@noble/curves 1.9.7 → 2.0.0-beta.2

package/README.md

@@ -5,14 +5,14 @@ Audited & minimal JS implementation of elliptic curve cryptography.
 - 🔒 [**Audited**](#security) by independent security firms
 - 🔻 Tree-shakeable: unused code is excluded from your builds
 - 🏎 Fast: hand-optimized for caveats of JS engines
-- 🔍 Reliable: tested against cross-library, wycheproof and acvp vectors
+- 🔍 Reliable: cross-library / wycheproof tests and fuzzing ensure correctness
 - ➰ Weierstrass, Edwards, Montgomery curves; ECDSA, EdDSA, Schnorr, BLS signatures
 - ✍️ ECDH, hash-to-curve, OPRF, Poseidon ZK-friendly hash
 - 🔖 Non-repudiation (SUF-CMA, SBS) & consensus-friendliness (ZIP215) in ed25519, ed448
 - 🥈 Optional, friendly wrapper over native WebCrypto
 - 🪶 36KB (gzipped) including bundled hashes, 11KB for single-curve build
 
-Curves have 4KB sister projects
+Curves have 5kb sister projects
 [secp256k1](https://github.com/paulmillr/noble-secp256k1) & [ed25519](https://github.com/paulmillr/noble-ed25519).
 They have smaller attack surface, but less features.
 
@@ -30,7 +30,7 @@ Take a glance at [GitHub Discussions](https://github.com/paulmillr/noble-curves/
   [curves](https://github.com/paulmillr/noble-curves),
   [hashes](https://github.com/paulmillr/noble-hashes),
   [post-quantum](https://github.com/paulmillr/noble-post-quantum),
-  4kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
+  5kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
   [ed25519](https://github.com/paulmillr/noble-ed25519)
 - [Check out homepage](https://paulmillr.com/noble/)
   for reading resources, documentation and apps built with noble
@@ -50,251 +50,314 @@ A standalone file [noble-curves.js](https://github.com/paulmillr/noble-curves/re
 ```ts
 // import * from '@noble/curves'; // Error: use sub-imports, to ensure small app size
 import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
-import { ed25519, ed25519ph, ed25519ctx, x25519 } from '@noble/curves/ed25519.js';
-import { ed448, ed448ph, ed448ctx, x448 } from '@noble/curves/ed448.js';
+import { ed25519, ed25519ph, ed25519ctx, x25519, ristretto255 } from '@noble/curves/ed25519.js';
+import { ed448, ed448ph, x448, decaf448 } from '@noble/curves/ed448.js';
 import { p256, p384, p521 } from '@noble/curves/nist.js';
 import { bls12_381 } from '@noble/curves/bls12-381.js';
 import { bn254 } from '@noble/curves/bn254.js';
-import { jubjub, babyjubjub } from '@noble/curves/misc.js';
-import { bytesToHex, hexToBytes, concatBytes, utf8ToBytes } from '@noble/curves/abstract/utils.js';
+import { jubjub, babyjubjub, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 } from '@noble/curves/misc.js';
+
+// hash-to-curve
+import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
+import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
+import { ristretto255_hasher } from '@noble/curves/ed25519.js';
+import { decaf448_hasher } from '@noble/curves/ed448.js';
+
+// OPRFs
+import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
+import { decaf448_oprf } from '@noble/curves/ed448.js';
+
+// utils
+import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
+import { Field } from '@noble/curves/abstract/modular.js';
+import { weierstrass, ecdsa } from '@noble/curves/abstract/weierstrass.js';
+import { edwards, eddsa } from '@noble/curves/abstract/edwards.js';
+import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
+import { FFT, poly } from '@noble/curves/abstract/fft.js';
 ```
 
-- [ECDSA signatures over secp256k1 and others](#ecdsa-signatures-over-secp256k1-and-others)
-- [Hedged ECDSA with noise](#hedged-ecdsa-with-noise)
-- [ECDH: Diffie-Hellman shared secrets](#ecdh-diffie-hellman-shared-secrets)
-- [secp256k1 Schnorr signatures from BIP340](#secp256k1-schnorr-signatures-from-bip340)
-- [ed25519](#ed25519) / [X25519](#x25519) / [ristretto255](#ristretto255)
-- [ed448](#ed448) / [X448](#x448) / [decaf448](#decaf448)
-- [bls12-381](#bls12-381)
-- [bn254 aka alt_bn128](#bn254-aka-alt_bn128)
-- [misc curves](#misc-curves)
-- [Low-level methods](#low-level-methods)
-- [Abstract API](#abstract-api)
-  - [weierstrass](#weierstrass-short-weierstrass-curve), [Projective Point](#projective-weierstrass-point), [ECDSA signatures](#ecdsa-signatures)
-  - [edwards](#edwards-twisted-edwards-curve), [Extended Point](#extended-edwards-point), [EdDSA signatures](#eddsa-signatures)
-  - [montgomery](#montgomery-montgomery-curve)
-  - [bls](#bls-barreto-lynn-scott-curves)
-  - [hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points)
-  - [poseidon](#poseidon-poseidon-hash)
-  - [modular](#modular-modular-arithmetics-utilities)
-  - [fft](#fft-fast-fourier-transform)
-  - [Creating private keys from hashes](#creating-private-keys-from-hashes)
-  - [utils](#utils-useful-utilities)
+- Examples
+  - [ECDSA, EdDSA, Schnorr signatures](#ecdsa-eddsa-schnorr-signatures)
+    - [secp256k1, p256, p384, p521, ed25519, ed448, brainpool](#secp256k1-p256-p384-p521-ed25519-ed448-brainpool)
+    - [ristretto255, decaf448](#ristretto255-decaf448)
+    - [Prehashed signing](#prehashed-signing)
+    - [Hedged ECDSA with noise](#hedged-ecdsa-with-noise)
+    - [Consensus-friendliness vs e-voting](#consensus-friendliness-vs-e-voting)
+  - [ECDH: Diffie-Hellman shared secrets](#ecdh-diffie-hellman-shared-secrets)
+  - [webcrypto: Friendly wrapper](#webcrypto-friendly-wrapper)
+  - [BLS signatures, bls12-381, bn254 aka alt\_bn128](#bls-signatures-bls12-381-bn254-aka-alt_bn128)
+  - [Hashing to curve points](#hash-to-curve-hashing-to-curve-points)
+  - [OPRFs](#oprfs)
+  - [Poseidon hash](#poseidon-poseidon-hash)
+  - [Fast Fourier Transform](#fft-fast-fourier-transform)
+  - [utils](#utils-byte-shuffling-conversion)
+- [Internals](#internals)
+  - [Elliptic curve Point math](#elliptic-curve-point-math)
+  - [modular: Modular arithmetics \& finite fields](#modular-modular-arithmetics--finite-fields)
+  - [weierstrass: Custom Weierstrass curve](#weierstrass-custom-weierstrass-curve)
+  - [edwards: Custom Edwards curve](#edwards-custom-edwards-curve)
+  - [Custom ECDSA instance](#custom-ecdsa-instance)
 - [Security](#security)
 - [Speed](#speed)
-- [Upgrading](#upgrading)
 - [Contributing & testing](#contributing--testing)
-- [License](#license)
+- [Upgrading](#upgrading)
 
