@noble/curves 1.9.4 → 1.9.6

package/src/abstract/weierstrass.ts

@@ -25,12 +25,12 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { hmac } from '@noble/hashes/hmac.js';
+import { hmac as nobleHmac } from '@noble/hashes/hmac.js';
 import { ahash } from '@noble/hashes/utils';
 import {
   _validateObject,
-  abool,
-  abytes,
+  _abool2 as abool,
+  _abytes2 as abytes,
   aInRange,
   bitLen,
   bitMask,
@@ -44,7 +44,7 @@ import {
   isBytes,
   memoized,
   numberToHexUnpadded,
-  randomBytes,
+  randomBytes as randomBytesWeb,
   type CHash,
   type Hex,
   type PrivKey,
@@ -58,7 +58,7 @@ import {
   wNAF,
   type AffinePoint,
   type BasicCurve,
-  type CurveInfo,
+  type CurveLengths,
   type CurvePoint,
   type CurvePointCons,
 } from './curve.ts';
@@ -67,6 +67,7 @@ import {
   FpInvertBatch,
   getMinHashLength,
   mapHashToField,
+  nLength,
   validateField,
   type IField,
   type NLength,
@@ -104,21 +105,6 @@ export type EndomorphismOpts = {
   basises?: EndoBasis;
   splitScalar?: (k: bigint) => { k1neg: boolean; k1: bigint; k2neg: boolean; k2: bigint };
 };
-export type BasicWCurve<T> = BasicCurve<T> & {
-  // Params: a, b
-  a: T;
-  b: T;
-
-  // Optional params
-  allowedPrivateKeyLengths?: readonly number[]; // for P521
-  wrapPrivateKey?: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
-  endo?: EndomorphismOpts;
-  // When a cofactor != 1, there can be an effective methods to:
-  // 1. Determine whether a point is torsion-free
-  isTorsionFree?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
-  // 2. Clear torsion component
-  clearCofactor?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
-};
 
 // We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
 const divNearest = (num: bigint, den: bigint) => (num + (num >= 0 ? den : -den) / _2n) / den;
@@ -152,23 +138,41 @@ export function _splitEndoScalar(k: bigint, basis: EndoBasis, n: bigint): Scalar
   return { k1neg, k1, k2neg, k2 };
 }
 
-export type ECDSASigFormat = 'compact' | 'der';
-export type Entropy = Hex | boolean;
-export type SignOpts = Partial<{
-  lowS: boolean;
-  extraEntropy: Entropy;
-  prehash: boolean;
-  format: ECDSASigFormat | 'js';
-}>;
-export type VerOpts = Partial<{
-  lowS: boolean;
-  prehash: boolean;
-  format: ECDSASigFormat | 'js' | undefined;
-}>;
+export type ECDSASigFormat = 'compact' | 'recovered' | 'der';
+export type ECDSARecoverOpts = {
+  prehash?: boolean;
+};
+export type ECDSAVerifyOpts = {
+  prehash?: boolean;
+  lowS?: boolean;
+  format?: ECDSASigFormat;
+};
+export type ECDSASignOpts = {
+  prehash?: boolean;
+  lowS?: boolean;
+  format?: ECDSASigFormat;
+  extraEntropy?: Uint8Array | boolean;
+};
+
+function validateSigFormat(format: string): ECDSASigFormat {
+  if (!['compact', 'recovered', 'der'].includes(format))
+    throw new Error('Signature format must be "compact", "recovered", or "der"');
+  return format as ECDSASigFormat;
+}
 
-function validateSigVerOpts(opts: SignOpts | VerOpts) {
-  if (opts.lowS !== undefined) abool('lowS', opts.lowS);
-  if (opts.prehash !== undefined) abool('prehash', opts.prehash);
+function validateSigOpts<T extends ECDSASignOpts, D extends Required<ECDSASignOpts>>(
+  opts: T,
+  def: D
+): Required<ECDSASignOpts> {
+  const optsn: ECDSASignOpts = {};
+  for (let optName of Object.keys(def)) {
+    // @ts-ignore
+    optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
+  }
+  abool(optsn.lowS!, 'lowS');
+  abool(optsn.prehash!, 'prehash');
+  if (optsn.format !== undefined) validateSigFormat(optsn.format);
+  return optsn as Required<ECDSASignOpts>;
 }
 
 /** Instance methods for 3D XYZ projective points. */
@@ -187,11 +191,11 @@ export interface WeierstrassPoint<T> extends CurvePoint<T, WeierstrassPoint<T>>
   toBytes(isCompressed?: boolean): Uint8Array;
   toHex(isCompressed?: boolean): string;
 
-  /** @deprecated use .X */
+  /** @deprecated use `.X` */
   readonly px: T;
-  /** @deprecated use .Y */
+  /** @deprecated use `.Y` */
   readonly py: T;
-  /** @deprecated use .Z */
+  /** @deprecated use `.Z` */
   readonly pz: T;
   /** @deprecated use `toBytes` */
   toRawBytes(isCompressed?: boolean): Uint8Array;
@@ -208,9 +212,10 @@ export interface WeierstrassPoint<T> extends CurvePoint<T, WeierstrassPoint<T>>
 }
 
 /** Static methods for 3D XYZ projective points. */
-export interface WeierstrassPointCons<T> extends CurvePointCons<T, WeierstrassPoint<T>> {
+export interface WeierstrassPointCons<T> extends CurvePointCons<WeierstrassPoint<T>> {
   /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
   new (X: T, Y: T, Z: T): WeierstrassPoint<T>;
+  CURVE(): WeierstrassOpts<T>;
   /** @deprecated use `Point.BASE.multiply(Point.Fn.fromBytes(privateKey))` */
   fromPrivateKey(privateKey: PrivKey): WeierstrassPoint<T>;
   /** @deprecated use `import { normalizeZ } from '@noble/curves/abstract/curve.js';` */
@@ -219,48 +224,6 @@ export interface WeierstrassPointCons<T> extends CurvePointCons<T, WeierstrassPo
   msm(points: WeierstrassPoint<T>[], scalars: bigint[]): WeierstrassPoint<T>;
 }
 
-/** @deprecated use WeierstrassPoint */
-export type ProjPointType<T> = WeierstrassPoint<T>;
-/** @deprecated use WeierstrassPointCons */
-export type ProjConstructor<T> = WeierstrassPointCons<T>;
-
-// TODO: remove
-export type CurvePointsType<T> = BasicWCurve<T> & {
-  fromBytes?: (bytes: Uint8Array) => AffinePoint<T>;
-  toBytes?: (
-    c: WeierstrassPointCons<T>,
-    point: WeierstrassPoint<T>,
-    isCompressed: boolean
-  ) => Uint8Array;
-};
-
-// LegacyWeierstrassOpts
-export type CurvePointsTypeWithLength<T> = Readonly<CurvePointsType<T> & Partial<NLength>>;
-
-// LegacyWeierstrass
-export type CurvePointsRes<T> = {
-  Point: WeierstrassPointCons<T>;
-
-  /** @deprecated the property will be removed in next release */
-  CURVE: CurvePointsType<T>;
-  /** @deprecated use `Point` */
-  ProjectivePoint: WeierstrassPointCons<T>;
-  /** @deprecated use `Point.Fn.fromBytes(privateKey)` */
-  normPrivateKeyToScalar: (key: PrivKey) => bigint;
-  /** @deprecated */
-  weierstrassEquation: (x: T) => T;
-  /** @deprecated use `Point.Fn.isValidNot0(num)` */
-  isWithinCurveOrder: (num: bigint) => boolean;
-};
-
-// Aliases to legacy types
-// export type CurveType = LegacyECDSAOpts;
-// export type CurveFn = LegacyECDSA;
-// export type CurvePointsRes<T> = LegacyWeierstrass<T>;
-// export type CurvePointsType<T> = LegacyWeierstrassOpts<T>;
-// export type CurvePointsTypeWithLength<T> = LegacyWeierstrassOpts<T>;
-// export type BasicWCurve<T> = LegacyWeierstrassOpts<T>;
-
 /**
  * Weierstrass curve options.
  *
@@ -303,6 +266,11 @@ export type WeierstrassExtraOpts<T> = Partial<{
 
