@noble/curves 1.9.1 → 1.9.3

package/src/abstract/edwards.ts

@@ -1,182 +1,264 @@
 /**
  * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
  * For design rationale of types / exports, see weierstrass module documentation.
+ * Untwisted Edwards curves exist, but they aren't used in real-world protocols.
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// prettier-ignore
 import {
-  pippenger, validateBasic, wNAF,
-  type AffinePoint, type BasicCurve, type Group, type GroupConstructor
-} from './curve.ts';
-import { Field, FpInvertBatch, mod } from './modular.ts';
-// prettier-ignore
+  _validateObject,
+  abool,
+  abytes,
+  aInRange,
+  bytesToHex,
+  bytesToNumberLE,
+  concatBytes,
+  ensureBytes,
+  memoized,
+  numberToBytesLE,
+  randomBytes,
+  type FHash,
+  type Hex,
+} from '../utils.ts';
 import {
-  abool, aInRange, bytesToHex, bytesToNumberLE, concatBytes,
-  ensureBytes, memoized, numberToBytesLE, validateObject,
-  type FHash, type Hex
-} from './utils.ts';
+  _createCurveFields,
+  normalizeZ,
+  pippenger,
+  wNAF,
+  type AffinePoint,
+  type BasicCurve,
+  type CurveInfo,
+  type CurvePoint,
+  type CurvePointCons,
+} from './curve.ts';
+import { Field, type IField, type NLength } from './modular.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
 
-/** Edwards curves must declare params a & d. */
+export type UVRatio = (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
+
+// TODO: remove
 export type CurveType = BasicCurve<bigint> & {
   a: bigint; // curve param a
   d: bigint; // curve param d
   hash: FHash; // Hashing
-  randomBytes: (bytesLength?: number) => Uint8Array; // CSPRNG
+  randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
   adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
   domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
-  uvRatio?: (u: bigint, v: bigint) => { isValid: boolean; value: bigint }; // Ratio √(u/v)
+  uvRatio?: UVRatio; // Ratio √(u/v)
   prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
   mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
 };
 
-export type CurveTypeWithLength = Readonly<CurveType & { nByteLength: number; nBitLength: number }>;
-
-// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-const VERIFY_DEFAULT = { zip215: true };
-
-function validateOpts(curve: CurveType): CurveTypeWithLength {
-  const opts = validateBasic(curve);
-  validateObject(
-    curve,
-    {
-      hash: 'function',
-      a: 'bigint',
-      d: 'bigint',
-      randomBytes: 'function',
-    },
-    {
-      adjustScalarBytes: 'function',
-      domain: 'function',
-      uvRatio: 'function',
-      mapToCurve: 'function',
-    }
-  );
-  // Set defaults
-  return Object.freeze({ ...opts } as const);
-}
+// TODO: remove
+export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
 
 /** Instance of Extended Point with coordinates in X, Y, Z, T. */
-export interface ExtPointType extends Group<ExtPointType> {
+export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
+  /** extended X coordinate. Different from affine x. */
+  readonly X: bigint;
+  /** extended Y coordinate. Different from affine y. */
+  readonly Y: bigint;
+  /** extended Z coordinate */
+  readonly Z: bigint;
+  /** extended T coordinate */
+  readonly T: bigint;
+
+  /** @deprecated use `toBytes` */
+  toRawBytes(): Uint8Array;
+  /** @deprecated use `p.precompute(windowSize)` */
+  _setWindowSize(windowSize: number): void;
+  /** @deprecated use .X */
   readonly ex: bigint;
+  /** @deprecated use .Y */
   readonly ey: bigint;
+  /** @deprecated use .Z */
   readonly ez: bigint;
+  /** @deprecated use .T */
   readonly et: bigint;
-  get x(): bigint;
-  get y(): bigint;
-  assertValidity(): void;
-  multiply(scalar: bigint): ExtPointType;
-  multiplyUnsafe(scalar: bigint): ExtPointType;
-  isSmallOrder(): boolean;
-  isTorsionFree(): boolean;
-  clearCofactor(): ExtPointType;
-  toAffine(iz?: bigint): AffinePoint<bigint>;
-  toRawBytes(isCompressed?: boolean): Uint8Array;
-  toHex(isCompressed?: boolean): string;
-  _setWindowSize(windowSize: number): void;
 }
 /** Static methods of Extended Point with coordinates in X, Y, Z, T. */
-export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
-  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
-  fromAffine(p: AffinePoint<bigint>): ExtPointType;
-  fromHex(hex: Hex): ExtPointType;
-  fromPrivateKey(privateKey: Hex): ExtPointType;
-  msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
+export interface EdwardsPointCons extends CurvePointCons<bigint, EdwardsPoint> {
+  new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
+  fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
+  fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
+  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+  msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
 }
+/** @deprecated use EdwardsPoint */
+export type ExtPointType = EdwardsPoint;
+/** @deprecated use EdwardsPointCons */
+export type ExtPointConstructor = EdwardsPointCons;
 
