@noble/curves 1.9.4 → 1.9.5

package/esm/abstract/weierstrass.js

@@ -25,11 +25,11 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { hmac } from '@noble/hashes/hmac.js';
+import { hmac as nobleHmac } from '@noble/hashes/hmac.js';
 import { ahash } from '@noble/hashes/utils';
-import { _validateObject, abool, abytes, aInRange, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes, inRange, isBytes, memoized, numberToHexUnpadded, randomBytes, } from "../utils.js";
+import { _validateObject, _abool2 as abool, _abytes2 as abytes, aInRange, bitLen, bitMask, bytesToHex, bytesToNumberBE, concatBytes, createHmacDrbg, ensureBytes, hexToBytes, inRange, isBytes, memoized, numberToHexUnpadded, randomBytes as wcRandomBytes, } from "../utils.js";
 import { _createCurveFields, mulEndoUnsafe, negateCt, normalizeZ, pippenger, wNAF, } from "./curve.js";
-import { Field, FpInvertBatch, getMinHashLength, mapHashToField, validateField, } from "./modular.js";
+import { Field, FpInvertBatch, getMinHashLength, mapHashToField, nLength, validateField, } from "./modular.js";
 // We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
 const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n) / den;
 /**
@@ -60,11 +60,22 @@ export function _splitEndoScalar(k, basis, n) {
     }
     return { k1neg, k1, k2neg, k2 };
 }
-function validateSigVerOpts(opts) {
-    if (opts.lowS !== undefined)
-        abool('lowS', opts.lowS);
-    if (opts.prehash !== undefined)
-        abool('prehash', opts.prehash);
+function validateSigFormat(format) {
+    if (!['compact', 'recovered', 'der'].includes(format))
+        throw new Error('Signature format must be "compact", "recovered", or "der"');
+    return format;
+}
+function validateSigOpts(opts, def) {
+    const optsn = {};
+    for (let optName of Object.keys(def)) {
+        // @ts-ignore
+        optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
+    }
+    abool(optsn.lowS, 'lowS');
+    abool(optsn.prehash, 'prehash');
+    if (optsn.format !== undefined)
+        validateSigFormat(optsn.format);
+    return optsn;
 }
 export class DERErr extends Error {
     constructor(m = '') {
@@ -185,19 +196,6 @@ export const DER = {
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
-// TODO: remove
-export function _legacyHelperEquat(Fp, a, b) {
-    /**
-     * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
-     * @returns y²
-     */
-    function weierstrassEquation(x) {
-        const x2 = Fp.sqr(x); // x * x
-        const x3 = Fp.mul(x2, x); // x² * x
-        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
-    }
-    return weierstrassEquation;
-}
 export function _normFnElement(Fn, key) {
     const { BYTES: expected } = Fn;
     let num;
@@ -217,10 +215,29 @@ export function _normFnElement(Fn, key) {
         throw new Error('invalid private key: out of range [1..N-1]');
     return num;
 }
-export function weierstrassN(CURVE, curveOpts = {}) {
-    const { Fp, Fn } = _createCurveFields('weierstrass', CURVE, curveOpts);
+/**
+ * Creates weierstrass Point constructor, based on specified curve options.
