@noble/curves 1.9.1 → 1.9.3

package/abstract/edwards.js

@@ -1,89 +1,61 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.PrimeEdwardsPoint = void 0;
+exports.edwards = edwards;
+exports.eddsa = eddsa;
 exports.twistedEdwards = twistedEdwards;
 /**
  * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
  * For design rationale of types / exports, see weierstrass module documentation.
+ * Untwisted Edwards curves exist, but they aren't used in real-world protocols.
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// prettier-ignore
+const utils_ts_1 = require("../utils.js");
 const curve_ts_1 = require("./curve.js");
 const modular_ts_1 = require("./modular.js");
-// prettier-ignore
-const utils_ts_1 = require("./utils.js");
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
-// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-const VERIFY_DEFAULT = { zip215: true };
-function validateOpts(curve) {
-    const opts = (0, curve_ts_1.validateBasic)(curve);
-    (0, utils_ts_1.validateObject)(curve, {
-        hash: 'function',
-        a: 'bigint',
-        d: 'bigint',
-        randomBytes: 'function',
-    }, {
-        adjustScalarBytes: 'function',
-        domain: 'function',
-        uvRatio: 'function',
-        mapToCurve: 'function',
-    });
-    // Set defaults
-    return Object.freeze({ ...opts });
+function isEdValidXY(Fp, CURVE, x, y) {
+    const x2 = Fp.sqr(x);
+    const y2 = Fp.sqr(y);
+    const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
+    const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
+    return Fp.eql(left, right);
 }
-/**
- * Creates Twisted Edwards curve with EdDSA signatures.
- * @example
- * import { Field } from '@noble/curves/abstract/modular';
- * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h
- * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })
- */
-function twistedEdwards(curveDef) {
-    const CURVE = validateOpts(curveDef);
-    const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
+function edwards(CURVE, curveOpts = {}) {
+    const { Fp, Fn } = (0, curve_ts_1._createCurveFields)('edwards', CURVE, curveOpts);
+    const { h: cofactor, n: CURVE_ORDER } = CURVE;
+    (0, utils_ts_1._validateObject)(curveOpts, {}, { uvRatio: 'function' });
     // Important:
     // There are some places where Fp.BYTES is used instead of nByteLength.
     // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
     // TODO: test and find curves which behave otherwise.
-    const MASK = _2n << (BigInt(nByteLength * 8) - _1n);
-    const modP = Fp.create; // Function overrides
-    const Fn = (0, modular_ts_1.Field)(CURVE.n, CURVE.nBitLength);
-    function isEdValidXY(x, y) {
-        const x2 = Fp.sqr(x);
-        const y2 = Fp.sqr(y);
-        const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
-        const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
-        return Fp.eql(left, right);
-    }
-    // Validate whether the passed curve params are valid.
-    // equation ax² + y² = 1 + dx²y² should work for generator point.
-    if (!isEdValidXY(CURVE.Gx, CURVE.Gy))
-        throw new Error('bad curve params: generator point');
+    const MASK = _2n << (BigInt(Fn.BYTES * 8) - _1n);
+    const modP = (n) => Fp.create(n); // Function overrides
     // sqrt(u/v)
-    const uvRatio = CURVE.uvRatio ||
+    const uvRatio = curveOpts.uvRatio ||
         ((u, v) => {
             try {
-                return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
+                return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
             }
             catch (e) {
                 return { isValid: false, value: _0n };
             }
         });
-    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
-    const domain = CURVE.domain ||
-        ((data, ctx, phflag) => {
-            (0, utils_ts_1.abool)('phflag', phflag);
-            if (ctx.length || phflag)
-                throw new Error('Contexts/pre-hash are not supported');
-            return data;
-        }); // NOOP
-    // 0 <= n < MASK
-    // Coordinates larger than Fp.ORDER are allowed for zip215
-    function aCoordinate(title, n, banZero = false) {
+    // Validate whether the passed curve params are valid.
+    // equation ax² + y² = 1 + dx²y² should work for generator point.