 /**
- * Edwards Curve interface.
- * Main methods: `getPublicKey(priv)`, `sign(msg, priv)`, `verify(sig, msg, pub)`.
+ * Twisted Edwards curve options.
+ *
+ * * a: formula param
+ * * d: formula param
+ * * p: prime characteristic (order) of finite field, in which arithmetics is done
+ * * n: order of prime subgroup a.k.a total amount of valid curve points
+ * * h: cofactor. h*n is group order; n is subgroup order
+ * * Gx: x coordinate of generator point a.k.a. base point
+ * * Gy: y coordinate of generator point
  */
-export type CurveFn = {
-  CURVE: ReturnType<typeof validateOpts>;
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  sign: (message: Hex, privateKey: Hex, options?: { context?: Hex }) => Uint8Array;
+export type EdwardsOpts = Readonly<{
+  p: bigint;
+  n: bigint;
+  h: bigint;
+  a: bigint;
+  d: bigint;
+  Gx: bigint;
+  Gy: bigint;
+}>;
+
+/**
+ * Extra curve options for Twisted Edwards.
+ *
+ * * Fp: redefined Field over curve.p
+ * * Fn: redefined Field over curve.n
+ * * uvRatio: helper function for decompression, calculating √(u/v)
+ */
+export type EdwardsExtraOpts = Partial<{
+  Fp: IField<bigint>;
+  Fn: IField<bigint>;
+  uvRatio: (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
+}>;
+
+/**
+ * EdDSA (Edwards Digital Signature algorithm) options.
+ *
+ * * hash: hash function used to hash secret keys and messages
+ * * adjustScalarBytes: clears bits to get valid field element
+ * * domain: Used for hashing
+ * * mapToCurve: for hash-to-curve standard
+ * * prehash: RFC 8032 pre-hashing of messages to sign() / verify()
+ * * randomBytes: function generating random bytes, used for randomSecretKey
+ */
+export type EdDSAOpts = Partial<{
+  adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
+  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
+  mapToCurve: (scalar: bigint[]) => AffinePoint<bigint>;
+  prehash: FHash;
+  randomBytes: (bytesLength?: number) => Uint8Array;
+}>;
+
+/**
+ * EdDSA (Edwards Digital Signature algorithm) interface.
+ *
+ * Allows to create and verify signatures, create public and secret keys.
+ */
+export interface EdDSA {
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
+  getPublicKey: (secretKey: Hex) => Uint8Array;
+  sign: (message: Hex, secretKey: Hex, options?: { context?: Hex }) => Uint8Array;
   verify: (
     sig: Hex,
     message: Hex,
     publicKey: Hex,
     options?: { context?: Hex; zip215: boolean }
   ) => boolean;
-  ExtendedPoint: ExtPointConstructor;
+  Point: EdwardsPointCons;
   utils: {
-    randomPrivateKey: () => Uint8Array;
+    randomSecretKey: (seed?: Uint8Array) => Uint8Array;
+    isValidSecretKey: (secretKey: Uint8Array) => boolean;
+    isValidPublicKey: (publicKey: Uint8Array, zip215?: boolean) => boolean;
+
+    /**
+     * Converts ed public key to x public key.
+     * @example
+     * ```js
+     * const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
+     * const aPriv = x25519.utils.randomSecretKey();
+     * x25519.getSharedSecret(aPriv, ed25519.utils.toMontgomery(someonesPub))
+     * ```
+     */
+    toMontgomery: (publicKey: Uint8Array) => Uint8Array;
+    /**
+     * Converts ed secret key to x secret key.
+     * @example
+     * ```js
+     * const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
+     * const aPriv = ed25519.utils.randomSecretKey();
+     * x25519.getSharedSecret(ed25519.utils.toMontgomeryPriv(aPriv), someonesPub)
+     * ```
+     */
+    toMontgomeryPriv: (privateKey: Uint8Array) => Uint8Array;
     getExtendedPublicKey: (key: Hex) => {
       head: Uint8Array;
       prefix: Uint8Array;
       scalar: bigint;
-      point: ExtPointType;
+      point: EdwardsPoint;
       pointBytes: Uint8Array;
     };
-    precompute: (windowSize?: number, point?: ExtPointType) => ExtPointType;
+
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
+    /** @deprecated use `point.precompute()` */
+    precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
   };
+  info: CurveInfo;
+}
+
+// Legacy params. TODO: remove
+export type CurveFn = {
+  CURVE: CurveType;
+  keygen: EdDSA['keygen'];
+  getPublicKey: EdDSA['getPublicKey'];
+  sign: EdDSA['sign'];
+  verify: EdDSA['verify'];
+  Point: EdwardsPointCons;
+  /** @deprecated use `Point` */
+  ExtendedPoint: EdwardsPointCons;
+  utils: EdDSA['utils'];
+  info: CurveInfo;
 };
 