-### Implementations
+### ECDSA, EdDSA, Schnorr signatures
 
-#### ECDSA signatures over secp256k1 and others
+#### secp256k1, p256, p384, p521, ed25519, ed448, brainpool
 
-```ts
-import { secp256k1 } from '@noble/curves/secp256k1.js';
-// import { p256 } from '@noble/curves/nist.js'; // or p384 / p521
-
-const priv = secp256k1.utils.randomPrivateKey();
-const pub = secp256k1.getPublicKey(priv);
-const msg = new Uint8Array(32).fill(1); // message hash (not message) in ecdsa
-const sig = secp256k1.sign(msg, priv); // `{prehash: true}` option is available
-const isValid = secp256k1.verify(sig, msg, pub) === true;
-
-// hex strings are also supported besides Uint8Array-s:
-const privHex = '46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236';
-const pub2 = secp256k1.getPublicKey(privHex);
-
-// public key recovery
-// let sig = secp256k1.Signature.fromCompact(sigHex); // or .fromDER(sigDERHex)
-// sig = sig.addRecoveryBit(bit); // bit is not serialized into compact / der format
-sig.recoverPublicKey(msg).toRawBytes(); // === pub; // public key recovery
+```js
+import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
+import { p256, p384, p521 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { ed448 } from '@noble/curves/ed448.js';
+import { brainpoolP256r1, brainpoolP384r1, brainpoolP512r1 } from '@noble/curves/misc.js';
+for (const curve of [
+  secp256k1, schnorr,
+  p256, p384, p521,
+  ed25519, ed448,
+  brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
+]) {
+  const { secretKey, publicKey } = curve.keygen();
+  const msg = new TextEncoder().encode('hello noble');
+  const sig = curve.sign(msg, secretKey);
+  const isValid = curve.verify(sig, msg, publicKey);
+  console.log(curve, secretKey, publicKey, sig, isValid);
+}
+
+// Specific private key
+import { hexToBytes } from '@noble/curves/utils.js';
+const secret2 = hexToBytes('46c930bc7bb4db7f55da20798697421b98c4175a52c630294d75a84b9c126236');
+const pub2 = secp256k1.getPublicKey(secret2);
 ```
 
-The same code would work for NIST P256 (secp256r1), P384 (secp384r1) & P521 (secp521r1).
+ECDSA signatures use deterministic k, conforming to [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).
+EdDSA conforms to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032).
+Schnorr (secp256k1-only) conforms to [BIP 340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 
-#### Hedged ECDSA with noise
+#### ristretto255, decaf448
 
 ```ts
-const noisySignature = secp256k1.sign(msg, priv, { extraEntropy: true });
-const ent = new Uint8Array(32).fill(3); // set custom entropy
-const noisySignature2 = secp256k1.sign(msg, priv, { extraEntropy: ent });
+import { ristretto255, ristretto255_hasher, ristretto255_oprf } from '@noble/curves/ed25519.js';
+import { decaf448, decaf448_hasher, decaf448_oprf } from '@noble/curves/ed448.js';
+
+console.log(ristretto255.Point, decaf448.Point);
 ```
 
-Hedged ECDSA is add-on, providing improved protection against fault attacks.
-It adds noise to signatures. The technique is used by default in BIP340; we also implement them
-optionally for ECDSA. Check out blog post
-[Deterministic signatures are not your friends](https://paulmillr.com/posts/deterministic-signatures/)
-and [spec draft](https://datatracker.ietf.org/doc/draft-irtf-cfrg-det-sigs-with-noise/).
+Check out [RFC 9496](https://www.rfc-editor.org/rfc/rfc9496) more info on ristretto255 & decaf448.
+Check out separate documentation for [Point](#elliptic-curve-point-math), [hasher](#hash-to-curve-hashing-to-curve-points) and [oprf](#oprfs).
 
-#### ECDH: Diffie-Hellman shared secrets
+#### Prehashed signing
 
-```ts
-const someonesPub = secp256k1.getPublicKey(secp256k1.utils.randomPrivateKey());
-const shared = secp256k1.getSharedSecret(priv, someonesPub);
-// NOTE:
-// - `shared` includes parity byte: strip it using shared.slice(1)
-// - `shared` is not hashed: more secure way is sha256(shared) or hkdf(shared)
+```js
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { keccak256 } from '@noble/hashes/sha3.js';
+const { secretKey } = curve.keygen();
+const msg = new TextEncoder().encode('hello noble');
+// prehash: true (default) - hash using secp256k1.hash (sha256)
+const sig = secp256k1.sign(msg, secretKey);
+// prehash: false - hash using custom hash
+const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
 ```
 
-#### secp256k1 Schnorr signatures from BIP340
+ECDSA `sign()` allows providing `prehash: false`, which enables using custom hashes.
 
-```ts
-import { schnorr } from '@noble/curves/secp256k1.js';
-const priv = schnorr.utils.randomPrivateKey();
-const pub = schnorr.getPublicKey(priv);
-const msg = new TextEncoder().encode('hello');
-const sig = schnorr.sign(msg, priv);
-const isValid = schnorr.verify(sig, msg, pub);
+A ECDSA signature is not just "math over elliptic curve points".
+It's actually math + hashing: p256 is in fact p256 point + sha256 hash.
+By default, we hash messages. To use custom hash methods,
+make sure to disable prehashing.
+
+> [!NOTE]
+> Previously, in noble-curves v1, `prehash: false` was the default.
+> Some other libraries (like libsecp256k1) have no prehashing.
+
+#### Hedged ECDSA with noise
+
+```js
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+const { secretKey } = curve.keygen();
+const msg = new TextEncoder().encode('hello noble');
+// extraEntropy: false - default, hedging disabled
+const sigNoisy = secp256k1.sign(msg, secretKey);
+// extraEntropy: true - fetch 32 random bytes from CSPRNG
+const sigNoisy = secp256k1.sign(msg, secretKey, { extraEntropy: true });
+// extraEntropy: bytes - specific extra entropy
+const ent = Uint8Array.from([0xca, 0xfe, 0x01, 0x23]);
+const sigNoisy2 = secp256k1.sign(msg, secretKey, { extraEntropy: ent });
 ```
 
-#### ed25519
+ECDSA `sign()` allows providing `extraEntropy`, which switches sig generation to hedged mode.
 
-```ts
+By default, ECDSA signatures are generated deterministically,
+following [RFC 6979](https://www.rfc-editor.org/rfc/rfc6979).
+However, purely deterministic signatures are vulnerable to fault attacks.
+Newer signature schemes, such as BIP340 schnorr, switched to hedged signatures because of this.
+Hedging is basically incorporating some randomness into sig generation process.
+
+For more info, check out
+[Deterministic signatures are not your friends](https://paulmillr.com/posts/deterministic-signatures/),
+[RFC 6979](https://www.rfc-editor.org/rfc/rfc6979) section 3.6,
+and [cfrg-det-sigs-with-noise draft](https://datatracker.ietf.org/doc/draft-irtf-cfrg-det-sigs-with-noise/).
+
+#### Consensus-friendliness vs e-voting
+
+```js
 import { ed25519 } from '@noble/curves/ed25519.js';
-const priv = ed25519.utils.randomPrivateKey();
-const pub = ed25519.getPublicKey(priv);
-const msg = new TextEncoder().encode('hello');
-const sig = ed25519.sign(msg, priv);
-ed25519.verify(sig, msg, pub); // Default mode: follows ZIP215
-ed25519.verify(sig, msg, pub, { zip215: false }); // SBS / e-voting / RFC8032 / FIPS 186-5
-
-// Variants from RFC8032: with context, prehashed
-import { ed25519ctx, ed25519ph } from '@noble/curves/ed25519.js';
+const { secretKey, publicKey } = ed25519.keygen();
+const msg = new TextEncoder().encode('hello noble');
+const sig = ed25519.sign(msg, secretKey);
+// zip215: true
+const isValid = ed25519.verify(sig, msg, pub);
+// SBS / e-voting / RFC8032 / FIPS 186-5
+const isValidRfc = ed25519.verify(sig, msg, pub, { zip215: false });
 ```
 
