@noble/curves 1.9.2 → 1.9.3

package/esm/abstract/weierstrass.js

@@ -26,9 +26,40 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac.js';
-import { _validateObject, abool, abytes, aInRange, bitMask, bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes, inRange, isBytes, memoized, numberToHexUnpadded, randomBytes, } from "../utils.js";
+import { ahash } from '@noble/hashes/utils';
+import { _validateObject, abool, abytes, aInRange, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes, inRange, isBytes, memoized, numberToHexUnpadded, randomBytes, } from "../utils.js";
 import { _createCurveFields, mulEndoUnsafe, negateCt, normalizeZ, pippenger, wNAF, } from "./curve.js";
 import { Field, FpInvertBatch, getMinHashLength, mapHashToField, validateField, } from "./modular.js";
+// We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
+const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n) / den;
+/**
+ * Splits scalar for GLV endomorphism.
+ */
+export function _splitEndoScalar(k, basis, n) {
+    // Split scalar into two such that part is ~half bits: `abs(part) < sqrt(N)`
+    // Since part can be negative, we need to do this on point.
+    // TODO: verifyScalar function which consumes lambda
+    const [[a1, b1], [a2, b2]] = basis;
+    const c1 = divNearest(b2 * k, n);
+    const c2 = divNearest(-b1 * k, n);
+    // |k1|/|k2| is < sqrt(N), but can be negative.
+    // If we do `k1 mod N`, we'll get big scalar (`> sqrt(N)`): so, we do cheaper negation instead.
+    let k1 = k - c1 * a1 - c2 * a2;
+    let k2 = -c1 * b1 - c2 * b2;
+    const k1neg = k1 < _0n;
+    const k2neg = k2 < _0n;
+    if (k1neg)
+        k1 = -k1;
+    if (k2neg)
+        k2 = -k2;
+    // Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
+    // This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
+    const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n; // Half bits of N
+    if (k1 < _0n || k1 >= MAX_NUM || k2 < _0n || k2 >= MAX_NUM) {
+        throw new Error('splitScalar (endomorphism): failed, k=' + k);
+    }
+    return { k1neg, k1, k2neg, k2 };
+}
 function validateSigVerOpts(opts) {
     if (opts.lowS !== undefined)
         abool('lowS', opts.lowS);
@@ -167,37 +198,24 @@ export function _legacyHelperEquat(Fp, a, b) {
     }
     return weierstrassEquation;
 }
-export function _legacyHelperNormPriv(Fn, allowedPrivateKeyLengths, wrapPrivateKey) {
+export function _normFnElement(Fn, key) {
     const { BYTES: expected } = Fn;
-    // Validates if priv key is valid and converts it to bigint.
-    function normPrivateKeyToScalar(key) {
-        let num;
-        if (typeof key === 'bigint') {
-            num = key;
+    let num;
+    if (typeof key === 'bigint') {
+        num = key;
+    }
+    else {
+        let bytes = ensureBytes('private key', key);
+        try {
+            num = Fn.fromBytes(bytes);
         }
-        else {
-            let bytes = ensureBytes('private key', key);
-            if (allowedPrivateKeyLengths) {
-                if (!allowedPrivateKeyLengths.includes(bytes.length * 2))
-                    throw new Error('invalid private key');
-                const padded = new Uint8Array(expected);
-                padded.set(bytes, padded.length - bytes.length);
-                bytes = padded;
-            }
-            try {
-                num = Fn.fromBytes(bytes);
-            }
-            catch (error) {
-                throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
-            }
+        catch (error) {
+            throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
         }
-        if (wrapPrivateKey)
-            num = Fn.create(num); // disabled by default, enabled for BLS
-        if (!Fn.isValidNot0(num))
-            throw new Error('invalid private key: out of range [1..N-1]');
-        return num;
     }
-    return normPrivateKeyToScalar;
+    if (!Fn.isValidNot0(num))
+        throw new Error('invalid private key: out of range [1..N-1]');
+    return num;
 }
 export function weierstrassN(CURVE, curveOpts = {}) {
     const { Fp, Fn } = _createCurveFields('weierstrass', CURVE, curveOpts);
@@ -214,10 +232,8 @@ export function weierstrassN(CURVE, curveOpts = {}) {
     const { endo } = curveOpts;
     if (endo) {
         // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
-        if (!Fp.is0(CURVE.a) ||
-            typeof endo.beta !== 'bigint' ||
-            typeof endo.splitScalar !== 'function') {
-            throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+        if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
+            throw new Error('invalid endo: expected "beta": bigint and "basises": array');
         }
     }
     function assertCompressionIsSupported() {
@@ -309,28 +325,33 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
+    function splitEndoScalarN(k) {
+        if (!endo || !endo.basises)
+            throw new Error('no endo');
+        return _splitEndoScalar(k, endo.basises, Fn.ORDER);
+    }
     // Memoized toAffine / validity check. They are heavy. Points are immutable.
