@noble/curves 1.9.7 → 2.0.0-beta.2

package/src/abstract/curve.ts

@@ -4,29 +4,17 @@
  * @module
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-import { bitLen, bitMask, validateObject } from '../utils.ts';
-import { Field, FpInvertBatch, nLength, validateField, type IField } from './modular.ts';
+import { bitLen, bitMask, type Signer } from '../utils.ts';
+import { Field, FpInvertBatch, validateField, type IField } from './modular.ts';
 
-const _0n = BigInt(0);
-const _1n = BigInt(1);
+const _0n = /* @__PURE__ */ BigInt(0);
+const _1n = /* @__PURE__ */ BigInt(1);
 
 export type AffinePoint<T> = {
   x: T;
   y: T;
 } & { Z?: never };
 
-// This was initialy do this way to re-use montgomery ladder in field (add->mul,double->sqr), but
-// that didn't happen and there is probably not much reason to have separate Group like this?
-export interface Group<T extends Group<T>> {
-  double(): T;
-  negate(): T;
-  add(other: T): T;
-  subtract(other: T): T;
-  equals(other: T): boolean;
-  multiply(scalar: bigint): T;
-  toAffine?(invertedZ?: any): AffinePoint<any>;
-}
-
 // We can't "abstract out" coordinates (X, Y, Z; and T in Edwards): argument names of constructor
 // are not accessible. See Typescript gh-56093, gh-41594.
 //
@@ -36,7 +24,7 @@ export interface Group<T extends Group<T>> {
 // but we lose all constrains on methods.
 
 /** Base interface for all elliptic curve Points. */
-export interface CurvePoint<F, P extends CurvePoint<F, P>> extends Group<P> {
+export interface CurvePoint<F, P extends CurvePoint<F, P>> {
   /** Affine x coordinate. Different from projective / extended X coordinate. */
   x: F;
   /** Affine y coordinate. Different from projective / extended Y coordinate. */
@@ -77,7 +65,7 @@ export interface CurvePointCons<P extends CurvePoint<any, P>> {
   /** Creates point from x, y. Does NOT validate if the point is valid. Use `.assertValidity()`. */
   fromAffine(p: AffinePoint<P_F<P>>): P;
   fromBytes(bytes: Uint8Array): P;
-  fromHex(hex: Uint8Array | string): P;
+  fromHex(hex: string): P;
 }
 
 // Type inference helpers: PC - PointConstructor, P - Point, Fp - Field element
@@ -134,16 +122,7 @@ export interface CurveLengths {
   signature?: number;
   seed?: number;
 }
-export type GroupConstructor<T> = {
-  BASE: T;
-  ZERO: T;
-};
-/** @deprecated */
-export type ExtendedGroupConstructor<T> = GroupConstructor<T> & {
-  Fp: IField<any>;
-  Fn: IField<bigint>;
-  fromAffine(ap: AffinePoint<any>): T;
-};
+
 export type Mapper<T> = (i: T[]) => T[];
 
 export function negateCt<T extends { negate: () => T }>(condition: boolean, item: T): T {
@@ -174,7 +153,7 @@ function validateW(W: number, bits: number) {
 }
 
 /** Internal wNAF opts for specific W and scalarBits */
-export type WOpts = {
+type WOpts = {
   windows: number;
   windowSize: number;
   mask: bigint;
@@ -464,7 +443,6 @@ export function mulEndoUnsafe<P extends CurvePoint<any, P>, PC extends CurvePoin
  */
 export function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
   c: PC,
-  fieldN: IField<bigint>,
   points: P[],
   scalars: bigint[]
 ): P {
@@ -474,6 +452,7 @@ export function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCon
   // - https://eprint.iacr.org/2024/750.pdf
   // - https://tches.iacr.org/index.php/TCHES/article/view/10287
   // 0 is accepted in scalars
+  const fieldN = c.Fn;
   validateMSMPoints(points, c);
   validateMSMScalars(scalars, fieldN);
   const plength = points.length;
@@ -517,7 +496,6 @@ export function pippenger<P extends CurvePoint<any, P>, PC extends CurvePointCon
  */
 export function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends CurvePointCons<P>>(
   c: PC,
-  fieldN: IField<bigint>,
   points: P[],
   windowSize: number
 ): (scalars: bigint[]) => P {
@@ -556,6 +534,7 @@ export function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends Cur
    *   - Optimal for ~256 scalars
    *   - Less efficient for 4096+ scalars (Pippenger preferred)
    */
+  const fieldN = c.Fn;
   validateW(windowSize, fieldN.BITS);
   validateMSMPoints(points, c);
   const zero = c.ZERO;
@@ -590,58 +569,6 @@ export function precomputeMSMUnsafe<P extends CurvePoint<any, P>, PC extends Cur
   };
 }
 
