@protontech/openpgp 6.1.1-patch.4 → 6.2.1

package/dist/lightweight/noble_curves.mjs

@@ -1,121 +1,38 @@
-/*! OpenPGP.js v6.1.1-patch.4 - 2025-07-14 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
+/*! OpenPGP.js v6.2.1 - 2025-08-28 - this is LGPL licensed code, see LICENSE/our website https://openpgpjs.org/ for more information. */
 const globalThis = typeof window !== 'undefined' ? window : typeof global !== 'undefined' ? global : typeof self !== 'undefined' ? self : {};
 
-import { s as sha256, a as sha384, b as sha512 } from './sha512.mjs';
-import { H as Hash, a as ahash, t as toBytes, b as aexists, c as abytes$1, d as concatBytes$1, r as randomBytes, w as wrapConstructor, u as utf8ToBytes$1, s as shake256 } from './sha3.mjs';
+import { h as hexToBytes, a as abytes, b as bytesToHex, i as isBytes, c as concatBytes, d as anumber, H as Hash, e as ahash, t as toBytes, f as clean, g as aexists, r as randomBytes, s as sha256, j as sha384, k as sha512, l as createHasher, m as shake256, n as sha256$1, o as sha384$1, p as sha512$1 } from './sha512.mjs';
 
-// HMAC (RFC 2104)
-class HMAC extends Hash {
-    constructor(hash, _key) {
-        super();
-        this.finished = false;
-        this.destroyed = false;
-        ahash(hash);
-        const key = toBytes(_key);
-        this.iHash = hash.create();
-        if (typeof this.iHash.update !== 'function')
-            throw new Error('Expected instance of class which extends utils.Hash');
-        this.blockLen = this.iHash.blockLen;
-        this.outputLen = this.iHash.outputLen;
-        const blockLen = this.blockLen;
-        const pad = new Uint8Array(blockLen);
-        // blockLen can be bigger than outputLen
-        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36;
-        this.iHash.update(pad);
-        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
-        this.oHash = hash.create();
-        // Undo internal XOR && apply outer XOR
-        for (let i = 0; i < pad.length; i++)
-            pad[i] ^= 0x36 ^ 0x5c;
-        this.oHash.update(pad);
-        pad.fill(0);
-    }
-    update(buf) {
-        aexists(this);
-        this.iHash.update(buf);
-        return this;
-    }
-    digestInto(out) {
-        aexists(this);
-        abytes$1(out, this.outputLen);
-        this.finished = true;
-        this.iHash.digestInto(out);
-        this.oHash.update(out);
-        this.oHash.digestInto(out);
-        this.destroy();
-    }
-    digest() {
-        const out = new Uint8Array(this.oHash.outputLen);
-        this.digestInto(out);
-        return out;
-    }
-    _cloneInto(to) {
-        // Create new instance without calling constructor since key already in state and we don't know it.
-        to || (to = Object.create(Object.getPrototypeOf(this), {}));
-        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
-        to = to;
-        to.finished = finished;
-        to.destroyed = destroyed;
-        to.blockLen = blockLen;
-        to.outputLen = outputLen;
-        to.oHash = oHash._cloneInto(to.oHash);
-        to.iHash = iHash._cloneInto(to.iHash);
-        return to;
-    }
-    destroy() {
-        this.destroyed = true;
-        this.oHash.destroy();
-        this.iHash.destroy();
-    }
-}
 /**
- * HMAC: RFC2104 message authentication code.
- * @param hash - function that would be used e.g. sha256
- * @param key - message key
- * @param message - message data
- * @example
- * import { hmac } from '@noble/hashes/hmac';
- * import { sha256 } from '@noble/hashes/sha2';
- * const mac1 = hmac(sha256, 'key', 'message');
+ * Hex, bytes and number utilities.
+ * @module
  */
-const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
-hmac.create = (hash, key) => new HMAC(hash, key);
-
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// 100 lines of code in the file are duplicated from noble-hashes (utils).
-// This is OK: `abstract` directory does not use noble-hashes.
-// User may opt-in into using different hashing library. This way, noble-hashes
-// won't be included into their bundle.
 const _0n$5 = /* @__PURE__ */ BigInt(0);
-const _1n$7 = /* @__PURE__ */ BigInt(1);
-const _2n$4 = /* @__PURE__ */ BigInt(2);
-function isBytes(a) {
-    return a instanceof Uint8Array || (ArrayBuffer.isView(a) && a.constructor.name === 'Uint8Array');
-}
-function abytes(item) {
-    if (!isBytes(item))
-        throw new Error('Uint8Array expected');
-}
-function abool(title, value) {
-    if (typeof value !== 'boolean')
-        throw new Error(title + ' boolean expected, got ' + value);
-}
-// Array where index 0xf0 (240) is mapped to string 'f0'
-const hexes = /* @__PURE__ */ Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'));
-/**
- * @example bytesToHex(Uint8Array.from([0xca, 0xfe, 0x01, 0x23])) // 'cafe0123'
- */
-function bytesToHex(bytes) {
-    abytes(bytes);
-    // pre-caching improves the speed 6x
-    let hex = '';
-    for (let i = 0; i < bytes.length; i++) {
-        hex += hexes[bytes[i]];
+const _1n$6 = /* @__PURE__ */ BigInt(1);
+// tmp name until v2
+function _abool2(value, title = '') {
+    if (typeof value !== 'boolean') {
+        const prefix = title && `"${title}"`;
+        throw new Error(prefix + 'expected boolean, got type=' + typeof value);
     }
-    return hex;
+    return value;
+}
+// tmp name until v2
+/** Asserts something is Uint8Array. */
+function _abytes2(value, length, title = '') {
+    const bytes = isBytes(value);
+    const len = value?.length;
+    const needsLen = length !== undefined;
+    if (!bytes || (needsLen && len !== length)) {
+        const prefix = title && `"${title}" `;
+        const ofLen = needsLen ? ` of length ${length}` : '';
+        const got = bytes ? `length=${len}` : `type=${typeof value}`;
+        throw new Error(prefix + 'expected Uint8Array' + ofLen + ', got ' + got);
+    }
+    return value;
 }
+// Used in weierstrass, der
 function numberToHexUnpadded(num) {
     const hex = num.toString(16);
     return hex.length & 1 ? '0' + hex : hex;
@@ -125,39 +42,6 @@ function hexToNumber(hex) {
         throw new Error('hex string expected, got ' + typeof hex);
     return hex === '' ? _0n$5 : BigInt('0x' + hex); // Big Endian
 }
-// We use optimized technique to convert hex string to byte array
-const asciis = { _0: 48, _9: 57, A: 65, F: 70, a: 97, f: 102 };
-function asciiToBase16(ch) {
-    if (ch >= asciis._0 && ch <= asciis._9)
-        return ch - asciis._0; // '2' => 50-48
-    if (ch >= asciis.A && ch <= asciis.F)
-        return ch - (asciis.A - 10); // 'B' => 66-(65-10)
-    if (ch >= asciis.a && ch <= asciis.f)
-        return ch - (asciis.a - 10); // 'b' => 98-(97-10)
-    return;
-}
-/**
- * @example hexToBytes('cafe0123') // Uint8Array.from([0xca, 0xfe, 0x01, 0x23])
- */
-function hexToBytes(hex) {
-    if (typeof hex !== 'string')
-        throw new Error('hex string expected, got ' + typeof hex);
-    const hl = hex.length;
-    const al = hl / 2;
-    if (hl % 2)
-        throw new Error('hex string expected, got unpadded hex of length ' + hl);
-    const array = new Uint8Array(al);
-    for (let ai = 0, hi = 0; ai < al; ai++, hi += 2) {
-        const n1 = asciiToBase16(hex.charCodeAt(hi));
-        const n2 = asciiToBase16(hex.charCodeAt(hi + 1));
-        if (n1 === undefined || n2 === undefined) {
-            const char = hex[hi] + hex[hi + 1];
-            throw new Error('hex string expected, got non-hex character "' + char + '" at index ' + hi);
-        }
-        array[ai] = n1 * 16 + n2; // multiply first octet, e.g. 'a3' => 10*16+3 => 160 + 3 => 163
-    }
-    return array;
-}
 // BE: Big Endian, LE: Little Endian
 function bytesToNumberBE(bytes) {
     return hexToNumber(bytesToHex(bytes));
@@ -172,15 +56,11 @@ function numberToBytesBE(n, len) {
 function numberToBytesLE(n, len) {
     return numberToBytesBE(n, len).reverse();
 }
-// Unpadded, rarely used
-function numberToVarBytesBE(n) {
-    return hexToBytes(numberToHexUnpadded(n));
-}
 /**
  * Takes hex string or Uint8Array, converts to Uint8Array.
  * Validates output length.
  * Will throw error for other types.
- * @param title descriptive title for an error e.g. 'private key'
+ * @param title descriptive title for an error e.g. 'secret key'
  * @param hex hex string or Uint8Array
  * @param expectedLength optional, will compare to result array's length
  * @returns
@@ -209,40 +89,35 @@ function ensureBytes(title, hex, expectedLength) {
     return res;
 }
 /**
- * Copies several Uint8Arrays into one.
+ * Copies Uint8Array. We can't use u8a.slice(), because u8a can be Buffer,
+ * and Buffer#slice creates mutable copy. Never use Buffers!
  */
-function concatBytes(...arrays) {
-    let sum = 0;
-    for (let i = 0; i < arrays.length; i++) {
-        const a = arrays[i];
-        abytes(a);
-        sum += a.length;
-    }
-    const res = new Uint8Array(sum);
-    for (let i = 0, pad = 0; i < arrays.length; i++) {
-        const a = arrays[i];
-        res.set(a, pad);
-        pad += a.length;
-    }
-    return res;
+function copyBytes(bytes) {
+    return Uint8Array.from(bytes);
 }
-// Compares 2 u8a-s in kinda constant time
-function equalBytes(a, b) {
-    if (a.length !== b.length)
-        return false;
-    let diff = 0;
-    for (let i = 0; i < a.length; i++)
-        diff |= a[i] ^ b[i];
-    return diff === 0;
+/**
+ * Decodes 7-bit ASCII string to Uint8Array, throws on non-ascii symbols
+ * Should be safe to use for things expected to be ASCII.
+ * Returns exact same result as utf8ToBytes for ASCII or throws.
+ */
+function asciiToBytes(ascii) {
+    return Uint8Array.from(ascii, (c, i) => {
+        const charCode = c.charCodeAt(0);
+        if (c.length !== 1 || charCode > 127) {
+            throw new Error(`string contains non-ASCII character "${ascii[i]}" with code ${charCode} at position ${i}`);
+        }
+        return charCode;
+    });
 }
 /**
  * @example utf8ToBytes('abc') // new Uint8Array([97, 98, 99])
  */
-function utf8ToBytes(str) {
-    if (typeof str !== 'string')
-        throw new Error('string expected');
-    return new Uint8Array(new TextEncoder().encode(str)); // https://bugzil.la/1681809
-}
+// export const utf8ToBytes: typeof utf8ToBytes_ = utf8ToBytes_;
+/**
+ * Converts bytes to string using UTF8 encoding.
+ * @example bytesToUtf8(Uint8Array.from([97, 98, 99])) // 'abc'
+ */
+// export const bytesToUtf8: typeof bytesToUtf8_ = bytesToUtf8_;
 // Is positive bigint
 const isPosBig = (n) => typeof n === 'bigint' && _0n$5 <= n;
 function inRange(n, min, max) {
@@ -266,35 +141,19 @@ function aInRange(title, n, min, max) {
 /**
  * Calculates amount of bits in a bigint.
  * Same as `n.toString(2).length`
+ * TODO: merge with nLength in modular
  */
 function bitLen(n) {
     let len;
-    for (len = 0; n > _0n$5; n >>= _1n$7, len += 1)
+    for (len = 0; n > _0n$5; n >>= _1n$6, len += 1)
         ;
     return len;
 }
-/**
- * Gets single bit at position.
- * NOTE: first bit position is 0 (same as arrays)
- * Same as `!!+Array.from(n.toString(2)).reverse()[pos]`
- */
-function bitGet(n, pos) {
-    return (n >> BigInt(pos)) & _1n$7;
-}
-/**
- * Sets single bit at position.
- */
-function bitSet(n, pos, value) {
-    return n | ((value ? _1n$7 : _0n$5) << BigInt(pos));
-}
 /**
  * Calculate mask for N bits. Not using ** operator with bigints because of old engines.
  * Same as BigInt(`0b${Array(i).fill('1').join('')}`)
  */
-const bitMask = (n) => (_2n$4 << BigInt(n - 1)) - _1n$7;
-// DRBG
-const u8n = (data) => new Uint8Array(data); // creates Uint8Array
-const u8fr = (arr) => Uint8Array.from(arr); // another shortcut
+const bitMask = (n) => (_1n$6 << BigInt(n)) - _1n$6;
 /**
  * Minimal HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
  * @returns function that will call DRBG until 2nd arg returns something meaningful
@@ -310,6 +169,8 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
     if (typeof hmacFn !== 'function')
         throw new Error('hmacFn must be a function');
     // Step B, Step C: set hashLen to 8*ceil(hlen/8)
+    const u8n = (len) => new Uint8Array(len); // creates Uint8Array
+    const u8of = (byte) => Uint8Array.of(byte); // another shortcut
     let v = u8n(hashLen); // Minimal non-full-spec HMAC-DRBG from NIST 800-90 for RFC6979 sigs.
     let k = u8n(hashLen); // Steps B and C of RFC6979 3.2: set hashLen, in our case always same
     let i = 0; // Iterations counter, will throw when over 1000
@@ -319,13 +180,13 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
         i = 0;
     };
     const h = (...b) => hmacFn(k, v, ...b); // hmac(k)(v, ...values)
-    const reseed = (seed = u8n()) => {
+    const reseed = (seed = u8n(0)) => {
         // HMAC-DRBG reseed() function. Steps D-G
-        k = h(u8fr([0x00]), seed); // k = hmac(k || v || 0x00 || seed)
+        k = h(u8of(0x00), seed); // k = hmac(k || v || 0x00 || seed)
         v = h(); // v = hmac(k || v)
         if (seed.length === 0)
             return;
-        k = h(u8fr([0x01]), seed); // k = hmac(k || v || 0x01 || seed)
+        k = h(u8of(0x01), seed); // k = hmac(k || v || 0x01 || seed)
         v = h(); // v = hmac(k || v)
     };
     const gen = () => {
@@ -353,51 +214,20 @@ function createHmacDrbg(hashLen, qByteLen, hmacFn) {
     };
     return genUntil;
 }
-// Validating curves and fields
-const validatorFns = {
-    bigint: (val) => typeof val === 'bigint',
-    function: (val) => typeof val === 'function',
-    boolean: (val) => typeof val === 'boolean',
-    string: (val) => typeof val === 'string',
-    stringOrUint8Array: (val) => typeof val === 'string' || isBytes(val),
-    isSafeInteger: (val) => Number.isSafeInteger(val),
-    array: (val) => Array.isArray(val),
-    field: (val, object) => object.Fp.isValid(val),
-    hash: (val) => typeof val === 'function' && Number.isSafeInteger(val.outputLen),
-};
-// type Record<K extends string | number | symbol, T> = { [P in K]: T; }
-function validateObject(object, validators, optValidators = {}) {
-    const checkField = (fieldName, type, isOptional) => {
-        const checkVal = validatorFns[type];
-        if (typeof checkVal !== 'function')
-            throw new Error('invalid validator function');
+function _validateObject(object, fields, optFields = {}) {
+    if (!object || typeof object !== 'object')
+        throw new Error('expected valid options object');
+    function checkField(fieldName, expectedType, isOpt) {
         const val = object[fieldName];
-        if (isOptional && val === undefined)
+        if (isOpt && val === undefined)
             return;
-        if (!checkVal(val, object)) {
-            throw new Error('param ' + String(fieldName) + ' is invalid. Expected ' + type + ', got ' + val);
-        }
-    };
-    for (const [fieldName, type] of Object.entries(validators))
-        checkField(fieldName, type, false);
-    for (const [fieldName, type] of Object.entries(optValidators))
-        checkField(fieldName, type, true);
-    return object;
-}
-// validate type tests
-// const o: { a: number; b: number; c: number } = { a: 1, b: 5, c: 6 };
-// const z0 = validateObject(o, { a: 'isSafeInteger' }, { c: 'bigint' }); // Ok!
-// // Should fail type-check
-// const z1 = validateObject(o, { a: 'tmp' }, { c: 'zz' });
-// const z2 = validateObject(o, { a: 'isSafeInteger' }, { c: 'zz' });
-// const z3 = validateObject(o, { test: 'boolean', z: 'bug' });
-// const z4 = validateObject(o, { a: 'boolean', z: 'bug' });
-/**
- * throws not implemented error
- */
-const notImplemented = () => {
-    throw new Error('not implemented');
-};
+        const current = typeof val;
+        if (current !== expectedType || val === null)
+            throw new Error(`param "${fieldName}" is invalid: expected ${expectedType}, got ${current}`);
+    }
+    Object.entries(fields).forEach(([k, v]) => checkField(k, v, false));
+    Object.entries(optFields).forEach(([k, v]) => checkField(k, v, true));
+}
 /**
  * Memoizes (caches) computation result.
  * Uses WeakMap: the value is going auto-cleaned by GC after last reference is removed.
@@ -414,71 +244,25 @@ function memoized(fn) {
     };
 }
 