-Default `verify` behavior follows ZIP215 and
-can be used in consensus-critical applications.
-If you need SBS (Strongly Binding Signatures) and FIPS 186-5 compliance,
-use `zip215: false`. Check out [Edwards Signatures section for more info](#edwards-twisted-edwards-curve).
-Both options have SUF-CMA (strong unforgeability under chosen message attacks).
+In ed25519, there is an ability to choose between consensus-friendliness vs e-voting mode.
 
-#### X25519
+- `zip215: true` is default behavior. It has slightly looser verification logic
+  to be [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am), following [ZIP215](https://zips.z.cash/zip-0215) rules
+- `zip215: false` switches verification criteria to strict
+  [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
+  and additionally provides [non-repudiation with SBS](https://eprint.iacr.org/2020/1244),
+  which is useful for:
+  - Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
+  - E-voting: malicious voters may pick keys that allow repudiation in order to deny results
+  - Blockchains: transaction of amount X might also be valid for a different amount Y
 
-```ts
-// X25519 aka ECDH on Curve25519 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
+Both modes have SUF-CMA (strong unforgeability under chosen message attacks).
+
+### ECDH: Diffie-Hellman shared secrets
+
+```js
+import { secp256k1 } from '@noble/curves/secp256k1.js';
 import { x25519 } from '@noble/curves/ed25519.js';
-const priv = 'a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4';
-const pub = 'e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c';
-x25519.getSharedSecret(priv, pub) === x25519.scalarMult(priv, pub); // aliases
-x25519.getPublicKey(priv) === x25519.scalarMultBase(priv);
-x25519.getPublicKey(x25519.utils.randomPrivateKey());
-
-// ed25519 => x25519 conversion
-import { edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519.js';
-edwardsToMontgomeryPub(ed25519.getPublicKey(ed25519.utils.randomPrivateKey()));
-edwardsToMontgomeryPriv(ed25519.utils.randomPrivateKey());
-```
+import { x448 } from '@noble/curves/ed448.js';
+import { p256, p384, p521 } from '@noble/curves/nist.js';
 
-#### ristretto255
+for (const curve of [secp256k1, schnorr, x25519, x448, p256, p384, p521]) {
+  const alice = curve.keygen();
+  const bob = curve.keygen();
+  const sharedKey = curve.getSharedSecret(alice.secretKey, bob.publicKey);
+  console.log('alice', alice, 'bob', bob, 'shared', sharedKey);
+}
 
-```ts
-import { sha512 } from '@noble/hashes/sha2.js';
-import {
-  hashToCurve,
-  encodeToCurve,
-  RistrettoPoint,
-  hashToRistretto255,
-} from '@noble/curves/ed25519.js';
-
-const msg = new TextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');
-hashToCurve(msg);
-
-const rp = RistrettoPoint.fromHex(
-  '6a493210f7499cd17fecb510ae0cea23a110e8d5b901f8acadd3095c73a3b919'
-);
-RistrettoPoint.BASE.multiply(2n).add(rp).subtract(RistrettoPoint.BASE).toRawBytes();
-RistrettoPoint.ZERO.equals(dp) === false;
-// pre-hashed hash-to-curve
-RistrettoPoint.hashToCurve(sha512(msg));
-// full hash-to-curve including domain separation tag
-hashToRistretto255(msg, { DST: 'ristretto255_XMD:SHA-512_R255MAP_RO_' });
+// x25519 & x448 specific methods
+import { ed25519 } from '@noble/curves/ed25519.js';
+const alice = ed25519.keygen();
+const bob = ed25519.keygen();
+const aliceSecX = ed25519.utils.toMontgomerySecret(alice.secretKey);
+const bobPubX = ed25519.utils.toMontgomery(bob.publicKey);
+const sharedKey = x25519.getSharedSecret(aliceSecX, bobPubX);
 ```
 
-Check out [RFC9496](https://www.rfc-editor.org/rfc/rfc9496) more info on ristretto255.
+We provide ECDH over all Weierstrass curves, and over 2 Montgomery curves
+X25519 (Curve25519) & X448 (Curve448), conforming to [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748).
 
-#### ed448
+In Weierstrass curves, shared secrets:
 
-```ts
-import { ed448 } from '@noble/curves/ed448.js';
-const priv = ed448.utils.randomPrivateKey();
-const pub = ed448.getPublicKey(priv);
-const msg = new TextEncoder().encode('whatsup');
-const sig = ed448.sign(msg, priv);
-ed448.verify(sig, msg, pub);
-
-// Variants from RFC8032: prehashed
-import { ed448ph } from '@noble/curves/ed448.js';
-```
+- Include y-parity bytes: use `key.slice(1)` to strip it
+- Are not hashed: use hashing or KDF on top, like `sha256(shared)` or `hkdf(shared)`
 
-#### X448
+#### webcrypto: Friendly wrapper
 
-```ts
-// X448 aka ECDH on Curve448 from [RFC7748](https://www.rfc-editor.org/rfc/rfc7748)
-import { x448 } from '@noble/curves/ed448.js';
-x448.getSharedSecret(priv, pub) === x448.scalarMult(priv, pub); // aliases
-x448.getPublicKey(priv) === x448.scalarMultBase(priv);
+> [!NOTE]
+> Webcrypto methods are always async.
+
+##### webcrypto signatures
 
-// ed448 => x448 conversion
-import { edwardsToMontgomeryPub } from '@noble/curves/ed448.js';
-edwardsToMontgomeryPub(ed448.getPublicKey(ed448.utils.randomPrivateKey()));
+```js
+import { ed25519, ed448, p256, p384, p521 } from './src/webcrypto.ts';
+
+(async () => {
+  for (let [name, curve] of Object.entries({ p256, p384, p521, ed25519, ed448 })) {
+    console.log('curve', name);
+    if (!await curve.isSupported()) {
+      console.log('is not supported, skipping');
+      continue;
+    }
+    const keys = await curve.keygen();
+    const msg = new TextEncoder().encode('hello noble');
+    const sig = await curve.sign(msg, keys.secretKey);
+    const isValid = await curve.verify(sig, msg, keys.publicKey);
+    console.log({
+      keys, msg, sig, isValid
+    });
+  }
+})();
 ```
 
