@noble/curves 1.9.2 → 1.9.3

package/src/abstract/edwards.ts

@@ -27,8 +27,9 @@ import {
   wNAF,
   type AffinePoint,
   type BasicCurve,
-  type Group,
-  type GroupConstructor,
+  type CurveInfo,
+  type CurvePoint,
+  type CurvePointCons,
 } from './curve.ts';
 import { Field, type IField, type NLength } from './modular.ts';
 
@@ -38,7 +39,7 @@ const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
 
 export type UVRatio = (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
 
-/** Edwards curves must declare params a & d. */
+// TODO: remove
 export type CurveType = BasicCurve<bigint> & {
   a: bigint; // curve param a
   d: bigint; // curve param d
@@ -51,45 +52,45 @@ export type CurveType = BasicCurve<bigint> & {
   mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
 };
 
+// TODO: remove
 export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
 
-// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-const VERIFY_DEFAULT = { zip215: true };
-
 /** Instance of Extended Point with coordinates in X, Y, Z, T. */
-export interface ExtPointType extends Group<ExtPointType> {
-  readonly ex: bigint;
-  readonly ey: bigint;
-  readonly ez: bigint;
-  readonly et: bigint;
-  get x(): bigint;
-  get y(): bigint;
-  assertValidity(): void;
-  multiply(scalar: bigint): ExtPointType;
-  multiplyUnsafe(scalar: bigint): ExtPointType;
-  is0(): boolean;
-  isSmallOrder(): boolean;
-  isTorsionFree(): boolean;
-  clearCofactor(): ExtPointType;
-  toAffine(iz?: bigint): AffinePoint<bigint>;
-  toBytes(): Uint8Array;
+export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
+  /** extended X coordinate. Different from affine x. */
+  readonly X: bigint;
+  /** extended Y coordinate. Different from affine y. */
+  readonly Y: bigint;
+  /** extended Z coordinate */
+  readonly Z: bigint;
+  /** extended T coordinate */
+  readonly T: bigint;
+
   /** @deprecated use `toBytes` */
   toRawBytes(): Uint8Array;
-  toHex(): string;
-  precompute(windowSize?: number, isLazy?: boolean): ExtPointType;
   /** @deprecated use `p.precompute(windowSize)` */
   _setWindowSize(windowSize: number): void;
+  /** @deprecated use .X */
+  readonly ex: bigint;
+  /** @deprecated use .Y */
+  readonly ey: bigint;
+  /** @deprecated use .Z */
+  readonly ez: bigint;
+  /** @deprecated use .T */
+  readonly et: bigint;
 }
 /** Static methods of Extended Point with coordinates in X, Y, Z, T. */
-export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
-  new (x: bigint, y: bigint, z: bigint, t: bigint): ExtPointType;
-  Fp: IField<bigint>;
-  Fn: IField<bigint>;
-  fromAffine(p: AffinePoint<bigint>): ExtPointType;
-  fromBytes(bytes: Uint8Array, zip215?: boolean): ExtPointType;
-  fromHex(hex: Hex, zip215?: boolean): ExtPointType;
-  msm(points: ExtPointType[], scalars: bigint[]): ExtPointType;
+export interface EdwardsPointCons extends CurvePointCons<bigint, EdwardsPoint> {
+  new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
+  fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
+  fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
+  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+  msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
 }
+/** @deprecated use EdwardsPoint */
+export type ExtPointType = EdwardsPoint;
+/** @deprecated use EdwardsPointCons */
+export type ExtPointConstructor = EdwardsPointCons;
 