-var ut = /*#__PURE__*/Object.freeze({
-    __proto__: null,
-    aInRange: aInRange,
-    abool: abool,
-    abytes: abytes,
-    bitGet: bitGet,
-    bitLen: bitLen,
-    bitMask: bitMask,
-    bitSet: bitSet,
-    bytesToHex: bytesToHex,
-    bytesToNumberBE: bytesToNumberBE,
-    bytesToNumberLE: bytesToNumberLE,
-    concatBytes: concatBytes,
-    createHmacDrbg: createHmacDrbg,
-    ensureBytes: ensureBytes,
-    equalBytes: equalBytes,
-    hexToBytes: hexToBytes,
-    hexToNumber: hexToNumber,
-    inRange: inRange,
-    isBytes: isBytes,
-    memoized: memoized,
-    notImplemented: notImplemented,
-    numberToBytesBE: numberToBytesBE,
-    numberToBytesLE: numberToBytesLE,
-    numberToHexUnpadded: numberToHexUnpadded,
-    numberToVarBytesBE: numberToVarBytesBE,
-    utf8ToBytes: utf8ToBytes,
-    validateObject: validateObject
-});
-
+/**
+ * Utils for modular division and fields.
+ * Field over 11 is a finite (Galois) field is integer number operations `mod 11`.
+ * There is no division: it is replaced by modular multiplicative inverse.
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Utilities for modular arithmetics and finite fields
 // prettier-ignore
-const _0n$4 = BigInt(0), _1n$6 = BigInt(1), _2n$3 = /* @__PURE__ */ BigInt(2), _3n$2 = /* @__PURE__ */ BigInt(3);
+const _0n$4 = BigInt(0), _1n$5 = BigInt(1), _2n$5 = /* @__PURE__ */ BigInt(2), _3n$2 = /* @__PURE__ */ BigInt(3);
+// prettier-ignore
+const _4n$1 = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _7n = /* @__PURE__ */ BigInt(7);
 // prettier-ignore
-const _4n = /* @__PURE__ */ BigInt(4), _5n = /* @__PURE__ */ BigInt(5), _8n$1 = /* @__PURE__ */ BigInt(8);
+const _8n$1 = /* @__PURE__ */ BigInt(8), _9n = /* @__PURE__ */ BigInt(9), _16n = /* @__PURE__ */ BigInt(16);
 // Calculates a modulo b
 function mod(a, b) {
     const result = a % b;
     return result >= _0n$4 ? result : b + result;
 }
-/**
- * Efficiently raise num to power and do modular division.
- * Unsafe in some contexts: uses ladder, so can expose bigint bits.
- * @example
- * pow(2n, 6n, 11n) // 64n % 11n == 9n
- */
-// TODO: use field version && remove
-function pow(num, power, modulo) {
-    if (power < _0n$4)
-        throw new Error('invalid exponent, negatives unsupported');
-    if (modulo <= _0n$4)
-        throw new Error('invalid modulus');
-    if (modulo === _1n$6)
-        return _0n$4;
-    let res = _1n$6;
-    while (power > _0n$4) {
-        if (power & _1n$6)
-            res = (res * num) % modulo;
-        num = (num * num) % modulo;
-        power >>= _1n$6;
-    }
-    return res;
-}
-// Does x ^ (2 ^ power) mod p. pow2(30, 4) == 30 ^ (2 ^ 4)
+/** Does `x^(2^power)` mod p. `pow2(30, 4)` == `30^(2^4)` */
 function pow2(x, power, modulo) {
     let res = x;
     while (power-- > _0n$4) {
@@ -487,18 +271,20 @@ function pow2(x, power, modulo) {
     }
     return res;
 }
-// Inverses number over modulo
+/**
+ * Inverses number over modulo.
+ * Implemented using [Euclidean GCD](https://brilliant.org/wiki/extended-euclidean-algorithm/).
+ */
 function invert(number, modulo) {
     if (number === _0n$4)
         throw new Error('invert: expected non-zero number');
     if (modulo <= _0n$4)
         throw new Error('invert: expected positive modulus, got ' + modulo);
-    // Euclidean GCD https://brilliant.org/wiki/extended-euclidean-algorithm/
     // Fermat's little theorem "CT-like" version inv(n) = n^(m-2) mod m is 30x slower.
     let a = mod(number, modulo);
     let b = modulo;
     // prettier-ignore
-    let x = _0n$4, u = _1n$6;
+    let x = _0n$4, u = _1n$5;
     while (a !== _0n$4) {
         // JIT applies optimization if those two lines follow each other
         const q = b / a;
@@ -508,111 +294,152 @@ function invert(number, modulo) {
         b = a, a = r, x = u, u = m;
     }
     const gcd = b;
-    if (gcd !== _1n$6)
+    if (gcd !== _1n$5)
         throw new Error('invert: does not exist');
     return mod(x, modulo);
 }
+function assertIsSquare(Fp, root, n) {
+    if (!Fp.eql(Fp.sqr(root), n))
+        throw new Error('Cannot find square root');
+}
+// Not all roots are possible! Example which will throw:
+// const NUM =
+// n = 72057594037927816n;
+// Fp = Field(BigInt('0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaab'));
+function sqrt3mod4(Fp, n) {
+    const p1div4 = (Fp.ORDER + _1n$5) / _4n$1;
+    const root = Fp.pow(n, p1div4);
+    assertIsSquare(Fp, root, n);
+    return root;
+}
+function sqrt5mod8(Fp, n) {
+    const p5div8 = (Fp.ORDER - _5n) / _8n$1;
+    const n2 = Fp.mul(n, _2n$5);
+    const v = Fp.pow(n2, p5div8);
+    const nv = Fp.mul(n, v);
+    const i = Fp.mul(Fp.mul(nv, _2n$5), v);
+    const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
+    assertIsSquare(Fp, root, n);
+    return root;
+}
+// Based on RFC9380, Kong algorithm
+// prettier-ignore
+function sqrt9mod16(P) {
+    const Fp_ = Field(P);
+    const tn = tonelliShanks(P);
+    const c1 = tn(Fp_, Fp_.neg(Fp_.ONE)); //  1. c1 = sqrt(-1) in F, i.e., (c1^2) == -1 in F
+    const c2 = tn(Fp_, c1); //  2. c2 = sqrt(c1) in F, i.e., (c2^2) == c1 in F
+    const c3 = tn(Fp_, Fp_.neg(c1)); //  3. c3 = sqrt(-c1) in F, i.e., (c3^2) == -c1 in F
+    const c4 = (P + _7n) / _16n; //  4. c4 = (q + 7) / 16        # Integer arithmetic
+    return (Fp, n) => {
+        let tv1 = Fp.pow(n, c4); //  1. tv1 = x^c4
+        let tv2 = Fp.mul(tv1, c1); //  2. tv2 = c1 * tv1
+        const tv3 = Fp.mul(tv1, c2); //  3. tv3 = c2 * tv1
+        const tv4 = Fp.mul(tv1, c3); //  4. tv4 = c3 * tv1
+        const e1 = Fp.eql(Fp.sqr(tv2), n); //  5.  e1 = (tv2^2) == x
+        const e2 = Fp.eql(Fp.sqr(tv3), n); //  6.  e2 = (tv3^2) == x
+        tv1 = Fp.cmov(tv1, tv2, e1); //  7. tv1 = CMOV(tv1, tv2, e1)  # Select tv2 if (tv2^2) == x
+        tv2 = Fp.cmov(tv4, tv3, e2); //  8. tv2 = CMOV(tv4, tv3, e2)  # Select tv3 if (tv3^2) == x
+        const e3 = Fp.eql(Fp.sqr(tv2), n); //  9.  e3 = (tv2^2) == x
+        const root = Fp.cmov(tv1, tv2, e3); // 10.  z = CMOV(tv1, tv2, e3)   # Select sqrt from tv1 & tv2
+        assertIsSquare(Fp, root, n);
+        return root;
+    };
+}
 /**
  * Tonelli-Shanks square root search algorithm.
  * 1. https://eprint.iacr.org/2012/685.pdf (page 12)
  * 2. Square Roots from 1; 24, 51, 10 to Dan Shanks
- * Will start an infinite loop if field order P is not prime.
  * @param P field order
  * @returns function that takes field Fp (created from P) and number n
  */
 function tonelliShanks(P) {
-    // Legendre constant: used to calculate Legendre symbol (a | p),
-    // which denotes the value of a^((p-1)/2) (mod p).
-    // (a | p) ≡ 1    if a is a square (mod p)
-    // (a | p) ≡ -1   if a is not a square (mod p)
-    // (a | p) ≡ 0    if a ≡ 0 (mod p)
-    const legendreC = (P - _1n$6) / _2n$3;
-    let Q, S, Z;
-    // Step 1: By factoring out powers of 2 from p - 1,
-    // find q and s such that p - 1 = q*(2^s) with q odd
-    for (Q = P - _1n$6, S = 0; Q % _2n$3 === _0n$4; Q /= _2n$3, S++)
-        ;
-    // Step 2: Select a non-square z such that (z | p) ≡ -1 and set c ≡ zq
-    for (Z = _2n$3; Z < P && pow(Z, legendreC, P) !== P - _1n$6; Z++) {
-        // Crash instead of infinity loop, we cannot reasonable count until P.
-        if (Z > 1000)
-            throw new Error('Cannot find square root: likely non-prime P');
-    }
-    // Fast-path
-    if (S === 1) {
-        const p1div4 = (P + _1n$6) / _4n;
-        return function tonelliFast(Fp, n) {
-            const root = Fp.pow(n, p1div4);
-            if (!Fp.eql(Fp.sqr(root), n))
-                throw new Error('Cannot find square root');
-            return root;
-        };
+    // Initialization (precomputation).
+    // Caching initialization could boost perf by 7%.
+    if (P < _3n$2)
+        throw new Error('sqrt is not defined for small field');
+    // Factor P - 1 = Q * 2^S, where Q is odd
+    let Q = P - _1n$5;
+    let S = 0;
+    while (Q % _2n$5 === _0n$4) {
+        Q /= _2n$5;
+        S++;
     }
+    // Find the first quadratic non-residue Z >= 2
+    let Z = _2n$5;
+    const _Fp = Field(P);
+    while (FpLegendre(_Fp, Z) === 1) {
+        // Basic primality test for P. After x iterations, chance of
+        // not finding quadratic non-residue is 2^x, so 2^1000.
+        if (Z++ > 1000)
+            throw new Error('Cannot find square root: probably non-prime P');
+    }
+    // Fast-path; usually done before Z, but we do "primality test".
+    if (S === 1)
+        return sqrt3mod4;
     // Slow-path
-    const Q1div2 = (Q + _1n$6) / _2n$3;
+    // TODO: test on Fp2 and others
+    let cc = _Fp.pow(Z, Q); // c = z^Q
+    const Q1div2 = (Q + _1n$5) / _2n$5;
     return function tonelliSlow(Fp, n) {
-        // Step 0: Check that n is indeed a square: (n | p) should not be ≡ -1
-        if (Fp.pow(n, legendreC) === Fp.neg(Fp.ONE))
+        if (Fp.is0(n))
+            return n;
+        // Check if n is a quadratic residue using Legendre symbol
+        if (FpLegendre(Fp, n) !== 1)
             throw new Error('Cannot find square root');
-        let r = S;
-        // TODO: will fail at Fp2/etc
-        let g = Fp.pow(Fp.mul(Fp.ONE, Z), Q); // will update both x and b
-        let x = Fp.pow(n, Q1div2); // first guess at the square root
-        let b = Fp.pow(n, Q); // first guess at the fudge factor
-        while (!Fp.eql(b, Fp.ONE)) {
-            if (Fp.eql(b, Fp.ZERO))
-                return Fp.ZERO; // https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm (4. If t = 0, return r = 0)
-            // Find m such b^(2^m)==1
-            let m = 1;
-            for (let t2 = Fp.sqr(b); m < r; m++) {
-                if (Fp.eql(t2, Fp.ONE))
-                    break;
-                t2 = Fp.sqr(t2); // t2 *= t2
+        // Initialize variables for the main loop
+        let M = S;
+        let c = Fp.mul(Fp.ONE, cc); // c = z^Q, move cc from field _Fp into field Fp
+        let t = Fp.pow(n, Q); // t = n^Q, first guess at the fudge factor
+        let R = Fp.pow(n, Q1div2); // R = n^((Q+1)/2), first guess at the square root
+        // Main loop
+        // while t != 1
+        while (!Fp.eql(t, Fp.ONE)) {
+            if (Fp.is0(t))
+                return Fp.ZERO; // if t=0 return R=0
+            let i = 1;
+            // Find the smallest i >= 1 such that t^(2^i) ≡ 1 (mod P)
+            let t_tmp = Fp.sqr(t); // t^(2^1)
+            while (!Fp.eql(t_tmp, Fp.ONE)) {
+                i++;
+                t_tmp = Fp.sqr(t_tmp); // t^(2^2)...
+                if (i === M)
+                    throw new Error('Cannot find square root');
             }
-            // NOTE: r-m-1 can be bigger than 32, need to convert to bigint before shift, otherwise there will be overflow
-            const ge = Fp.pow(g, _1n$6 << BigInt(r - m - 1)); // ge = 2^(r-m-1)
-            g = Fp.sqr(ge); // g = ge * ge
-            x = Fp.mul(x, ge); // x *= ge
-            b = Fp.mul(b, g); // b *= g
-            r = m;
-        }
-        return x;
+            // Calculate the exponent for b: 2^(M - i - 1)
+            const exponent = _1n$5 << BigInt(M - i - 1); // bigint is important
+            const b = Fp.pow(c, exponent); // b = 2^(M - i - 1)
+            // Update variables
+            M = i;
+            c = Fp.sqr(b); // c = b^2
+            t = Fp.mul(t, c); // t = (t * b^2)
+            R = Fp.mul(R, b); // R = R*b
+        }
+        return R;
     };
 }
+/**
+ * Square root for a finite field. Will try optimized versions first:
+ *
+ * 1. P ≡ 3 (mod 4)
+ * 2. P ≡ 5 (mod 8)
+ * 3. P ≡ 9 (mod 16)
+ * 4. Tonelli-Shanks algorithm
+ *
+ * Different algorithms can give different roots, it is up to user to decide which one they want.
+ * For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
+ */
 function FpSqrt(P) {
-    // NOTE: different algorithms can give different roots, it is up to user to decide which one they want.
-    // For example there is FpSqrtOdd/FpSqrtEven to choice root based on oddness (used for hash-to-curve).
-    // P ≡ 3 (mod 4)
-    // √n = n^((P+1)/4)
-    if (P % _4n === _3n$2) {
-        // Not all roots possible!
-        // const ORDER =
-        //   0x1a0111ea397fe69a4b1ba7b6434bacd764774b84f38512bf6730d2a0f6b0f6241eabfffeb153ffffb9feffffffffaaabn;
-        // const NUM = 72057594037927816n;
-        const p1div4 = (P + _1n$6) / _4n;
-        return function sqrt3mod4(Fp, n) {
-            const root = Fp.pow(n, p1div4);
-            // Throw if root**2 != n
-            if (!Fp.eql(Fp.sqr(root), n))
-                throw new Error('Cannot find square root');
-            return root;
-        };
-    }
-    // Atkin algorithm for q ≡ 5 (mod 8), https://eprint.iacr.org/2012/685.pdf (page 10)
-    if (P % _8n$1 === _5n) {
-        const c1 = (P - _5n) / _8n$1;
-        return function sqrt5mod8(Fp, n) {
-            const n2 = Fp.mul(n, _2n$3);
-            const v = Fp.pow(n2, c1);
-            const nv = Fp.mul(n, v);
-            const i = Fp.mul(Fp.mul(nv, _2n$3), v);
-            const root = Fp.mul(nv, Fp.sub(i, Fp.ONE));
-            if (!Fp.eql(Fp.sqr(root), n))
-                throw new Error('Cannot find square root');
-            return root;
-        };
-    }
-    // Other cases: Tonelli-Shanks algorithm
+    // P ≡ 3 (mod 4) => √n = n^((P+1)/4)
+    if (P % _4n$1 === _3n$2)
+        return sqrt3mod4;
+    // P ≡ 5 (mod 8) => Atkin algorithm, page 10 of https://eprint.iacr.org/2012/685.pdf
+    if (P % _8n$1 === _5n)
+        return sqrt5mod8;
+    // P ≡ 9 (mod 16) => Kong algorithm, page 11 of https://eprint.iacr.org/2012/685.pdf (algorithm 4)
+    if (P % _16n === _9n)
+        return sqrt9mod16(P);
+    // Tonelli-Shanks algorithm
     return tonelliShanks(P);
 }
 // prettier-ignore
@@ -625,99 +452,156 @@ function validateField(field) {
     const initial = {
         ORDER: 'bigint',
         MASK: 'bigint',
-        BYTES: 'isSafeInteger',
-        BITS: 'isSafeInteger',
+        BYTES: 'number',
+        BITS: 'number',
     };
     const opts = FIELD_FIELDS.reduce((map, val) => {
         map[val] = 'function';
         return map;
     }, initial);
-    return validateObject(field, opts);
+    _validateObject(field, opts);
+    // const max = 16384;
+    // if (field.BYTES < 1 || field.BYTES > max) throw new Error('invalid field');
+    // if (field.BITS < 1 || field.BITS > 8 * max) throw new Error('invalid field');
+    return field;
 }
 // Generic field functions
 /**
  * Same as `pow` but for Fp: non-constant-time.
  * Unsafe in some contexts: uses ladder, so can expose bigint bits.
  */
-function FpPow(f, num, power) {
-    // Should have same speed as pow for bigints
-    // TODO: benchmark!
+function FpPow(Fp, num, power) {
     if (power < _0n$4)
         throw new Error('invalid exponent, negatives unsupported');
     if (power === _0n$4)
-        return f.ONE;
-    if (power === _1n$6)
+        return Fp.ONE;
+    if (power === _1n$5)
         return num;
-    let p = f.ONE;
+    let p = Fp.ONE;
     let d = num;
     while (power > _0n$4) {
-        if (power & _1n$6)
-            p = f.mul(p, d);
-        d = f.sqr(d);
-        power >>= _1n$6;
+        if (power & _1n$5)
+            p = Fp.mul(p, d);
+        d = Fp.sqr(d);
+        power >>= _1n$5;
     }
     return p;
 }
 /**
  * Efficiently invert an array of Field elements.
- * `inv(0)` will return `undefined` here: make sure to throw an error.
+ * Exception-free. Will return `undefined` for 0 elements.
+ * @param passZero map 0 to 0 (instead of undefined)
  */
-function FpInvertBatch(f, nums) {
-    const tmp = new Array(nums.length);
+function FpInvertBatch(Fp, nums, passZero = false) {
+    const inverted = new Array(nums.length).fill(passZero ? Fp.ZERO : undefined);
     // Walk from first to last, multiply them by each other MOD p
-    const lastMultiplied = nums.reduce((acc, num, i) => {
-        if (f.is0(num))
+    const multipliedAcc = nums.reduce((acc, num, i) => {
+        if (Fp.is0(num))
             return acc;
-        tmp[i] = acc;
-        return f.mul(acc, num);
-    }, f.ONE);
+        inverted[i] = acc;
+        return Fp.mul(acc, num);
+    }, Fp.ONE);
     // Invert last element
-    const inverted = f.inv(lastMultiplied);
+    const invertedAcc = Fp.inv(multipliedAcc);
     // Walk from last to first, multiply them by inverted each other MOD p
     nums.reduceRight((acc, num, i) => {
-        if (f.is0(num))
+        if (Fp.is0(num))
             return acc;
-        tmp[i] = f.mul(acc, tmp[i]);
-        return f.mul(acc, num);
-    }, inverted);
-    return tmp;
+        inverted[i] = Fp.mul(acc, inverted[i]);
+        return Fp.mul(acc, num);
+    }, invertedAcc);
+    return inverted;
+}
+/**
+ * Legendre symbol.
+ * Legendre constant is used to calculate Legendre symbol (a | p)
+ * which denotes the value of a^((p-1)/2) (mod p).
+ *
+ * * (a | p) ≡ 1    if a is a square (mod p), quadratic residue
+ * * (a | p) ≡ -1   if a is not a square (mod p), quadratic non residue
+ * * (a | p) ≡ 0    if a ≡ 0 (mod p)
+ */
+function FpLegendre(Fp, n) {
+    // We can use 3rd argument as optional cache of this value
+    // but seems unneeded for now. The operation is very fast.
+    const p1mod2 = (Fp.ORDER - _1n$5) / _2n$5;
+    const powered = Fp.pow(n, p1mod2);
+    const yes = Fp.eql(powered, Fp.ONE);
+    const zero = Fp.eql(powered, Fp.ZERO);
+    const no = Fp.eql(powered, Fp.neg(Fp.ONE));
+    if (!yes && !zero && !no)
+        throw new Error('invalid Legendre symbol result');
+    return yes ? 1 : zero ? 0 : -1;
 }
 // CURVE.n lengths
 function nLength(n, nBitLength) {
     // Bit size, byte size of CURVE.n
+    if (nBitLength !== undefined)
+        anumber(nBitLength);
     const _nBitLength = nBitLength !== undefined ? nBitLength : n.toString(2).length;
     const nByteLength = Math.ceil(_nBitLength / 8);
     return { nBitLength: _nBitLength, nByteLength };
 }
 /**
- * Initializes a finite field over prime. **Non-primes are not supported.**
- * Do not init in loop: slow. Very fragile: always run a benchmark on a change.
- * Major performance optimizations:
- * * a) denormalized operations like mulN instead of mul
- * * b) same object shape: never add or remove keys
- * * c) Object.freeze
- * NOTE: operations don't check 'isValid' for all elements for performance reasons,
+ * Creates a finite field. Major performance optimizations:
+ * * 1. Denormalized operations like mulN instead of mul.
+ * * 2. Identical object shape: never add or remove keys.
+ * * 3. `Object.freeze`.
+ * Fragile: always run a benchmark on a change.
+ * Security note: operations don't check 'isValid' for all elements for performance reasons,
  * it is caller responsibility to check this.
- * This is low-level code, please make sure you know what you doing.
- * @param ORDER prime positive bigint
+ * This is low-level code, please make sure you know what you're doing.
+ *
+ * Note about field properties:
+ * * CHARACTERISTIC p = prime number, number of elements in main subgroup.
+ * * ORDER q = similar to cofactor in curves, may be composite `q = p^m`.
+ *
+ * @param ORDER field order, probably prime, or could be composite
  * @param bitLen how many bits the field consumes
- * @param isLE (def: false) if encoding / decoding should be in little-endian
+ * @param isLE (default: false) if encoding / decoding should be in little-endian
  * @param redef optional faster redefinitions of sqrt and other methods
  */
-function Field(ORDER, bitLen, isLE = false, redef = {}) {
+function Field(ORDER, bitLenOrOpts, // TODO: use opts only in v2?
+isLE = false, opts = {}) {
     if (ORDER <= _0n$4)
         throw new Error('invalid field: expected ORDER > 0, got ' + ORDER);
-    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, bitLen);
+    let _nbitLength = undefined;
+    let _sqrt = undefined;
+    let modFromBytes = false;
+    let allowedLengths = undefined;
+    if (typeof bitLenOrOpts === 'object' && bitLenOrOpts != null) {
+        if (opts.sqrt || isLE)
+            throw new Error('cannot specify opts in two arguments');
+        const _opts = bitLenOrOpts;
+        if (_opts.BITS)
+            _nbitLength = _opts.BITS;
+        if (_opts.sqrt)
+            _sqrt = _opts.sqrt;
+        if (typeof _opts.isLE === 'boolean')
+            isLE = _opts.isLE;
+        if (typeof _opts.modFromBytes === 'boolean')
+            modFromBytes = _opts.modFromBytes;
+        allowedLengths = _opts.allowedLengths;
+    }
+    else {
+        if (typeof bitLenOrOpts === 'number')
+            _nbitLength = bitLenOrOpts;
+        if (opts.sqrt)
+            _sqrt = opts.sqrt;
+    }
+    const { nBitLength: BITS, nByteLength: BYTES } = nLength(ORDER, _nbitLength);
     if (BYTES > 2048)
         throw new Error('invalid field: expected ORDER of <= 2048 bytes');
     let sqrtP; // cached sqrtP
     const f = Object.freeze({
         ORDER,
+        isLE,
         BITS,
         BYTES,
         MASK: bitMask(BITS),
         ZERO: _0n$4,
-        ONE: _1n$6,
+        ONE: _1n$5,
+        allowedLengths: allowedLengths,
         create: (num) => mod(num, ORDER),
         isValid: (num) => {
             if (typeof num !== 'bigint')
@@ -725,7 +609,9 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
             return _0n$4 <= num && num < ORDER; // 0 is valid element, but it's not invertible
         },
         is0: (num) => num === _0n$4,
-        isOdd: (num) => (num & _1n$6) === _1n$6,
+        // is valid and invertible
+        isValidNot0: (num) => !f.is0(num) && f.isValid(num),
+        isOdd: (num) => (num & _1n$5) === _1n$5,
         neg: (num) => mod(-num, ORDER),
         eql: (lhs, rhs) => lhs === rhs,
         sqr: (num) => mod(num * num, ORDER),
@@ -740,22 +626,40 @@ function Field(ORDER, bitLen, isLE = false, redef = {}) {
         subN: (lhs, rhs) => lhs - rhs,
         mulN: (lhs, rhs) => lhs * rhs,
         inv: (num) => invert(num, ORDER),
-        sqrt: redef.sqrt ||
+        sqrt: _sqrt ||
             ((n) => {
                 if (!sqrtP)
                     sqrtP = FpSqrt(ORDER);
                 return sqrtP(f, n);
             }),
-        invertBatch: (lst) => FpInvertBatch(f, lst),
-        // TODO: do we really need constant cmov?
-        // We don't have const-time bigints anyway, so probably will be not very useful
-        cmov: (a, b, c) => (c ? b : a),
         toBytes: (num) => (isLE ? numberToBytesLE(num, BYTES) : numberToBytesBE(num, BYTES)),
-        fromBytes: (bytes) => {
+        fromBytes: (bytes, skipValidation = true) => {
+            if (allowedLengths) {
+                if (!allowedLengths.includes(bytes.length) || bytes.length > BYTES) {
+                    throw new Error('Field.fromBytes: expected ' + allowedLengths + ' bytes, got ' + bytes.length);
+                }
+                const padded = new Uint8Array(BYTES);
+                // isLE add 0 to right, !isLE to the left.
+                padded.set(bytes, isLE ? 0 : padded.length - bytes.length);
+                bytes = padded;
+            }
             if (bytes.length !== BYTES)
                 throw new Error('Field.fromBytes: expected ' + BYTES + ' bytes, got ' + bytes.length);
-            return isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+            let scalar = isLE ? bytesToNumberLE(bytes) : bytesToNumberBE(bytes);
+            if (modFromBytes)
+                scalar = mod(scalar, ORDER);
+            if (!skipValidation)
+                if (!f.isValid(scalar))
+                    throw new Error('invalid field element: outside of range 0..ORDER');
+            // NOTE: we don't validate scalar here, please use isValid. This done such way because some
+            // protocol may allow non-reduced scalar that reduced later or changed some other way.
+            return scalar;
         },
+        // TODO: we don't need it here, move out to separate fn
+        invertBatch: (lst) => FpInvertBatch(f, lst),
+        // We can't move this out because Fp6, Fp12 implement it
+        // and it's unclear what to return in there.
+        cmov: (a, b, c) => (c ? b : a),
     });
     return Object.freeze(f);
 }
@@ -802,29 +706,153 @@ function mapHashToField(key, fieldOrder, isLE = false) {
     // No small numbers: need to understand bias story. No huge numbers: easier to detect JS timings.
     if (len < 16 || len < minLen || len > 1024)
         throw new Error('expected ' + minLen + '-1024 bytes of input, got ' + len);
-    const num = isLE ? bytesToNumberBE(key) : bytesToNumberLE(key);
+    const num = isLE ? bytesToNumberLE(key) : bytesToNumberBE(key);
     // `mod(x, 11)` can sometimes produce 0. `mod(x, 10) + 1` is the same, but no 0
-    const reduced = mod(num, fieldOrder - _1n$6) + _1n$6;
+    const reduced = mod(num, fieldOrder - _1n$5) + _1n$5;
     return isLE ? numberToBytesLE(reduced, fieldLen) : numberToBytesBE(reduced, fieldLen);
 }
 