 /**
  * Options for ECDSA signatures over a Weierstrass curve.
+ *
+ * * lowS: (default: true) whether produced / verified signatures occupy low half of ecdsaOpts.p. Prevents malleability.
+ * * hmac: (default: noble-hashes hmac) function, would be used to init hmac-drbg for k generation.
+ * * randomBytes: (default: webcrypto os-level CSPRNG) custom method for fetching secure randomness.
+ * * bits2int, bits2int_modN: used in sigs, sometimes overridden by curves
  */
 export type ECDSAOpts = Partial<{
   lowS: boolean;
@@ -312,20 +280,19 @@ export type ECDSAOpts = Partial<{
   bits2int_modN: (bytes: Uint8Array) => bigint;
 }>;
 
-/** ECDSA is only supported for prime fields, not Fp2 (extension fields). */
-export interface ECDSA {
+/**
+ * Elliptic Curve Diffie-Hellman interface.
+ * Provides keygen, secret-to-public conversion, calculating shared secrets.
+ */
+export interface ECDH {
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
   getPublicKey: (secretKey: PrivKey, isCompressed?: boolean) => Uint8Array;
-  sign: (msgHash: Hex, secretKey: PrivKey, opts?: SignOpts) => ECDSASigRecovered;
-  verify: (signature: Hex | SignatureLike, msgHash: Hex, publicKey: Hex, opts?: VerOpts) => boolean;
   getSharedSecret: (secretKeyA: PrivKey, publicKeyB: Hex, isCompressed?: boolean) => Uint8Array;
   Point: WeierstrassPointCons<bigint>;
-  Signature: ECDSASignatureCons;
   utils: {
     isValidSecretKey: (secretKey: PrivKey) => boolean;
     isValidPublicKey: (publicKey: Uint8Array, isCompressed?: boolean) => boolean;
     randomSecretKey: (seed?: Uint8Array) => Uint8Array;
-
     /** @deprecated use `randomSecretKey` */
     randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
     /** @deprecated use `isValidSecretKey` */
@@ -335,7 +302,23 @@ export interface ECDSA {
     /** @deprecated use `point.precompute()` */
     precompute: (windowSize?: number, point?: WeierstrassPoint<bigint>) => WeierstrassPoint<bigint>;
   };
-  info: CurveInfo;
+  lengths: CurveLengths;
+}
+
+/**
+ * ECDSA interface.
+ * Only supported for prime fields, not Fp2 (extension fields).
+ */
+export interface ECDSA extends ECDH {
+  sign: (message: Hex, secretKey: PrivKey, opts?: ECDSASignOpts) => ECDSASigRecovered;
+  verify: (
+    signature: Uint8Array,
+    message: Uint8Array,
+    publicKey: Uint8Array,
+    opts?: ECDSAVerifyOpts
+  ) => boolean;
+  recoverPublicKey(signature: Uint8Array, message: Uint8Array, opts?: ECDSARecoverOpts): Uint8Array;
+  Signature: ECDSASignatureCons;
 }
 export class DERErr extends Error {
   constructor(m = '') {
@@ -459,19 +442,6 @@ export const DER: IDER = {
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _3n = BigInt(3), _4n = BigInt(4);
 
-// TODO: remove
-export function _legacyHelperEquat<T>(Fp: IField<T>, a: T, b: T): (x: T) => T {
-  /**
-   * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
-   * @returns y²
-   */
-  function weierstrassEquation(x: T): T {
-    const x2 = Fp.sqr(x); // x * x
-    const x3 = Fp.mul(x2, x); // x² * x
-    return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
-  }
-  return weierstrassEquation;
-}
 export function _normFnElement(Fn: IField<bigint>, key: PrivKey): bigint {
   const { BYTES: expected } = Fn;
   let num: bigint;
@@ -489,14 +459,33 @@ export function _normFnElement(Fn: IField<bigint>, key: PrivKey): bigint {
   return num;
 }
 
+/**
+ * Creates weierstrass Point constructor, based on specified curve options.
+ *
+ * @example
+```js
+const opts = {
+  p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  h: BigInt(1),
+  a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+  b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+};
+const p256_Point = weierstrass(opts);
+```
+ */
 export function weierstrassN<T>(
-  CURVE: WeierstrassOpts<T>,
-  curveOpts: WeierstrassExtraOpts<T> = {}
+  params: WeierstrassOpts<T>,
+  extraOpts: WeierstrassExtraOpts<T> = {}
 ): WeierstrassPointCons<T> {
-  const { Fp, Fn } = _createCurveFields('weierstrass', CURVE, curveOpts);
+  const validated = _createCurveFields('weierstrass', params, extraOpts);
+  const { Fp, Fn } = validated;
+  let CURVE = validated.CURVE as WeierstrassOpts<T>;
   const { h: cofactor, n: CURVE_ORDER } = CURVE;
   _validateObject(
-    curveOpts,
+    extraOpts,
     {},
     {
       allowInfinityPoint: 'boolean',
@@ -509,7 +498,7 @@ export function weierstrassN<T>(
     }
   );
 
-  const { endo } = curveOpts;
+  const { endo } = extraOpts;
   if (endo) {
     // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
     if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
@@ -517,6 +506,8 @@ export function weierstrassN<T>(
     }
   }
 
+  const lengths = getWLengths(Fp, Fn);
+
   function assertCompressionIsSupported() {
     if (!Fp.isOdd) throw new Error('compression is not supported: Field does not have .isOdd()');
   }
@@ -529,7 +520,7 @@ export function weierstrassN<T>(
   ): Uint8Array {
     const { x, y } = point.toAffine();
     const bx = Fp.toBytes(x);
-    abool('isCompressed', isCompressed);
+    abool(isCompressed, 'isCompressed');
     if (isCompressed) {
       assertCompressionIsSupported();
       const hasEvenY = !Fp.isOdd!(y);
@@ -539,15 +530,13 @@ export function weierstrassN<T>(
     }
   }
   function pointFromBytes(bytes: Uint8Array) {
-    abytes(bytes);
-    const L = Fp.BYTES;
-    const LC = L + 1; // length compressed, e.g. 33 for 32-byte field
-    const LU = 2 * L + 1; // length uncompressed, e.g. 65 for 32-byte field
+    abytes(bytes, undefined, 'Point');
+    const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
     const length = bytes.length;
     const head = bytes[0];
     const tail = bytes.subarray(1);
     // No actual validation is done here: use .assertValidity()
-    if (length === LC && (head === 0x02 || head === 0x03)) {
+    if (length === comp && (head === 0x02 || head === 0x03)) {
       const x = Fp.fromBytes(tail);
       if (!Fp.isValid(x)) throw new Error('bad point: is not on curve, wrong x');
       const y2 = weierstrassEquation(x); // y² = x³ + ax + b
@@ -563,22 +552,27 @@ export function weierstrassN<T>(
       const isHeadOdd = (head & 1) === 1; // ECDSA-specific
       if (isHeadOdd !== isYOdd) y = Fp.neg(y);
       return { x, y };
-    } else if (length === LU && head === 0x04) {
+    } else if (length === uncomp && head === 0x04) {
       // TODO: more checks
-      const x = Fp.fromBytes(tail.subarray(L * 0, L * 1));
-      const y = Fp.fromBytes(tail.subarray(L * 1, L * 2));
+      const L = Fp.BYTES;
+      const x = Fp.fromBytes(tail.subarray(0, L));
+      const y = Fp.fromBytes(tail.subarray(L, L * 2));
       if (!isValidXY(x, y)) throw new Error('bad point: is not on curve');
       return { x, y };
     } else {
       throw new Error(
-        `bad point: got length ${length}, expected compressed=${LC} or uncompressed=${LU}`
+        `bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`
       );
     }
   }
 
