@noble/curves 1.9.5 → 2.0.0-beta.1

package/src/abstract/edwards.ts

@@ -7,33 +7,31 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
   _validateObject,
-  _abool2 as abool,
-  _abytes2 as abytes,
+  abool,
+  abytes,
   aInRange,
   bytesToHex,
   bytesToNumberLE,
   concatBytes,
   copyBytes,
-  ensureBytes,
+  hexToBytes,
+  isBytes,
   memoized,
   notImplemented,
-  numberToBytesLE,
-  randomBytes,
+  randomBytes as wcRandomBytes,
   type FHash,
-  type Hex,
+  type Signer,
 } from '../utils.ts';
 import {
   _createCurveFields,
   normalizeZ,
-  pippenger,
   wNAF,
   type AffinePoint,
-  type BasicCurve,
   type CurveLengths,
   type CurvePoint,
   type CurvePointCons,
 } from './curve.ts';
-import { Field, type IField, type NLength } from './modular.ts';
+import { type IField } from './modular.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
@@ -51,33 +49,14 @@ export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
   readonly Z: bigint;
   /** extended T coordinate */
   readonly T: bigint;
-
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array;
-  /** @deprecated use `p.precompute(windowSize)` */
-  _setWindowSize(windowSize: number): void;
-  /** @deprecated use .X */
-  readonly ex: bigint;
-  /** @deprecated use .Y */
-  readonly ey: bigint;
-  /** @deprecated use .Z */
-  readonly ez: bigint;
-  /** @deprecated use .T */
-  readonly et: bigint;
 }
 /** Static methods of Extended Point with coordinates in X, Y, Z, T. */
 export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
   new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
   CURVE(): EdwardsOpts;
   fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
-  fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
-  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-  msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
+  fromHex(hex: string, zip215?: boolean): EdwardsPoint;
 }
-/** @deprecated use EdwardsPoint */
-export type ExtPointType = EdwardsPoint;
-/** @deprecated use EdwardsPointCons */
-export type ExtPointConstructor = EdwardsPointCons;
 
 /**
  * Twisted Edwards curve options.
@@ -139,13 +118,17 @@ export type EdDSAOpts = Partial<{
  */
 export interface EdDSA {
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
-  getPublicKey: (secretKey: Hex) => Uint8Array;
-  sign: (message: Hex, secretKey: Hex, options?: { context?: Hex }) => Uint8Array;
+  getPublicKey: (secretKey: Uint8Array) => Uint8Array;
+  sign: (
+    message: Uint8Array,
+    secretKey: Uint8Array,
+    options?: { context?: Uint8Array }
+  ) => Uint8Array;
   verify: (
-    sig: Hex,
-    message: Hex,
-    publicKey: Hex,
-    options?: { context?: Hex; zip215: boolean }
+    sig: Uint8Array,
+    message: Uint8Array,
+    publicKey: Uint8Array,
+    options?: { context?: Uint8Array; zip215: boolean }
   ) => boolean;
   Point: EdwardsPointCons;
   utils: {
@@ -155,6 +138,12 @@ export interface EdDSA {
 
     /**
      * Converts ed public key to x public key.
+     *
+     * There is NO `fromMontgomery`:
+     * - There are 2 valid ed25519 points for every x25519, with flipped coordinate
+     * - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
+     *   accepts inputs on the quadratic twist, which can't be moved to ed25519
+     *
      * @example
      * ```js
      * const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
@@ -173,18 +162,13 @@ export interface EdDSA {
      * ```
      */
     toMontgomeryPriv: (privateKey: Uint8Array) => Uint8Array;
-    getExtendedPublicKey: (key: Hex) => {
+    getExtendedPublicKey: (key: Uint8Array) => {
       head: Uint8Array;
       prefix: Uint8Array;
       scalar: bigint;
       point: EdwardsPoint;
       pointBytes: Uint8Array;
     };
-
-    /** @deprecated use `randomSecretKey` */
-    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
-    /** @deprecated use `point.precompute()` */
-    precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
   };
   lengths: CurveLengths;
 }
@@ -201,7 +185,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
   const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
   const { Fp, Fn } = validated;
   let CURVE = validated.CURVE as EdwardsOpts;
-  const { h: cofactor, n: CURVE_ORDER } = CURVE;
+  const { h: cofactor } = CURVE;
   _validateObject(extraOpts, {}, { uvRatio: 'function' });
 