-/**
- * Creates Twisted Edwards curve with EdDSA signatures.
- * @example
- * import { Field } from '@noble/curves/abstract/modular';
- * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h
- * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })
- */
-export function twistedEdwards(curveDef: CurveType): CurveFn {
-  const CURVE = validateOpts(curveDef) as ReturnType<typeof validateOpts>;
-  const {
-    Fp,
-    n: CURVE_ORDER,
-    prehash: prehash,
-    hash: cHash,
-    randomBytes,
-    nByteLength,
-    h: cofactor,
-  } = CURVE;
+function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigint): boolean {
+  const x2 = Fp.sqr(x);
+  const y2 = Fp.sqr(y);
+  const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
+  const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
+  return Fp.eql(left, right);
+}
+
+export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
+  const { Fp, Fn } = _createCurveFields('edwards', CURVE, curveOpts);
+  const { h: cofactor, n: CURVE_ORDER } = CURVE;
+  _validateObject(curveOpts, {}, { uvRatio: 'function' });
+
   // Important:
   // There are some places where Fp.BYTES is used instead of nByteLength.
   // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
   // TODO: test and find curves which behave otherwise.
-  const MASK = _2n << (BigInt(nByteLength * 8) - _1n);
-  const modP = Fp.create; // Function overrides
-  const Fn = Field(CURVE.n, CURVE.nBitLength);
-
-  function isEdValidXY(x: bigint, y: bigint): boolean {
-    const x2 = Fp.sqr(x);
-    const y2 = Fp.sqr(y);
-    const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
-    const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
-    return Fp.eql(left, right);
-  }
-
-  // Validate whether the passed curve params are valid.
-  // equation ax² + y² = 1 + dx²y² should work for generator point.
-  if (!isEdValidXY(CURVE.Gx, CURVE.Gy)) throw new Error('bad curve params: generator point');
+  const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
+  const modP = (n: bigint) => Fp.create(n); // Function overrides
 