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @module
+ */
+class HMAC extends Hash {
+    constructor(hash, _key) {
+        super();
+        this.finished = false;
+        this.destroyed = false;
+        ahash(hash);
+        const key = toBytes(_key);
+        this.iHash = hash.create();
+        if (typeof this.iHash.update !== 'function')
+            throw new Error('Expected instance of class which extends utils.Hash');
+        this.blockLen = this.iHash.blockLen;
+        this.outputLen = this.iHash.outputLen;
+        const blockLen = this.blockLen;
+        const pad = new Uint8Array(blockLen);
+        // blockLen can be bigger than outputLen
+        pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36;
+        this.iHash.update(pad);
+        // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+        this.oHash = hash.create();
+        // Undo internal XOR && apply outer XOR
+        for (let i = 0; i < pad.length; i++)
+            pad[i] ^= 0x36 ^ 0x5c;
+        this.oHash.update(pad);
+        clean(pad);
+    }
+    update(buf) {
+        aexists(this);
+        this.iHash.update(buf);
+        return this;
+    }
+    digestInto(out) {
+        aexists(this);
+        abytes(out, this.outputLen);
+        this.finished = true;
+        this.iHash.digestInto(out);
+        this.oHash.update(out);
+        this.oHash.digestInto(out);
+        this.destroy();
+    }
+    digest() {
+        const out = new Uint8Array(this.oHash.outputLen);
+        this.digestInto(out);
+        return out;
+    }
+    _cloneInto(to) {
+        // Create new instance without calling constructor since key already in state and we don't know it.
+        to || (to = Object.create(Object.getPrototypeOf(this), {}));
+        const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+        to = to;
+        to.finished = finished;
+        to.destroyed = destroyed;
+        to.blockLen = blockLen;
+        to.outputLen = outputLen;
+        to.oHash = oHash._cloneInto(to.oHash);
+        to.iHash = iHash._cloneInto(to.iHash);
+        return to;
+    }
+    clone() {
+        return this._cloneInto();
+    }
+    destroy() {
+        this.destroyed = true;
+        this.oHash.destroy();
+        this.iHash.destroy();
+    }
+}
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @param hash - function that would be used e.g. sha256
+ * @param key - message key
+ * @param message - message data
+ * @example
+ * import { hmac } from '@noble/hashes/hmac';
+ * import { sha256 } from '@noble/hashes/sha2';
+ * const mac1 = hmac(sha256, 'key', 'message');
+ */
+const hmac = (hash, key, message) => new HMAC(hash, key).update(message).digest();
+hmac.create = (hash, key) => new HMAC(hash, key);
+
+/**
+ * Methods for elliptic curve multiplication by scalars.
+ * Contains wNAF, pippenger.
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Abelian group utilities
 const _0n$3 = BigInt(0);
-const _1n$5 = BigInt(1);
-function constTimeNegate(condition, item) {
+const _1n$4 = BigInt(1);
+function negateCt(condition, item) {
     const neg = item.negate();
     return condition ? neg : item;
 }
+/**
+ * Takes a bunch of Projective Points but executes only one
+ * inversion on all of them. Inversion is very slow operation,
+ * so this improves performance massively.
+ * Optimization: converts a list of projective points to a list of identical points with Z=1.
+ */
+function normalizeZ(c, points) {
+    const invertedZs = FpInvertBatch(c.Fp, points.map((p) => p.Z));
+    return points.map((p, i) => c.fromAffine(p.toAffine(invertedZs[i])));
+}
 function validateW(W, bits) {
     if (!Number.isSafeInteger(W) || W <= 0 || W > bits)
         throw new Error('invalid window size, expected [1..' + bits + '], got W=' + W);
 }
-function calcWOpts(W, bits) {
-    validateW(W, bits);
-    const windows = Math.ceil(bits / W) + 1; // +1, because
-    const windowSize = 2 ** (W - 1); // -1 because we skip zero
-    return { windows, windowSize };
+function calcWOpts(W, scalarBits) {
+    validateW(W, scalarBits);
+    const windows = Math.ceil(scalarBits / W) + 1; // W=8 33. Not 32, because we skip zero
+    const windowSize = 2 ** (W - 1); // W=8 128. Not 256, because we skip zero
+    const maxNumber = 2 ** W; // W=8 256
+    const mask = bitMask(W); // W=8 255 == mask 0b11111111
+    const shiftBy = BigInt(W); // W=8 8
+    return { windows, windowSize, mask, maxNumber, shiftBy };
+}
+function calcOffsets(n, window, wOpts) {
+    const { windowSize, mask, maxNumber, shiftBy } = wOpts;
+    let wbits = Number(n & mask); // extract W bits.
+    let nextN = n >> shiftBy; // shift number by W bits.
+    // What actually happens here:
+    // const highestBit = Number(mask ^ (mask >> 1n));
+    // let wbits2 = wbits - 1; // skip zero
+    // if (wbits2 & highestBit) { wbits2 ^= Number(mask); // (~);
+    // split if bits > max: +224 => 256-32
+    if (wbits > windowSize) {
+        // we skip zero, which means instead of `>= size-1`, we do `> size`
+        wbits -= maxNumber; // -32, can be maxNumber - wbits, but then we need to set isNeg here.
+        nextN += _1n$4; // +256 (carry)
+    }
+    const offsetStart = window * windowSize;
+    const offset = offsetStart + Math.abs(wbits) - 1; // -1 because we skip zero
+    const isZero = wbits === 0; // is current window slice a 0?
+    const isNeg = wbits < 0; // is current window slice negative?
+    const isNegF = window % 2 !== 0; // fake random statement for noise
+    const offsetF = offsetStart; // fake offset for noise
+    return { nextN, offset, isZero, isNeg, isNegF, offsetF };
 }
 function validateMSMPoints(points, c) {
     if (!Array.isArray(points))
@@ -843,199 +871,213 @@ function validateMSMScalars(scalars, field) {
     });
 }
 // Since points in different groups cannot be equal (different object constructor),
-// we can have single place to store precomputes
+// we can have single place to store precomputes.
+// Allows to make points frozen / immutable.
 const pointPrecomputes = new WeakMap();
-const pointWindowSizes = new WeakMap(); // This allows use make points immutable (nothing changes inside)
+const pointWindowSizes = new WeakMap();
 function getW(P) {
+    // To disable precomputes:
+    // return 1;
     return pointWindowSizes.get(P) || 1;
 }
-// Elliptic curve multiplication of Point by scalar. Fragile.
-// Scalars should always be less than curve order: this should be checked inside of a curve itself.
-// Creates precomputation tables for fast multiplication:
-// - private scalar is split by fixed size windows of W bits
-// - every window point is collected from window's table & added to accumulator
-// - since windows are different, same point inside tables won't be accessed more than once per calc
-// - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
-// - +1 window is neccessary for wNAF
-// - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
-// TODO: Research returning 2d JS array of windows, instead of a single window. This would allow
-// windows to be in different memory locations
-function wNAF(c, bits) {
-    return {
-        constTimeNegate,
-        hasPrecomputes(elm) {
-            return getW(elm) !== 1;
-        },
-        // non-const time multiplication ladder
-        unsafeLadder(elm, n, p = c.ZERO) {
-            let d = elm;
-            while (n > _0n$3) {
-                if (n & _1n$5)
-                    p = p.add(d);
-                d = d.double();
-                n >>= _1n$5;
-            }
-            return p;
-        },
-        /**
-         * Creates a wNAF precomputation window. Used for caching.
-         * Default window size is set by `utils.precompute()` and is equal to 8.
-         * Number of precomputed points depends on the curve size:
-         * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
-         * - 𝑊 is the window size
-         * - 𝑛 is the bitlength of the curve order.
-         * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
-         * @param elm Point instance
-         * @param W window size
-         * @returns precomputed point tables flattened to a single array
-         */
-        precomputeWindow(elm, W) {
-            const { windows, windowSize } = calcWOpts(W, bits);
-            const points = [];
-            let p = elm;
-            let base = p;
-            for (let window = 0; window < windows; window++) {
-                base = p;
+function assert0(n) {
+    if (n !== _0n$3)
+        throw new Error('invalid wNAF');
+}
+/**
+ * Elliptic curve multiplication of Point by scalar. Fragile.
+ * Table generation takes **30MB of ram and 10ms on high-end CPU**,
+ * but may take much longer on slow devices. Actual generation will happen on
+ * first call of `multiply()`. By default, `BASE` point is precomputed.
+ *
+ * Scalars should always be less than curve order: this should be checked inside of a curve itself.
+ * Creates precomputation tables for fast multiplication:
+ * - private scalar is split by fixed size windows of W bits
+ * - every window point is collected from window's table & added to accumulator
+ * - since windows are different, same point inside tables won't be accessed more than once per calc
+ * - each multiplication is 'Math.ceil(CURVE_ORDER / 𝑊) + 1' point additions (fixed for any scalar)
+ * - +1 window is neccessary for wNAF
+ * - wNAF reduces table size: 2x less memory + 2x faster generation, but 10% slower multiplication
+ *
+ * @todo Research returning 2d JS array of windows, instead of a single window.
+ * This would allow windows to be in different memory locations
+ */
+class wNAF {
+    // Parametrized with a given Point class (not individual point)
+    constructor(Point, bits) {
+        this.BASE = Point.BASE;
+        this.ZERO = Point.ZERO;
+        this.Fn = Point.Fn;
+        this.bits = bits;
+    }
+    // non-const time multiplication ladder
+    _unsafeLadder(elm, n, p = this.ZERO) {
+        let d = elm;
+        while (n > _0n$3) {
+            if (n & _1n$4)
+                p = p.add(d);
+            d = d.double();
+            n >>= _1n$4;
+        }
+        return p;
+    }
+    /**
+     * Creates a wNAF precomputation window. Used for caching.
+     * Default window size is set by `utils.precompute()` and is equal to 8.
+     * Number of precomputed points depends on the curve size:
+     * 2^(𝑊−1) * (Math.ceil(𝑛 / 𝑊) + 1), where:
+     * - 𝑊 is the window size
+     * - 𝑛 is the bitlength of the curve order.
+     * For a 256-bit curve and window size 8, the number of precomputed points is 128 * 33 = 4224.
+     * @param point Point instance
+     * @param W window size
+     * @returns precomputed point tables flattened to a single array
+     */
+    precomputeWindow(point, W) {
+        const { windows, windowSize } = calcWOpts(W, this.bits);
+        const points = [];
+        let p = point;
+        let base = p;
+        for (let window = 0; window < windows; window++) {
+            base = p;
+            points.push(base);
+            // i=1, bc we skip 0
+            for (let i = 1; i < windowSize; i++) {
+                base = base.add(p);
                 points.push(base);
-                // =1, because we skip zero
-                for (let i = 1; i < windowSize; i++) {
-                    base = base.add(p);
-                    points.push(base);
-                }
-                p = base.double();
             }
-            return points;
-        },
-        /**
-         * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
-         * @param W window size
-         * @param precomputes precomputed tables
-         * @param n scalar (we don't check here, but should be less than curve order)
-         * @returns real and fake (for const-time) points
-         */
-        wNAF(W, precomputes, n) {
-            // TODO: maybe check that scalar is less than group order? wNAF behavious is undefined otherwise
-            // But need to carefully remove other checks before wNAF. ORDER == bits here
-            const { windows, windowSize } = calcWOpts(W, bits);
-            let p = c.ZERO;
-            let f = c.BASE;
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-            const maxNumber = 2 ** W;
-            const shiftBy = BigInt(W);
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n$5;
-                }
-                // This code was first written with assumption that 'f' and 'p' will never be infinity point:
-                // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
-                // there is negate now: it is possible that negated element from low value
-                // would be the same as high element, which will create carry into next window.
-                // It's not obvious how this can fail, but still worth investigating later.
-                // Check if we're onto Zero point.
-                // Add random point inside current window to f.
-                const offset1 = offset;
-                const offset2 = offset + Math.abs(wbits) - 1; // -1 because we skip zero
-                const cond1 = window % 2 !== 0;
-                const cond2 = wbits < 0;
-                if (wbits === 0) {
-                    // The most important part for const-time getPublicKey
-                    f = f.add(constTimeNegate(cond1, precomputes[offset1]));
-                }
-                else {
-                    p = p.add(constTimeNegate(cond2, precomputes[offset2]));
-                }
+            p = base.double();
+        }
+        return points;
+    }
+    /**
+     * Implements ec multiplication using precomputed tables and w-ary non-adjacent form.
+     * More compact implementation:
+     * https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541
+     * @returns real and fake (for const-time) points
+     */
+    wNAF(W, precomputes, n) {
+        // Scalar should be smaller than field order
+        if (!this.Fn.isValid(n))
+            throw new Error('invalid scalar');
+        // Accumulators
+        let p = this.ZERO;
+        let f = this.BASE;
+        // This code was first written with assumption that 'f' and 'p' will never be infinity point:
+        // since each addition is multiplied by 2 ** W, it cannot cancel each other. However,
+        // there is negate now: it is possible that negated element from low value
+        // would be the same as high element, which will create carry into next window.
+        // It's not obvious how this can fail, but still worth investigating later.
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            // (n === _0n) is handled and not early-exited. isEven and offsetF are used for noise
+            const { nextN, offset, isZero, isNeg, isNegF, offsetF } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // bits are 0: add garbage to fake point
+                // Important part for const-time getPublicKey: add random "noise" point to f.
+                f = f.add(negateCt(isNegF, precomputes[offsetF]));
             }
-            // JIT-compiler should not eliminate f here, since it will later be used in normalizeZ()
-            // Even if the variable is still unused, there are some checks which will
-            // throw an exception, so compiler needs to prove they won't happen, which is hard.
-            // At this point there is a way to F be infinity-point even if p is not,
-            // which makes it less const-time: around 1 bigint multiply.
-            return { p, f };
-        },
-        /**
-         * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
-         * @param W window size
-         * @param precomputes precomputed tables
-         * @param n scalar (we don't check here, but should be less than curve order)
-         * @param acc accumulator point to add result of multiplication
-         * @returns point
-         */
-        wNAFUnsafe(W, precomputes, n, acc = c.ZERO) {
-            const { windows, windowSize } = calcWOpts(W, bits);
-            const mask = BigInt(2 ** W - 1); // Create mask with W ones: 0b1111 for W=4 etc.
-            const maxNumber = 2 ** W;
-            const shiftBy = BigInt(W);
-            for (let window = 0; window < windows; window++) {
-                const offset = window * windowSize;
-                if (n === _0n$3)
-                    break; // No need to go over empty scalar
-                // Extract W bits.
-                let wbits = Number(n & mask);
-                // Shift number by W bits.
-                n >>= shiftBy;
-                // If the bits are bigger than max size, we'll split those.
-                // +224 => 256 - 32
-                if (wbits > windowSize) {
-                    wbits -= maxNumber;
-                    n += _1n$5;
-                }
-                if (wbits === 0)
-                    continue;
-                let curr = precomputes[offset + Math.abs(wbits) - 1]; // -1 because we skip zero
-                if (wbits < 0)
-                    curr = curr.negate();
-                // NOTE: by re-using acc, we can save a lot of additions in case of MSM
-                acc = acc.add(curr);
+            else {
+                // bits are 1: add to result point
+                p = p.add(negateCt(isNeg, precomputes[offset]));
             }
-            return acc;
-        },
-        getPrecomputes(W, P, transform) {
-            // Calculate precomputes on a first run, reuse them after
-            let comp = pointPrecomputes.get(P);
-            if (!comp) {
-                comp = this.precomputeWindow(P, W);
-                if (W !== 1)
-                    pointPrecomputes.set(P, transform(comp));
+        }
+        assert0(n);
+        // Return both real and fake points: JIT won't eliminate f.
+        // At this point there is a way to F be infinity-point even if p is not,
+        // which makes it less const-time: around 1 bigint multiply.
+        return { p, f };
+    }
+    /**
+     * Implements ec unsafe (non const-time) multiplication using precomputed tables and w-ary non-adjacent form.
+     * @param acc accumulator point to add result of multiplication
+     * @returns point
+     */
+    wNAFUnsafe(W, precomputes, n, acc = this.ZERO) {
+        const wo = calcWOpts(W, this.bits);
+        for (let window = 0; window < wo.windows; window++) {
+            if (n === _0n$3)
+                break; // Early-exit, skip 0 value
+            const { nextN, offset, isZero, isNeg } = calcOffsets(n, window, wo);
+            n = nextN;
+            if (isZero) {
+                // Window bits are 0: skip processing.
+                // Move to next window.
+                continue;
             }
-            return comp;
-        },
-        wNAFCached(P, n, transform) {
-            const W = getW(P);
-            return this.wNAF(W, this.getPrecomputes(W, P, transform), n);
-        },
-        wNAFCachedUnsafe(P, n, transform, prev) {
-            const W = getW(P);
-            if (W === 1)
-                return this.unsafeLadder(P, n, prev); // For W=1 ladder is ~x2 faster
-            return this.wNAFUnsafe(W, this.getPrecomputes(W, P, transform), n, prev);
-        },
-        // We calculate precomputes for elliptic curve point multiplication
-        // using windowed method. This specifies window size and
-        // stores precomputed values. Usually only base point would be precomputed.
-        setWindowSize(P, W) {
-            validateW(W, bits);
-            pointWindowSizes.set(P, W);
-            pointPrecomputes.delete(P);
-        },
-    };
+            else {
+                const item = precomputes[offset];
+                acc = acc.add(isNeg ? item.negate() : item); // Re-using acc allows to save adds in MSM
+            }
+        }
+        assert0(n);
+        return acc;
+    }
+    getPrecomputes(W, point, transform) {
+        // Calculate precomputes on a first run, reuse them after
+        let comp = pointPrecomputes.get(point);
+        if (!comp) {
+            comp = this.precomputeWindow(point, W);
+            if (W !== 1) {
+                // Doing transform outside of if brings 15% perf hit
+                if (typeof transform === 'function')
+                    comp = transform(comp);
+                pointPrecomputes.set(point, comp);
+            }
+        }
+        return comp;
+    }
+    cached(point, scalar, transform) {
+        const W = getW(point);
+        return this.wNAF(W, this.getPrecomputes(W, point, transform), scalar);
+    }
+    unsafe(point, scalar, transform, prev) {
+        const W = getW(point);
+        if (W === 1)
+            return this._unsafeLadder(point, scalar, prev); // For W=1 ladder is ~x2 faster
+        return this.wNAFUnsafe(W, this.getPrecomputes(W, point, transform), scalar, prev);
+    }
+    // We calculate precomputes for elliptic curve point multiplication
+    // using windowed method. This specifies window size and
+    // stores precomputed values. Usually only base point would be precomputed.
+    createCache(P, W) {
+        validateW(W, this.bits);
+        pointWindowSizes.set(P, W);
+        pointPrecomputes.delete(P);
+    }
+    hasCache(elm) {
+        return getW(elm) !== 1;
+    }
+}
+/**
+ * Endomorphism-specific multiplication for Koblitz curves.
+ * Cost: 128 dbl, 0-256 adds.
+ */
+function mulEndoUnsafe(Point, point, k1, k2) {
+    let acc = point;
+    let p1 = Point.ZERO;
+    let p2 = Point.ZERO;
+    while (k1 > _0n$3 || k2 > _0n$3) {
+        if (k1 & _1n$4)
+            p1 = p1.add(acc);
+        if (k2 & _1n$4)
+            p2 = p2.add(acc);
+        acc = acc.double();
+        k1 >>= _1n$4;
+        k2 >>= _1n$4;
+    }
+    return { p1, p2 };
 }
 /**
  * Pippenger algorithm for multi-scalar multiplication (MSM, Pa + Qb + Rc + ...).
- * 30x faster vs naive addition on L=4096, 10x faster with precomputes.
+ * 30x faster vs naive addition on L=4096, 10x faster than precomputes.
  * For N=254bit, L=1, it does: 1024 ADD + 254 DBL. For L=5: 1536 ADD + 254 DBL.
  * Algorithmically constant-time (for same L), even when 1 point + scalar, or when scalar = 0.
  * @param c Curve Point constructor
  * @param fieldN field over CURVE.N - important that it's not over CURVE.P
  * @param points array of L curve points
- * @param scalars array of L scalars (aka private keys / bigints)
+ * @param scalars array of L scalars (aka secret keys / bigints)
  */
 function pippenger(c, fieldN, points, scalars) {
     // If we split scalars by some window (let's say 8 bits), every chunk will only
@@ -1046,20 +1088,29 @@ function pippenger(c, fieldN, points, scalars) {
     // 0 is accepted in scalars
     validateMSMPoints(points, c);
     validateMSMScalars(scalars, fieldN);
-    if (points.length !== scalars.length)
+    const plength = points.length;
+    const slength = scalars.length;
+    if (plength !== slength)
         throw new Error('arrays of points and scalars must have equal length');
+    // if (plength === 0) throw new Error('array must be of length >= 2');
     const zero = c.ZERO;
-    const wbits = bitLen(BigInt(points.length));
-    const windowSize = wbits > 12 ? wbits - 3 : wbits > 4 ? wbits - 2 : wbits ? 2 : 1; // in bits
-    const MASK = (1 << windowSize) - 1;
-    const buckets = new Array(MASK + 1).fill(zero); // +1 for zero array
+    const wbits = bitLen(BigInt(plength));
+    let windowSize = 1; // bits
+    if (wbits > 12)
+        windowSize = wbits - 3;
+    else if (wbits > 4)
+        windowSize = wbits - 2;
+    else if (wbits > 0)
+        windowSize = 2;
+    const MASK = bitMask(windowSize);
+    const buckets = new Array(Number(MASK) + 1).fill(zero); // +1 for zero array
     const lastBits = Math.floor((fieldN.BITS - 1) / windowSize) * windowSize;
     let sum = zero;
     for (let i = lastBits; i >= 0; i -= windowSize) {
         buckets.fill(zero);
-        for (let j = 0; j < scalars.length; j++) {
+        for (let j = 0; j < slength; j++) {
             const scalar = scalars[j];
-            const wbits = Number((scalar >> BigInt(i)) & BigInt(MASK));
+            const wbits = Number((scalar >> BigInt(i)) & MASK);
             buckets[wbits] = buckets[wbits].add(points[j]);
         }
         let resI = zero; // not using this will do small speed-up, but will lose ct
@@ -1075,61 +1126,120 @@ function pippenger(c, fieldN, points, scalars) {
     }
     return sum;
 }
-function validateBasic(curve) {
-    validateField(curve.Fp);
-    validateObject(curve, {
-        n: 'bigint',
-        h: 'bigint',
-        Gx: 'field',
-        Gy: 'field',
-    }, {
-        nBitLength: 'isSafeInteger',
-        nByteLength: 'isSafeInteger',
-    });
-    // Set defaults
-    return Object.freeze({
-        ...nLength(curve.n, curve.nBitLength),
-        ...curve,
-        ...{ p: curve.Fp.ORDER },
-    });
+function createField(order, field, isLE) {
+    if (field) {
+        if (field.ORDER !== order)
+            throw new Error('Field.ORDER must match order: Fp == p, Fn == n');
+        validateField(field);
+        return field;
+    }
+    else {
+        return Field(order, { isLE });
+    }
+}
+/** Validates CURVE opts and creates fields */
+function _createCurveFields(type, CURVE, curveOpts = {}, FpFnLE) {
+    if (FpFnLE === undefined)
+        FpFnLE = type === 'edwards';
+    if (!CURVE || typeof CURVE !== 'object')
+        throw new Error(`expected valid ${type} CURVE object`);
+    for (const p of ['p', 'n', 'h']) {
+        const val = CURVE[p];
+        if (!(typeof val === 'bigint' && val > _0n$3))
+            throw new Error(`CURVE.${p} must be positive bigint`);
+    }
+    const Fp = createField(CURVE.p, curveOpts.Fp, FpFnLE);
+    const Fn = createField(CURVE.n, curveOpts.Fn, FpFnLE);
+    const _b = type === 'weierstrass' ? 'b' : 'd';
+    const params = ['Gx', 'Gy', 'a', _b];
+    for (const p of params) {
+        // @ts-ignore
+        if (!Fp.isValid(CURVE[p]))
+            throw new Error(`CURVE.${p} must be valid field element of CURVE.Fp`);
+    }
+    CURVE = Object.freeze(Object.assign({}, CURVE));
+    return { CURVE, Fp, Fn };
 }
 
