@noble/curves 1.9.2 → 1.9.4

package/src/abstract/weierstrass.ts

@@ -26,11 +26,13 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { hmac } from '@noble/hashes/hmac.js';
+import { ahash } from '@noble/hashes/utils';
 import {
   _validateObject,
   abool,
   abytes,
   aInRange,
+  bitLen,
   bitMask,
   bytesToHex,
   bytesToNumberBE,
@@ -56,8 +58,9 @@ import {
   wNAF,
   type AffinePoint,
   type BasicCurve,
-  type Group,
-  type GroupConstructor,
+  type CurveInfo,
+  type CurvePoint,
+  type CurvePointCons,
 } from './curve.ts';
 import {
   Field,
@@ -71,6 +74,8 @@ import {
 
 export type { AffinePoint };
 export type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Array;
+
+type EndoBasis = [[bigint, bigint], [bigint, bigint]];
 /**
  * When Weierstrass curve has `a=0`, it becomes Koblitz curve.
  * Koblitz curves allow using **efficiently-computable GLV endomorphism ψ**.
@@ -96,7 +101,8 @@ export type HmacFnSync = (key: Uint8Array, ...messages: Uint8Array[]) => Uint8Ar
  */
 export type EndomorphismOpts = {
   beta: bigint;
-  splitScalar: (k: bigint) => { k1neg: boolean; k1: bigint; k2neg: boolean; k2: bigint };
+  basises?: EndoBasis;
+  splitScalar?: (k: bigint) => { k1neg: boolean; k1: bigint; k2neg: boolean; k2: bigint };
 };
 export type BasicWCurve<T> = BasicCurve<T> & {
   // Params: a, b
@@ -109,86 +115,123 @@ export type BasicWCurve<T> = BasicCurve<T> & {
   endo?: EndomorphismOpts;
   // When a cofactor != 1, there can be an effective methods to:
   // 1. Determine whether a point is torsion-free
-  isTorsionFree?: (c: ProjConstructor<T>, point: ProjPointType<T>) => boolean;
+  isTorsionFree?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
   // 2. Clear torsion component
-  clearCofactor?: (c: ProjConstructor<T>, point: ProjPointType<T>) => ProjPointType<T>;
+  clearCofactor?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
 };
 
+// We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
+const divNearest = (num: bigint, den: bigint) => (num + (num >= 0 ? den : -den) / _2n) / den;
+
+export type ScalarEndoParts = { k1neg: boolean; k1: bigint; k2neg: boolean; k2: bigint };
+
+/**
+ * Splits scalar for GLV endomorphism.
+ */
+export function _splitEndoScalar(k: bigint, basis: EndoBasis, n: bigint): ScalarEndoParts {
+  // Split scalar into two such that part is ~half bits: `abs(part) < sqrt(N)`
+  // Since part can be negative, we need to do this on point.
+  // TODO: verifyScalar function which consumes lambda
+  const [[a1, b1], [a2, b2]] = basis;
+  const c1 = divNearest(b2 * k, n);
+  const c2 = divNearest(-b1 * k, n);
+  // |k1|/|k2| is < sqrt(N), but can be negative.
+  // If we do `k1 mod N`, we'll get big scalar (`> sqrt(N)`): so, we do cheaper negation instead.
+  let k1 = k - c1 * a1 - c2 * a2;
+  let k2 = -c1 * b1 - c2 * b2;
+  const k1neg = k1 < _0n;
+  const k2neg = k2 < _0n;
+  if (k1neg) k1 = -k1;
+  if (k2neg) k2 = -k2;
+  // Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
+  // This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
+  const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n; // Half bits of N
+  if (k1 < _0n || k1 >= MAX_NUM || k2 < _0n || k2 >= MAX_NUM) {
+    throw new Error('splitScalar (endomorphism): failed, k=' + k);
+  }
+  return { k1neg, k1, k2neg, k2 };
+}
+
+export type ECDSASigFormat = 'compact' | 'der';
 export type Entropy = Hex | boolean;
-export type SignOpts = { lowS?: boolean; extraEntropy?: Entropy; prehash?: boolean };
-export type VerOpts = {
-  lowS?: boolean;
-  prehash?: boolean;
-  format?: 'compact' | 'der' | 'js' | undefined;
-};
+export type SignOpts = Partial<{
+  lowS: boolean;
+  extraEntropy: Entropy;
+  prehash: boolean;
+  format: ECDSASigFormat | 'js';
+}>;
+export type VerOpts = Partial<{
+  lowS: boolean;
+  prehash: boolean;
+  format: ECDSASigFormat | 'js' | undefined;
+}>;
 
 function validateSigVerOpts(opts: SignOpts | VerOpts) {
   if (opts.lowS !== undefined) abool('lowS', opts.lowS);
   if (opts.prehash !== undefined) abool('prehash', opts.prehash);
 }
 
-/** Instance methods for 3D XYZ points. */
-export interface ProjPointType<T> extends Group<ProjPointType<T>> {
-  /** projective x coordinate. Note: different from .x */
-  readonly px: T;
-  /** projective y coordinate. Note: different from .y */
-  readonly py: T;
+/** Instance methods for 3D XYZ projective points. */
+export interface WeierstrassPoint<T> extends CurvePoint<T, WeierstrassPoint<T>> {
+  /** projective X coordinate. Different from affine x. */
+  readonly X: T;
+  /** projective Y coordinate. Different from affine y. */
+  readonly Y: T;
   /** projective z coordinate */
-  readonly pz: T;
-  /** affine x coordinate */
+  readonly Z: T;
+  /** affine x coordinate. Different from projective X. */
   get x(): T;
-  /** affine y coordinate */
+  /** affine y coordinate. Different from projective Y. */
   get y(): T;
-  assertValidity(): void;
-  clearCofactor(): ProjPointType<T>;
-  is0(): boolean;
-  isTorsionFree(): boolean;
-  multiplyUnsafe(scalar: bigint): ProjPointType<T>;
-  /**
-   * Massively speeds up `p.multiply(n)` by using wnaf precompute tables (caching).
-   * Table generation takes 30MB of ram and 10ms on high-end CPU, but may take
-   * much longer on slow devices.
-   * Actual generation will happen on first call of `.multiply()`.
-   * By default, BASE point is precomputed.
-   * @param windowSize - table window size
-   * @param isLazy - (default true) allows to defer generation
-   */
-  precompute(windowSize?: number, isLazy?: boolean): ProjPointType<T>;
-
-  /** Converts 3D XYZ projective point to 2D xy affine coordinates */
-  toAffine(invertedZ?: T): AffinePoint<T>;
   /** Encodes point using IEEE P1363 (DER) encoding. First byte is 2/3/4. Default = isCompressed. */
   toBytes(isCompressed?: boolean): Uint8Array;
   toHex(isCompressed?: boolean): string;
 
+  /** @deprecated use .X */
+  readonly px: T;
+  /** @deprecated use .Y */
+  readonly py: T;
+  /** @deprecated use .Z */
+  readonly pz: T;
   /** @deprecated use `toBytes` */
   toRawBytes(isCompressed?: boolean): Uint8Array;
   /** @deprecated use `multiplyUnsafe` */
-  multiplyAndAddUnsafe(Q: ProjPointType<T>, a: bigint, b: bigint): ProjPointType<T> | undefined;
+  multiplyAndAddUnsafe(
+    Q: WeierstrassPoint<T>,
+    a: bigint,
+    b: bigint
+  ): WeierstrassPoint<T> | undefined;
   /** @deprecated use `p.y % 2n === 0n` */
   hasEvenY(): boolean;
   /** @deprecated use `p.precompute(windowSize)` */
   _setWindowSize(windowSize: number): void;
 }
 
-/** Static methods for 3D XYZ points. */
-export interface ProjConstructor<T> extends GroupConstructor<ProjPointType<T>> {
-  Fp: IField<T>;
-  Fn: IField<bigint>;
+/** Static methods for 3D XYZ projective points. */
+export interface WeierstrassPointCons<T> extends CurvePointCons<T, WeierstrassPoint<T>> {
   /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
-  new (x: T, y: T, z: T): ProjPointType<T>;
-  /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
-  fromAffine(p: AffinePoint<T>): ProjPointType<T>;
-  fromBytes(encodedPoint: Uint8Array): ProjPointType<T>;
-  fromHex(hex: Hex): ProjPointType<T>;
-  fromPrivateKey(privateKey: PrivKey): ProjPointType<T>;
-  normalizeZ(points: ProjPointType<T>[]): ProjPointType<T>[];
-  msm(points: ProjPointType<T>[], scalars: bigint[]): ProjPointType<T>;
+  new (X: T, Y: T, Z: T): WeierstrassPoint<T>;
+  /** @deprecated use `Point.BASE.multiply(Point.Fn.fromBytes(privateKey))` */
+  fromPrivateKey(privateKey: PrivKey): WeierstrassPoint<T>;
+  /** @deprecated use `import { normalizeZ } from '@noble/curves/abstract/curve.js';` */
+  normalizeZ(points: WeierstrassPoint<T>[]): WeierstrassPoint<T>[];
+  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
+  msm(points: WeierstrassPoint<T>[], scalars: bigint[]): WeierstrassPoint<T>;
 }
 