   // sqrt(u/v)
   const uvRatio =
-    CURVE.uvRatio ||
+    curveOpts.uvRatio ||
     ((u: bigint, v: bigint) => {
       try {
-        return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
+        return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
       } catch (e) {
         return { isValid: false, value: _0n };
       }
     });
-  const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes: Uint8Array) => bytes); // NOOP
-  const domain =
-    CURVE.domain ||
-    ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
-      abool('phflag', phflag);
-      if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
-      return data;
-    }); // NOOP
-  // 0 <= n < MASK
-  // Coordinates larger than Fp.ORDER are allowed for zip215
-  function aCoordinate(title: string, n: bigint, banZero = false) {
+
+  // Validate whether the passed curve params are valid.
+  // equation ax² + y² = 1 + dx²y² should work for generator point.
+  if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
+    throw new Error('bad curve params: generator point');
+
+  /**
+   * Asserts coordinate is valid: 0 <= n < MASK.
+   * Coordinates >= Fp.ORDER are allowed for zip215.
+   */
+  function acoord(title: string, n: bigint, banZero = false) {
     const min = banZero ? _1n : _0n;
     aInRange('coordinate ' + title, n, min, MASK);
+    return n;
   }
 
   function aextpoint(other: unknown) {
@@ -185,22 +267,22 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   // Converts Extended point to default (x, y) coordinates.
   // Can accept precomputed Z^-1 - for example, from invertBatch.
   const toAffineMemo = memoized((p: Point, iz?: bigint): AffinePoint<bigint> => {
-    const { ex: x, ey: y, ez: z } = p;
+    const { X, Y, Z } = p;
     const is0 = p.is0();
-    if (iz == null) iz = is0 ? _8n : (Fp.inv(z) as bigint); // 8 was chosen arbitrarily
-    const ax = modP(x * iz);
-    const ay = modP(y * iz);
-    const zz = modP(z * iz);
+    if (iz == null) iz = is0 ? _8n : (Fp.inv(Z) as bigint); // 8 was chosen arbitrarily
+    const x = modP(X * iz);
+    const y = modP(Y * iz);
+    const zz = Fp.mul(Z, iz);
     if (is0) return { x: _0n, y: _1n };
     if (zz !== _1n) throw new Error('invZ was invalid');
-    return { x: ax, y: ay };
+    return { x, y };
   });
   const assertValidMemo = memoized((p: Point) => {
     const { a, d } = CURVE;
     if (p.is0()) throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
     // Equation in affine coordinates: ax² + y² = 1 + dx²y²
     // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-    const { ex: X, ey: Y, ez: Z, et: T } = p;
+    const { X, Y, Z, T } = p;
     const X2 = modP(X * X); // X²
     const Y2 = modP(Y * Y); // Y²
     const Z2 = modP(Z * Z); // Z²
@@ -218,25 +300,25 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
   // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
   // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
-  class Point implements ExtPointType {
+  class Point implements EdwardsPoint {
     // base / generator point
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     // zero / infinity / identity point
     static readonly ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
-    readonly ex: bigint;
-    readonly ey: bigint;
-    readonly ez: bigint;
-    readonly et: bigint;
-
-    constructor(ex: bigint, ey: bigint, ez: bigint, et: bigint) {
-      aCoordinate('x', ex);
-      aCoordinate('y', ey);
-      aCoordinate('z', ez, true);
-      aCoordinate('t', et);
-      this.ex = ex;
-      this.ey = ey;
-      this.ez = ez;
-      this.et = et;
+    // fields
+    static readonly Fp = Fp;
+    static readonly Fn = Fn;
+
+    readonly X: bigint;
+    readonly Y: bigint;
+    readonly Z: bigint;
+    readonly T: bigint;
+
+    constructor(X: bigint, Y: bigint, Z: bigint, T: bigint) {
+      this.X = acoord('x', X);
+      this.Y = acoord('y', Y);
+      this.Z = acoord('z', Z, true);
+      this.T = acoord('t', T);
       Object.freeze(this);
     }
 
@@ -247,31 +329,44 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       return this.toAffine().y;
     }
 