-  const toBytes = curveOpts.toBytes || pointToBytes;
-  const fromBytes = curveOpts.fromBytes || pointFromBytes;
-  const weierstrassEquation = _legacyHelperEquat(Fp, CURVE.a, CURVE.b);
+  const encodePoint = extraOpts.toBytes || pointToBytes;
+  const decodePoint = extraOpts.fromBytes || pointFromBytes;
+  function weierstrassEquation(x: T): T {
+    const x2 = Fp.sqr(x); // x * x
+    const x3 = Fp.mul(x2, x); // x² * x
+    return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b); // x³ + a * x + b
+  }
 
   // TODO: move top-level
   /** Checks whether equation holds for given x, y: y² == x³ + ax + b */
@@ -640,7 +634,7 @@ export function weierstrassN<T>(
       // (0, 1, 0) aka ZERO is invalid in most contexts.
       // In BLS, ZERO can be serialized, so we allow it.
       // (0, 0, 0) is invalid representation of ZERO.
-      if (curveOpts.allowInfinityPoint && !Fp.is0(p.Y)) return;
+      if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y)) return;
       throw new Error('bad point: ZERO');
     }
     // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
@@ -674,8 +668,9 @@ export function weierstrassN<T>(
     static readonly BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
     // zero / infinity / identity point
     static readonly ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
-    // fields
+    // math field
     static readonly Fp = Fp;
+    // scalar field
     static readonly Fn = Fn;
 
     readonly X: T;
@@ -690,6 +685,10 @@ export function weierstrassN<T>(
       Object.freeze(this);
     }
 
+    static CURVE(): WeierstrassOpts<T> {
+      return CURVE;
+    }
+
     /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
     static fromAffine(p: AffinePoint<T>): Point {
       const { x, y } = p || {};
@@ -700,50 +699,20 @@ export function weierstrassN<T>(
       return new Point(x, y, Fp.ONE);
     }
 
-    get x(): T {
-      return this.toAffine().x;
-    }
-    get y(): T {
-      return this.toAffine().y;
-    }
-
-    // TODO: remove
-    get px(): T {
-      return this.X;
-    }
-    get py(): T {
-      return this.X;
-    }
-    get pz(): T {
-      return this.Z;
-    }
-    static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, points);
-    }
-
     static fromBytes(bytes: Uint8Array): Point {
-      abytes(bytes);
-      return Point.fromHex(bytes);
-    }
-
-    /** Converts hash string or Uint8Array to Point. */
-    static fromHex(hex: Hex): Point {
-      const P = Point.fromAffine(fromBytes(ensureBytes('pointHex', hex)));
+      const P = Point.fromAffine(decodePoint(abytes(bytes, undefined, 'point')));
       P.assertValidity();
       return P;
     }
-
-    /** Multiplies generator point by privateKey. */
-    static fromPrivateKey(privateKey: PrivKey) {
-      return Point.BASE.multiply(_normFnElement(Fn, privateKey));
+    static fromHex(hex: Hex): Point {
+      return Point.fromBytes(ensureBytes('pointHex', hex));
     }
 
-    // TODO: remove
-    static msm(points: Point[], scalars: bigint[]): Point {
-      return pippenger(Point, Fn, points, scalars);
+    get x(): T {
+      return this.toAffine().x;
     }
-    _setWindowSize(windowSize: number) {
-      this.precompute(windowSize);
+    get y(): T {
+      return this.toAffine().y;
     }
 
     /**
@@ -900,7 +869,7 @@ export function weierstrassN<T>(
      * @returns New point
      */
     multiply(scalar: bigint): Point {
-      const { endo } = curveOpts;
+      const { endo } = extraOpts;
       if (!Fn.isValidNot0(scalar)) throw new Error('invalid scalar: out of range'); // 0 is invalid
       let point: Point, fake: Point; // Fake point is used to const-time mult
       const mul = (n: bigint) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
@@ -926,8 +895,8 @@ export function weierstrassN<T>(
      * an exposed secret key e.g. sig verification, which works over *public* keys.
      */
     multiplyUnsafe(sc: bigint): Point {
-      const { endo } = curveOpts;
-      const p = this;
+      const { endo } = extraOpts;
+      const p = this as Point;
       if (!Fn.isValid(sc)) throw new Error('invalid scalar: out of range'); // 0 is valid
       if (sc === _0n || p.is0()) return Point.ZERO;
       if (sc === _1n) return p; // fast-path
@@ -959,14 +928,14 @@ export function weierstrassN<T>(
      * Always torsion-free for cofactor=1 curves.
      */
     isTorsionFree(): boolean {
-      const { isTorsionFree } = curveOpts;
+      const { isTorsionFree } = extraOpts;
       if (cofactor === _1n) return true;
       if (isTorsionFree) return isTorsionFree(Point, this);
       return wnaf.unsafe(this, CURVE_ORDER).is0();
     }
 
     clearCofactor(): Point {
-      const { clearCofactor } = curveOpts;
+      const { clearCofactor } = extraOpts;
       if (cofactor === _1n) return this; // Fast-path
       if (clearCofactor) return clearCofactor(Point, this) as Point;
       return this.multiplyUnsafe(cofactor);
@@ -978,14 +947,9 @@ export function weierstrassN<T>(
     }
 
     toBytes(isCompressed = true): Uint8Array {
-      abool('isCompressed', isCompressed);
+      abool(isCompressed, 'isCompressed');
       this.assertValidity();
-      return toBytes(Point, this, isCompressed);
-    }
-
-    /** @deprecated use `toBytes` */
-    toRawBytes(isCompressed = true): Uint8Array {
-      return this.toBytes(isCompressed);
+      return encodePoint(Point, this, isCompressed);
     }
 
     toHex(isCompressed = true): string {
@@ -995,35 +959,55 @@ export function weierstrassN<T>(
     toString() {
       return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
+
+    // TODO: remove
+    get px(): T {
+      return this.X;
+    }
+    get py(): T {
+      return this.X;
+    }
+    get pz(): T {
+      return this.Z;
+    }
+    toRawBytes(isCompressed = true): Uint8Array {
+      return this.toBytes(isCompressed);
+    }
+    _setWindowSize(windowSize: number) {
+      this.precompute(windowSize);
+    }
+    static normalizeZ(points: Point[]): Point[] {
+      return normalizeZ(Point, points);
+    }
+    static msm(points: Point[], scalars: bigint[]): Point {
+      return pippenger(Point, Fn, points, scalars);
+    }
+    static fromPrivateKey(privateKey: PrivKey) {
+      return Point.BASE.multiply(_normFnElement(Fn, privateKey));
+    }
   }
   const bits = Fn.BITS;
-  const wnaf = new wNAF(Point, curveOpts.endo ? Math.ceil(bits / 2) : bits);
+  const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
+  Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
   return Point;
 }
 