+/** @deprecated use WeierstrassPoint */
+export type ProjPointType<T> = WeierstrassPoint<T>;
+/** @deprecated use WeierstrassPointCons */
+export type ProjConstructor<T> = WeierstrassPointCons<T>;
+
+// TODO: remove
 export type CurvePointsType<T> = BasicWCurve<T> & {
   fromBytes?: (bytes: Uint8Array) => AffinePoint<T>;
-  toBytes?: (c: ProjConstructor<T>, point: ProjPointType<T>, isCompressed: boolean) => Uint8Array;
+  toBytes?: (
+    c: WeierstrassPointCons<T>,
+    point: WeierstrassPoint<T>,
+    isCompressed: boolean
+  ) => Uint8Array;
 };
 
 // LegacyWeierstrassOpts
@@ -196,12 +239,13 @@ export type CurvePointsTypeWithLength<T> = Readonly<CurvePointsType<T> & Partial
 
 // LegacyWeierstrass
 export type CurvePointsRes<T> = {
-  /** @deprecated import individual CURVE params */
+  Point: WeierstrassPointCons<T>;
+
+  /** @deprecated the property will be removed in next release */
   CURVE: CurvePointsType<T>;
-  Point: ProjConstructor<T>;
   /** @deprecated use `Point` */
-  ProjectivePoint: ProjConstructor<T>;
-  /** @deprecated */
+  ProjectivePoint: WeierstrassPointCons<T>;
+  /** @deprecated use `Point.Fn.fromBytes(privateKey)` */
   normPrivateKeyToScalar: (key: PrivKey) => bigint;
   /** @deprecated */
   weierstrassEquation: (x: T) => T;
@@ -245,45 +289,53 @@ export type WeierstrassOpts<T> = Readonly<{
 export type WeierstrassExtraOpts<T> = Partial<{
   Fp: IField<T>;
   Fn: IField<bigint>;
-  // TODO: remove
-  allowedPrivateKeyLengths: readonly number[]; // for P521
   allowInfinityPoint: boolean;
   endo: EndomorphismOpts;
-  wrapPrivateKey: boolean;
-  isTorsionFree: (c: ProjConstructor<T>, point: ProjPointType<T>) => boolean;
-  clearCofactor: (c: ProjConstructor<T>, point: ProjPointType<T>) => ProjPointType<T>;
+  isTorsionFree: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
+  clearCofactor: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
   fromBytes: (bytes: Uint8Array) => AffinePoint<T>;
-  toBytes: (c: ProjConstructor<T>, point: ProjPointType<T>, isCompressed: boolean) => Uint8Array;
+  toBytes: (
+    c: WeierstrassPointCons<T>,
+    point: WeierstrassPoint<T>,
+    isCompressed: boolean
+  ) => Uint8Array;
 }>;
 
 /**
  * Options for ECDSA signatures over a Weierstrass curve.
  */
-export type ECDSAOpts = {
-  hash: CHash;
-  hmac?: HmacFnSync;
-  randomBytes?: (bytesLength?: number) => Uint8Array;
-  lowS?: boolean;
-  bits2int?: (bytes: Uint8Array) => bigint;
-  bits2int_modN?: (bytes: Uint8Array) => bigint;
-};
+export type ECDSAOpts = Partial<{
+  lowS: boolean;
+  hmac: HmacFnSync;
+  randomBytes: (bytesLength?: number) => Uint8Array;
+  bits2int: (bytes: Uint8Array) => bigint;
+  bits2int_modN: (bytes: Uint8Array) => bigint;
+}>;
 
 /** ECDSA is only supported for prime fields, not Fp2 (extension fields). */
 export interface ECDSA {
-  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
-  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => RecoveredSignatureType;
+  keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
+  getPublicKey: (secretKey: PrivKey, isCompressed?: boolean) => Uint8Array;
+  sign: (msgHash: Hex, secretKey: PrivKey, opts?: SignOpts) => ECDSASigRecovered;
   verify: (signature: Hex | SignatureLike, msgHash: Hex, publicKey: Hex, opts?: VerOpts) => boolean;
-  Point: ProjConstructor<bigint>;
-  Signature: SignatureConstructor;
+  getSharedSecret: (secretKeyA: PrivKey, publicKeyB: Hex, isCompressed?: boolean) => Uint8Array;
+  Point: WeierstrassPointCons<bigint>;
+  Signature: ECDSASignatureCons;
   utils: {
-    isValidPrivateKey(privateKey: PrivKey): boolean;
-    randomPrivateKey: () => Uint8Array;
-    // TODO: deprecate those two
+    isValidSecretKey: (secretKey: PrivKey) => boolean;
+    isValidPublicKey: (publicKey: Uint8Array, isCompressed?: boolean) => boolean;
+    randomSecretKey: (seed?: Uint8Array) => Uint8Array;
+
+    /** @deprecated use `randomSecretKey` */
+    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
+    /** @deprecated use `isValidSecretKey` */
+    isValidPrivateKey: (secretKey: PrivKey) => boolean;
+    /** @deprecated use `Point.Fn.fromBytes()` */
     normPrivateKeyToScalar: (key: PrivKey) => bigint;
-    /** @deprecated */
-    precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
+    /** @deprecated use `point.precompute()` */
+    precompute: (windowSize?: number, point?: WeierstrassPoint<bigint>) => WeierstrassPoint<bigint>;
   };
+  info: CurveInfo;
 }
 export class DERErr extends Error {
   constructor(m = '') {
@@ -420,45 +472,27 @@ export function _legacyHelperEquat<T>(Fp: IField<T>, a: T, b: T): (x: T) => T {
   }
   return weierstrassEquation;
 }
-export function _legacyHelperNormPriv(
-  Fn: IField<bigint>,
-  allowedPrivateKeyLengths?: readonly number[],
-  wrapPrivateKey?: boolean
-): (key: PrivKey) => bigint {
+export function _normFnElement(Fn: IField<bigint>, key: PrivKey): bigint {
   const { BYTES: expected } = Fn;
-  // Validates if priv key is valid and converts it to bigint.
-  function normPrivateKeyToScalar(key: PrivKey): bigint {
-    let num: bigint;
-    if (typeof key === 'bigint') {
-      num = key;
-    } else {
-      let bytes = ensureBytes('private key', key);
-      if (allowedPrivateKeyLengths) {
-        if (!allowedPrivateKeyLengths.includes(bytes.length * 2))
-          throw new Error('invalid private key');
-        const padded = new Uint8Array(expected);
-        padded.set(bytes, padded.length - bytes.length);
-        bytes = padded;
-      }
-      try {
-        num = Fn.fromBytes(bytes);
-      } catch (error) {
-        throw new Error(
-          `invalid private key: expected ui8a of size ${expected}, got ${typeof key}`
-        );
-      }
+  let num: bigint;
+  if (typeof key === 'bigint') {
+    num = key;
+  } else {
+    let bytes = ensureBytes('private key', key);
+    try {
+      num = Fn.fromBytes(bytes);
+    } catch (error) {
+      throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
     }
-    if (wrapPrivateKey) num = Fn.create(num); // disabled by default, enabled for BLS
-    if (!Fn.isValidNot0(num)) throw new Error('invalid private key: out of range [1..N-1]');
-    return num;
   }
-  return normPrivateKeyToScalar;
+  if (!Fn.isValidNot0(num)) throw new Error('invalid private key: out of range [1..N-1]');
+  return num;
 }
 
 export function weierstrassN<T>(
   CURVE: WeierstrassOpts<T>,
   curveOpts: WeierstrassExtraOpts<T> = {}
-): ProjConstructor<T> {
+): WeierstrassPointCons<T> {
   const { Fp, Fn } = _createCurveFields('weierstrass', CURVE, curveOpts);
   const { h: cofactor, n: CURVE_ORDER } = CURVE;
   _validateObject(
@@ -478,12 +512,8 @@ export function weierstrassN<T>(
   const { endo } = curveOpts;
   if (endo) {
     // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
-    if (
-      !Fp.is0(CURVE.a) ||
-      typeof endo.beta !== 'bigint' ||
-      typeof endo.splitScalar !== 'function'
-    ) {
-      throw new Error('invalid endo: expected "beta": bigint and "splitScalar": function');
+    if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
+      throw new Error('invalid endo: expected "beta": bigint and "basises": array');
     }
   }
 
