@noble/curves 1.9.6 → 2.0.0-beta.1

package/src/misc.ts

@@ -6,18 +6,19 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { blake256 } from '@noble/hashes/blake1.js';
 import { blake2s } from '@noble/hashes/blake2.js';
-import { sha256, sha512 } from '@noble/hashes/sha2.js';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
+import { concatBytes } from '@noble/hashes/utils.js';
 import {
-  twistedEdwards,
-  type CurveFn,
+  eddsa,
+  edwards,
+  type EdDSA,
   type EdwardsOpts,
   type EdwardsPoint,
 } from './abstract/edwards.ts';
-import { Field, mod } from './abstract/modular.ts';
-import { weierstrass, type CurveFn as WCurveFn } from './abstract/weierstrass.ts';
+import { ecdsa, weierstrass, type ECDSA, type WeierstrassOpts } from './abstract/weierstrass.ts';
 import { bls12_381_Fr } from './bls12-381.ts';
 import { bn254_Fr } from './bn254.ts';
+import { asciiToBytes } from './utils.ts';
 
 // Jubjub curves have 𝔽p over scalar fields of other curves. They are friendly to ZK proofs.
 // jubjub Fp = bls n. babyjubjub Fp = bn254 n.
@@ -32,11 +33,7 @@ const jubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0x1d523cf1ddab1a1793132e78c866c0c33e26ba5cc220fed7cc3f870e59d292aa'),
 };
 /** Curve over scalar field of bls12-381. jubjub Fp = bls n */
-export const jubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...jubjub_CURVE,
-  Fp: bls12_381_Fr,
-  hash: sha512,
-});
+export const jubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(jubjub_CURVE), sha512);
 
 const babyjubjub_CURVE: EdwardsOpts = {
   p: bn254_Fr.ORDER,
@@ -48,13 +45,9 @@ const babyjubjub_CURVE: EdwardsOpts = {
   Gy: BigInt('0xc19139cb84c680a6e14116da06056174a0cfa121e6e5c2450f87d64fc000001'),
 };
 /** Curve over scalar field of bn254. babyjubjub Fp = bn254 n */
-export const babyjubjub: CurveFn = /* @__PURE__ */ twistedEdwards({
-  ...babyjubjub_CURVE,
-  Fp: bn254_Fr,
-  hash: blake256,
-});
+export const babyjubjub: EdDSA = /* @__PURE__ */ eddsa(edwards(babyjubjub_CURVE), blake256);
 
-const jubjub_gh_first_block = utf8ToBytes(
+const jubjub_gh_first_block = asciiToBytes(
   '096b36a5804bfacef1691e173c366a47ff5ba84a44f26ddd7e8d9f79d5b42df0'
 );
 
@@ -87,38 +80,62 @@ export function jubjub_findGroupHash(m: Uint8Array, personalization: Uint8Array)
   return hashes[0];
 }
 
-// Pasta curves. See [Spec](https://o1-labs.github.io/proof-systems/specs/pasta.html).
-
-export const pasta_p: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc094cf91b992d30ed00000001'
-);
-export const pasta_q: bigint = BigInt(
-  '0x40000000000000000000000000000000224698fc0994a8dd8c46eb2100000001'
-);
+const brainpoolP256r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt('0xa9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377'),
+  a: BigInt('0x7d5a0975fc2c3057eef67530417affe7fb8055c126dc5c6ce94a4b44f330b5d9'),
+  b: BigInt('0x26dc5c6ce94a4b44f330b5d9bbd77cbf958416295cf7e1ce6bccdc18ff8c07b6'),
+  n: BigInt('0xa9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7'),
+  Gx: BigInt('0x8bd2aeb9cb7e57cb2c4b482ffc81b7afb9de27e1e3bd23c23a4453bd9ace3262'),
+  Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
+  h: BigInt(1),
+};
+/** Brainpool P256r1 with sha256, from RFC 5639. */
+export const brainpoolP256r1: ECDSA = ecdsa(weierstrass(brainpoolP256r1_CURVE), sha256);
 