-// TODO: remove
-/**
- * Generic BasicCurve interface: works even for polynomial fields (BLS): P, n, h would be ok.
- * Though generator can be different (Fp2 / Fp6 for BLS).
- */
-export type BasicCurve<T> = {
-  Fp: IField<T>; // Field over which we'll do calculations (Fp)
-  n: bigint; // Curve order, total count of valid points in the field
-  nBitLength?: number; // bit length of curve order
-  nByteLength?: number; // byte length of curve order
-  h: bigint; // cofactor. we can assign default=1, but users will just ignore it w/o validation
-  hEff?: bigint; // Number to multiply to clear cofactor
-  Gx: T; // base point X coordinate
-  Gy: T; // base point Y coordinate
-  allowInfinityPoint?: boolean; // bls12-381 requires it. ZERO point is valid, but invalid pubkey
-};
-
-// TODO: remove
-/** @deprecated */
-export function validateBasic<FP, T>(
-  curve: BasicCurve<FP> & T
-): Readonly<
-  {
-    readonly nBitLength: number;
-    readonly nByteLength: number;
-  } & BasicCurve<FP> &
-    T & {
-      p: bigint;
-    }
-> {
-  validateField(curve.Fp);
-  validateObject(
-    curve,
-    {
-      n: 'bigint',
-      h: 'bigint',
-      Gx: 'field',
-      Gy: 'field',
-    },
-    {
-      nBitLength: 'isSafeInteger',
-      nByteLength: 'isSafeInteger',
-    }
-  );
-  // Set defaults
-  return Object.freeze({
-    ...nLength(curve.n, curve.nBitLength),
-    ...curve,
-    ...{ p: curve.Fp.ORDER },
-  } as const);
-}
-
 export type ValidCurveParams<T> = {
   p: bigint;
   n: bigint;
@@ -665,7 +592,7 @@ function createField<T>(order: bigint, field?: IField<T>, isLE?: boolean): IFiel
 export type FpFn<T> = { Fp: IField<T>; Fn: IField<bigint> };
 
 /** Validates CURVE opts and creates fields */
-export function _createCurveFields<T>(
+export function createCurveFields<T>(
   type: 'weierstrass' | 'edwards',
   CURVE: ValidCurveParams<T>,
   curveOpts: Partial<FpFn<T>> = {},
@@ -690,3 +617,17 @@ export function _createCurveFields<T>(
   CURVE = Object.freeze(Object.assign({}, CURVE));
   return { CURVE, Fp, Fn };
 }
+
+type KeygenFn = (
+  seed?: Uint8Array,
+  isCompressed?: boolean
+) => { secretKey: Uint8Array; publicKey: Uint8Array };
+export function createKeygen(
+  randomSecretKey: Function,
+  getPublicKey: Signer['getPublicKey']
+): KeygenFn {
+  return function keygen(seed?: Uint8Array) {
+    const secretKey = randomSecretKey(seed);
+    return { secretKey, publicKey: getPublicKey(secretKey) };
+  };
+}

package/src/abstract/edwards.ts

@@ -6,41 +6,38 @@
  */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 import {
-  _validateObject,
-  _abool2 as abool,
-  _abytes2 as abytes,
+  abool,
+  abytes,
   aInRange,
   bytesToHex,
   bytesToNumberLE,
   concatBytes,
   copyBytes,
-  ensureBytes,
+  hexToBytes,
   isBytes,
   memoized,
   notImplemented,
-  randomBytes as randomBytesWeb,
+  validateObject,
+  randomBytes as wcRandomBytes,
   type FHash,
-  type Hex,
+  type Signer,
 } from '../utils.ts';
 import {
-  _createCurveFields,
+  createCurveFields,
+  createKeygen,
   normalizeZ,
-  pippenger,
   wNAF,
   type AffinePoint,
-  type BasicCurve,
   type CurveLengths,
   type CurvePoint,
   type CurvePointCons,
 } from './curve.ts';
-import { Field, type IField, type NLength } from './modular.ts';
+import { type IField } from './modular.ts';
 
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
 const _0n = BigInt(0), _1n = BigInt(1), _2n = BigInt(2), _8n = BigInt(8);
 