+/**
+ * Short Weierstrass curve methods. The formula is: y² = x³ + ax + b.
+ *
+ * ### Design rationale for types
+ *
+ * * Interaction between classes from different curves should fail:
+ *   `k256.Point.BASE.add(p256.Point.BASE)`
+ * * For this purpose we want to use `instanceof` operator, which is fast and works during runtime
+ * * Different calls of `curve()` would return different classes -
+ *   `curve(params) !== curve(params)`: if somebody decided to monkey-patch their curve,
+ *   it won't affect others
+ *
+ * TypeScript can't infer types for classes created inside a function. Classes is one instance
+ * of nominative types in TypeScript and interfaces only check for shape, so it's hard to create
+ * unique type for every function call.
+ *
+ * We can use generic types via some param, like curve opts, but that would:
+ *     1. Enable interaction between `curve(params)` and `curve(params)` (curves of same params)
+ *     which is hard to debug.
+ *     2. Params can be generic and we can't enforce them to be constant value:
+ *     if somebody creates curve from non-constant params,
+ *     it would be allowed to interact with other curves with non-constant params
+ *
+ * @todo https://www.typescriptlang.org/docs/handbook/release-notes/typescript-2-7.html#unique-symbol
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Short Weierstrass curve. The formula is: y² = x³ + ax + b
-function validateSigVerOpts(opts) {
-    if (opts.lowS !== undefined)
-        abool('lowS', opts.lowS);
-    if (opts.prehash !== undefined)
-        abool('prehash', opts.prehash);
-}
-function validatePointOpts(curve) {
-    const opts = validateBasic(curve);
-    validateObject(opts, {
-        a: 'field',
-        b: 'field',
-    }, {
-        allowedPrivateKeyLengths: 'array',
-        wrapPrivateKey: 'boolean',
-        isTorsionFree: 'function',
-        clearCofactor: 'function',
-        allowInfinityPoint: 'boolean',
-        fromBytes: 'function',
-        toBytes: 'function',
-    });
-    const { endo, Fp, a } = opts;
-    if (endo) {
-        if (!Fp.eql(a, Fp.ZERO)) {
-            throw new Error('invalid endomorphism, can only be defined for Koblitz curves that have a=0');
-        }
-        if (typeof endo !== 'object' ||
-            typeof endo.beta !== 'bigint' ||
-            typeof endo.splitScalar !== 'function') {
-            throw new Error('invalid endomorphism, expected beta: bigint and splitScalar: function');
-        }
+// We construct basis in such way that den is always positive and equals n, but num sign depends on basis (not on secret value)
+const divNearest = (num, den) => (num + (num >= 0 ? den : -den) / _2n$4) / den;
+/**
+ * Splits scalar for GLV endomorphism.
+ */
+function _splitEndoScalar(k, basis, n) {
+    // Split scalar into two such that part is ~half bits: `abs(part) < sqrt(N)`
+    // Since part can be negative, we need to do this on point.
+    // TODO: verifyScalar function which consumes lambda
+    const [[a1, b1], [a2, b2]] = basis;
+    const c1 = divNearest(b2 * k, n);
+    const c2 = divNearest(-b1 * k, n);
+    // |k1|/|k2| is < sqrt(N), but can be negative.
+    // If we do `k1 mod N`, we'll get big scalar (`> sqrt(N)`): so, we do cheaper negation instead.
+    let k1 = k - c1 * a1 - c2 * a2;
+    let k2 = -c1 * b1 - c2 * b2;
+    const k1neg = k1 < _0n$2;
+    const k2neg = k2 < _0n$2;
+    if (k1neg)
+        k1 = -k1;
+    if (k2neg)
+        k2 = -k2;
+    // Double check that resulting scalar less than half bits of N: otherwise wNAF will fail.
+    // This should only happen on wrong basises. Also, math inside is too complex and I don't trust it.
+    const MAX_NUM = bitMask(Math.ceil(bitLen(n) / 2)) + _1n$3; // Half bits of N
+    if (k1 < _0n$2 || k1 >= MAX_NUM || k2 < _0n$2 || k2 >= MAX_NUM) {
+        throw new Error('splitScalar (endomorphism): failed, k=' + k);
+    }
+    return { k1neg, k1, k2neg, k2 };
+}
+function validateSigFormat(format) {
+    if (!['compact', 'recovered', 'der'].includes(format))
+        throw new Error('Signature format must be "compact", "recovered", or "der"');
+    return format;
+}
+function validateSigOpts(opts, def) {
+    const optsn = {};
+    for (let optName of Object.keys(def)) {
+        // @ts-ignore
+        optsn[optName] = opts[optName] === undefined ? def[optName] : opts[optName];
+    }
+    _abool2(optsn.lowS, 'lowS');
+    _abool2(optsn.prehash, 'prehash');
+    if (optsn.format !== undefined)
+        validateSigFormat(optsn.format);
+    return optsn;
+}
+class DERErr extends Error {
+    constructor(m = '') {
+        super(m);
     }
-    return Object.freeze({ ...opts });
 }
-const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
 /**
  * ASN.1 DER encoding utilities. ASN is very complex & fragile. Format:
  *
@@ -1139,11 +1249,7 @@ const { bytesToNumberBE: b2n, hexToBytes: h2b } = ut;
  */
 const DER = {
     // asn.1 DER encoding utils
-    Err: class DERErr extends Error {
-        constructor(m = '') {
-            super(m);
-        }
-    },
+    Err: DERErr,
     // Basic building block is TLV (Tag-Length-Value)
     _tlv: {
         encode: (tag, data) => {
@@ -1221,14 +1327,13 @@ const DER = {
                 throw new E('invalid signature integer: negative');
             if (data[0] === 0x00 && !(data[1] & 128))
                 throw new E('invalid signature integer: unnecessary leading zero');
-            return b2n(data);
+            return bytesToNumberBE(data);
         },
     },
     toSig(hex) {
         // parse DER signature
         const { Err: E, _int: int, _tlv: tlv } = DER;
-        const data = typeof hex === 'string' ? h2b(hex) : hex;
-        abytes(data);
+        const data = ensureBytes('signature', hex);
         const { v: seqBytes, l: seqLeftBytes } = tlv.decode(0x30, data);
         if (seqLeftBytes.length)
             throw new E('invalid signature: left bytes after parsing');
@@ -1248,98 +1353,184 @@ const DER = {
 };
 // Be friendly to bad ECMAScript parsers by not using bigint literals
 // prettier-ignore
-const _0n$2 = BigInt(0), _1n$4 = BigInt(1); BigInt(2); const _3n$1 = BigInt(3); BigInt(4);
-function weierstrassPoints(opts) {
-    const CURVE = validatePointOpts(opts);
-    const { Fp } = CURVE; // All curves has same field / group length as for now, but they can differ
-    const Fn = Field(CURVE.n, CURVE.nBitLength);
-    const toBytes = CURVE.toBytes ||
-        ((_c, point, _isCompressed) => {
-            const a = point.toAffine();
-            return concatBytes(Uint8Array.from([0x04]), Fp.toBytes(a.x), Fp.toBytes(a.y));
-        });
-    const fromBytes = CURVE.fromBytes ||
-        ((bytes) => {
-            // const head = bytes[0];
-            const tail = bytes.subarray(1);
-            // if (head !== 0x04) throw new Error('Only non-compressed encoding is supported');
-            const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-            const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-            return { x, y };
-        });
-    /**
-     * y² = x³ + ax + b: Short weierstrass curve formula
-     * @returns y²
-     */
-    function weierstrassEquation(x) {
-        const { a, b } = CURVE;
-        const x2 = Fp.sqr(x); // x * x
-        const x3 = Fp.mul(x2, x); // x2 * x
-        return Fp.add(Fp.add(x3, Fp.mul(x, a)), b); // x3 + a * x + b
+const _0n$2 = BigInt(0), _1n$3 = BigInt(1), _2n$4 = BigInt(2), _3n$1 = BigInt(3), _4n = BigInt(4);
+function _normFnElement(Fn, key) {
+    const { BYTES: expected } = Fn;
+    let num;
+    if (typeof key === 'bigint') {
+        num = key;
     }
-    // Validate whether the passed curve params are valid.
-    // We check if curve equation works for generator point.
-    // `assertValidity()` won't work: `isTorsionFree()` is not available at this point in bls12-381.
-    // ProjectivePoint class has not been initialized yet.
-    if (!Fp.eql(Fp.sqr(CURVE.Gy), weierstrassEquation(CURVE.Gx)))
-        throw new Error('bad generator point: equation left != right');
-    // Valid group elements reside in range 1..n-1
-    function isWithinCurveOrder(num) {
-        return inRange(num, _1n$4, CURVE.n);
-    }
-    // Validates if priv key is valid and converts it to bigint.
-    // Supports options allowedPrivateKeyLengths and wrapPrivateKey.
-    function normPrivateKeyToScalar(key) {
-        const { allowedPrivateKeyLengths: lengths, nByteLength, wrapPrivateKey, n: N } = CURVE;
-        if (lengths && typeof key !== 'bigint') {
-            if (isBytes(key))
-                key = bytesToHex(key);
-            // Normalize to hex string, pad. E.g. P521 would norm 130-132 char hex to 132-char bytes
-            if (typeof key !== 'string' || !lengths.includes(key.length))
-                throw new Error('invalid private key');
-            key = key.padStart(nByteLength * 2, '0');
-        }
-        let num;
+    else {
+        let bytes = ensureBytes('private key', key);
         try {
-            num =
-                typeof key === 'bigint'
-                    ? key
-                    : bytesToNumberBE(ensureBytes('private key', key, nByteLength));
+            num = Fn.fromBytes(bytes);
         }
         catch (error) {
-            throw new Error('invalid private key, expected hex or ' + nByteLength + ' bytes, got ' + typeof key);
+            throw new Error(`invalid private key: expected ui8a of size ${expected}, got ${typeof key}`);
+        }
+    }
+    if (!Fn.isValidNot0(num))
+        throw new Error('invalid private key: out of range [1..N-1]');
+    return num;
+}
+/**
+ * Creates weierstrass Point constructor, based on specified curve options.
+ *
+ * @example
+```js
+const opts = {
+  p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
+  n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
+  h: BigInt(1),
+  a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+  b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
+  Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
+  Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
+};
+const p256_Point = weierstrass(opts);
+```
+ */
+function weierstrassN(params, extraOpts = {}) {
+    const validated = _createCurveFields('weierstrass', params, extraOpts);
+    const { Fp, Fn } = validated;
+    let CURVE = validated.CURVE;
+    const { h: cofactor, n: CURVE_ORDER } = CURVE;
+    _validateObject(extraOpts, {}, {
+        allowInfinityPoint: 'boolean',
+        clearCofactor: 'function',
+        isTorsionFree: 'function',
+        fromBytes: 'function',
+        toBytes: 'function',
+        endo: 'object',
+        wrapPrivateKey: 'boolean',
+    });
+    const { endo } = extraOpts;
+    if (endo) {
+        // validateObject(endo, { beta: 'bigint', splitScalar: 'function' });
+        if (!Fp.is0(CURVE.a) || typeof endo.beta !== 'bigint' || !Array.isArray(endo.basises)) {
+            throw new Error('invalid endo: expected "beta": bigint and "basises": array');
+        }
+    }
+    const lengths = getWLengths(Fp, Fn);
+    function assertCompressionIsSupported() {
+        if (!Fp.isOdd)
+            throw new Error('compression is not supported: Field does not have .isOdd()');
+    }
+    // Implements IEEE P1363 point encoding
+    function pointToBytes(_c, point, isCompressed) {
+        const { x, y } = point.toAffine();
+        const bx = Fp.toBytes(x);
+        _abool2(isCompressed, 'isCompressed');
+        if (isCompressed) {
+            assertCompressionIsSupported();
+            const hasEvenY = !Fp.isOdd(y);
+            return concatBytes(pprefix(hasEvenY), bx);
+        }
+        else {
+            return concatBytes(Uint8Array.of(0x04), bx, Fp.toBytes(y));
         }
-        if (wrapPrivateKey)
-            num = mod(num, N); // disabled by default, enabled for BLS
-        aInRange('private key', num, _1n$4, N); // num in range [1..N-1]
-        return num;
     }
-    function assertPrjPoint(other) {
+    function pointFromBytes(bytes) {
+        _abytes2(bytes, undefined, 'Point');
+        const { publicKey: comp, publicKeyUncompressed: uncomp } = lengths; // e.g. for 32-byte: 33, 65
+        const length = bytes.length;
+        const head = bytes[0];
+        const tail = bytes.subarray(1);
+        // No actual validation is done here: use .assertValidity()
+        if (length === comp && (head === 0x02 || head === 0x03)) {
+            const x = Fp.fromBytes(tail);
+            if (!Fp.isValid(x))
+                throw new Error('bad point: is not on curve, wrong x');
+            const y2 = weierstrassEquation(x); // y² = x³ + ax + b
+            let y;
+            try {
+                y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
+            }
+            catch (sqrtError) {
+                const err = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
+                throw new Error('bad point: is not on curve, sqrt error' + err);
+            }
+            assertCompressionIsSupported();
+            const isYOdd = Fp.isOdd(y); // (y & _1n) === _1n;
+            const isHeadOdd = (head & 1) === 1; // ECDSA-specific
+            if (isHeadOdd !== isYOdd)
+                y = Fp.neg(y);
+            return { x, y };
+        }
+        else if (length === uncomp && head === 0x04) {
+            // TODO: more checks
+            const L = Fp.BYTES;
+            const x = Fp.fromBytes(tail.subarray(0, L));
+            const y = Fp.fromBytes(tail.subarray(L, L * 2));
+            if (!isValidXY(x, y))
+                throw new Error('bad point: is not on curve');
+            return { x, y };
+        }
+        else {
+            throw new Error(`bad point: got length ${length}, expected compressed=${comp} or uncompressed=${uncomp}`);
+        }
+    }
+    const encodePoint = extraOpts.toBytes || pointToBytes;
+    const decodePoint = extraOpts.fromBytes || pointFromBytes;
+    function weierstrassEquation(x) {
+        const x2 = Fp.sqr(x); // x * x
+        const x3 = Fp.mul(x2, x); // x² * x
+        return Fp.add(Fp.add(x3, Fp.mul(x, CURVE.a)), CURVE.b); // x³ + a * x + b
+    }
+    // TODO: move top-level
+    /** Checks whether equation holds for given x, y: y² == x³ + ax + b */
+    function isValidXY(x, y) {
+        const left = Fp.sqr(y); // y²
+        const right = weierstrassEquation(x); // x³ + ax + b
+        return Fp.eql(left, right);
+    }
+    // Validate whether the passed curve params are valid.
+    // Test 1: equation y² = x³ + ax + b should work for generator point.
+    if (!isValidXY(CURVE.Gx, CURVE.Gy))
+        throw new Error('bad curve params: generator point');
+    // Test 2: discriminant Δ part should be non-zero: 4a³ + 27b² != 0.
+    // Guarantees curve is genus-1, smooth (non-singular).
+    const _4a3 = Fp.mul(Fp.pow(CURVE.a, _3n$1), _4n);
+    const _27b2 = Fp.mul(Fp.sqr(CURVE.b), BigInt(27));
+    if (Fp.is0(Fp.add(_4a3, _27b2)))
+        throw new Error('bad curve params: a or b');
+    /** Asserts coordinate is valid: 0 <= n < Fp.ORDER. */
+    function acoord(title, n, banZero = false) {
+        if (!Fp.isValid(n) || (banZero && Fp.is0(n)))
+            throw new Error(`bad point coordinate ${title}`);
+        return n;
+    }
+    function aprjpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ProjectivePoint expected');
     }
+    function splitEndoScalarN(k) {
+        if (!endo || !endo.basises)
+            throw new Error('no endo');
+        return _splitEndoScalar(k, endo.basises, Fn.ORDER);
+    }
     // Memoized toAffine / validity check. They are heavy. Points are immutable.
     // Converts Projective point to affine (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
-    // (x, y, z) ∋ (x=x/z, y=y/z)
+    // (X, Y, Z) ∋ (x=X/Z, y=Y/Z)
     const toAffineMemo = memoized((p, iz) => {
-        const { px: x, py: y, pz: z } = p;
+        const { X, Y, Z } = p;
         // Fast-path for normalized points
-        if (Fp.eql(z, Fp.ONE))
-            return { x, y };
+        if (Fp.eql(Z, Fp.ONE))
+            return { x: X, y: Y };
         const is0 = p.is0();
         // If invZ was 0, we return zero point. However we still want to execute
         // all operations, so we replace invZ with a random number, 1.
         if (iz == null)
-            iz = is0 ? Fp.ONE : Fp.inv(z);
-        const ax = Fp.mul(x, iz);
-        const ay = Fp.mul(y, iz);
-        const zz = Fp.mul(z, iz);
+            iz = is0 ? Fp.ONE : Fp.inv(Z);
+        const x = Fp.mul(X, iz);
+        const y = Fp.mul(Y, iz);
+        const zz = Fp.mul(Z, iz);
         if (is0)
             return { x: Fp.ZERO, y: Fp.ZERO };
         if (!Fp.eql(zz, Fp.ONE))
             throw new Error('invZ was invalid');
-        return { x: ax, y: ay };
+        return { x, y };
     });
     // NOTE: on exception this will crash 'cached' and no value will be set.
     // Otherwise true will be return
@@ -1348,55 +1539,62 @@ function weierstrassPoints(opts) {
             // (0, 1, 0) aka ZERO is invalid in most contexts.
             // In BLS, ZERO can be serialized, so we allow it.
             // (0, 0, 0) is invalid representation of ZERO.
-            if (CURVE.allowInfinityPoint && !Fp.is0(p.py))
+            if (extraOpts.allowInfinityPoint && !Fp.is0(p.Y))
                 return;
             throw new Error('bad point: ZERO');
         }
         // Some 3rd-party test vectors require different wording between here & `fromCompressedHex`
         const { x, y } = p.toAffine();
-        // Check if x, y are valid field elements
         if (!Fp.isValid(x) || !Fp.isValid(y))
-            throw new Error('bad point: x or y not FE');
-        const left = Fp.sqr(y); // y²
-        const right = weierstrassEquation(x); // x³ + ax + b
-        if (!Fp.eql(left, right))
+            throw new Error('bad point: x or y not field elements');
+        if (!isValidXY(x, y))
             throw new Error('bad point: equation left != right');
         if (!p.isTorsionFree())
             throw new Error('bad point: not in prime-order subgroup');
         return true;
     });
+    function finishEndo(endoBeta, k1p, k2p, k1neg, k2neg) {
+        k2p = new Point(Fp.mul(k2p.X, endoBeta), k2p.Y, k2p.Z);
+        k1p = negateCt(k1neg, k1p);
+        k2p = negateCt(k2neg, k2p);
+        return k1p.add(k2p);
+    }
     /**
-     * Projective Point works in 3d / projective (homogeneous) coordinates: (x, y, z) ∋ (x=x/z, y=y/z)
-     * Default Point works in 2d / affine coordinates: (x, y)
+     * Projective Point works in 3d / projective (homogeneous) coordinates:(X, Y, Z) ∋ (x=X/Z, y=Y/Z).
+     * Default Point works in 2d / affine coordinates: (x, y).
      * We're doing calculations in projective, because its operations don't require costly inversion.
      */
     class Point {
-        constructor(px, py, pz) {
-            this.px = px;
-            this.py = py;
-            this.pz = pz;
-            if (px == null || !Fp.isValid(px))
-                throw new Error('x required');
-            if (py == null || !Fp.isValid(py))
-                throw new Error('y required');
-            if (pz == null || !Fp.isValid(pz))
-                throw new Error('z required');
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
+        constructor(X, Y, Z) {
+            this.X = acoord('x', X);
+            this.Y = acoord('y', Y, true);
+            this.Z = acoord('z', Z);
             Object.freeze(this);
         }
-        // Does not validate if the point is on-curve.
-        // Use fromHex instead, or call assertValidity() later.
+        static CURVE() {
+            return CURVE;
+        }
+        /** Does NOT validate if the point is valid. Use `.assertValidity()`. */
         static fromAffine(p) {
             const { x, y } = p || {};
             if (!p || !Fp.isValid(x) || !Fp.isValid(y))
                 throw new Error('invalid affine point');
             if (p instanceof Point)
                 throw new Error('projective point not allowed');
-            const is0 = (i) => Fp.eql(i, Fp.ZERO);
-            // fromAffine(x:0, y:0) would produce (x:0, y:0, z:1), but we need (x:0, y:1, z:0)
-            if (is0(x) && is0(y))
+            // (0, 0) would've produced (0, 0, 1) - instead, we need (0, 1, 0)
+            if (Fp.is0(x) && Fp.is0(y))
                 return Point.ZERO;
             return new Point(x, y, Fp.ONE);
         }
+        static fromBytes(bytes) {
+            const P = Point.fromAffine(decodePoint(_abytes2(bytes, undefined, 'point')));
+            P.assertValidity();
+            return P;
+        }
+        static fromHex(hex) {
+            return Point.fromBytes(ensureBytes('pointHex', hex));
+        }
         get x() {
             return this.toAffine().x;
         }
@@ -1404,62 +1602,40 @@ function weierstrassPoints(opts) {
             return this.toAffine().y;
         }
         /**
-         * Takes a bunch of Projective Points but executes only one
-         * inversion on all of them. Inversion is very slow operation,
-         * so this improves performance massively.
-         * Optimization: converts a list of projective points to a list of identical points with Z=1.
-         */
-        static normalizeZ(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.pz));
-            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
-        }
-        /**
-         * Converts hash string or Uint8Array to Point.
-         * @param hex short/long ECDSA hex
+         *
+         * @param windowSize
+         * @param isLazy true will defer table computation until the first multiplication
+         * @returns
          */
-        static fromHex(hex) {
-            const P = Point.fromAffine(fromBytes(ensureBytes('pointHex', hex)));
-            P.assertValidity();
-            return P;
-        }
-        // Multiplies generator point by privateKey.
-        static fromPrivateKey(privateKey) {
-            return Point.BASE.multiply(normPrivateKeyToScalar(privateKey));
-        }
-        // Multiscalar Multiplication
-        static msm(points, scalars) {
-            return pippenger(Point, Fn, points, scalars);
-        }
-        // "Private method", don't use it directly
-        _setWindowSize(windowSize) {
-            wnaf.setWindowSize(this, windowSize);
-        }
-        // A point on curve is valid if it conforms to equation.
+        precompute(windowSize = 8, isLazy = true) {
+            wnaf.createCache(this, windowSize);
+            if (!isLazy)
+                this.multiply(_3n$1); // random number
+            return this;
+        }
+        // TODO: return `this`
+        /** A point on curve is valid if it conforms to equation. */
         assertValidity() {
             assertValidMemo(this);
         }
         hasEvenY() {
             const { y } = this.toAffine();
-            if (Fp.isOdd)
-                return !Fp.isOdd(y);
-            throw new Error("Field doesn't support isOdd");
+            if (!Fp.isOdd)
+                throw new Error("Field doesn't support isOdd");
+            return !Fp.isOdd(y);
         }
-        /**
-         * Compare one point to another.
-         */
+        /** Compare one point to another. */
         equals(other) {
-            assertPrjPoint(other);
-            const { px: X1, py: Y1, pz: Z1 } = this;
-            const { px: X2, py: Y2, pz: Z2 } = other;
+            aprjpoint(other);
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             const U1 = Fp.eql(Fp.mul(X1, Z2), Fp.mul(X2, Z1));
             const U2 = Fp.eql(Fp.mul(Y1, Z2), Fp.mul(Y2, Z1));
             return U1 && U2;
         }
-        /**
-         * Flips point to one corresponding to (x, -y) in Affine coordinates.
-         */
+        /** Flips point to one corresponding to (x, -y) in Affine coordinates. */
         negate() {
-            return new Point(this.px, Fp.neg(this.py), this.pz);
+            return new Point(this.X, Fp.neg(this.Y), this.Z);
         }
         // Renes-Costello-Batina exception-free doubling formula.
         // There is 30% faster Jacobian formula, but it is not complete.
@@ -1468,7 +1644,7 @@ function weierstrassPoints(opts) {
         double() {
             const { a, b } = CURVE;
             const b3 = Fp.mul(b, _3n$1);
-            const { px: X1, py: Y1, pz: Z1 } = this;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             let t0 = Fp.mul(X1, X1); // step 1
             let t1 = Fp.mul(Y1, Y1);
@@ -1508,9 +1684,9 @@ function weierstrassPoints(opts) {
         // https://eprint.iacr.org/2015/1060, algorithm 1
         // Cost: 12M + 0S + 3*a + 3*b3 + 23add.
         add(other) {
-            assertPrjPoint(other);
-            const { px: X1, py: Y1, pz: Z1 } = this;
-            const { px: X2, py: Y2, pz: Z2 } = other;
+            aprjpoint(other);
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             let X3 = Fp.ZERO, Y3 = Fp.ZERO, Z3 = Fp.ZERO; // prettier-ignore
             const a = CURVE.a;
             const b3 = Fp.mul(CURVE.b, _3n$1);
@@ -1562,46 +1738,6 @@ function weierstrassPoints(opts) {
         is0() {
             return this.equals(Point.ZERO);
         }
-        wNAF(n) {
-            return wnaf.wNAFCached(this, n, Point.normalizeZ);
-        }
-        /**
-         * Non-constant-time multiplication. Uses double-and-add algorithm.
-         * It's faster, but should only be used when you don't care about
-         * an exposed private key e.g. sig verification, which works over *public* keys.
-         */
-        multiplyUnsafe(sc) {
-            const { endo, n: N } = CURVE;
-            aInRange('scalar', sc, _0n$2, N);
-            const I = Point.ZERO;
-            if (sc === _0n$2)
-                return I;
-            if (this.is0() || sc === _1n$4)
-                return this;
-            // Case a: no endomorphism. Case b: has precomputes.
-            if (!endo || wnaf.hasPrecomputes(this))
-                return wnaf.wNAFCachedUnsafe(this, sc, Point.normalizeZ);
-            // Case c: endomorphism
-            let { k1neg, k1, k2neg, k2 } = endo.splitScalar(sc);
-            let k1p = I;
-            let k2p = I;
-            let d = this;
-            while (k1 > _0n$2 || k2 > _0n$2) {
-                if (k1 & _1n$4)
-                    k1p = k1p.add(d);
-                if (k2 & _1n$4)
-                    k2p = k2p.add(d);
-                d = d.double();
-                k1 >>= _1n$4;
-                k2 >>= _1n$4;
-            }
-            if (k1neg)
-                k1p = k1p.negate();
-            if (k2neg)
-                k2p = k2p.negate();
-            k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-            return k1p.add(k2p);
-        }
         /**
          * Constant time multiplication.
          * Uses wNAF method. Windowed method may be 10% faster,
@@ -1612,222 +1748,360 @@ function weierstrassPoints(opts) {
          * @returns New point
          */
         multiply(scalar) {
-            const { endo, n: N } = CURVE;
-            aInRange('scalar', scalar, _1n$4, N);
+            const { endo } = extraOpts;
+            if (!Fn.isValidNot0(scalar))
+                throw new Error('invalid scalar: out of range'); // 0 is invalid
             let point, fake; // Fake point is used to const-time mult
+            const mul = (n) => wnaf.cached(this, n, (p) => normalizeZ(Point, p));
+            /** See docs for {@link EndomorphismOpts} */
             if (endo) {
-                const { k1neg, k1, k2neg, k2 } = endo.splitScalar(scalar);
-                let { p: k1p, f: f1p } = this.wNAF(k1);
-                let { p: k2p, f: f2p } = this.wNAF(k2);
-                k1p = wnaf.constTimeNegate(k1neg, k1p);
-                k2p = wnaf.constTimeNegate(k2neg, k2p);
-                k2p = new Point(Fp.mul(k2p.px, endo.beta), k2p.py, k2p.pz);
-                point = k1p.add(k2p);
-                fake = f1p.add(f2p);
+                const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(scalar);
+                const { p: k1p, f: k1f } = mul(k1);
+                const { p: k2p, f: k2f } = mul(k2);
+                fake = k1f.add(k2f);
+                point = finishEndo(endo.beta, k1p, k2p, k1neg, k2neg);
             }
             else {
-                const { p, f } = this.wNAF(scalar);
+                const { p, f } = mul(scalar);
                 point = p;
                 fake = f;
             }
             // Normalize `z` for both points, but return only real one
-            return Point.normalizeZ([point, fake])[0];
+            return normalizeZ(Point, [point, fake])[0];
         }
         /**
-         * Efficiently calculate `aP + bQ`. Unsafe, can expose private key, if used incorrectly.
-         * Not using Strauss-Shamir trick: precomputation tables are faster.
-         * The trick could be useful if both P and Q are not G (not in our case).
-         * @returns non-zero affine point
+         * Non-constant-time multiplication. Uses double-and-add algorithm.
+         * It's faster, but should only be used when you don't care about
+         * an exposed secret key e.g. sig verification, which works over *public* keys.
          */
+        multiplyUnsafe(sc) {
+            const { endo } = extraOpts;
+            const p = this;
+            if (!Fn.isValid(sc))
+                throw new Error('invalid scalar: out of range'); // 0 is valid
+            if (sc === _0n$2 || p.is0())
+                return Point.ZERO;
+            if (sc === _1n$3)
+                return p; // fast-path
+            if (wnaf.hasCache(this))
+                return this.multiply(sc);
+            if (endo) {
+                const { k1neg, k1, k2neg, k2 } = splitEndoScalarN(sc);
+                const { p1, p2 } = mulEndoUnsafe(Point, p, k1, k2); // 30% faster vs wnaf.unsafe
+                return finishEndo(endo.beta, p1, p2, k1neg, k2neg);
+            }
+            else {
+                return wnaf.unsafe(p, sc);
+            }
+        }
         multiplyAndAddUnsafe(Q, a, b) {
-            const G = Point.BASE; // No Strauss-Shamir trick: we have 10% faster G precomputes
-            const mul = (P, a // Select faster multiply() method
-            ) => (a === _0n$2 || a === _1n$4 || !P.equals(G) ? P.multiplyUnsafe(a) : P.multiply(a));
-            const sum = mul(this, a).add(mul(Q, b));
+            const sum = this.multiplyUnsafe(a).add(Q.multiplyUnsafe(b));
             return sum.is0() ? undefined : sum;
         }
-        // Converts Projective point to affine (x, y) coordinates.
-        // Can accept precomputed Z^-1 - for example, from invertBatch.
-        // (x, y, z) ∋ (x=x/z, y=y/z)
-        toAffine(iz) {
-            return toAffineMemo(this, iz);
+        /**
+         * Converts Projective point to affine (x, y) coordinates.
+         * @param invertedZ Z^-1 (inverted zero) - optional, precomputation is useful for invertBatch
+         */
+        toAffine(invertedZ) {
+            return toAffineMemo(this, invertedZ);
         }
+        /**
+         * Checks whether Point is free of torsion elements (is in prime subgroup).
+         * Always torsion-free for cofactor=1 curves.
+         */
         isTorsionFree() {
-            const { h: cofactor, isTorsionFree } = CURVE;
-            if (cofactor === _1n$4)
-                return true; // No subgroups, always torsion-free
+            const { isTorsionFree } = extraOpts;
+            if (cofactor === _1n$3)
+                return true;
             if (isTorsionFree)
                 return isTorsionFree(Point, this);
-            throw new Error('isTorsionFree() has not been declared for the elliptic curve');
+            return wnaf.unsafe(this, CURVE_ORDER).is0();
         }
         clearCofactor() {
-            const { h: cofactor, clearCofactor } = CURVE;
-            if (cofactor === _1n$4)
+            const { clearCofactor } = extraOpts;
+            if (cofactor === _1n$3)
                 return this; // Fast-path
             if (clearCofactor)
                 return clearCofactor(Point, this);
-            return this.multiplyUnsafe(CURVE.h);
+            return this.multiplyUnsafe(cofactor);
         }
-        toRawBytes(isCompressed = true) {
-            abool('isCompressed', isCompressed);
+        isSmallOrder() {
+            // can we use this.clearCofactor()?
+            return this.multiplyUnsafe(cofactor).is0();
+        }
+        toBytes(isCompressed = true) {
+            _abool2(isCompressed, 'isCompressed');
             this.assertValidity();
-            return toBytes(Point, this, isCompressed);
+            return encodePoint(Point, this, isCompressed);
         }
         toHex(isCompressed = true) {
-            abool('isCompressed', isCompressed);
-            return bytesToHex(this.toRawBytes(isCompressed));
+            return bytesToHex(this.toBytes(isCompressed));
+        }
+        toString() {
+            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
+        }
+        // TODO: remove
+        get px() {
+            return this.X;
+        }
+        get py() {
+            return this.X;
+        }
+        get pz() {
+            return this.Z;
+        }
+        toRawBytes(isCompressed = true) {
+            return this.toBytes(isCompressed);
+        }
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
+        static normalizeZ(points) {
+            return normalizeZ(Point, points);
+        }
+        static msm(points, scalars) {
+            return pippenger(Point, Fn, points, scalars);
+        }
+        static fromPrivateKey(privateKey) {
+            return Point.BASE.multiply(_normFnElement(Fn, privateKey));
         }
     }
+    // base / generator point
     Point.BASE = new Point(CURVE.Gx, CURVE.Gy, Fp.ONE);
-    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO);
-    const _bits = CURVE.nBitLength;
-    const wnaf = wNAF(Point, CURVE.endo ? Math.ceil(_bits / 2) : _bits);
-    // Validate if generator point is on curve
+    // zero / infinity / identity point
+    Point.ZERO = new Point(Fp.ZERO, Fp.ONE, Fp.ZERO); // 0, 1, 0
+    // math field
+    Point.Fp = Fp;
+    // scalar field
+    Point.Fn = Fn;
+    const bits = Fn.BITS;
+    const wnaf = new wNAF(Point, extraOpts.endo ? Math.ceil(bits / 2) : bits);
+    Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+    return Point;
+}
+// Points start with byte 0x02 when y is even; otherwise 0x03
+function pprefix(hasEvenY) {
+    return Uint8Array.of(hasEvenY ? 0x02 : 0x03);
+}
+function getWLengths(Fp, Fn) {
     return {
-        CURVE,
-        ProjectivePoint: Point,
-        normPrivateKeyToScalar,
-        weierstrassEquation,
-        isWithinCurveOrder,
+        secretKey: Fn.BYTES,
+        publicKey: 1 + Fp.BYTES,
+        publicKeyUncompressed: 1 + 2 * Fp.BYTES,
+        publicKeyHasPrefix: true,
+        signature: 2 * Fn.BYTES,
     };
 }
-function validateOpts$2(curve) {
-    const opts = validateBasic(curve);
-    validateObject(opts, {
-        hash: 'hash',
-        hmac: 'function',
-        randomBytes: 'function',
-    }, {
-        bits2int: 'function',
-        bits2int_modN: 'function',
-        lowS: 'boolean',
-    });
-    return Object.freeze({ lowS: true, ...opts });
+/**
+ * Sometimes users only need getPublicKey, getSharedSecret, and secret key handling.
+ * This helper ensures no signature functionality is present. Less code, smaller bundle size.
+ */
+function ecdh(Point, ecdhOpts = {}) {
+    const { Fn } = Point;
+    const randomBytes_ = ecdhOpts.randomBytes || randomBytes;
+    const lengths = Object.assign(getWLengths(Point.Fp, Fn), { seed: getMinHashLength(Fn.ORDER) });
+    function isValidSecretKey(secretKey) {
+        try {
+            return !!_normFnElement(Fn, secretKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    function isValidPublicKey(publicKey, isCompressed) {