-/**
- * @deprecated
- */
-export const pallas: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_p),
-  n: pasta_q,
-  Gx: mod(BigInt(-1), pasta_p),
-  Gy: BigInt(2),
+const brainpoolP384r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53'
+  ),
+  a: BigInt(
+    '0x7bc382c63d8c150c3c72080ace05afa0c2bea28e4fb22787139165efba91f90f8aa5814a503ad4eb04a8c7dd22ce2826'
+  ),
+  b: BigInt(
+    '0x04a8c7dd22ce28268b39b55416f0447c2fb77de107dcd2a62e880ea53eeb62d57cb4390295dbc9943ab78696fa504c11'
+  ),
+  n: BigInt(
+    '0x8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b31f166e6cac0425a7cf3ab6af6b7fc3103b883202e9046565'
+  ),
+  Gx: BigInt(
+    '0x1d1c64f068cf45ffa2a63a81b7c13f6b8847a3e77ef14fe3db7fcafe0cbd10e8e826e03436d646aaef87b2e247d4af1e'
+  ),
+  Gy: BigInt(
+    '0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
-/**
- * @deprecated
- */
-export const vesta: WCurveFn = weierstrass({
-  a: BigInt(0),
-  b: BigInt(5),
-  Fp: Field(pasta_q),
-  n: pasta_p,
-  Gx: mod(BigInt(-1), pasta_q),
-  Gy: BigInt(2),
+};
+/** Brainpool P384r1 with sha384, from RFC 5639. */
+export const brainpoolP384r1: ECDSA = ecdsa(weierstrass(brainpoolP384r1_CURVE), sha384);
+
+const brainpoolP512r1_CURVE: WeierstrassOpts<bigint> = {
+  p: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3'
+  ),
+  a: BigInt(
+    '0x7830a3318b603b89e2327145ac234cc594cbdd8d3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94ca'
+  ),
+  b: BigInt(
+    '0x3df91610a83441caea9863bc2ded5d5aa8253aa10a2ef1c98b9ac8b57f1117a72bf2c7b9e7c1ac4d77fc94cadc083e67984050b75ebae5dd2809bd638016f723'
+  ),
+  n: BigInt(
+    '0xaadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069'
+  ),
+  Gx: BigInt(
+    '0x81aee4bdd82ed9645a21322e9c4c6a9385ed9f70b5d916c1b43b62eef4d0098eff3b1f78e2d0d48d50d1687b93b97d5f7c6d5047406a5e688b352209bcb9f822'
+  ),
+  Gy: BigInt(
+    '0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'
+  ),
   h: BigInt(1),
-  hash: sha256,
-});
+};
+/** Brainpool P521r1 with sha512, from RFC 5639. */
+export const brainpoolP512r1: ECDSA = ecdsa(weierstrass(brainpoolP512r1_CURVE), sha512);

package/src/nist.ts

@@ -5,11 +5,14 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256, sha384, sha512 } from '@noble/hashes/sha2.js';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
 import { createHasher, type H2CHasher } from './abstract/hash-to-curve.ts';
 import { Field } from './abstract/modular.ts';
+import { createORPF, type OPRF } from './abstract/oprf.ts';
 import {
+  ecdsa,
   mapToCurveSimpleSWU,
+  weierstrass,
+  type ECDSA,
   type WeierstrassOpts,
   type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
@@ -72,9 +75,6 @@ const p521_CURVE: WeierstrassOpts<bigint> = {
   ),
 };
 
-const Fp256 = Field(p256_CURVE.p);
-const Fp384 = Field(p384_CURVE.p);
-const Fp521 = Field(p521_CURVE.p);
 type SwuOpts = {
   A: bigint;
   B: bigint;
@@ -86,18 +86,17 @@ function createSWU(Point: WeierstrassPointCons<bigint>, opts: SwuOpts) {
 }
 
 /** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
-export const p256: CurveFnWithCreate = createCurve(
-  { ...p256_CURVE, Fp: Fp256, lowS: false },
-  sha256
-);
+
+const p256_Point = /* @__PURE__ */ weierstrass(p256_CURVE);
+export const p256: ECDSA = /* @__PURE__ */ ecdsa(p256_Point, sha256);
 /** Hashing / encoding to p256 points / field. RFC 9380 methods. */
-export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p256_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p256.Point,
-    createSWU(p256.Point, {
+    p256_Point,
+    createSWU(p256_Point, {
       A: p256_CURVE.a,
       B: p256_CURVE.b,
-      Z: p256.Point.Fp.create(BigInt('-10')),
+      Z: p256_Point.Fp.create(BigInt('-10')),
     }),
     {
       DST: 'P256_XMD:SHA-256_SSWU_RO_',
@@ -111,27 +110,26 @@ export const p256_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   );
 })();
 
-// export const p256_oprf: OPRF = createORPF({
-//   name: 'P256-SHA256',
-//   Point: p256.Point,
-//   hash: sha256,
-//   hashToGroup: p256_hasher.hashToCurve,
-//   hashToScalar: p256_hasher.hashToScalar,
-// });
+export const p256_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P256-SHA256',
+    Point: p256_Point,
+    hash: sha256,
+    hashToGroup: p256_hasher.hashToCurve,
+    hashToScalar: p256_hasher.hashToScalar,
+  }))();
 