 /**
  * Twisted Edwards curve options.
@@ -103,11 +104,11 @@ export interface ExtPointConstructor extends GroupConstructor<ExtPointType> {
  * * Gy: y coordinate of generator point
  */
 export type EdwardsOpts = Readonly<{
-  a: bigint;
-  d: bigint;
   p: bigint;
   n: bigint;
   h: bigint;
+  a: bigint;
+  d: bigint;
   Gx: bigint;
   Gy: bigint;
 }>;
@@ -128,76 +129,90 @@ export type EdwardsExtraOpts = Partial<{
 /**
  * EdDSA (Edwards Digital Signature algorithm) options.
  *
- * * hash: hash function used to hash private keys and messages
+ * * hash: hash function used to hash secret keys and messages
  * * adjustScalarBytes: clears bits to get valid field element
  * * domain: Used for hashing
  * * mapToCurve: for hash-to-curve standard
  * * prehash: RFC 8032 pre-hashing of messages to sign() / verify()
- * * randomBytes: function generating random bytes, used for randomPrivateKey
+ * * randomBytes: function generating random bytes, used for randomSecretKey
  */
-export type EdDSAOpts = {
-  hash: FHash;
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array;
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
-  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>;
-  prehash?: FHash;
-  randomBytes?: (bytesLength?: number) => Uint8Array;
-};
+export type EdDSAOpts = Partial<{
+  adjustScalarBytes: (bytes: Uint8Array) => Uint8Array;
+  domain: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array;
+  mapToCurve: (scalar: bigint[]) => AffinePoint<bigint>;
+  prehash: FHash;
+  randomBytes: (bytesLength?: number) => Uint8Array;
+}>;
 
 /**
  * EdDSA (Edwards Digital Signature algorithm) interface.
  *
- * Allows to create and verify signatures, create public and private keys.
+ * Allows to create and verify signatures, create public and secret keys.
  */
 export interface EdDSA {
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  sign: (message: Hex, privateKey: Hex, options?: { context?: Hex }) => Uint8Array;
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
+  getPublicKey: (secretKey: Hex) => Uint8Array;
+  sign: (message: Hex, secretKey: Hex, options?: { context?: Hex }) => Uint8Array;
   verify: (
     sig: Hex,
     message: Hex,
     publicKey: Hex,
     options?: { context?: Hex; zip215: boolean }
   ) => boolean;
-  Point: ExtPointConstructor;
+  Point: EdwardsPointCons;
   utils: {
-    randomPrivateKey: () => Uint8Array;
+    randomSecretKey: (seed?: Uint8Array) => Uint8Array;
+    isValidSecretKey: (secretKey: Uint8Array) => boolean;
+    isValidPublicKey: (publicKey: Uint8Array, zip215?: boolean) => boolean;
+
+    /**
+     * Converts ed public key to x public key.
+     * @example
+     * ```js
+     * const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
+     * const aPriv = x25519.utils.randomSecretKey();
+     * x25519.getSharedSecret(aPriv, ed25519.utils.toMontgomery(someonesPub))
+     * ```
+     */
+    toMontgomery: (publicKey: Uint8Array) => Uint8Array;
+    /**
+     * Converts ed secret key to x secret key.
+     * @example
+     * ```js
+     * const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
+     * const aPriv = ed25519.utils.randomSecretKey();
+     * x25519.getSharedSecret(ed25519.utils.toMontgomeryPriv(aPriv), someonesPub)
+     * ```
+     */
+    toMontgomeryPriv: (privateKey: Uint8Array) => Uint8Array;
     getExtendedPublicKey: (key: Hex) => {
       head: Uint8Array;
       prefix: Uint8Array;
       scalar: bigint;
-      point: ExtPointType;
+      point: EdwardsPoint;
       pointBytes: Uint8Array;
     };
+
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
     /** @deprecated use `point.precompute()` */
-    precompute: (windowSize?: number, point?: ExtPointType) => ExtPointType;
+    precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
   };
+  info: CurveInfo;
 }
 