     // Converts Projective point to affine (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     // (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
     const toAffineMemo = memoized((p, iz) => {
-        const { px: x, py: y, pz: z } = p;
+        const { X, Y, Z } = p;
         // Fast-path for normalized points
-        if (Fp.eql(z, Fp.ONE))
-            return { x, y };
+        if (Fp.eql(Z, Fp.ONE))
+            return { x: X, y: Y };
         const is0 = p.is0();
         // If invZ was 0, we return zero point. However we still want to execute
         // all operations, so we replace invZ with a random number, 1.
         if (iz == null)
-            iz = is0 ? Fp.ONE : Fp.inv(z);
-        const ax = Fp.mul(x, iz);
-        const ay = Fp.mul(y, iz);
-        const zz = Fp.mul(z, iz);
+            iz = is0 ? Fp.ONE : Fp.inv(Z);
+        const x = Fp.mul(X, iz);
+        const y = Fp.mul(Y, iz);
+        const zz = Fp.mul(Z, iz);
         if (is0)
             return { x: Fp.ZERO, y: Fp.ZERO };
         if (!Fp.eql(zz, Fp.ONE))
             throw new Error('invZ was invalid');
-        return { x: ax, y: ay };
+        return { x, y };
     });
     // NOTE: on exception this will crash 'cached' and no value will be set.
     // Otherwise true will be return
@@ -339,7 +360,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
             // (0, 0, 0) is invalid representation of ZERO.
-            if (curveOpts.allowInfinityPoint && !Fp.is0(p.py))
+            if (curveOpts.allowInfinityPoint && !Fp.is0(p.Y))
                 return;
             throw new Error('bad point: ZERO');
         }
@@ -354,7 +375,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         return true;
     });
     function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
-        k2p = new Point(Fp.mul(k2p.px, endoBeta), k2p.py, k2p.pz);
+        k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
         k1p = negateCt(k1neg, k1p);
         k2p = negateCt(k2neg, k2p);
         return k1p.add(k2p);
@@ -366,10 +387,10 @@ export function weierstrassN(CURVE, curveOpts = {}) {
      */
     class Point {
         /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
-        constructor(px, py, pz) {
-            this.px = acoord('x', px);
-            this.py = acoord('y', py, true);
-            this.pz = acoord('z', pz);
+        constructor(X, Y, Z) {
+            this.X = acoord('x', X);
+            this.Y = acoord('y', Y, true);
+            this.Z = acoord('z', Z);
             Object.freeze(this);
         }
         /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
@@ -390,8 +411,18 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         get y() {
             return this.toAffine().y;
         }
+        // TODO: remove
+        get px() {
+            return this.X;
+        }
+        get py() {
+            return this.X;
+        }
+        get pz() {
+            return this.Z;
+        }
         static normalizeZ(points) {
-            return normalizeZ(Point, 'pz', points);
+            return normalizeZ(Point, points);
         }
         static fromBytes(bytes) {
             abytes(bytes);
@@ -405,13 +436,15 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         }
         /** Multiplies generator point by privateKey. */
         static fromPrivateKey(privateKey) {
-            const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
-            return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
+            return Point.BASE.multiply(_normFnElement(Fn, privateKey));
         }
-        /** Multiscalar Multiplication */
+        // TODO: remove
         static msm(points, scalars) {
             return pippenger(Point, Fn, points, scalars);
         }
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
         /**
          *
          * @param windowSize
@@ -419,15 +452,11 @@ export function weierstrassN(CURVE, curveOpts = {}) {
          * @returns
          */
         precompute(windowSize = 8, isLazy = true) {
-            wnaf.setWindowSize(this, windowSize);
+            wnaf.createCache(this, windowSize);
             if (!isLazy)
                 this.multiply(_3n); // random number
             return this;
         }
-        /** "Private method", don't use it directly */
-        _setWindowSize(windowSize) {
-            this.precompute(windowSize);
-        }
         // TODO: return `this`
         /** A point on curve is valid if it conforms to equation. */
         assertValidity() {
@@ -442,15 +471,15 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         /** Compare one point to another. */
         equals(other) {
             aprjpoint(other);
-            const { px: X1, py: Y1, pz: Z1 } = this;
-            const { px: X2, py: Y2, pz: Z2 } = other;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
             const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
             return U1 && U2;
         }
         /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
         negate() {
-            return new Point(this.px, Fp.neg(this.py), this.pz);
+            return new Point(this.X, Fp.neg(this.Y), this.Z);
         }
         // Renes-Costello-Batina exception-free doubling formula.
         // There is 30% faster Jacobian formula, but it is not complete.