-export type UVRatio = (u: bigint, v: bigint) => { isValid: boolean; value: bigint };
-
 /** Instance of Extended Point with coordinates in X, Y, Z, T. */
 export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
   /** extended X coordinate. Different from affine x. */
@@ -51,33 +48,14 @@ export interface EdwardsPoint extends CurvePoint<bigint, EdwardsPoint> {
   readonly Z: bigint;
   /** extended T coordinate */
   readonly T: bigint;
-
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array;
-  /** @deprecated use `p.precompute(windowSize)` */
-  _setWindowSize(windowSize: number): void;
-  /** @deprecated use .X */
-  readonly ex: bigint;
-  /** @deprecated use .Y */
-  readonly ey: bigint;
-  /** @deprecated use .Z */
-  readonly ez: bigint;
-  /** @deprecated use .T */
-  readonly et: bigint;
 }
 /** Static methods of Extended Point with coordinates in X, Y, Z, T. */
 export interface EdwardsPointCons extends CurvePointCons<EdwardsPoint> {
   new (X: bigint, Y: bigint, Z: bigint, T: bigint): EdwardsPoint;
   CURVE(): EdwardsOpts;
   fromBytes(bytes: Uint8Array, zip215?: boolean): EdwardsPoint;
-  fromHex(hex: Hex, zip215?: boolean): EdwardsPoint;
-  /** @deprecated use `import { pippenger } from '@noble/curves/abstract/curve.js';` */
-  msm(points: EdwardsPoint[], scalars: bigint[]): EdwardsPoint;
+  fromHex(hex: string, zip215?: boolean): EdwardsPoint;
 }
-/** @deprecated use EdwardsPoint */
-export type ExtPointType = EdwardsPoint;
-/** @deprecated use EdwardsPointCons */
-export type ExtPointConstructor = EdwardsPointCons;
 
 /**
  * Twisted Edwards curve options.
@@ -139,13 +117,17 @@ export type EdDSAOpts = Partial<{
  */
 export interface EdDSA {
   keygen: (seed?: Uint8Array) => { secretKey: Uint8Array; publicKey: Uint8Array };
-  getPublicKey: (secretKey: Hex) => Uint8Array;
-  sign: (message: Hex, secretKey: Hex, options?: { context?: Hex }) => Uint8Array;
+  getPublicKey: (secretKey: Uint8Array) => Uint8Array;
+  sign: (
+    message: Uint8Array,
+    secretKey: Uint8Array,
+    options?: { context?: Uint8Array }
+  ) => Uint8Array;
   verify: (
-    sig: Hex,
-    message: Hex,
-    publicKey: Hex,
-    options?: { context?: Hex; zip215: boolean }
+    sig: Uint8Array,
+    message: Uint8Array,
+    publicKey: Uint8Array,
+    options?: { context?: Uint8Array; zip215: boolean }
   ) => boolean;
   Point: EdwardsPointCons;
   utils: {
@@ -163,9 +145,10 @@ export interface EdDSA {
      *
      * @example
      * ```js
-     * const someonesPub = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
+     * const someonesPub_ed = ed25519.getPublicKey(ed25519.utils.randomSecretKey());
+     * const someonesPub = ed25519.utils.toMontgomery(someonesPub);
      * const aPriv = x25519.utils.randomSecretKey();
-     * x25519.getSharedSecret(aPriv, ed25519.utils.toMontgomery(someonesPub))
+     * const shared = x25519.getSharedSecret(aPriv, someonesPub)
      * ```
      */
     toMontgomery: (publicKey: Uint8Array) => Uint8Array;
@@ -174,23 +157,19 @@ export interface EdDSA {
      * @example
      * ```js
      * const someonesPub = x25519.getPublicKey(x25519.utils.randomSecretKey());
-     * const aPriv = ed25519.utils.randomSecretKey();
-     * x25519.getSharedSecret(ed25519.utils.toMontgomerySecret(aPriv), someonesPub)
+     * const aPriv_ed = ed25519.utils.randomSecretKey();
+     * const aPriv = ed25519.utils.toMontgomerySecret(aPriv_ed);
+     * const shared = x25519.getSharedSecret(aPriv, someonesPub)
      * ```
      */
-    toMontgomerySecret: (privateKey: Uint8Array) => Uint8Array;
-    getExtendedPublicKey: (key: Hex) => {
+    toMontgomerySecret: (secretKey: Uint8Array) => Uint8Array;
+    getExtendedPublicKey: (key: Uint8Array) => {
       head: Uint8Array;
       prefix: Uint8Array;
       scalar: bigint;
       point: EdwardsPoint;
       pointBytes: Uint8Array;
     };
-
-    /** @deprecated use `randomSecretKey` */
-    randomPrivateKey: (seed?: Uint8Array) => Uint8Array;
-    /** @deprecated use `point.precompute()` */
-    precompute: (windowSize?: number, point?: EdwardsPoint) => EdwardsPoint;
   };
   lengths: CurveLengths;
 }
@@ -204,11 +183,11 @@ function isEdValidXY(Fp: IField<bigint>, CURVE: EdwardsOpts, x: bigint, y: bigin
 }
 