 // Legacy params. TODO: remove
 export type CurveFn = {
   CURVE: CurveType;
-  getPublicKey: (privateKey: Hex) => Uint8Array;
-  sign: (message: Hex, privateKey: Hex, options?: { context?: Hex }) => Uint8Array;
-  verify: (
-    sig: Hex,
-    message: Hex,
-    publicKey: Hex,
-    options?: { context?: Hex; zip215: boolean }
-  ) => boolean;
-  Point: ExtPointConstructor;
+  keygen: EdDSA['keygen'];
+  getPublicKey: EdDSA['getPublicKey'];
+  sign: EdDSA['sign'];
+  verify: EdDSA['verify'];
+  Point: EdwardsPointCons;
   /** @deprecated use `Point` */
-  ExtendedPoint: ExtPointConstructor;
-  utils: {
-    randomPrivateKey: () => Uint8Array;
-    getExtendedPublicKey: (key: Hex) => {
-      head: Uint8Array;
-      prefix: Uint8Array;
-      scalar: bigint;
-      point: ExtPointType;
-      pointBytes: Uint8Array;
-    };
-    precompute: (windowSize?: number, point?: ExtPointType) => ExtPointType;
-  };
+  ExtendedPoint: EdwardsPointCons;
+  utils: EdDSA['utils'];
+  info: CurveInfo;
 };
 
 function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigint): boolean {
@@ -208,7 +223,7 @@ function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigin
   return Fp.eql(left, right);
 }
 
-export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): ExtPointConstructor {
+export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
   const { Fp, Fn } = _createCurveFields('edwards', CURVE, curveOpts);
   const { h: cofactor, n: CURVE_ORDER } = CURVE;
   _validateObject(curveOpts, {}, { uvRatio: 'function' });
@@ -252,22 +267,22 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
   // Converts Extended point to default (x, y) coordinates.
   // Can accept precomputed Z^-1 - for example, from invertBatch.
   const toAffineMemo = memoized((p: Point, iz?: bigint): AffinePoint<bigint> => {
-    const { ex: x, ey: y, ez: z } = p;
+    const { X, Y, Z } = p;
     const is0 = p.is0();
-    if (iz == null) iz = is0 ? _8n : (Fp.inv(z) as bigint); // 8 was chosen arbitrarily
-    const ax = modP(x * iz);
-    const ay = modP(y * iz);
-    const zz = modP(z * iz);
+    if (iz == null) iz = is0 ? _8n : (Fp.inv(Z) as bigint); // 8 was chosen arbitrarily
+    const x = modP(X * iz);
+    const y = modP(Y * iz);
+    const zz = Fp.mul(Z, iz);
     if (is0) return { x: _0n, y: _1n };
     if (zz !== _1n) throw new Error('invZ was invalid');
-    return { x: ax, y: ay };
+    return { x, y };
   });
   const assertValidMemo = memoized((p: Point) => {
     const { a, d } = CURVE;
     if (p.is0()) throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
     // Equation in affine coordinates: ax² + y² = 1 + dx²y²
     // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-    const { ex: X, ey: Y, ez: Z, et: T } = p;
+    const { X, Y, Z, T } = p;
     const X2 = modP(X * X); // X²
     const Y2 = modP(Y * Y); // Y²
     const Z2 = modP(Z * Z); // Z²
@@ -285,7 +300,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
 
   // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
   // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
-  class Point implements ExtPointType {
+  class Point implements EdwardsPoint {
     // base / generator point
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, _1n, modP(CURVE.Gx * CURVE.Gy));
     // zero / infinity / identity point
@@ -294,16 +309,16 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     static readonly Fp = Fp;
     static readonly Fn = Fn;
 
-    readonly ex: bigint;
-    readonly ey: bigint;
-    readonly ez: bigint;
-    readonly et: bigint;
+    readonly X: bigint;
+    readonly Y: bigint;
+    readonly Z: bigint;
+    readonly T: bigint;
 