@@ -493,8 +523,8 @@ export function weierstrassN<T>(
 
   // Implements IEEE P1363 point encoding
   function pointToBytes(
-    _c: ProjConstructor<T>,
-    point: ProjPointType<T>,
+    _c: WeierstrassPointCons<T>,
+    point: WeierstrassPoint<T>,
     isCompressed: boolean
   ): Uint8Array {
     const { x, y } = point.toAffine();
@@ -578,25 +608,30 @@ export function weierstrassN<T>(
     if (!(other instanceof Point)) throw new Error('ProjectivePoint expected');
   }
 
+  function splitEndoScalarN(k: bigint) {
+    if (!endo || !endo.basises) throw new Error('no endo');
+    return _splitEndoScalar(k, endo.basises, Fn.ORDER);
+  }
+
   // Memoized toAffine / validity check. They are heavy. Points are immutable.
 
   // Converts Projective point to affine (x, y) coordinates.
   // Can accept precomputed Z^-1 - for example, from invertBatch.
   // (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
   const toAffineMemo = memoized((p: Point, iz?: T): AffinePoint<T> => {
-    const { px: x, py: y, pz: z } = p;
+    const { X, Y, Z } = p;
     // Fast-path for normalized points
-    if (Fp.eql(z, Fp.ONE)) return { x, y };
+    if (Fp.eql(Z, Fp.ONE)) return { x: X, y: Y };
     const is0 = p.is0();
     // If invZ was 0, we return zero point. However we still want to execute
     // all operations, so we replace invZ with a random number, 1.
-    if (iz == null) iz = is0 ? Fp.ONE : Fp.inv(z);
-    const ax = Fp.mul(x, iz);
-    const ay = Fp.mul(y, iz);
-    const zz = Fp.mul(z, iz);
+    if (iz == null) iz = is0 ? Fp.ONE : Fp.inv(Z);
+    const x = Fp.mul(X, iz);
+    const y = Fp.mul(Y, iz);
+    const zz = Fp.mul(Z, iz);
     if (is0) return { x: Fp.ZERO, y: Fp.ZERO };
     if (!Fp.eql(zz, Fp.ONE)) throw new Error('invZ was invalid');
-    return { x: ax, y: ay };
+    return { x, y };
   });
   // NOTE: on exception this will crash 'cached' and no value will be set.
   // Otherwise true will be return
@@ -605,7 +640,7 @@ export function weierstrassN<T>(
       // (0, 1, 0) aka ZERO is invalid in most contexts.
       // In BLS, ZERO can be serialized, so we allow it.
       // (0, 0, 0) is invalid representation of ZERO.
-      if (curveOpts.allowInfinityPoint && !Fp.is0(p.py)) return;
+      if (curveOpts.allowInfinityPoint && !Fp.is0(p.Y)) return;
       throw new Error('bad point: ZERO');
     }
     // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
@@ -623,7 +658,7 @@ export function weierstrassN<T>(
     k1neg: boolean,
     k2neg: boolean
   ) {
-    k2p = new Point(Fp.mul(k2p.px, endoBeta), k2p.py, k2p.pz);
+    k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
     k1p = negateCt(k1neg, k1p);
     k2p = negateCt(k2neg, k2p);
     return k1p.add(k2p);
@@ -634,7 +669,7 @@ export function weierstrassN<T>(
    * Default Point works in 2d / affine coordinates: (x, y).
    * We're doing calculations in projective, because its operations don't require costly inversion.
    */
-  class Point implements ProjPointType<T> {
+  class Point implements WeierstrassPoint<T> {
     // base / generator point
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     // zero / infinity / identity point
@@ -643,15 +678,15 @@ export function weierstrassN<T>(
     static readonly Fp = Fp;
     static readonly Fn = Fn;
 
-    readonly px: T;
-    readonly py: T;
-    readonly pz: T;
+    readonly X: T;
+    readonly Y: T;
+    readonly Z: T;
 
     /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
-    constructor(px: T, py: T, pz: T) {
-      this.px = acoord('x', px);
-      this.py = acoord('y', py, true);
-      this.pz = acoord('z', pz);
+    constructor(X: T, Y: T, Z: T) {
+      this.X = acoord('x', X);
+      this.Y = acoord('y', Y, true);
+      this.Z = acoord('z', Z);
       Object.freeze(this);
     }
 
@@ -672,8 +707,18 @@ export function weierstrassN<T>(
       return this.toAffine().y;
     }
 
+    // TODO: remove
+    get px(): T {
+      return this.X;
+    }
+    get py(): T {
+      return this.X;
+    }
+    get pz(): T {
+      return this.Z;
+    }
     static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, 'pz', points);
+      return normalizeZ(Point, points);
     }
 
     static fromBytes(bytes: Uint8Array): Point {
@@ -690,18 +735,16 @@ export function weierstrassN<T>(
 
     /** Multiplies generator point by privateKey. */
     static fromPrivateKey(privateKey: PrivKey) {
-      const normPrivateKeyToScalar = _legacyHelperNormPriv(
-        Fn,
-        curveOpts.allowedPrivateKeyLengths,
-        curveOpts.wrapPrivateKey
-      );
-      return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
+      return Point.BASE.multiply(_normFnElement(Fn, privateKey));
     }
 
-    /** Multiscalar Multiplication */
+    // TODO: remove
     static msm(points: Point[], scalars: bigint[]): Point {
       return pippenger(Point, Fn, points, scalars);
     }
+    _setWindowSize(windowSize: number) {
+      this.precompute(windowSize);
+    }
 
     /**
      *
@@ -710,16 +753,11 @@ export function weierstrassN<T>(
      * @returns
      */
     precompute(windowSize: number = 8, isLazy = true): Point {
-      wnaf.setWindowSize(this, windowSize);
+      wnaf.createCache(this, windowSize);
       if (!isLazy) this.multiply(_3n); // random number
       return this;
     }
 
-    /** "Private method", don't use it directly */
-    _setWindowSize(windowSize: number) {
-      this.precompute(windowSize);
-    }
-
     // TODO: return `this`
     /** A point on curve is valid if it conforms to equation. */
     assertValidity(): void {
@@ -735,8 +773,8 @@ export function weierstrassN<T>(
     /** Compare one point to another. */
     equals(other: Point): boolean {
       aprjpoint(other);
-      const { px: X1, py: Y1, pz: Z1 } = this;
-      const { px: X2, py: Y2, pz: Z2 } = other;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
       const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
       const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
       return U1 && U2;
@@ -744,7 +782,7 @@ export function weierstrassN<T>(
 
     /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
     negate(): Point {
-      return new Point(this.px, Fp.neg(this.py), this.pz);
+      return new Point(this.X, Fp.neg(this.Y), this.Z);
     }
 
     // Renes-Costello-Batina exception-free doubling formula.
@@ -754,7 +792,7 @@ export function weierstrassN<T>(
     double() {
       const { a, b } = CURVE;
       const b3 = Fp.mul(b, _3n);
-      const { px: X1, py: Y1, pz: Z1 } = this;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       let t0 = Fp.mul(X1, X1); // step 1
       let t1 = Fp.mul(Y1, Y1);
@@ -796,8 +834,8 @@ export function weierstrassN<T>(
     // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
     add(other: Point): Point {
       aprjpoint(other);
-      const { px: X1, py: Y1, pz: Z1 } = this;
-      const { px: X2, py: Y2, pz: Z2 } = other;
+      const { X: X1, Y: Y1, Z: Z1 } = this;
+      const { X: X2, Y: Y2, Z: Z2 } = other;
       let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
       const a = CURVE.a;
       const b3 = Fp.mul(CURVE.b, _3n);
@@ -865,10 +903,10 @@ export function weierstrassN<T>(
       const { endo } = curveOpts;
       if (!Fn.isValidNot0(scalar)) throw new Error('invalid scalar: out of range'); // 0 is invalid
       let point: Point, fake: Point; // Fake point is used to const-time mult
-      const mul = (n: bigint) => wnaf.wNAFCached(this, n, Point.normalizeZ);
+      const mul = (n: bigint) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
       /** See docs for {@link EndomorphismOpts} */
       if (endo) {
-        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
+        const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
         const { p: k1p, f: k1f } = mul(k1);
         const { p: k2p, f: k2f } = mul(k2);
         fake = k1f.add(k2f);
@@ -879,13 +917,13 @@ export function weierstrassN<T>(
         fake = f;
       }
       // Normalize `z` for both points, but return only real one
-      return Point.normalizeZ([point, fake])[0];
+      return normalizeZ(Point, [point, fake])[0];
     }
 