+ *
+ * @example
+```js
+const opts = {
+  p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  h: BigInt(1),
+  a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+  b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+};
+const p256_Point = weierstrass(opts);
+```
+ */
+export function weierstrassN(params, extraOpts = {}) {
+    const validated = _createCurveFields('weierstrass', params, extraOpts);
+    const { Fp, Fn } = validated;
+    let CURVE = validated.CURVE;
     const { h: cofactor, n: CURVE_ORDER } = CURVE;
-    _validateObject(curveOpts, {}, {
+    _validateObject(extraOpts, {}, {
         allowInfinityPoint: 'boolean',
         clearCofactor: 'function',
         isTorsionFree: 'function',
@@ -229,13 +246,14 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         endo: 'object',
         wrapPrivateKey: 'boolean',
     });
-    const { endo } = curveOpts;
+    const { endo } = extraOpts;
     if (endo) {
         // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
         if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
             throw new Error('invalid endo: expected "beta": bigint and "basises": array');
         }
     }
+    const lengths = getWLengths(Fp, Fn);
     function assertCompressionIsSupported() {
         if (!Fp.isOdd)
             throw new Error('compression is not supported: Field does not have .isOdd()');
@@ -244,7 +262,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
     function pointToBytes(_c, point, isCompressed) {
         const { x, y } = point.toAffine();
         const bx = Fp.toBytes(x);
-        abool('isCompressed', isCompressed);
+        abool(isCompressed, 'isCompressed');
         if (isCompressed) {
             assertCompressionIsSupported();
             const hasEvenY = !Fp.isOdd(y);
@@ -255,15 +273,13 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         }
     }
     function pointFromBytes(bytes) {
-        abytes(bytes);
-        const L = Fp.BYTES;
-        const LC = L + 1; // length compressed, e.g. 33 for 32-byte field
-        const LU = 2 * L + 1; // length uncompressed, e.g. 65 for 32-byte field
+        abytes(bytes, undefined, 'Point');
+        const { public: comp, publicUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
         const length = bytes.length;
         const head = bytes[0];
         const tail = bytes.subarray(1);
         // No actual validation is done here: use .assertValidity()
-        if (length === LC && (head === 0x02 || head === 0x03)) {
+        if (length === comp && (head === 0x02 || head === 0x03)) {
             const x = Fp.fromBytes(tail);
             if (!Fp.isValid(x))
                 throw new Error('bad point: is not on curve, wrong x');
@@ -283,21 +299,26 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 y = Fp.neg(y);
             return { x, y };
         }
-        else if (length === LU && head === 0x04) {
+        else if (length === uncomp && head === 0x04) {
             // TODO: more checks
-            const x = Fp.fromBytes(tail.subarray(L * 0, L * 1));
-            const y = Fp.fromBytes(tail.subarray(L * 1, L * 2));
+            const L = Fp.BYTES;
+            const x = Fp.fromBytes(tail.subarray(0, L));
+            const y = Fp.fromBytes(tail.subarray(L, L * 2));
             if (!isValidXY(x, y))
                 throw new Error('bad point: is not on curve');
             return { x, y };
         }
         else {
-            throw new Error(`bad point: got length ${length}, expected compressed=${LC} or uncompressed=${LU}`);
+            throw new Error(`bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`);
         }
     }
-    const toBytes = curveOpts.toBytes || pointToBytes;
-    const fromBytes = curveOpts.fromBytes || pointFromBytes;
-    const weierstrassEquation = _legacyHelperEquat(Fp, CURVE.a, CURVE.b);
+    const encodePoint = extraOpts.toBytes || pointToBytes;
+    const decodePoint = extraOpts.fromBytes || pointFromBytes;
+    function weierstrassEquation(x) {
+        const x2 = Fp.sqr(x); // x * x
+        const x3 = Fp.mul(x2, x); // x² * x
+        return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b); // x³ + a * x + b
+    }
     // TODO: move top-level
     /** Checks whether equation holds for given x, y: y² == x³ + ax + b */
     function isValidXY(x, y) {
@@ -360,7 +381,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
             // (0, 0, 0) is invalid representation of ZERO.