-    static fromAffine(p: AffinePoint<bigint>): Point {
-      if (p instanceof Point) throw new Error('extended point not allowed');
-      const { x, y } = p || {};
-      aCoordinate('x', x);
-      aCoordinate('y', y);
-      return new Point(x, y, _1n, modP(x * y));
+    // TODO: remove
+    get ex(): bigint {
+      return this.X;
+    }
+    get ey(): bigint {
+      return this.Y;
+    }
+    get ez(): bigint {
+      return this.Z;
+    }
+    get et(): bigint {
+      return this.T;
     }
     static normalizeZ(points: Point[]): Point[] {
-      const toInv = FpInvertBatch(
-        Fp,
-        points.map((p) => p.ez)
-      );
-      return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+      return normalizeZ(Point, points);
     }
-    // Multiscalar Multiplication
     static msm(points: Point[], scalars: bigint[]): Point {
       return pippenger(Point, Fn, points, scalars);
     }
-
-    // "Private method", don't use it directly
     _setWindowSize(windowSize: number) {
-      wnaf.setWindowSize(this, windowSize);
+      this.precompute(windowSize);
+    }
+
+    static fromAffine(p: AffinePoint<bigint>): Point {
+      if (p instanceof Point) throw new Error('extended point not allowed');
+      const { x, y } = p || {};
+      acoord('x', x);
+      acoord('y', y);
+      return new Point(x, y, _1n, modP(x * y));
+    }
+
+    precompute(windowSize: number = 8, isLazy = true) {
+      wnaf.createCache(this, windowSize);
+      if (!isLazy) this.multiply(_2n); // random number
+      return this;
     }
-    // Not required for fromHex(), which always creates valid points.
-    // Could be useful for fromAffine().
+
+    // Useful in fromAffine() - not for fromBytes(), which always created valid points.
     assertValidity(): void {
       assertValidMemo(this);
     }
@@ -279,8 +374,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Compare one point to another.
     equals(other: Point): boolean {
       aextpoint(other);
-      const { ex: X1, ey: Y1, ez: Z1 } = this;
-      const { ex: X2, ey: Y2, ez: Z2 } = other;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
       const X1Z2 = modP(X1 * Z2);
       const X2Z1 = modP(X2 * Z1);
       const Y1Z2 = modP(Y1 * Z2);
@@ -294,7 +389,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
 
     negate(): Point {
       // Flips point sign to a negative one (-x, y in affine coords)
-      return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+      return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
     }
 
     // Fast algo for doubling Extended Point.
@@ -302,7 +397,7 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Cost: 4M + 4S + 1*a + 6add + 1*2.
     double(): Point {
       const { a } = CURVE;
-      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
       const A = modP(X1 * X1); // A = X12
       const B = modP(Y1 * Y1); // B = Y12
       const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
@@ -325,8 +420,8 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     add(other: Point) {
       aextpoint(other);
       const { a, d } = CURVE;
-      const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
-      const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
+      const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+      const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
       const A = modP(X1 * X2); // A = X1*X2
       const B = modP(Y1 * Y2); // B = Y1*Y2
       const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -346,16 +441,12 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       return this.add(other.negate());
     }
 
-    private wNAF(n: bigint): { p: Point; f: Point } {
-      return wnaf.wNAFCached(this, n, Point.normalizeZ);
-    }
-
     // Constant-time multiplication.
     multiply(scalar: bigint): Point {
       const n = scalar;
       aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
-      const { p, f } = this.wNAF(n);
-      return Point.normalizeZ([p, f])[0];
+      const { p, f } = wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+      return normalizeZ(Point, [p, f])[0];
     }
 
     // Non-constant-time multiplication. Uses double-and-add algorithm.
@@ -366,9 +457,9 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     multiplyUnsafe(scalar: bigint, acc = Point.ZERO): Point {
       const n = scalar;
       aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
-      if (n === _0n) return I;
+      if (n === _0n) return Point.ZERO;
       if (this.is0() || n === _1n) return this;
-      return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
+      return wnaf.unsafe(this, n, (p) => normalizeZ(Point, p), acc);
     }
 
     // Checks if point is of small order.
@@ -382,21 +473,25 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     // Multiplies point by curve order and checks if the result is 0.
     // Returns `false` is the point is dirty.
     isTorsionFree(): boolean {
-      return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
+      return wnaf.unsafe(this, CURVE_ORDER).is0();
     }
 
     // Converts Extended point to default (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
-    toAffine(iz?: bigint): AffinePoint<bigint> {
-      return toAffineMemo(this, iz);
+    toAffine(invertedZ?: bigint): AffinePoint<bigint> {
+      return toAffineMemo(this, invertedZ);
     }
 
     clearCofactor(): Point {
-      const { h: cofactor } = CURVE;
       if (cofactor === _1n) return this;
       return this.multiplyUnsafe(cofactor);
     }
 