-#### decaf448
+##### webcrypto ecdh
 
-```ts
-// decaf448 from [RFC9496](https://www.rfc-editor.org/rfc/rfc9496)
-import { shake256 } from '@noble/hashes/sha3.js';
-import { hashToCurve, encodeToCurve, DecafPoint, hashToDecaf448 } from '@noble/curves/ed448.js';
-
-const msg = new TextEncoder().encode('Ristretto is traditionally a short shot of espresso coffee');
-hashToCurve(msg);
-
-const dp = DecafPoint.fromHex(
-  'c898eb4f87f97c564c6fd61fc7e49689314a1f818ec85eeb3bd5514ac816d38778f69ef347a89fca817e66defdedce178c7cc709b2116e75'
-);
-DecafPoint.BASE.multiply(2n).add(dp).subtract(DecafPoint.BASE).toRawBytes();
-DecafPoint.ZERO.equals(dp) === false;
-// pre-hashed hash-to-curve
-DecafPoint.hashToCurve(shake256(msg, { dkLen: 112 }));
-// full hash-to-curve including domain separation tag
-hashToDecaf448(msg, { DST: 'decaf448_XOF:SHAKE256_D448MAP_RO_' });
+```js
+import { p256, p384, p521, x25519, x448 } from './src/webcrypto.ts';
+
+(async () => {
+  for (let [name, curve] of Object.entries({ p256, p384, p521, x25519, x448 })) {
+    console.log('curve', name);
+    if (!await curve.isSupported()) {
+      console.log('is not supported, skipping');
+      continue;
+    }
+    const alice = await curve.keygen();
+    const bob = await curve.keygen();
+    const shared = await curve.getSharedSecret(alice.secretKey, bob.publicKey);
+    const shared2 = await curve.getSharedSecret(bob.secretKey, alice.publicKey);
+    console.log({shared});
+  }
+})();
 ```
 
-Check out [RFC9496](https://www.rfc-editor.org/rfc/rfc9496) more info on decaf448.
+##### Key conversion from noble to webcrypto and back
 
-#### bls12-381
+```js
+import { p256 as p256n } from './src/nist.ts';
+import { p256 } from './src/webcrypto.ts';
+(async () => {
+  const nobleKeys = p256n.keygen();
+  // convert noble keys to webcrypto
+  const webKeys = {
+    secretKey: await p256.utils.convertSecretKey(nobleKeys.secretKey, 'raw', 'pkcs8'),
+    publicKey: await p256.utils.convertPublicKey(nobleKeys.publicKey, 'raw', 'spki')
+  };
+  // convert webcrypto keys to noble
+  const nobleKeys2 = {
+    secretKey: await p256.utils.convertSecretKey(webKeys.secretKey, 'pkcs8', 'raw'),
+    publicKey: await p256.utils.convertPublicKey(webKeys.publicKey, 'spki', 'raw')
+  };
+})();
+```
+
+### BLS signatures, bls12-381, bn254 aka alt_bn128
 
 ```ts
 import { bls12_381 } from '@noble/curves/bls12-381.js';
-import { hexToBytes } from '@noble/curves/abstract/utils.js';
-
-// private keys are 32 bytes
-const privKey = hexToBytes('67d53f170b908cabb9eb326c3c337762d59289a8fec79f7bc9254b584b73265c');
-// const privKey = bls12_381.utils.randomPrivateKey();
 
-// Long signatures (G2), short public keys (G1)
+// G1 pubkeys, G2 sigs
 const blsl = bls12_381.longSignatures;
-const publicKey = blsl.getPublicKey(privateKey);
-// Sign msg with custom (Ethereum) DST
-const msg = new TextEncoder().encode('hello');
-const DST = 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_';
-const msgp = blsl.hash(msg, DST);
-const signature = blsl.sign(msgp, privateKey);
+const { secretKey, publicKey } = blsl.keygen();
+// const publicKey = blsl.getPublicKey(secretKey);
+const msg = new TextEncoder().encode('hello noble');
+// default DST
+const msgp = blsl.hash(msg);
+// custom DST (Ethereum)
+const msgpd = blsl.hash(msg, 'BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_');
+const signature = blsl.sign(msgp, secretKey);
 const isValid = blsl.verify(signature, msgp, publicKey);
-console.log({ publicKey, signature, isValid });
+console.log('long', { publicKey, signature, isValid });
 
-// Short signatures (G1), long public keys (G2)
+// G1 sigs, G2 pubkeys
 const blss = bls12_381.shortSignatures;
-const publicKey2 = blss.getPublicKey(privateKey);
-const msgp2 = blss.hash(new TextEncoder().encode('hello'), 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_')
-const signature2 = blss.sign(msgp2, privateKey);
+const publicKey2 = blss.getPublicKey(secretKey);
+const msgp2 = blss.hash(msg, 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_');
+const signature2 = blss.sign(msgp2, secretKey);
 const isValid2 = blss.verify(signature2, msgp2, publicKey);
 console.log({ publicKey2, signature2, isValid2 });
 
 // Aggregation
 const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([
-  bls12_381.utils.randomPrivateKey(),
-  bls12_381.utils.randomPrivateKey(),
+  bls12_381.utils.randomSecretKey(),
+  bls12_381.utils.randomSecretKey(),
 ]);
 // const aggregatedSig = bls.aggregateSignatures(sigs)
 
@@ -304,278 +367,88 @@ const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([
 // bls.fields.Fp12.finalExponentiate(bls.fields.Fp12.mul(PointG1, PointG2));
 
 // Others
-// bls.G1.ProjectivePoint.BASE, bls.G2.ProjectivePoint.BASE;
+// bls.G1.Point.BASE, bls.G2.Point.BASE;
 // bls.fields.Fp, bls.fields.Fp2, bls.fields.Fp12, bls.fields.Fr;
 ```
 
 See [abstract/bls](#bls-barreto-lynn-scott-curves).
 For example usage, check out [the implementation of BLS EVM precompiles](https://github.com/ethereumjs/ethereumjs-monorepo/blob/361f4edbc239e795a411ac2da7e5567298b9e7e5/packages/evm/src/precompiles/bls12_381/noble.ts).
 
-#### bn254 aka alt_bn128
-
-```ts
-import { bn254 } from '@noble/curves/bn254.js';
-
-console.log(bn254.G1, bn254.G2, bn254.pairing);
-```
-
-The API mirrors [BLS](#bls12-381). The curve was previously called alt_bn128.
+The BN254 API mirrors [BLS](#bls12-381). The curve was previously called alt_bn128.
 The implementation is compatible with [EIP-196](https://eips.ethereum.org/EIPS/eip-196) and
 [EIP-197](https://eips.ethereum.org/EIPS/eip-197).
 
-We don't implement Point methods toHex / toRawBytes.
-To work around this limitation, has to initialize points on their own from BigInts.
-Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
+For BN254 usage, check out [the implementation of bn254 EVM precompiles](https://github.com/paulmillr/noble-curves/blob/3ed792f8ad9932765b84d1064afea8663a255457/test/bn254.test.js#L697).
+We don't implement Point methods toBytes. To work around this limitation, has to initialize points on their own from BigInts. Reason it's not implemented is because [there is no standard](https://github.com/privacy-scaling-explorations/halo2curves/issues/109).
 Points of divergence:
 
 - Endianness: LE vs BE (byte-swapped)
 - Flags as first hex bits (similar to BLS) vs no-flags
 - Imaginary part last in G2 vs first (c0, c1 vs c1, c0)
 
-For example usage, check out [the implementation of bn254 EVM precompiles](https://github.com/paulmillr/noble-curves/blob/3ed792f8ad9932765b84d1064afea8663a255457/test/bn254.test.js#L697).
-
-#### misc curves
+### hash-to-curve: hashing to curve points
 