-    constructor(ex: bigint, ey: bigint, ez: bigint, et: bigint) {
-      this.ex = acoord('x', ex);
-      this.ey = acoord('y', ey);
-      this.ez = acoord('z', ez, true);
-      this.et = acoord('t', et);
+    constructor(X: bigint, Y: bigint, Z: bigint, T: bigint) {
+      this.X = acoord('x', X);
+      this.Y = acoord('y', Y);
+      this.Z = acoord('z', Z, true);
+      this.T = acoord('t', T);
       Object.freeze(this);
     }
 
@@ -314,32 +329,44 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       return this.toAffine().y;
     }
 
-    static fromAffine(p: AffinePoint<bigint>): Point {
-      if (p instanceof Point) throw new Error('extended point not allowed');
-      const { x, y } = p || {};
-      acoord('x', x);
-      acoord('y', y);
-      return new Point(x, y, _1n, modP(x * y));
+    // TODO: remove
+    get ex(): bigint {
+      return this.X;
+    }
+    get ey(): bigint {
+      return this.Y;
+    }
+    get ez(): bigint {
+      return this.Z;
+    }
+    get et(): bigint {
+      return this.T;
     }
     static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, 'ez', points);
+      return normalizeZ(Point, points);
     }
-    // Multiscalar Multiplication
     static msm(points: Point[], scalars: bigint[]): Point {
       return pippenger(Point, Fn, points, scalars);
     }
-
-    // "Private method", don't use it directly
     _setWindowSize(windowSize: number) {
       this.precompute(windowSize);
     }
+
+    static fromAffine(p: AffinePoint<bigint>): Point {
+      if (p instanceof Point) throw new Error('extended point not allowed');
+      const { x, y } = p || {};
+      acoord('x', x);
+      acoord('y', y);
+      return new Point(x, y, _1n, modP(x * y));
+    }
+
     precompute(windowSize: number = 8, isLazy = true) {
-      wnaf.setWindowSize(this, windowSize);
+      wnaf.createCache(this, windowSize);
       if (!isLazy) this.multiply(_2n); // random number
       return this;
     }
-    // Not required for fromHex(), which always creates valid points.
-    // Could be useful for fromAffine().
+
+    // Useful in fromAffine() - not for fromBytes(), which always created valid points.
     assertValidity(): void {
       assertValidMemo(this);
     }
@@ -347,8 +374,8 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     // Compare one point to another.
     equals(other: Point): boolean {
       aextpoint(other);
-      const { ex: X1, ey: Y1, ez: Z1 } = this;
-      const { ex: X2, ey: Y2, ez: Z2 } = other;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
       const X1Z2 = modP(X1 * Z2);
       const X2Z1 = modP(X2 * Z1);
       const Y1Z2 = modP(Y1 * Z2);
@@ -362,7 +389,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
 
     negate(): Point {
       // Flips point sign to a negative one (-x, y in affine coords)
-      return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+      return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
     }
 
     // Fast algo for doubling Extended Point.
@@ -370,7 +397,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     // Cost: 4M + 4S + 1*a + 6add + 1*2.
     double(): Point {
       const { a } = CURVE;
-      const { ex: X1, ey: Y1, ez: Z1 } = this;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
       const A = modP(X1 * X1); // A = X12
       const B = modP(Y1 * Y1); // B = Y12
       const C = modP(_2n * modP(Z1 * Z1)); // C = 2*Z12
@@ -393,8 +420,8 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     add(other: Point) {
       aextpoint(other);
       const { a, d } = CURVE;
-      const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
-      const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
+      const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+      const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
       const A = modP(X1 * X2); // A = X1*X2
       const B = modP(Y1 * Y2); // B = Y1*Y2
       const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -418,8 +445,8 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     multiply(scalar: bigint): Point {
       const n = scalar;
       aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
-      const { p, f } = wnaf.wNAFCached(this, n, Point.normalizeZ);
-      return Point.normalizeZ([p, f])[0];
+      const { p, f } = wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+      return normalizeZ(Point, [p, f])[0];
     }
 