+const p384_Point = /* @__PURE__ */ weierstrass(p384_CURVE);
 /** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
-export const p384: CurveFnWithCreate = createCurve(
-  { ...p384_CURVE, Fp: Fp384, lowS: false },
-  sha384
-);
+export const p384: ECDSA = /* @__PURE__ */ ecdsa(p384_Point, sha384);
 /** Hashing / encoding to p384 points / field. RFC 9380 methods. */
-export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p384_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p384.Point,
-    createSWU(p384.Point, {
+    p384_Point,
+    createSWU(p384_Point, {
       A: p384_CURVE.a,
       B: p384_CURVE.b,
-      Z: p384.Point.Fp.create(BigInt('-12')),
+      Z: p384_Point.Fp.create(BigInt('-12')),
     }),
     {
       DST: 'P384_XMD:SHA-384_SSWU_RO_',
@@ -145,36 +143,28 @@ export const p384_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   );
 })();
 
-// export const p384_oprf: OPRF = createORPF({
-//   name: 'P384-SHA384',
-//   Point: p384.Point,
-//   hash: sha384,
-//   hashToGroup: p384_hasher.hashToCurve,
-//   hashToScalar: p384_hasher.hashToScalar,
-// });
+export const p384_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P384-SHA384',
+    Point: p384_Point,
+    hash: sha384,
+    hashToGroup: p384_hasher.hashToCurve,
+    hashToScalar: p384_hasher.hashToScalar,
+  }))();
 
-// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
+const Fn521 = /* @__PURE__ */ Field(p521_CURVE.n, { allowedLengths: [65, 66] });
+const p521_Point = /* @__PURE__ */ weierstrass(p521_CURVE, { Fn: Fn521 });
 /** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
-export const p521: CurveFnWithCreate = createCurve(
-  { ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] },
-  sha512
-);
-
-/** @deprecated use `p256` for consistency with `p256_hasher` */
-export const secp256r1: typeof p256 = p256;
-/** @deprecated use `p384` for consistency with `p384_hasher` */
-export const secp384r1: typeof p384 = p384;
-/** @deprecated use `p521` for consistency with `p521_hasher` */
-export const secp521r1: typeof p521 = p521;
+export const p521: ECDSA = /* @__PURE__ */ ecdsa(p521_Point, sha512);
 
 /** Hashing / encoding to p521 points / field. RFC 9380 methods. */
-export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
+export const p521_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() => {
   return createHasher(
-    p521.Point,
-    createSWU(p521.Point, {
+    p521_Point,
+    createSWU(p521_Point, {
       A: p521_CURVE.a,
       B: p521_CURVE.b,
-      Z: p521.Point.Fp.create(BigInt('-4')),
+      Z: p521_Point.Fp.create(BigInt('-4')),
     }),
     {
       DST: 'P521_XMD:SHA-512_SSWU_RO_',
@@ -188,10 +178,11 @@ export const p521_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() => {
   );
 })();
 
-// export const p521_oprf: OPRF = createORPF({
-//   name: 'P521-SHA512',
-//   Point: p521.Point,
-//   hash: sha512,
-//   hashToGroup: p521_hasher.hashToCurve,
-//   hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
-// });
+export const p521_oprf: OPRF = /* @__PURE__ */ (() =>
+  createORPF({
+    name: 'P521-SHA512',
+    Point: p521_Point,
+    hash: sha512,
+    hashToGroup: p521_hasher.hashToCurve,
+    hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
+  }))();

package/src/secp256k1.ts

@@ -8,35 +8,23 @@
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import { sha256 } from '@noble/hashes/sha2.js';
 import { randomBytes } from '@noble/hashes/utils.js';
-import { createCurve, type CurveFnWithCreate } from './_shortw_utils.ts';
 import type { CurveLengths } from './abstract/curve.ts';
+import { createHasher, type H2CHasher, isogenyMap } from './abstract/hash-to-curve.ts';
+import { Field, mapHashToField, pow2 } from './abstract/modular.ts';
 import {
-  createHasher,
-  type H2CHasher,
-  type H2CMethod,
-  isogenyMap,
-} from './abstract/hash-to-curve.ts';
-import { Field, mapHashToField, mod, pow2 } from './abstract/modular.ts';
-import {
-  _normFnElement,
+  type ECDSA,
+  ecdsa,
   type EndomorphismOpts,
   mapToCurveSimpleSWU,
   type WeierstrassPoint as PointType,
+  weierstrass,
   type WeierstrassOpts,
   type WeierstrassPointCons,
 } from './abstract/weierstrass.ts';
-import type { Hex, PrivKey } from './utils.ts';
-import {
-  bytesToNumberBE,
-  concatBytes,
-  ensureBytes,
-  inRange,
-  numberToBytesBE,
-  utf8ToBytes,
-} from './utils.ts';
+import { abytes, asciiToBytes, bytesToNumberBE, concatBytes, inRange } from './utils.ts';
 