     /**
      * Non-constant-time multiplication. Uses double-and-add algorithm.
      * It's faster, but should only be used when you don't care about
-     * an exposed private key e.g. sig verification, which works over *public* keys.
+     * an exposed secret key e.g. sig verification, which works over *public* keys.
      */
     multiplyUnsafe(sc: bigint): Point {
       const { endo } = curveOpts;
@@ -893,14 +931,13 @@ export function weierstrassN<T>(
       if (!Fn.isValid(sc)) throw new Error('invalid scalar: out of range'); // 0 is valid
       if (sc === _0n || p.is0()) return Point.ZERO;
       if (sc === _1n) return p; // fast-path
-      if (wnaf.hasPrecomputes(this)) return this.multiply(sc);
+      if (wnaf.hasCache(this)) return this.multiply(sc);
       if (endo) {
-        const { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
-        // `wNAFCachedUnsafe` is 30% slower
-        const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2);
+        const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
+        const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
         return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
       } else {
-        return wnaf.wNAFCachedUnsafe(p, sc);
+        return wnaf.unsafe(p, sc);
       }
     }
 
@@ -925,7 +962,7 @@ export function weierstrassN<T>(
       const { isTorsionFree } = curveOpts;
       if (cofactor === _1n) return true;
       if (isTorsionFree) return isTorsionFree(Point, this);
-      return wnaf.wNAFCachedUnsafe(this, CURVE_ORDER).is0();
+      return wnaf.unsafe(this, CURVE_ORDER).is0();
     }
 
     clearCofactor(): Point {
@@ -935,6 +972,11 @@ export function weierstrassN<T>(
       return this.multiplyUnsafe(cofactor);
     }
 
+    isSmallOrder(): boolean {
+      // can we use this.clearCofactor()?
+      return this.multiplyUnsafe(cofactor).is0();
+    }
+
     toBytes(isCompressed = true): Uint8Array {
       abool('isCompressed', isCompressed);
       this.assertValidity();
@@ -955,12 +997,13 @@ export function weierstrassN<T>(
     }
   }
   const bits = Fn.BITS;
-  const wnaf = wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+  const wnaf = new wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
   return Point;
 }
 
 // _legacyWeierstrass
-/** @deprecated use `weierstrassN` */
+// TODO: remove
+/** @deprecated use `weierstrass` in newer releases */
 export function weierstrassPoints<T>(c: CurvePointsTypeWithLength<T>): CurvePointsRes<T> {
   const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
   const Point = weierstrassN(CURVE, curveOpts);
@@ -968,33 +1011,49 @@ export function weierstrassPoints<T>(c: CurvePointsTypeWithLength<T>): CurvePoin
 }
 
 // Instance
-export interface SignatureType {
+export interface ECDSASignature {
   readonly r: bigint;
   readonly s: bigint;
   readonly recovery?: number;
-  assertValidity(): void;
-  addRecoveryBit(recovery: number): RecoveredSignatureType;
+  addRecoveryBit(recovery: number): ECDSASigRecovered;
   hasHighS(): boolean;
-  normalizeS(): SignatureType;
-  recoverPublicKey(msgHash: Hex): ProjPointType<bigint>;
+  normalizeS(): ECDSASignature;
+  recoverPublicKey(msgHash: Hex): WeierstrassPoint<bigint>;
+  toBytes(format?: string): Uint8Array;
+  toHex(format?: string): string;
+
+  /** @deprecated */
+  assertValidity(): void;
+  /** @deprecated use `.toBytes('compact')` */
   toCompactRawBytes(): Uint8Array;
+  /** @deprecated use `.toBytes('compact')` */
   toCompactHex(): string;
+  /** @deprecated use `.toBytes('der')` */
   toDERRawBytes(): Uint8Array;
+  /** @deprecated use `.toBytes('der')` */
   toDERHex(): string;
-  // toBytes(format?: string): Uint8Array;
 }
-export type RecoveredSignatureType = SignatureType & {
+export type SignatureType = ECDSASignature;
+export type ECDSASigRecovered = ECDSASignature & {
   readonly recovery: number;
 };
+export type RecoveredSignatureType = ECDSASigRecovered;
 // Static methods
-export type SignatureConstructor = {
-  new (r: bigint, s: bigint, recovery?: number): SignatureType;
-  fromCompact(hex: Hex): SignatureType;
-  fromDER(hex: Hex): SignatureType;
+export type ECDSASignatureCons = {
+  new (r: bigint, s: bigint, recovery?: number): ECDSASignature;
+  fromBytes(bytes: Uint8Array, format?: ECDSASigFormat): ECDSASignature;
+  fromHex(hex: string, format?: ECDSASigFormat): ECDSASignature;
+
+  /** @deprecated use `.fromBytes(bytes, 'compact')` */
+  fromCompact(hex: Hex): ECDSASignature;
+  /** @deprecated use `.fromBytes(bytes, 'der')` */
+  fromDER(hex: Hex): ECDSASignature;
 };
 export type SignatureLike = { r: bigint; s: bigint };
-export type PubKey = Hex | ProjPointType<bigint>;
+// TODO: remove
+export type PubKey = Hex | WeierstrassPoint<bigint>;
 
+// TODO: remove
 export type CurveType = BasicWCurve<bigint> & {
   hash: CHash; // CHash not FHash because we need outputLen for DRBG
   hmac?: HmacFnSync;
@@ -1009,32 +1068,168 @@ function pprefix(hasEvenY: boolean): Uint8Array {
   return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
 }
 
+// TODO: remove
 export type CurveFn = {
+  /** @deprecated the property will be removed in next release */
   CURVE: CurvePointsType<bigint>;
-  getPublicKey: (privateKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  getSharedSecret: (privateA: PrivKey, publicB: Hex, isCompressed?: boolean) => Uint8Array;
-  sign: (msgHash: Hex, privKey: PrivKey, opts?: SignOpts) => RecoveredSignatureType;
-  verify: (signature: Hex | SignatureLike, msgHash: Hex, publicKey: Hex, opts?: VerOpts) => boolean;
-  Point: ProjConstructor<bigint>;
+  keygen: ECDSA['keygen'];
+  getPublicKey: ECDSA['getPublicKey'];
+  getSharedSecret: ECDSA['getSharedSecret'];
+  sign: ECDSA['sign'];
+  verify: ECDSA['verify'];
+  Point: WeierstrassPointCons<bigint>;
   /** @deprecated use `Point` */
-  ProjectivePoint: ProjConstructor<bigint>;
-  Signature: SignatureConstructor;
-  utils: {
-    normPrivateKeyToScalar: (key: PrivKey) => bigint;
-    isValidPrivateKey(privateKey: PrivKey): boolean;
-    randomPrivateKey: () => Uint8Array;
-    precompute: (windowSize?: number, point?: ProjPointType<bigint>) => ProjPointType<bigint>;
-  };
+  ProjectivePoint: WeierstrassPointCons<bigint>;
+  Signature: ECDSASignatureCons;
+  utils: ECDSA['utils'];
+  info: CurveInfo;
 };
 