     // Non-constant-time multiplication. Uses double-and-add algorithm.
@@ -432,7 +459,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
       if (n === _0n) return Point.ZERO;
       if (this.is0() || n === _1n) return this;
-      return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
+      return wnaf.unsafe(this, n, (p) => normalizeZ(Point, p), acc);
     }
 
     // Checks if point is of small order.
@@ -446,7 +473,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
     // Multiplies point by curve order and checks if the result is 0.
     // Returns `false` is the point is dirty.
     isTorsionFree(): boolean {
-      return wnaf.wNAFCachedUnsafe(this, CURVE_ORDER).is0();
+      return wnaf.unsafe(this, CURVE_ORDER).is0();
     }
 
     // Converts Extended point to default (x, y) coordinates.
@@ -462,7 +489,7 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
 
     static fromBytes(bytes: Uint8Array, zip215 = false): Point {
       abytes(bytes);
-      return this.fromHex(bytes, zip215);
+      return Point.fromHex(bytes, zip215);
     }
 
     // Converts hash string or Uint8Array to Point.
@@ -499,9 +526,6 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
       return Point.fromAffine({ x, y });
     }
-    static fromPrivateScalar(scalar: bigint): Point {
-      return Point.BASE.multiply(scalar);
-    }
     toBytes(): Uint8Array {
       const { x, y } = this.toAffine();
       const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
@@ -520,19 +544,128 @@ export function edwards(CURVE: EdwardsOpts, curveOpts: EdwardsExtraOpts = {}): E
       return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
   }
-  const wnaf = wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
+  const wnaf = new wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
   return Point;
 }
 
+/**
+ * Base class for prime-order points like Ristretto255 and Decaf448.
+ * These points eliminate cofactor issues by representing equivalence classes
+ * of Edwards curve points.
+ */
+export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
+  implements CurvePoint<bigint, T>
+{
+  static BASE: PrimeEdwardsPoint<any>;
+  static ZERO: PrimeEdwardsPoint<any>;
+  static Fp: IField<bigint>;
+  static Fn: IField<bigint>;
+
+  protected readonly ep: EdwardsPoint;
+
+  constructor(ep: EdwardsPoint) {
+    this.ep = ep;
+  }
+
+  // Abstract methods that must be implemented by subclasses
+  abstract toBytes(): Uint8Array;
+  abstract equals(other: T): boolean;
+
+  // Static methods that must be implemented by subclasses
+  static fromBytes(_bytes: Uint8Array): any {
+    throw new Error('fromBytes must be implemented by subclass');
+  }
+
+  static fromHex(_hex: Hex): any {
+    throw new Error('fromHex must be implemented by subclass');
+  }
+
+  get x(): bigint {
+    return this.toAffine().x;
+  }
+  get y(): bigint {
+    return this.toAffine().y;
+  }
+
+  // Common implementations
+  clearCofactor(): T {
+    // no-op for prime-order groups
+    return this as any;
+  }
+
+  assertValidity(): void {
+    this.ep.assertValidity();
+  }
+
+  toAffine(invertedZ?: bigint): AffinePoint<bigint> {
+    return this.ep.toAffine(invertedZ);
+  }
+
+  /** @deprecated use `toBytes` */
+  toRawBytes(): Uint8Array {
+    return this.toBytes();
+  }
+
+  toHex(): string {
+    return bytesToHex(this.toBytes());
+  }
+
+  toString(): string {
+    return this.toHex();
+  }
+
+  isTorsionFree(): boolean {
+    return true;
+  }
+
+  isSmallOrder(): boolean {
+    return false;
+  }
+
+  add(other: T): T {
+    this.assertSame(other);
+    return this.init(this.ep.add(other.ep));
+  }
+
+  subtract(other: T): T {
+    this.assertSame(other);
+    return this.init(this.ep.subtract(other.ep));
+  }
+
+  multiply(scalar: bigint): T {
+    return this.init(this.ep.multiply(scalar));
+  }
+
+  multiplyUnsafe(scalar: bigint): T {
+    return this.init(this.ep.multiplyUnsafe(scalar));
+  }
+
+  double(): T {
+    return this.init(this.ep.double());
+  }
+
+  negate(): T {
+    return this.init(this.ep.negate());
+  }
+
+  precompute(windowSize?: number, isLazy?: boolean): T {
+    return this.init(this.ep.precompute(windowSize, isLazy));
+  }
+
+  // Helper methods
+  abstract is0(): boolean;
+  protected abstract assertSame(other: T): void;
+  protected abstract init(ep: EdwardsPoint): T;
+}
+
 /**
  * Initializes EdDSA signatures over given Edwards curve.
  */
-export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
+export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts): EdDSA {
+  if (typeof cHash !== 'function') throw new Error('"hash" function param is required');
   _validateObject(
     eddsaOpts,
-    {
-      hash: 'function',
-    },
+    {},
     {
       adjustScalarBytes: 'function',
       randomBytes: 'function',
@@ -542,7 +675,7 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
     }
   );
 