-            if (curveOpts.allowInfinityPoint && !Fp.is0(p.Y))
+            if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y))
                 return;
             throw new Error('bad point: ZERO');
         }
@@ -393,6 +414,9 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             this.Z = acoord('z', Z);
             Object.freeze(this);
         }
+        static CURVE() {
+            return CURVE;
+        }
         /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
         static fromAffine(p) {
             const { x, y } = p || {};
@@ -405,45 +429,19 @@ export function weierstrassN(CURVE, curveOpts = {}) {
                 return Point.ZERO;
             return new Point(x, y, Fp.ONE);
         }
-        get x() {
-            return this.toAffine().x;
-        }
-        get y() {
-            return this.toAffine().y;
-        }
-        // TODO: remove
-        get px() {
-            return this.X;
-        }
-        get py() {
-            return this.X;
-        }
-        get pz() {
-            return this.Z;
-        }
-        static normalizeZ(points) {
-            return normalizeZ(Point, points);
-        }
         static fromBytes(bytes) {
-            abytes(bytes);
-            return Point.fromHex(bytes);
-        }
-        /** Converts hash string or Uint8Array to Point. */
-        static fromHex(hex) {
-            const P = Point.fromAffine(fromBytes(ensureBytes('pointHex', hex)));
+            const P = Point.fromAffine(decodePoint(abytes(bytes, undefined, 'point')));
             P.assertValidity();
             return P;
         }
-        /** Multiplies generator point by privateKey. */
-        static fromPrivateKey(privateKey) {
-            return Point.BASE.multiply(_normFnElement(Fn, privateKey));
+        static fromHex(hex) {
+            return Point.fromBytes(ensureBytes('pointHex', hex));
         }
-        // TODO: remove
-        static msm(points, scalars) {
-            return pippenger(Point, Fn, points, scalars);
+        get x() {
+            return this.toAffine().x;
         }
-        _setWindowSize(windowSize) {
-            this.precompute(windowSize);
+        get y() {
+            return this.toAffine().y;
         }
         /**
          *
@@ -592,7 +590,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
          * @returns New point
          */
         multiply(scalar) {
-            const { endo } = curveOpts;
+            const { endo } = extraOpts;
             if (!Fn.isValidNot0(scalar))
                 throw new Error('invalid scalar: out of range'); // 0 is invalid
             let point, fake; // Fake point is used to const-time mult
@@ -619,7 +617,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
          * an exposed secret key e.g. sig verification, which works over *public* keys.
          */
         multiplyUnsafe(sc) {
-            const { endo } = curveOpts;
+            const { endo } = extraOpts;
             const p = this;
             if (!Fn.isValid(sc))
                 throw new Error('invalid scalar: out of range'); // 0 is valid
@@ -654,7 +652,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
          * Always torsion-free for cofactor=1 curves.
          */
         isTorsionFree() {
-            const { isTorsionFree } = curveOpts;
+            const { isTorsionFree } = extraOpts;
             if (cofactor === _1n)
                 return true;
             if (isTorsionFree)
@@ -662,7 +660,7 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             return wnaf.unsafe(this, CURVE_ORDER).is0();
         }
         clearCofactor() {
-            const { clearCofactor } = curveOpts;
+            const { clearCofactor } = extraOpts;
             if (cofactor === _1n)
                 return this; // Fast-path
             if (clearCofactor)
@@ -674,13 +672,9 @@ export function weierstrassN(CURVE, curveOpts = {}) {
             return this.multiplyUnsafe(cofactor).is0();
         }
         toBytes(isCompressed = true) {
-            abool('isCompressed', isCompressed);
+            abool(isCompressed, 'isCompressed');
             this.assertValidity();
-            return toBytes(Point, this, isCompressed);
-        }
-        /** @deprecated use `toBytes` */
-        toRawBytes(isCompressed = true) {
-            return this.toBytes(isCompressed);
+            return encodePoint(Point, this, isCompressed);
         }
         toHex(isCompressed = true) {
             return bytesToHex(this.toBytes(isCompressed));
@@ -688,26 +682,44 @@ export function weierstrassN(CURVE, curveOpts = {}) {
         toString() {
             return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
         }
+        // TODO: remove
+        get px() {
+            return this.X;
+        }
+        get py() {
+            return this.X;
+        }
+        get pz() {
+            return this.Z;
+        }
+        toRawBytes(isCompressed = true) {
+            return this.toBytes(isCompressed);
+        }
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
+        static normalizeZ(points) {
+            return normalizeZ(Point, points);
+        }
+        static msm(points, scalars) {
+            return pippenger(Point, Fn, points, scalars);
+        }
+        static fromPrivateKey(privateKey) {
+            return Point.BASE.multiply(_normFnElement(Fn, privateKey));
+        }
     }
     // base / generator point
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     // zero / infinity / identity point
     Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
-    // fields
+    // math field
     Point.Fp = Fp;
+    // scalar field
     Point.Fn = Fn;
     const bits = Fn.BITS;
-    const wnaf = new wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+    const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
     return Point;
 }
-// _legacyWeierstrass
-// TODO: remove
-/** @deprecated use `weierstrass` in newer releases */
-export function weierstrassPoints(c) {
-    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
-    const Point = weierstrassN(CURVE, curveOpts);
-    return _weierstrass_new_output_to_legacy(c, Point);
-}
 // Points start with byte 0x02 when y is even; otherwise 0x03
 function pprefix(hasEvenY) {
     return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
@@ -836,8 +848,122 @@ export function mapToCurveSimpleSWU(Fp, opts) {
         return { x, y };
     };
 }
+function getWLengths(Fp, Fn) {
+    return {
+        secret: Fn.BYTES,
+        public: 1 + Fp.BYTES,
+        publicUncompressed: 1 + 2 * Fp.BYTES,
+        publicKeyHasPrefix: true,
+        signature: 2 * Fn.BYTES,
+    };
+}
+/**
+ * Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
+ * This helper ensures no signature functionality is present. Less code, smaller bundle size.