+    static fromBytes(bytes: Uint8Array, zip215 = false): Point {
+      abytes(bytes);
+      return Point.fromHex(bytes, zip215);
+    }
+
     // Converts hash string or Uint8Array to Point.
     // Uses algo from RFC8032 5.1.3.
     static fromHex(hex: Hex, zip215 = false): Point {
@@ -431,28 +526,176 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
       if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
       return Point.fromAffine({ x, y });
     }
-    static fromPrivateKey(privKey: Hex): Point {
-      const { scalar } = getPrivateScalar(privKey);
-      return G.multiply(scalar); // reduced one call of `toRawBytes`
-    }
-    toRawBytes(): Uint8Array {
+    toBytes(): Uint8Array {
       const { x, y } = this.toAffine();
       const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
       bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
       return bytes; // and use the last byte to encode sign of x
     }
+    /** @deprecated use `toBytes` */
+    toRawBytes(): Uint8Array {
+      return this.toBytes();
+    }
     toHex(): string {
-      return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
+      return bytesToHex(this.toBytes());
+    }
+
+    toString() {
+      return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
   }
-  const { BASE: G, ZERO: I } = Point;
-  const wnaf = wNAF(Point, nByteLength * 8);
+  const wnaf = new wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
+  return Point;
+}
+
+/**
+ * Base class for prime-order points like Ristretto255 and Decaf448.
+ * These points eliminate cofactor issues by representing equivalence classes
+ * of Edwards curve points.
+ */
+export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
+  implements CurvePoint<bigint, T>
+{
+  static BASE: PrimeEdwardsPoint<any>;
+  static ZERO: PrimeEdwardsPoint<any>;
+  static Fp: IField<bigint>;
+  static Fn: IField<bigint>;
+
+  protected readonly ep: EdwardsPoint;
+
+  constructor(ep: EdwardsPoint) {
+    this.ep = ep;
+  }
+
+  // Abstract methods that must be implemented by subclasses
+  abstract toBytes(): Uint8Array;
+  abstract equals(other: T): boolean;
+
+  // Static methods that must be implemented by subclasses
+  static fromBytes(_bytes: Uint8Array): any {
+    throw new Error('fromBytes must be implemented by subclass');
+  }
+
+  static fromHex(_hex: Hex): any {
+    throw new Error('fromHex must be implemented by subclass');
+  }
+
+  get x(): bigint {
+    return this.toAffine().x;
+  }
+  get y(): bigint {
+    return this.toAffine().y;
+  }
+
+  // Common implementations
+  clearCofactor(): T {
+    // no-op for prime-order groups
+    return this as any;
+  }
+
+  assertValidity(): void {
+    this.ep.assertValidity();
+  }
+
+  toAffine(invertedZ?: bigint): AffinePoint<bigint> {
+    return this.ep.toAffine(invertedZ);
+  }
+
+  /** @deprecated use `toBytes` */
+  toRawBytes(): Uint8Array {
+    return this.toBytes();
+  }
+
+  toHex(): string {
+    return bytesToHex(this.toBytes());
+  }
+
+  toString(): string {
+    return this.toHex();
+  }
+
+  isTorsionFree(): boolean {
+    return true;
+  }
+
+  isSmallOrder(): boolean {
+    return false;
+  }
+
+  add(other: T): T {
+    this.assertSame(other);
+    return this.init(this.ep.add(other.ep));
+  }
+
+  subtract(other: T): T {
+    this.assertSame(other);
+    return this.init(this.ep.subtract(other.ep));
+  }
+
+  multiply(scalar: bigint): T {
+    return this.init(this.ep.multiply(scalar));
+  }
+
+  multiplyUnsafe(scalar: bigint): T {
+    return this.init(this.ep.multiplyUnsafe(scalar));
+  }
+
+  double(): T {
+    return this.init(this.ep.double());
+  }
+
+  negate(): T {
+    return this.init(this.ep.negate());
+  }
+
+  precompute(windowSize?: number, isLazy?: boolean): T {
+    return this.init(this.ep.precompute(windowSize, isLazy));
+  }
+
+  // Helper methods
+  abstract is0(): boolean;
+  protected abstract assertSame(other: T): void;
+  protected abstract init(ep: EdwardsPoint): T;
+}
+
+/**
+ * Initializes EdDSA signatures over given Edwards curve.
+ */
+export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts): EdDSA {
+  if (typeof cHash !== 'function') throw new Error('"hash" function param is required');
+  _validateObject(
+    eddsaOpts,
+    {},
+    {
+      adjustScalarBytes: 'function',
+      randomBytes: 'function',
+      domain: 'function',
+      prehash: 'function',
+      mapToCurve: 'function',
+    }
+  );
+
+  const { prehash } = eddsaOpts;
+  const { BASE: G, Fp, Fn } = Point;
+  const CURVE_ORDER = Fn.ORDER;
+
+  const randomBytes_ = eddsaOpts.randomBytes || randomBytes;
+  const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes: Uint8Array) => bytes); // NOOP
+  const domain =
+    eddsaOpts.domain ||
+    ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
+      abool('phflag', phflag);
+      if (ctx.length || phflag) throw new Error('Contexts/pre-hash are not supported');
+      return data;
+    }); // NOOP
 