@@ -459,7 +488,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         double() {
             const { a, b } = CURVE;
             const b3 = Fp.mul(b, _3n);
-            const { px: X1, py: Y1, pz: Z1 } = this;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             let t0 = Fp.mul(X1, X1); // step 1
             let t1 = Fp.mul(Y1, Y1);
@@ -500,8 +529,8 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
         add(other) {
             aprjpoint(other);
-            const { px: X1, py: Y1, pz: Z1 } = this;
-            const { px: X2, py: Y2, pz: Z2 } = other;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             const a = CURVE.a;
             const b3 = Fp.mul(CURVE.b, _3n);
@@ -567,10 +596,10 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             if (!Fn.isValidNot0(scalar))
                 throw new Error('invalid scalar: out of range'); // 0 is invalid
             let point, fake; // Fake point is used to const-time mult
-            const mul = (n) => wnaf.wNAFCached(this, n, Point.normalizeZ);
+            const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
             /** See docs for {@link EndomorphismOpts} */
             if (endo) {
-                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
+                const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
                 const { p: k1p, f: k1f } = mul(k1);
                 const { p: k2p, f: k2f } = mul(k2);
                 fake = k1f.add(k2f);
@@ -582,12 +611,12 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 fake = f;
             }
             // Normalize `z` for both points, but return only real one
-            return Point.normalizeZ([point, fake])[0];
+            return normalizeZ(Point, [point, fake])[0];
         }
         /**
          * Non-constant-time multiplication. Uses double-and-add algorithm.
          * It's faster, but should only be used when you don't care about
-         * an exposed private key e.g. sig verification, which works over *public* keys.
+         * an exposed secret key e.g. sig verification, which works over *public* keys.
          */
         multiplyUnsafe(sc) {
             const { endo } = curveOpts;
@@ -598,16 +627,15 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 return Point.ZERO;
             if (sc === _1n)
                 return p; // fast-path
-            if (wnaf.hasPrecomputes(this))
+            if (wnaf.hasCache(this))
                 return this.multiply(sc);
             if (endo) {
-                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
-                // `wNAFCachedUnsafe` is 30% slower
-                const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2);
+                const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
+                const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
                 return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
             }
             else {
-                return wnaf.wNAFCachedUnsafe(p, sc);
+                return wnaf.unsafe(p, sc);
             }
         }
         multiplyAndAddUnsafe(Q, a, b) {
@@ -631,7 +659,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 return true;
             if (isTorsionFree)
                 return isTorsionFree(Point, this);
-            return wnaf.wNAFCachedUnsafe(this, CURVE_ORDER).is0();
+            return wnaf.unsafe(this, CURVE_ORDER).is0();
         }
         clearCofactor() {
             const { clearCofactor } = curveOpts;
@@ -641,6 +669,10 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 return clearCofactor(Point, this);
             return this.multiplyUnsafe(cofactor);
         }
+        isSmallOrder() {
+            // can we use this.clearCofactor()?
+            return this.multiplyUnsafe(cofactor).is0();
+        }
         toBytes(isCompressed = true) {
             abool('isCompressed', isCompressed);
             this.assertValidity();
@@ -665,10 +697,11 @@ export function weierstrassN(CURVE, curveOpts = {}) {
     Point.Fp = Fp;
     Point.Fn = Fn;
     const bits = Fn.BITS;
-    const wnaf = wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+    const wnaf = new wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
     return Point;
 }
 // _legacyWeierstrass
+// TODO: remove
 /** @deprecated use `weierstrassN` */
 export function weierstrassPoints(c) {
     const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
@@ -679,8 +712,136 @@ export function weierstrassPoints(c) {
 function pprefix(hasEvenY) {
     return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
 }
-export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
-    _validateObject(ecdsaOpts, { hash: 'function' }, {
+/**
+ * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
+ * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
+ * b = True and y = sqrt(u / v) if (u / v) is square in F, and
+ * b = False and y = sqrt(Z * (u / v)) otherwise.