 export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}): EdwardsPointCons {
-  const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
+  const validated = createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
   const { Fp, Fn } = validated;
   let CURVE = validated.CURVE as EdwardsOpts;
   const { h: cofactor } = CURVE;
-  _validateObject(extraOpts, {}, { uvRatio: 'function' });
+  validateObject(extraOpts, {}, { uvRatio: 'function' });
 
   // Important:
   // There are some places where Fp.BYTES is used instead of nByteLength.
@@ -243,8 +222,8 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     return n;
   }
 
-  function aextpoint(other: unknown) {
-    if (!(other instanceof Point)) throw new Error('ExtendedPoint expected');
+  function aedpoint(other: unknown) {
+    if (!(other instanceof Point)) throw new Error('EdwardsPoint expected');
   }
   // Converts Extended point to default (x, y) coordinates.
   // Can accept precomputed Z^-1 - for example, from invertBatch.
@@ -350,8 +329,9 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
       if (isLastByteOdd !== isXOdd) x = modP(-x); // if x_0 != x mod 2, set x = p-x
       return Point.fromAffine({ x, y });
     }
-    static fromHex(bytes: Uint8Array, zip215 = false): Point {
-      return Point.fromBytes(ensureBytes('point', bytes), zip215);
+
+    static fromHex(hex: string, zip215 = false): Point {
+      return Point.fromBytes(hexToBytes(hex), zip215);
     }
 
     get x(): bigint {
@@ -374,7 +354,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
 
     // Compare one point to another.
     equals(other: Point): boolean {
-      aextpoint(other);
+      aedpoint(other);
       const { X: X1, Y: Y1, Z: Z1 } = this;
       const { X: X2, Y: Y2, Z: Z2 } = other;
       const X1Z2 = modP(X1 * Z2);
@@ -419,7 +399,7 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
     // Cost: 9M + 1*a + 1*d + 7add.
     add(other: Point) {
-      aextpoint(other);
+      aedpoint(other);
       const { a, d } = CURVE;
       const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
       const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
@@ -504,32 +484,6 @@ export function edwards(params: EdwardsOpts, extraOpts: EdwardsExtraOpts = {}):
     toString() {
       return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
     }
-
-    // TODO: remove
-    get ex(): bigint {
-      return this.X;
-    }
-    get ey(): bigint {
-      return this.Y;
-    }
-    get ez(): bigint {
-      return this.Z;
-    }
-    get et(): bigint {
-      return this.T;
-    }
-    static normalizeZ(points: Point[]): Point[] {
-      return normalizeZ(Point, points);
-    }
-    static msm(points: Point[], scalars: bigint[]): Point {
-      return pippenger(Point, Fn, points, scalars);
-    }
-    _setWindowSize(windowSize: number) {
-      this.precompute(windowSize);
-    }
-    toRawBytes(): Uint8Array {
-      return this.toBytes();
-    }
   }
   const wnaf = new wNAF(Point, Fn.BITS);
   Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
@@ -564,7 +518,7 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
     notImplemented();
   }
 
-  static fromHex(_hex: Hex): any {
+  static fromHex(_hex: string): any {
     notImplemented();
   }
 
@@ -639,11 +593,6 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
   abstract is0(): boolean;
   protected abstract assertSame(other: T): void;
   protected abstract init(ep: EdwardsPoint): T;
-
-  /** @deprecated use `toBytes` */
-  toRawBytes(): Uint8Array {
-    return this.toBytes();
-  }
 }
 
 /**
@@ -651,7 +600,7 @@ export abstract class PrimeEdwardsPoint<T extends PrimeEdwardsPoint<T>>
  */
 export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpts = {}): EdDSA {
   if (typeof cHash !== 'function') throw new Error('"hash" function param is required');
-  _validateObject(
+  validateObject(
     eddsaOpts,
     {},
     {
@@ -666,7 +615,7 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   const { prehash } = eddsaOpts;
   const { BASE, Fp, Fn } = Point;
 