   function modN(a: bigint) {
-    return mod(a, CURVE_ORDER);
+    return Fn.create(a);
   }
+
   // Little-endian SHA512 with modulo n
   function modN_LE(hash: Uint8Array): bigint {
+    // Not using Fn.fromBytes: hash can be 2*Fn.BYTES
     return modN(bytesToNumberLE(hash));
   }
 
@@ -469,17 +712,17 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     return { head, prefix, scalar };
   }
 
-  // Convenience method that creates public key from scalar. RFC8032 5.1.5
-  function getExtendedPublicKey(key: Hex) {
-    const { head, prefix, scalar } = getPrivateScalar(key);
+  /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+  function getExtendedPublicKey(secretKey: Hex) {
+    const { head, prefix, scalar } = getPrivateScalar(secretKey);
     const point = G.multiply(scalar); // Point on Edwards curve aka public key
-    const pointBytes = point.toRawBytes(); // Uint8Array representation
+    const pointBytes = point.toBytes();
     return { head, prefix, scalar, point, pointBytes };
   }
 
-  // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
-  function getPublicKey(privKey: Hex): Uint8Array {
-    return getExtendedPublicKey(privKey).pointBytes;
+  /** Calculates EdDSA pub key. RFC8032 5.1.5. */
+  function getPublicKey(secretKey: Hex): Uint8Array {
+    return getExtendedPublicKey(secretKey).pointBytes;
   }
 
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
@@ -489,20 +732,22 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
   }
 
   /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, privKey: Hex, options: { context?: Hex } = {}): Uint8Array {
+  function sign(msg: Hex, secretKey: Hex, options: { context?: Hex } = {}): Uint8Array {
     msg = ensureBytes('message', msg);
     if (prehash) msg = prehash(msg); // for ed25519ph etc.
-    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+    const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
     const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
-    const R = G.multiply(r).toRawBytes(); // R = rG
+    const R = G.multiply(r).toBytes(); // R = rG
     const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
     const s = modN(r + k * scalar); // S = (r + k * s) mod L
     aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
-    const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
-    return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
+    const L = Fp.BYTES;
+    const res = concatBytes(R, numberToBytesLE(s, L));
+    return ensureBytes('result', res, L * 2); // 64-byte signature
   }
 
-  const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+  // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+  const verifyOpts: { context?: Hex; zip215?: boolean } = { zip215: true };
 
   /**
    * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
@@ -531,19 +776,63 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
     }
     if (!zip215 && A.isSmallOrder()) return false;
 
-    const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+    const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));
     // Extended group equation
     // [8][S]B = [8]R + [8][k]A'
-    return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
+    return RkA.subtract(SB).clearCofactor().is0();
   }
 