+ */
+export function ecdh(Point, ecdhOpts = {}) {
+    const { Fn } = Point;
+    const randomBytes_ = ecdhOpts.randomBytes || wcRandomBytes;
+    const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
+    function isValidSecretKey(secretKey) {
+        try {
+            return !!_normFnElement(Fn, secretKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    function isValidPublicKey(publicKey, isCompressed) {
+        const { public: comp, publicUncompressed } = lengths;
+        try {
+            const l = publicKey.length;
+            if (isCompressed === true && l !== comp)
+                return false;
+            if (isCompressed === false && l !== publicUncompressed)
+                return false;
+            return !!Point.fromBytes(publicKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    /**
+     * Produces cryptographically secure secret key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    function randomSecretKey(seed = randomBytes_(lengths.seed)) {
+        return mapHashToField(abytes(seed, lengths.seed, 'seed'), Fn.ORDER);
+    }
+    /**
+     * Computes public key for a secret key. Checks for validity of the secret key.
+     * @param isCompressed whether to return compact (default), or full key
+     * @returns Public key, full when isCompressed=false; short when isCompressed=true
+     */
+    function getPublicKey(secretKey, isCompressed = true) {
+        return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
+    }
+    function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    }
+    /**
+     * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
+     */
+    function isProbPub(item) {
+        if (typeof item === 'bigint')
+            return false;
+        if (item instanceof Point)
+            return true;
+        if (Fn.allowedLengths || lengths.secret === lengths.public)
+            return undefined;
+        const l = ensureBytes('key', item).length;
+        return l === lengths.public || l === lengths.publicUncompressed;
+    }
+    /**
+     * ECDH (Elliptic Curve Diffie Hellman).
+     * Computes shared public key from secret key A and public key B.
+     * Checks: 1) secret key validity 2) shared key is on-curve.
+     * Does NOT hash the result.
+     * @param isCompressed whether to return compact (default), or full key
+     * @returns shared public key
+     */
+    function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
+        if (isProbPub(secretKeyA) === true)
+            throw new Error('first arg must be private key');
+        if (isProbPub(publicKeyB) === false)
+            throw new Error('second arg must be public key');
+        const s = _normFnElement(Fn, secretKeyA);
+        const b = Point.fromHex(publicKeyB); // checks for being on-curve
+        return b.multiply(s).toBytes(isCompressed);
+    }
+    const utils = {
+        isValidSecretKey,
+        isValidPublicKey,
+        randomSecretKey,
+        // TODO: remove
+        isValidPrivateKey: isValidSecretKey,
+        randomPrivateKey: randomSecretKey,
+        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
+        precompute(windowSize = 8, point = Point.BASE) {
+            return point.precompute(windowSize, false);
+        },
+    };
+    return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
+}
 /**
- * Creates ECDSA for given elliptic curve Point and hash function.
+ * Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
+ * We need `hash` for 2 features:
+ * 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
+ * 2. k generation in `sign`, using HMAC-drbg(hash)
+ *
+ * ECDSAOpts are only rarely needed.