+    if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
+        throw new Error('bad curve params: generator point');
+    /**
+     * Asserts coordinate is valid: 0 <= n < MASK.
+     * Coordinates >= Fp.ORDER are allowed for zip215.
+     */
+    function acoord(title, n, banZero = false) {
         const min = banZero ? _1n : _0n;
         (0, utils_ts_1.aInRange)('coordinate ' + title, n, min, MASK);
+        return n;
     }
     function aextpoint(other) {
         if (!(other instanceof Point))
@@ -92,18 +64,18 @@ function twistedEdwards(curveDef) {
     // Converts Extended point to default (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     const toAffineMemo = (0, utils_ts_1.memoized)((p, iz) => {
-        const { ex: x, ey: y, ez: z } = p;
+        const { X, Y, Z } = p;
         const is0 = p.is0();
         if (iz == null)
-            iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
-        const ax = modP(x * iz);
-        const ay = modP(y * iz);
-        const zz = modP(z * iz);
+            iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily
+        const x = modP(X * iz);
+        const y = modP(Y * iz);
+        const zz = Fp.mul(Z, iz);
         if (is0)
             return { x: _0n, y: _1n };
         if (zz !== _1n)
             throw new Error('invZ was invalid');
-        return { x: ax, y: ay };
+        return { x, y };
     });
     const assertValidMemo = (0, utils_ts_1.memoized)((p) => {
         const { a, d } = CURVE;
@@ -111,7 +83,7 @@ function twistedEdwards(curveDef) {
             throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
         // Equation in affine coordinates: ax² + y² = 1 + dx²y²
         // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-        const { ex: X, ey: Y, ez: Z, et: T } = p;
+        const { X, Y, Z, T } = p;
         const X2 = modP(X * X); // X²
         const Y2 = modP(Y * Y); // Y²
         const Z2 = modP(Z * Z); // Z²
@@ -131,15 +103,11 @@ function twistedEdwards(curveDef) {
     // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
     // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
     class Point {
-        constructor(ex, ey, ez, et) {
-            aCoordinate('x', ex);
-            aCoordinate('y', ey);
-            aCoordinate('z', ez, true);
-            aCoordinate('t', et);
-            this.ex = ex;
-            this.ey = ey;
-            this.ez = ez;
-            this.et = et;
+        constructor(X, Y, Z, T) {
+            this.X = acoord('x', X);
+            this.Y = acoord('y', Y);
+            this.Z = acoord('z', Z, true);
+            this.T = acoord('t', T);
             Object.freeze(this);
         }
         get x() {
@@ -148,36 +116,51 @@ function twistedEdwards(curveDef) {
         get y() {
             return this.toAffine().y;
         }
-        static fromAffine(p) {
-            if (p instanceof Point)
-                throw new Error('extended point not allowed');
-            const { x, y } = p || {};
-            aCoordinate('x', x);
-            aCoordinate('y', y);
-            return new Point(x, y, _1n, modP(x * y));
+        // TODO: remove
+        get ex() {
+            return this.X;
+        }
+        get ey() {
+            return this.Y;
+        }
+        get ez() {
+            return this.Z;
+        }
+        get et() {
+            return this.T;
         }
         static normalizeZ(points) {
-            const toInv = (0, modular_ts_1.FpInvertBatch)(Fp, points.map((p) => p.ez));
-            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+            return (0, curve_ts_1.normalizeZ)(Point, points);
         }
-        // Multiscalar Multiplication
         static msm(points, scalars) {
             return (0, curve_ts_1.pippenger)(Point, Fn, points, scalars);
         }
-        // "Private method", don't use it directly
         _setWindowSize(windowSize) {
-            wnaf.setWindowSize(this, windowSize);
+            this.precompute(windowSize);
+        }
+        static fromAffine(p) {
+            if (p instanceof Point)
+                throw new Error('extended point not allowed');
+            const { x, y } = p || {};
+            acoord('x', x);
+            acoord('y', y);
+            return new Point(x, y, _1n, modP(x * y));
         }
-        // Not required for fromHex(), which always creates valid points.