+        const { publicKey: comp, publicKeyUncompressed } = lengths;
+        try {
+            const l = publicKey.length;
+            if (isCompressed === true && l !== comp)
+                return false;
+            if (isCompressed === false && l !== publicKeyUncompressed)
+                return false;
+            return !!Point.fromBytes(publicKey);
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    /**
+     * Produces cryptographically secure secret key from random of size
+     * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
+     */
+    function randomSecretKey(seed = randomBytes_(lengths.seed)) {
+        return mapHashToField(_abytes2(seed, lengths.seed, 'seed'), Fn.ORDER);
+    }
+    /**
+     * Computes public key for a secret key. Checks for validity of the secret key.
+     * @param isCompressed whether to return compact (default), or full key
+     * @returns Public key, full when isCompressed=false; short when isCompressed=true
+     */
+    function getPublicKey(secretKey, isCompressed = true) {
+        return Point.BASE.multiply(_normFnElement(Fn, secretKey)).toBytes(isCompressed);
+    }
+    function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    }
+    /**
+     * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
+     */
+    function isProbPub(item) {
+        if (typeof item === 'bigint')
+            return false;
+        if (item instanceof Point)
+            return true;
+        const { secretKey, publicKey, publicKeyUncompressed } = lengths;
+        if (Fn.allowedLengths || secretKey === publicKey)
+            return undefined;
+        const l = ensureBytes('key', item).length;
+        return l === publicKey || l === publicKeyUncompressed;
+    }
+    /**
+     * ECDH (Elliptic Curve Diffie Hellman).
+     * Computes shared public key from secret key A and public key B.
+     * Checks: 1) secret key validity 2) shared key is on-curve.
+     * Does NOT hash the result.
+     * @param isCompressed whether to return compact (default), or full key
+     * @returns shared public key
+     */
+    function getSharedSecret(secretKeyA, publicKeyB, isCompressed = true) {
+        if (isProbPub(secretKeyA) === true)
+            throw new Error('first arg must be private key');
+        if (isProbPub(publicKeyB) === false)
+            throw new Error('second arg must be public key');
+        const s = _normFnElement(Fn, secretKeyA);
+        const b = Point.fromHex(publicKeyB); // checks for being on-curve
+        return b.multiply(s).toBytes(isCompressed);
+    }
+    const utils = {
+        isValidSecretKey,
+        isValidPublicKey,
+        randomSecretKey,
+        // TODO: remove
+        isValidPrivateKey: isValidSecretKey,
+        randomPrivateKey: randomSecretKey,
+        normPrivateKeyToScalar: (key) => _normFnElement(Fn, key),
+        precompute(windowSize = 8, point = Point.BASE) {
+            return point.precompute(windowSize, false);
+        },
+    };
+    return Object.freeze({ getPublicKey, getSharedSecret, keygen, Point, utils, lengths });
 }
 /**
- * Creates short weierstrass curve and ECDSA signature methods for it.
+ * Creates ECDSA signing interface for given elliptic curve `Point` and `hash` function.
+ * We need `hash` for 2 features:
+ * 1. Message prehash-ing. NOT used if `sign` / `verify` are called with `prehash: false`
+ * 2. k generation in `sign`, using HMAC-drbg(hash)
+ *
+ * ECDSAOpts are only rarely needed.
+ *
  * @example
- * import { Field } from '@noble/curves/abstract/modular';
- * // Before that, define BigInt-s: a, b, p, n, Gx, Gy
- * const curve = weierstrass({ a, b, Fp: Field(p), n, Gx, Gy, h: 1n })
+ * ```js
+ * const p256_Point = weierstrass(...);
+ * const p256_sha256 = ecdsa(p256_Point, sha256);
+ * const p256_sha224 = ecdsa(p256_Point, sha224);
+ * const p256_sha224_r = ecdsa(p256_Point, sha224, { randomBytes: (length) => { ... } });
+ * ```
  */
-function weierstrass(curveDef) {
-    const CURVE = validateOpts$2(curveDef);
-    const { Fp, n: CURVE_ORDER } = CURVE;
-    const compressedLen = Fp.BYTES + 1; // e.g. 33 for 32
-    const uncompressedLen = 2 * Fp.BYTES + 1; // e.g. 65 for 32
-    function modN(a) {
-        return mod(a, CURVE_ORDER);
-    }
-    function invN(a) {
-        return invert(a, CURVE_ORDER);
-    }
-    const { ProjectivePoint: Point, normPrivateKeyToScalar, weierstrassEquation, isWithinCurveOrder, } = weierstrassPoints({
-        ...CURVE,
-        toBytes(_c, point, isCompressed) {
-            const a = point.toAffine();
-            const x = Fp.toBytes(a.x);
-            const cat = concatBytes;
-            abool('isCompressed', isCompressed);
-            if (isCompressed) {
-                return cat(Uint8Array.from([point.hasEvenY() ? 0x02 : 0x03]), x);
-            }
-            else {
-                return cat(Uint8Array.from([0x04]), x, Fp.toBytes(a.y));
-            }
-        },
-        fromBytes(bytes) {
-            const len = bytes.length;
-            const head = bytes[0];
-            const tail = bytes.subarray(1);
-            // this.assertValidity() is done inside of fromHex
-            if (len === compressedLen && (head === 0x02 || head === 0x03)) {
-                const x = bytesToNumberBE(tail);
-                if (!inRange(x, _1n$4, Fp.ORDER))
-                    throw new Error('Point is not on curve');
-                const y2 = weierstrassEquation(x); // y² = x³ + ax + b
-                let y;
-                try {
-                    y = Fp.sqrt(y2); // y = y² ^ (p+1)/4
-                }
-                catch (sqrtError) {
-                    const suffix = sqrtError instanceof Error ? ': ' + sqrtError.message : '';
-                    throw new Error('Point is not on curve' + suffix);
-                }
-                const isYOdd = (y & _1n$4) === _1n$4;
-                // ECDSA
-                const isHeadOdd = (head & 1) === 1;
-                if (isHeadOdd !== isYOdd)
-                    y = Fp.neg(y);
-                return { x, y };
-            }
-            else if (len === uncompressedLen && head === 0x04) {
-                const x = Fp.fromBytes(tail.subarray(0, Fp.BYTES));
-                const y = Fp.fromBytes(tail.subarray(Fp.BYTES, 2 * Fp.BYTES));
-                return { x, y };
-            }
-            else {
-                const cl = compressedLen;
-                const ul = uncompressedLen;
-                throw new Error('invalid Point, expected length of ' + cl + ', or uncompressed ' + ul + ', got ' + len);
-            }
-        },
+function ecdsa(Point, hash, ecdsaOpts = {}) {
+    ahash(hash);
+    _validateObject(ecdsaOpts, {}, {
+        hmac: 'function',
+        lowS: 'boolean',
+        randomBytes: 'function',
+        bits2int: 'function',
+        bits2int_modN: 'function',
     });
-    const numToNByteStr = (num) => bytesToHex(numberToBytesBE(num, CURVE.nByteLength));
+    const randomBytes$1 = ecdsaOpts.randomBytes || randomBytes;
+    const hmac$1 = ecdsaOpts.hmac ||
+        ((key, ...msgs) => hmac(hash, key, concatBytes(...msgs)));
+    const { Fp, Fn } = Point;
+    const { ORDER: CURVE_ORDER, BITS: fnBits } = Fn;
+    const { keygen, getPublicKey, getSharedSecret, utils, lengths } = ecdh(Point, ecdsaOpts);
+    const defaultSigOpts = {
+        prehash: false,
+        lowS: typeof ecdsaOpts.lowS === 'boolean' ? ecdsaOpts.lowS : false,
+        format: undefined, //'compact' as ECDSASigFormat,
+        extraEntropy: false,
+    };
+    const defaultSigOpts_format = 'compact';
     function isBiggerThanHalfOrder(number) {
-        const HALF = CURVE_ORDER >> _1n$4;
+        const HALF = CURVE_ORDER >> _1n$3;
         return number > HALF;
     }
-    function normalizeS(s) {
-        return isBiggerThanHalfOrder(s) ? modN(-s) : s;
+    function validateRS(title, num) {
+        if (!Fn.isValidNot0(num))
+            throw new Error(`invalid signature ${title}: out of range 1..Point.Fn.ORDER`);
+        return num;
+    }
+    function validateSigLength(bytes, format) {
+        validateSigFormat(format);
+        const size = lengths.signature;
+        const sizer = format === 'compact' ? size : format === 'recovered' ? size + 1 : undefined;
+        return _abytes2(bytes, sizer, `${format} signature`);
     }
-    // slice bytes num
-    const slcNum = (b, from, to) => bytesToNumberBE(b.slice(from, to));
     /**
-     * ECDSA signature with its (r, s) properties. Supports DER & compact representations.
+     * ECDSA signature with its (r, s) properties. Supports compact, recovered & DER representations.
      */
     class Signature {
         constructor(r, s, recovery) {
-            this.r = r;
-            this.s = s;
-            this.recovery = recovery;
-            this.assertValidity();
-        }
-        // pair (bytes of r, bytes of s)
-        static fromCompact(hex) {
-            const l = CURVE.nByteLength;
-            hex = ensureBytes('compactSignature', hex, l * 2);
-            return new Signature(slcNum(hex, 0, l), slcNum(hex, l, 2 * l));
+            this.r = validateRS('r', r); // r in [1..N-1];
+            this.s = validateRS('s', s); // s in [1..N-1];
+            if (recovery != null)
+                this.recovery = recovery;
+            Object.freeze(this);
         }
-        // DER encoded ECDSA signature
-        // https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script
-        static fromDER(hex) {
-            const { r, s } = DER.toSig(ensureBytes('DER', hex));
-            return new Signature(r, s);
+        static fromBytes(bytes, format = defaultSigOpts_format) {
+            validateSigLength(bytes, format);
+            let recid;
+            if (format === 'der') {
+                const { r, s } = DER.toSig(_abytes2(bytes));
+                return new Signature(r, s);
+            }
+            if (format === 'recovered') {
+                recid = bytes[0];
+                format = 'compact';
+                bytes = bytes.subarray(1);
+            }
+            const L = Fn.BYTES;
+            const r = bytes.subarray(0, L);
+            const s = bytes.subarray(L, L * 2);
+            return new Signature(Fn.fromBytes(r), Fn.fromBytes(s), recid);
         }
-        assertValidity() {
-            aInRange('r', this.r, _1n$4, CURVE_ORDER); // r in [1..N]
-            aInRange('s', this.s, _1n$4, CURVE_ORDER); // s in [1..N]
+        static fromHex(hex, format) {
+            return this.fromBytes(hexToBytes(hex), format);
         }
         addRecoveryBit(recovery) {
             return new Signature(this.r, this.s, recovery);
         }
-        recoverPublicKey(msgHash) {
+        recoverPublicKey(messageHash) {
+            const FIELD_ORDER = Fp.ORDER;
             const { r, s, recovery: rec } = this;
-            const h = bits2int_modN(ensureBytes('msgHash', msgHash)); // Truncate hash
             if (rec == null || ![0, 1, 2, 3].includes(rec))
                 throw new Error('recovery id invalid');
-            const radj = rec === 2 || rec === 3 ? r + CURVE.n : r;
-            if (radj >= Fp.ORDER)
+            // ECDSA recovery is hard for cofactor > 1 curves.
+            // In sign, `r = q.x mod n`, and here we recover q.x from r.
+            // While recovering q.x >= n, we need to add r+n for cofactor=1 curves.
+            // However, for cofactor>1, r+n may not get q.x:
+            // r+n*i would need to be done instead where i is unknown.
+            // To easily get i, we either need to:
+            // a. increase amount of valid recid values (4, 5...); OR
+            // b. prohibit non-prime-order signatures (recid > 1).
+            const hasCofactor = CURVE_ORDER * _2n$4 < FIELD_ORDER;
+            if (hasCofactor && rec > 1)
+                throw new Error('recovery id is ambiguous for h>1 curve');
+            const radj = rec === 2 || rec === 3 ? r + CURVE_ORDER : r;
+            if (!Fp.isValid(radj))
                 throw new Error('recovery id 2 or 3 invalid');
-            const prefix = (rec & 1) === 0 ? '02' : '03';
-            const R = Point.fromHex(prefix + numToNByteStr(radj));
-            const ir = invN(radj); // r^-1
-            const u1 = modN(-h * ir); // -hr^-1
-            const u2 = modN(s * ir); // sr^-1
-            const Q = Point.BASE.multiplyAndAddUnsafe(R, u1, u2); // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1)
-            if (!Q)
-                throw new Error('point at infinify'); // unsafe is fine: no priv data leaked
+            const x = Fp.toBytes(radj);
+            const R = Point.fromBytes(concatBytes(pprefix((rec & 1) === 0), x));
+            const ir = Fn.inv(radj); // r^-1
+            const h = bits2int_modN(ensureBytes('msgHash', messageHash)); // Truncate hash
+            const u1 = Fn.create(-h * ir); // -hr^-1
+            const u2 = Fn.create(s * ir); // sr^-1
+            // (sr^-1)R-(hr^-1)G = -(hr^-1)G + (sr^-1). unsafe is fine: there is no private data.
+            const Q = Point.BASE.multiplyUnsafe(u1).add(R.multiplyUnsafe(u2));
+            if (Q.is0())
+                throw new Error('point at infinify');
             Q.assertValidity();
             return Q;
         }
@@ -1835,466 +2109,484 @@ function weierstrass(curveDef) {
         hasHighS() {
             return isBiggerThanHalfOrder(this.s);
         }
+        toBytes(format = defaultSigOpts_format) {
+            validateSigFormat(format);
+            if (format === 'der')
+                return hexToBytes(DER.hexFromSig(this));
+            const r = Fn.toBytes(this.r);
+            const s = Fn.toBytes(this.s);
+            if (format === 'recovered') {
+                if (this.recovery == null)
+                    throw new Error('recovery bit must be present');
+                return concatBytes(Uint8Array.of(this.recovery), r, s);
+            }
+            return concatBytes(r, s);
+        }
+        toHex(format) {
+            return bytesToHex(this.toBytes(format));
+        }
+        // TODO: remove
+        assertValidity() { }
+        static fromCompact(hex) {
+            return Signature.fromBytes(ensureBytes('sig', hex), 'compact');
+        }
+        static fromDER(hex) {
+            return Signature.fromBytes(ensureBytes('sig', hex), 'der');
+        }
         normalizeS() {
-            return this.hasHighS() ? new Signature(this.r, modN(-this.s), this.recovery) : this;
+            return this.hasHighS() ? new Signature(this.r, Fn.neg(this.s), this.recovery) : this;
         }
-        // DER-encoded
         toDERRawBytes() {
-            return hexToBytes(this.toDERHex());
+            return this.toBytes('der');
         }
         toDERHex() {
-            return DER.hexFromSig({ r: this.r, s: this.s });
+            return bytesToHex(this.toBytes('der'));
         }
-        // padded bytes of r, then padded bytes of s
         toCompactRawBytes() {
-            return hexToBytes(this.toCompactHex());
+            return this.toBytes('compact');
         }
         toCompactHex() {
-            return numToNByteStr(this.r) + numToNByteStr(this.s);
+            return bytesToHex(this.toBytes('compact'));
         }
     }
-    const utils = {
-        isValidPrivateKey(privateKey) {
-            try {
-                normPrivateKeyToScalar(privateKey);
-                return true;
-            }
-            catch (error) {
-                return false;
-            }
-        },
-        normPrivateKeyToScalar: normPrivateKeyToScalar,
-        /**
-         * Produces cryptographically secure private key from random of size
-         * (groupLen + ceil(groupLen / 2)) with modulo bias being negligible.
-         */
-        randomPrivateKey: () => {
-            const length = getMinHashLength(CURVE.n);
-            return mapHashToField(CURVE.randomBytes(length), CURVE.n);
-        },
-        /**
-         * Creates precompute table for an arbitrary EC point. Makes point "cached".
-         * Allows to massively speed-up `point.multiply(scalar)`.
-         * @returns cached point
-         * @example
-         * const fast = utils.precompute(8, ProjectivePoint.fromHex(someonesPubKey));
-         * fast.multiply(privKey); // much faster ECDH now
-         */
-        precompute(windowSize = 8, point = Point.BASE) {
-            point._setWindowSize(windowSize);
-            point.multiply(BigInt(3)); // 3 is arbitrary, just need any number here
-            return point;
-        },
-    };
-    /**
-     * Computes public key for a private key. Checks for validity of the private key.
-     * @param privateKey private key
-     * @param isCompressed whether to return compact (default), or full key
-     * @returns Public key, full when isCompressed=false; short when isCompressed=true
-     */
-    function getPublicKey(privateKey, isCompressed = true) {
-        return Point.fromPrivateKey(privateKey).toRawBytes(isCompressed);
-    }
-    /**
-     * Quick and dirty check for item being public key. Does not validate hex, or being on-curve.
-     */
-    function isProbPub(item) {
-        const arr = isBytes(item);
-        const str = typeof item === 'string';
-        const len = (arr || str) && item.length;
-        if (arr)
-            return len === compressedLen || len === uncompressedLen;
-        if (str)
-            return len === 2 * compressedLen || len === 2 * uncompressedLen;
-        if (item instanceof Point)
-            return true;
-        return false;
-    }
-    /**
-     * ECDH (Elliptic Curve Diffie Hellman).
-     * Computes shared public key from private key and public key.
-     * Checks: 1) private key validity 2) shared key is on-curve.
-     * Does NOT hash the result.
-     * @param privateA private key
-     * @param publicB different public key
-     * @param isCompressed whether to return compact (default), or full key
-     * @returns shared public key
-     */
-    function getSharedSecret(privateA, publicB, isCompressed = true) {
-        if (isProbPub(privateA))
-            throw new Error('first arg must be private key');
-        if (!isProbPub(publicB))
-            throw new Error('second arg must be public key');
-        const b = Point.fromHex(publicB); // check for being on-curve
-        return b.multiply(normPrivateKeyToScalar(privateA)).toRawBytes(isCompressed);
-    }
     // RFC6979: ensure ECDSA msg is X bytes and < N. RFC suggests optional truncating via bits2octets.
     // FIPS 186-4 4.6 suggests the leftmost min(nBitLen, outLen) bits, which matches bits2int.
     // bits2int can produce res>N, we can do mod(res, N) since the bitLen is the same.
     // int2octets can't be used; pads small msgs with 0: unacceptatble for trunc as per RFC vectors
-    const bits2int = CURVE.bits2int ||
-        function (bytes) {
-            // Our custom check "just in case"
+    const bits2int = ecdsaOpts.bits2int ||
+        function bits2int_def(bytes) {
+            // Our custom check "just in case", for protection against DoS
             if (bytes.length > 8192)
                 throw new Error('input is too large');
             // For curves with nBitLength % 8 !== 0: bits2octets(bits2octets(m)) !== bits2octets(m)
             // for some cases, since bytes.length * 8 is not actual bitLength.
             const num = bytesToNumberBE(bytes); // check for == u8 done here
-            const delta = bytes.length * 8 - CURVE.nBitLength; // truncate to nBitLength leftmost bits
+            const delta = bytes.length * 8 - fnBits; // truncate to nBitLength leftmost bits
             return delta > 0 ? num >> BigInt(delta) : num;
         };
-    const bits2int_modN = CURVE.bits2int_modN ||
-        function (bytes) {
-            return modN(bits2int(bytes)); // can't use bytesToNumberBE here
+    const bits2int_modN = ecdsaOpts.bits2int_modN ||
+        function bits2int_modN_def(bytes) {
+            return Fn.create(bits2int(bytes)); // can't use bytesToNumberBE here
         };
-    // NOTE: pads output with zero as per spec
-    const ORDER_MASK = bitMask(CURVE.nBitLength);
+    // Pads output with zero as per spec
+    const ORDER_MASK = bitMask(fnBits);
+    /** Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`. */
+    function int2octets(num) {
+        // IMPORTANT: the check ensures working for case `Fn.BYTES != Fn.BITS * 8`
+        aInRange('num < 2^' + fnBits, num, _0n$2, ORDER_MASK);
+        return Fn.toBytes(num);
+    }
+    function validateMsgAndHash(message, prehash) {
+        _abytes2(message, undefined, 'message');
+        return prehash ? _abytes2(hash(message), undefined, 'prehashed message') : message;
+    }
     /**
-     * Converts to bytes. Checks if num in `[0..ORDER_MASK-1]` e.g.: `[0..2^256-1]`.
+     * Steps A, D of RFC6979 3.2.
+     * Creates RFC6979 seed; converts msg/privKey to numbers.
+     * Used only in sign, not in verify.
+     *
+     * Warning: we cannot assume here that message has same amount of bytes as curve order,
+     * this will be invalid at least for P521. Also it can be bigger for P224 + SHA256.
      */
-    function int2octets(num) {
-        aInRange('num < 2^' + CURVE.nBitLength, num, _0n$2, ORDER_MASK);
-        // works with order, can have different size than numToField!
-        return numberToBytesBE(num, CURVE.nByteLength);
-    }
-    // Steps A, D of RFC6979 3.2
-    // Creates RFC6979 seed; converts msg/privKey to numbers.
-    // Used only in sign, not in verify.
-    // NOTE: we cannot assume here that msgHash has same amount of bytes as curve order,
-    // this will be invalid at least for P521. Also it can be bigger for P224 + SHA256
-    function prepSig(msgHash, privateKey, opts = defaultSigOpts) {
+    function prepSig(message, privateKey, opts) {
         if (['recovered', 'canonical'].some((k) => k in opts))
             throw new Error('sign() legacy options not supported');
-        const { hash, randomBytes } = CURVE;
-        let { lowS, prehash, extraEntropy: ent } = opts; // generates low-s sigs by default
-        if (lowS == null)
-            lowS = true; // RFC6979 3.2: we skip step A, because we already provide hash
-        msgHash = ensureBytes('msgHash', msgHash);
-        validateSigVerOpts(opts);
-        if (prehash)
-            msgHash = ensureBytes('prehashed msgHash', hash(msgHash));
+        const { lowS, prehash, extraEntropy } = validateSigOpts(opts, defaultSigOpts);
+        message = validateMsgAndHash(message, prehash); // RFC6979 3.2 A: h1 = H(m)
         // We can't later call bits2octets, since nested bits2int is broken for curves
-        // with nBitLength % 8 !== 0. Because of that, we unwrap it here as int2octets call.
+        // with fnBits % 8 !== 0. Because of that, we unwrap it here as int2octets call.
         // const bits2octets = (bits) => int2octets(bits2int_modN(bits))
-        const h1int = bits2int_modN(msgHash);
-        const d = normPrivateKeyToScalar(privateKey); // validate private key, convert to bigint
+        const h1int = bits2int_modN(message);
+        const d = _normFnElement(Fn, privateKey); // validate secret key, convert to bigint
         const seedArgs = [int2octets(d), int2octets(h1int)];
         // extraEntropy. RFC6979 3.6: additional k' (optional).
-        if (ent != null && ent !== false) {
+        if (extraEntropy != null && extraEntropy !== false) {
             // K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1) || k')
-            const e = ent === true ? randomBytes(Fp.BYTES) : ent; // generate random bytes OR pass as-is
+            // gen random bytes OR pass as-is
+            const e = extraEntropy === true ? randomBytes$1(lengths.secretKey) : extraEntropy;
             seedArgs.push(ensureBytes('extraEntropy', e)); // check for being bytes
         }
         const seed = concatBytes(...seedArgs); // Step D of RFC6979 3.2
         const m = h1int; // NOTE: no need to call bits2int second time here, it is inside truncateHash!
         // Converts signature params into point w r/s, checks result for validity.
+        // To transform k => Signature:
+        // q = k⋅G
+        // r = q.x mod n
+        // s = k^-1(m + rd) mod n
+        // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
+        // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
+        // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
         function k2sig(kBytes) {
             // RFC 6979 Section 3.2, step 3: k = bits2int(T)
-            const k = bits2int(kBytes); // Cannot use fields methods, since it is group element
-            if (!isWithinCurveOrder(k))
-                return; // Important: all mod() calls here must be done over N
-            const ik = invN(k); // k^-1 mod n
-            const q = Point.BASE.multiply(k).toAffine(); // q = Gk
-            const r = modN(q.x); // r = q.x mod n
+            // Important: all mod() calls here must be done over N
+            const k = bits2int(kBytes); // mod n, not mod p
+            if (!Fn.isValidNot0(k))
+                return; // Valid scalars (including k) must be in 1..N-1
+            const ik = Fn.inv(k); // k^-1 mod n
+            const q = Point.BASE.multiply(k).toAffine(); // q = k⋅G
+            const r = Fn.create(q.x); // r = q.x mod n
             if (r === _0n$2)
                 return;
-            // Can use scalar blinding b^-1(bm + bdr) where b ∈ [1,q−1] according to
-            // https://tches.iacr.org/index.php/TCHES/article/view/7337/6509. We've decided against it:
-            // a) dependency on CSPRNG b) 15% slowdown c) doesn't really help since bigints are not CT
-            const s = modN(ik * modN(m + r * d)); // Not using blinding here
+            const s = Fn.create(ik * Fn.create(m + r * d)); // Not using blinding here, see comment above
             if (s === _0n$2)
                 return;
-            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n$4); // recovery bit (2 or 3, when q.x > n)
+            let recovery = (q.x === r ? 0 : 2) | Number(q.y & _1n$3); // recovery bit (2 or 3, when q.x > n)
             let normS = s;
             if (lowS && isBiggerThanHalfOrder(s)) {
-                normS = normalizeS(s); // if lowS was passed, ensure s is always
+                normS = Fn.neg(s); // if lowS was passed, ensure s is always
                 recovery ^= 1; // // in the bottom half of N
             }
             return new Signature(r, normS, recovery); // use normS, not s
         }
         return { seed, k2sig };
     }
-    const defaultSigOpts = { lowS: CURVE.lowS, prehash: false };
-    const defaultVerOpts = { lowS: CURVE.lowS, prehash: false };
     /**
-     * Signs message hash with a private key.
+     * Signs message hash with a secret key.
+     *
      * ```
-     * sign(m, d, k) where
+     * sign(m, d) where
+     *   k = rfc6979_hmac_drbg(m, d)
      *   (x, y) = G × k
      *   r = x mod n
-     *   s = (m + dr)/k mod n
+     *   s = (m + dr) / k mod n
      * ```
-     * @param msgHash NOT message. msg needs to be hashed to `msgHash`, or use `prehash`.
-     * @param privKey private key
-     * @param opts lowS for non-malleable sigs. extraEntropy for mixing randomness into k. prehash will hash first arg.
-     * @returns signature with recovery param
      */
-    function sign(msgHash, privKey, opts = defaultSigOpts) {
-        const { seed, k2sig } = prepSig(msgHash, privKey, opts); // Steps A, D of RFC6979 3.2.
-        const C = CURVE;
-        const drbg = createHmacDrbg(C.hash.outputLen, C.nByteLength, C.hmac);
-        return drbg(seed, k2sig); // Steps B, C, D, E, F, G
-    }
-    // Enable precomputes. Slows down first publicKey computation by 20ms.
-    Point.BASE._setWindowSize(8);
-    // utils.precompute(8, ProjectivePoint.BASE)
-    /**
-     * Verifies a signature against message hash and public key.
-     * Rejects lowS signatures by default: to override,
-     * specify option `{lowS: false}`. Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
-     *
-     * ```
-     * verify(r, s, h, P) where
-     *   U1 = hs^-1 mod n
-     *   U2 = rs^-1 mod n
-     *   R = U1⋅G - U2⋅P
-     *   mod(R.x, n) == r
-     * ```
-     */
-    function verify(signature, msgHash, publicKey, opts = defaultVerOpts) {
-        const sg = signature;
-        msgHash = ensureBytes('msgHash', msgHash);
-        publicKey = ensureBytes('publicKey', publicKey);
-        const { lowS, prehash, format } = opts;
-        // Verify opts, deduce signature format
-        validateSigVerOpts(opts);
-        if ('strict' in opts)
-            throw new Error('options.strict was renamed to lowS');
-        if (format !== undefined && format !== 'compact' && format !== 'der')
-            throw new Error('format must be compact or der');
+    function sign(message, secretKey, opts = {}) {
+        message = ensureBytes('message', message);
+        const { seed, k2sig } = prepSig(message, secretKey, opts); // Steps A, D of RFC6979 3.2.
+        const drbg = createHmacDrbg(hash.outputLen, Fn.BYTES, hmac$1);
+        const sig = drbg(seed, k2sig); // Steps B, C, D, E, F, G
+        return sig;
+    }
+    function tryParsingSig(sg) {
+        // Try to deduce format
+        let sig = undefined;
         const isHex = typeof sg === 'string' || isBytes(sg);
         const isObj = !isHex &&
-            !format &&
-            typeof sg === 'object' &&
             sg !== null &&
+            typeof sg === 'object' &&
             typeof sg.r === 'bigint' &&
             typeof sg.s === 'bigint';
         if (!isHex && !isObj)
             throw new Error('invalid signature, expected Uint8Array, hex string or Signature instance');
-        let _sig = undefined;
-        let P;
-        try {
-            if (isObj)
-                _sig = new Signature(sg.r, sg.s);
-            if (isHex) {
-                // Signature can be represented in 2 ways: compact (2*nByteLength) & DER (variable-length).
-                // Since DER can also be 2*nByteLength bytes, we check for it first.
+        if (isObj) {
+            sig = new Signature(sg.r, sg.s);
+        }
+        else if (isHex) {
+            try {
+                sig = Signature.fromBytes(ensureBytes('sig', sg), 'der');
+            }
+            catch (derError) {
+                if (!(derError instanceof DER.Err))
+                    throw derError;
+            }
+            if (!sig) {
                 try {
-                    if (format !== 'compact')
-                        _sig = Signature.fromDER(sg);
+                    sig = Signature.fromBytes(ensureBytes('sig', sg), 'compact');
                 }
-                catch (derError) {
-                    if (!(derError instanceof DER.Err))
-                        throw derError;
+                catch (error) {
+                    return false;
                 }
-                if (!_sig && format !== 'der')
-                    _sig = Signature.fromCompact(sg);
             }
-            P = Point.fromHex(publicKey);
-        }
-        catch (error) {
-            return false;
         }
-        if (!_sig)
+        if (!sig)
             return false;
-        if (lowS && _sig.hasHighS())
+        return sig;
+    }
+    /**
+     * Verifies a signature against message and public key.
+     * Rejects lowS signatures by default: see {@link ECDSAVerifyOpts}.
+     * Implements section 4.1.4 from https://www.secg.org/sec1-v2.pdf:
+     *
+     * ```
+     * verify(r, s, h, P) where
+     *   u1 = hs^-1 mod n
+     *   u2 = rs^-1 mod n
+     *   R = u1⋅G + u2⋅P
+     *   mod(R.x, n) == r
+     * ```
+     */
+    function verify(signature, message, publicKey, opts = {}) {
+        const { lowS, prehash, format } = validateSigOpts(opts, defaultSigOpts);
+        publicKey = ensureBytes('publicKey', publicKey);
+        message = validateMsgAndHash(ensureBytes('message', message), prehash);
+        if ('strict' in opts)
+            throw new Error('options.strict was renamed to lowS');
+        const sig = format === undefined
+            ? tryParsingSig(signature)
+            : Signature.fromBytes(ensureBytes('sig', signature), format);
+        if (sig === false)
             return false;
-        if (prehash)
-            msgHash = CURVE.hash(msgHash);
-        const { r, s } = _sig;
-        const h = bits2int_modN(msgHash); // Cannot use fields methods, since it is group element
-        const is = invN(s); // s^-1
-        const u1 = modN(h * is); // u1 = hs^-1 mod n
-        const u2 = modN(r * is); // u2 = rs^-1 mod n
-        const R = Point.BASE.multiplyAndAddUnsafe(P, u1, u2)?.toAffine(); // R = u1⋅G + u2⋅P
-        if (!R)
+        try {
+            const P = Point.fromBytes(publicKey);
+            if (lowS && sig.hasHighS())
+                return false;
+            const { r, s } = sig;
+            const h = bits2int_modN(message); // mod n, not mod p
+            const is = Fn.inv(s); // s^-1 mod n
+            const u1 = Fn.create(h * is); // u1 = hs^-1 mod n
+            const u2 = Fn.create(r * is); // u2 = rs^-1 mod n
+            const R = Point.BASE.multiplyUnsafe(u1).add(P.multiplyUnsafe(u2)); // u1⋅G + u2⋅P
+            if (R.is0())
+                return false;
+            const v = Fn.create(R.x); // v = r.x mod n
+            return v === r;
+        }
+        catch (e) {
             return false;
-        const v = modN(R.x);
-        return v === r;
+        }
     }
-    return {
-        CURVE,
+    function recoverPublicKey(signature, message, opts = {}) {
+        const { prehash } = validateSigOpts(opts, defaultSigOpts);
+        message = validateMsgAndHash(message, prehash);
+        return Signature.fromBytes(signature, 'recovered').recoverPublicKey(message).toBytes();
+    }
+    return Object.freeze({
+        keygen,
         getPublicKey,
         getSharedSecret,
+        utils,
+        lengths,
+        Point,
         sign,
         verify,
-        ProjectivePoint: Point,
+        recoverPublicKey,
         Signature,
-        utils,
+        hash,
+    });
+}
+function _weierstrass_legacy_opts_to_new(c) {
+    const CURVE = {
+        a: c.a,
+        b: c.b,
+        p: c.Fp.ORDER,
+        n: c.n,
+        h: c.h,
+        Gx: c.Gx,
+        Gy: c.Gy,
+    };
+    const Fp = c.Fp;
+    let allowedLengths = c.allowedPrivateKeyLengths
+        ? Array.from(new Set(c.allowedPrivateKeyLengths.map((l) => Math.ceil(l / 2))))
+        : undefined;
+    const Fn = Field(CURVE.n, {
+        BITS: c.nBitLength,
+        allowedLengths: allowedLengths,
+        modFromBytes: c.wrapPrivateKey,
+    });
+    const curveOpts = {
+        Fp,
+        Fn,
+        allowInfinityPoint: c.allowInfinityPoint,
+        endo: c.endo,
+        isTorsionFree: c.isTorsionFree,
+        clearCofactor: c.clearCofactor,
+        fromBytes: c.fromBytes,
+        toBytes: c.toBytes,
+    };
+    return { CURVE, curveOpts };
+}
+function _ecdsa_legacy_opts_to_new(c) {
+    const { CURVE, curveOpts } = _weierstrass_legacy_opts_to_new(c);
+    const ecdsaOpts = {
+        hmac: c.hmac,
+        randomBytes: c.randomBytes,
+        lowS: c.lowS,
+        bits2int: c.bits2int,
+        bits2int_modN: c.bits2int_modN,
     };
+    return { CURVE, curveOpts, hash: c.hash, ecdsaOpts };
+}
+function _ecdsa_new_output_to_legacy(c, _ecdsa) {
+    const Point = _ecdsa.Point;
+    return Object.assign({}, _ecdsa, {
+        ProjectivePoint: Point,
+        CURVE: Object.assign({}, c, nLength(Point.Fn.ORDER, Point.Fn.BITS)),
+    });
+}
+// _ecdsa_legacy
+function weierstrass(c) {
+    const { CURVE, curveOpts, hash, ecdsaOpts } = _ecdsa_legacy_opts_to_new(c);
+    const Point = weierstrassN(CURVE, curveOpts);
+    const signs = ecdsa(Point, hash, ecdsaOpts);
+    return _ecdsa_new_output_to_legacy(c, signs);
 }
 