+ * @param Fp
+ * @param Z
+ * @returns
+ */
+export function SWUFpSqrtRatio(Fp, Z) {
+    // Generic implementation
+    const q = Fp.ORDER;
+    let l = _0n;
+    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
+        l += _1n;
+    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
+    // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
+    // 2n ** c1 == 2n << (c1-1)
+    const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
+    const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
+    const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
+    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+    const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+    const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
+    const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
+    const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
+    let sqrtRatio = (u, v) => {
+        let tv1 = c6; // 1. tv1 = c6
+        let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
+        let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2
+        tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
+        let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
+        tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
+        tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
+        tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
+        tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
+        let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
+        tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
+        let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1
+        tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
+        tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
+        tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
+        tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
+        // 17. for i in (c1, c1 - 1, ..., 2):
+        for (let i = c1; i > _1n; i--) {
+            let tv5 = i - _2n; // 18.    tv5 = i - 2
+            tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
+            let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
+            const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
+            tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
+            tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1
+            tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1
+            tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)
+            tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)
+        }
+        return { isValid: isQR, value: tv3 };
+    };
+    if (Fp.ORDER % _4n === _3n) {
+        // sqrt_ratio_3mod4(u, v)
+        const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+        const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
+        sqrtRatio = (u, v) => {
+            let tv1 = Fp.sqr(v); // 1. tv1 = v^2
+            const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
+            tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
+            let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
+            y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
+            const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
+            const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
+            const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u
+            let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
+            return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
+        };
+    }
+    // No curves uses that
+    // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
+    return sqrtRatio;
+}
+/**
+ * Simplified Shallue-van de Woestijne-Ulas Method
+ * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
+ */
+export function mapToCurveSimpleSWU(Fp, opts) {
+    validateField(Fp);
+    const { A, B, Z } = opts;
+    if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
+        throw new Error('mapToCurveSimpleSWU: invalid opts');
+    const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
+    if (!Fp.isOdd)
+        throw new Error('Field does not have .isOdd()');
+    // Input: u, an element of F.
+    // Output: (x, y), a point on E.
+    return (u) => {
+        // prettier-ignore
+        let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
+        tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+        tv1 = Fp.mul(tv1, Z); // 2.  tv1 = Z * tv1
+        tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2
+        tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
+        tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
+        tv3 = Fp.mul(tv3, B); // 6.  tv3 = B * tv3
+        tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
+        tv4 = Fp.mul(tv4, A); // 8.  tv4 = A * tv4
+        tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2
+        tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
+        tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
+        tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
+        tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
+        tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
+        tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
+        tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
+        x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
+        const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
+        y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1
+        y = Fp.mul(y, value); // 20.   y = y * y1
+        x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)
+        y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
+        const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23.  e1 = sgn0(u) == sgn0(y)
+        y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
+        const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
+        x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
+        return { x, y };
+    };
+}
+/**
+ * Creates ECDSA for given elliptic curve Point and hash function.
+ */
+export function ecdsa(Point, hash, ecdsaOpts = {}) {
+    ahash(hash);
+    _validateObject(ecdsaOpts, {}, {
         hmac: 'function',
         lowS: 'boolean',
         randomBytes: 'function',
@@ -689,9 +850,17 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
     });
     const randomBytes_ = ecdsaOpts.randomBytes || randomBytes;
     const hmac_ = ecdsaOpts.hmac ||
-        ((key, ...msgs) => hmac(ecdsaOpts.hash, key, concatBytes(...msgs)));
+        ((key, ...msgs) => hmac(hash, key, concatBytes(...msgs)));
     const { Fp, Fn } = Point;
     const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
+    const seedLen = getMinHashLength(CURVE_ORDER);
+    const lengths = {
+        secret: Fn.BYTES,
+        public: 1 + Fp.BYTES,
+        publicUncompressed: 1 + 2 * Fp.BYTES,