+/**
+ * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
+ * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
+ * b = True and y = sqrt(u / v) if (u / v) is square in F, and
+ * b = False and y = sqrt(Z * (u / v)) otherwise.
+ * @param Fp
+ * @param Z
+ * @returns
+ */
+export function SWUFpSqrtRatio<T>(
+  Fp: IField<T>,
+  Z: T
+): (u: T, v: T) => { isValid: boolean; value: T } {
+  // Generic implementation
+  const q = Fp.ORDER;
+  let l = _0n;
+  for (let o = q - _1n; o % _2n === _0n; o /= _2n) l += _1n;
+  const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
+  // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
+  // 2n ** c1 == 2n << (c1-1)
+  const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
+  const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
+  const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
+  const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
+  const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
+  const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
+  const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
+  const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
+  let sqrtRatio = (u: T, v: T): { isValid: boolean; value: T } => {
+    let tv1 = c6; // 1. tv1 = c6
+    let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
+    let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2
+    tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
+    let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
+    tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
+    tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
+    tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
+    tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
+    let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
+    tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
+    let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1
+    tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
+    tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
+    tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
+    tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
+    // 17. for i in (c1, c1 - 1, ..., 2):
+    for (let i = c1; i > _1n; i--) {
+      let tv5 = i - _2n; // 18.    tv5 = i - 2
+      tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
+      let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
+      const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
+      tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
+      tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1
+      tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1
+      tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)
+      tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)
+    }
+    return { isValid: isQR, value: tv3 };
+  };
+  if (Fp.ORDER % _4n === _3n) {
+    // sqrt_ratio_3mod4(u, v)
+    const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
+    const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
+    sqrtRatio = (u: T, v: T) => {
+      let tv1 = Fp.sqr(v); // 1. tv1 = v^2
+      const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
+      tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
+      let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
+      y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
+      const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
+      const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
+      const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u
+      let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
+      return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
+    };
+  }
+  // No curves uses that
+  // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
+  return sqrtRatio;
+}
+/**
+ * Simplified Shallue-van de Woestijne-Ulas Method
+ * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
+ */
+export function mapToCurveSimpleSWU<T>(
+  Fp: IField<T>,
+  opts: {
+    A: T;
+    B: T;
+    Z: T;
+  }
+): (u: T) => { x: T; y: T } {
+  validateField(Fp);
+  const { A, B, Z } = opts;
+  if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
+    throw new Error('mapToCurveSimpleSWU: invalid opts');
+  const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
+  if (!Fp.isOdd) throw new Error('Field does not have .isOdd()');
+  // Input: u, an element of F.
+  // Output: (x, y), a point on E.
+  return (u: T): { x: T; y: T } => {
+    // prettier-ignore
+    let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
+    tv1 = Fp.sqr(u); // 1.  tv1 = u^2
+    tv1 = Fp.mul(tv1, Z); // 2.  tv1 = Z * tv1
+    tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2
+    tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
+    tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
+    tv3 = Fp.mul(tv3, B); // 6.  tv3 = B * tv3
+    tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
+    tv4 = Fp.mul(tv4, A); // 8.  tv4 = A * tv4
+    tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2
+    tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
+    tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
+    tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
+    tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
+    tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
+    tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
+    tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
+    x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
+    const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
+    y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1
+    y = Fp.mul(y, value); // 20.   y = y * y1
+    x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)
+    y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
+    const e1 = Fp.isOdd!(u) === Fp.isOdd!(y); // 23.  e1 = sgn0(u) == sgn0(y)
+    y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
+    const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
+    x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
+    return { x, y };
+  };
+}
+
+/**
+ * Creates ECDSA for given elliptic curve Point and hash function.
+ */
 export function ecdsa(
-  Point: ProjConstructor<bigint>,
-  ecdsaOpts: ECDSAOpts,
-  curveOpts: WeierstrassExtraOpts<bigint> = {}
+  Point: WeierstrassPointCons<bigint>,
+  hash: CHash,
+  ecdsaOpts: ECDSAOpts = {}
 ): ECDSA {
+  ahash(hash);
   _validateObject(
     ecdsaOpts,
-    { hash: 'function' },
+    {},
     {
       hmac: 'function',
       lowS: 'boolean',
@@ -1047,11 +1242,20 @@ export function ecdsa(
   const randomBytes_ = ecdsaOpts.randomBytes || randomBytes;
   const hmac_: HmacFnSync =
     ecdsaOpts.hmac ||
-    (((key, ...msgs) => hmac(ecdsaOpts.hash, key, concatBytes(...msgs))) satisfies HmacFnSync);
+    (((key, ...msgs) => hmac(hash, key, concatBytes(...msgs))) satisfies HmacFnSync);
 
   const { Fp, Fn } = Point;
   const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
 
+  const seedLen = getMinHashLength(CURVE_ORDER);
+  const lengths = {
+    secret: Fn.BYTES,
+    public: 1 + Fp.BYTES,
+    publicUncompressed: 1 + 2 * Fp.BYTES,
+    signature: 2 * Fn.BYTES,
+    seed: seedLen,
+  };
+
   function isBiggerThanHalfOrder(number: bigint) {
     const HALF = CURVE_ORDER >> _1n;
     return number > HALF;
@@ -1068,7 +1272,7 @@ export function ecdsa(
   /**
    * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
    */
-  class Signature implements SignatureType {
+  class Signature implements ECDSASignature {
     readonly r: bigint;
     readonly s: bigint;
     readonly recovery?: number;
@@ -1081,26 +1285,26 @@ export function ecdsa(
       Object.freeze(this);
     }
 
-    // pair (bytes of r, bytes of s)
-    static fromCompact(hex: Hex) {
-      const L = Fn.BYTES;
-      const b = ensureBytes('compactSignature', hex, L * 2);
-      return new Signature(Fn.fromBytes(b.subarray(0, L)), Fn.fromBytes(b.subarray(L, L * 2)));
+    static fromBytes(bytes: Uint8Array, format: ECDSASigFormat = 'compact') {
+      if (format === 'compact') {
+        const L = Fn.BYTES;
+        abytes(bytes, L * 2);
+        const r = bytes.subarray(0, L);
+        const s = bytes.subarray(L, L * 2);
+        return new Signature(Fn.fromBytes(r), Fn.fromBytes(s));
+      }
+      if (format === 'der') {
+        abytes(bytes);
+        const { r, s } = DER.toSig(bytes);
+        return new Signature(r, s);
+      }
+      throw new Error('invalid format');
     }
 
-    // DER encoded ECDSA signature
-    // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
-    static fromDER(hex: Hex) {
-      const { r, s } = DER.toSig(ensureBytes('DER', hex));
-      return new Signature(r, s);
+    static fromHex(hex: string, format?: ECDSASigFormat) {
+      return this.fromBytes(hexToBytes(hex), format);
     }
 
-    /**
-     * @todo remove
-     * @deprecated
-     */
-    assertValidity(): void {}
-
     addRecoveryBit(recovery: number): RecoveredSignature {
       return new Signature(this.r, this.s, recovery) as RecoveredSignature;
     }
@@ -1146,21 +1350,30 @@ export function ecdsa(
       return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
     }
 
-    toBytes(format: 'compact' | 'der') {
+    toBytes(format: ECDSASigFormat = 'compact') {
       if (format === 'compact') return concatBytes(Fn.toBytes(this.r), Fn.toBytes(this.s));
       if (format === 'der') return hexToBytes(DER.hexFromSig(this));
       throw new Error('invalid format');
     }
 
-    // DER-encoded
+    toHex(format?: ECDSASigFormat) {
+      return bytesToHex(this.toBytes(format));
+    }
+
+    // TODO: remove
+    assertValidity(): void {}
+    static fromCompact(hex: Hex) {
+      return Signature.fromBytes(ensureBytes('sig', hex), 'compact');
+    }
+    static fromDER(hex: Hex) {
+      return Signature.fromBytes(ensureBytes('sig', hex), 'der');
+    }
     toDERRawBytes() {
       return this.toBytes('der');
     }
     toDERHex() {
       return bytesToHex(this.toBytes('der'));
     }
-
-    // padded bytes of r, then padded bytes of s
     toCompactRawBytes() {
       return this.toBytes('compact');
     }
@@ -1170,80 +1383,81 @@ export function ecdsa(
   }
   type RecoveredSignature = Signature & { recovery: number };
 
-  const normPrivateKeyToScalar = _legacyHelperNormPriv(
-    Fn,
-    curveOpts.allowedPrivateKeyLengths,
-    curveOpts.wrapPrivateKey
-  );
+  function isValidSecretKey(privateKey: PrivKey) {
+    try {
+      return !!_normFnElement(Fn, privateKey);
+    } catch (error) {
+      return false;
+    }
+  }
+  function isValidPublicKey(publicKey: Uint8Array, isCompressed?: boolean): boolean {
+    try {
+      const l = publicKey.length;
+      if (isCompressed === true && l !== lengths.public) return false;
+      if (isCompressed === false && l !== lengths.publicUncompressed) return false;
+      return !!Point.fromBytes(publicKey);
+    } catch (error) {
+      return false;
+    }
+  }
+  /**
+   * Produces cryptographically secure secret key from random of size
+   * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+   */
+  function randomSecretKey(seed = randomBytes_(seedLen)): Uint8Array {
+    return mapHashToField(seed, CURVE_ORDER);
+  }
 
   const utils = {
-    isValidPrivateKey(privateKey: PrivKey) {
-      try {
-        normPrivateKeyToScalar(privateKey);
-        return true;
-      } catch (error) {
-        return false;
-      }
-    },
-    normPrivateKeyToScalar: normPrivateKeyToScalar,
-
-    /**
-     * Produces cryptographically secure private key from random of size
-     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-     */
-    randomPrivateKey: (): Uint8Array => {
-      const n = CURVE_ORDER;
-      return mapHashToField(randomBytes_(getMinHashLength(n)), n);
-    },
+    isValidSecretKey,
+    isValidPublicKey,
+    randomSecretKey,
 