-        // Could be useful for fromAffine().
+        precompute(windowSize = 8, isLazy = true) {
+            wnaf.createCache(this, windowSize);
+            if (!isLazy)
+                this.multiply(_2n); // random number
+            return this;
+        }
+        // Useful in fromAffine() - not for fromBytes(), which always created valid points.
         assertValidity() {
             assertValidMemo(this);
         }
         // Compare one point to another.
         equals(other) {
             aextpoint(other);
-            const { ex: X1, ey: Y1, ez: Z1 } = this;
-            const { ex: X2, ey: Y2, ez: Z2 } = other;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
             const X2Z1 = modP(X2 * Z1);
             const Y1Z2 = modP(Y1 * Z2);
@@ -189,14 +172,14 @@ function twistedEdwards(curveDef) {
         }
         negate() {
             // Flips point sign to a negative one (-x, y in affine coords)
-            return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+            return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
         }
         // Fast algo for doubling Extended Point.
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
         // Cost: 4M + 4S + 1*a + 6add + 1*2.
         double() {
             const { a } = CURVE;
-            const { ex: X1, ey: Y1, ez: Z1 } = this;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
             const A = modP(X1 * X1); // A = X12
             const B = modP(Y1 * Y1); // B = Y12
             const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
@@ -218,8 +201,8 @@ function twistedEdwards(curveDef) {
         add(other) {
             aextpoint(other);
             const { a, d } = CURVE;
-            const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
-            const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
+            const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+            const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
             const A = modP(X1 * X2); // A = X1*X2
             const B = modP(Y1 * Y2); // B = Y1*Y2
             const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -237,15 +220,12 @@ function twistedEdwards(curveDef) {
         subtract(other) {
             return this.add(other.negate());
         }
-        wNAF(n) {
-            return wnaf.wNAFCached(this, n, Point.normalizeZ);
-        }
         // Constant-time multiplication.
         multiply(scalar) {
             const n = scalar;
             (0, utils_ts_1.aInRange)('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
-            const { p, f } = this.wNAF(n);
-            return Point.normalizeZ([p, f])[0];
+            const { p, f } = wnaf.cached(this, n, (p) => (0, curve_ts_1.normalizeZ)(Point, p));
+            return (0, curve_ts_1.normalizeZ)(Point, [p, f])[0];
         }
         // Non-constant-time multiplication. Uses double-and-add algorithm.
         // It's faster, but should only be used when you don't care about
@@ -256,10 +236,10 @@ function twistedEdwards(curveDef) {
             const n = scalar;
             (0, utils_ts_1.aInRange)('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
             if (n === _0n)
-                return I;
+                return Point.ZERO;
             if (this.is0() || n === _1n)
                 return this;
-            return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
+            return wnaf.unsafe(this, n, (p) => (0, curve_ts_1.normalizeZ)(Point, p), acc);
         }
         // Checks if point is of small order.
         // If you add something to small order point, you will have "dirty"
@@ -271,19 +251,22 @@ function twistedEdwards(curveDef) {
         // Multiplies point by curve order and checks if the result is 0.
         // Returns `false` is the point is dirty.
         isTorsionFree() {
-            return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
+            return wnaf.unsafe(this, CURVE_ORDER).is0();
         }
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
-        toAffine(iz) {
-            return toAffineMemo(this, iz);
+        toAffine(invertedZ) {
+            return toAffineMemo(this, invertedZ);
         }
         clearCofactor() {
-            const { h: cofactor } = CURVE;
             if (cofactor === _1n)
                 return this;
             return this.multiplyUnsafe(cofactor);
         }
+        static fromBytes(bytes, zip215 = false) {
+            (0, utils_ts_1.abytes)(bytes);
+            return Point.fromHex(bytes, zip215);
+        }
         // Converts hash string or Uint8Array to Point.