+        signature: 2 * Fn.BYTES,
+        seed: seedLen,
+    };
     function isBiggerThanHalfOrder(number) {
         const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
@@ -716,23 +885,24 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
                 this.recovery = recovery;
             Object.freeze(this);
         }
-        // pair (bytes of r, bytes of s)
-        static fromCompact(hex) {
-            const L = Fn.BYTES;
-            const b = ensureBytes('compactSignature', hex, L * 2);
-            return new Signature(Fn.fromBytes(b.subarray(0, L)), Fn.fromBytes(b.subarray(L, L * 2)));
+        static fromBytes(bytes, format = 'compact') {
+            if (format === 'compact') {
+                const L = Fn.BYTES;
+                abytes(bytes, L * 2);
+                const r = bytes.subarray(0, L);
+                const s = bytes.subarray(L, L * 2);
+                return new Signature(Fn.fromBytes(r), Fn.fromBytes(s));
+            }
+            if (format === 'der') {
+                abytes(bytes);
+                const { r, s } = DER.toSig(bytes);
+                return new Signature(r, s);
+            }
+            throw new Error('invalid format');
         }
-        // DER encoded ECDSA signature
-        // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
-        static fromDER(hex) {
-            const { r, s } = DER.toSig(ensureBytes('DER', hex));
-            return new Signature(r, s);
+        static fromHex(hex, format) {
+            return this.fromBytes(hexToBytes(hex), format);
         }
-        /**
-         * @todo remove
-         * @deprecated
-         */
-        assertValidity() { }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
@@ -776,21 +946,30 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
         normalizeS() {
             return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
         }
-        toBytes(format) {
+        toBytes(format = 'compact') {
             if (format === 'compact')
                 return concatBytes(Fn.toBytes(this.r), Fn.toBytes(this.s));
             if (format === 'der')
                 return hexToBytes(DER.hexFromSig(this));
             throw new Error('invalid format');
         }
-        // DER-encoded
+        toHex(format) {
+            return bytesToHex(this.toBytes(format));
+        }
+        // TODO: remove
+        assertValidity() { }
+        static fromCompact(hex) {
+            return Signature.fromBytes(ensureBytes('sig', hex), 'compact');
+        }
+        static fromDER(hex) {
+            return Signature.fromBytes(ensureBytes('sig', hex), 'der');
+        }
         toDERRawBytes() {
             return this.toBytes('der');
         }
         toDERHex() {
             return bytesToHex(this.toBytes('der'));
         }
-        // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
             return this.toBytes('compact');
         }
@@ -798,76 +977,85 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
             return bytesToHex(this.toBytes('compact'));
         }
     }
-    const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, curveOpts.allowedPrivateKeyLengths, curveOpts.wrapPrivateKey);
-    const utils = {
-        isValidPrivateKey(privateKey) {
-            try {
-                normPrivateKeyToScalar(privateKey);
-                return true;
-            }
-            catch (error) {
+    function isValidSecretKey(privateKey) {
+        try {
+            return !!_normFnElement(Fn, privateKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    function isValidPublicKey(publicKey, isCompressed) {
+        try {
+            const l = publicKey.length;
+            if (isCompressed === true && l !== lengths.public)
                 return false;
-            }
-        },
-        normPrivateKeyToScalar: normPrivateKeyToScalar,
-        /**
-         * Produces cryptographically secure private key from random of size
-         * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-         */
-        randomPrivateKey: () => {
-            const n = CURVE_ORDER;
-            return mapHashToField(randomBytes_(getMinHashLength(n)), n);
-        },
+            if (isCompressed === false && l !== lengths.publicUncompressed)
+                return false;
+            return !!Point.fromBytes(publicKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    /**
+     * Produces cryptographically secure secret key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    function randomSecretKey(seed = randomBytes_(seedLen)) {
+        return mapHashToField(seed, CURVE_ORDER);
+    }
+    const utils = {
+        isValidSecretKey,
+        isValidPublicKey,
+        randomSecretKey,
+        // TODO: remove
+        isValidPrivateKey: isValidSecretKey,
+        randomPrivateKey: randomSecretKey,
+        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
         precompute(windowSize = 8, point = Point.BASE) {
             return point.precompute(windowSize, false);
         },
     };
     /**
-     * Computes public key for a private key. Checks for validity of the private key.
-     * @param privateKey private key
+     * Computes public key for a secret key. Checks for validity of the secret key.
      * @param isCompressed whether to return compact (default), or full key
      * @returns Public key, full when isCompressed=false; short when isCompressed=true
      */
-    function getPublicKey(privateKey, isCompressed = true) {
-        return Point.fromPrivateKey(privateKey).toBytes(isCompressed);
+    function getPublicKey(secretKey, isCompressed = true) {
+        return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
     }
     /**
      * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
      */
     function isProbPub(item) {
+        // TODO: remove
         if (typeof item === 'bigint')
             return false;
+        // TODO: remove
         if (item instanceof Point)
             return true;
-        const arr = ensureBytes('key', item);
-        const length = arr.length;
-        const L = Fp.BYTES;
-        const LC = L + 1; // e.g. 33 for 32
-        const LU = 2 * L + 1; // e.g. 65 for 32
-        if (curveOpts.allowedPrivateKeyLengths || Fn.BYTES === LC) {
+        if (Fn.allowedLengths || lengths.secret === lengths.public)
             return undefined;
-        }
-        else {
-            return length === LC || length === LU;
-        }
+        const l = ensureBytes('key', item).length;
+        return l === lengths.public || l === lengths.publicUncompressed;
     }
     /**
      * ECDH (Elliptic Curve Diffie Hellman).
-     * Computes shared public key from private key and public key.
-     * Checks: 1) private key validity 2) shared key is on-curve.
+     * Computes shared public key from secret key A and public key B.
+     * Checks: 1) secret key validity 2) shared key is on-curve.
      * Does NOT hash the result.