 // Seems like generator was produced from some seed:
-// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
+// `Pointk1.BASE.multiply(Pointk1.Fn.inv(2n, N)).toAffine().x`
 // // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
 const secp256k1_CURVE: WeierstrassOpts<bigint> = {
   p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
@@ -89,6 +77,10 @@ function sqrtMod(y: bigint): bigint {
 }
 
 const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
+const Pointk1 = /* @__PURE__ */ weierstrass(secp256k1_CURVE, {
+  Fp: Fpk1,
+  endo: secp256k1_ENDO,
+});
 
 /**
  * secp256k1 curve, ECDSA and ECDH methods.
@@ -104,10 +96,8 @@ const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
  * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
  * ```
  */
-export const secp256k1: CurveFnWithCreate = createCurve(
-  { ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO },
-  sha256
-);
+
+export const secp256k1: ECDSA = /* @__PURE__ */ ecdsa(Pointk1, sha256);
 
 // Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
 // https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
@@ -116,7 +106,7 @@ const TAGGED_HASH_PREFIXES: { [tag: string]: Uint8Array } = {};
 function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
   let tagP = TAGGED_HASH_PREFIXES[tag];
   if (tagP === undefined) {
-    const tagH = sha256(utf8ToBytes(tag));
+    const tagH = sha256(asciiToBytes(tag));
     tagP = concatBytes(tagH, tagH);
     TAGGED_HASH_PREFIXES[tag] = tagP;
   }
@@ -125,13 +115,12 @@ function taggedHash(tag: string, ...messages: Uint8Array[]): Uint8Array {
 
 // ECDSA compact points are 33-byte. Schnorr is 32: we strip first byte 0x02 or 0x03
 const pointToBytes = (point: PointType<bigint>) => point.toBytes(true).slice(1);
-const Pointk1 = /* @__PURE__ */ (() => secp256k1.Point)();
 const hasEven = (y: bigint) => y % _2n === _0n;
 
 // Calculate point, scalar and bytes
-function schnorrGetExtPubKey(priv: PrivKey) {
+function schnorrGetExtPubKey(priv: Uint8Array) {
   const { Fn, BASE } = Pointk1;
-  const d_ = _normFnElement(Fn, priv);
+  const d_ = Fn.fromBytes(priv);
   const p = BASE.multiply(d_); // P = d'⋅G; 0 < d' < n check is done inside
   const scalar = hasEven(p.y) ? d_ : Fn.neg(d_);
   return { scalar, bytes: pointToBytes(p) };
@@ -164,7 +153,7 @@ function challenge(...args: Uint8Array[]): bigint {
 /**
  * Schnorr public key is just `x` coordinate of Point as per BIP340.
  */
-function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
+function schnorrGetPublicKey(secretKey: Uint8Array): Uint8Array {
   return schnorrGetExtPubKey(secretKey).bytes; // d'=int(sk). Fail if d'=0 or d'≥n. Ret bytes(d'⋅G)
 }
 
@@ -172,11 +161,15 @@ function schnorrGetPublicKey(secretKey: Hex): Uint8Array {
  * Creates Schnorr signature as per BIP340. Verifies itself before returning anything.
  * auxRand is optional and is not the sole source of k generation: bad CSPRNG won't be dangerous.
  */
-function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomBytes(32)): Uint8Array {
+function schnorrSign(
+  message: Uint8Array,
+  secretKey: Uint8Array,
+  auxRand: Uint8Array = randomBytes(32)
+): Uint8Array {
   const { Fn } = Pointk1;
-  const m = ensureBytes('message', message);
+  const m = abytes(message, undefined, 'message');
   const { bytes: px, scalar: d } = schnorrGetExtPubKey(secretKey); // checks for isWithinCurveOrder
-  const a = ensureBytes('auxRand', auxRand, 32); // Auxiliary random data a: a 32-byte array
+  const a = abytes(auxRand, 32, 'auxRand'); // Auxiliary random data a: a 32-byte array
   const t = Fn.toBytes(d ^ num(taggedHash('BIP0340/aux', a))); // Let t be the byte-wise xor of bytes(d) and hash/aux(a)
   const rand = taggedHash('BIP0340/nonce', t, px, m); // Let rand = hash/nonce(t || bytes(P) || m)
   // Let k' = int(rand) mod n. Fail if k' = 0. Let R = k'⋅G