-  const randomBytes = eddsaOpts.randomBytes || randomBytesWeb;
+  const randomBytes = eddsaOpts.randomBytes || wcRandomBytes;
   const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes: Uint8Array) => bytes);
   const domain =
     eddsaOpts.domain ||
@@ -682,12 +631,12 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   // Get the hashed private scalar per RFC8032 5.1.5
-  function getPrivateScalar(key: Hex) {
+  function getPrivateScalar(key: Uint8Array) {
     const len = lengths.secretKey;
-    key = ensureBytes('private key', key, len);
+    abytes(key, lengths.secretKey, 'secretKey');
     // Hash private key with curve's hash function to produce uniformingly random input
     // Check byte lengths: ensure(64, h(ensure(32, key)))
-    const hashed = ensureBytes('hashed private key', cHash(key), 2 * len);
+    const hashed = abytes(cHash(key), 2 * len, 'hashedSecretKey');
     const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
     const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
     const scalar = modN_LE(head); // The actual private scalar
@@ -695,7 +644,7 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
-  function getExtendedPublicKey(secretKey: Hex) {
+  function getExtendedPublicKey(secretKey: Uint8Array) {
     const { head, prefix, scalar } = getPrivateScalar(secretKey);
     const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
     const pointBytes = point.toBytes();
@@ -703,19 +652,23 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   /** Calculates EdDSA pub key. RFC8032 5.1.5. */
-  function getPublicKey(secretKey: Hex): Uint8Array {
+  function getPublicKey(secretKey: Uint8Array): Uint8Array {
     return getExtendedPublicKey(secretKey).pointBytes;
   }
 
   // int('LE', SHA512(dom2(F, C) || msgs)) mod N
-  function hashDomainToScalar(context: Hex = Uint8Array.of(), ...msgs: Uint8Array[]) {
+  function hashDomainToScalar(context: Uint8Array = Uint8Array.of(), ...msgs: Uint8Array[]) {
     const msg = concatBytes(...msgs);
-    return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
+    return modN_LE(cHash(domain(msg, abytes(context, undefined, 'context'), !!prehash)));
   }
 
-  /** Signs message with privateKey. RFC8032 5.1.6 */
-  function sign(msg: Hex, secretKey: Hex, options: { context?: Hex } = {}): Uint8Array {
-    msg = ensureBytes('message', msg);
+  /** Signs message with secret key. RFC8032 5.1.6 */
+  function sign(
+    msg: Uint8Array,
+    secretKey: Uint8Array,
+    options: { context?: Uint8Array } = {}
+  ): Uint8Array {
+    msg = abytes(msg, undefined, 'message');
     if (prehash) msg = prehash(msg); // for ed25519ph etc.
     const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
     const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
@@ -728,18 +681,23 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   }
 
   // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-  const verifyOpts: { context?: Hex; zip215?: boolean } = { zip215: true };
+  const verifyOpts: { context?: Uint8Array; zip215?: boolean } = { zip215: true };
 
   /**
    * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
    * An extended group equation is checked.
    */
-  function verify(sig: Hex, msg: Hex, publicKey: Hex, options = verifyOpts): boolean {
+  function verify(
+    sig: Uint8Array,
+    msg: Uint8Array,
+    publicKey: Uint8Array,
+    options = verifyOpts
+  ): boolean {
     const { context, zip215 } = options;
     const len = lengths.signature;
-    sig = ensureBytes('signature', sig, len);
-    msg = ensureBytes('message', msg);
-    publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);
+    sig = abytes(sig, len, 'signature');
+    msg = abytes(msg, undefined, 'message');
+    publicKey = abytes(publicKey, lengths.publicKey, 'publicKey');
     if (zip215 !== undefined) abool(zip215, 'zip215');
     if (prehash) msg = prehash(msg); // for ed25519ph, etc
 