 ```ts
-import { jubjub, babyjubjub } from '@noble/curves/misc.js';
-```
-
-Miscellaneous, rarely used curves are contained in the module.
-Jubjub curves have Fp over scalar fields of other curves. They are friendly to ZK proofs.
-jubjub Fp = bls n. babyjubjub Fp = bn254 n.
-
-## Abstract API
-
-Abstract API allows to define custom curves. All arithmetics is done with JS
-bigints over finite fields, which is defined from `modular` sub-module.
-For scalar multiplication, we use
-[precomputed tables with w-ary non-adjacent form (wNAF)](https://paulmillr.com/posts/noble-secp256k1-fast-ecc/).
-Precomputes are enabled for weierstrass and edwards BASE points of a curve.
-Implementations use [noble-hashes](https://github.com/paulmillr/noble-hashes).
-It's always possible to use different hashing library.
-
-
-### weierstrass: Short Weierstrass curve
-
-```js
-import { weierstrass } from '@noble/curves/abstract/weierstrass.js';
-// NIST secp192r1 aka p192. https://www.secg.org/sec2-v2.pdf
-const p192_CURVE = {
-  p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
-  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
-  h: 1n,
-  a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
-  b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
-  Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
-  Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
+import { bls12_381 } from './src/bls12-381.ts';
+import { ed25519_hasher, ristretto255_hasher } from './src/ed25519.ts';
+import { decaf448_hasher, ed448_hasher } from './src/ed448.ts';
+import { p256_hasher, p384_hasher, p521_hasher } from './src/nist.ts';
+import { secp256k1_hasher } from './src/secp256k1.ts';
+
+const h = {
+  secp256k1_hasher,
+  p256_hasher, p384_hasher, p521_hasher,
+  ed25519_hasher,
+  ed448_hasher,
+  ristretto255_hasher,
+  decaf448_hasher,
+  bls_G1: bls12_381.G1,
+  bls_G2: bls12_381.G2
 };
-const p192_Point = weierstrass(p192_CURVE);
-```
-
-Short Weierstrass curve's formula is `y² = x³ + ax + b`. `weierstrass`
-expects arguments `a`, `b`, field characteristic `p`, curve order `n`,
-cofactor `h` and coordinates `Gx`, `Gy` of generator point.
-
-#### Projective Weierstrass Point
 
-```js
-// # weierstrass Point methods
-// projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
-// const p = new Point(x, y, z);
-const p = Point.BASE;
-// arithmetics
-p.add(p).equals(p.double());
-p.subtract(p).equals(Point.ZERO);
-p.negate();
-p.multiply(31415n);
-
-// decoding, encoding
-const b = p.toBytes();
-const p2 = Point.fromBytes(b);
-// affine conversion
-const { x, y } = p.toAffine();
-const p3 = Point.fromAffine({ x, y });
-
-// Multi-scalar-multiplication (MSM) is basically `(Pa + Qb + Rc + ...)`.
-// It's 10-30x faster vs naive addition for large amount of points.
-// Pippenger algorithm is used underneath.
-const points = [Point.BASE, Point.BASE.multiply(2n), Point.BASE.multiply(4n), Point.BASE.multiply(8n)];
-Point.msm(points, [3n, 5n, 7n, 11n]).equals(Point.BASE.multiply(129n)); // 129*G
+const msg = Uint8Array.from([0xca, 0xfe, 0x01, 0x23]);
+console.log('msg', msg);
+for (let [name, c] of Object.entries(h)) {
+  const hashToCurve = c.hashToCurve(msg).toHex();
+  const hashToCurve_customDST = c.hashToCurve(msg, { DST: 'hello noble' }).toHex();
+  const encodeToCurve = 'encodeToCurve' in c ? c.encodeToCurve(msg).toHex() : undefined;
+  // ristretto255, decaf448 only
+  const deriveToCurve = 'deriveToCurve' in c ?
+    c.deriveToCurve!(new Uint8Array(c.Point.Fp.BYTES * 2)).toHex() : undefined;
+  const hashToScalar = c.hashToScalar(msg);
+  console.log({
+    name, hashToCurve, hashToCurve_customDST, encodeToCurve, deriveToCurve, hashToScalar
+  });
+}
+
+// abstract methods
+import { expand_message_xmd, expand_message_xof, hash_to_field } from '@noble/curves/abstract/hash-to-curve.js';
 ```
 
-#### ECDSA signatures
-
-```js
-import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
-import { sha256 } from '@noble/hashes/sha2.js';
-const p192 = ecdsa(p192_Point, sha256);
-const priv = p192.utils.randomPrivateKey();
-const pub = p192.getPublicKey(priv);
-const msg = sha256(new TextEncoder().encode('custom curve'));
-const sig = p192.sign(msg);
-const isValid = p192.verify(sig, msg, pub);
-```
-
-ECDSA signatures:
-
-- Are represented by `Signature` instances with `r, s` and optional `recovery` properties
-- Have `recoverPublicKey()`, `toBytes()` with optional `format: 'compact' | 'der'`
-- Can be prehashed, or non-prehashed:
-  - `sign(msgHash, privKey)` (default, prehash: false) - you did hashing before
-  - `sign(msg, privKey, {prehash: true})` - curves will do hashing for you
-- Are generated deterministically, following [RFC6979](https://www.rfc-editor.org/rfc/rfc6979).
-  - Consider [hedged ECDSA with noise](#hedged-ecdsa-with-noise) for adding randomness into
-    for signatures, to get improved security against fault attacks.
-
-### edwards: Twisted Edwards curve
-
-```ts
-import { edwards } from '@noble/curves/abstract/edwards.js';
-const ed25519_CURVE = {
-  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
-  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
-  h: 8n,
-  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
-  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
-  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
-  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n,
-};
-const ed25519_Point = edwards(ed25519_CURVE);
-```
-
-Twisted Edwards curve's formula is `ax² + y² = 1 + dx²y²`.
-You must specify `a`, `d`, field characteristic `p`, curve order `n` (sometimes named as `L`),
-cofactor `h` and coordinates `Gx`, `Gy` of generator point.
-
-#### Extended Edwards Point
+The module allows to hash arbitrary strings to elliptic curve points. Implements [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
 
-```js
-const Point = ed25519_Point;
-// extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z)
-// const p = new Point(x, y, z, t);
-
-const p = Point.BASE;
-// arithmetics
-p.add(p).equals(p.double());
-p.subtract(p).equals(Point.ZERO);
-p.negate();
-p.multiply(31415n);
-
-// decoding, encoding
-const b = p.toBytes();
-const p2 = Point.fromBytes(b);
-// on-curve test
-p.assertValidity();
-// affine conversion
-const { x, y } = p.toAffine();
-const p3 = Point.fromAffine({ x, y });
-// misc
-const pcl = p.clearCofactor();
-console.log(p.isTorsionFree(), p.isSmallOrder());
-```
+> [!NOTE]
+> Why is `p256_hasher` separate from `p256`?
+> The methods reside in separate _hasher namespace for tree-shaking:
+> this way users who don't need hash-to-curve, won't have it in their builds.
 
-#### EdDSA signatures
+### OPRFs
 