   // Important:
@@ -300,7 +284,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     }
 
     static CURVE(): EdwardsOpts {
-      return CURVE as EdwardsOpts;
+      return CURVE;
     }
 
     static fromAffine(p: AffinePoint<bigint>): Point {
@@ -327,7 +311,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
       // zip215=true:  0 <= y < MASK (2^256 for ed25519)
       // zip215=false: 0 <= y < P (2^255-19 for ed25519)
       const max = zip215 ? MASK : Fp.ORDER;
-      aInRange('pointHex.y', y, _0n, max);
+      aInRange('point.y', y, _0n, max);
 
       // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
       // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
@@ -335,17 +319,18 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
       const u = modP(y2 - _1n); // u = y² - 1
       const v = modP(d * y2 - a); // v = d y² + 1.
       let { isValid, value: x } = uvRatio(u, v); // √(u/v)
-      if (!isValid) throw new Error('Point.fromHex: invalid y coordinate');
+      if (!isValid) throw new Error('bad point: invalid y coordinate');
       const isXOdd = (x & _1n) === _1n; // There are 2 square roots. Use x_0 bit to select proper
       const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
       if (!zip215 && x === _0n && isLastByteOdd)
         // if x=0 and x_0 = 1, fail
-        throw new Error('Point.fromHex: x=0 and x_0=1');
+        throw new Error('bad point: x=0 and x_0=1');
       if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
       return Point.fromAffine({ x, y });
     }
-    static fromHex(bytes: Uint8Array, zip215 = false): Point {
-      return Point.fromBytes(ensureBytes('point', bytes), zip215);
+
+    static fromHex(hex: string, zip215 = false): Point {
+      return Point.fromBytes(hexToBytes(hex), zip215);
     }
 
     get x(): bigint {
@@ -438,9 +423,9 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
 
     // Constant-time multiplication.
     multiply(scalar: bigint): Point {
-      const n = scalar;
-      aInRange('scalar', n, _1n, CURVE_ORDER); // 1 <= scalar < L
-      const { p, f } = wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+      // 1 <= scalar < L
+      if (!Fn.isValidNot0(scalar)) throw new Error('invalid scalar: expected 1 <= sc < curve.n');
+      const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
       return normalizeZ(Point, [p, f])[0];
     }
 
@@ -450,11 +435,11 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     // Does NOT allow scalars higher than CURVE.n.
     // Accepts optional accumulator to merge with multiply (important for sparse scalars)
     multiplyUnsafe(scalar: bigint, acc = Point.ZERO): Point {
-      const n = scalar;
-      aInRange('scalar', n, _0n, CURVE_ORDER); // 0 <= scalar < L
-      if (n === _0n) return Point.ZERO;
-      if (this.is0() || n === _1n) return this;
-      return wnaf.unsafe(this, n, (p) => normalizeZ(Point, p), acc);
+      // 0 <= scalar < L
+      if (!Fn.isValid(scalar)) throw new Error('invalid scalar: expected 0 <= sc < curve.n');
+      if (scalar === _0n) return Point.ZERO;
+      if (this.is0() || scalar === _1n) return this;
+      return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);
     }
 
     // Checks if point is of small order.
@@ -468,7 +453,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     // Multiplies point by curve order and checks if the result is 0.
     // Returns `false` is the point is dirty.
     isTorsionFree(): boolean {
-      return wnaf.unsafe(this, CURVE_ORDER).is0();
+      return wnaf.unsafe(this, CURVE.n).is0();
     }
 