-// _legacyWeierstrass
-// TODO: remove
-/** @deprecated use `weierstrass` in newer releases */
-export function weierstrassPoints<T>(c: CurvePointsTypeWithLength<T>): CurvePointsRes<T> {
-  const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
-  const Point = weierstrassN(CURVE, curveOpts);
-  return _weierstrass_new_output_to_legacy(c, Point);
-}
-
-// Instance
+/** Methods of ECDSA signature instance. */
 export interface ECDSASignature {
   readonly r: bigint;
   readonly s: bigint;
   readonly recovery?: number;
   addRecoveryBit(recovery: number): ECDSASigRecovered;
   hasHighS(): boolean;
-  normalizeS(): ECDSASignature;
-  recoverPublicKey(msgHash: Hex): WeierstrassPoint<bigint>;
   toBytes(format?: string): Uint8Array;
   toHex(format?: string): string;
 
   /** @deprecated */
   assertValidity(): void;
+  /** @deprecated */
+  normalizeS(): ECDSASignature;
+  /** @deprecated use standalone method `curve.recoverPublicKey(sig.toBytes('recovered'), msg)` */
+  recoverPublicKey(msgHash: Hex): WeierstrassPoint<bigint>;
   /** @deprecated use `.toBytes('compact')` */
   toCompactRawBytes(): Uint8Array;
   /** @deprecated use `.toBytes('compact')` */
@@ -1033,12 +1017,10 @@ export interface ECDSASignature {
   /** @deprecated use `.toBytes('der')` */
   toDERHex(): string;
 }
-export type SignatureType = ECDSASignature;
 export type ECDSASigRecovered = ECDSASignature & {
   readonly recovery: number;
 };
-export type RecoveredSignatureType = ECDSASigRecovered;
-// Static methods
+/** Methods of ECDSA signature constructor. */
 export type ECDSASignatureCons = {
   new (r: bigint, s: bigint, recovery?: number): ECDSASignature;
   fromBytes(bytes: Uint8Array, format?: ECDSASigFormat): ECDSASignature;
@@ -1049,42 +1031,12 @@ export type ECDSASignatureCons = {
   /** @deprecated use `.fromBytes(bytes, 'der')` */
   fromDER(hex: Hex): ECDSASignature;
 };
-export type SignatureLike = { r: bigint; s: bigint };
-// TODO: remove
-export type PubKey = Hex | WeierstrassPoint<bigint>;
-
-// TODO: remove
-export type CurveType = BasicWCurve<bigint> & {
-  hash: CHash; // CHash not FHash because we need outputLen for DRBG
-  hmac?: HmacFnSync;
-  randomBytes?: (bytesLength?: number) => Uint8Array;
-  lowS?: boolean;
-  bits2int?: (bytes: Uint8Array) => bigint;
-  bits2int_modN?: (bytes: Uint8Array) => bigint;
-};
 
 // Points start with byte 0x02 when y is even; otherwise 0x03
 function pprefix(hasEvenY: boolean): Uint8Array {
   return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
 }
 
-// TODO: remove
-export type CurveFn = {
-  /** @deprecated the property will be removed in next release */
-  CURVE: CurvePointsType<bigint>;
-  keygen: ECDSA['keygen'];
-  getPublicKey: ECDSA['getPublicKey'];
-  getSharedSecret: ECDSA['getSharedSecret'];
-  sign: ECDSA['sign'];
-  verify: ECDSA['verify'];
-  Point: WeierstrassPointCons<bigint>;
-  /** @deprecated use `Point` */
-  ProjectivePoint: WeierstrassPointCons<bigint>;
-  Signature: ECDSASignatureCons;
-  utils: ECDSA['utils'];
-  info: CurveInfo;
-};
-
 /**
  * Implementation of the Shallue and van de Woestijne method for any weierstrass curve.
  * TODO: check if there is a way to merge this with uvRatio in Edwards; move to modular.
@@ -1218,87 +1170,211 @@ export function mapToCurveSimpleSWU<T>(
   };
 }
 
+function getWLengths<T>(Fp: IField<T>, Fn: IField<bigint>) {
+  return {
+    secretKey: Fn.BYTES,
+    publicKey: 1 + Fp.BYTES,
+    publicKeyUncompressed: 1 + 2 * Fp.BYTES,
+    publicKeyHasPrefix: true,
+    signature: 2 * Fn.BYTES,
+  };
+}
+
 /**
- * Creates ECDSA for given elliptic curve Point and hash function.
+ * Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
+ * This helper ensures no signature functionality is present. Less code, smaller bundle size.
  */
-export function ecdsa(
+export function ecdh(
   Point: WeierstrassPointCons<bigint>,
-  hash: CHash,
-  ecdsaOpts: ECDSAOpts = {}
-): ECDSA {
-  ahash(hash);
-  _validateObject(
-    ecdsaOpts,
-    {},
-    {
-      hmac: 'function',
-      lowS: 'boolean',
-      randomBytes: 'function',
-      bits2int: 'function',
-      bits2int_modN: 'function',
-    }
-  );
-
-  const randomBytes_ = ecdsaOpts.randomBytes || randomBytes;
-  const hmac_: HmacFnSync =
-    ecdsaOpts.hmac ||
-    (((key, ...msgs) => hmac(hash, key, concatBytes(...msgs))) satisfies HmacFnSync);
-
-  const { Fp, Fn } = Point;
-  const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
-
-  const seedLen = getMinHashLength(CURVE_ORDER);
-  const lengths = {
-    secret: Fn.BYTES,
-    public: 1 + Fp.BYTES,
-    publicUncompressed: 1 + 2 * Fp.BYTES,
-    signature: 2 * Fn.BYTES,
-    seed: seedLen,
-  };
+  ecdhOpts: { randomBytes?: (bytesLength?: number) => Uint8Array } = {}
+): ECDH {
+  const { Fn } = Point;
+  const randomBytes_ = ecdhOpts.randomBytes || randomBytesWeb;
+  const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
 
-  function isBiggerThanHalfOrder(number: bigint) {
-    const HALF = CURVE_ORDER >> _1n;
-    return number > HALF;
+  function isValidSecretKey(secretKey: PrivKey) {
+    try {
+      return !!_normFnElement(Fn, secretKey);
+    } catch (error) {
+      return false;
+    }
   }
 
-  function normalizeS(s: bigint) {
-    return isBiggerThanHalfOrder(s) ? Fn.neg(s) : s;
+  function isValidPublicKey(publicKey: Uint8Array, isCompressed?: boolean): boolean {
+    const { publicKey: comp, publicKeyUncompressed } = lengths;
+    try {
+      const l = publicKey.length;
+      if (isCompressed === true && l !== comp) return false;
+      if (isCompressed === false && l !== publicKeyUncompressed) return false;
+      return !!Point.fromBytes(publicKey);
+    } catch (error) {
+      return false;
+    }
   }
-  function aValidRS(title: string, num: bigint) {
-    if (!Fn.isValidNot0(num))
-      throw new Error(`invalid signature ${title}: out of range 1..CURVE.n`);
+
+  /**
+   * Produces cryptographically secure secret key from random of size
+   * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+   */
+  function randomSecretKey(seed = randomBytes_(lengths.seed)): Uint8Array {
+    return mapHashToField(abytes(seed, lengths.seed, 'seed'), Fn.ORDER);
+  }
+
+  /**
+   * Computes public key for a secret key. Checks for validity of the secret key.
+   * @param isCompressed whether to return compact (default), or full key
+   * @returns Public key, full when isCompressed=false; short when isCompressed=true
+   */
+  function getPublicKey(secretKey: PrivKey, isCompressed = true): Uint8Array {
+    return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
+  }
+
+  function keygen(seed?: Uint8Array) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  }
+
+  /**
+   * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
+   */
+  function isProbPub(item: PrivKey | PubKey): boolean | undefined {
+    if (typeof item === 'bigint') return false;
+    if (item instanceof Point) return true;
+    const { secretKey, publicKey, publicKeyUncompressed } = lengths;
+    if (Fn.allowedLengths || secretKey === publicKey) return undefined;
+    const l = ensureBytes('key', item).length;
+    return l === publicKey || l === publicKeyUncompressed;
   }
 