+/**
+ * Utilities for short weierstrass curves, combined with noble-hashes.
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// connects noble-curves to noble-hashes
-function getHash(hash) {
-    return {
-        hash,
-        hmac: (key, ...msgs) => hmac(hash, key, concatBytes$1(...msgs)),
-        randomBytes,
-    };
-}
+/** @deprecated use new `weierstrass()` and `ecdsa()` methods */
 function createCurve(curveDef, defHash) {
-    const create = (hash) => weierstrass({ ...curveDef, ...getHash(hash) });
-    return Object.freeze({ ...create(defHash), create });
+    const create = (hash) => weierstrass({ ...curveDef, hash: hash });
+    return { ...create(defHash), create };
 }
 
+/**
+ * Internal module for NIST P256, P384, P521 curves.
+ * Do not use for now.
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// NIST secp256r1 aka p256
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
-const Fp256 = Field(BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'));
-const CURVE_A$4 = Fp256.create(BigInt('-3'));
-const CURVE_B$4 = BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b');
-// prettier-ignore
-const p256 = createCurve({
-    a: CURVE_A$4, // Equation params: a, b
-    b: CURVE_B$4,
-    Fp: Fp256, // Field: 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n-1n
-    // Curve order, total count of valid points in the field
+// p = 2n**224n * (2n**32n-1n) + 2n**192n + 2n**96n - 1n
+// a = Fp256.create(BigInt('-3'));
+const p256_CURVE = {
+    p: BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff'),
     n: BigInt('0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551'),
-    // Base (generator) point (x, y)
+    h: BigInt(1),
+    a: BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'),
+    b: BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'),
     Gx: BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296'),
     Gy: BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'),
-    h: BigInt(1),
-    lowS: false,
-}, sha256);
-
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// NIST secp384r1 aka p384
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-384
-// Field over which we'll do calculations.
-// prettier-ignore
-const P$1 = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff');
-const Fp384 = Field(P$1);
-const CURVE_A$3 = Fp384.create(BigInt('-3'));
-// prettier-ignore
-const CURVE_B$3 = BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef');
-// prettier-ignore
-const p384 = createCurve({
-    a: CURVE_A$3, // Equation params: a, b
-    b: CURVE_B$3,
-    Fp: Fp384, // Field: 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
-    // Curve order, total count of valid points in the field.
+};
+// p = 2n**384n - 2n**128n - 2n**96n + 2n**32n - 1n
+const p384_CURVE = {
+    p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff'),
     n: BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973'),
-    // Base (generator) point (x, y)
+    h: BigInt(1),
+    a: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000fffffffc'),
+    b: BigInt('0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef'),
     Gx: BigInt('0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7'),
     Gy: BigInt('0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f'),
+};
+// p = 2n**521n - 1n
+const p521_CURVE = {
+    p: BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
+    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
     h: BigInt(1),
-    lowS: false,
-}, sha384);
-
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// NIST secp521r1 aka p521
-// Note that it's 521, which differs from 512 of its hash function.
-// https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-521
-// Field over which we'll do calculations.
-// prettier-ignore
-const P = BigInt('0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
-const Fp521 = Field(P);
-const CURVE = {
-    a: Fp521.create(BigInt('-3')),
+    a: BigInt('0x1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc'),
     b: BigInt('0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00'),
-    Fp: Fp521,
-    n: BigInt('0x01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409'),
     Gx: BigInt('0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66'),
     Gy: BigInt('0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650'),
-    h: BigInt(1),
 };
-// prettier-ignore
-const p521 = createCurve({
-    a: CURVE.a, // Equation params: a, b
-    b: CURVE.b,
-    Fp: Fp521, // Field: 2n**521n - 1n
-    // Curve order, total count of valid points in the field
-    n: CURVE.n,
-    Gx: CURVE.Gx, // Base point (x, y) aka generator point
-    Gy: CURVE.Gy,
-    h: CURVE.h,
-    lowS: false,
-    allowedPrivateKeyLengths: [130, 131, 132] // P521 keys are variable-length. Normalize to 132b
-}, sha512);
+const Fp256 = Field(p256_CURVE.p);
+const Fp384 = Field(p384_CURVE.p);
+const Fp521 = Field(p521_CURVE.p);
+/** NIST P256 (aka secp256r1, prime256v1) curve, ECDSA and ECDH methods. */
+const p256$1 = createCurve({ ...p256_CURVE, Fp: Fp256, lowS: false }, sha256);
+// export const p256_oprf: OPRF = createORPF({
+//   name: 'P256-SHA256',
+//   Point: p256.Point,
+//   hash: sha256,
+//   hashToGroup: p256_hasher.hashToCurve,
+//   hashToScalar: p256_hasher.hashToScalar,
+// });
+/** NIST P384 (aka secp384r1) curve, ECDSA and ECDH methods. */
+const p384$1 = createCurve({ ...p384_CURVE, Fp: Fp384, lowS: false }, sha384);
+// export const p384_oprf: OPRF = createORPF({
+//   name: 'P384-SHA384',
+//   Point: p384.Point,
+//   hash: sha384,
+//   hashToGroup: p384_hasher.hashToCurve,
+//   hashToScalar: p384_hasher.hashToScalar,
+// });
+// const Fn521 = Field(p521_CURVE.n, { allowedScalarLengths: [65, 66] });
+/** NIST P521 (aka secp521r1) curve, ECDSA and ECDH methods. */
+const p521$1 = createCurve({ ...p521_CURVE, Fp: Fp521, lowS: false, allowedPrivateKeyLengths: [130, 131, 132] }, sha512);
+// export const p521_oprf: OPRF = createORPF({
+//   name: 'P521-SHA512',
+//   Point: p521.Point,
+//   hash: sha512,
+//   hashToGroup: p521_hasher.hashToCurve,
+//   hashToScalar: p521_hasher.hashToScalar, // produces L=98 just like in RFC
+// });
+
+/**
+ * NIST secp256r1 aka p256.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/** @deprecated use `import { p256 } from '@noble/curves/nist.js';` */
+const p256 = p256$1;
 