-  G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+  G.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+
+  const size = Fp.BYTES;
+  const lengths = {
+    secret: size,
+    public: size,
+    signature: 2 * size,
+    seed: size,
+  };
+  function randomSecretKey(seed = randomBytes_!(lengths.seed)): Uint8Array {
+    return seed;
+  }
 
   const utils = {
     getExtendedPublicKey,
     /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
-    randomPrivateKey: (): Uint8Array => randomBytes(Fp.BYTES),
+    randomSecretKey,
+
+    isValidSecretKey,
+    isValidPublicKey,
+
+    randomPrivateKey: randomSecretKey,
+
+    /**
+     * Converts ed public key to x public key. Uses formula:
+     * - ed25519:
+     *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+     *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+     * - ed448:
+     *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+     *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+     *
+     * There is NO `fromMontgomery`:
+     * - There are 2 valid ed25519 points for every x25519, with flipped coordinate
+     * - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
+     *   accepts inputs on the quadratic twist, which can't be moved to ed25519
+     */
+    toMontgomery(publicKey: Uint8Array): Uint8Array {
+      const { y } = Point.fromBytes(publicKey);
+      const is25519 = size === 32;
+      if (!is25519 && size !== 57) throw new Error('only defined for 25519 and 448');
+      const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
+      return Fp.toBytes(u);
+    },
+
+    toMontgomeryPriv(privateKey: Uint8Array): Uint8Array {
+      abytes(privateKey, size);
+      const hashed = cHash(privateKey.subarray(0, size));
+      return adjustScalarBytes(hashed).subarray(0, size);
+    },
 
     /**
      * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
@@ -551,19 +840,82 @@ export function twistedEdwards(curveDef: CurveType): CurveFn {
      * but allows to speed-up subsequent getPublicKey() calls up to 20x.
      * @param windowSize 2, 4, 8, 16
      */
-    precompute(windowSize = 8, point: ExtPointType = Point.BASE): ExtPointType {
-      point._setWindowSize(windowSize);
-      point.multiply(BigInt(3));
-      return point;
+    precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
+      return point.precompute(windowSize, false);
     },
   };
 
-  return {
-    CURVE,
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  }
+
+  function isValidSecretKey(key: Uint8Array): boolean {
+    try {
+      return !!Fn.fromBytes(key, false);
+    } catch (error) {
+      return false;
+    }
+  }
+
+  function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
+    try {
+      return !!Point.fromBytes(key, zip215);
+    } catch (error) {
+      return false;
+    }
+  }
+
+  return Object.freeze({
+    keygen,
     getPublicKey,
     sign,
     verify,
-    ExtendedPoint: Point,
     utils,
+    Point,
+    info: { type: 'edwards' as const, lengths },
+  });
+}
+
+// TODO: remove
+export type EdComposed = {
+  CURVE: EdwardsOpts;
+  curveOpts: EdwardsExtraOpts;
+  hash: FHash;
+  eddsaOpts: EdDSAOpts;
+};
+// TODO: remove
+function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
+  const CURVE: EdwardsOpts = {
+    a: c.a,
+    d: c.d,
+    p: c.Fp.ORDER,
+    n: c.n,
+    h: c.h,
+    Gx: c.Gx,
+    Gy: c.Gy,
+  };
+  const Fp = c.Fp;
+  const Fn = Field(CURVE.n, c.nBitLength, true);
+  const curveOpts: EdwardsExtraOpts = { Fp, Fn, uvRatio: c.uvRatio };
+  const eddsaOpts: EdDSAOpts = {
+    randomBytes: c.randomBytes,
+    adjustScalarBytes: c.adjustScalarBytes,
+    domain: c.domain,
+    prehash: c.prehash,
+    mapToCurve: c.mapToCurve,
   };
+  return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
+}
+// TODO: remove
+function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
+  const legacy = Object.assign({}, eddsa, { ExtendedPoint: eddsa.Point, CURVE: c });
+  return legacy;
+}
+// TODO: remove. Use eddsa
+export function twistedEdwards(c: CurveTypeWithLength): CurveFn {
+  const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
+  const Point = edwards(CURVE, curveOpts);
+  const EDDSA = eddsa(Point, hash, eddsaOpts);
+  return _eddsa_new_output_to_legacy(c, EDDSA);
 }