 ```js
-const ed25519 = eddsa(ed25519_Point, { hash: sha512 });
-// ed25519.getPublicKey();
-// ed25519.sign();
-// ed25519.verify();
+import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
+import { decaf448_orpf } from '@noble/curves/ed448.js';
 ```
 
-We define ed25519, ed448; user can use custom curves with EdDSA,
-but EdDSA in general is not defined. Check out `edwards.ts` source code.
-
-For EdDSA signatures:
-
-- `zip215: true` is default behavior. It has slightly looser verification logic
-  to be [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am), following [ZIP215](https://zips.z.cash/zip-0215) rules
-- `zip215: false` switches verification criteria to strict
-  [RFC8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
-  and additionally provides [non-repudiation with SBS](https://eprint.iacr.org/2020/1244),
-  which is useful for:
-  - Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
-  - E-voting: malicious voters may pick keys that allow repudiation in order to deny results
-  - Blockchains: transaction of amount X might also be valid for a different amount Y
-- Both modes have SUF-CMA (strong unforgeability under chosen message attacks).
-
-### montgomery: Montgomery curve
-
-The module contains methods for x-only ECDH on Curve25519 / Curve448 from RFC7748.
-Proper Elliptic Curve Points are not implemented yet.
-
-### bls: Barreto-Lynn-Scott curves
-
-The module abstracts BLS (Barreto-Lynn-Scott) pairing-friendly elliptic curve construction.
-They allow to construct [zk-SNARKs](https://z.cash/technology/zksnarks/) and
-use aggregated, batch-verifiable
-[threshold signatures](https://medium.com/snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716),
-using Boneh-Lynn-Shacham signature scheme.
-
-The module doesn't expose `CURVE` property: use `G1.CURVE`, `G2.CURVE` instead.
-Only BLS12-381 is currently implemented.
-Defining BLS12-377 and BLS24 should be straightforward.
-
-The default BLS uses short public keys (with public keys in G1 and signatures in G2).
-Short signatures (public keys in G2 and signatures in G1) are also supported.
-
-### hash-to-curve: Hashing strings to curve points
-
-The module allows to hash arbitrary strings to elliptic curve points. Implements [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380).
-
-Every curve has exported `hashToCurve` and `encodeToCurve` methods. You should always prefer `hashToCurve` for security:
-
-```ts
-import { hashToCurve, encodeToCurve } from '@noble/curves/secp256k1.js';
-import { randomBytes } from '@noble/hashes/utils.js';
-hashToCurve('0102abcd');
-console.log(hashToCurve(randomBytes()));
-console.log(encodeToCurve(randomBytes()));
-
-import { bls12_381 } from '@noble/curves/bls12-381.js';
-bls12_381.G1.hashToCurve(randomBytes(), { DST: 'another' });
-bls12_381.G2.hashToCurve(randomBytes(), { DST: 'custom' });
-```
+We provide OPRFs (oblivious pseudorandom functions),
+conforming to [RFC 9497](https://www.rfc-editor.org/rfc/rfc9497).
 
-Low-level methods from the spec:
+OPRF allows to interactively create an `Output = PRF(Input, serverSecretKey)`:
 
-```ts
-// produces a uniformly random byte string using a cryptographic hash function H that outputs b bits.
-function expand_message_xmd(
-  msg: Uint8Array,
-  DST: Uint8Array,
-  lenInBytes: number,
-  H: CHash // For CHash see abstract/weierstrass docs section
-): Uint8Array;
-// produces a uniformly random byte string using an extendable-output function (XOF) H.
-function expand_message_xof(
-  msg: Uint8Array,
-  DST: Uint8Array,
-  lenInBytes: number,
-  k: number,
-  H: CHash
-): Uint8Array;
-// Hashes arbitrary-length byte strings to a list of one or more elements of a finite field F
-function hash_to_field(msg: Uint8Array, count: number, options: Opts): bigint[][];
-
-/**
- * * `DST` is a domain separation tag, defined in section 2.2.5
- * * `p` characteristic of F, where F is a finite field of characteristic p and order q = p^m
- * * `m` is extension degree (1 for prime fields)
- * * `k` is the target security target in bits (e.g. 128), from section 5.1
- * * `expand` is `xmd` (SHA2, SHA3, BLAKE) or `xof` (SHAKE, BLAKE-XOF)
- * * `hash` conforming to `utils.CHash` interface, with `outputLen` / `blockLen` props
- */
-type UnicodeOrBytes = string | Uint8Array;
-type Opts = {
-  DST: UnicodeOrBytes;
-  p: bigint;
-  m: number;
-  k: number;
-  expand?: 'xmd' | 'xof';
-  hash: CHash;
-};
-```
+- Server cannot calculate Output by itself: it doesn't know Input
+- Client cannot calculate Output by itself: it doesn't know server secretKey
+- An attacker interception the communication can't restore Input/Output/serverSecretKey and can't
+  link Input to some value.
 
 ### poseidon: Poseidon hash
 
@@ -611,13 +484,93 @@ const permutation = poseidon.poseidon(opts);
 const sponge = poseidon.poseidonSponge(opts); // use carefully, not specced
 ```
 