+/**
+ * NIST secp384r1 aka p384.
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-// Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y²
-// Be friendly to bad ECMAScript parsers by not using bigint literals
-// prettier-ignore
-const _0n$1 = BigInt(0), _1n$3 = BigInt(1), _2n$2 = BigInt(2), _8n = BigInt(8);
-// verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
-const VERIFY_DEFAULT = { zip215: true };
-function validateOpts$1(curve) {
-    const opts = validateBasic(curve);
-    validateObject(curve, {
-        hash: 'function',
-        a: 'bigint',
-        d: 'bigint',
-        randomBytes: 'function',
-    }, {
-        adjustScalarBytes: 'function',
-        domain: 'function',
-        uvRatio: 'function',
-        mapToCurve: 'function',
-    });
-    // Set defaults
-    return Object.freeze({ ...opts });
-}
+/** @deprecated use `import { p384 } from '@noble/curves/nist.js';` */
+const p384 = p384$1;
+
 /**
- * Creates Twisted Edwards curve with EdDSA signatures.
- * @example
- * import { Field } from '@noble/curves/abstract/modular';
- * // Before that, define BigInt-s: a, d, p, n, Gx, Gy, h
- * const curve = twistedEdwards({ a, d, Fp: Field(p), n, Gx, Gy, h })
+ * NIST secp521r1 aka p521.
+ * @module
+ */
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+/** @deprecated use `import { p521 } from '@noble/curves/nist.js';` */
+const p521 = p521$1;
+
+/**
+ * Twisted Edwards curve. The formula is: ax² + y² = 1 + dx²y².
+ * For design rationale of types / exports, see weierstrass module documentation.
+ * Untwisted Edwards curves exist, but they aren't used in real-world protocols.
+ * @module
  */
-function twistedEdwards(curveDef) {
-    const CURVE = validateOpts$1(curveDef);
-    const { Fp, n: CURVE_ORDER, prehash: prehash, hash: cHash, randomBytes, nByteLength, h: cofactor, } = CURVE;
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// Be friendly to bad ECMAScript parsers by not using bigint literals
+// prettier-ignore
+const _0n$1 = BigInt(0), _1n$2 = BigInt(1), _2n$3 = BigInt(2), _8n = BigInt(8);
+function isEdValidXY(Fp, CURVE, x, y) {
+    const x2 = Fp.sqr(x);
+    const y2 = Fp.sqr(y);
+    const left = Fp.add(Fp.mul(CURVE.a, x2), y2);
+    const right = Fp.add(Fp.ONE, Fp.mul(CURVE.d, Fp.mul(x2, y2)));
+    return Fp.eql(left, right);
+}
+function edwards(params, extraOpts = {}) {
+    const validated = _createCurveFields('edwards', params, extraOpts, extraOpts.FpFnLE);
+    const { Fp, Fn } = validated;
+    let CURVE = validated.CURVE;
+    const { h: cofactor } = CURVE;
+    _validateObject(extraOpts, {}, { uvRatio: 'function' });
     // Important:
     // There are some places where Fp.BYTES is used instead of nByteLength.
     // So far, everything has been tested with curves of Fp.BYTES == nByteLength.
     // TODO: test and find curves which behave otherwise.
-    const MASK = _2n$2 << (BigInt(nByteLength * 8) - _1n$3);
-    const modP = Fp.create; // Function overrides
-    const Fn = Field(CURVE.n, CURVE.nBitLength);
+    const MASK = _2n$3 << (BigInt(Fn.BYTES * 8) - _1n$2);
+    const modP = (n) => Fp.create(n); // Function overrides
     // sqrt(u/v)
-    const uvRatio = CURVE.uvRatio ||
+    const uvRatio = extraOpts.uvRatio ||
         ((u, v) => {
             try {
-                return { isValid: true, value: Fp.sqrt(u * Fp.inv(v)) };
+                return { isValid: true, value: Fp.sqrt(Fp.div(u, v)) };
             }
             catch (e) {
                 return { isValid: false, value: _0n$1 };
             }
         });
-    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes); // NOOP
-    const domain = CURVE.domain ||
-        ((data, ctx, phflag) => {
-            abool('phflag', phflag);
-            if (ctx.length || phflag)
-                throw new Error('Contexts/pre-hash are not supported');
-            return data;
-        }); // NOOP
-    // 0 <= n < MASK
-    // Coordinates larger than Fp.ORDER are allowed for zip215
-    function aCoordinate(title, n) {
-        aInRange('coordinate ' + title, n, _0n$1, MASK);
+    // Validate whether the passed curve params are valid.
+    // equation ax² + y² = 1 + dx²y² should work for generator point.
+    if (!isEdValidXY(Fp, CURVE, CURVE.Gx, CURVE.Gy))
+        throw new Error('bad curve params: generator point');
+    /**
+     * Asserts coordinate is valid: 0 <= n < MASK.
+     * Coordinates >= Fp.ORDER are allowed for zip215.
+     */
+    function acoord(title, n, banZero = false) {
+        const min = banZero ? _1n$2 : _0n$1;
+        aInRange('coordinate ' + title, n, min, MASK);
+        return n;
     }
-    function assertPoint(other) {
+    function aextpoint(other) {
         if (!(other instanceof Point))
             throw new Error('ExtendedPoint expected');
     }
     // Converts Extended point to default (x, y) coordinates.
     // Can accept precomputed Z^-1 - for example, from invertBatch.
     const toAffineMemo = memoized((p, iz) => {
-        const { ex: x, ey: y, ez: z } = p;
+        const { X, Y, Z } = p;
         const is0 = p.is0();
         if (iz == null)
-            iz = is0 ? _8n : Fp.inv(z); // 8 was chosen arbitrarily
-        const ax = modP(x * iz);
-        const ay = modP(y * iz);
-        const zz = modP(z * iz);
+            iz = is0 ? _8n : Fp.inv(Z); // 8 was chosen arbitrarily
+        const x = modP(X * iz);
+        const y = modP(Y * iz);
+        const zz = Fp.mul(Z, iz);
         if (is0)
-            return { x: _0n$1, y: _1n$3 };
-        if (zz !== _1n$3)
+            return { x: _0n$1, y: _1n$2 };
+        if (zz !== _1n$2)
             throw new Error('invZ was invalid');
-        return { x: ax, y: ay };
+        return { x, y };
     });
     const assertValidMemo = memoized((p) => {
         const { a, d } = CURVE;
@@ -2302,7 +2594,7 @@ function twistedEdwards(curveDef) {
             throw new Error('bad point: ZERO'); // TODO: optimize, with vars below?
         // Equation in affine coordinates: ax² + y² = 1 + dx²y²
         // Equation in projective coordinates (X/Z, Y/Z, Z):  (aX² + Y²)Z² = Z⁴ + dX²Y²
-        const { ex: X, ey: Y, ez: Z, et: T } = p;
+        const { X, Y, Z, T } = p;
         const X2 = modP(X * X); // X²
         const Y2 = modP(Y * Y); // Y²
         const Z2 = modP(Z * Z); // Z²
@@ -2319,56 +2611,84 @@ function twistedEdwards(curveDef) {
             throw new Error('bad point: equation left != right (2)');
         return true;
     });
-    // Extended Point works in extended coordinates: (x, y, z, t) ∋ (x=x/z, y=y/z, t=xy).
+    // Extended Point works in extended coordinates: (X, Y, Z, T) ∋ (x=X/Z, y=Y/Z, T=xy).
     // https://en.wikipedia.org/wiki/Twisted_Edwards_curve#Extended_coordinates
     class Point {
-        constructor(ex, ey, ez, et) {
-            this.ex = ex;
-            this.ey = ey;
-            this.ez = ez;
-            this.et = et;
-            aCoordinate('x', ex);
-            aCoordinate('y', ey);
-            aCoordinate('z', ez);
-            aCoordinate('t', et);
+        constructor(X, Y, Z, T) {
+            this.X = acoord('x', X);
+            this.Y = acoord('y', Y);
+            this.Z = acoord('z', Z, true);
+            this.T = acoord('t', T);
             Object.freeze(this);
         }
-        get x() {
-            return this.toAffine().x;
-        }
-        get y() {
-            return this.toAffine().y;
+        static CURVE() {
+            return CURVE;
         }
         static fromAffine(p) {
             if (p instanceof Point)
                 throw new Error('extended point not allowed');
             const { x, y } = p || {};
-            aCoordinate('x', x);
-            aCoordinate('y', y);
-            return new Point(x, y, _1n$3, modP(x * y));
+            acoord('x', x);
+            acoord('y', y);
+            return new Point(x, y, _1n$2, modP(x * y));
         }
-        static normalizeZ(points) {
-            const toInv = Fp.invertBatch(points.map((p) => p.ez));
-            return points.map((p, i) => p.toAffine(toInv[i])).map(Point.fromAffine);
+        // Uses algo from RFC8032 5.1.3.
+        static fromBytes(bytes, zip215 = false) {
+            const len = Fp.BYTES;
+            const { a, d } = CURVE;
+            bytes = copyBytes(_abytes2(bytes, len, 'point'));
+            _abool2(zip215, 'zip215');
+            const normed = copyBytes(bytes); // copy again, we'll manipulate it
+            const lastByte = bytes[len - 1]; // select last byte
+            normed[len - 1] = lastByte & -129; // clear last bit
+            const y = bytesToNumberLE(normed);
+            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
+            // RFC8032 prohibits >= p, but ZIP215 doesn't
+            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
+            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
+            const max = zip215 ? MASK : Fp.ORDER;
+            aInRange('point.y', y, _0n$1, max);
+            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
+            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
+            const y2 = modP(y * y); // denominator is always non-0 mod p.
+            const u = modP(y2 - _1n$2); // u = y² - 1
+            const v = modP(d * y2 - a); // v = d y² + 1.
+            let { isValid, value: x } = uvRatio(u, v); // √(u/v)
+            if (!isValid)
+                throw new Error('bad point: invalid y coordinate');
+            const isXOdd = (x & _1n$2) === _1n$2; // There are 2 square roots. Use x_0 bit to select proper
+            const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
+            if (!zip215 && x === _0n$1 && isLastByteOdd)
+                // if x=0 and x_0 = 1, fail
+                throw new Error('bad point: x=0 and x_0=1');
+            if (isLastByteOdd !== isXOdd)
+                x = modP(-x); // if x_0 != x mod 2, set x = p-x
+            return Point.fromAffine({ x, y });
         }
-        // Multiscalar Multiplication
-        static msm(points, scalars) {
-            return pippenger(Point, Fn, points, scalars);
+        static fromHex(bytes, zip215 = false) {
+            return Point.fromBytes(ensureBytes('point', bytes), zip215);
         }
-        // "Private method", don't use it directly
-        _setWindowSize(windowSize) {
-            wnaf.setWindowSize(this, windowSize);
+        get x() {
+            return this.toAffine().x;
+        }
+        get y() {
+            return this.toAffine().y;
         }
-        // Not required for fromHex(), which always creates valid points.
-        // Could be useful for fromAffine().
+        precompute(windowSize = 8, isLazy = true) {
+            wnaf.createCache(this, windowSize);
+            if (!isLazy)
+                this.multiply(_2n$3); // random number
+            return this;
+        }
+        // Useful in fromAffine() - not for fromBytes(), which always created valid points.
         assertValidity() {
             assertValidMemo(this);
         }
         // Compare one point to another.
         equals(other) {
-            assertPoint(other);
-            const { ex: X1, ey: Y1, ez: Z1 } = this;
-            const { ex: X2, ey: Y2, ez: Z2 } = other;
+            aextpoint(other);
+            const { X: X1, Y: Y1, Z: Z1 } = this;
+            const { X: X2, Y: Y2, Z: Z2 } = other;
             const X1Z2 = modP(X1 * Z2);
             const X2Z1 = modP(X2 * Z1);
             const Y1Z2 = modP(Y1 * Z2);
@@ -2380,17 +2700,17 @@ function twistedEdwards(curveDef) {
         }
         negate() {
             // Flips point sign to a negative one (-x, y in affine coords)
-            return new Point(modP(-this.ex), this.ey, this.ez, modP(-this.et));
+            return new Point(modP(-this.X), this.Y, this.Z, modP(-this.T));
         }
         // Fast algo for doubling Extended Point.
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd
         // Cost: 4M + 4S + 1*a + 6add + 1*2.
         double() {
             const { a } = CURVE;
-            const { ex: X1, ey: Y1, ez: Z1 } = this;
+            const { X: X1, Y: Y1, Z: Z1 } = this;
             const A = modP(X1 * X1); // A = X12
             const B = modP(Y1 * Y1); // B = Y12
-            const C = modP(_2n$2 * modP(Z1 * Z1)); // C = 2*Z12
+            const C = modP(_2n$3 * modP(Z1 * Z1)); // C = 2*Z12
             const D = modP(a * A); // D = a*A
             const x1y1 = X1 + Y1;
             const E = modP(modP(x1y1 * x1y1) - A - B); // E = (X1+Y1)2-A-B
@@ -2407,31 +2727,10 @@ function twistedEdwards(curveDef) {
         // https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd
         // Cost: 9M + 1*a + 1*d + 7add.
         add(other) {
-            assertPoint(other);
+            aextpoint(other);
             const { a, d } = CURVE;
-            const { ex: X1, ey: Y1, ez: Z1, et: T1 } = this;
-            const { ex: X2, ey: Y2, ez: Z2, et: T2 } = other;
-            // Faster algo for adding 2 Extended Points when curve's a=-1.
-            // http://hyperelliptic.org/EFD/g1p/auto-twisted-extended-1.html#addition-add-2008-hwcd-4
-            // Cost: 8M + 8add + 2*2.
-            // Note: It does not check whether the `other` point is valid.
-            if (a === BigInt(-1)) {
-                const A = modP((Y1 - X1) * (Y2 + X2));
-                const B = modP((Y1 + X1) * (Y2 - X2));
-                const F = modP(B - A);
-                if (F === _0n$1)
-                    return this.double(); // Same point. Tests say it doesn't affect timing
-                const C = modP(Z1 * _2n$2 * T2);
-                const D = modP(T1 * _2n$2 * Z2);
-                const E = D + C;
-                const G = B + A;
-                const H = D - C;
-                const X3 = modP(E * F);
-                const Y3 = modP(G * H);
-                const T3 = modP(E * H);
-                const Z3 = modP(F * G);
-                return new Point(X3, Y3, Z3, T3);
-            }
+            const { X: X1, Y: Y1, Z: Z1, T: T1 } = this;
+            const { X: X2, Y: Y2, Z: Z2, T: T2 } = other;
             const A = modP(X1 * X2); // A = X1*X2
             const B = modP(Y1 * Y2); // B = Y1*Y2
             const C = modP(T1 * d * T2); // C = T1*d*T2
@@ -2449,15 +2748,13 @@ function twistedEdwards(curveDef) {
         subtract(other) {
             return this.add(other.negate());
         }
-        wNAF(n) {
-            return wnaf.wNAFCached(this, n, Point.normalizeZ);
-        }
         // Constant-time multiplication.
         multiply(scalar) {
-            const n = scalar;
-            aInRange('scalar', n, _1n$3, CURVE_ORDER); // 1 <= scalar < L
-            const { p, f } = this.wNAF(n);
-            return Point.normalizeZ([p, f])[0];
+            // 1 <= scalar < L
+            if (!Fn.isValidNot0(scalar))
+                throw new Error('invalid scalar: expected 1 <= sc < curve.n');
+            const { p, f } = wnaf.cached(this, scalar, (p) => normalizeZ(Point, p));
+            return normalizeZ(Point, [p, f])[0];
         }
         // Non-constant-time multiplication. Uses double-and-add algorithm.
         // It's faster, but should only be used when you don't care about
@@ -2465,13 +2762,14 @@ function twistedEdwards(curveDef) {
         // Does NOT allow scalars higher than CURVE.n.
         // Accepts optional accumulator to merge with multiply (important for sparse scalars)
         multiplyUnsafe(scalar, acc = Point.ZERO) {
-            const n = scalar;
-            aInRange('scalar', n, _0n$1, CURVE_ORDER); // 0 <= scalar < L
-            if (n === _0n$1)
-                return I;
-            if (this.is0() || n === _1n$3)
+            // 0 <= scalar < L
+            if (!Fn.isValid(scalar))
+                throw new Error('invalid scalar: expected 0 <= sc < curve.n');
+            if (scalar === _0n$1)
+                return Point.ZERO;
+            if (this.is0() || scalar === _1n$2)
                 return this;
-            return wnaf.wNAFCachedUnsafe(this, n, Point.normalizeZ, acc);
+            return wnaf.unsafe(this, scalar, (p) => normalizeZ(Point, p), acc);
         }
         // Checks if point is of small order.
         // If you add something to small order point, you will have "dirty"
@@ -2483,80 +2781,102 @@ function twistedEdwards(curveDef) {
         // Multiplies point by curve order and checks if the result is 0.
         // Returns `false` is the point is dirty.
         isTorsionFree() {
-            return wnaf.unsafeLadder(this, CURVE_ORDER).is0();
+            return wnaf.unsafe(this, CURVE.n).is0();
         }
         // Converts Extended point to default (x, y) coordinates.
         // Can accept precomputed Z^-1 - for example, from invertBatch.
-        toAffine(iz) {
-            return toAffineMemo(this, iz);
+        toAffine(invertedZ) {
+            return toAffineMemo(this, invertedZ);
         }
         clearCofactor() {
-            const { h: cofactor } = CURVE;
-            if (cofactor === _1n$3)
+            if (cofactor === _1n$2)
                 return this;
             return this.multiplyUnsafe(cofactor);
         }
-        // Converts hash string or Uint8Array to Point.
-        // Uses algo from RFC8032 5.1.3.
-        static fromHex(hex, zip215 = false) {
-            const { d, a } = CURVE;
-            const len = Fp.BYTES;
-            hex = ensureBytes('pointHex', hex, len); // copy hex to a new array
-            abool('zip215', zip215);
-            const normed = hex.slice(); // copy again, we'll manipulate it
-            const lastByte = hex[len - 1]; // select last byte
-            normed[len - 1] = lastByte & ~0x80; // clear last bit
-            const y = bytesToNumberLE(normed);
-            // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
-            // RFC8032 prohibits >= p, but ZIP215 doesn't
-            // zip215=true:  0 <= y < MASK (2^256 for ed25519)
-            // zip215=false: 0 <= y < P (2^255-19 for ed25519)
-            const max = zip215 ? MASK : Fp.ORDER;
-            aInRange('pointHex.y', y, _0n$1, max);
-            // Ed25519: x² = (y²-1)/(dy²+1) mod p. Ed448: x² = (y²-1)/(dy²-1) mod p. Generic case:
-            // ax²+y²=1+dx²y² => y²-1=dx²y²-ax² => y²-1=x²(dy²-a) => x²=(y²-1)/(dy²-a)
-            const y2 = modP(y * y); // denominator is always non-0 mod p.
-            const u = modP(y2 - _1n$3); // u = y² - 1
-            const v = modP(d * y2 - a); // v = d y² + 1.
-            let { isValid, value: x } = uvRatio(u, v); // √(u/v)
-            if (!isValid)
-                throw new Error('Point.fromHex: invalid y coordinate');
-            const isXOdd = (x & _1n$3) === _1n$3; // There are 2 square roots. Use x_0 bit to select proper
-            const isLastByteOdd = (lastByte & 0x80) !== 0; // x_0, last bit
-            if (!zip215 && x === _0n$1 && isLastByteOdd)
-                // if x=0 and x_0 = 1, fail
-                throw new Error('Point.fromHex: x=0 and x_0=1');
-            if (isLastByteOdd !== isXOdd)
-                x = modP(-x); // if x_0 != x mod 2, set x = p-x
-            return Point.fromAffine({ x, y });
-        }
-        static fromPrivateKey(privKey) {
-            return getExtendedPublicKey(privKey).point;
-        }
-        toRawBytes() {
+        toBytes() {
             const { x, y } = this.toAffine();
-            const bytes = numberToBytesLE(y, Fp.BYTES); // each y has 2 x values (x, -y)
-            bytes[bytes.length - 1] |= x & _1n$3 ? 0x80 : 0; // when compressing, it's enough to store y
-            return bytes; // and use the last byte to encode sign of x
+            // Fp.toBytes() allows non-canonical encoding of y (>= p).
+            const bytes = Fp.toBytes(y);
+            // Each y has 2 valid points: (x, y), (x,-y).
+            // When compressing, it's enough to store y and use the last byte to encode sign of x
+            bytes[bytes.length - 1] |= x & _1n$2 ? 0x80 : 0;
+            return bytes;
         }
         toHex() {
-            return bytesToHex(this.toRawBytes()); // Same as toRawBytes, but returns string.
+            return bytesToHex(this.toBytes());
+        }
+        toString() {
+            return `<Point ${this.is0() ? 'ZERO' : this.toHex()}>`;
+        }
+        // TODO: remove
+        get ex() {
+            return this.X;
+        }
+        get ey() {
+            return this.Y;
+        }
+        get ez() {
+            return this.Z;
+        }
+        get et() {
+            return this.T;
+        }
+        static normalizeZ(points) {
+            return normalizeZ(Point, points);
+        }
+        static msm(points, scalars) {
+            return pippenger(Point, Fn, points, scalars);
+        }
+        _setWindowSize(windowSize) {
+            this.precompute(windowSize);
+        }
+        toRawBytes() {
+            return this.toBytes();
         }
     }
-    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n$3, modP(CURVE.Gx * CURVE.Gy));
-    Point.ZERO = new Point(_0n$1, _1n$3, _1n$3, _0n$1); // 0, 1, 1, 0
-    const { BASE: G, ZERO: I } = Point;
-    const wnaf = wNAF(Point, nByteLength * 8);
-    function modN(a) {
-        return mod(a, CURVE_ORDER);
-    }
+    // base / generator point
+    Point.BASE = new Point(CURVE.Gx, CURVE.Gy, _1n$2, modP(CURVE.Gx * CURVE.Gy));
+    // zero / infinity / identity point
+    Point.ZERO = new Point(_0n$1, _1n$2, _1n$2, _0n$1); // 0, 1, 1, 0
+    // math field
+    Point.Fp = Fp;
+    // scalar field
+    Point.Fn = Fn;
+    const wnaf = new wNAF(Point, Fn.BITS);
+    Point.BASE.precompute(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
+    return Point;
+}
+/**
+ * Initializes EdDSA signatures over given Edwards curve.
+ */
+function eddsa(Point, cHash, eddsaOpts = {}) {
+    if (typeof cHash !== 'function')
+        throw new Error('"hash" function param is required');
+    _validateObject(eddsaOpts, {}, {
+        adjustScalarBytes: 'function',
+        randomBytes: 'function',
+        domain: 'function',
+        prehash: 'function',
+        mapToCurve: 'function',
+    });
+    const { prehash } = eddsaOpts;
+    const { BASE, Fp, Fn } = Point;
+    const randomBytes$1 = eddsaOpts.randomBytes || randomBytes;
+    const adjustScalarBytes = eddsaOpts.adjustScalarBytes || ((bytes) => bytes);
+    const domain = eddsaOpts.domain ||
+        ((data, ctx, phflag) => {
+            _abool2(phflag, 'phflag');
+            if (ctx.length || phflag)
+                throw new Error('Contexts/pre-hash are not supported');
+            return data;
+        }); // NOOP
     // Little-endian SHA512 with modulo n
     function modN_LE(hash) {
-        return modN(bytesToNumberLE(hash));
+        return Fn.create(bytesToNumberLE(hash)); // Not Fn.fromBytes: it has length limit
     }
-    /** Convenience method that creates public key and other stuff. RFC8032 5.1.5 */
-    function getExtendedPublicKey(key) {
-        const len = Fp.BYTES;
+    // Get the hashed private scalar per RFC8032 5.1.5
+    function getPrivateScalar(key) {
+        const len = lengths.secretKey;
         key = ensureBytes('private key', key, len);
         // Hash private key with curve's hash function to produce uniformingly random input
         // Check byte lengths: ensure(64, h(ensure(32, key)))
@@ -2564,171 +2884,293 @@ function twistedEdwards(curveDef) {
         const head = adjustScalarBytes(hashed.slice(0, len)); // clear first half bits, produce FE
         const prefix = hashed.slice(len, 2 * len); // second half is called key prefix (5.1.6)
         const scalar = modN_LE(head); // The actual private scalar
-        const point = G.multiply(scalar); // Point on Edwards curve aka public key
-        const pointBytes = point.toRawBytes(); // Uint8Array representation
+        return { head, prefix, scalar };
+    }
+    /** Convenience method that creates public key from scalar. RFC8032 5.1.5 */
+    function getExtendedPublicKey(secretKey) {
+        const { head, prefix, scalar } = getPrivateScalar(secretKey);
+        const point = BASE.multiply(scalar); // Point on Edwards curve aka public key
+        const pointBytes = point.toBytes();
         return { head, prefix, scalar, point, pointBytes };
     }
-    // Calculates EdDSA pub key. RFC8032 5.1.5. Privkey is hashed. Use first half with 3 bits cleared
-    function getPublicKey(privKey) {
-        return getExtendedPublicKey(privKey).pointBytes;
+    /** Calculates EdDSA pub key. RFC8032 5.1.5. */
+    function getPublicKey(secretKey) {
+        return getExtendedPublicKey(secretKey).pointBytes;
     }
     // int('LE', SHA512(dom2(F, C) || msgs)) mod N
-    function hashDomainToScalar(context = new Uint8Array(), ...msgs) {
+    function hashDomainToScalar(context = Uint8Array.of(), ...msgs) {
         const msg = concatBytes(...msgs);
         return modN_LE(cHash(domain(msg, ensureBytes('context', context), !!prehash)));
     }
     /** Signs message with privateKey. RFC8032 5.1.6 */
-    function sign(msg, privKey, options = {}) {
+    function sign(msg, secretKey, options = {}) {
         msg = ensureBytes('message', msg);
         if (prehash)
             msg = prehash(msg); // for ed25519ph etc.
-        const { prefix, scalar, pointBytes } = getExtendedPublicKey(privKey);
+        const { prefix, scalar, pointBytes } = getExtendedPublicKey(secretKey);
         const r = hashDomainToScalar(options.context, prefix, msg); // r = dom2(F, C) || prefix || PH(M)
-        const R = G.multiply(r).toRawBytes(); // R = rG
+        const R = BASE.multiply(r).toBytes(); // R = rG
         const k = hashDomainToScalar(options.context, R, pointBytes, msg); // R || A || PH(M)
-        const s = modN(r + k * scalar); // S = (r + k * s) mod L
-        aInRange('signature.s', s, _0n$1, CURVE_ORDER); // 0 <= s < l
-        const res = concatBytes(R, numberToBytesLE(s, Fp.BYTES));
-        return ensureBytes('result', res, Fp.BYTES * 2); // 64-byte signature
+        const s = Fn.create(r + k * scalar); // S = (r + k * s) mod L
+        if (!Fn.isValid(s))
+            throw new Error('sign failed: invalid s'); // 0 <= s < L
+        const rs = concatBytes(R, Fn.toBytes(s));
+        return _abytes2(rs, lengths.signature, 'result');
     }
-    const verifyOpts = VERIFY_DEFAULT;
+    // verification rule is either zip215 or rfc8032 / nist186-5. Consult fromHex:
+    const verifyOpts = { zip215: true };
     /**
      * Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
      * An extended group equation is checked.
      */
     function verify(sig, msg, publicKey, options = verifyOpts) {
         const { context, zip215 } = options;
-        const len = Fp.BYTES; // Verifies EdDSA signature against message and public key. RFC8032 5.1.7.
-        sig = ensureBytes('signature', sig, 2 * len); // An extended group equation is checked.
+        const len = lengths.signature;
+        sig = ensureBytes('signature', sig, len);
         msg = ensureBytes('message', msg);
-        publicKey = ensureBytes('publicKey', publicKey, len);
+        publicKey = ensureBytes('publicKey', publicKey, lengths.publicKey);
         if (zip215 !== undefined)
-            abool('zip215', zip215);
+            _abool2(zip215, 'zip215');
         if (prehash)
             msg = prehash(msg); // for ed25519ph, etc
-        const s = bytesToNumberLE(sig.slice(len, 2 * len));
+        const mid = len / 2;
+        const r = sig.subarray(0, mid);
+        const s = bytesToNumberLE(sig.subarray(mid, len));
         let A, R, SB;
         try {
             // zip215=true is good for consensus-critical apps. =false follows RFC8032 / NIST186-5.
             // zip215=true:  0 <= y < MASK (2^256 for ed25519)
             // zip215=false: 0 <= y < P (2^255-19 for ed25519)
-            A = Point.fromHex(publicKey, zip215);
-            R = Point.fromHex(sig.slice(0, len), zip215);
-            SB = G.multiplyUnsafe(s); // 0 <= s < l is done inside
+            A = Point.fromBytes(publicKey, zip215);
+            R = Point.fromBytes(r, zip215);
+            SB = BASE.multiplyUnsafe(s); // 0 <= s < l is done inside
         }
         catch (error) {
             return false;
         }
         if (!zip215 && A.isSmallOrder())
-            return false;
-        const k = hashDomainToScalar(context, R.toRawBytes(), A.toRawBytes(), msg);
+            return false; // zip215 allows public keys of small order
+        const k = hashDomainToScalar(context, R.toBytes(), A.toBytes(), msg);
         const RkA = R.add(A.multiplyUnsafe(k));
         // Extended group equation
         // [8][S]B = [8]R + [8][k]A'
-        return RkA.subtract(SB).clearCofactor().equals(Point.ZERO);
+        return RkA.subtract(SB).clearCofactor().is0();
+    }
+    const _size = Fp.BYTES; // 32 for ed25519, 57 for ed448
+    const lengths = {
+        secretKey: _size,
+        publicKey: _size,
+        signature: 2 * _size,
+        seed: _size,
+    };
+    function randomSecretKey(seed = randomBytes$1(lengths.seed)) {
+        return _abytes2(seed, lengths.seed, 'seed');
+    }
+    function keygen(seed) {
+        const secretKey = utils.randomSecretKey(seed);
+        return { secretKey, publicKey: getPublicKey(secretKey) };
+    }
+    function isValidSecretKey(key) {
+        return isBytes(key) && key.length === Fn.BYTES;
+    }
+    function isValidPublicKey(key, zip215) {
+        try {
+            return !!Point.fromBytes(key, zip215);
+        }
+        catch (error) {
+            return false;
+        }
     }
-    G._setWindowSize(8); // Enable precomputes. Slows down first publicKey computation by 20ms.
     const utils = {
         getExtendedPublicKey,
-        // ed25519 private keys are uniform 32b. No need to check for modulo bias, like in secp256k1.
-        randomPrivateKey: () => randomBytes(Fp.BYTES),
+        randomSecretKey,
+        isValidSecretKey,
+        isValidPublicKey,
         /**
-         * We're doing scalar multiplication (used in getPublicKey etc) with precomputed BASE_POINT
-         * values. This slows down first getPublicKey() by milliseconds (see Speed section),
-         * but allows to speed-up subsequent getPublicKey() calls up to 20x.
-         * @param windowSize 2, 4, 8, 16
+         * Converts ed public key to x public key. Uses formula:
+         * - ed25519:
+         *   - `(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)`
+         *   - `(x, y) = (sqrt(-486664)*u/v, (u-1)/(u+1))`
+         * - ed448:
+         *   - `(u, v) = ((y-1)/(y+1), sqrt(156324)*u/x)`
+         *   - `(x, y) = (sqrt(156324)*u/v, (1+u)/(1-u))`
          */
+        toMontgomery(publicKey) {
+            const { y } = Point.fromBytes(publicKey);
+            const size = lengths.publicKey;
+            const is25519 = size === 32;
+            if (!is25519 && size !== 57)
+                throw new Error('only defined for 25519 and 448');
+            const u = is25519 ? Fp.div(_1n$2 + y, _1n$2 - y) : Fp.div(y - _1n$2, y + _1n$2);
+            return Fp.toBytes(u);
+        },
+        toMontgomeryPriv(secretKey) {
+            const size = lengths.secretKey;
+            _abytes2(secretKey, size);
+            const hashed = cHash(secretKey.subarray(0, size));
+            return adjustScalarBytes(hashed).subarray(0, size);
+        },
+        /** @deprecated */
+        randomPrivateKey: randomSecretKey,
+        /** @deprecated */
         precompute(windowSize = 8, point = Point.BASE) {
-            point._setWindowSize(windowSize);
-            point.multiply(BigInt(3));
-            return point;
+            return point.precompute(windowSize, false);
         },
     };
-    return {
-        CURVE,
+    return Object.freeze({
+        keygen,
         getPublicKey,
         sign,
         verify,
-        ExtendedPoint: Point,
         utils,
+        Point,
+        lengths,
+    });
+}
+function _eddsa_legacy_opts_to_new(c) {
+    const CURVE = {
+        a: c.a,
+        d: c.d,
+        p: c.Fp.ORDER,
+        n: c.n,
+        h: c.h,
+        Gx: c.Gx,
+        Gy: c.Gy,
+    };
+    const Fp = c.Fp;
+    const Fn = Field(CURVE.n, c.nBitLength, true);
+    const curveOpts = { Fp, Fn, uvRatio: c.uvRatio };
+    const eddsaOpts = {
+        randomBytes: c.randomBytes,
+        adjustScalarBytes: c.adjustScalarBytes,
+        domain: c.domain,
+        prehash: c.prehash,
+        mapToCurve: c.mapToCurve,
     };
+    return { CURVE, curveOpts, hash: c.hash, eddsaOpts };
+}
+function _eddsa_new_output_to_legacy(c, eddsa) {
+    const Point = eddsa.Point;
+    const legacy = Object.assign({}, eddsa, {
+        ExtendedPoint: Point,
+        CURVE: c,
+        nBitLength: Point.Fn.BITS,
+        nByteLength: Point.Fn.BYTES,
+    });
+    return legacy;
+}
+// TODO: remove. Use eddsa
+function twistedEdwards(c) {
+    const { CURVE, curveOpts, hash, eddsaOpts } = _eddsa_legacy_opts_to_new(c);
+    const Point = edwards(CURVE, curveOpts);
+    const EDDSA = eddsa(Point, hash, eddsaOpts);
+    return _eddsa_new_output_to_legacy(c, EDDSA);
 }
 