     // Converts Extended point to default (x, y) coordinates.
@@ -484,13 +469,12 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
 
     toBytes(): Uint8Array {
       const { x, y } = this.toAffine();
-      const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
-      bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0; // when compressing, it's enough to store y
-      return bytes; // and use the last byte to encode sign of x
-    }
-    /** @deprecated use `toBytes` */
-    toRawBytes(): Uint8Array {
-      return this.toBytes();
+      // Fp.toBytes() allows non-canonical encoding of y (>= p).
+      const bytes = Fp.toBytes(y);
+      // Each y has 2 valid points: (x, y), (x,-y).
+      // When compressing, it's enough to store y and use the last byte to encode sign of x
+      bytes[bytes.length - 1] |= x & _1n ? 0x80 : 0;
+      return bytes;
     }
     toHex(): string {
       return bytesToHex(this.toBytes());
@@ -499,31 +483,9 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     toString() {
       return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
-
-    // TODO: remove
-    get ex(): bigint {
-      return this.X;
-    }
-    get ey(): bigint {
-      return this.Y;
-    }
-    get ez(): bigint {
-      return this.Z;
-    }
-    get et(): bigint {
-      return this.T;
-    }
-    static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, points);
-    }
-    static msm(points: Point[], scalars: bigint[]): Point {
-      return pippenger(Point, Fn, points, scalars);
-    }
-    _setWindowSize(windowSize: number) {
-      this.precompute(windowSize);
-    }
   }
-  const wnaf = new wNAF(Point, Fn.BYTES * 8); // Fn.BITS?
+  const wnaf = new wNAF(Point, Fn.BITS);
+  Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
   return Point;
 }
 
@@ -555,7 +517,7 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
     notImplemented();
   }
 
-  static fromHex(_hex: Hex): any {
+  static fromHex(_hex: string): any {
     notImplemented();
   }
 
@@ -580,11 +542,6 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
     return this.ep.toAffine(invertedZ);
   }
 
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array {
-    return this.toBytes();
-  }
-
   toHex(): string {
     return bytesToHex(this.toBytes());
   }
@@ -655,11 +612,10 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   );
 
   const { prehash } = eddsaOpts;
-  const { BASE: G, Fp, Fn } = Point;
-  const CURVE_ORDER = Fn.ORDER;
+  const { BASE, Fp, Fn } = Point;
 
-  const randomBytes_ = eddsaOpts.randomBytes || randomBytes;
-  const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes: Uint8Array) => bytes); // NOOP
+  const randomBytes = eddsaOpts.randomBytes || wcRandomBytes;
+  const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
   const domain =
     eddsaOpts.domain ||
     ((data: Uint8Array, ctx: Uint8Array, phflag: boolean) => {
@@ -668,23 +624,18 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
       return data;
     }); // NOOP
 
-  function modN(a: bigint) {
-    return Fn.create(a);
-  }
-
   // Little-endian SHA512 with modulo n
   function modN_LE(hash: Uint8Array): bigint {
-    // Not using Fn.fromBytes: hash can be 2*Fn.BYTES
-    return modN(bytesToNumberLE(hash));
+    return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit
   }
 
   // Get the hashed private scalar per RFC8032 5.1.5
-  function getPrivateScalar(key: Hex) {
-    const len = lengths.secret;
-    key = ensureBytes('private key', key, len);
+  function getPrivateScalar(key: Uint8Array) {
+    const len = lengths.secretKey;
+    abytes(key, lengths.secretKey, 'secretKey');
     // Hash private key with curve's hash function to produce uniformingly random input
     // Check byte lengths: ensure(64, h(ensure(32, key)))
-    const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);
+    const hashed = abytes(cHash(key), 2 * len, 'hashedSecretKey');
     const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
     const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
     const scalar = modN_LE(head); // The actual private scalar
@@ -692,52 +643,60 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
-  function getExtendedPublicKey(secretKey: Hex) {
+  function getExtendedPublicKey(secretKey: Uint8Array) {
     const { head, prefix, scalar } = getPrivateScalar(secretKey);
-    const point = G.multiply(scalar); // Point on Edwards curve aka public key
+    const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
     const pointBytes = point.toBytes();
     return { head, prefix, scalar, point, pointBytes };
   }
 