-### modular: Modular arithmetics utilities
+### fft: Fast Fourier Transform
+
+```ts
+import * as fft from '@noble/curves/abstract/fft.js';
+import { bls12_381 } from '@noble/curves/bls12-381.js';
+const Fr = bls12_381.fields.Fr;
+const roots = fft.rootsOfUnity(Fr, 7n);
+const fftFr = fft.FFT(roots, Fr);
+```
+
+Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
+API may change at any time. The code has not been audited. Feature requests are welcome.
+
+### utils: byte shuffling, conversion
 
 ```ts
-import * as mod from '@noble/curves/abstract/modular.js';
+import { bytesToHex, concatBytes, equalBytes, hexToBytes } from '@noble/curves/abstract/utils.js';
+
+bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23]));
+hexToBytes('cafe0123');
+concatBytes(Uint8Array.from([0xca, 0xfe]), Uint8Array.from([0x01, 0x23]));
+equalBytes(Uint8Array.of(0xca), Uint8Array.of(0xca));
+```
+
+### Internals
+
+#### Elliptic curve Point math
+
+```js
+import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
+import { p256, p384, p521 } from '@noble/curves/nist.js';
+import { ed25519, ristretto255 } from '@noble/curves/ed25519.js';
+import { ed448, decaf448 } from '@noble/curves/ed448.js';
+import { bls12_381 } from '@noble/curves/bls12-381.js'
+import { bn254 } from '@noble/curves/bn254.js';
+import { jubjub, babyjubjub } from '@noble/curves/misc.js';
+
+const curves = [
+  secp256k1, schnorr, p256, p384, p521, ed25519, ed448,
+  ristretto255, decaf448,
+  bls12_381.G1, bls12_381.G2, bn254.G1, bn254.G2,
+  jubjub, babyjubjub
+];
+for (const curve of curves) {
+  const { Point } = curve;
+  const { BASE, ZERO, Fp, Fn } = Point;
+  const p = BASE.multiply(2n);
+
+  // Initialization
+  if (info.type === 'weierstrass') {
+    // projective (homogeneous) coordinates: (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
+    const p_ = new Point(BASE.X, BASE.Y, BASE.Z);
+  } else if (info.type === 'edwards') {
+    // extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z)
+    const p_ = new Point(BASE.X, BASE.Y, BASE.Z, BASE.T);
+  }
+
+  // Math
+  const p1 = p.add(p);
+  const p2 = p.double();
+  const p3 = p.subtract(p);
+  const p4 = p.negate();
+  const p5 = p.multiply(451n);
+
+  // MSM (multi-scalar multiplication)
+  const pa = [BASE, BASE.multiply(2n), BASE.multiply(4n), BASE.multiply(8n)];
+  const p6 = Point.msm(pa, [3n, 5n, 7n, 11n]);
+  const _true3 = p6.equals(BASE.multiply(129n)); // 129*G
+
+  const pcl = p.clearCofactor();
+  console.log(p.isTorsionFree(), p.isSmallOrder());
+
+  const r1 = p.toBytes();
+  const r1_ = Point.fromBytes(r1);
+  const r2 = p.toAffine();
+  const { x, y } = r2;
+  const r2_ = Point.fromAffine(r2);
+}
+```
+
+#### modular: Modular arithmetics & finite fields
+
+```js
+import { mod, invert, Field } from '@noble/curves/abstract/modular.js';
 
 // Finite Field utils
-const fp = mod.Field(2n ** 255n - 19n); // Finite field over 2^255-19
+const fp = Field(2n ** 255n - 19n); // Finite field over 2^255-19
 fp.mul(591n, 932n); // multiplication
 fp.pow(481n, 11024858120n); // exponentiation
 fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17)
@@ -625,79 +578,73 @@ fp.inv(5n); // modular inverse
 fp.sqrt(21n); // square root
 
 // Non-Field generic utils are also available
-mod.mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
-mod.invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
-mod.invertBatch([1n, 2n, 4n], 21n); // => [1n, 11n, 16n] in one inversion
+mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
+invert(17n, 10n); // invert(17) mod 10; modular multiplicative inverse
 ```
 
-Field operations are not constant-time: they are using JS bigints, see [security](#security).
+All arithmetics is done with JS bigints over finite fields,
+which is defined from `modular` sub-module.
+
+Field operations are not constant-time: see [security](#security).
 The fact is mostly irrelevant, but the important method to keep in mind is `pow`,
 which may leak exponent bits, when used naïvely.
 
-`mod.Field` is always **field over prime number**. Non-prime fields aren't supported for now.
-We don't test for prime-ness for speed and because algorithms are probabilistic anyway.
-Initializing a non-prime field could make your app suspectible to
-DoS (infilite loop) on Tonelli-Shanks square root calculation.
-
-Unlike `mod.inv`, `mod.invertBatch` won't throw on `0`: make sure to throw an error yourself.
-
-### fft: Fast Fourier Transform
-
-Experimental implementation of NTT / FFT (Fast Fourier Transform) over finite fields.
-API may change at any time. The code has not been audited. Feature requests are welcome.
+#### weierstrass: Custom Weierstrass curve
 
-```ts
-import * as fft from '@noble/curves/abstract/fft.js';
+```js
+import { weierstrass } from '@noble/curves/abstract/weierstrass.js';
+// NIST secp192r1 aka p192. https://www.secg.org/sec2-v2.pdf
+const p192_CURVE = {
+  p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
+  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
+  h: 1n,
+  a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
+  b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
+  Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
+  Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
+};
+const p192_Point = weierstrass(p192_CURVE);
 ```
 
-#### Creating private keys from hashes
-
-You can't simply make a 32-byte private key from a 32-byte hash.
-Doing so will make the key [biased](https://research.kudelskisecurity.com/2020/07/28/the-definitive-guide-to-modulo-bias-and-how-to-avoid-it/).
-
-To make the bias negligible, we follow [FIPS 186-5 A.2](https://csrc.nist.gov/publications/detail/fips/186/5/final)
-and [RFC 9380](https://www.rfc-editor.org/rfc/rfc9380#section-5.2).
-This means, for 32-byte key, we would need 48-byte hash to get 2^-128 bias, which matches curve security level.
+Short Weierstrass curve's formula is `y² = x³ + ax + b`. `weierstrass`
+expects arguments `a`, `b`, field characteristic `p`, curve order `n`,
+cofactor `h` and coordinates `Gx`, `Gy` of generator point.
 
-`hashToPrivateScalar()` that hashes to **private key** was created for this purpose.
-Use [abstract/hash-to-curve](#hash-to-curve-hashing-strings-to-curve-points)
-if you need to hash to **public key**.
+#### edwards: Custom Edwards curve
 
-```ts
-import { p256 } from '@noble/curves/nist.js';
-import { sha256 } from '@noble/hashes/sha2.js';
-import { hkdf } from '@noble/hashes/hkdf.js';
-import * as mod from '@noble/curves/abstract/modular.js';
-const someKey = new Uint8Array(32).fill(2); // Needs to actually be random, not .fill(2)
-const derived = hkdf(sha256, someKey, undefined, 'application', 48); // 48 bytes for 32-byte priv
-const validPrivateKey = mod.hashToPrivateScalar(derived, p256.CURVE.n);
+```js
+import { edwards } from '@noble/curves/abstract/edwards.js';
+const ed25519_CURVE = {
+  p: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffedn,
+  n: 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3edn,
+  h: 8n,
+  a: 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffecn,
+  d: 0x52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3n,
+  Gx: 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51an,
+  Gy: 0x6666666666666666666666666666666666666666666666666666666666666658n,
+};
+const ed25519_Point = edwards(ed25519_CURVE);
 ```
 
-### utils: Useful utilities
-
-```ts
-import * as utils from '@noble/curves/abstract/utils.js';
-
-utils.bytesToHex(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
-utils.hexToBytes('deadbeef');
-utils.numberToHexUnpadded(123n);
-utils.hexToNumber();
+Twisted Edwards curve's formula is `ax² + y² = 1 + dx²y²`.
+You must specify `a`, `d`, field characteristic `p`, curve order `n` (sometimes named as `L`),
+cofactor `h` and coordinates `Gx`, `Gy` of generator point.
 