-    precompute(windowSize = 8, point = Point.BASE): typeof Point.BASE {
+    // TODO: remove
+    isValidPrivateKey: isValidSecretKey,
+    randomPrivateKey: randomSecretKey,
+    normPrivateKeyToScalar: (key: PrivKey) => _normFnElement(Fn, key),
+    precompute(windowSize = 8, point = Point.BASE): WeierstrassPoint<bigint> {
       return point.precompute(windowSize, false);
     },
   };
 
   /**
-   * Computes public key for a private key. Checks for validity of the private key.
-   * @param privateKey private key
+   * Computes public key for a secret key. Checks for validity of the secret key.
    * @param isCompressed whether to return compact (default), or full key
    * @returns Public key, full when isCompressed=false; short when isCompressed=true
    */
-  function getPublicKey(privateKey: PrivKey, isCompressed = true): Uint8Array {
-    return Point.fromPrivateKey(privateKey).toBytes(isCompressed);
+  function getPublicKey(secretKey: PrivKey, isCompressed = true): Uint8Array {
+    return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
   }
 
   /**
    * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
    */
   function isProbPub(item: PrivKey | PubKey): boolean | undefined {
+    // TODO: remove
     if (typeof item === 'bigint') return false;
+    // TODO: remove
     if (item instanceof Point) return true;
-    const arr = ensureBytes('key', item);
-    const length = arr.length;
-    const L = Fp.BYTES;
-    const LC = L + 1; // e.g. 33 for 32
-    const LU = 2 * L + 1; // e.g. 65 for 32
-    if (curveOpts.allowedPrivateKeyLengths || Fn.BYTES === LC) {
-      return undefined;
-    } else {
-      return length === LC || length === LU;
-    }
+    if (Fn.allowedLengths || lengths.secret === lengths.public) return undefined;
+    const l = ensureBytes('key', item).length;
+    return l === lengths.public || l === lengths.publicUncompressed;
   }
 
   /**
    * ECDH (Elliptic Curve Diffie Hellman).
-   * Computes shared public key from private key and public key.
-   * Checks: 1) private key validity 2) shared key is on-curve.
+   * Computes shared public key from secret key A and public key B.
+   * Checks: 1) secret key validity 2) shared key is on-curve.
    * Does NOT hash the result.
-   * @param privateA private key
-   * @param publicB different public key
    * @param isCompressed whether to return compact (default), or full key
    * @returns shared public key
    */
-  function getSharedSecret(privateA: PrivKey, publicB: Hex, isCompressed = true): Uint8Array {
-    if (isProbPub(privateA) === true) throw new Error('first arg must be private key');
-    if (isProbPub(publicB) === false) throw new Error('second arg must be public key');
-    const b = Point.fromHex(publicB); // check for being on-curve
-    return b.multiply(normPrivateKeyToScalar(privateA)).toBytes(isCompressed);
+  function getSharedSecret(secretKeyA: PrivKey, publicKeyB: Hex, isCompressed = true): Uint8Array {
+    if (isProbPub(secretKeyA) === true) throw new Error('first arg must be private key');
+    if (isProbPub(publicKeyB) === false) throw new Error('second arg must be public key');
+    const s = _normFnElement(Fn, secretKeyA);
+    const b = Point.fromHex(publicKeyB); // checks for being on-curve
+    return b.multiply(s).toBytes(isCompressed);
   }
 
   // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
@@ -1285,7 +1499,6 @@ export function ecdsa(
   function prepSig(msgHash: Hex, privateKey: PrivKey, opts = defaultSigOpts) {
     if (['recovered', 'canonical'].some((k) => k in opts))
       throw new Error('sign() legacy options not supported');
-    const { hash } = ecdsaOpts;
     let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
     if (lowS == null) lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
     msgHash = ensureBytes('msgHash', msgHash);
@@ -1296,17 +1509,21 @@ export function ecdsa(
     // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
     // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
     const h1int = bits2int_modN(msgHash);
-    const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
+    const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
     const seedArgs = [int2octets(d), int2octets(h1int)];
     // extraEntropy. RFC6979 3.6: additional k' (optional).
     if (ent != null && ent !== false) {
       // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-      const e = ent === true ? randomBytes_(Fp.BYTES) : ent; // generate random bytes OR pass as-is
+      const e = ent === true ? randomBytes_(lengths.secret) : ent; // gen random bytes OR pass as-is
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
     const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
     const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
     // Converts signature params into point w r/s, checks result for validity.
+    // To transform k => Signature:
+    // q = k⋅G
+    // r = q.x mod n
+    // s = k^-1(m + rd) mod n
     // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
     // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
     // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
@@ -1316,7 +1533,7 @@ export function ecdsa(
       const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
       if (!Fn.isValidNot0(k)) return; // Valid scalars (including k) must be in 1..N-1
       const ik = Fn.inv(k); // k^-1 mod n
-      const q = Point.BASE.multiply(k).toAffine(); // q = Gk
+      const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
       const r = Fn.create(q.x); // r = q.x mod n
       if (r === _0n) return;
       const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
@@ -1335,21 +1552,17 @@ export function ecdsa(
   const defaultVerOpts: VerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
 
   /**
-   * Signs message hash with a private key.
+   * Signs message hash with a secret key.
    * ```
    * sign(m, d, k) where
    *   (x, y) = G × k
    *   r = x mod n
    *   s = (m + dr)/k mod n
    * ```
-   * @param msgHash NOT message. msg needs to be hashed to `msgHash`, or use `prehash`.
-   * @param privKey private key
-   * @param opts lowS for non-malleable sigs. extraEntropy for mixing randomness into k. prehash will hash first arg.
-   * @returns signature with recovery param
    */
-  function sign(msgHash: Hex, privKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
-    const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
-    const drbg = createHmacDrbg<RecoveredSignature>(ecdsaOpts.hash.outputLen, Fn.BYTES, hmac_);
+  function sign(msgHash: Hex, secretKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
+    const { seed, k2sig } = prepSig(msgHash, secretKey, opts); // Steps A, D of RFC6979 3.2.
+    const drbg = createHmacDrbg<RecoveredSignature>(hash.outputLen, Fn.BYTES, hmac_);
     return drbg(seed, k2sig); // Steps B, C, D, E, F, G
   }
 
@@ -1386,90 +1599,103 @@ export function ecdsa(
     // TODO: remove
     if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
 