+ *
+ * @example
+ * ```js
+ * const p256_Point = weierstrass(...);
+ * const p256_sha256 = ecdsa(p256_Point, sha256);
+ * const p256_sha224 = ecdsa(p256_Point, sha224);
+ * ```
  */
 export function ecdsa(Point, hash, ecdsaOpts = {}) {
     ahash(hash);
@@ -848,19 +974,19 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         bits2int: 'function',
         bits2int_modN: 'function',
     });
-    const randomBytes_ = ecdsaOpts.randomBytes || randomBytes;
+    const randomBytes_ = ecdsaOpts.randomBytes || wcRandomBytes;
     const hmac_ = ecdsaOpts.hmac ||
-        ((key, ...msgs) => hmac(hash, key, concatBytes(...msgs)));
+        ((key, ...msgs) => nobleHmac(hash, key, concatBytes(...msgs)));
     const { Fp, Fn } = Point;
     const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
-    const seedLen = getMinHashLength(CURVE_ORDER);
-    const lengths = {
-        secret: Fn.BYTES,
-        public: 1 + Fp.BYTES,
-        publicUncompressed: 1 + 2 * Fp.BYTES,
-        signature: 2 * Fn.BYTES,
-        seed: seedLen,
+    const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
+    const defaultSigOpts = {
+        prehash: false,
+        lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : false,
+        format: undefined, //'compact' as ECDSASigFormat,
+        extraEntropy: false,
     };
+    const defaultSigOpts_format = 'compact';
     function isBiggerThanHalfOrder(number) {
         const HALF = CURVE_ORDER >> _1n;
         return number > HALF;
@@ -868,37 +994,41 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
     function normalizeS(s) {
         return isBiggerThanHalfOrder(s) ? Fn.neg(s) : s;
     }
-    function aValidRS(title, num) {
+    function validateRS(title, num) {
         if (!Fn.isValidNot0(num))
-            throw new Error(`invalid signature ${title}: out of range 1..CURVE.n`);
+            throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
+        return num;
     }
     /**
-     * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
+     * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
      */
     class Signature {
         constructor(r, s, recovery) {
-            aValidRS('r', r); // r in [1..N-1]
-            aValidRS('s', s); // s in [1..N-1]
-            this.r = r;
-            this.s = s;
+            this.r = validateRS('r', r); // r in [1..N-1];
+            this.s = validateRS('s', s); // s in [1..N-1];
             if (recovery != null)
                 this.recovery = recovery;
             Object.freeze(this);
         }
-        static fromBytes(bytes, format = 'compact') {
-            if (format === 'compact') {
-                const L = Fn.BYTES;
-                abytes(bytes, L * 2);
-                const r = bytes.subarray(0, L);
-                const s = bytes.subarray(L, L * 2);
-                return new Signature(Fn.fromBytes(r), Fn.fromBytes(s));
-            }
+        static fromBytes(bytes, format = defaultSigOpts_format) {
+            validateSigFormat(format);
+            const size = lengths.signature;
+            let recid;
             if (format === 'der') {
-                abytes(bytes);
-                const { r, s } = DER.toSig(bytes);
+                const { r, s } = DER.toSig(abytes(bytes));
                 return new Signature(r, s);
             }
-            throw new Error('invalid format');
+            if (format === 'recovered') {
+                abytes(bytes, size + 1);
+                recid = bytes[0];
+                format = 'compact';
+                bytes = bytes.subarray(1);
+            }
+            abytes(bytes, size);
+            const L = size / 2;
+            const r = bytes.subarray(0, L);
+            const s = bytes.subarray(L, L * 2);
+            return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
         }
         static fromHex(hex, format) {
             return this.fromBytes(hexToBytes(hex), format);
@@ -906,7 +1036,6 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
-        // ProjPointType<bigint>
         recoverPublicKey(msgHash) {
             const FIELD_ORDER = Fp.ORDER;
             const { r, s, recovery: rec } = this;
@@ -927,7 +1056,7 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
             if (!Fp.isValid(radj))
                 throw new Error('recovery id 2 or 3 invalid');
             const x = Fp.toBytes(radj);
-            const R = Point.fromHex(concatBytes(pprefix((rec & 1) === 0), x));
+            const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
             const ir = Fn.inv(radj); // r^-1
             const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash
             const u1 = Fn.create(-h * ir); // -hr^-1
@@ -943,15 +1072,18 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         hasHighS() {
             return isBiggerThanHalfOrder(this.s);
         }
-        normalizeS() {
-            return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
-        }
-        toBytes(format = 'compact') {
-            if (format === 'compact')
-                return concatBytes(Fn.toBytes(this.r), Fn.toBytes(this.s));
+        toBytes(format = defaultSigOpts_format) {
+            validateSigFormat(format);