+/**
+ * Montgomery curve methods. It's not really whole montgomery curve,
+ * just bunch of very specific methods for X25519 / X448 from
+ * [RFC 7748](https://www.rfc-editor.org/rfc/rfc7748)
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 const _0n = BigInt(0);
-const _1n$2 = BigInt(1);
+const _1n$1 = BigInt(1);
+const _2n$2 = BigInt(2);
 function validateOpts(curve) {
-    validateObject(curve, {
-        a: 'bigint',
-    }, {
-        montgomeryBits: 'isSafeInteger',
-        nByteLength: 'isSafeInteger',
+    _validateObject(curve, {
         adjustScalarBytes: 'function',
-        domain: 'function',
         powPminus2: 'function',
-        Gu: 'bigint',
     });
-    // Set defaults
     return Object.freeze({ ...curve });
 }
-// NOTE: not really montgomery curve, just bunch of very specific methods for X25519/X448 (RFC 7748, https://www.rfc-editor.org/rfc/rfc7748)
-// Uses only one coordinate instead of two
 function montgomery(curveDef) {
     const CURVE = validateOpts(curveDef);
-    const { P } = CURVE;
+    const { P, type, adjustScalarBytes, powPminus2, randomBytes: rand } = CURVE;
+    const is25519 = type === 'x25519';
+    if (!is25519 && type !== 'x448')
+        throw new Error('invalid type');
+    const randomBytes_ = rand || randomBytes;
+    const montgomeryBits = is25519 ? 255 : 448;
+    const fieldLen = is25519 ? 32 : 56;
+    const Gu = is25519 ? BigInt(9) : BigInt(5);
+    // RFC 7748 #5:
+    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519 and
+    // (156326 - 2) / 4 = 39081 for curve448/X448
+    // const a = is25519 ? 156326n : 486662n;
+    const a24 = is25519 ? BigInt(121665) : BigInt(39081);
+    // RFC: x25519 "the resulting integer is of the form 2^254 plus
+    // eight times a value between 0 and 2^251 - 1 (inclusive)"
+    // x448: "2^447 plus four times a value between 0 and 2^445 - 1 (inclusive)"
+    const minScalar = is25519 ? _2n$2 ** BigInt(254) : _2n$2 ** BigInt(447);
+    const maxAdded = is25519
+        ? BigInt(8) * _2n$2 ** BigInt(251) - _1n$1
+        : BigInt(4) * _2n$2 ** BigInt(445) - _1n$1;
+    const maxScalar = minScalar + maxAdded + _1n$1; // (inclusive)
     const modP = (n) => mod(n, P);
-    const montgomeryBits = CURVE.montgomeryBits;
-    const montgomeryBytes = Math.ceil(montgomeryBits / 8);
-    const fieldLen = CURVE.nByteLength;
-    const adjustScalarBytes = CURVE.adjustScalarBytes || ((bytes) => bytes);
-    const powPminus2 = CURVE.powPminus2 || ((x) => pow(x, P - BigInt(2), P));
-    // cswap from RFC7748. But it is not from RFC7748!
-    /*
-      cswap(swap, x_2, x_3):
-           dummy = mask(swap) AND (x_2 XOR x_3)
-           x_2 = x_2 XOR dummy
-           x_3 = x_3 XOR dummy
-           Return (x_2, x_3)
-    Where mask(swap) is the all-1 or all-0 word of the same length as x_2
-     and x_3, computed, e.g., as mask(swap) = 0 - swap.
-    */
+    const GuBytes = encodeU(Gu);
+    function encodeU(u) {
+        return numberToBytesLE(modP(u), fieldLen);
+    }
+    function decodeU(u) {
+        const _u = ensureBytes('u coordinate', u, fieldLen);
+        // RFC: When receiving such an array, implementations of X25519
+        // (but not X448) MUST mask the most significant bit in the final byte.
+        if (is25519)
+            _u[31] &= 127; // 0b0111_1111
+        // RFC: Implementations MUST accept non-canonical values and process them as
+        // if they had been reduced modulo the field prime.  The non-canonical
+        // values are 2^255 - 19 through 2^255 - 1 for X25519 and 2^448 - 2^224
+        // - 1 through 2^448 - 1 for X448.
+        return modP(bytesToNumberLE(_u));
+    }
+    function decodeScalar(scalar) {
+        return bytesToNumberLE(adjustScalarBytes(ensureBytes('scalar', scalar, fieldLen)));
+    }
+    function scalarMult(scalar, u) {
+        const pu = montgomeryLadder(decodeU(u), decodeScalar(scalar));
+        // Some public keys are useless, of low-order. Curve author doesn't think
+        // it needs to be validated, but we do it nonetheless.
+        // https://cr.yp.to/ecdh.html#validate
+        if (pu === _0n)
+            throw new Error('invalid private or public key received');
+        return encodeU(pu);
+    }
+    // Computes public key from private. By doing scalar multiplication of base point.
+    function scalarMultBase(scalar) {
+        return scalarMult(scalar, GuBytes);
+    }
+    // cswap from RFC7748 "example code"
     function cswap(swap, x_2, x_3) {
+        // dummy = mask(swap) AND (x_2 XOR x_3)
+        // Where mask(swap) is the all-1 or all-0 word of the same length as x_2
+        // and x_3, computed, e.g., as mask(swap) = 0 - swap.
         const dummy = modP(swap * (x_2 - x_3));
-        x_2 = modP(x_2 - dummy);
-        x_3 = modP(x_3 + dummy);
-        return [x_2, x_3];
+        x_2 = modP(x_2 - dummy); // x_2 = x_2 XOR dummy
+        x_3 = modP(x_3 + dummy); // x_3 = x_3 XOR dummy
+        return { x_2, x_3 };
     }
-    // x25519 from 4
-    // The constant a24 is (486662 - 2) / 4 = 121665 for curve25519/X25519
-    const a24 = (CURVE.a - BigInt(2)) / BigInt(4);
     /**
-     *
+     * Montgomery x-only multiplication ladder.
      * @param pointU u coordinate (x) on Montgomery Curve 25519
      * @param scalar by which the point would be multiplied
      * @returns new Point on Montgomery curve
      */
     function montgomeryLadder(u, scalar) {
         aInRange('u', u, _0n, P);
-        aInRange('scalar', scalar, _0n, P);
-        // Section 5: Implementations MUST accept non-canonical values and process them as
-        // if they had been reduced modulo the field prime.
+        aInRange('scalar', scalar, minScalar, maxScalar);
         const k = scalar;
         const x_1 = u;
-        let x_2 = _1n$2;
+        let x_2 = _1n$1;
         let z_2 = _0n;
         let x_3 = u;
-        let z_3 = _1n$2;
+        let z_3 = _1n$1;
         let swap = _0n;
-        let sw;
         for (let t = BigInt(montgomeryBits - 1); t >= _0n; t--) {
-            const k_t = (k >> t) & _1n$2;
+            const k_t = (k >> t) & _1n$1;
             swap ^= k_t;
-            sw = cswap(swap, x_2, x_3);
-            x_2 = sw[0];
-            x_3 = sw[1];
-            sw = cswap(swap, z_2, z_3);
-            z_2 = sw[0];
-            z_3 = sw[1];
+            ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+            ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
             swap = k_t;
             const A = x_2 + z_2;
             const AA = modP(A * A);
@@ -2746,84 +3188,82 @@ function montgomery(curveDef) {
             x_2 = modP(AA * BB);
             z_2 = modP(E * (AA + modP(a24 * E)));
         }
-        // (x_2, x_3) = cswap(swap, x_2, x_3)
-        sw = cswap(swap, x_2, x_3);
-        x_2 = sw[0];
-        x_3 = sw[1];
-        // (z_2, z_3) = cswap(swap, z_2, z_3)
-        sw = cswap(swap, z_2, z_3);
-        z_2 = sw[0];
-        z_3 = sw[1];
-        // z_2^(p - 2)
-        const z2 = powPminus2(z_2);
-        // Return x_2 * (z_2^(p - 2))
-        return modP(x_2 * z2);
-    }
-    function encodeUCoordinate(u) {
-        return numberToBytesLE(modP(u), montgomeryBytes);
-    }
-    function decodeUCoordinate(uEnc) {
-        // Section 5: When receiving such an array, implementations of X25519
-        // MUST mask the most significant bit in the final byte.
-        const u = ensureBytes('u coordinate', uEnc, montgomeryBytes);
-        if (fieldLen === 32)
-            u[31] &= 127; // 0b0111_1111
-        return bytesToNumberLE(u);
-    }
-    function decodeScalar(n) {
-        const bytes = ensureBytes('scalar', n);
-        const len = bytes.length;
-        if (len !== montgomeryBytes && len !== fieldLen) {
-            let valid = '' + montgomeryBytes + ' or ' + fieldLen;
-            throw new Error('invalid scalar, expected ' + valid + ' bytes, got ' + len);
-        }
-        return bytesToNumberLE(adjustScalarBytes(bytes));
+        ({ x_2, x_3 } = cswap(swap, x_2, x_3));
+        ({ x_2: z_2, x_3: z_3 } = cswap(swap, z_2, z_3));
+        const z2 = powPminus2(z_2); // `Fp.pow(x, P - _2n)` is much slower equivalent
+        return modP(x_2 * z2); // Return x_2 * (z_2^(p - 2))
     }
-    function scalarMult(scalar, u) {
-        const pointU = decodeUCoordinate(u);
-        const _scalar = decodeScalar(scalar);
-        const pu = montgomeryLadder(pointU, _scalar);
-        // The result was not contributory
-        // https://cr.yp.to/ecdh.html#validate
-        if (pu === _0n)
-            throw new Error('invalid private or public key received');
-        return encodeUCoordinate(pu);
-    }
-    // Computes public key from private. By doing scalar multiplication of base point.
-    const GuBytes = encodeUCoordinate(CURVE.Gu);
-    function scalarMultBase(scalar) {
-        return scalarMult(scalar, GuBytes);
+    const lengths = {
+        secretKey: fieldLen,
+        publicKey: fieldLen,
+        seed: fieldLen,
+    };
+    const randomSecretKey = (seed = randomBytes_(fieldLen)) => {
+        abytes(seed, lengths.seed);
+        return seed;
+    };
+    function keygen(seed) {
+        const secretKey = randomSecretKey(seed);
+        return { secretKey, publicKey: scalarMultBase(secretKey) };
     }
+    const utils = {
+        randomSecretKey,
+        randomPrivateKey: randomSecretKey,
+    };
     return {
+        keygen,
+        getSharedSecret: (secretKey, publicKey) => scalarMult(secretKey, publicKey),
+        getPublicKey: (secretKey) => scalarMultBase(secretKey),
         scalarMult,
         scalarMultBase,
-        getSharedSecret: (privateKey, publicKey) => scalarMult(privateKey, publicKey),
-        getPublicKey: (privateKey) => scalarMultBase(privateKey),
-        utils: { randomPrivateKey: () => CURVE.randomBytes(CURVE.nByteLength) },
-        GuBytes: GuBytes,
+        utils,
+        GuBytes: GuBytes.slice(),
+        lengths,
     };
 }
 
-/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
 /**
  * Edwards448 (not Ed448-Goldilocks) curve with following addons:
  * - X448 ECDH
  * - Decaf cofactor elimination
  * - Elligator hash-to-group / point indistinguishability
  * Conforms to RFC 8032 https://www.rfc-editor.org/rfc/rfc8032.html#section-5.2
+ * @module
  */
-const shake256_114 = wrapConstructor(() => shake256.create({ dkLen: 114 }));
-const shake256_64 = wrapConstructor(() => shake256.create({ dkLen: 64 }));
-const ed448P = BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018365439');
+/*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
+// edwards448 curve
+// a = 1n
+// d = Fp.neg(39081n)
+// Finite field 2n**448n - 2n**224n - 1n
+// Subgroup order
+// 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
+const ed448_CURVE = {
+    p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff'),
+    n: BigInt('0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3'),
+    h: BigInt(4),
+    a: BigInt(1),
+    d: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756'),
+    Gx: BigInt('0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e'),
+    Gy: BigInt('0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14'),
+};
+// E448 NIST curve is identical to edwards448, except for:
+// d = 39082/39081
+// Gx = 3/2
+const E448_CURVE = Object.assign({}, ed448_CURVE, {
+    d: BigInt('0xd78b4bdc7f0daf19f24f38c29373a2ccad46157242a50f37809b1da3412a12e79ccc9c81264cfe9ad080997058fb61c4243cc32dbaa156b9'),
+    Gx: BigInt('0x79a70b2b70400553ae7c9df416c792c61128751ac92969240c25a07d728bdc93e21f7787ed6972249de732f38496cd11698713093e9c04fc'),
+    Gy: BigInt('0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff80000000000000000000000000000000000000000000000000000001'),
+});
+const shake256_114 = /* @__PURE__ */ createHasher(() => shake256.create({ dkLen: 114 }));
 // prettier-ignore
-const _1n$1 = BigInt(1), _2n$1 = BigInt(2), _3n = BigInt(3); BigInt(4); const _11n = BigInt(11);
+const _1n = BigInt(1), _2n$1 = BigInt(2), _3n = BigInt(3); BigInt(4); const _11n = BigInt(11);
 // prettier-ignore
 const _22n = BigInt(22), _44n = BigInt(44), _88n = BigInt(88), _223n = BigInt(223);
 // powPminus3div4 calculates z = x^k mod p, where k = (p-3)/4.
 // Used for efficient square root calculation.
 // ((P-3)/4).toString(2) would produce bits [223x 1, 0, 222x 1]
 function ed448_pow_Pminus3div4(x) {
-    const P = ed448P;
+    const P = ed448_CURVE.p;
     const b2 = (x * x * x) % P;
     const b3 = (b2 * b2 * x) % P;
     const b6 = (pow2(b3, _3n, P) * b3) % P;
@@ -2835,23 +3275,22 @@ function ed448_pow_Pminus3div4(x) {
     const b176 = (pow2(b88, _88n, P) * b88) % P;
     const b220 = (pow2(b176, _44n, P) * b44) % P;
     const b222 = (pow2(b220, _2n$1, P) * b2) % P;
-    const b223 = (pow2(b222, _1n$1, P) * x) % P;
+    const b223 = (pow2(b222, _1n, P) * x) % P;
     return (pow2(b223, _223n, P) * b222) % P;
 }
 function adjustScalarBytes(bytes) {
-    // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0, and the most
-    // significant bit of the last byte to 1.
+    // Section 5: Likewise, for X448, set the two least significant bits of the first byte to 0,
     bytes[0] &= 252; // 0b11111100
     // and the most significant bit of the last byte to 1.
     bytes[55] |= 128; // 0b10000000
-    // NOTE: is is NOOP for 56 bytes scalars (X25519/X448)
+    // NOTE: is NOOP for 56 bytes scalars (X25519/X448)
     bytes[56] = 0; // Byte outside of group (456 buts vs 448 bits)
     return bytes;
 }
 // Constant-time ratio of u to v. Allows to combine inversion and square root u/√v.
 // Uses algo from RFC8032 5.1.3.
 function uvRatio(u, v) {
-    const P = ed448P;
+    const P = ed448_CURVE.p;
     // https://www.rfc-editor.org/rfc/rfc8032#section-5.2.3
     // To compute the square root of (u/v), the first step is to compute the
     //   candidate root x = (u/v)^((p+1)/4).  This can be done using the
@@ -2869,81 +3308,99 @@ function uvRatio(u, v) {
     // square root exists, and the decoding fails.
     return { isValid: mod(x2 * v, P) === u, value: x };
 }
-const Fp$3 = Field(ed448P, 456, true);
-const ED448_DEF = {
-    // Param: a
-    a: BigInt(1),
-    // -39081. Negative number is P - number
-    d: BigInt('726838724295606890549323807888004534353641360687318060281490199180612328166730772686396383698676545930088884461843637361053498018326358'),
-    // Finite field 𝔽p over which we'll do calculations; 2n**448n - 2n**224n - 1n
+// Finite field 2n**448n - 2n**224n - 1n
+// The value fits in 448 bits, but we use 456-bit (57-byte) elements because of bitflags.
+// - ed25519 fits in 255 bits, allowing using last 1 byte for specifying bit flag of point negation.
+// - ed448 fits in 448 bits. We can't use last 1 byte: we can only use a bit 224 in the middle.
+const Fp$3 = /* @__PURE__ */ (() => Field(ed448_CURVE.p, { BITS: 456, isLE: true }))();
+const Fn = /* @__PURE__ */ (() => Field(ed448_CURVE.n, { BITS: 456, isLE: true }))();
+// SHAKE256(dom4(phflag,context)||x, 114)
+function dom4(data, ctx, phflag) {
+    if (ctx.length > 255)
+        throw new Error('context must be smaller than 255, got: ' + ctx.length);
+    return concatBytes(asciiToBytes('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
+}
+// const ed448_eddsa_opts = { adjustScalarBytes, domain: dom4 };
+// const ed448_Point = edwards(ed448_CURVE, { Fp, Fn, uvRatio });
+const ED448_DEF = /* @__PURE__ */ (() => ({
+    ...ed448_CURVE,
     Fp: Fp$3,
-    // Subgroup order: how many points curve has;
-    // 2n**446n - 13818066809895115352007386748515426880336692474882178609894547503885n
-    n: BigInt('181709681073901722637330951972001133588410340171829515070372549795146003961539585716195755291692375963310293709091662304773755859649779'),
-    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-    nBitLength: 456,
-    // Cofactor
-    h: BigInt(4),
-    // Base point (x, y) aka generator point
-    Gx: BigInt('224580040295924300187604334099896036246789641632564134246125461686950415467406032909029192869357953282578032075146446173674602635247710'),
-    Gy: BigInt('298819210078481492676017930443930673437544040154080242095928241372331506189835876003536878655418784733982303233503462500531545062832660'),
-    // SHAKE256(dom4(phflag,context)||x, 114)
+    Fn,
+    nBitLength: Fn.BITS,
     hash: shake256_114,
-    randomBytes,
     adjustScalarBytes,
-    // dom4
-    domain: (data, ctx, phflag) => {
-        if (ctx.length > 255)
-            throw new Error('context must be smaller than 255, got: ' + ctx.length);
-        return concatBytes$1(utf8ToBytes$1('SigEd448'), new Uint8Array([phflag ? 1 : 0, ctx.length]), ctx, data);
-    },
+    domain: dom4,
     uvRatio,
-};
-const ed448 = /* @__PURE__ */ twistedEdwards(ED448_DEF);
-// NOTE: there is no ed448ctx, since ed448 supports ctx by default
-/* @__PURE__ */ twistedEdwards({ ...ED448_DEF, prehash: shake256_64 });
-const x448 = /* @__PURE__ */ (() => montgomery({
-    a: BigInt(156326),
-    // RFC 7748 has 56-byte keys, RFC 8032 has 57-byte keys
-    montgomeryBits: 448,
-    nByteLength: 56,
-    P: ed448P,
-    Gu: BigInt(5),
-    powPminus2: (x) => {
-        const P = ed448P;
-        const Pminus3div4 = ed448_pow_Pminus3div4(x);
-        const Pminus3 = pow2(Pminus3div4, BigInt(2), P);
-        return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
-    },
-    adjustScalarBytes,
-    randomBytes,
 }))();
-// TODO: add edwardsToMontgomeryPriv, similar to ed25519 version
-// Hash To Curve Elligator2 Map
-(Fp$3.ORDER - BigInt(3)) / BigInt(4); // 1. c1 = (q - 3) / 4         # Integer arithmetic
-BigInt(156326);
-// 1-d
-BigInt('39082');
-// 1-2d
-BigInt('78163');
-// √(-d)
-BigInt('98944233647732219769177004876929019128417576295529901074099889598043702116001257856802131563896515373927712232092845883226922417596214');
-// 1 / √(-d)
-BigInt('315019913931389607337177038330951043522456072897266928557328499619017160722351061360252776265186336876723201881398623946864393857820716');
-BigInt('0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff');
+/**
+ * ed448 EdDSA curve and methods.
+ * @example
+ * import { ed448 } from '@noble/curves/ed448';
+ * const { secretKey, publicKey } = ed448.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = ed448.sign(msg, secretKey);
+ * const isValid = ed448.verify(sig, msg, publicKey);
+ */
+const ed448 = twistedEdwards(ED448_DEF);
+/**
+ * E448 curve, defined by NIST.
+ * E448 != edwards448 used in ed448.
+ * E448 is birationally equivalent to edwards448.
+ */
+edwards(E448_CURVE);
+/**
+ * ECDH using curve448 aka x448.
+ * x448 has 56-byte keys as per RFC 7748, while
+ * ed448 has 57-byte keys as per RFC 8032.
+ */
+const x448 = /* @__PURE__ */ (() => {
+    const P = ed448_CURVE.p;
+    return montgomery({
+        P,
+        type: 'x448',
+        powPminus2: (x) => {
+            const Pminus3div4 = ed448_pow_Pminus3div4(x);
+            const Pminus3 = pow2(Pminus3div4, _2n$1, P);
+            return mod(Pminus3 * x, P); // Pminus3 * x = Pminus2
+        },
+        adjustScalarBytes,
+    });
+})();
 
+/**
+ * SECG secp256k1. See [pdf](https://www.secg.org/sec2-v2.pdf).
+ *
+ * Belongs to Koblitz curves: it has efficiently-computable GLV endomorphism ψ,
+ * check out {@link EndomorphismOpts}. Seems to be rigid (not backdoored).
+ * @module
+ */
 /*! noble-curves - MIT License (c) 2022 Paul Miller (paulmillr.com) */
-const secp256k1P = BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f');
-const secp256k1N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
-const _1n = BigInt(1);
-const _2n = BigInt(2);
-const divNearest = (a, b) => (a + b / _2n) / b;
+// Seems like generator was produced from some seed:
+// `Point.BASE.multiply(Point.Fn.inv(2n, N)).toAffine().x`
+// // gives short x 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63n
+const secp256k1_CURVE = {
+    p: BigInt('0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f'),
+    n: BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141'),
+    h: BigInt(1),
+    a: BigInt(0),
+    b: BigInt(7),
+    Gx: BigInt('0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798'),
+    Gy: BigInt('0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8'),
+};
+const secp256k1_ENDO = {
+    beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
+    basises: [
+        [BigInt('0x3086d221a7d46bcde86c90e49284eb15'), -BigInt('0xe4437ed6010e88286f547fa90abfe4c3')],
+        [BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8'), BigInt('0x3086d221a7d46bcde86c90e49284eb15')],
+    ],
+};
+const _2n = /* @__PURE__ */ BigInt(2);
 /**
  * √n = n^((p+1)/4) for fields p = 3 mod 4. We unwrap the loop and multiply bit-by-bit.
  * (P+1n/4n).toString(2) would produce bits [223x 1, 0, 22x 1, 4x 0, 11, 00]
  */
 function sqrtMod(y) {
-    const P = secp256k1P;
+    const P = secp256k1_CURVE.p;
     // prettier-ignore
     const _3n = BigInt(3), _6n = BigInt(6), _11n = BigInt(11), _22n = BigInt(22);
     // prettier-ignore
@@ -2966,56 +3423,22 @@ function sqrtMod(y) {
         throw new Error('Cannot find square root');
     return root;
 }
-const Fpk1 = Field(secp256k1P, undefined, undefined, { sqrt: sqrtMod });
+const Fpk1 = Field(secp256k1_CURVE.p, { sqrt: sqrtMod });
 /**
- * secp256k1 short weierstrass curve and ECDSA signatures over it.
+ * secp256k1 curve, ECDSA and ECDH methods.
+ *
+ * Field: `2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n`
+ *
+ * @example
+ * ```js
+ * import { secp256k1 } from '@noble/curves/secp256k1';
+ * const { secretKey, publicKey } = secp256k1.keygen();
+ * const msg = new TextEncoder().encode('hello');
+ * const sig = secp256k1.sign(msg, secretKey);
+ * const isValid = secp256k1.verify(sig, msg, publicKey) === true;
+ * ```
  */
-const secp256k1 = createCurve({
-    a: BigInt(0), // equation params: a, b
-    b: BigInt(7), // Seem to be rigid: bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975
-    Fp: Fpk1, // Field's prime: 2n**256n - 2n**32n - 2n**9n - 2n**8n - 2n**7n - 2n**6n - 2n**4n - 1n
-    n: secp256k1N, // Curve order, total count of valid points in the field
-    // Base point (x, y) aka generator point
-    Gx: BigInt('55066263022277343669578718895168534326250603453777594175500187360389116729240'),
-    Gy: BigInt('32670510020758816978083085130507043184471273380659243275938904335757337482424'),
-    h: BigInt(1), // Cofactor
-    lowS: true, // Allow only low-S signatures by default in sign() and verify()
-    /**
-     * secp256k1 belongs to Koblitz curves: it has efficiently computable endomorphism.
-     * Endomorphism uses 2x less RAM, speeds up precomputation by 2x and ECDH / key recovery by 20%.
-     * For precomputed wNAF it trades off 1/2 init time & 1/3 ram for 20% perf hit.
-     * Explanation: https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066
-     */
-    endo: {
-        beta: BigInt('0x7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee'),
-        splitScalar: (k) => {
-            const n = secp256k1N;
-            const a1 = BigInt('0x3086d221a7d46bcde86c90e49284eb15');
-            const b1 = -_1n * BigInt('0xe4437ed6010e88286f547fa90abfe4c3');
-            const a2 = BigInt('0x114ca50f7a8e2f3f657c1108d9d44cfd8');
-            const b2 = a1;
-            const POW_2_128 = BigInt('0x100000000000000000000000000000000'); // (2n**128n).toString(16)
-            const c1 = divNearest(b2 * k, n);
-            const c2 = divNearest(-b1 * k, n);
-            let k1 = mod(k - c1 * a1 - c2 * a2, n);
-            let k2 = mod(-c1 * b1 - c2 * b2, n);
-            const k1neg = k1 > POW_2_128;
-            const k2neg = k2 > POW_2_128;
-            if (k1neg)
-                k1 = n - k1;
-            if (k2neg)
-                k2 = n - k2;
-            if (k1 > POW_2_128 || k2 > POW_2_128) {
-                throw new Error('splitScalar: Endomorphism failed, k=' + k);
-            }
-            return { k1neg, k1, k2neg, k2 };
-        },
-    },
-}, sha256);
-// Schnorr signatures are superior to ECDSA from above. Below is Schnorr-specific BIP0340 code.
-// https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki
-BigInt(0);
-secp256k1.ProjectivePoint;
+const secp256k1 = createCurve({ ...secp256k1_CURVE, Fp: Fpk1, lowS: true, endo: secp256k1_ENDO }, sha256);
 
 // brainpoolP256r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.4
 // eslint-disable-next-line new-cap
@@ -3034,7 +3457,7 @@ const brainpoolP256r1 = createCurve({
     Gy: BigInt('0x547ef835c3dac4fd97f8461a14611dc9c27745132ded8e545c1d54c72f046997'),
     h: BigInt(1),
     lowS: false
-}, sha256);
+}, sha256$1);
 
 // brainpoolP384 r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.6
 // eslint-disable-next-line new-cap
@@ -3053,7 +3476,7 @@ const brainpoolP384r1 = createCurve({
     Gy: BigInt('0x8abe1d7520f9c2a45cb1eb8e95cfd55262b70b29feec5864e19c054ff99129280e4646217791811142820341263c5315'),
     h: BigInt(1),
     lowS: false
-}, sha384);
+}, sha384$1);
 
 // brainpoolP512r1: https://datatracker.ietf.org/doc/html/rfc5639#section-3.7
 // eslint-disable-next-line new-cap
@@ -3072,7 +3495,7 @@ const brainpoolP512r1 = createCurve({
     Gy: BigInt('0x7dde385d566332ecc0eabfa9cf7822fdf209f70024a57b1aa000c55b881f8111b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892'),
     h: BigInt(1),
     lowS: false
-}, sha512);
+}, sha512$1);
 
 /**
  * This file is needed to dynamic import the noble-curves.