-utils.bytesToNumberBE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
-utils.bytesToNumberLE(Uint8Array.from([0xde, 0xad, 0xbe, 0xef]));
-utils.numberToBytesBE(123n, 32);
-utils.numberToBytesLE(123n, 64);
+#### Custom ECDSA instance
 
-utils.concatBytes(Uint8Array.from([0xde, 0xad]), Uint8Array.from([0xbe, 0xef]));
-utils.nLength(255n);
-utils.equalBytes(Uint8Array.from([0xde]), Uint8Array.from([0xde]));
+```js
+import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+const p192_sha256 = ecdsa(p192_Point, sha256);
+// or
+const p192_sha224 = ecdsa(p192.Point, sha224);
+
+const keys = p192_sha256.keygen();
+const msg = new TextEncoder().encode('custom curve');
+const sig = p192_sha256.sign(msg, keys.secretKey);
+const isValid = p192_sha256.verify(sig, msg, keys.publicKey);
 ```
 
-### Unreleased bits
-
-- `test/unreleased-xeddsa.ts` contains implementation of XEd25519, defined by Signal
-- `test/misc/endomorphism.js` contains tool for generation of endomorphism params for Koblitz curves
-
 ## Security
 
 The library has been independently audited:
@@ -723,7 +670,7 @@ The library has been independently audited:
   - The audit has been funded by [Ryan Shea](https://www.shea.io)
 
 It is tested against property-based, cross-library and Wycheproof vectors,
-and is being fuzzed in [the separate repo](https://github.com/paulmillr/fuzzing).
+and is being fuzzed in [the separate repo](https://github.com/paulmillr/integration-tests).
 
 If you see anything unusual: investigate and report.
 
@@ -820,8 +767,8 @@ init 10ms
 getPublicKey x 9,099 ops/sec @ 109μs/op
 sign x 7,182 ops/sec @ 139μs/op
 verify x 1,188 ops/sec @ 841μs/op
-getSharedSecret x 735 ops/sec @ 1ms/op
 recoverPublicKey x 1,265 ops/sec @ 790μs/op
+getSharedSecret x 735 ops/sec @ 1ms/op
 schnorr.sign x 957 ops/sec @ 1ms/op
 schnorr.verify x 1,210 ops/sec @ 825μs/op
 
@@ -917,14 +864,82 @@ aggregateSignatures/2048 x 0 ops/sec @ 2823ms/op
 
 Supported node.js versions:
 
-- v2: v20.19+ (ESM-only)
-- v1: v14.21+ (ESM & CJS)
-
-### curves v1 => curves v2
-
-WIP. Changelog of v2, when upgrading from curves v1.
-
-### noble-secp256k1 v1 => curves v1
+- v2 (2025-08): v20.19+ (ESM-only)
+- v1 (2023-04): v14.21+ (ESM & CJS)
+
+### curves v1 to curves v2
+
+v2 massively simplifies internals, improves security, reduces bundle size and lays path for the future.
+We tried to keep v2 as much backwards-compatible as possible.
+
+Submodule paths now require `.js` extension e.g. `curves/ed25519` => `curves/ed25519.js`.
+This allows usage in bundler-less environments without source maps
+
+**Logic** changes:
+
+- Most methods now expect Uint8Array, string hex inputs are prohibited
+    - The change simplifies reasoning, improves security and reduces malleability
+    - `Point.fromHex` now expects string-only hex inputs, use `Point.fromBytes` for Uint8Array
+- Breaking changes of ECDSA (secp256k1, p256, p384...):
+    - sign, verify: Switch to **prehashed messages**. Instead of
+      messageHash, the methods now expect unhashed message.
+      To bring back old behavior, use option `{prehash: false}`
+    - sign, verify: Switch to **lowS signatures** by default.
+      This change doesn't affect secp256k1, which has been using lowS since beginning.
+      To bring back old behavior, use option `{lowS: true}`
+    - sign, verify: Switch to **Uint8Array signatures** (format: 'compact') by default.
+    - verify: **der format must be explicitly specified** in `{format: 'der'}`.
+      This reduces malleability
+    - verify: **prohibit Signature-instance** signature. User must now always do
+      `signature.toBytes()`
+- Breaking changes of BLS signatures (bls12-381, bn254):
+    - Move getPublicKey, sign, verify, signShortSignature etc into two new namespaces:
+      bls.longSignatures (G1 pubkeys, G2 sigs) and bls.shortSignatures (G1 sigs, G2 pubkeys).
+    - verifyBatch now expects array of inputs `{message: ..., publicKey: ...}[]`
+- Curve changes:
+    - Massively simplify curve creation, split it into point creation & sig generator creation
+    - New methods are `weierstrass() + ecdsa()` / `edwards() + eddsa()`
+    - weierstrass / edwards expect simplified curve params (Fp became p)
+    - ecdsa / eddsa expect Point class and hash
+    - Remove unnecessary Fn argument in `pippenger`
+- modular changes:
+    - Field#fromBytes() now validates elements to be in 0..order-1 range
+- Massive type renamings and improvements
+
+**Renamings:**
+
+- Module changes
+    - `p256`, `p384`, `p521` modules have been moved into `nist`
+    - `jubjub` module has been moved into `misc`
+- Point changes
+    - ExtendedPoint, ProjectivePoint => Point
+    - Point coordinates (projective / extended) from px/ex, py/ey, pz/ez, et => X, Y, Z, T
+    - Point.normalizeZ, Point.msm => separate methods in `abstract/curve.js` submodule
+    - Point.fromPrivateKey() got removed, use `Point.BASE.multiply()` and `Point.Fn.fromBytes(secretKey)`
+    - toRawBytes, fromRawBytes => toBytes, fromBytes
+    - RistrettoPoint => ristretto255.Point, DecafPoiont => decaf448.Point
+- Signature (ECDSA) changes
+    - toCompactRawBytes, toDERRawBytes => toBytes('compact'), toBytes('der')
+    - toCompactHex, toDERHex => toHex('compact'), toHex('der')
+    - fromCompact, fromDER => fromBytes(format), fromHex(format)
+- utils changes
+    - randomPrivateKey => randomSecretKey
+    - utils.precompute, Point#_setWindowSize => Point#precompute
+    - edwardsToMontgomery => utils.toMontgomery
+    - edwardsToMontgomeryPriv => utils.toMontgomerySecret
+- Rename all curve-specific hash-to-curve methods to `*curve*_hasher`.
+  Example: `secp256k1.hashToCurve` => `secp256k1_hasher.hashToCurve()`
+
+**Removed features:**
+
+- Point#multiplyAndAddUnsafe, Point#hasEvenY
+- CURVE property with all kinds of random stuff. Point.CURVE() now replaces it, but only provides
+  curve parameters
+- Remove `pasta`, `bn254_weierstrass` (NOT pairing-based bn254) curves
+- Field.MASK
+- utils.normPrivateKeyToScalar
+
+### noble-secp256k1 v1 to curves v1
 
 Previously, the library was split into single-feature packages
 [noble-secp256k1](https://github.com/paulmillr/noble-secp256k1),
@@ -932,7 +947,7 @@ Previously, the library was split into single-feature packages
 [noble-bls12-381](https://github.com/paulmillr/noble-bls12-381).
 
 Curves continue their original work. The single-feature packages changed their
-direction towards providing minimal 4kb implementations of cryptography,
+direction towards providing minimal 5kb implementations of cryptography,
 which means they have less features.
 
 - `getPublicKey`
@@ -961,9 +976,9 @@ which means they have less features.
 - `utils` were split into `utils` (same api as in noble-curves) and
   `etc` (`hmacSha256Sync` and others)
 
-### noble-ed25519 v1 => curves v1
+### noble-ed25519 v1 to curves v1
 
-Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) 1.7:
+Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519):
 
 - Methods are now sync by default
 - `bigint` is no longer allowed in `getPublicKey`, `sign`, `verify`. Reason: ed25519 is LE, can lead to bugs
@@ -974,7 +989,7 @@ Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519) 1.7:
 - `getSharedSecret` was moved to `x25519` module
 - `toX25519` has been moved to `edwardsToMontgomeryPub` and `edwardsToMontgomeryPriv` methods
 
-### noble-bls12-381 => curves v1
+### noble-bls12-381 to curves v1
 
 Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):