@@ -194,19 +187,18 @@ function schnorrSign(message: Hex, secretKey: PrivKey, auxRand: Hex = randomByte
  * Verifies Schnorr signature.
  * Will swallow errors & return false except for initial type validation of arguments.
  */
-function schnorrVerify(signature: Hex, message: Hex, publicKey: Hex): boolean {
+function schnorrVerify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): boolean {
   const { Fn, BASE } = Pointk1;
-  const sig = ensureBytes('signature', signature, 64);
-  const m = ensureBytes('message', message);
-  const pub = ensureBytes('publicKey', publicKey, 32);
+  const sig = abytes(signature, 64, 'signature');
+  const m = abytes(message, undefined, 'message');
+  const pub = abytes(publicKey, 32, 'publicKey');
   try {
     const P = lift_x(num(pub)); // P = lift_x(int(pk)); fail if that fails
     const r = num(sig.subarray(0, 32)); // Let r = int(sig[0:32]); fail if r ≥ p.
     if (!inRange(r, _1n, secp256k1_CURVE.p)) return false;
     const s = num(sig.subarray(32, 64)); // Let s = int(sig[32:64]); fail if s ≥ n.
     if (!inRange(s, _1n, secp256k1_CURVE.n)) return false;
-    // int(challenge(bytes(r)||bytes(P)||m))%n
-    const e = challenge(Fn.toBytes(r), pointToBytes(P), m);
+    const e = challenge(Fn.toBytes(r), pointToBytes(P), m); // int(challenge(bytes(r)||bytes(P)||m))%n
     // R = s⋅G - e⋅P, where -eP == (n-e)P
     const R = BASE.multiplyUnsafe(s).add(P.multiplyUnsafe(Fn.neg(e)));
     const { x, y } = R.toAffine();
@@ -229,15 +221,6 @@ export type SecpSchnorr = {
     pointToBytes: (point: PointType<bigint>) => Uint8Array;
     lift_x: typeof lift_x;
     taggedHash: typeof taggedHash;
-
-    /** @deprecated use `randomSecretKey` */
-    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
-    /** @deprecated use `utils` */
-    numberToBytesBE: typeof numberToBytesBE;
-    /** @deprecated use `utils` */
-    bytesToNumberBE: typeof bytesToNumberBE;
-    /** @deprecated use `modular` */
-    mod: typeof mod;
   };
   lengths: CurveLengths;
 };
@@ -260,8 +243,6 @@ export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
   const randomSecretKey = (seed = randomBytes(seedLength)): Uint8Array => {
     return mapHashToField(seed, secp256k1_CURVE.n);
   };
-  // TODO: remove
-  secp256k1.utils.randomSecretKey;
   function keygen(seed?: Uint8Array) {
     const secretKey = randomSecretKey(seed);
     return { secretKey, publicKey: schnorrGetPublicKey(secretKey) };
@@ -273,16 +254,10 @@ export const schnorr: SecpSchnorr = /* @__PURE__ */ (() => {
     verify: schnorrVerify,
     Point: Pointk1,
     utils: {
-      randomSecretKey: randomSecretKey,
-      randomPrivateKey: randomSecretKey,
+      randomSecretKey,
       taggedHash,
-
-      // TODO: remove
       lift_x,
       pointToBytes,
-      numberToBytesBE,
-      bytesToNumberBE,
-      mod,
     },
     lengths: {
       secretKey: size,
@@ -335,9 +310,9 @@ const mapSWU = /* @__PURE__ */ (() =>
   }))();
 
 /** Hashing / encoding to secp256k1 points / field. RFC 9380 methods. */
-export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
+export const secp256k1_hasher: H2CHasher<WeierstrassPointCons<bigint>> = /* @__PURE__ */ (() =>
   createHasher(
-    secp256k1.Point,
+    Pointk1,
     (scalars: bigint[]) => {
       const { x, y } = mapSWU(Fpk1.create(scalars[0]));
       return isoMap(x, y);
@@ -352,11 +327,3 @@ export const secp256k1_hasher: H2CHasher<bigint> = /* @__PURE__ */ (() =>
       hash: sha256,
     }
   ))();
-
-/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
-export const hashToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  secp256k1_hasher.hashToCurve)();
-
-/** @deprecated use `import { secp256k1_hasher } from '@noble/curves/secp256k1.js';` */
-export const encodeToCurve: H2CMethod<bigint> = /* @__PURE__ */ (() =>
-  secp256k1_hasher.encodeToCurve)();