-  const { prehash, hash: cHash } = eddsaOpts;
+  const { prehash } = eddsaOpts;
   const { BASE: G, Fp, Fn } = Point;
   const CURVE_ORDER = Fn.ORDER;
 
@@ -559,6 +692,7 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
   function modN(a: bigint) {
     return Fn.create(a);
   }
+
   // Little-endian SHA512 with modulo n
   function modN_LE(hash: Uint8Array): bigint {
     // Not using Fn.fromBytes: hash can be 2*Fn.BYTES
@@ -578,17 +712,17 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
     return { head, prefix, scalar };
   }
 
-  // Convenience method that creates public key from scalar. RFC8032 5.1.5
-  function getExtendedPublicKey(key: Hex) {
-    const { head, prefix, scalar } = getPrivateScalar(key);
+  /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+  function getExtendedPublicKey(secretKey: Hex) {
+    const { head, prefix, scalar } = getPrivateScalar(secretKey);
     const point = G.multiply(scalar); // Point on Edwards curve aka public key
     const pointBytes = point.toBytes();
     return { head, prefix, scalar, point, pointBytes };
   }
 
-  // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
-  function getPublicKey(privKey: Hex): Uint8Array {
-    return getExtendedPublicKey(privKey).pointBytes;
+  /** Calculates EdDSA pub key. RFC8032 5.1.5. */
+  function getPublicKey(secretKey: Hex): Uint8Array {
+    return getExtendedPublicKey(secretKey).pointBytes;
   }
 
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
@@ -598,10 +732,10 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
   }
 
   /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, privKey: Hex, options: { context?: Hex } = {}): Uint8Array {
+  function sign(msg: Hex, secretKey: Hex, options: { context?: Hex } = {}): Uint8Array {
     msg = ensureBytes('message', msg);
     if (prehash) msg = prehash(msg); // for ed25519ph etc.
-    const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+    const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
     const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
     const R = G.multiply(r).toBytes(); // R = rG
     const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
@@ -612,7 +746,8 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
     return ensureBytes('result', res, L * 2); // 64-byte signature
   }
 
-  const verifyOpts: { context?: Hex; zip215?: boolean } = VERIFY_DEFAULT;
+  // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+  const verifyOpts: { context?: Hex; zip215?: boolean } = { zip215: true };
 
   /**
    * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
@@ -650,10 +785,54 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
 
   G.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
 
+  const size = Fp.BYTES;
+  const lengths = {
+    secret: size,
+    public: size,
+    signature: 2 * size,
+    seed: size,
+  };
+  function randomSecretKey(seed = randomBytes_!(lengths.seed)): Uint8Array {
+    return seed;
+  }
+
   const utils = {
     getExtendedPublicKey,
     /** ed25519 priv keys are uniform 32b. No need to check for modulo bias, like in secp256k1. */
-    randomPrivateKey: (): Uint8Array => randomBytes_!(Fp.BYTES),
+    randomSecretKey,
+
+    isValidSecretKey,
+    isValidPublicKey,
+
+    randomPrivateKey: randomSecretKey,
+
+    /**
+     * Converts ed public key to x public key. Uses formula:
+     * - ed25519:
+     *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+     *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+     * - ed448:
+     *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+     *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
+     *
+     * There is NO `fromMontgomery`:
+     * - There are 2 valid ed25519 points for every x25519, with flipped coordinate
+     * - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
+     *   accepts inputs on the quadratic twist, which can't be moved to ed25519
+     */
+    toMontgomery(publicKey: Uint8Array): Uint8Array {
+      const { y } = Point.fromBytes(publicKey);
+      const is25519 = size === 32;
+      if (!is25519 && size !== 57) throw new Error('only defined for 25519 and 448');
+      const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
+      return Fp.toBytes(u);
+    },
+
+    toMontgomeryPriv(privateKey: Uint8Array): Uint8Array {
+      abytes(privateKey, size);
+      const hashed = cHash(privateKey.subarray(0, size));
+      return adjustScalarBytes(hashed).subarray(0, size);
+    },
 
     /**
      * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
@@ -661,19 +840,51 @@ export function eddsa(Point: ExtPointConstructor, eddsaOpts: EdDSAOpts): EdDSA {
      * but allows to speed-up subsequent getPublicKey() calls up to 20x.
      * @param windowSize 2, 4, 8, 16
      */
-    precompute(windowSize = 8, point: ExtPointType = Point.BASE): ExtPointType {
+    precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
       return point.precompute(windowSize, false);
     },
   };
 
-  return { getPublicKey, sign, verify, utils, Point };
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  }
+
+  function isValidSecretKey(key: Uint8Array): boolean {
+    try {
+      return !!Fn.fromBytes(key, false);
+    } catch (error) {
+      return false;
+    }
+  }
+
+  function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
+    try {
+      return !!Point.fromBytes(key, zip215);
+    } catch (error) {
+      return false;
+    }
+  }
+
+  return Object.freeze({
+    keygen,
+    getPublicKey,
+    sign,
+    verify,
+    utils,
+    Point,
+    info: { type: 'edwards' as const, lengths },
+  });
 }
 
+// TODO: remove
 export type EdComposed = {
   CURVE: EdwardsOpts;
   curveOpts: EdwardsExtraOpts;
+  hash: FHash;
   eddsaOpts: EdDSAOpts;
 };
+// TODO: remove
 function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
   const CURVE: EdwardsOpts = {
     a: c.a,
@@ -688,23 +899,23 @@ function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
   const Fn = Field(CURVE.n, c.nBitLength, true);
   const curveOpts: EdwardsExtraOpts = { Fp, Fn, uvRatio: c.uvRatio };
   const eddsaOpts: EdDSAOpts = {
-    hash: c.hash,
     randomBytes: c.randomBytes,
     adjustScalarBytes: c.adjustScalarBytes,
     domain: c.domain,
     prehash: c.prehash,
     mapToCurve: c.mapToCurve,
   };
-  return { CURVE, curveOpts, eddsaOpts };
+  return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
 }
+// TODO: remove
 function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
   const legacy = Object.assign({}, eddsa, { ExtendedPoint: eddsa.Point, CURVE: c });
   return legacy;
 }
 // TODO: remove. Use eddsa
 export function twistedEdwards(c: CurveTypeWithLength): CurveFn {
-  const { CURVE, curveOpts, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
+  const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
   const Point = edwards(CURVE, curveOpts);
-  const EDDSA = eddsa(Point, eddsaOpts);
+  const EDDSA = eddsa(Point, hash, eddsaOpts);
   return _eddsa_new_output_to_legacy(c, EDDSA);
 }