-     * @param privateA private key
-     * @param publicB different public key
      * @param isCompressed whether to return compact (default), or full key
      * @returns shared public key
      */
-    function getSharedSecret(privateA, publicB, isCompressed = true) {
-        if (isProbPub(privateA) === true)
+    function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
+        if (isProbPub(secretKeyA) === true)
             throw new Error('first arg must be private key');
-        if (isProbPub(publicB) === false)
+        if (isProbPub(publicKeyB) === false)
             throw new Error('second arg must be public key');
-        const b = Point.fromHex(publicB); // check for being on-curve
-        return b.multiply(normPrivateKeyToScalar(privateA)).toBytes(isCompressed);
+        const s = _normFnElement(Fn, secretKeyA);
+        const b = Point.fromHex(publicKeyB); // checks for being on-curve
+        return b.multiply(s).toBytes(isCompressed);
     }
     // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
     // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
@@ -906,7 +1094,6 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
     function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
         if (['recovered', 'canonical'].some((k) => k in opts))
             throw new Error('sign() legacy options not supported');
-        const { hash } = ecdsaOpts;
         let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
         if (lowS == null)
             lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
@@ -918,17 +1105,21 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
         // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
         const h1int = bits2int_modN(msgHash);
-        const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
+        const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
         const seedArgs = [int2octets(d), int2octets(h1int)];
         // extraEntropy. RFC6979 3.6: additional k' (optional).
         if (ent != null && ent !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-            const e = ent === true ? randomBytes_(Fp.BYTES) : ent; // generate random bytes OR pass as-is
+            const e = ent === true ? randomBytes_(lengths.secret) : ent; // gen random bytes OR pass as-is
             seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
         }
         const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
         // Converts signature params into point w r/s, checks result for validity.
+        // To transform k => Signature:
+        // q = k⋅G
+        // r = q.x mod n
+        // s = k^-1(m + rd) mod n
         // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
         // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
         // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
@@ -939,7 +1130,7 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
             if (!Fn.isValidNot0(k))
                 return; // Valid scalars (including k) must be in 1..N-1
             const ik = Fn.inv(k); // k^-1 mod n
-            const q = Point.BASE.multiply(k).toAffine(); // q = Gk
+            const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
             const r = Fn.create(q.x); // r = q.x mod n
             if (r === _0n)
                 return;
@@ -959,21 +1150,17 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
     const defaultSigOpts = { lowS: ecdsaOpts.lowS, prehash: false };
     const defaultVerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
     /**
-     * Signs message hash with a private key.
+     * Signs message hash with a secret key.
      * ```
      * sign(m, d, k) where
      *   (x, y) = G × k
      *   r = x mod n
      *   s = (m + dr)/k mod n
      * ```
-     * @param msgHash NOT message. msg needs to be hashed to `msgHash`, or use `prehash`.
-     * @param privKey private key
-     * @param opts lowS for non-malleable sigs. extraEntropy for mixing randomness into k. prehash will hash first arg.
-     * @returns signature with recovery param
      */
-    function sign(msgHash, privKey, opts = defaultSigOpts) {
-        const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
-        const drbg = createHmacDrbg(ecdsaOpts.hash.outputLen, Fn.BYTES, hmac_);
+    function sign(msgHash, secretKey, opts = defaultSigOpts) {
+        const { seed, k2sig } = prepSig(msgHash, secretKey, opts); // Steps A, D of RFC6979 3.2.
+        const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac_);
         return drbg(seed, k2sig); // Steps B, C, D, E, F, G
     }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
@@ -1001,88 +1188,98 @@ export function ecdsa(Point, ecdsaOpts, curveOpts = {}) {
         // TODO: remove
         if ('strict' in opts)
             throw new Error('options.strict was renamed to lowS');
-        if (format !== undefined && !['compact', 'der', 'js'].includes(format))
-            throw new Error('format must be "compact", "der" or "js"');
-        const isHex = typeof sg === 'string' || isBytes(sg);
-        const isObj = !isHex &&
-            !format &&
-            typeof sg === 'object' &&
-            sg !== null &&
-            typeof sg.r === 'bigint' &&
-            typeof sg.s === 'bigint';
-        if (!isHex && !isObj)
-            throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
         let _sig = undefined;
         let P;
-        // deduce signature format
-        try {
-            // if (format === 'js') {
-            //   if (sg != null && !isBytes(sg)) _sig = new Signature(sg.r, sg.s);
-            // } else if (format === 'compact') {
-            //   _sig = Signature.fromCompact(sg);
-            // } else if (format === 'der') {
-            //   _sig = Signature.fromDER(sg);
-            // } else {
-            //   throw new Error('invalid format');
-            // }
+        if (format === undefined) {
+            // Try to deduce format
+            const isHex = typeof sg === 'string' || isBytes(sg);
+            const isObj = !isHex &&
+                sg !== null &&
+                typeof sg === 'object' &&
+                typeof sg.r === 'bigint' &&
+                typeof sg.s === 'bigint';
+            if (!isHex && !isObj)
+                throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
             if (isObj) {
-                if (format === undefined || format === 'js') {
-                    _sig = new Signature(sg.r, sg.s);
-                }
-                else {
-                    throw new Error('invalid format');
-                }
+                _sig = new Signature(sg.r, sg.s);
             }
-            if (isHex) {
+            else if (isHex) {
                 // TODO: remove this malleable check
                 // Signature can be represented in 2 ways: compact (2*Fn.BYTES) & DER (variable-length).