-    if (format !== undefined && !['compact', 'der', 'js'].includes(format))
-      throw new Error('format must be "compact", "der" or "js"');
-    const isHex = typeof sg === 'string' || isBytes(sg);
-    const isObj =
-      !isHex &&
-      !format &&
-      typeof sg === 'object' &&
-      sg !== null &&
-      typeof sg.r === 'bigint' &&
-      typeof sg.s === 'bigint';
-    if (!isHex && !isObj)
-      throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
     let _sig: Signature | undefined = undefined;
-    let P: ProjPointType<bigint>;
-
-    // deduce signature format
-    try {
-      // if (format === 'js') {
-      //   if (sg != null && !isBytes(sg)) _sig = new Signature(sg.r, sg.s);
-      // } else if (format === 'compact') {
-      //   _sig = Signature.fromCompact(sg);
-      // } else if (format === 'der') {
-      //   _sig = Signature.fromDER(sg);
-      // } else {
-      //   throw new Error('invalid format');
-      // }
+    let P: WeierstrassPoint<bigint>;
+
+    if (format === undefined) {
+      // Try to deduce format
+      const isHex = typeof sg === 'string' || isBytes(sg);
+      const isObj =
+        !isHex &&
+        sg !== null &&
+        typeof sg === 'object' &&
+        typeof sg.r === 'bigint' &&
+        typeof sg.s === 'bigint';
+      if (!isHex && !isObj)
+        throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
       if (isObj) {
-        if (format === undefined || format === 'js') {
-          _sig = new Signature(sg.r, sg.s);
-        } else {
-          throw new Error('invalid format');
-        }
-      }
-      if (isHex) {
+        _sig = new Signature(sg.r, sg.s);
+      } else if (isHex) {
         // TODO: remove this malleable check
         // Signature can be represented in 2 ways: compact (2*Fn.BYTES) & DER (variable-length).
         // Since DER can also be 2*Fn.BYTES bytes, we check for it first.
         try {
-          if (format !== 'compact') _sig = Signature.fromDER(sg);
+          _sig = Signature.fromDER(sg);
         } catch (derError) {
           if (!(derError instanceof DER.Err)) throw derError;
         }
-        if (!_sig && format !== 'der') _sig = Signature.fromCompact(sg);
+        if (!_sig) {
+          try {
+            _sig = Signature.fromCompact(sg);
+          } catch (error) {
+            return false;
+          }
+        }
+      }
+    } else {
+      if (format === 'compact' || format === 'der') {
+        if (typeof sg !== 'string' && !isBytes(sg))
+          throw new Error('"der" / "compact" format expects Uint8Array signature');
+        _sig = Signature.fromBytes(ensureBytes('sig', sg), format);
+      } else if (format === 'js') {
+        if (!(sg instanceof Signature)) throw new Error('"js" format expects Signature instance');
+        _sig = sg;
+      } else {
+        throw new Error('format must be "compact", "der" or "js"');
       }
+    }
+
+    if (!_sig) return false;
+    try {
       P = Point.fromHex(publicKey);
-    } catch (error) {
+      if (lowS && _sig.hasHighS()) return false;
+      // todo: optional.hash => hash
+      if (prehash) msgHash = hash(msgHash);
+      const { r, s } = _sig;
+      const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
+      const is = Fn.inv(s); // s^-1
+      const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
+      const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
+      const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+      if (R.is0()) return false;
+      const v = Fn.create(R.x); // v = r.x mod n
+      return v === r;
+    } catch (e) {
       return false;
     }
-    if (!_sig) return false;
-    if (lowS && _sig.hasHighS()) return false;
-    // todo: optional.hash => hash
-    if (prehash) msgHash = ecdsaOpts.hash(msgHash);
-    const { r, s } = _sig;
-    const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-    const is = Fn.inv(s); // s^-1
-    const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
-    const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
-    const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
-    if (R.is0()) return false;
-    const v = Fn.create(R.x); // v = r.x mod n
-    return v === r;
   }
-  // TODO: clarify API for cloning .clone({hash: sha512}) ? .createWith({hash: sha512})?
-  // const clone = (hash: CHash): ECDSA => ecdsa(Point, { ...ecdsaOpts, ...getHash(hash) }, curveOpts);
+
+  function keygen(seed?: Uint8Array) {
+    const secretKey = utils.randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  }
+
   return Object.freeze({
+    keygen,
     getPublicKey,
-    getSharedSecret,
     sign,
     verify,
+    getSharedSecret,
     utils,
     Point,
     Signature,
+    info: { type: 'weierstrass' as const, lengths, publicKeyHasPrefix: true },
   });
 }
 
+// TODO: remove
 export type WsPointComposed<T> = {
   CURVE: WeierstrassOpts<T>;
   curveOpts: WeierstrassExtraOpts<T>;
 };
+// TODO: remove
 export type WsComposed = {
   CURVE: WeierstrassOpts<bigint>;
+  hash: CHash;
   curveOpts: WeierstrassExtraOpts<bigint>;
   ecdsaOpts: ECDSAOpts;
 };
+// TODO: remove
 function _weierstrass_legacy_opts_to_new<T>(c: CurvePointsType<T>): WsPointComposed<T> {
   const CURVE: WeierstrassOpts<T> = {
     a: c.a,
@@ -1481,14 +1707,19 @@ function _weierstrass_legacy_opts_to_new<T>(c: CurvePointsType<T>): WsPointCompo
     Gy: c.Gy,
   };
   const Fp = c.Fp;
-  const Fn = Field(CURVE.n, c.nBitLength);
+  let allowedLengths = c.allowedPrivateKeyLengths
+    ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
+    : undefined;
+  const Fn = Field(CURVE.n, {
+    BITS: c.nBitLength,
+    allowedLengths: allowedLengths,
+    modOnDecode: c.wrapPrivateKey,
+  });
   const curveOpts: WeierstrassExtraOpts<T> = {
     Fp,
     Fn,
-    allowedPrivateKeyLengths: c.allowedPrivateKeyLengths,
     allowInfinityPoint: c.allowInfinityPoint,
     endo: c.endo,
-    wrapPrivateKey: c.wrapPrivateKey,
     isTorsionFree: c.isTorsionFree,
     clearCofactor: c.clearCofactor,
     fromBytes: c.fromBytes,
@@ -1499,18 +1730,18 @@ function _weierstrass_legacy_opts_to_new<T>(c: CurvePointsType<T>): WsPointCompo
 function _ecdsa_legacy_opts_to_new(c: CurveType): WsComposed {
   const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
   const ecdsaOpts: ECDSAOpts = {
-    hash: c.hash,
     hmac: c.hmac,
     randomBytes: c.randomBytes,
     lowS: c.lowS,
     bits2int: c.bits2int,
     bits2int_modN: c.bits2int_modN,
   };
-  return { CURVE, curveOpts, ecdsaOpts };
+  return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
 }
+// TODO: remove
 function _weierstrass_new_output_to_legacy<T>(
   c: CurvePointsType<T>,
-  Point: ProjConstructor<T>
+  Point: WeierstrassPointCons<T>
 ): CurvePointsRes<T> {
   const { Fp, Fn } = Point;
   // TODO: remove
@@ -1518,23 +1749,19 @@ function _weierstrass_new_output_to_legacy<T>(
     return inRange(num, _1n, Fn.ORDER);
   }
   const weierstrassEquation = _legacyHelperEquat(Fp, c.a, c.b);
-  const normPrivateKeyToScalar = _legacyHelperNormPriv(
-    Fn,
-    c.allowedPrivateKeyLengths,
-    c.wrapPrivateKey
-  );
   return Object.assign(
     {},
     {
       CURVE: c,
       Point: Point,
       ProjectivePoint: Point,
-      normPrivateKeyToScalar,
+      normPrivateKeyToScalar: (key: PrivKey) => _normFnElement(Fn, key),
       weierstrassEquation,
       isWithinCurveOrder,
     }
   );
 }
+// TODO: remove
 function _ecdsa_new_output_to_legacy(c: CurveType, ecdsa: ECDSA): CurveFn {
   return Object.assign({}, ecdsa, {
     ProjectivePoint: ecdsa.Point,
@@ -1544,141 +1771,8 @@ function _ecdsa_new_output_to_legacy(c: CurveType, ecdsa: ECDSA): CurveFn {
 
