. You should always prefer `hashToCurve` for security:
 
 ```ts
-import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1';
-import { randomBytes } from '@noble/hashes/utils';
+import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1.js';
+import { randomBytes } from '@noble/hashes/utils.js';
 hashToCurve('0102abcd');
 console.log(hashToCurve(randomBytes()));
 console.log(encodeToCurve(randomBytes()));
 
-import { bls12_381 } from '@noble/curves/bls12-381';
+import { bls12_381 } from '@noble/curves/bls12-381.js';
 bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' });
 bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
 ```
@@ -615,10 +584,10 @@ permutation and sponge.
 
 There are many poseidon variants with different constants.
 We don't provide them: you should construct them manually.
-Check out [micro-starknet](https://github.com/paulmillr/micro-starknet) package for a proper example.
+Check out [scure-starknet](https://github.com/paulmillr/scure-starknet) package for a proper example.
 
 ```ts
-import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon';
+import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
 
 const rate = 2;
 const capacity = 1;
@@ -645,7 +614,7 @@ const sponge = poseidon.poseidonSponge(opts); // use carefully, not specced
 ### modular: Modular arithmetics utilities
 
 ```ts
-import * as mod from '@noble/curves/abstract/modular';
+import * as mod from '@noble/curves/abstract/modular.js';
 
 // Finite Field utils
 const fp = mod.Field(2n ** 255n - 19n); // Finite field over 2^255-19
@@ -695,10 +664,10 @@ Use [abstract/hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points)
 if you need to hash to **public key**.
 
 ```ts
-import { p256 } from '@noble/curves/nist';
-import { sha256 } from '@noble/hashes/sha256';
-import { hkdf } from '@noble/hashes/hkdf';
-import * as mod from '@noble/curves/abstract/modular';
+import { p256 } from '@noble/curves/nist.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { hkdf } from '@noble/hashes/hkdf.js';
+import * as mod from '@noble/curves/abstract/modular.js';
 const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2)
 const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv
 const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
@@ -707,7 +676,7 @@ const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
 ### utils: Useful utilities
 
 ```ts
-import * as utils from '@noble/curves/abstract/utils';
+import * as utils from '@noble/curves/abstract/utils.js';
 
 utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
 utils.hexToBytes('deadbeef');
@@ -724,6 +693,11 @@ utils.nLength(255n);
 utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
 ```
 
+### Unreleased bits
+
+- `test/unreleased-xeddsa.ts` contains implementation of XEd25519, defined by Signal
+- `test/misc/endomorphism.js` contains tool for generation of endomorphism params for Koblitz curves
+
 ## Security
 
 The library has been independently audited:
@@ -763,6 +737,30 @@ constant-timeness_. Even statically typed Rust, a language without GC,
 for some cases. If your goal is absolute security, don't use any JS lib — including bindings to native ones.
 Use low-level libraries & languages.
 
+### Memory dumping
+
+Use low-level languages instead of JS / WASM if your goal is absolute security.
+
+The library mostly uses Uint8Arrays and bigints.
+
+- Uint8Arrays have `.fill(0)` which instructs to fill content with zeroes
+  but there are no guarantees in JS
+- bigints are immutable and don't have a method to zeroize their content:
+  a user needs to wait until the next garbage collection cycle
+- hex strings are also immutable: there is no way to zeroize them
+- `await fn()` will write all internal variables to memory. With
+  async functions there are no guarantees when the code
+  chunk would be executed. Which means attacker can have
+  plenty of time to read data from memory.
+
+This means some secrets could stay in memory longer than anticipated.
+However, if an attacker can read application memory, it's doomed anyway:
+there is no way to guarantee anything about zeroizing sensitive data without
+complex tests-suite which will dump process memory and verify that there is
+no sensitive data left. For JS it means testing all browsers (including mobile).
+And, of course, it will be useless without using the same
+test-suite in the actual application that consumes the library.
+
 ### Supply chain security
 
 - **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
@@ -807,10 +805,12 @@ NIST prohibits classical cryptography (RSA, DSA, ECDSA, ECDH) [after 2035](https
 npm run bench:install && npm run bench
 ```
 
-During first call of most methods, `init` is done, which calculates base point precomputes.
-The method consumes 20MB+ of memory and takes some time.
-You can adjust how many precomputes are generated,
-by using `_setWindowSize`. Check out the source code.
+noble-curves spends 10+ ms to generate 20MB+ of base point precomputes.
+This is done **one-time** per curve.
+
+The generation is deferred until any method (pubkey, sign, verify) is called.
+User can force precompute generation by manually calling `Point.BASE.precompute(windowSize, false)`.
+Check out the source code.
 
 Benchmark results on Apple M4:
 
@@ -915,6 +915,17 @@ aggregateSignatures/2048 x 0 ops/sec @ 2823ms/op
 
 ## Upgrading
 
+Supported node.js versions:
+
+- v2: v20.19+ (ESM-only)
+- v1: v14.21+ (ESM & CJS)
+
+### curves v1 => curves v2
+
+WIP. Changelog of v2, when upgrading from curves v1.
+
+### noble-secp256k1 v1 => curves v1
+
 Previously, the library was split into single-feature packages
 [noble-secp256k1](https://github.com/paulmillr/noble-secp256k1),
 [noble-ed25519](https://github.com/paulmillr/noble-ed25519) and
@@ -924,10 +935,6 @@ Curves continue their original work. The single-feature packages changed their
 direction towards providing minimal 4kb implementations of cryptography,
 which means they have less features.
 
-Upgrading from noble-secp256k1 2.0 or noble-ed25519 2.0: no changes, libraries are compatible.
-
-Upgrading from noble-secp256k1 1.7:
-
 - `getPublicKey`
   - now produce 33-byte compressed signatures by default
   - to use old behavior, which produced 65-byte uncompressed keys, set
@@ -954,6 +961,8 @@ Upgrading from noble-secp256k1 1.7:
 - `utils` were split into `utils` (same api as in noble-curves) and
   `etc` (`hmacSha256Sync` and others)
 
+### noble-ed25519 v1 => curves v1
+
 Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) 1.7:
 
 - Methods are now sync by default
@@ -965,6 +974,8 @@ Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) 1.7:
 - `getSharedSecret` was moved to `x25519` module
 - `toX25519` has been moved to `edwardsToMontgomeryPub` and `edwardsToMontgomeryPriv` methods
 
+### noble-bls12-381 => curves v1
+
 Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):
 
 - Methods and classes were renamed: