@noble/curves 2.0.1 → 2.2.0

package/README.md

@@ -7,10 +7,10 @@ Audited & minimal JS implementation of elliptic curve cryptography.
 - 🏎 Fast: hand-optimized for caveats of JS engines
 - 🔍 Reliable: cross-library / wycheproof tests and fuzzing ensure correctness
 - ➰ Weierstrass, Edwards, Montgomery curves; ECDSA, EdDSA, Schnorr, BLS signatures
-- ✍️ ECDH, hash-to-curve, OPRF, Poseidon ZK-friendly hash
+- ✍️ ECDH, hash-to-curve, OPRF, FROST, Poseidon hash, FFT
 - 🔖 Non-repudiation (SUF-CMA, SBS) & consensus-friendliness (ZIP215) in ed25519, ed448
 - 🥈 Optional, friendly wrapper over native WebCrypto
-- 🪶 29KB (gzipped) including bundled hashes, 11KB for single-curve build
+- 🪶 32KB (gzipped) including bundled hashes, 11KB for single-curve build
 
 Curves have 5kb sister projects
 [secp256k1](https://github.com/paulmillr/noble-secp256k1) & [ed25519](https://github.com/paulmillr/noble-ed25519).
@@ -32,8 +32,8 @@ Take a glance at [GitHub Discussions](https://github.com/paulmillr/noble-curves/
   [post-quantum](https://github.com/paulmillr/noble-post-quantum),
   5kb [secp256k1](https://github.com/paulmillr/noble-secp256k1) /
   [ed25519](https://github.com/paulmillr/noble-ed25519)
-- [Check out homepage](https://paulmillr.com/noble/)
-  for reading resources, documentation and apps built with noble
+- [Check out the homepage](https://paulmillr.com/noble/)
+  for reading resources, documentation, and apps built with noble
 
 ## Usage
 
@@ -67,7 +67,7 @@ import { ristretto255_oprf } from '@noble/curves/ed25519.js';
 import { decaf448_oprf } from '@noble/curves/ed448.js';
 
 // utils
-import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/abstract/utils.js';
+import { bytesToHex, hexToBytes, concatBytes } from '@noble/curves/utils.js';
 import { Field } from '@noble/curves/abstract/modular.js';
 import { weierstrass, ecdsa } from '@noble/curves/abstract/weierstrass.js';
 import { edwards, eddsa } from '@noble/curves/abstract/edwards.js';
@@ -80,6 +80,7 @@ import { FFT, poly } from '@noble/curves/abstract/fft.js';
     - [secp256k1, p256, p384, p521, ed25519, ed448, brainpool](#secp256k1-p256-p384-p521-ed25519-ed448-brainpool)
     - [ristretto255, decaf448](#ristretto255-decaf448)
     - [Prehashed signing](#prehashed-signing)
+    - [Recovering public keys from signatures](#recovering-public-keys-from-signatures)
     - [Hedged ECDSA with noise](#hedged-ecdsa-with-noise)
     - [Consensus-friendliness vs e-voting](#consensus-friendliness-vs-e-voting)
   - [ECDH: Diffie-Hellman shared secrets](#ecdh-diffie-hellman-shared-secrets)
@@ -87,6 +88,7 @@ import { FFT, poly } from '@noble/curves/abstract/fft.js';
   - [BLS signatures, bls12-381, bn254 aka alt\_bn128](#bls-signatures-bls12-381-bn254-aka-alt_bn128)
   - [Hashing to curve points](#hash-to-curve-hashing-to-curve-points)
   - [OPRFs](#oprfs)
+  - [FROST threshold signatures](#frost-threshold-signatures)
   - [Poseidon hash](#poseidon-poseidon-hash)
   - [Fast Fourier Transform](#fft-fast-fourier-transform)
   - [utils](#utils-byte-shuffling-conversion)
@@ -134,6 +136,8 @@ ECDSA signatures use deterministic k, conforming to [RFC 6979](https://www.rfc-e
 EdDSA conforms to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032).
 Schnorr (secp256k1-only) conforms to [BIP 340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki).
 
+Messages are always hashed first.
+
 #### ristretto255, decaf448
 
 ```ts
@@ -150,36 +154,60 @@ Check out separate documentation for [Point](#elliptic-curve-point-math), [hashe
 
 ```js
 import { secp256k1 } from '@noble/curves/secp256k1.js';
-import { keccak256 } from '@noble/hashes/sha3.js';
-const { secretKey } = curve.keygen();
+import { keccak_256 } from '@noble/hashes/sha3.js';
+const { secretKey } = secp256k1.keygen();
 const msg = new TextEncoder().encode('hello noble');
 // prehash: true (default) - hash using secp256k1.hash (sha256)
 const sig = secp256k1.sign(msg, secretKey);
 // prehash: false - hash using custom hash
-const sigKeccak = secp256k1.sign(keccak256(msg), secretKey, { prehash: false });
+const sigKeccak = secp256k1.sign(keccak_256(msg), secretKey, { prehash: false });
 ```
 
-ECDSA `sign()` allows providing `prehash: false`, which enables using custom hashes.
+Default sign() and verify() behavior (`prehash: true`) applies built-in hash function to message first.
+For secp256k1 that's sha256, for p521 that's sha512.
 
-A ECDSA signature is not just "math over elliptic curve points".
-It's actually math + hashing: p256 is in fact p256 point + sha256 hash.
-By default, we hash messages. To use custom hash methods,
-make sure to disable prehashing.
+Providing `prehash: false` allows user to specify their own hash function (e.g. use secp256k1 + keccak_256).
 
 > [!NOTE]
 > Previously, in noble-curves v1, `prehash: false` was the default.
 > Some other libraries (like libsecp256k1) have no prehashing.
 
+#### Recovering public keys from signatures
+
+```js
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+const { secretKey, publicKey } = secp256k1.keygen();
+const msg = new TextEncoder().encode('hello noble');
+const sigRec = secp256k1.sign(msg, secretKey, { format: 'recovered' });
+const publicKey_ = secp256k1.recoverPublicKey(sigRec, msg); // == publicKey
+
+// recovered sig is compact sig with an extra byte
+const sigNoRec = secp256k1.sign(msg, secretKey, { format: 'compact' });
+// sigNoRec == sigRec.slice(1)
+
+// Signature instance
+const sigInstance = secp256k1.Signature.fromBytes(sigRec, 'recovered');
+```
+
+Public key recovery - only supported with ECDSA.
+
+> [!NOTE]
+> Key recovery is a simple math operation.
+> There are no guarantees the signing was actually done.
+> It's possible to forge signature and msg hash (r, s, h), which would
+> recover into a random public key, but it's not feasible
+> to find m which would lead to this specific forged h.
+
 #### Hedged ECDSA with noise
 
 ```js
 import { secp256k1 } from '@noble/curves/secp256k1.js';
-const { secretKey } = curve.keygen();
+const { secretKey } = secp256k1.keygen();
 const msg = new TextEncoder().encode('hello noble');
 // extraEntropy: false - default, hedging disabled
 const sigNoisy = secp256k1.sign(msg, secretKey);
 // extraEntropy: true - fetch 32 random bytes from CSPRNG
-const sigNoisy = secp256k1.sign(msg, secretKey, { extraEntropy: true });
+const sigNoisyA = secp256k1.sign(msg, secretKey, { extraEntropy: true });
 // extraEntropy: bytes - specific extra entropy
 const ent = Uint8Array.from([0xca, 0xfe, 0x01, 0x23]);
 const sigNoisy2 = secp256k1.sign(msg, secretKey, { extraEntropy: ent });
@@ -206,24 +234,24 @@ const { secretKey, publicKey } = ed25519.keygen();
 const msg = new TextEncoder().encode('hello noble');
 const sig = ed25519.sign(msg, secretKey);
 // zip215: true
-const isValid = ed25519.verify(sig, msg, pub);
+const isValid = ed25519.verify(sig, msg, publicKey);
 // SBS / e-voting / RFC8032 / FIPS 186-5
-const isValidRfc = ed25519.verify(sig, msg, pub, { zip215: false });
+const isValidRfc = ed25519.verify(sig, msg, publicKey, { zip215: false });
 ```
 
+> [!NOTE]
+> Most other libraries don't have SUF-CMA & SBS - less optimal choice for their security.
+
 In ed25519, there is an ability to choose between consensus-friendliness vs e-voting mode.
 
-- `zip215: true` is default behavior. It has slightly looser verification logic
-  to be [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am), following [ZIP215](https://zips.z.cash/zip-0215) rules
-- `zip215: false` switches verification criteria to strict
-  [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final)
-  and additionally provides [non-repudiation with SBS](https://eprint.iacr.org/2020/1244),
-  which is useful for:
-  - Contract Signing: if A signed an agreement with B using key that allows repudiation, it can later claim that it signed a different contract
-  - E-voting: malicious voters may pick keys that allow repudiation in order to deny results
-  - Blockchains: transaction of amount X might also be valid for a different amount Y
+* `zip215: true` (default) uses the more permissive, [consensus-friendly](https://hdevalence.ca/blog/2020-10-04-its-25519am) verification rules defined in [ZIP215](https://zips.z.cash/zip-0215).
+* `zip215: false` enforces strict [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032) / [FIPS 186-5](https://csrc.nist.gov/publications/detail/fips/186/5/final) verification and adds SBS-based non-repudiation, which is useful for:
+    * **Contract signing:** prevents a signer from later claiming they signed a different document
+    * **E-voting:** stops voters from choosing keys that let them repudiate their vote
+    * **Blockchains:** avoids signatures valid for multiple transactions (e.g., amount X also validating amount Y)
 
 Both modes have SUF-CMA (strong unforgeability under chosen message attacks).
+See [Taming the many EdDSAs](https://eprint.iacr.org/2020/1244) for more info.
 
 ### ECDH: Diffie-Hellman shared secrets
 
@@ -233,7 +261,7 @@ import { x25519 } from '@noble/curves/ed25519.js';
 import { x448 } from '@noble/curves/ed448.js';
 import { p256, p384, p521 } from '@noble/curves/nist.js';
 
-for (const curve of [secp256k1, schnorr, x25519, x448, p256, p384, p521]) {
+for (const curve of [secp256k1, x25519, x448, p256, p384, p521]) {
   const alice = curve.keygen();
   const bob = curve.keygen();
   const sharedKey = curve.getSharedSecret(alice.secretKey, bob.publicKey);
@@ -265,7 +293,7 @@ In Weierstrass curves, shared secrets:
 ##### webcrypto signatures
 
 ```js
-import { ed25519, ed448, p256, p384, p521 } from './src/webcrypto.ts';
+import { ed25519, ed448, p256, p384, p521 } from '@noble/curves/webcrypto.js';
 
 (async () => {
   for (let [name, curve] of Object.entries({ p256, p384, p521, ed25519, ed448 })) {
@@ -288,7 +316,7 @@ import { ed25519, ed448, p256, p384, p521 } from './src/webcrypto.ts';
 ##### webcrypto ecdh
 
 ```js
-import { p256, p384, p521, x25519, x448 } from './src/webcrypto.ts';
+import { p256, p384, p521, x25519, x448 } from '@noble/curves/webcrypto.js';
 
 (async () => {
   for (let [name, curve] of Object.entries({ p256, p384, p521, x25519, x448 })) {
@@ -309,8 +337,8 @@ import { p256, p384, p521, x25519, x448 } from './src/webcrypto.ts';
 ##### Key conversion from noble to webcrypto and back
 
 ```js
-import { p256 as p256n } from './src/nist.ts';
-import { p256 } from './src/webcrypto.ts';
+import { p256 as p256n } from '@noble/curves/nist.js';
+import { p256 } from '@noble/curves/webcrypto.js';
 (async () => {
   const nobleKeys = p256n.keygen();
   // convert noble keys to webcrypto
@@ -352,13 +380,13 @@ const blss = bls12_381.shortSignatures;
 const publicKey2 = blss.getPublicKey(secretKey);
 const msgp2 = blss.hash(msg, 'BLS_SIG_BLS12381G1_XMD:SHA-256_SSWU_RO_NUL_');
 const signature2 = blss.sign(msgp2, secretKey);
-const isValid2 = blss.verify(signature2, msgp2, publicKey);
+const isValid2 = blss.verify(signature2, msgp2, publicKey2);
 console.log({ publicKey2, signature2, isValid2 });
 
 // Aggregation
 const aggregatedKey = bls12_381.longSignatures.aggregatePublicKeys([
-  bls12_381.utils.randomSecretKey(),
-  bls12_381.utils.randomSecretKey(),
+  blsl.getPublicKey(bls12_381.utils.randomSecretKey()),
+  blsl.getPublicKey(bls12_381.utils.randomSecretKey()),
 ]);
 // const aggregatedSig = bls.aggregateSignatures(sigs)
 
@@ -390,11 +418,11 @@ Points of divergence:
 ### hash-to-curve: hashing to curve points
 
 ```ts
-import { bls12_381 } from './src/bls12-381.ts';
-import { ed25519_hasher, ristretto255_hasher } from './src/ed25519.ts';
-import { decaf448_hasher, ed448_hasher } from './src/ed448.ts';
-import { p256_hasher, p384_hasher, p521_hasher } from './src/nist.ts';
-import { secp256k1_hasher } from './src/secp256k1.ts';
+import { bls12_381 } from '@noble/curves/bls12-381.js';
+import { ed25519_hasher, ristretto255_hasher } from '@noble/curves/ed25519.js';
+import { decaf448_hasher, ed448_hasher } from '@noble/curves/ed448.js';
+import { p256_hasher, p384_hasher, p521_hasher } from '@noble/curves/nist.js';
+import { secp256k1_hasher } from '@noble/curves/secp256k1.js';
 
 const h = {
   secp256k1_hasher,
@@ -438,7 +466,7 @@ The module allows to hash arbitrary strings to elliptic curve points. Implements
 ```js
 import { p256_oprf, p384_oprf, p521_oprf } from '@noble/curves/nist.js';
 import { ristretto255_oprf } from '@noble/curves/ed25519.js';
-import { decaf448_orpf } from '@noble/curves/ed448.js';
+import { decaf448_oprf } from '@noble/curves/ed448.js';
 ```
 
 We provide OPRFs (oblivious pseudorandom functions),
@@ -451,6 +479,84 @@ OPRF allows to interactively create an `Output = PRF(Input, serverSecretKey)`:
 - An attacker interception the communication can't restore Input/Output/serverSecretKey and can't
   link Input to some value.
 
+### FROST threshold signatures
+
+FROST implements [RFC 9591](https://www.rfc-editor.org/rfc/rfc9591) threshold Schnorr signing.
+It is similar to multisig from the application point of view: any `min` of `max` participants
+can jointly produce one Schnorr signature under a shared public key.
+Supported ciphersuites are `p256_FROST`, `ed25519_FROST`, `ed448_FROST`, `ristretto255_FROST`,
+`secp256k1_FROST`, and `schnorr_FROST` (Taproot-compatible secp256k1).
+Signing has two rounds: selected signers commit first, then produce signature shares.
+
+> [!WARNING]
+> The FROST code is new and has not been audited yet.
+> It passes the imported `frost-rs` vectors/examples and local regression tests.
+
+```js
+import { p256_FROST } from '@noble/curves/nist.js';
+
+const signers = { min: 2, max: 3 };
+const alice = p256_FROST.Identifier.derive('alice@example.com');
+const bob = p256_FROST.Identifier.derive('bob@example.com');
+const carol = p256_FROST.Identifier.derive('carol@example.com');
+// trusted dealer
+const deal = p256_FROST.trustedDealer(signers, [alice, bob, carol]);
+for (const id of [alice, bob, carol]) p256_FROST.validateSecret(deal.secretShares[id], deal.public);
+
+const msg = new TextEncoder().encode('hello threshold');
+// round 1: selected signers commit
+const aliceRound1 = p256_FROST.commit(deal.secretShares[alice]);
+const bobRound1 = p256_FROST.commit(deal.secretShares[bob]);
+const commitmentList = [aliceRound1.commitments, bobRound1.commitments];
+// round 2: signers produce signature shares
+const sigShares = {
+  [alice]: p256_FROST.signShare(
+    deal.secretShares[alice],
+    deal.public,
+    aliceRound1.nonces,
+    commitmentList,
+    msg
+  ),
+  [bob]: p256_FROST.signShare(
+    deal.secretShares[bob],
+    deal.public,
+    bobRound1.nonces,
+    commitmentList,
+    msg
+  ),
+};
+const sig = p256_FROST.aggregate(deal.public, commitmentList, msg, sigShares);
+const isValid = p256_FROST.verify(sig, msg, deal.public.commitments[0]);
+```
+
+Key generation can be done with a trusted dealer or with DKG.
+DKG has three rounds: participants commit to key generation, exchange private shares, then derive final participant keys.
+
+```js
+import { p256_FROST } from '@noble/curves/nist.js';
+
+const signers = { min: 2, max: 3 };
+const alice = p256_FROST.DKG.round1(p256_FROST.Identifier.fromNumber(1), signers);
+const bob = p256_FROST.DKG.round1(p256_FROST.Identifier.fromNumber(2), signers);
+const carol = p256_FROST.DKG.round1(p256_FROST.Identifier.fromNumber(3), signers);
+
+// round 1: participants commit to key generation
+const aliceRound2 = p256_FROST.DKG.round2(alice.secret, [bob.public, carol.public]);
+const bobRound2 = p256_FROST.DKG.round2(bob.secret, [alice.public, carol.public]);
+const carolRound2 = p256_FROST.DKG.round2(carol.secret, [alice.public, bob.public]);
+
+// round 2: private shares for each recipient
+const aliceKey = p256_FROST.DKG.round3(alice.secret, [bob.public, carol.public], [
+  bobRound2[p256_FROST.Identifier.fromNumber(1)],
+  carolRound2[p256_FROST.Identifier.fromNumber(1)],
+]);
+// round 3: final participant key package
+```
+
+DKG helpers are intended for interoperable testing and practical key generation.
+The library implements the cryptographic steps, not the surrounding application protocol:
+callers still need authenticated communication, coordination, retries, session handling, and policy.
+
 ### poseidon: Poseidon hash
 
 Implements [Poseidon](https://www.poseidon-hash.info) ZK-friendly hash:
@@ -461,11 +567,13 @@ We don't provide them: you should construct them manually.
 Check out [scure-starknet](https://github.com/paulmillr/scure-starknet) package for a proper example.
 
 ```ts
-import { poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
+import { bn254 } from '@noble/curves/bn254.js';
+import { grainGenConstants, poseidon, poseidonSponge } from '@noble/curves/abstract/poseidon.js';
 
 const rate = 2;
 const capacity = 1;
-const { mds, roundConstants } = poseidon.grainGenConstants({
+const Fp = bn254.fields.Fr;
+const { mds, roundConstants } = grainGenConstants({
   Fp,
   t: rate + capacity,
   roundsFull: 8,
@@ -481,8 +589,8 @@ const opts = {
   roundsFull: 8,
   roundsPartial: 31,
 };
-const permutation = poseidon.poseidon(opts);
-const sponge = poseidon.poseidonSponge(opts); // use carefully, not specced
+const permutation = poseidon({ ...opts, t: rate + capacity });
+const sponge = poseidonSponge(opts); // use carefully, not specced
 ```
 
 ### fft: Fast Fourier Transform
@@ -501,7 +609,7 @@ API may change at any time. The code has not been audited. Feature requests are
 ### utils: byte shuffling, conversion
 
 ```ts
-import { bytesToHex, concatBytes, equalBytes, hexToBytes } from '@noble/curves/abstract/utils.js';
+import { bytesToHex, concatBytes, equalBytes, hexToBytes } from '@noble/curves/utils.js';
 
 bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23]));
 hexToBytes('cafe0123');
@@ -514,30 +622,32 @@ equalBytes(Uint8Array.of(0xca), Uint8Array.of(0xca));
 #### Elliptic curve Point math
 
 ```js
+import { pippenger } from '@noble/curves/abstract/curve.js';
 import { secp256k1, schnorr } from '@noble/curves/secp256k1.js';
 import { p256, p384, p521 } from '@noble/curves/nist.js';
 import { ed25519, ristretto255 } from '@noble/curves/ed25519.js';
 import { ed448, decaf448 } from '@noble/curves/ed448.js';
-import { bls12_381 } from '@noble/curves/bls12-381.js'
+import { bls12_381 } from '@noble/curves/bls12-381.js';
 import { bn254 } from '@noble/curves/bn254.js';
 import { jubjub, babyjubjub } from '@noble/curves/misc.js';
 
 const curves = [
   secp256k1, schnorr, p256, p384, p521, ed25519, ed448,
   ristretto255, decaf448,
-  bls12_381.G1, bls12_381.G2, bn254.G1, bn254.G2,
+  bls12_381.G1, bls12_381.G2, bn254.G1,
   jubjub, babyjubjub
 ];
 for (const curve of curves) {
   const { Point } = curve;
   const { BASE, ZERO, Fp, Fn } = Point;
+  const info = Point.CURVE?.();
   const p = BASE.multiply(2n);
 
   // Initialization
-  if (info.type === 'weierstrass') {
+  if (info?.type === 'weierstrass') {
     // projective (homogeneous) coordinates: (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
     const p_ = new Point(BASE.X, BASE.Y, BASE.Z);
-  } else if (info.type === 'edwards') {
+  } else if (info?.type === 'edwards') {
     // extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z)
     const p_ = new Point(BASE.X, BASE.Y, BASE.Z, BASE.T);
   }
@@ -551,11 +661,11 @@ for (const curve of curves) {
 
   // MSM (multi-scalar multiplication)
   const pa = [BASE, BASE.multiply(2n), BASE.multiply(4n), BASE.multiply(8n)];
-  const p6 = Point.msm(pa, [3n, 5n, 7n, 11n]);
+  const p6 = pippenger(Point, pa, [3n, 5n, 7n, 11n]);
   const _true3 = p6.equals(BASE.multiply(129n)); // 129*G
 
   const pcl = p.clearCofactor();
-  console.log(p.isTorsionFree(), p.isSmallOrder());
+  const isTorsionFree = p.isTorsionFree();
 
   const r1 = p.toBytes();
   const r1_ = Point.fromBytes(r1);
@@ -576,7 +686,7 @@ fp.mul(591n, 932n); // multiplication
 fp.pow(481n, 11024858120n); // exponentiation
 fp.div(5n, 17n); // division: 5/17 mod 2^255-19 == 5 * invert(17)
 fp.inv(5n); // modular inverse
-fp.sqrt(21n); // square root
+fp.sqrt(4n); // square root
 
 // Non-Field generic utils are also available
 mod(21n, 10n); // 21 mod 10 == 1n; fixed version of 21 % 10
@@ -634,11 +744,21 @@ cofactor `h` and coordinates `Gx`, `Gy` of generator point.
 #### Custom ECDSA instance
 
 ```js
-import { ecdsa } from '@noble/curves/abstract/weierstrass.js';
-import { sha256 } from '@noble/hashes/sha2.js';
+import { weierstrass, ecdsa } from '@noble/curves/abstract/weierstrass.js';
+import { sha224, sha256 } from '@noble/hashes/sha2.js';
+const p192_CURVE = {
+  p: 0xfffffffffffffffffffffffffffffffeffffffffffffffffn,
+  n: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831n,
+  h: 1n,
+  a: 0xfffffffffffffffffffffffffffffffefffffffffffffffcn,
+  b: 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1n,
+  Gx: 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012n,
+  Gy: 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811n,
+};
+const p192_Point = weierstrass(p192_CURVE);
 const p192_sha256 = ecdsa(p192_Point, sha256);
 // or
-const p192_sha224 = ecdsa(p192.Point, sha224);
+const p192_sha224 = ecdsa(p192_Point, sha224);
 
 const keys = p192_sha256.keygen();
 const msg = new TextEncoder().encode('custom curve');
@@ -648,21 +768,24 @@ const isValid = p192_sha256.verify(sig, msg, keys.publicKey);
 
 ## Security
 
-The library has been independently audited:
+The library has been audited:
 
-- at version 1.6.0, in Sep 2024, by [Cure53](https://cure53.de)
+- at version 2.2.0, in Apr 2026, by ourselves (self-audited)
+  - Scope: everything
+  - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/2.2.0..main)
+- at version 1.6.0, in Sep 2024, independently, by [Cure53](https://cure53.de)
   - PDFs: [website](https://cure53.de/audit-report_noble-crypto-libs.pdf), [in-repo](./audit/2024-09-cure53-audit-nbl4.pdf)
   - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/1.6.0..main)
   - Scope: ed25519, ed448, their add-ons, bls12-381, bn254,
     hash-to-curve, low-level primitives bls, tower, edwards, montgomery.
   - The audit has been funded by [OpenSats](https://opensats.org)
-- at version 1.2.0, in Sep 2023, by [Kudelski Security](https://kudelskisecurity.com)
+- at version 1.2.0, in Sep 2023, independently, by [Kudelski Security](https://kudelskisecurity.com)
   - PDFs: [in-repo](./audit/2023-09-kudelski-audit-starknet.pdf)
   - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/1.2.0..main)
   - Scope: [scure-starknet](https://github.com/paulmillr/scure-starknet) and its related
     abstract modules of noble-curves: `curve`, `modular`, `poseidon`, `weierstrass`
   - The audit has been funded by [Starkware](https://starkware.co)
-- at version 0.7.3, in Feb 2023, by [Trail of Bits](https://www.trailofbits.com)
+- at version 0.7.3, in Feb 2023, independently, by [Trail of Bits](https://www.trailofbits.com)
   - PDFs: [website](https://github.com/trailofbits/publications/blob/master/reviews/2023-01-ryanshea-noblecurveslibrary-securityreview.pdf),
     [in-repo](./audit/2023-01-trailofbits-audit-curves.pdf)
   - [Changes since audit](https://github.com/paulmillr/noble-curves/compare/0.7.3..main)
@@ -711,31 +834,27 @@ test-suite in the actual application that consumes the library.
 
 ### Supply chain security
 
-- **Commits** are signed with PGP keys, to prevent forgery. Make sure to verify commit signatures
-- **Releases** are transparent and built on GitHub CI. Make sure to verify [provenance](https://docs.npmjs.com/generating-provenance-statements) logs
-  - Use GitHub CLI to verify single-file builds:
-    `gh attestation verify --owner paulmillr noble-curves.js`
-- **Rare releasing** is followed to ensure less re-audit need for end-users
-- **Dependencies** are minimized and locked-down: any dependency could get hacked and users will be downloading malware with every install.
-  - We make sure to use as few dependencies as possible
-  - Automatic dep updates are prevented by locking-down version ranges; diffs are checked with `npm-diff`
-- **Dev Dependencies** are disabled for end-users; they are only used to develop / build the source code
+- **Commits** are signed with PGP keys to prevent forgery. Be sure to verify the commit signatures
+- **Releases** are made transparently through token-less GitHub CI and Trusted Publishing. Be sure to verify the [provenance logs](https://docs.npmjs.com/generating-provenance-statements) for authenticity.
+- **Rare releasing** is practiced to minimize the need for re-audits by end-users.
+- **Dependencies** are minimized and strictly pinned to reduce supply-chain risk.
+  - We use as few dependencies as possible.
+  - Version ranges are locked, and changes are checked with npm-diff.
+- **Dev dependencies** are excluded from end-user installs; they’re only used for development and build steps.
 
 For this package, there is 1 dependency; and a few dev dependencies:
 
 - [noble-hashes](https://github.com/paulmillr/noble-hashes) provides cryptographic hashing functionality
-- micro-bmark, micro-should and jsbt are used for benchmarking / testing / build tooling and developed by the same author
-- prettier, fast-check and typescript are used for code quality / test generation / ts compilation. It's hard to audit their source code thoroughly and fully because of their size
+- jsbt is used for benchmarking / testing / build tooling and developed by the same author
+- prettier, fast-check and typescript are used for code quality / test generation / ts compilation
 
 ### Randomness
 
-We're deferring to built-in
-[crypto.getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues)
-which is considered cryptographically secure (CSPRNG).
+We rely on the built-in
+[`crypto.getRandomValues`](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues),
+which is considered a cryptographically secure PRNG.
 
-In the past, browsers had bugs that made it weak: it may happen again.
-Implementing a userspace CSPRNG to get resilient to the weakness
-is even worse: there is no reliable userspace source of quality entropy.
+Browsers have had weaknesses in the past - and could again - but implementing a userspace CSPRNG is even worse, as there’s no reliable userspace source of high-quality entropy.
 
 ### Quantum computers
 
@@ -895,13 +1014,15 @@ Changes:
 - Most methods now expect Uint8Array, string hex inputs are prohibited
     - The change simplifies reasoning, improves security and reduces malleability
     - `Point.fromHex` now expects string-only hex inputs, use `Point.fromBytes` for Uint8Array
+- Many methods were renamed, upgrade to curves v1.9 first to highlight deprecated old names
 - Breaking changes of ECDSA (secp256k1, p256, p384...):
+    - To bring back old behavior, pass `{ prehash: false, lowS: false }` to sign / verify
     - sign, verify: Switch to **prehashed messages**. Instead of
       messageHash, the methods now expect unhashed message.
       To bring back old behavior, use option `{prehash: false}`
     - sign, verify: Switch to **lowS signatures** by default.
       This change doesn't affect secp256k1, which has been using lowS since beginning.
-      To bring back old behavior, use option `{lowS: true}`
+      To bring back old behavior, use option `{lowS: false}`
     - sign, verify: Switch to **Uint8Array signatures** (format: 'compact') by default.
     - verify: **der format must be explicitly specified** in `{format: 'der'}`.
       This reduces malleability
@@ -949,13 +1070,13 @@ Renamings:
 Removed features:
 
 - Point#multiplyAndAddUnsafe, Point#hasEvenY
-- CURVE property with all kinds of random stuff. Point.CURVE() now replaces it, but only provides
+- `CURVE` property with all kinds of random stuff. Point.CURVE() now replaces it, but only provides
   curve parameters
 - Remove `pasta`, `bn254_weierstrass` (NOT pairing-based bn254) curves
+- utils.normPrivateKeyToScalar - use `Point.Fn.fromBytes`
 - Field.MASK
-- utils.normPrivateKeyToScalar
 
-### noble-secp256k1 v1 to curves v1
+### secp256k1 v1, ed25519 v1, bls12-381 v1 to curves v1
 
 Previously, the library was split into single-feature packages
 [noble-secp256k1](https://github.com/paulmillr/noble-secp256k1),
@@ -964,55 +1085,26 @@ Previously, the library was split into single-feature packages
 
 Curves continue their original work. The single-feature packages changed their
 direction towards providing minimal 5kb implementations of cryptography,
-which means they have less features.
-
-- `getPublicKey`
-  - now produce 33-byte compressed signatures by default
-  - to use old behavior, which produced 65-byte uncompressed keys, set
-    argument `isCompressed` to `false`: `getPublicKey(priv, false)`
-- `sign`
-  - is now sync
-  - now returns `Signature` instance with `{ r, s, recovery }` properties
-  - `canonical` option was renamed to `lowS`
-  - `recovered` option has been removed because recovery bit is always returned now
-  - `der` option has been removed. There are 2 options:
-    1. Use compact encoding: `fromCompact`, `toCompactRawBytes`, `toCompactHex`.
-       Compact encoding is simply a concatenation of 32-byte r and 32-byte s.
-    2. If you must use DER encoding, switch to noble-curves (see above).
-- `verify`
-  - is now sync
-  - `strict` option was renamed to `lowS`
-- `getSharedSecret`
-  - now produce 33-byte compressed signatures by default
-  - to use old behavior, which produced 65-byte uncompressed keys, set
-    argument `isCompressed` to `false`: `getSharedSecret(a, b, false)`
+which means they have less features. Separate bls package had been deprecated.
+
+secp256k1:
+
+- `getPublicKey`: defaults to compressed sigs (use second argument to adjust)
+- `sign`: renamed options `canonical` => `lowS`; `der` => `format: 'der'`
+- `verify`: renamed option `strict` => `lowS`
+- `getSharedSecret`: defaults to compressed sigs (use third argument to adjust)
 - `recoverPublicKey(msg, sig, rec)` was changed to `sig.recoverPublicKey(msg)`
-- `number` type for private keys have been removed: use `bigint` instead
 - `Point` (2d xy) has been changed to `ProjectivePoint` (3d xyz)
-- `utils` were split into `utils` (same api as in noble-curves) and
-  `etc` (`hmacSha256Sync` and others)
-
-### noble-ed25519 v1 to curves v1
 
-Upgrading from [@noble/ed25519](https://github.com/paulmillr/noble-ed25519):
+ed25519:
 
-- Methods are now sync by default
-- `bigint` is no longer allowed in `getPublicKey`, `sign`, `verify`. Reason: ed25519 is LE, can lead to bugs
-- `Point` (2d xy) has been changed to `ExtendedPoint` (xyzt)
-- `Signature` was removed: just use raw bytes or hex now
-- `utils` were split into `utils` (same api as in noble-curves) and
-  `etc` (`sha512Sync` and others)
+- `Signature` was removed in favor of raw bytes
 - `getSharedSecret` was moved to `x25519` module
-- `toX25519` has been moved to `edwardsToMontgomeryPub` and `edwardsToMontgomeryPriv` methods
-
-### noble-bls12-381 to curves v1
 
-Upgrading from [@noble/bls12-381](https://github.com/paulmillr/noble-bls12-381):
+bls12-381:
 
-- Methods and classes were renamed:
-  - PointG1 -> G1.Point, PointG2 -> G2.Point
-  - PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
-- Fp2 ORDER was corrected
+- Renamed PointG1 -> G1.Point, PointG2 -> G2.Point
+- Renamed PointG2.fromSignature -> Signature.decode, PointG2.toSignature -> Signature.encode
 
 ## Contributing & testing