 // _ecdsa_legacy
 export function weierstrass(c: CurveType): CurveFn {
-  const { CURVE, curveOpts, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
+  const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
   const Point = weierstrassN(CURVE, curveOpts);
-  const signs = ecdsa(Point, ecdsaOpts, curveOpts);
+  const signs = ecdsa(Point, hash, ecdsaOpts);
   return _ecdsa_new_output_to_legacy(c, signs);
 }
-
-/**
- * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
- * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
- * b = True and y = sqrt(u / v) if (u / v) is square in F, and
- * b = False and y = sqrt(Z * (u / v)) otherwise.
- * @param Fp
- * @param Z
- * @returns
- */
-export function SWUFpSqrtRatio<T>(
-  Fp: IField<T>,
-  Z: T
-): (u: T, v: T) => { isValid: boolean; value: T } {
-  // Generic implementation
-  const q = Fp.ORDER;
-  let l = _0n;
-  for (let o = q - _1n; o % _2n === _0n; o /= _2n) l += _1n;
-  const c1 = l; // 1. c1, the largest integer such that 2^c1 divides q - 1.
-  // We need 2n ** c1 and 2n ** (c1-1). We can't use **; but we can use <<.
-  // 2n ** c1 == 2n << (c1-1)
-  const _2n_pow_c1_1 = _2n << (c1 - _1n - _1n);
-  const _2n_pow_c1 = _2n_pow_c1_1 * _2n;
-  const c2 = (q - _1n) / _2n_pow_c1; // 2. c2 = (q - 1) / (2^c1)  # Integer arithmetic
-  const c3 = (c2 - _1n) / _2n; // 3. c3 = (c2 - 1) / 2            # Integer arithmetic
-  const c4 = _2n_pow_c1 - _1n; // 4. c4 = 2^c1 - 1                # Integer arithmetic
-  const c5 = _2n_pow_c1_1; // 5. c5 = 2^(c1 - 1)                  # Integer arithmetic
-  const c6 = Fp.pow(Z, c2); // 6. c6 = Z^c2
-  const c7 = Fp.pow(Z, (c2 + _1n) / _2n); // 7. c7 = Z^((c2 + 1) / 2)
-  let sqrtRatio = (u: T, v: T): { isValid: boolean; value: T } => {
-    let tv1 = c6; // 1. tv1 = c6
-    let tv2 = Fp.pow(v, c4); // 2. tv2 = v^c4
-    let tv3 = Fp.sqr(tv2); // 3. tv3 = tv2^2
-    tv3 = Fp.mul(tv3, v); // 4. tv3 = tv3 * v
-    let tv5 = Fp.mul(u, tv3); // 5. tv5 = u * tv3
-    tv5 = Fp.pow(tv5, c3); // 6. tv5 = tv5^c3
-    tv5 = Fp.mul(tv5, tv2); // 7. tv5 = tv5 * tv2
-    tv2 = Fp.mul(tv5, v); // 8. tv2 = tv5 * v
-    tv3 = Fp.mul(tv5, u); // 9. tv3 = tv5 * u
-    let tv4 = Fp.mul(tv3, tv2); // 10. tv4 = tv3 * tv2
-    tv5 = Fp.pow(tv4, c5); // 11. tv5 = tv4^c5
-    let isQR = Fp.eql(tv5, Fp.ONE); // 12. isQR = tv5 == 1
-    tv2 = Fp.mul(tv3, c7); // 13. tv2 = tv3 * c7
-    tv5 = Fp.mul(tv4, tv1); // 14. tv5 = tv4 * tv1
-    tv3 = Fp.cmov(tv2, tv3, isQR); // 15. tv3 = CMOV(tv2, tv3, isQR)
-    tv4 = Fp.cmov(tv5, tv4, isQR); // 16. tv4 = CMOV(tv5, tv4, isQR)
-    // 17. for i in (c1, c1 - 1, ..., 2):
-    for (let i = c1; i > _1n; i--) {
-      let tv5 = i - _2n; // 18.    tv5 = i - 2
-      tv5 = _2n << (tv5 - _1n); // 19.    tv5 = 2^tv5
-      let tvv5 = Fp.pow(tv4, tv5); // 20.    tv5 = tv4^tv5
-      const e1 = Fp.eql(tvv5, Fp.ONE); // 21.    e1 = tv5 == 1
-      tv2 = Fp.mul(tv3, tv1); // 22.    tv2 = tv3 * tv1
-      tv1 = Fp.mul(tv1, tv1); // 23.    tv1 = tv1 * tv1
-      tvv5 = Fp.mul(tv4, tv1); // 24.    tv5 = tv4 * tv1
-      tv3 = Fp.cmov(tv2, tv3, e1); // 25.    tv3 = CMOV(tv2, tv3, e1)
-      tv4 = Fp.cmov(tvv5, tv4, e1); // 26.    tv4 = CMOV(tv5, tv4, e1)
-    }
-    return { isValid: isQR, value: tv3 };
-  };
-  if (Fp.ORDER % _4n === _3n) {
-    // sqrt_ratio_3mod4(u, v)
-    const c1 = (Fp.ORDER - _3n) / _4n; // 1. c1 = (q - 3) / 4     # Integer arithmetic
-    const c2 = Fp.sqrt(Fp.neg(Z)); // 2. c2 = sqrt(-Z)
-    sqrtRatio = (u: T, v: T) => {
-      let tv1 = Fp.sqr(v); // 1. tv1 = v^2
-      const tv2 = Fp.mul(u, v); // 2. tv2 = u * v
-      tv1 = Fp.mul(tv1, tv2); // 3. tv1 = tv1 * tv2
-      let y1 = Fp.pow(tv1, c1); // 4. y1 = tv1^c1
-      y1 = Fp.mul(y1, tv2); // 5. y1 = y1 * tv2
-      const y2 = Fp.mul(y1, c2); // 6. y2 = y1 * c2
-      const tv3 = Fp.mul(Fp.sqr(y1), v); // 7. tv3 = y1^2; 8. tv3 = tv3 * v
-      const isQR = Fp.eql(tv3, u); // 9. isQR = tv3 == u
-      let y = Fp.cmov(y2, y1, isQR); // 10. y = CMOV(y2, y1, isQR)
-      return { isValid: isQR, value: y }; // 11. return (isQR, y) isQR ? y : y*c2
-    };
-  }
-  // No curves uses that
-  // if (Fp.ORDER % _8n === _5n) // sqrt_ratio_5mod8
-  return sqrtRatio;
-}
-/**
- * Simplified Shallue-van de Woestijne-Ulas Method
- * https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2
- */
-export function mapToCurveSimpleSWU<T>(
-  Fp: IField<T>,
-  opts: {
-    A: T;
-    B: T;
-    Z: T;
-  }
-): (u: T) => { x: T; y: T } {
-  validateField(Fp);
-  const { A, B, Z } = opts;
-  if (!Fp.isValid(A) || !Fp.isValid(B) || !Fp.isValid(Z))
-    throw new Error('mapToCurveSimpleSWU: invalid opts');
-  const sqrtRatio = SWUFpSqrtRatio(Fp, Z);
-  if (!Fp.isOdd) throw new Error('Field does not have .isOdd()');
-  // Input: u, an element of F.
-  // Output: (x, y), a point on E.
-  return (u: T): { x: T; y: T } => {
-    // prettier-ignore
-    let tv1, tv2, tv3, tv4, tv5, tv6, x, y;
-    tv1 = Fp.sqr(u); // 1.  tv1 = u^2
-    tv1 = Fp.mul(tv1, Z); // 2.  tv1 = Z * tv1
-    tv2 = Fp.sqr(tv1); // 3.  tv2 = tv1^2
-    tv2 = Fp.add(tv2, tv1); // 4.  tv2 = tv2 + tv1
-    tv3 = Fp.add(tv2, Fp.ONE); // 5.  tv3 = tv2 + 1
-    tv3 = Fp.mul(tv3, B); // 6.  tv3 = B * tv3
-    tv4 = Fp.cmov(Z, Fp.neg(tv2), !Fp.eql(tv2, Fp.ZERO)); // 7.  tv4 = CMOV(Z, -tv2, tv2 != 0)
-    tv4 = Fp.mul(tv4, A); // 8.  tv4 = A * tv4
-    tv2 = Fp.sqr(tv3); // 9.  tv2 = tv3^2
-    tv6 = Fp.sqr(tv4); // 10. tv6 = tv4^2
-    tv5 = Fp.mul(tv6, A); // 11. tv5 = A * tv6
-    tv2 = Fp.add(tv2, tv5); // 12. tv2 = tv2 + tv5
-    tv2 = Fp.mul(tv2, tv3); // 13. tv2 = tv2 * tv3
-    tv6 = Fp.mul(tv6, tv4); // 14. tv6 = tv6 * tv4
-    tv5 = Fp.mul(tv6, B); // 15. tv5 = B * tv6
-    tv2 = Fp.add(tv2, tv5); // 16. tv2 = tv2 + tv5
-    x = Fp.mul(tv1, tv3); // 17.   x = tv1 * tv3
-    const { isValid, value } = sqrtRatio(tv2, tv6); // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)
-    y = Fp.mul(tv1, u); // 19.   y = tv1 * u  -> Z * u^3 * y1
-    y = Fp.mul(y, value); // 20.   y = y * y1
-    x = Fp.cmov(x, tv3, isValid); // 21.   x = CMOV(x, tv3, is_gx1_square)
-    y = Fp.cmov(y, value, isValid); // 22.   y = CMOV(y, y1, is_gx1_square)
-    const e1 = Fp.isOdd!(u) === Fp.isOdd!(y); // 23.  e1 = sgn0(u) == sgn0(y)
-    y = Fp.cmov(Fp.neg(y), y, e1); // 24.   y = CMOV(-y, y, e1)
-    const tv4_inv = FpInvertBatch(Fp, [tv4], true)[0];
-    x = Fp.mul(x, tv4_inv); // 25.   x = x / tv4
-    return { x, y };
-  };
-}