             if (format === 'der')
                 return hexToBytes(DER.hexFromSig(this));
-            throw new Error('invalid format');
+            const r = Fn.toBytes(this.r);
+            const s = Fn.toBytes(this.s);
+            if (format === 'recovered') {
+                if (this.recovery == null)
+                    throw new Error('recovery bit must be present');
+                return concatBytes(Uint8Array.of(this.recovery), r, s);
+            }
+            return concatBytes(r, s);
         }
         toHex(format) {
             return bytesToHex(this.toBytes(format));
@@ -964,6 +1096,9 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         static fromDER(hex) {
             return Signature.fromBytes(ensureBytes('sig', hex), 'der');
         }
+        normalizeS() {
+            return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
+        }
         toDERRawBytes() {
             return this.toBytes('der');
         }
@@ -977,86 +1112,6 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
             return bytesToHex(this.toBytes('compact'));
         }
     }
-    function isValidSecretKey(privateKey) {
-        try {
-            return !!_normFnElement(Fn, privateKey);
-        }
-        catch (error) {
-            return false;
-        }
-    }
-    function isValidPublicKey(publicKey, isCompressed) {
-        try {
-            const l = publicKey.length;
-            if (isCompressed === true && l !== lengths.public)
-                return false;
-            if (isCompressed === false && l !== lengths.publicUncompressed)
-                return false;
-            return !!Point.fromBytes(publicKey);
-        }
-        catch (error) {
-            return false;
-        }
-    }
-    /**
-     * Produces cryptographically secure secret key from random of size
-     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-     */
-    function randomSecretKey(seed = randomBytes_(seedLen)) {
-        return mapHashToField(seed, CURVE_ORDER);
-    }
-    const utils = {
-        isValidSecretKey,
-        isValidPublicKey,
-        randomSecretKey,
-        // TODO: remove
-        isValidPrivateKey: isValidSecretKey,
-        randomPrivateKey: randomSecretKey,
-        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
-        precompute(windowSize = 8, point = Point.BASE) {
-            return point.precompute(windowSize, false);
-        },
-    };
-    /**
-     * Computes public key for a secret key. Checks for validity of the secret key.
-     * @param isCompressed whether to return compact (default), or full key
-     * @returns Public key, full when isCompressed=false; short when isCompressed=true
-     */
-    function getPublicKey(secretKey, isCompressed = true) {
-        return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
-    }
-    /**
-     * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
-     */
-    function isProbPub(item) {
-        // TODO: remove
-        if (typeof item === 'bigint')
-            return false;
-        // TODO: remove
-        if (item instanceof Point)
-            return true;
-        if (Fn.allowedLengths || lengths.secret === lengths.public)
-            return undefined;
-        const l = ensureBytes('key', item).length;
-        return l === lengths.public || l === lengths.publicUncompressed;
-    }
-    /**
-     * ECDH (Elliptic Curve Diffie Hellman).
-     * Computes shared public key from secret key A and public key B.
-     * Checks: 1) secret key validity 2) shared key is on-curve.
-     * Does NOT hash the result.
-     * @param isCompressed whether to return compact (default), or full key
-     * @returns shared public key
-     */
-    function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
-        if (isProbPub(secretKeyA) === true)
-            throw new Error('first arg must be private key');
-        if (isProbPub(publicKeyB) === false)
-            throw new Error('second arg must be public key');
-        const s = _normFnElement(Fn, secretKeyA);
-        const b = Point.fromHex(publicKeyB); // checks for being on-curve
-        return b.multiply(s).toBytes(isCompressed);
-    }
     // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
     // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
     // bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.
@@ -1086,31 +1141,33 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         aInRange('num < 2^' + fnBits, num, _0n, ORDER_MASK);
         return Fn.toBytes(num);
     }
-    // Steps A, D of RFC6979 3.2
-    // Creates RFC6979 seed; converts msg/privKey to numbers.
-    // Used only in sign, not in verify.
-    // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
-    // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
-    function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
+    /**
+     * Steps A, D of RFC6979 3.2.
+     * Creates RFC6979 seed; converts msg/privKey to numbers.
+     * Used only in sign, not in verify.
+     *
+     * Warning: we cannot assume here that message has same amount of bytes as curve order,
+     * this will be invalid at least for P521. Also it can be bigger for P224 + SHA256.