         // Uses algo from RFC8032 5.1.3.
         static fromHex(hex, zip215 = false) {
@@ -318,31 +301,138 @@ function twistedEdwards(curveDef) {
                 x = modP(-x); // if x_0 != x mod 2, set x = p-x
             return Point.fromAffine({ x, y });
         }
-        static fromPrivateKey(privKey) {
-            const { scalar } = getPrivateScalar(privKey);
-            return G.multiply(scalar); // reduced one call of `toRawBytes`
-        }
-        toRawBytes() {
+        toBytes() {
             const { x, y } = this.toAffine();
             const bytes = (0, utils_ts_1.numberToBytesLE)(y, Fp.BYTES); // each y has 2 x values (x, -y)
             bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
             return bytes; // and use the last byte to encode sign of x
         }
+        /** @deprecated use `toBytes` */
+        toRawBytes() {
+            return this.toBytes();
+        }
         toHex() {
-            return (0, utils_ts_1.bytesToHex)(this.toRawBytes()); // Same as toRawBytes, but returns string.
+            return (0, utils_ts_1.bytesToHex)(this.toBytes());
+        }
+        toString() {
+            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
         }
     }
     // base / generator point
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     // zero / infinity / identity point
     Point.ZERO = new Point(_0n, _1n, _1n, _0n); // 0, 1, 1, 0
-    const { BASE: G, ZERO: I } = Point;
-    const wnaf = (0, curve_ts_1.wNAF)(Point, nByteLength * 8);
+    // fields
+    Point.Fp = Fp;
+    Point.Fn = Fn;
+    const wnaf = new curve_ts_1.wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
+    return Point;
+}
+/**
+ * Base class for prime-order points like Ristretto255 and Decaf448.
+ * These points eliminate cofactor issues by representing equivalence classes
+ * of Edwards curve points.
+ */
+class PrimeEdwardsPoint {
+    constructor(ep) {
+        this.ep = ep;
+    }
+    // Static methods that must be implemented by subclasses
+    static fromBytes(_bytes) {
+        throw new Error('fromBytes must be implemented by subclass');
+    }
+    static fromHex(_hex) {
+        throw new Error('fromHex must be implemented by subclass');
+    }
+    get x() {
+        return this.toAffine().x;
+    }
+    get y() {
+        return this.toAffine().y;
+    }
+    // Common implementations
+    clearCofactor() {
+        // no-op for prime-order groups
+        return this;
+    }
+    assertValidity() {
+        this.ep.assertValidity();
+    }
+    toAffine(invertedZ) {
+        return this.ep.toAffine(invertedZ);
+    }
+    /** @deprecated use `toBytes` */
+    toRawBytes() {
+        return this.toBytes();
+    }
+    toHex() {
+        return (0, utils_ts_1.bytesToHex)(this.toBytes());
+    }
+    toString() {
+        return this.toHex();
+    }
+    isTorsionFree() {
+        return true;
+    }
+    isSmallOrder() {
+        return false;
+    }
+    add(other) {
+        this.assertSame(other);
+        return this.init(this.ep.add(other.ep));
+    }
+    subtract(other) {
+        this.assertSame(other);
+        return this.init(this.ep.subtract(other.ep));
+    }
+    multiply(scalar) {
+        return this.init(this.ep.multiply(scalar));
+    }
+    multiplyUnsafe(scalar) {
+        return this.init(this.ep.multiplyUnsafe(scalar));
+    }
+    double() {
+        return this.init(this.ep.double());
+    }
+    negate() {
+        return this.init(this.ep.negate());
+    }
+    precompute(windowSize, isLazy) {
+        return this.init(this.ep.precompute(windowSize, isLazy));
+    }
+}
+exports.PrimeEdwardsPoint = PrimeEdwardsPoint;
+/**
+ * Initializes EdDSA signatures over given Edwards curve.