   /** Calculates EdDSA pub key. RFC8032 5.1.5. */
-  function getPublicKey(secretKey: Hex): Uint8Array {
+  function getPublicKey(secretKey: Uint8Array): Uint8Array {
     return getExtendedPublicKey(secretKey).pointBytes;
   }
 
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
-  function hashDomainToScalar(context: Hex = Uint8Array.of(), ...msgs: Uint8Array[]) {
+  function hashDomainToScalar(context: Uint8Array = Uint8Array.of(), ...msgs: Uint8Array[]) {
     const msg = concatBytes(...msgs);
-    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
+    return modN_LE(cHash(domain(msg, abytes(context, undefined, 'context'), !!prehash)));
   }
 
   /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, secretKey: Hex, options: { context?: Hex } = {}): Uint8Array {
-    msg = ensureBytes('message', msg);
+  function sign(
+    msg: Uint8Array,
+    secretKey: Uint8Array,
+    options: { context?: Uint8Array } = {}
+  ): Uint8Array {
+    msg = abytes(msg, undefined, 'message');
     if (prehash) msg = prehash(msg); // for ed25519ph etc.
     const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
     const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
-    const R = G.multiply(r).toBytes(); // R = rG
+    const R = BASE.multiply(r).toBytes(); // R = rG
     const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
-    const s = modN(r + k * scalar); // S = (r + k * s) mod L
-    aInRange('signature.s', s, _0n, CURVE_ORDER); // 0 <= s < l
-    const L = Fp.BYTES;
-    const res = concatBytes(R, numberToBytesLE(s, L));
-    return ensureBytes('result', res, L * 2); // 64-byte signature
+    const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
+    if (!Fn.isValid(s)) throw new Error('sign failed: invalid s'); // 0 <= s < L
+    const rs = concatBytes(R, Fn.toBytes(s));
+    return abytes(rs, lengths.signature, 'result');
   }
 
   // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-  const verifyOpts: { context?: Hex; zip215?: boolean } = { zip215: true };
+  const verifyOpts: { context?: Uint8Array; zip215?: boolean } = { zip215: true };
 
   /**
    * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
    * An extended group equation is checked.
    */
-  function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
+  function verify(
+    sig: Uint8Array,
+    msg: Uint8Array,
+    publicKey: Uint8Array,
+    options = verifyOpts
+  ): boolean {
     const { context, zip215 } = options;
-    const len = lengths.signature; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
-    sig = ensureBytes('signature', sig, len); // An extended group equation is checked.
-    msg = ensureBytes('message', msg);
-    publicKey = ensureBytes('publicKey', publicKey, lengths.public);
+    const len = lengths.signature;
+    sig = abytes(sig, len, 'signature');
+    msg = abytes(msg, undefined, 'message');
+    publicKey = abytes(publicKey, lengths.publicKey, 'publicKey');
     if (zip215 !== undefined) abool(zip215, 'zip215');
     if (prehash) msg = prehash(msg); // for ed25519ph, etc
 
@@ -751,11 +710,11 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
       // zip215=false: 0 <= y < P (2^255-19 for ed25519)
       A = Point.fromBytes(publicKey, zip215);
       R = Point.fromBytes(r, zip215);
-      SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+      SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
     } catch (error) {
       return false;
     }
-    if (!zip215 && A.isSmallOrder()) return false;
+    if (!zip215 && A.isSmallOrder()) return false; // zip215 allows public keys of small order
 
     const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
     const RkA = R.add(A.multiplyUnsafe(k));
@@ -764,16 +723,14 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
     return RkA.subtract(SB).clearCofactor().is0();
   }
 