+     */
+    function prepSig(message, privateKey, opts) {
         if (['recovered', 'canonical'].some((k) => k in opts))
             throw new Error('sign() legacy options not supported');
-        let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
-        if (lowS == null)
-            lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
-        msgHash = ensureBytes('msgHash', msgHash);
-        validateSigVerOpts(opts);
+        const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
+        // RFC6979 3.2: we skip step A, because we already provide hash
+        message = abytes(message, undefined, 'message');
         if (prehash)
-            msgHash = ensureBytes('prehashed msgHash', hash(msgHash));
+            message = abytes(hash(message), undefined, 'prehashed message');
         // We can't later call bits2octets, since nested bits2int is broken for curves
         // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
-        const h1int = bits2int_modN(msgHash);
+        const h1int = bits2int_modN(message);
         const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
         const seedArgs = [int2octets(d), int2octets(h1int)];
         // extraEntropy. RFC6979 3.6: additional k' (optional).
-        if (ent != null && ent !== false) {
+        if (extraEntropy != null && extraEntropy !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-            const e = ent === true ? randomBytes_(lengths.secret) : ent; // gen random bytes OR pass as-is
+            // gen random bytes OR pass as-is
+            const e = extraEntropy === true ? randomBytes_(lengths.secret) : extraEntropy;
             seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
         }
         const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
@@ -1126,7 +1183,7 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         function k2sig(kBytes) {
             // RFC 6979 Section 3.2, step 3: k = bits2int(T)
             // Important: all mod() calls here must be done over N
-            const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
+            const k = bits2int(kBytes); // mod n, not mod p
             if (!Fn.isValidNot0(k))
                 return; // Valid scalars (including k) must be in 1..N-1
             const ik = Fn.inv(k); // k^-1 mod n
@@ -1147,49 +1204,48 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
         }
         return { seed, k2sig };
     }
-    const defaultSigOpts = { lowS: ecdsaOpts.lowS, prehash: false };
-    const defaultVerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
     /**
      * Signs message hash with a secret key.
+     *
      * ```
-     * sign(m, d, k) where
+     * sign(m, d) where
+     *   k = rfc6979_hmac_drbg(m, d)
      *   (x, y) = G × k
      *   r = x mod n
-     *   s = (m + dr)/k mod n
+     *   s = (m + dr) / k mod n
      * ```
      */
-    function sign(msgHash, secretKey, opts = defaultSigOpts) {
-        const { seed, k2sig } = prepSig(msgHash, secretKey, opts); // Steps A, D of RFC6979 3.2.
+    function sign(message, secretKey, opts = {}) {
+        message = ensureBytes('message', message);
+        const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
         const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac_);
-        return drbg(seed, k2sig); // Steps B, C, D, E, F, G
+        const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
+        return sig;
     }
     // Enable precomputes. Slows down first publicKey computation by 20ms.
     Point.BASE.precompute(8);
     /**
-     * Verifies a signature against message hash and public key.
-     * Rejects lowS signatures by default: to override,
-     * specify option `{lowS: false}`. Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
+     * Verifies a signature against message and public key.
+     * Rejects lowS signatures by default: see {@link ECDSAVerifyOpts}.