   /**
-   * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
+   * ECDH (Elliptic Curve Diffie Hellman).
+   * Computes shared public key from secret key A and public key B.
+   * Checks: 1) secret key validity 2) shared key is on-curve.
+   * Does NOT hash the result.
+   * @param isCompressed whether to return compact (default), or full key
+   * @returns shared public key
+   */
+  function getSharedSecret(secretKeyA: PrivKey, publicKeyB: Hex, isCompressed = true): Uint8Array {
+    if (isProbPub(secretKeyA) === true) throw new Error('first arg must be private key');
+    if (isProbPub(publicKeyB) === false) throw new Error('second arg must be public key');
+    const s = _normFnElement(Fn, secretKeyA);
+    const b = Point.fromHex(publicKeyB); // checks for being on-curve
+    return b.multiply(s).toBytes(isCompressed);
+  }
+
+  const utils = {
+    isValidSecretKey,
+    isValidPublicKey,
+    randomSecretKey,
+
+    // TODO: remove
+    isValidPrivateKey: isValidSecretKey,
+    randomPrivateKey: randomSecretKey,
+    normPrivateKeyToScalar: (key: PrivKey) => _normFnElement(Fn, key),
+    precompute(windowSize = 8, point = Point.BASE): WeierstrassPoint<bigint> {
+      return point.precompute(windowSize, false);
+    },
+  };
+
+  return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
+}
+
+/**
+ * Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
+ * We need `hash` for 2 features:
+ * 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
+ * 2. k generation in `sign`, using HMAC-drbg(hash)
+ *
+ * ECDSAOpts are only rarely needed.
+ *
+ * @example
+ * ```js
+ * const p256_Point = weierstrass(...);
+ * const p256_sha256 = ecdsa(p256_Point, sha256);
+ * const p256_sha224 = ecdsa(p256_Point, sha224);
+ * const p256_sha224_r = ecdsa(p256_Point, sha224, { randomBytes: (length) => { ... } });
+ * ```
+ */
+export function ecdsa(
+  Point: WeierstrassPointCons<bigint>,
+  hash: CHash,
+  ecdsaOpts: ECDSAOpts = {}
+): ECDSA {
+  ahash(hash);
+  _validateObject(
+    ecdsaOpts,
+    {},
+    {
+      hmac: 'function',
+      lowS: 'boolean',
+      randomBytes: 'function',
+      bits2int: 'function',
+      bits2int_modN: 'function',
+    }
+  );
+
+  const randomBytes = ecdsaOpts.randomBytes || randomBytesWeb;
+  const hmac: HmacFnSync =
+    ecdsaOpts.hmac ||
+    (((key, ...msgs) => nobleHmac(hash, key, concatBytes(...msgs))) satisfies HmacFnSync);
+
+  const { Fp, Fn } = Point;
+  const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
+  const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
+  const defaultSigOpts: Required<ECDSASignOpts> = {
+    prehash: false,
+    lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : false,
+    format: undefined as any, //'compact' as ECDSASigFormat,
+    extraEntropy: false,
+  };
+  const defaultSigOpts_format = 'compact';
+
+  function isBiggerThanHalfOrder(number: bigint) {
+    const HALF = CURVE_ORDER >> _1n;
+    return number > HALF;
+  }
+  function validateRS(title: string, num: bigint): bigint {
+    if (!Fn.isValidNot0(num))
+      throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
+    return num;
+  }
+  function validateSigLength(bytes: Uint8Array, format: ECDSASigFormat) {
+    validateSigFormat(format);
+    const size = lengths.signature!;
+    const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
+    return abytes(bytes, sizer, `${format} signature`);
+  }
+
+  /**
+   * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
    */
   class Signature implements ECDSASignature {
     readonly r: bigint;
     readonly s: bigint;
     readonly recovery?: number;
     constructor(r: bigint, s: bigint, recovery?: number) {
-      aValidRS('r', r); // r in [1..N-1]
-      aValidRS('s', s); // s in [1..N-1]
-      this.r = r;
-      this.s = s;
+      this.r = validateRS('r', r); // r in [1..N-1];
+      this.s = validateRS('s', s); // s in [1..N-1];
       if (recovery != null) this.recovery = recovery;
       Object.freeze(this);
     }
 
-    static fromBytes(bytes: Uint8Array, format: ECDSASigFormat = 'compact') {
-      if (format === 'compact') {
-        const L = Fn.BYTES;
-        abytes(bytes, L * 2);
-        const r = bytes.subarray(0, L);
-        const s = bytes.subarray(L, L * 2);
-        return new Signature(Fn.fromBytes(r), Fn.fromBytes(s));
-      }
+    static fromBytes(bytes: Uint8Array, format: ECDSASigFormat = defaultSigOpts_format): Signature {
+      validateSigLength(bytes, format);
+      let recid: number | undefined;
       if (format === 'der') {
-        abytes(bytes);
-        const { r, s } = DER.toSig(bytes);
+        const { r, s } = DER.toSig(abytes(bytes));
         return new Signature(r, s);
       }
-      throw new Error('invalid format');
+      if (format === 'recovered') {
+        recid = bytes[0];
+        format = 'compact';
+        bytes = bytes.subarray(1);
+      }
+      const L = Fn.BYTES;
+      const r = bytes.subarray(0, L);
+      const s = bytes.subarray(L, L * 2);
+      return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
     }
 
     static fromHex(hex: string, format?: ECDSASigFormat) {
@@ -1309,8 +1385,7 @@ export function ecdsa(
       return new Signature(this.r, this.s, recovery) as RecoveredSignature;
     }
 
-    // ProjPointType<bigint>
-    recoverPublicKey(msgHash: Hex): typeof Point.BASE {
+    recoverPublicKey(messageHash: Hex): WeierstrassPoint<bigint> {
       const FIELD_ORDER = Fp.ORDER;
       const { r, s, recovery: rec } = this;
       if (rec == null || ![0, 1, 2, 3].includes(rec)) throw new Error('recovery id invalid');
@@ -1329,9 +1404,9 @@ export function ecdsa(
       const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
       if (!Fp.isValid(radj)) throw new Error('recovery id 2 or 3 invalid');
       const x = Fp.toBytes(radj);
-      const R = Point.fromHex(concatBytes(pprefix((rec & 1) === 0), x));
+      const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
       const ir = Fn.inv(radj); // r^-1
-      const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash
+      const h = bits2int_modN(ensureBytes('msgHash', messageHash)); // Truncate hash
       const u1 = Fn.create(-h * ir); // -hr^-1
       const u2 = Fn.create(s * ir); // sr^-1
       // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
@@ -1346,14 +1421,16 @@ export function ecdsa(
       return isBiggerThanHalfOrder(this.s);
     }
 
-    normalizeS() {
-      return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
-    }
-
-    toBytes(format: ECDSASigFormat = 'compact') {
-      if (format === 'compact') return concatBytes(Fn.toBytes(this.r), Fn.toBytes(this.s));
+    toBytes(format: ECDSASigFormat = defaultSigOpts_format) {
+      validateSigFormat(format);
       if (format === 'der') return hexToBytes(DER.hexFromSig(this));
-      throw new Error('invalid format');
+      const r = Fn.toBytes(this.r);
+      const s = Fn.toBytes(this.s);
+      if (format === 'recovered') {
+        if (this.recovery == null) throw new Error('recovery bit must be present');
+        return concatBytes(Uint8Array.of(this.recovery), r, s);
+      }
+      return concatBytes(r, s);
     }
 
     toHex(format?: ECDSASigFormat) {
@@ -1368,6 +1445,9 @@ export function ecdsa(
     static fromDER(hex: Hex) {
       return Signature.fromBytes(ensureBytes('sig', hex), 'der');
     }
+    normalizeS() {
+      return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
+    }
     toDERRawBytes() {
       return this.toBytes('der');
     }
@@ -1383,90 +1463,13 @@ export function ecdsa(
   }
   type RecoveredSignature = Signature & { recovery: number };
 