-  G.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
-
-  const _size = Fp.BYTES;
+  const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
   const lengths = {
-    secret: _size,
-    public: _size,
+    secretKey: _size,
+    publicKey: _size,
     signature: 2 * _size,
     seed: _size,
   };
-  function randomSecretKey(seed = randomBytes_!(lengths.seed)): Uint8Array {
+  function randomSecretKey(seed = randomBytes(lengths.seed)): Uint8Array {
     return abytes(seed, lengths.seed, 'seed');
   }
   function keygen(seed?: Uint8Array) {
@@ -782,11 +739,7 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   function isValidSecretKey(key: Uint8Array): boolean {
-    try {
-      return !!Fn.fromBytes(key, false);
-    } catch (error) {
-      return false;
-    }
+    return isBytes(key) && key.length === Fn.BYTES;
   }
 
   function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
@@ -810,34 +763,21 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
      * - ed448:
      *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
      *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
-     *
-     * There is NO `fromMontgomery`:
-     * - There are 2 valid ed25519 points for every x25519, with flipped coordinate
-     * - Sometimes there are 0 valid ed25519 points, because x25519 *additionally*
-     *   accepts inputs on the quadratic twist, which can't be moved to ed25519
      */
     toMontgomery(publicKey: Uint8Array): Uint8Array {
       const { y } = Point.fromBytes(publicKey);
-      const size = lengths.public;
+      const size = lengths.publicKey;
       const is25519 = size === 32;
       if (!is25519 && size !== 57) throw new Error('only defined for 25519 and 448');
       const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
       return Fp.toBytes(u);
     },
-
     toMontgomeryPriv(secretKey: Uint8Array): Uint8Array {
-      const size = lengths.secret;
+      const size = lengths.secretKey;
       abytes(secretKey, size);
       const hashed = cHash(secretKey.subarray(0, size));
       return adjustScalarBytes(hashed).subarray(0, size);
     },
-
-    /** @deprecated */
-    randomPrivateKey: randomSecretKey,
-    /** @deprecated */
-    precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
-      return point.precompute(windowSize, false);
-    },
   };
 
   return Object.freeze({
@@ -848,72 +788,5 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
     utils,
     Point,
     lengths,
-  });
-}
-
-// TODO: remove everything below
-export type CurveType = BasicCurve<bigint> & {
-  a: bigint; // curve param a
-  d: bigint; // curve param d
-  /** @deprecated the property will be removed in next release */
-  hash: FHash; // Hashing
-  randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
-  uvRatio?: UVRatio; // Ratio √(u/v)
-  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
-  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
-};
-export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
-export type CurveFn = {
-  /** @deprecated the property will be removed in next release */
-  CURVE: CurveType;
-  keygen: EdDSA['keygen'];
-  getPublicKey: EdDSA['getPublicKey'];
-  sign: EdDSA['sign'];
-  verify: EdDSA['verify'];
-  Point: EdwardsPointCons;
-  /** @deprecated use `Point` */
-  ExtendedPoint: EdwardsPointCons;
-  utils: EdDSA['utils'];
-  lengths: CurveLengths;
-};
-export type EdComposed = {
-  CURVE: EdwardsOpts;
-  curveOpts: EdwardsExtraOpts;
-  hash: FHash;
-  eddsaOpts: EdDSAOpts;
-};
-function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
-  const CURVE: EdwardsOpts = {
-    a: c.a,
-    d: c.d,
-    p: c.Fp.ORDER,
-    n: c.n,
-    h: c.h,
-    Gx: c.Gx,
-    Gy: c.Gy,
-  };
-  const Fp = c.Fp;
-  const Fn = Field(CURVE.n, c.nBitLength, true);
-  const curveOpts: EdwardsExtraOpts = { Fp, Fn, uvRatio: c.uvRatio };
-  const eddsaOpts: EdDSAOpts = {
-    randomBytes: c.randomBytes,
-    adjustScalarBytes: c.adjustScalarBytes,
-    domain: c.domain,
-    prehash: c.prehash,
-    mapToCurve: c.mapToCurve,
-  };
-  return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
-}
-function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
-  const legacy = Object.assign({}, eddsa, { ExtendedPoint: eddsa.Point, CURVE: c });
-  return legacy;
-}
-// TODO: remove. Use eddsa
-export function twistedEdwards(c: CurveTypeWithLength): CurveFn {
-  const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
-  const Point = edwards(CURVE, curveOpts);
-  const EDDSA = eddsa(Point, hash, eddsaOpts);
-  return _eddsa_new_output_to_legacy(c, EDDSA);
+  }) satisfies Signer;
 }