+     * Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
      *
      * ```
      * verify(r, s, h, P) where
-     *   U1 = hs^-1 mod n
-     *   U2 = rs^-1 mod n
-     *   R = U1⋅G - U2⋅P
+     *   u1 = hs^-1 mod n
+     *   u2 = rs^-1 mod n
+     *   R = u1⋅G + u2⋅P
      *   mod(R.x, n) == r
      * ```
      */
-    function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
+    function verify(signature, message, publicKey, opts = {}) {
         const sg = signature;
-        msgHash = ensureBytes('msgHash', msgHash);
+        message = ensureBytes('msgHash', message);
         publicKey = ensureBytes('publicKey', publicKey);
-        // Verify opts
-        validateSigVerOpts(opts);
-        const { lowS, prehash, format } = opts;
-        // TODO: remove
-        if ('strict' in opts)
-            throw new Error('options.strict was renamed to lowS');
+        const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
         let _sig = undefined;
         let P;
+        if ('strict' in opts)
+            throw new Error('options.strict was renamed to lowS');
         if (format === undefined) {
             // Try to deduce format
             const isHex = typeof sg === 'string' || isBytes(sg);
@@ -1230,11 +1286,6 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
                     throw new Error('"der" / "compact" format expects Uint8Array signature');
                 _sig = Signature.fromBytes(ensureBytes('sig', sg), format);
             }
-            else if (format === 'js') {
-                if (!(sg instanceof Signature))
-                    throw new Error('"js" format expects Signature instance');
-                _sig = sg;
-            }
             else {
                 throw new Error('format must be "compact", "der" or "js"');
             }
@@ -1247,13 +1298,13 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
                 return false;
             // todo: optional.hash => hash
             if (prehash)
-                msgHash = hash(msgHash);
+                message = hash(message);
             const { r, s } = _sig;
-            const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-            const is = Fn.inv(s); // s^-1
+            const h = bits2int_modN(message); // mod n, not mod p
+            const is = Fn.inv(s); // s^-1 mod n
             const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
             const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
-            const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+            const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2)); // u1⋅G + u2⋅P
             if (R.is0())
                 return false;
             const v = Fn.create(R.x); // v = r.x mod n
@@ -1263,23 +1314,34 @@ export function ecdsa(Point, hash, ecdsaOpts = {}) {
             return false;
         }
     }
-    function keygen(seed) {
-        const secretKey = utils.randomSecretKey(seed);
-        return { secretKey, publicKey: getPublicKey(secretKey) };
+    function recoverPublicKey(signature, message, opts = {}) {
+        const prehash = opts.prehash !== undefined ? opts.prehash : defaultSigOpts.prehash;
+        abool(prehash, 'prehash');
+        message = abytes(message, undefined, 'message');
+        if (prehash)
+            message = abytes(hash(message), undefined, 'prehashed message');
+        return Signature.fromBytes(signature, 'recovered').recoverPublicKey(message).toBytes();
     }
     return Object.freeze({
         keygen,
         getPublicKey,
-        sign,
-        verify,
         getSharedSecret,
         utils,
+        lengths,
         Point,
+        sign,
+        verify,
+        recoverPublicKey,
         Signature,
-        info: { type: 'weierstrass', lengths, publicKeyHasPrefix: true },
+        hash,
     });
 }
-// TODO: remove
+/** @deprecated use `weierstrass` in newer releases */
+export function weierstrassPoints(c) {
+    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+    const Point = weierstrassN(CURVE, curveOpts);
+    return _weierstrass_new_output_to_legacy(c, Point);
+}
 function _weierstrass_legacy_opts_to_new(c) {
     const CURVE = {
         a: c.a,
@@ -1297,7 +1359,7 @@ function _weierstrass_legacy_opts_to_new(c) {
     const Fn = Field(CURVE.n, {
         BITS: c.nBitLength,
         allowedLengths: allowedLengths,
-        modOnDecode: c.wrapPrivateKey,
+        modFromBytes: c.wrapPrivateKey,
     });
     const curveOpts = {
         Fp,
@@ -1322,10 +1384,20 @@ function _ecdsa_legacy_opts_to_new(c) {
     };
     return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
 }
-// TODO: remove
+export function _legacyHelperEquat(Fp, a, b) {
+    /**
+     * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
+     * @returns y²
+     */
+    function weierstrassEquation(x) {
+        const x2 = Fp.sqr(x); // x * x
+        const x3 = Fp.mul(x2, x); // x² * x
+        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
+    }
+    return weierstrassEquation;
+}
 function _weierstrass_new_output_to_legacy(c, Point) {
     const { Fp, Fn } = Point;
-    // TODO: remove
     function isWithinCurveOrder(num) {
         return inRange(num, _1n, Fn.ORDER);
     }
@@ -1339,11 +1411,11 @@ function _weierstrass_new_output_to_legacy(c, Point) {
         isWithinCurveOrder,
     });
 }
-// TODO: remove
-function _ecdsa_new_output_to_legacy(c, ecdsa) {
-    return Object.assign({}, ecdsa, {
-        ProjectivePoint: ecdsa.Point,
-        CURVE: c,
+function _ecdsa_new_output_to_legacy(c, _ecdsa) {
+    const Point = _ecdsa.Point;
+    return Object.assign({}, _ecdsa, {
+        ProjectivePoint: Point,
+        CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS)),
     });
 }
 // _ecdsa_legacy