+ */
+function eddsa(Point, cHash, eddsaOpts) {
+    if (typeof cHash !== 'function')
+        throw new Error('"hash" function param is required');
+    (0, utils_ts_1._validateObject)(eddsaOpts, {}, {
+        adjustScalarBytes: 'function',
+        randomBytes: 'function',
+        domain: 'function',
+        prehash: 'function',
+        mapToCurve: 'function',
+    });
+    const { prehash } = eddsaOpts;
+    const { BASE: G, Fp, Fn } = Point;
+    const CURVE_ORDER = Fn.ORDER;
+    const randomBytes_ = eddsaOpts.randomBytes || utils_ts_1.randomBytes;
+    const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes); // NOOP
+    const domain = eddsaOpts.domain ||
+        ((data, ctx, phflag) => {
+            (0, utils_ts_1.abool)('phflag', phflag);
+            if (ctx.length || phflag)
+                throw new Error('Contexts/pre-hash are not supported');
+            return data;
+        }); // NOOP
     function modN(a) {
-        return (0, modular_ts_1.mod)(a, CURVE_ORDER);
+        return Fn.create(a);
     }
     // Little-endian SHA512 with modulo n
     function modN_LE(hash) {
+        // Not using Fn.fromBytes: hash can be 2*Fn.BYTES
         return modN((0, utils_ts_1.bytesToNumberLE)(hash));
     }
     // Get the hashed private scalar per RFC8032 5.1.5
@@ -357,16 +447,16 @@ function twistedEdwards(curveDef) {
         const scalar = modN_LE(head); // The actual private scalar
         return { head, prefix, scalar };
     }
-    // Convenience method that creates public key from scalar. RFC8032 5.1.5
-    function getExtendedPublicKey(key) {
-        const { head, prefix, scalar } = getPrivateScalar(key);
+    /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+    function getExtendedPublicKey(secretKey) {
+        const { head, prefix, scalar } = getPrivateScalar(secretKey);
         const point = G.multiply(scalar); // Point on Edwards curve aka public key
-        const pointBytes = point.toRawBytes(); // Uint8Array representation
+        const pointBytes = point.toBytes();
         return { head, prefix, scalar, point, pointBytes };
     }
-    // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
-    function getPublicKey(privKey) {
-        return getExtendedPublicKey(privKey).pointBytes;
+    /** Calculates EdDSA pub key. RFC8032 5.1.5. */
+    function getPublicKey(secretKey) {
+        return getExtendedPublicKey(secretKey).pointBytes;
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
     function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
@@ -374,20 +464,22 @@ function twistedEdwards(curveDef) {
         return modN_LE(cHash(domain(msg, (0, utils_ts_1.ensureBytes)('context', context), !!prehash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
-    function sign(msg, privKey, options = {}) {
+    function sign(msg, secretKey, options = {}) {
         msg = (0, utils_ts_1.ensureBytes)('message', msg);
         if (prehash)
             msg = prehash(msg); // for ed25519ph etc.
-        const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+        const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
         const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
-        const R = G.multiply(r).toRawBytes(); // R = rG
+        const R = G.multiply(r).toBytes(); // R = rG
         const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
         const s = modN(r + k * scalar); // S = (r + k * s) mod L
         (0, utils_ts_1.aInRange)('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
-        const res = (0, utils_ts_1.concatBytes)(R, (0, utils_ts_1.numberToBytesLE)(s, Fp.BYTES));
-        return (0, utils_ts_1.ensureBytes)('result', res, Fp.BYTES * 2); // 64-byte signature
+        const L = Fp.BYTES;
+        const res = (0, utils_ts_1.concatBytes)(R, (0, utils_ts_1.numberToBytesLE)(s, L));
+        return (0, utils_ts_1.ensureBytes)('result', res, L * 2); // 64-byte signature
     }
-    const verifyOpts = VERIFY_DEFAULT;
+    // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+    const verifyOpts = { zip215: true };
     /**
      * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
      * An extended group equation is checked.