                 // Since DER can also be 2*Fn.BYTES bytes, we check for it first.
                 try {
-                    if (format !== 'compact')
-                        _sig = Signature.fromDER(sg);
+                    _sig = Signature.fromDER(sg);
                 }
                 catch (derError) {
                     if (!(derError instanceof DER.Err))
                         throw derError;
                 }
-                if (!_sig && format !== 'der')
-                    _sig = Signature.fromCompact(sg);
+                if (!_sig) {
+                    try {
+                        _sig = Signature.fromCompact(sg);
+                    }
+                    catch (error) {
+                        return false;
+                    }
+                }
             }
-            P = Point.fromHex(publicKey);
         }
-        catch (error) {
-            return false;
+        else {
+            if (format === 'compact' || format === 'der') {
+                if (typeof sg !== 'string' && !isBytes(sg))
+                    throw new Error('"der" / "compact" format expects Uint8Array signature');
+                _sig = Signature.fromBytes(ensureBytes('sig', sg), format);
+            }
+            else if (format === 'js') {
+                if (!(sg instanceof Signature))
+                    throw new Error('"js" format expects Signature instance');
+                _sig = sg;
+            }
+            else {
+                throw new Error('format must be "compact", "der" or "js"');
+            }
         }
         if (!_sig)
             return false;
-        if (lowS && _sig.hasHighS())
-            return false;
-        // todo: optional.hash => hash
-        if (prehash)
-            msgHash = ecdsaOpts.hash(msgHash);
-        const { r, s } = _sig;
-        const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-        const is = Fn.inv(s); // s^-1
-        const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
-        const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
-        const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
-        if (R.is0())
+        try {
+            P = Point.fromHex(publicKey);
+            if (lowS && _sig.hasHighS())
+                return false;
+            // todo: optional.hash => hash
+            if (prehash)
+                msgHash = hash(msgHash);
+            const { r, s } = _sig;
+            const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
+            const is = Fn.inv(s); // s^-1
+            const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
+            const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
+            const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+            if (R.is0())
+                return false;
+            const v = Fn.create(R.x); // v = r.x mod n
+            return v === r;
+        }
+        catch (e) {
             return false;
-        const v = Fn.create(R.x); // v = r.x mod n
-        return v === r;
+        }
+    }
+    function keygen(seed) {
+        const secretKey = utils.randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
     }
-    // TODO: clarify API for cloning .clone({hash: sha512}) ? .createWith({hash: sha512})?
-    // const clone = (hash: CHash): ECDSA => ecdsa(Point, { ...ecdsaOpts, ...getHash(hash) }, curveOpts);
     return Object.freeze({
+        keygen,
         getPublicKey,
-        getSharedSecret,
         sign,
         verify,
+        getSharedSecret,
         utils,
         Point,
         Signature,
+        info: { type: 'weierstrass', lengths, publicKeyHasPrefix: true },
     });
 }
+// TODO: remove
 function _weierstrass_legacy_opts_to_new(c) {
     const CURVE = {
         a: c.a,
@@ -1094,14 +1291,19 @@ function _weierstrass_legacy_opts_to_new(c) {
         Gy: c.Gy,
     };
     const Fp = c.Fp;
-    const Fn = Field(CURVE.n, c.nBitLength);
+    let allowedLengths = c.allowedPrivateKeyLengths
+        ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
+        : undefined;
+    const Fn = Field(CURVE.n, {
+        BITS: c.nBitLength,
+        allowedLengths: allowedLengths,
+        modOnDecode: c.wrapPrivateKey,
+    });
     const curveOpts = {
         Fp,
         Fn,
-        allowedPrivateKeyLengths: c.allowedPrivateKeyLengths,
         allowInfinityPoint: c.allowInfinityPoint,
         endo: c.endo,
-        wrapPrivateKey: c.wrapPrivateKey,
         isTorsionFree: c.isTorsionFree,
         clearCofactor: c.clearCofactor,
         fromBytes: c.fromBytes,
@@ -1112,15 +1314,15 @@ function _weierstrass_legacy_opts_to_new(c) {
 function _ecdsa_legacy_opts_to_new(c) {
     const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
     const ecdsaOpts = {
-        hash: c.hash,
         hmac: c.hmac,
         randomBytes: c.randomBytes,
         lowS: c.lowS,
         bits2int: c.bits2int,
         bits2int_modN: c.bits2int_modN,
     };
-    return { CURVE, curveOpts, ecdsaOpts };
+    return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
 }
+// TODO: remove
 function _weierstrass_new_output_to_legacy(c, Point) {
     const { Fp, Fn } = Point;
     // TODO: remove
@@ -1128,16 +1330,16 @@ function _weierstrass_new_output_to_legacy(c, Point) {
         return inRange(num, _1n, Fn.ORDER);
     }
     const weierstrassEquation = _legacyHelperEquat(Fp, c.a, c.b);
-    const normPrivateKeyToScalar = _legacyHelperNormPriv(Fn, c.allowedPrivateKeyLengths, c.wrapPrivateKey);
     return Object.assign({}, {
         CURVE: c,
         Point: Point,
         ProjectivePoint: Point,
-        normPrivateKeyToScalar,
+        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
         weierstrassEquation,
         isWithinCurveOrder,
     });
 }
+// TODO: remove
 function _ecdsa_new_output_to_legacy(c, ecdsa) {
     return Object.assign({}, ecdsa, {
         ProjectivePoint: ecdsa.Point,
@@ -1146,133 +1348,9 @@ function _ecdsa_new_output_to_legacy(c, ecdsa) {
 }
 // _ecdsa_legacy
 export function weierstrass(c) {
-    const { CURVE, curveOpts, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
+    const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
     const Point = weierstrassN(CURVE, curveOpts);
-    const signs = ecdsa(Point, ecdsaOpts, curveOpts);
+    const signs = ecdsa(Point, hash, ecdsaOpts);
     return _ecdsa_new_output_to_legacy(c, signs);