@@ -776,13 +734,11 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
   function randomSecretKey(seed = randomBytes(lengths.seed)): Uint8Array {
     return abytes(seed, lengths.seed, 'seed');
   }
-  function keygen(seed?: Uint8Array) {
-    const secretKey = utils.randomSecretKey(seed);
-    return { secretKey, publicKey: getPublicKey(secretKey) };
-  }
+
   function isValidSecretKey(key: Uint8Array): boolean {
     return isBytes(key) && key.length === Fn.BYTES;
   }
+
   function isValidPublicKey(key: Uint8Array, zip215?: boolean): boolean {
     try {
       return !!Point.fromBytes(key, zip215);
@@ -813,102 +769,21 @@ export function eddsa(Point: EdwardsPointCons, cHash: FHash, eddsaOpts: EdDSAOpt
       const u = is25519 ? Fp.div(_1n + y, _1n - y) : Fp.div(y - _1n, y + _1n);
       return Fp.toBytes(u);
     },
-
     toMontgomerySecret(secretKey: Uint8Array): Uint8Array {
       const size = lengths.secretKey;
       abytes(secretKey, size);
       const hashed = cHash(secretKey.subarray(0, size));
       return adjustScalarBytes(hashed).subarray(0, size);
     },
-
-    /** @deprecated */
-    randomPrivateKey: randomSecretKey,
-    /** @deprecated */
-    precompute(windowSize = 8, point: EdwardsPoint = Point.BASE): EdwardsPoint {
-      return point.precompute(windowSize, false);
-    },
   };
 
   return Object.freeze({
-    keygen,
+    keygen: createKeygen(randomSecretKey, getPublicKey),
     getPublicKey,
     sign,
     verify,
     utils,
     Point,
     lengths,
-  });
-}
-
-// TODO: remove everything below
-export type CurveType = BasicCurve<bigint> & {
-  a: bigint; // curve param a
-  d: bigint; // curve param d
-  /** @deprecated the property will be removed in next release */
-  hash: FHash; // Hashing
-  randomBytes?: (bytesLength?: number) => Uint8Array; // CSPRNG
-  adjustScalarBytes?: (bytes: Uint8Array) => Uint8Array; // clears bits to get valid field elemtn
-  domain?: (data: Uint8Array, ctx: Uint8Array, phflag: boolean) => Uint8Array; // Used for hashing
-  uvRatio?: UVRatio; // Ratio √(u/v)
-  prehash?: FHash; // RFC 8032 pre-hashing of messages to sign() / verify()
-  mapToCurve?: (scalar: bigint[]) => AffinePoint<bigint>; // for hash-to-curve standard
-};
-export type CurveTypeWithLength = Readonly<CurveType & Partial<NLength>>;
-export type CurveFn = {
-  /** @deprecated the property will be removed in next release */
-  CURVE: CurveType;
-  keygen: EdDSA['keygen'];
-  getPublicKey: EdDSA['getPublicKey'];
-  sign: EdDSA['sign'];
-  verify: EdDSA['verify'];
-  Point: EdwardsPointCons;
-  /** @deprecated use `Point` */
-  ExtendedPoint: EdwardsPointCons;
-  utils: EdDSA['utils'];
-  lengths: CurveLengths;
-};
-export type EdComposed = {
-  CURVE: EdwardsOpts;
-  curveOpts: EdwardsExtraOpts;
-  hash: FHash;
-  eddsaOpts: EdDSAOpts;
-};
-function _eddsa_legacy_opts_to_new(c: CurveTypeWithLength): EdComposed {
-  const CURVE: EdwardsOpts = {
-    a: c.a,
-    d: c.d,
-    p: c.Fp.ORDER,
-    n: c.n,
-    h: c.h,
-    Gx: c.Gx,
-    Gy: c.Gy,
-  };
-  const Fp = c.Fp;
-  const Fn = Field(CURVE.n, c.nBitLength, true);
-  const curveOpts: EdwardsExtraOpts = { Fp, Fn, uvRatio: c.uvRatio };
-  const eddsaOpts: EdDSAOpts = {
-    randomBytes: c.randomBytes,
-    adjustScalarBytes: c.adjustScalarBytes,
-    domain: c.domain,
-    prehash: c.prehash,
-    mapToCurve: c.mapToCurve,
-  };
-  return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
-}
-function _eddsa_new_output_to_legacy(c: CurveTypeWithLength, eddsa: EdDSA): CurveFn {
-  const Point = eddsa.Point;
-  const legacy = Object.assign({}, eddsa, {
-    ExtendedPoint: Point,
-    CURVE: c,
-    nBitLength: Point.Fn.BITS,
-    nByteLength: Point.Fn.BYTES,
-  });
-  return legacy;
-}
-// TODO: remove. Use eddsa
-export function twistedEdwards(c: CurveTypeWithLength): CurveFn {
-  const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
-  const Point = edwards(CURVE, curveOpts);
-  const EDDSA = eddsa(Point, hash, eddsaOpts);
-  return _eddsa_new_output_to_legacy(c, EDDSA);
+  }) satisfies Signer;
 }