-  function isValidSecretKey(privateKey: PrivKey) {
-    try {
-      return !!_normFnElement(Fn, privateKey);
-    } catch (error) {
-      return false;
-    }
-  }
-  function isValidPublicKey(publicKey: Uint8Array, isCompressed?: boolean): boolean {
-    try {
-      const l = publicKey.length;
-      if (isCompressed === true && l !== lengths.public) return false;
-      if (isCompressed === false && l !== lengths.publicUncompressed) return false;
-      return !!Point.fromBytes(publicKey);
-    } catch (error) {
-      return false;
-    }
-  }
-  /**
-   * Produces cryptographically secure secret key from random of size
-   * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-   */
-  function randomSecretKey(seed = randomBytes_(seedLen)): Uint8Array {
-    return mapHashToField(seed, CURVE_ORDER);
-  }
-
-  const utils = {
-    isValidSecretKey,
-    isValidPublicKey,
-    randomSecretKey,
-
-    // TODO: remove
-    isValidPrivateKey: isValidSecretKey,
-    randomPrivateKey: randomSecretKey,
-    normPrivateKeyToScalar: (key: PrivKey) => _normFnElement(Fn, key),
-    precompute(windowSize = 8, point = Point.BASE): WeierstrassPoint<bigint> {
-      return point.precompute(windowSize, false);
-    },
-  };
-
-  /**
-   * Computes public key for a secret key. Checks for validity of the secret key.
-   * @param isCompressed whether to return compact (default), or full key
-   * @returns Public key, full when isCompressed=false; short when isCompressed=true
-   */
-  function getPublicKey(secretKey: PrivKey, isCompressed = true): Uint8Array {
-    return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
-  }
-
-  /**
-   * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
-   */
-  function isProbPub(item: PrivKey | PubKey): boolean | undefined {
-    // TODO: remove
-    if (typeof item === 'bigint') return false;
-    // TODO: remove
-    if (item instanceof Point) return true;
-    if (Fn.allowedLengths || lengths.secret === lengths.public) return undefined;
-    const l = ensureBytes('key', item).length;
-    return l === lengths.public || l === lengths.publicUncompressed;
-  }
-
-  /**
-   * ECDH (Elliptic Curve Diffie Hellman).
-   * Computes shared public key from secret key A and public key B.
-   * Checks: 1) secret key validity 2) shared key is on-curve.
-   * Does NOT hash the result.
-   * @param isCompressed whether to return compact (default), or full key
-   * @returns shared public key
-   */
-  function getSharedSecret(secretKeyA: PrivKey, publicKeyB: Hex, isCompressed = true): Uint8Array {
-    if (isProbPub(secretKeyA) === true) throw new Error('first arg must be private key');
-    if (isProbPub(publicKeyB) === false) throw new Error('second arg must be public key');
-    const s = _normFnElement(Fn, secretKeyA);
-    const b = Point.fromHex(publicKeyB); // checks for being on-curve
-    return b.multiply(s).toBytes(isCompressed);
-  }
-
   // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
   // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
   // bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.
   // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
   const bits2int =
     ecdsaOpts.bits2int ||
-    function (bytes: Uint8Array): bigint {
+    function bits2int_def(bytes: Uint8Array): bigint {
       // Our custom check "just in case", for protection against DoS
       if (bytes.length > 8192) throw new Error('input is too large');
       // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
@@ -1477,44 +1480,47 @@ export function ecdsa(
     };
   const bits2int_modN =
     ecdsaOpts.bits2int_modN ||
-    function (bytes: Uint8Array): bigint {
+    function bits2int_modN_def(bytes: Uint8Array): bigint {
       return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
     };
-  // NOTE: pads output with zero as per spec
+  // Pads output with zero as per spec
   const ORDER_MASK = bitMask(fnBits);
-  /**
-   * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
-   */
+  /** Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`. */
   function int2octets(num: bigint): Uint8Array {
     // IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
     aInRange('num < 2^' + fnBits, num, _0n, ORDER_MASK);
     return Fn.toBytes(num);
   }
 
-  // Steps A, D of RFC6979 3.2
-  // Creates RFC6979 seed; converts msg/privKey to numbers.
-  // Used only in sign, not in verify.
-  // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
-  // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
-  function prepSig(msgHash: Hex, privateKey: PrivKey, opts = defaultSigOpts) {
+  function validateMsgAndHash(message: Uint8Array, prehash: boolean) {
+    abytes(message, undefined, 'message');
+    return prehash ? abytes(hash(message), undefined, 'prehashed message') : message;
+  }
+
+  /**
+   * Steps A, D of RFC6979 3.2.
+   * Creates RFC6979 seed; converts msg/privKey to numbers.
+   * Used only in sign, not in verify.
+   *
+   * Warning: we cannot assume here that message has same amount of bytes as curve order,
+   * this will be invalid at least for P521. Also it can be bigger for P224 + SHA256.
+   */
+  function prepSig(message: Uint8Array, privateKey: PrivKey, opts: ECDSASignOpts) {
     if (['recovered', 'canonical'].some((k) => k in opts))
       throw new Error('sign() legacy options not supported');
-    let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
-    if (lowS == null) lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
-    msgHash = ensureBytes('msgHash', msgHash);
-    validateSigVerOpts(opts);
-    if (prehash) msgHash = ensureBytes('prehashed msgHash', hash(msgHash));
-
+    const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
+    message = validateMsgAndHash(message, prehash); // RFC6979 3.2 A: h1 = H(m)
     // We can't later call bits2octets, since nested bits2int is broken for curves
     // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
     // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
-    const h1int = bits2int_modN(msgHash);
+    const h1int = bits2int_modN(message);
     const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
     const seedArgs = [int2octets(d), int2octets(h1int)];
     // extraEntropy. RFC6979 3.6: additional k' (optional).
-    if (ent != null && ent !== false) {
+    if (extraEntropy != null && extraEntropy !== false) {
       // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-      const e = ent === true ? randomBytes_(lengths.secret) : ent; // gen random bytes OR pass as-is
+      // gen random bytes OR pass as-is
+      const e = extraEntropy === true ? randomBytes(lengths.secretKey) : extraEntropy;
       seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
     }
     const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
@@ -1530,7 +1536,7 @@ export function ecdsa(
     function k2sig(kBytes: Uint8Array): RecoveredSignature | undefined {
       // RFC 6979 Section 3.2, step 3: k = bits2int(T)
       // Important: all mod() calls here must be done over N
-      const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
+      const k = bits2int(kBytes); // mod n, not mod p
       if (!Fn.isValidNot0(k)) return; // Valid scalars (including k) must be in 1..N-1
       const ik = Fn.inv(k); // k^-1 mod n
       const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
@@ -1541,122 +1547,102 @@ export function ecdsa(
       let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n); // recovery bit (2 or 3, when q.x > n)
       let normS = s;
       if (lowS && isBiggerThanHalfOrder(s)) {
-        normS = normalizeS(s); // if lowS was passed, ensure s is always
+        normS = Fn.neg(s); // if lowS was passed, ensure s is always
         recovery ^= 1; // // in the bottom half of N
       }
       return new Signature(r, normS, recovery) as RecoveredSignature; // use normS, not s
     }
     return { seed, k2sig };
   }
-  const defaultSigOpts: SignOpts = { lowS: ecdsaOpts.lowS, prehash: false };
-  const defaultVerOpts: VerOpts = { lowS: ecdsaOpts.lowS, prehash: false };
 