@@ -417,17 +509,57 @@ function twistedEdwards(curveDef) {
         }
         if (!zip215 && A.isSmallOrder())
             return false;
-        const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+        const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));
         // Extended group equation
         // [8][S]B = [8]R + [8][k]A'
-        return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
+        return RkA.subtract(SB).clearCofactor().is0();
+    }
+    G.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+    const size = Fp.BYTES;
+    const lengths = {
+        secret: size,
+        public: size,
+        signature: 2 * size,
+        seed: size,
+    };
+    function randomSecretKey(seed = randomBytes_(lengths.seed)) {
+        return seed;
     }
-    G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
     const utils = {
         getExtendedPublicKey,
         /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
-        randomPrivateKey: () => randomBytes(Fp.BYTES),
+        randomSecretKey,
+        isValidSecretKey,
+        isValidPublicKey,
+        randomPrivateKey: randomSecretKey,
+        /**
+         * Converts ed public key to x public key. Uses formula:
+         * - ed25519:
+         *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+         *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+         * - ed448:
+         *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+         *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+         *
+         * There is NO `fromMontgomery`:
+         * - There are 2 valid ed25519 points for every x25519, with flipped coordinate
+         * - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
+         *   accepts inputs on the quadratic twist, which can't be moved to ed25519
+         */
+        toMontgomery(publicKey) {
+            const { y } = Point.fromBytes(publicKey);
+            const is25519 = size === 32;
+            if (!is25519 && size !== 57)
+                throw new Error('only defined for 25519 and 448');
+            const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
+            return Fp.toBytes(u);
+        },
+        toMontgomeryPriv(privateKey) {
+            (0, utils_ts_1.abytes)(privateKey, size);
+            const hashed = cHash(privateKey.subarray(0, size));
+            return adjustScalarBytes(hashed).subarray(0, size);
+        },
         /**
          * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
          * values. This slows down first getPublicKey() by milliseconds (see Speed section),
@@ -435,18 +567,72 @@ function twistedEdwards(curveDef) {
          * @param windowSize 2, 4, 8, 16
          */
         precompute(windowSize = 8, point = Point.BASE) {
-            point._setWindowSize(windowSize);
-            point.multiply(BigInt(3));
-            return point;
+            return point.precompute(windowSize, false);
         },
     };
-    return {
-        CURVE,
+    function keygen(seed) {
+        const secretKey = utils.randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    }
+    function isValidSecretKey(key) {
+        try {
+            return !!Fn.fromBytes(key, false);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    function isValidPublicKey(key, zip215) {
+        try {
+            return !!Point.fromBytes(key, zip215);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    return Object.freeze({
+        keygen,
         getPublicKey,
         sign,
         verify,
-        ExtendedPoint: Point,
         utils,
+        Point,
+        info: { type: 'edwards', lengths },
+    });
+}
+// TODO: remove
+function _eddsa_legacy_opts_to_new(c) {
+    const CURVE = {
+        a: c.a,
+        d: c.d,
+        p: c.Fp.ORDER,
+        n: c.n,
+        h: c.h,
+        Gx: c.Gx,
+        Gy: c.Gy,
     };
+    const Fp = c.Fp;
+    const Fn = (0, modular_ts_1.Field)(CURVE.n, c.nBitLength, true);
+    const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };
+    const eddsaOpts = {
+        randomBytes: c.randomBytes,
+        adjustScalarBytes: c.adjustScalarBytes,
+        domain: c.domain,
+        prehash: c.prehash,
+        mapToCurve: c.mapToCurve,
+    };
+    return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
+}
+// TODO: remove
+function _eddsa_new_output_to_legacy(c, eddsa) {
+    const legacy = Object.assign({}, eddsa, { ExtendedPoint: eddsa.Point, CURVE: c });
+    return legacy;
+}
+// TODO: remove. Use eddsa
+function twistedEdwards(c) {
+    const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
+    const Point = edwards(CURVE, curveOpts);
+    const EDDSA = eddsa(Point, hash, eddsaOpts);
+    return _eddsa_new_output_to_legacy(c, EDDSA);
 }
 //# sourceMappingURL=edwards.js.map