 }
-/**
- * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
- * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
- * b = True and y = sqrt(u / v) if (u / v) is square in F, and
- * b = False and y = sqrt(Z * (u / v)) otherwise.
- * @param Fp
- * @param Z
- * @returns
- */
-export function SWUFpSqrtRatio(Fp, Z) {
-    // Generic implementation
-    const q = Fp.ORDER;
-    let l = _0n;
-    for (let o = q - _1n; o % _2n === _0n; o /= _2n)
-        l += _1n;
-    const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-    // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
-    // 2n ** c1 == 2n << (c1-1)
-    const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
-    const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
-    const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
-    const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-    const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
-    const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
-    const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
-    const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
-    let sqrtRatio = (u, v) => {
-        let tv1 = c6; // 1. tv1 = c6
-        let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
-        let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2
-        tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
-        let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
-        tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
-        tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
-        tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
-        tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
-        let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
-        tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
-        let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1
-        tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
-        tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
-        tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
-        tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
-        // 17. for i in (c1, c1 - 1, ..., 2):
-        for (let i = c1; i > _1n; i--) {
-            let tv5 = i - _2n; // 18.    tv5 = i - 2
-            tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
-            let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
-            const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
-            tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
-            tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1
-            tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1
-            tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)
-            tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)
-        }
-        return { isValid: isQR, value: tv3 };
-    };
-    if (Fp.ORDER % _4n === _3n) {
-        // sqrt_ratio_3mod4(u, v)
-        const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
-        const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
-        sqrtRatio = (u, v) => {
-            let tv1 = Fp.sqr(v); // 1. tv1 = v^2
-            const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
-            tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
-            let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
-            y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
-            const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
-            const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
-            const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u
-            let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
-            return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
-        };
-    }
-    // No curves uses that
-    // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
-    return sqrtRatio;
-}
-/**
- * Simplified Shallue-van de Woestijne-Ulas Method
- * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
- */
-export function mapToCurveSimpleSWU(Fp, opts) {
-    validateField(Fp);
-    const { A, B, Z } = opts;
-    if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
-        throw new Error('mapToCurveSimpleSWU: invalid opts');
-    const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
-    if (!Fp.isOdd)
-        throw new Error('Field does not have .isOdd()');
-    // Input: u, an element of F.
-    // Output: (x, y), a point on E.
-    return (u) => {
-        // prettier-ignore
-        let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
-        tv1 = Fp.sqr(u); // 1.  tv1 = u^2
-        tv1 = Fp.mul(tv1, Z); // 2.  tv1 = Z * tv1
-        tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2
-        tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
-        tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
-        tv3 = Fp.mul(tv3, B); // 6.  tv3 = B * tv3
-        tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
-        tv4 = Fp.mul(tv4, A); // 8.  tv4 = A * tv4
-        tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2
-        tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
-        tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
-        tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
-        tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
-        tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
-        tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
-        tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
-        x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
-        const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
-        y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1
-        y = Fp.mul(y, value); // 20.   y = y * y1
-        x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)
-        y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
-        const e1 = Fp.isOdd(u) === Fp.isOdd(y); // 23.  e1 = sgn0(u) == sgn0(y)
-        y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
-        const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
-        x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
-        return { x, y };
-    };
-}
 //# sourceMappingURL=weierstrass.js.map