   /**
    * Signs message hash with a secret key.
+   *
    * ```
-   * sign(m, d, k) where
+   * sign(m, d) where
+   *   k = rfc6979_hmac_drbg(m, d)
    *   (x, y) = G × k
    *   r = x mod n
-   *   s = (m + dr)/k mod n
+   *   s = (m + dr) / k mod n
    * ```
    */
-  function sign(msgHash: Hex, secretKey: PrivKey, opts = defaultSigOpts): RecoveredSignature {
-    const { seed, k2sig } = prepSig(msgHash, secretKey, opts); // Steps A, D of RFC6979 3.2.
-    const drbg = createHmacDrbg<RecoveredSignature>(hash.outputLen, Fn.BYTES, hmac_);
-    return drbg(seed, k2sig); // Steps B, C, D, E, F, G
+  function sign(message: Hex, secretKey: PrivKey, opts: ECDSASignOpts = {}): RecoveredSignature {
+    message = ensureBytes('message', message);
+    const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
+    const drbg = createHmacDrbg<RecoveredSignature>(hash.outputLen, Fn.BYTES, hmac);
+    const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
+    return sig;
   }
 
-  // Enable precomputes. Slows down first publicKey computation by 20ms.
-  Point.BASE.precompute(8);
+  function tryParsingSig(sg: Hex | SignatureLike) {
+    // Try to deduce format
+    let sig: Signature | undefined = undefined;
+    const isHex = typeof sg === 'string' || isBytes(sg);
+    const isObj =
+      !isHex &&
+      sg !== null &&
+      typeof sg === 'object' &&
+      typeof sg.r === 'bigint' &&
+      typeof sg.s === 'bigint';
+    if (!isHex && !isObj)
+      throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
+    if (isObj) {
+      sig = new Signature(sg.r, sg.s);
+    } else if (isHex) {
+      try {
+        sig = Signature.fromBytes(ensureBytes('sig', sg), 'der');
+      } catch (derError) {
+        if (!(derError instanceof DER.Err)) throw derError;
+      }
+      if (!sig) {
+        try {
+          sig = Signature.fromBytes(ensureBytes('sig', sg), 'compact');
+        } catch (error) {
+          return false;
+        }
+      }
+    }
+    if (!sig) return false;
+    return sig;
+  }
 
   /**
-   * Verifies a signature against message hash and public key.
-   * Rejects lowS signatures by default: to override,
-   * specify option `{lowS: false}`. Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
+   * Verifies a signature against message and public key.
+   * Rejects lowS signatures by default: see {@link ECDSAVerifyOpts}.
+   * Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
    *
    * ```
    * verify(r, s, h, P) where
-   *   U1 = hs^-1 mod n
-   *   U2 = rs^-1 mod n
-   *   R = U1⋅G - U2⋅P
+   *   u1 = hs^-1 mod n
+   *   u2 = rs^-1 mod n
+   *   R = u1⋅G + u2⋅P
    *   mod(R.x, n) == r
    * ```
    */
   function verify(
     signature: Hex | SignatureLike,
-    msgHash: Hex,
+    message: Hex,
     publicKey: Hex,
-    opts = defaultVerOpts
+    opts: ECDSAVerifyOpts = {}
   ): boolean {
-    const sg = signature;
-    msgHash = ensureBytes('msgHash', msgHash);
+    const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
     publicKey = ensureBytes('publicKey', publicKey);
-
-    // Verify opts
-    validateSigVerOpts(opts);
-    const { lowS, prehash, format } = opts;
-
-    // TODO: remove
+    message = validateMsgAndHash(ensureBytes('message', message), prehash);
     if ('strict' in opts) throw new Error('options.strict was renamed to lowS');
-
-    let _sig: Signature | undefined = undefined;
-    let P: WeierstrassPoint<bigint>;
-
-    if (format === undefined) {
-      // Try to deduce format
-      const isHex = typeof sg === 'string' || isBytes(sg);
-      const isObj =
-        !isHex &&
-        sg !== null &&
-        typeof sg === 'object' &&
-        typeof sg.r === 'bigint' &&
-        typeof sg.s === 'bigint';
-      if (!isHex && !isObj)
-        throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
-      if (isObj) {
-        _sig = new Signature(sg.r, sg.s);
-      } else if (isHex) {
-        // TODO: remove this malleable check
-        // Signature can be represented in 2 ways: compact (2*Fn.BYTES) & DER (variable-length).
-        // Since DER can also be 2*Fn.BYTES bytes, we check for it first.
-        try {
-          _sig = Signature.fromDER(sg);
-        } catch (derError) {
-          if (!(derError instanceof DER.Err)) throw derError;
-        }
-        if (!_sig) {
-          try {
-            _sig = Signature.fromCompact(sg);
-          } catch (error) {
-            return false;
-          }
-        }
-      }
-    } else {
-      if (format === 'compact' || format === 'der') {
-        if (typeof sg !== 'string' && !isBytes(sg))
-          throw new Error('"der" / "compact" format expects Uint8Array signature');
-        _sig = Signature.fromBytes(ensureBytes('sig', sg), format);
-      } else if (format === 'js') {
-        if (!(sg instanceof Signature)) throw new Error('"js" format expects Signature instance');
-        _sig = sg;
-      } else {
-        throw new Error('format must be "compact", "der" or "js"');
-      }
-    }
-
-    if (!_sig) return false;
+    const sig =
+      format === undefined
+        ? tryParsingSig(signature)
+        : Signature.fromBytes(ensureBytes('sig', signature as Hex), format);
+    if (sig === false) return false;
     try {
-      P = Point.fromHex(publicKey);
-      if (lowS && _sig.hasHighS()) return false;
-      // todo: optional.hash => hash
-      if (prehash) msgHash = hash(msgHash);
-      const { r, s } = _sig;
-      const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-      const is = Fn.inv(s); // s^-1
+      const P = Point.fromBytes(publicKey);
+      if (lowS && sig.hasHighS()) return false;
+      const { r, s } = sig;
+      const h = bits2int_modN(message); // mod n, not mod p
+      const is = Fn.inv(s); // s^-1 mod n
       const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
       const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
-      const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2));
+      const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2)); // u1⋅G + u2⋅P
       if (R.is0()) return false;
       const v = Fn.create(R.x); // v = r.x mod n
       return v === r;
@@ -1665,37 +1651,144 @@ export function ecdsa(
     }
   }
 
-  function keygen(seed?: Uint8Array) {
-    const secretKey = utils.randomSecretKey(seed);
-    return { secretKey, publicKey: getPublicKey(secretKey) };
+  function recoverPublicKey(
+    signature: Uint8Array,
+    message: Uint8Array,
+    opts: ECDSARecoverOpts = {}
+  ): Uint8Array {
+    const { prehash } = validateSigOpts(opts, defaultSigOpts);
+    message = validateMsgAndHash(message, prehash);
+    return Signature.fromBytes(signature, 'recovered').recoverPublicKey(message).toBytes();
   }
 
   return Object.freeze({
     keygen,
     getPublicKey,
-    sign,
-    verify,
     getSharedSecret,
     utils,
+    lengths,
     Point,
+    sign,
+    verify,
+    recoverPublicKey,
     Signature,
-    info: { type: 'weierstrass' as const, lengths, publicKeyHasPrefix: true },
+    hash,
   });
 }
 
+// TODO: remove everything below
+/** @deprecated */
+export type SignatureType = ECDSASignature;
+/** @deprecated */
+export type RecoveredSignatureType = ECDSASigRecovered;
+/** @deprecated */
+export type SignatureLike = { r: bigint; s: bigint };
+/** @deprecated use `Uint8Array | boolean` */
+export type Entropy = Hex | boolean;
+export type BasicWCurve<T> = BasicCurve<T> & {
+  // Params: a, b
+  a: T;
+  b: T;
+
+  // Optional params
+  allowedPrivateKeyLengths?: readonly number[]; // for P521
+  wrapPrivateKey?: boolean; // bls12-381 requires mod(n) instead of rejecting keys >= n
+  endo?: EndomorphismOpts;
+  // When a cofactor != 1, there can be an effective methods to:
+  // 1. Determine whether a point is torsion-free
+  isTorsionFree?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => boolean;
+  // 2. Clear torsion component
+  clearCofactor?: (c: WeierstrassPointCons<T>, point: WeierstrassPoint<T>) => WeierstrassPoint<T>;
+};
+/** @deprecated use ECDSASignOpts */
+export type SignOpts = ECDSASignOpts;
+/** @deprecated use ECDSASignOpts */
+export type VerOpts = ECDSAVerifyOpts;
+
+/** @deprecated use WeierstrassPoint */
+export type ProjPointType<T> = WeierstrassPoint<T>;
+/** @deprecated use WeierstrassPointCons */
+export type ProjConstructor<T> = WeierstrassPointCons<T>;
+
 // TODO: remove
+export type CurvePointsType<T> = BasicWCurve<T> & {
+  fromBytes?: (bytes: Uint8Array) => AffinePoint<T>;
+  toBytes?: (
+    c: WeierstrassPointCons<T>,
+    point: WeierstrassPoint<T>,
+    isCompressed: boolean
+  ) => Uint8Array;
+};
+
+// LegacyWeierstrassOpts
+export type CurvePointsTypeWithLength<T> = Readonly<CurvePointsType<T> & Partial<NLength>>;
+
+// LegacyWeierstrass
+export type CurvePointsRes<T> = {
+  Point: WeierstrassPointCons<T>;
+
+  /** @deprecated use `Point.CURVE()` */
+  CURVE: CurvePointsType<T>;
+  /** @deprecated use `Point` */
+  ProjectivePoint: WeierstrassPointCons<T>;
+  /** @deprecated use `Point.Fn.fromBytes(privateKey)` */
+  normPrivateKeyToScalar: (key: PrivKey) => bigint;
+  /** @deprecated */
+  weierstrassEquation: (x: T) => T;
+  /** @deprecated use `Point.Fn.isValidNot0(num)` */
+  isWithinCurveOrder: (num: bigint) => boolean;
+};
+
+// Aliases to legacy types
+// export type CurveType = LegacyECDSAOpts;
+// export type CurveFn = LegacyECDSA;
+// export type CurvePointsRes<T> = LegacyWeierstrass<T>;
+// export type CurvePointsType<T> = LegacyWeierstrassOpts<T>;
+// export type CurvePointsTypeWithLength<T> = LegacyWeierstrassOpts<T>;
+// export type BasicWCurve<T> = LegacyWeierstrassOpts<T>;
+
+/** @deprecated use `Uint8Array` */
+export type PubKey = Hex | WeierstrassPoint<bigint>;
+export type CurveType = BasicWCurve<bigint> & {
+  hash: CHash; // CHash not FHash because we need outputLen for DRBG
+  hmac?: HmacFnSync;
+  randomBytes?: (bytesLength?: number) => Uint8Array;
+  lowS?: boolean;
+  bits2int?: (bytes: Uint8Array) => bigint;
+  bits2int_modN?: (bytes: Uint8Array) => bigint;
+};
+export type CurveFn = {
+  /** @deprecated use `Point.CURVE()` */
+  CURVE: CurvePointsType<bigint>;
+  keygen: ECDSA['keygen'];
+  getPublicKey: ECDSA['getPublicKey'];
+  getSharedSecret: ECDSA['getSharedSecret'];
+  sign: ECDSA['sign'];
+  verify: ECDSA['verify'];
+  Point: WeierstrassPointCons<bigint>;
+  /** @deprecated use `Point` */
+  ProjectivePoint: WeierstrassPointCons<bigint>;
+  Signature: ECDSASignatureCons;
+  utils: ECDSA['utils'];
+  lengths: ECDSA['lengths'];
+};
+/** @deprecated use `weierstrass` in newer releases */
+export function weierstrassPoints<T>(c: CurvePointsTypeWithLength<T>): CurvePointsRes<T> {
+  const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+  const Point = weierstrassN(CURVE, curveOpts);
+  return _weierstrass_new_output_to_legacy(c, Point);
+}
 export type WsPointComposed<T> = {
   CURVE: WeierstrassOpts<T>;
   curveOpts: WeierstrassExtraOpts<T>;
 };
-// TODO: remove
 export type WsComposed = {
+  /** @deprecated use `Point.CURVE()` */
   CURVE: WeierstrassOpts<bigint>;
   hash: CHash;
   curveOpts: WeierstrassExtraOpts<bigint>;
   ecdsaOpts: ECDSAOpts;
 };
-// TODO: remove
 function _weierstrass_legacy_opts_to_new<T>(c: CurvePointsType<T>): WsPointComposed<T> {
   const CURVE: WeierstrassOpts<T> = {
     a: c.a,
@@ -1713,7 +1806,7 @@ function _weierstrass_legacy_opts_to_new<T>(c: CurvePointsType<T>): WsPointCompo
   const Fn = Field(CURVE.n, {
     BITS: c.nBitLength,
     allowedLengths: allowedLengths,
-    modOnDecode: c.wrapPrivateKey,
+    modFromBytes: c.wrapPrivateKey,
   });
   const curveOpts: WeierstrassExtraOpts<T> = {
     Fp,
@@ -1738,13 +1831,23 @@ function _ecdsa_legacy_opts_to_new(c: CurveType): WsComposed {
   };
   return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
 }
-// TODO: remove
+export function _legacyHelperEquat<T>(Fp: IField<T>, a: T, b: T): (x: T) => T {
+  /**
+   * y² = x³ + ax + b: Short weierstrass curve formula. Takes x, returns y².
+   * @returns y²
+   */
+  function weierstrassEquation(x: T): T {
+    const x2 = Fp.sqr(x); // x * x
+    const x3 = Fp.mul(x2, x); // x² * x
+    return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x³ + a * x + b
+  }
+  return weierstrassEquation;
+}
 function _weierstrass_new_output_to_legacy<T>(
   c: CurvePointsType<T>,
   Point: WeierstrassPointCons<T>
 ): CurvePointsRes<T> {
   const { Fp, Fn } = Point;
-  // TODO: remove
   function isWithinCurveOrder(num: bigint): boolean {
     return inRange(num, _1n, Fn.ORDER);
   }
@@ -1761,11 +1864,11 @@ function _weierstrass_new_output_to_legacy<T>(
     }
   );
 }
-// TODO: remove
-function _ecdsa_new_output_to_legacy(c: CurveType, ecdsa: ECDSA): CurveFn {
-  return Object.assign({}, ecdsa, {
-    ProjectivePoint: ecdsa.Point,
-    CURVE: c,
+function _ecdsa_new_output_to_legacy(c: CurveType, _ecdsa: ECDSA): CurveFn {
+  const Point = _ecdsa.Point;
+  return Object.assign({}, _ecdsa, {
+    ProjectivePoint: Point,
+    CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS)),
   });
 }